7231 - Second batch of macOS policy queries for CIS Benchmark (#7380)

* Adding CIS 1.5 / 1.6 / 2.2.1 to constants.ts

* Adding CIS 1.5 / 1.6 / 2.2.1 to standard query library

* Adding 2.3.1

* Adding 2.3.1 to query library and 2.4.2 to both

* Adding 2.4.10

* Tagging 2.5.1.1

* Tagging 2.5.2.1

* Tagging 2.5.2.2

* Adding 2.5.6

* Adding 2.6.1.4

* Adding 3.6

* Tagging 5.1.2

* Tagging 5.2.2

* Tagging 5.8

The query we have for the screen lock is comprehensive and covers more than one CIS requirement

* Adding 6.1.3 and 6.1.4
This commit is contained in:
Guillaume Ross 2022-08-26 16:59:16 -04:00 committed by GitHub
parent 0572c621d5
commit f413ae764a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 267 additions and 10 deletions
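To show where the compound screen-lock query from this commit (tagged CIS 2.3.1 and CIS 5.8) passes and fails, here is an added example that is not part of the commit or of Fleet's own code. It runs the commit's query text unchanged against constructed managed_policies rows in an in-memory SQLite database, using a reduced three-column schema (domain, name, value as TEXT, an assumption standing in for osquery's wider table), and applies Fleet's pass/fail rule: a policy passes when the query returns a row.

```python
import sqlite3

# Query text copied from the commit's YAML (CIS 2.3.1 / 5.8 and CIS 6.1.3).
SCREEN_LOCK_QUERY = (
    "SELECT 1 WHERE EXISTS (SELECT CAST(value as integer(4)) valueint from managed_policies "
    "WHERE domain = 'com.apple.screensaver' AND name = 'askForPasswordDelay' AND valueint <= 60 LIMIT 1) "
    "AND EXISTS (SELECT CAST(value as integer(4)) valueint from managed_policies "
    "WHERE domain = 'com.apple.screensaver' AND name = 'idleTime' AND valueint <= 1140 LIMIT 1) "
    "AND EXISTS (SELECT 1 from managed_policies WHERE domain='com.apple.screensaver' "
    "AND name='askForPassword' AND value=1 LIMIT 1);"
)
GUEST_ACCOUNT_QUERY = (
    "SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' "
    "AND name='DisableGuestAccount' AND value='1' LIMIT 1;"
)


def policy_passes(query, rows):
    """Load constructed rows into a reduced managed_policies table and report
    whether the policy query returns a row (Fleet's pass condition).
    The value column is TEXT, as in osquery; SQLite's type affinity is why
    both value=1 and value='1' match a stored '1'."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE managed_policies (domain TEXT, name TEXT, value TEXT)")
    con.executemany("INSERT INTO managed_policies VALUES (?, ?, ?)", rows)
    passed = con.execute(query).fetchone() is not None
    con.close()
    return passed


def screensaver_rows(idle_time, ask_delay, ask_for_password="1"):
    """Constructed rows mimicking what a screensaver configuration profile
    exposes through managed_policies (values arrive as strings)."""
    return [
        ("com.apple.screensaver", "idleTime", str(idle_time)),
        ("com.apple.screensaver", "askForPasswordDelay", str(ask_delay)),
        ("com.apple.screensaver", "askForPassword", ask_for_password),
    ]


if __name__ == "__main__":
    # 1140 s idle + 60 s grace = exactly 20 minutes: passes.
    print(policy_passes(SCREEN_LOCK_QUERY, screensaver_rows(1140, 60)))   # True
    # Also 20 minutes in total, but idleTime alone exceeds the 1140 s bound: fails.
    print(policy_passes(SCREEN_LOCK_QUERY, screensaver_rows(1200, 0)))    # False
    # Grace period longer than 60 s: fails.
    print(policy_passes(SCREEN_LOCK_QUERY, screensaver_rows(600, 300)))   # False
    # Profile without askForPassword at all: the third EXISTS fails.
    print(policy_passes(SCREEN_LOCK_QUERY, screensaver_rows(600, 5)[:2])) # False
    # No profile delivered: a missing row is a failure, not a pass.
    print(policy_passes(GUEST_ACCOUNT_QUERY, []))                         # False
```

The second case shows that the query enforces the two per-key bounds separately rather than the sum of idle time and grace period, so a profile set to idleTime=1200 with no grace period is reported as failing.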

View file

@ -481,7 +481,7 @@ spec:
description: Checks to make sure that the Gatekeeper feature is enabled on macOS devices. Gatekeeper tries to ensure only trusted software is run on a mac machine.
resolution: "To enable Gatekeeper, on the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable."
platforms: macOS
tags: compliance, hardening, built-in
tags: compliance, hardening, built-in, CIS2.5.2.1
platform: darwin
contributors: groob
---
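Review bot: the new tag on this hunk is only "CIS2.5.2.1", while every policy added later in this file carries the bare "CIS" tag as well ("compliance, CIS, CIS1.5"), so anyone filtering the library on the "CIS" tag will not see this policy; suggest "tags: compliance, hardening, built-in, CIS, CIS2.5.2.1". The same applies to the other four retagged policies below (FileVault, SIP, firewall, password length).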
@ -509,7 +509,7 @@ spec:
description: Checks to make sure that full disk encryption (FileVault) is enabled on macOS devices.
resolution: To enable full disk encryption, on the failing device, select System Preferences > Security & Privacy > FileVault > Turn On FileVault.
platforms: macOS
tags: compliance, hardening, built-in
tags: compliance, hardening, built-in, CIS2.5.1.1
platform: darwin
contributors: groob
---
@ -533,7 +533,7 @@ spec:
description: Checks to make sure that the System Integrity Protection feature is enabled.
resolution: "To enable System Integrity Protection, on the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable."
platforms: macOS
tags: compliance, malware, hardening, built-in
tags: compliance, malware, hardening, built-in, CIS5.1.2
platform: darwin
contributors: groob
---
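Review bot: the unchanged resolution line in this hunk tells the user to run "/usr/sbin/spctl --master-enable" to enable System Integrity Protection, but that command enables Gatekeeper (it is the same text as the Gatekeeper policy above); SIP is enabled with "csrutil enable" from Recovery, so since this policy is being touched for CIS 5.1.2 it is worth correcting the resolution in the same change.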
@ -700,7 +700,7 @@ spec:
description: "Checks if the firewall is enabled."
resolution: "In System Preferences, open Security & Privacy, navigate to the Firewall tab and click Turn On Firewall."
platforms: macOS
tags: hardening, compliance, built-in
tags: hardening, compliance, built-in, CIS2.5.2.2
platform: darwin
contributors: GuillaumeRoss
---
@ -736,7 +736,7 @@ spec:
description: "Checks that the password policy requires at least 10 characters. Requires osquery 5.4.0 or newer."
resolution: "Contact your IT administrator to make sure your Mac is receiving configuration profiles for password length."
platforms: macOS
tags: compliance, hardening, built-in
tags: compliance, hardening, built-in, CIS5.2.2
platform: darwin
contributors: GuillaumeRoss
---
@ -786,4 +786,136 @@ spec:
platforms: macOS
tags: compliance, CIS, CIS1.4
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Automatic security and data file updates is enabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='CriticalUpdateInstall' AND value=1 LIMIT 1;
description: "Checks that the operating system is configured to automatically download updates to built-in macOS security tools such as malware removal tools."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic security and data update installation."
platforms: macOS
tags: compliance, CIS, CIS1.5
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Automatic installation of operating system updates is enabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallMacOSUpdates' AND value=1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the operating system to automatically install operating system updates."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of operating system updates."
platforms: macOS
tags: compliance, CIS, CIS1.6
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Time and date are configured to be updated automatically (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='forceAutomaticDateAndTime' AND value=1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the operating system to automatically update the time and date."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic time and date configuration."
platforms: macOS
tags: compliance, CIS, CIS2.2.1
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Inactivity limit of 20 minutes or less (macOS)
query: SELECT 1 WHERE EXISTS (SELECT CAST(value as integer(4)) valueint from managed_policies WHERE domain = 'com.apple.screensaver' AND name = 'askForPasswordDelay' AND valueint <= 60 LIMIT 1) AND EXISTS (SELECT CAST(value as integer(4)) valueint from managed_policies WHERE domain = 'com.apple.screensaver' AND name = 'idleTime' AND valueint <= 1140 LIMIT 1) AND EXISTS (SELECT 1 from managed_policies WHERE domain='com.apple.screensaver' AND name='askForPassword' AND value=1 LIMIT 1);
description: "Checks that a mobile device management (MDM) solution configures the operating system lock the screen in 20 minutes or less."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables the screen saver and lock within an inactivity delay of 20 minutes or less."
platforms: macOS
tags: compliance, CIS, CIS2.3.1, CIS5.8
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Internet sharing is blocked (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.MCX' AND name='forceInternetSharingOff' AND value='1' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the operating system to prevent Internet sharing."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that prevents Internet sharing."
platforms: macOS
tags: compliance, CIS, CIS2.4.2
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Content caching is disabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowContentCaching' AND value='0' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the operating system to disable content caching."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables content caching."
platforms: macOS
tags: compliance, CIS, CIS2.4.10
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Ad tracking is limited (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.AdLib' AND name='forceLimitAdTracking' AND value='1' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the operating system to limit advertisement tracking."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables advertisement tracking."
platforms: macOS
tags: compliance, CIS, CIS2.5.6
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: iCloud Desktop and Document sync is disabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.icloud.managed' AND name='DisableCloudSync' AND value='1' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the operating system to prevent iCloud Desktop and Documents sync."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile to prevent iCloud Desktop and Documents sync."
platforms: macOS
tags: compliance, CIS, CIS2.6.1.4
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Firewall logging is enabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND name='EnableLogging' AND value='1' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the operating system log firewall activity."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables firewall logging."
platforms: macOS
tags: compliance, CIS, CIS3.6
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Guest account is disabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND name='DisableGuestAccount' AND value='1' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the operating system to prevent the use of a guest account."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables the guest account."
platforms: macOS
tags: compliance, CIS, CIS6.1.3
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Guest access to shared folders is disabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.AppleFileServer' AND name='guestAccess' AND value='0' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the operating system to prevent guest access to shared folders."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that prevents guest access to shared folders."
platforms: macOS
tags: compliance, CIS, CIS6.1.4
platform: darwin
contributors: GuillaumeRoss
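Review bot: two of the new descriptions are missing a word and the CIS 1.5 text diverges from its constants.ts twin. "configures the operating system lock the screen in 20 minutes or less" (CIS 2.3.1/5.8) and "configures the operating system log firewall activity" (CIS 3.6) should read "configures the operating system to lock ..." and "... to log ..."; the CIS 1.5 description here says "Checks that the operating system is configured" while the same policy in constants.ts says "Checks that a mobile device management (MDM) solution configures", and the name "Automatic security and data file updates is enabled" should be "are enabled". Also, three queries compare value=1 and the rest value='1'; managed_policies.value is text, so both match through SQLite affinity, but one form would be easier to maintain.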

View file

@ -72,7 +72,7 @@ export const DEFAULT_POLICIES = [
key: 6,
query:
"SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT '' AND filevault_status = 'on' LIMIT 1;",
name: "Full disk encryption enabled (macOS)",
name: "Full disk encryption enabled (macOS) [CIS 2.5.1.1]",
description:
"Checks to make sure that full disk encryption (FileVault) is enabled on macOS devices.",
resolution:
@ -93,7 +93,7 @@ export const DEFAULT_POLICIES = [
{
key: 8,
query: "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
name: "Gatekeeper enabled (macOS)",
name: "Gatekeeper enabled (macOS) [2.5.2.1]",
description:
"Checks to make sure that the Gatekeeper feature is enabled on macOS devices. Gatekeeper tries to ensure only trusted software is run on a mac machine.",
resolution:
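Review bot: the new name on this hunk is "Gatekeeper enabled (macOS) [2.5.2.1]", without the "CIS " prefix that every other renamed policy uses ("[CIS 2.5.1.1]", "[CIS 5.1.2]"); suggest "[CIS 2.5.2.1]" so the bracketed references stay uniform and searchable.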
@ -134,7 +134,7 @@ export const DEFAULT_POLICIES = [
key: 12,
query:
"SELECT 1 FROM sip_config WHERE config_flag = 'sip' AND enabled = 1;",
name: "System Integrity Protection enabled (macOS)",
name: "System Integrity Protection enabled (macOS) [CIS 5.1.2]",
description:
"Checks to make sure that the System Integrity Protection feature is enabled.",
resolution:
@ -144,7 +144,7 @@ export const DEFAULT_POLICIES = [
{
key: 13,
query: "SELECT 1 FROM alf WHERE global_state >= 1;",
name: "Firewall enabled (macOS)",
name: "Firewall enabled (macOS) [CIS 2.5.2.2]",
description: "Checks if the firewall is enabled.",
resolution:
"In System Preferences, open Security & Privacy, navigate to the Firewall tab and click Turn On Firewall.",
@ -175,7 +175,7 @@ export const DEFAULT_POLICIES = [
key: 16,
query:
"SELECT 1 FROM (SELECT cast(lengthtxt as integer(2)) minlength FROM (SELECT SUBSTRING(length, 1, 2) AS lengthtxt FROM (SELECT policy_description, policy_identifier, split(policy_content, '{', 1) AS length FROM password_policy WHERE policy_identifier LIKE '%minLength')) WHERE minlength >= 10);",
name: "Password requires 10 or more characters (macOS)",
name: "Password requires 10 or more characters (macOS) [CIS 5.2.2]",
description:
"Checks that the password policy requires at least 10 characters. Requires osquery 5.4.0 or newer.",
resolution:
@ -224,6 +224,131 @@ export const DEFAULT_POLICIES = [
"Contact your IT administrator to ensure your Mac is receiving a profile that enables installation of application updates.",
platform: "darwin",
},
{
key: 22,
query:
"SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='CriticalUpdateInstall' AND value=1 LIMIT 1;",
name:
"Automatic security and data file updates is enabled (macOS) [CIS 1.5]",
description:
"Checks that a mobile device management (MDM) solution configures the operating system to automatically download updates to built-in macOS security tools such as malware removal tools.",
resolution:
"Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic security and data update installation.",
platform: "darwin",
},
{
key: 23,
query:
"SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallMacOSUpdates' AND value=1 LIMIT 1;",
name:
"Automatic installation of operating system updates is enabled (macOS) [CIS 1.6]",
description:
"Checks that a mobile device management (MDM) solution configures the operating system to automatically install operating system updates.",
resolution:
"Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of operating system updates.",
platform: "darwin",
},
{
key: 24,
query:
"SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='forceAutomaticDateAndTime' AND value=1 LIMIT 1;",
name:
"Time and date are configured to be updated automatically (macOS) [CIS 2.2.1]",
description:
"Checks that a mobile device management (MDM) solution configures the operating system to automatically update the time and date.",
resolution:
"Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic time and date configuration.",
platform: "darwin",
},
{
key: 25,
query:
"SELECT 1 WHERE EXISTS (SELECT CAST(value as integer(4)) valueint from managed_policies WHERE domain = 'com.apple.screensaver' AND name = 'askForPasswordDelay' AND valueint <= 60 LIMIT 1) AND EXISTS (SELECT CAST(value as integer(4)) valueint from managed_policies WHERE domain = 'com.apple.screensaver' AND name = 'idleTime' AND valueint <= 1140 LIMIT 1) AND EXISTS (SELECT 1 from managed_policies WHERE domain='com.apple.screensaver' AND name='askForPassword' AND value=1 LIMIT 1);",
name:
"Inactivity limit of 20 minutes or less (macOS) [CIS 2.3.1] [CIS 5.8]",
description:
"Checks that a mobile device management (MDM) solution configures the operating system lock the screen in 20 minutes or less.",
resolution:
"Contact your IT administrator to ensure your Mac is receiving a profile that enables the screen saver and lock within an inactivity delay of 20 minutes or less.",
platform: "darwin",
},
{
key: 26,
query:
"SELECT 1 FROM managed_policies WHERE domain='com.apple.MCX' AND name='forceInternetSharingOff' AND value='1' LIMIT 1;",
name: "Internet sharing is blocked (macOS) [CIS 2.4.2]",
description:
"Checks that a mobile device management (MDM) solution configures the operating system to prevent Internet sharing.",
resolution:
"Contact your IT administrator to ensure your Mac is receiving a profile that prevents Internet sharing.",
platform: "darwin",
},
{
key: 27,
query:
"SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowContentCaching' AND value='0' LIMIT 1;",
name: "Content caching is disabled (macOS) [CIS 2.4.10]",
description:
"Checks that a mobile device management (MDM) solution configures the operating system to disable content caching.",
resolution:
"Contact your IT administrator to ensure your Mac is receiving a profile that disables content caching.",
platform: "darwin",
},
{
key: 28,
query:
"SELECT 1 FROM managed_policies WHERE domain='com.apple.AdLib' AND name='forceLimitAdTracking' AND value='1' LIMIT 1;",
name: "Ad tracking is limited (macOS) [CIS 2.5.6]",
description:
"Checks that a mobile device management (MDM) solution configures the operating system to limit advertisement tracking.",
resolution:
"Contact your IT administrator to ensure your Mac is receiving a profile that disables advertisement tracking.",
platform: "darwin",
},
{
key: 29,
query:
"SELECT 1 FROM managed_policies WHERE domain='com.apple.icloud.managed' AND name='DisableCloudSync' AND value='1' LIMIT 1;",
name: "iCloud Desktop and Document sync is disabled (macOS) [CIS 2.6.1.4]",
description:
"Checks that a mobile device management (MDM) solution configures the operating system to prevent iCloud Desktop and Documents sync.",
resolution:
"Contact your IT administrator to ensure your Mac is receiving a profile to prevent iCloud Desktop and Documents sync.",
platform: "darwin",
},
{
key: 30,
query:
"SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND name='EnableLogging' AND value='1' LIMIT 1;",
name: "Firewall logging is enabled (macOS) [CIS 3.6]",
description:
"Checks that a mobile device management (MDM) solution configures the operating system log firewall activity.",
resolution:
"Contact your IT administrator to ensure your Mac is receiving a profile that enables firewall logging.",
platform: "darwin",
},
{
key: 31,
query:
"SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND name='DisableGuestAccount' AND value='1' LIMIT 1;",
name: "Guest account is disabled (macOS) [CIS 6.1.3]",
description:
"Checks that a mobile device management (MDM) solution configures the operating system to prevent the use of a guest account.",
resolution:
"Contact your IT administrator to ensure your Mac is receiving a profile that disables the guest account.",
platform: "darwin",
},
{
key: 32,
query:
"SELECT 1 FROM managed_policies WHERE domain='com.apple.AppleFileServer' AND name='guestAccess' AND value='0' LIMIT 1;",
name: "Guest access to shared folders is disabled (macOS) [CIS 6.1.4]",
description:
"Checks that a mobile device management (MDM) solution configures the operating system to prevent guest access to shared folders.",
resolution:
"Contact your IT administrator to ensure your Mac is receiving a profile that prevents guest access to shared folders.",
platform: "darwin",
},
] as IPolicyNew[];
export const FREQUENCY_DROPDOWN_OPTIONS = [
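Review bot: the descriptions for key 25 and key 30 are missing "to" ("configures the operating system lock the screen", "configures the operating system log firewall activity"), and key 22's name should read "updates are enabled". Key 22's description here mentions an MDM solution while the YAML copy of the same policy does not; the two libraries are meant to ship identical policies, so the texts should match. As in the YAML, keys 22 to 24 compare value=1 and keys 26 to 32 compare value='1'; pick one form.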