diff --git a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
index 373a4966f5..d4adfc731a 100644
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@@ -481,7 +481,7 @@ spec:
 description: Checks to make sure that the Gatekeeper feature is enabled on macOS devices. Gatekeeper tries to ensure only trusted software is run on a mac machine.
 resolution: "To enable Gatekeeper, on the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable."
 platforms: macOS
- tags: compliance, hardening, built-in
+ tags: compliance, hardening, built-in, CIS2.5.2.1
 platform: darwin
 contributors: groob
 ---
@@ -509,7 +509,7 @@ spec:
 description: Checks to make sure that full disk encryption (FileVault) is enabled on macOS devices.
 resolution: To enable full disk encryption, on the failing device, select System Preferences > Security & Privacy > FileVault > Turn On FileVault.
 platforms: macOS
- tags: compliance, hardening, built-in
+ tags: compliance, hardening, built-in, CIS2.5.1.1
 platform: darwin
 contributors: groob
 ---
@@ -533,7 +533,7 @@ spec:
 description: Checks to make sure that the System Integrity Protection feature is enabled.
 resolution: "To enable System Integrity Protection, on the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable."
 platforms: macOS
- tags: compliance, malware, hardening, built-in
+ tags: compliance, malware, hardening, built-in, CIS5.1.2
 platform: darwin
 contributors: groob
 ---
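Review bot: The `CIS2.5.2.1` tag is appended without the generic `CIS` tag that the rest of the library pairs with the specific identifier (the CIS1.4 policy visible in the `@@ -786` hunk carries `tags: compliance, CIS, CIS1.4`), so anyone filtering policies by `CIS` will miss the built-in ones; the same applies to the `@@ -509` (`CIS2.5.1.1`) and `@@ -533` (`CIS5.1.2`) hunks and to the `@@ -700` and `@@ -736` hunks. Suggest `tags: compliance, hardening, built-in, CIS, CIS2.5.2.1` and the equivalent for the others. Separately, the `@@ -533` hunk attaches a CIS identifier to the System Integrity Protection policy while its context `resolution` still tells the user to run `/usr/sbin/spctl --master-enable`, which is the Gatekeeper command reused from the policy at `@@ -481`; SIP is enabled with `csrutil enable` from the Recovery environment, so the current text does not lead to the control the tag now references.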
@@ -700,7 +700,7 @@ spec:
 description: "Checks if the firewall is enabled."
 resolution: "In System Preferences, open Security & Privacy, navigate to the Firewall tab and click Turn On Firewall."
 platforms: macOS
- tags: hardening, compliance, built-in
+ tags: hardening, compliance, built-in, CIS2.5.2.2
 platform: darwin
 contributors: GuillaumeRoss
 ---
@@ -736,7 +736,7 @@ spec:
 description: "Checks that the password policy requires at least 10 characters. Requires osquery 5.4.0 or newer."
 resolution: "Contact your IT administrator to make sure your Mac is receiving configuration profiles for password length."
 platforms: macOS
- tags: compliance, hardening, built-in
+ tags: compliance, hardening, built-in, CIS5.2.2
 platform: darwin
 contributors: GuillaumeRoss
 ---
@@ -786,4 +786,136 @@ spec:
 platforms: macOS
 tags: compliance, CIS, CIS1.4
 platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Automatic security and data file updates is enabled (macOS)
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='CriticalUpdateInstall' AND value=1 LIMIT 1;
+ description: "Checks that the operating system is configured to automatically download updates to built-in macOS security tools such as malware removal tools."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic security and data update installation."
+ platforms: macOS
+ tags: compliance, CIS, CIS1.5
+ platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Automatic installation of operating system updates is enabled (macOS)
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallMacOSUpdates' AND value=1 LIMIT 1;
+ description: "Checks that a mobile device management (MDM) solution configures the operating system to automatically install operating system updates."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of operating system updates."
+ platforms: macOS
+ tags: compliance, CIS, CIS1.6
+ platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Time and date are configured to be updated automatically (macOS)
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='forceAutomaticDateAndTime' AND value=1 LIMIT 1;
+ description: "Checks that a mobile device management (MDM) solution configures the operating system to automatically update the time and date."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic time and date configuration."
+ platforms: macOS
+ tags: compliance, CIS, CIS2.2.1
+ platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Inactivity limit of 20 minutes or less (macOS)
+ query: SELECT 1 WHERE EXISTS (SELECT CAST(value as integer(4)) valueint from managed_policies WHERE domain = 'com.apple.screensaver' AND name = 'askForPasswordDelay' AND valueint <= 60 LIMIT 1) AND EXISTS (SELECT CAST(value as integer(4)) valueint from managed_policies WHERE domain = 'com.apple.screensaver' AND name = 'idleTime' AND valueint <= 1140 LIMIT 1) AND EXISTS (SELECT 1 from managed_policies WHERE domain='com.apple.screensaver' AND name='askForPassword' AND value=1 LIMIT 1);
+ description: "Checks that a mobile device management (MDM) solution configures the operating system lock the screen in 20 minutes or less."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables the screen saver and lock within an inactivity delay of 20 minutes or less."
+ platforms: macOS
+ tags: compliance, CIS, CIS2.3.1, CIS5.8
+ platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Internet sharing is blocked (macOS)
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.MCX' AND name='forceInternetSharingOff' AND value='1' LIMIT 1;
+ description: "Checks that a mobile device management (MDM) solution configures the operating system to prevent Internet sharing."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that prevents Internet sharing."
+ platforms: macOS
+ tags: compliance, CIS, CIS2.4.2
+ platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Content caching is disabled (macOS)
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowContentCaching' AND value='0' LIMIT 1;
+ description: "Checks that a mobile device management (MDM) solution configures the operating system to disable content caching."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables content caching."
+ platforms: macOS
+ tags: compliance, CIS, CIS2.4.10
+ platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Ad tracking is limited (macOS)
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.AdLib' AND name='forceLimitAdTracking' AND value='1' LIMIT 1;
+ description: "Checks that a mobile device management (MDM) solution configures the operating system to limit advertisement tracking."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables advertisement tracking."
+ platforms: macOS
+ tags: compliance, CIS, CIS2.5.6
+ platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: iCloud Desktop and Document sync is disabled (macOS)
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.icloud.managed' AND name='DisableCloudSync' AND value='1' LIMIT 1;
+ description: "Checks that a mobile device management (MDM) solution configures the operating system to prevent iCloud Desktop and Documents sync."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile to prevent iCloud Desktop and Documents sync."
+ platforms: macOS
+ tags: compliance, CIS, CIS2.6.1.4
+ platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Firewall logging is enabled (macOS)
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND name='EnableLogging' AND value='1' LIMIT 1;
+ description: "Checks that a mobile device management (MDM) solution configures the operating system log firewall activity."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables firewall logging."
+ platforms: macOS
+ tags: compliance, CIS, CIS3.6
+ platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Guest account is disabled (macOS)
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND name='DisableGuestAccount' AND value='1' LIMIT 1;
+ description: "Checks that a mobile device management (MDM) solution configures the operating system to prevent the use of a guest account."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables the guest account."
+ platforms: macOS
+ tags: compliance, CIS, CIS6.1.3
+ platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Guest access to shared folders is disabled (macOS)
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.AppleFileServer' AND name='guestAccess' AND value='0' LIMIT 1;
+ description: "Checks that a mobile device management (MDM) solution configures the operating system to prevent guest access to shared folders."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that prevents guest access to shared folders."
+ platforms: macOS
+ tags: compliance, CIS, CIS6.1.4
+ platform: darwin
 contributors: GuillaumeRoss
\ No newline at end of file
diff --git a/frontend/utilities/constants.ts b/frontend/utilities/constants.ts
index c72177cd76..1cb925ae97 100644
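Review bot: The new `Inactivity limit of 20 minutes or less (macOS)` query accepts an `idleTime` of 0 because its only test is `valueint <= 1140`; if 0 is how the `Never` screen-saver setting is stored (which the name suggests, but this file does not show), a profile that disables the screen saver passes a policy meant to enforce locking, so that subquery should also require `valueint > 0`. The same query is added as key 25 in the `constants.ts` hunk at `@@ -224`, where the same change applies. Two smaller points in this hunk: the first three queries and the `askForPassword` check compare `value=1` while the remaining ones use `value='1'`, and the CIS1.5 `description` (`Checks that the operating system is configured ...`) no longer matches its counterpart in `constants.ts`, which reads `Checks that a mobile device management (MDM) solution configures ...`. The CIS2.3.1 and CIS3.6 descriptions also drop a word: `configures the operating system to lock the screen` and `configures the operating system to log firewall activity`.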
--- a/frontend/utilities/constants.ts
+++ b/frontend/utilities/constants.ts
@@ -72,7 +72,7 @@ export const DEFAULT_POLICIES = [
 key: 6,
 query:
 "SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT '' AND filevault_status = 'on' LIMIT 1;",
- name: "Full disk encryption enabled (macOS)",
+ name: "Full disk encryption enabled (macOS) [CIS 2.5.1.1]",
 description:
 "Checks to make sure that full disk encryption (FileVault) is enabled on macOS devices.",
 resolution:
@@ -93,7 +93,7 @@ export const DEFAULT_POLICIES = [
 {
 key: 8,
 query: "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
- name: "Gatekeeper enabled (macOS)",
+ name: "Gatekeeper enabled (macOS) [2.5.2.1]",
 description:
 "Checks to make sure that the Gatekeeper feature is enabled on macOS devices. Gatekeeper tries to ensure only trusted software is run on a mac machine.",
 resolution:
@@ -134,7 +134,7 @@ export const DEFAULT_POLICIES = [
 key: 12,
 query:
 "SELECT 1 FROM sip_config WHERE config_flag = 'sip' AND enabled = 1;",
- name: "System Integrity Protection enabled (macOS)",
+ name: "System Integrity Protection enabled (macOS) [CIS 5.1.2]",
 description:
 "Checks to make sure that the System Integrity Protection feature is enabled.",
 resolution:
@@ -144,7 +144,7 @@ export const DEFAULT_POLICIES = [
 {
 key: 13,
 query: "SELECT 1 FROM alf WHERE global_state >= 1;",
- name: "Firewall enabled (macOS)",
+ name: "Firewall enabled (macOS) [CIS 2.5.2.2]",
 description: "Checks if the firewall is enabled.",
 resolution:
 "In System Preferences, open Security & Privacy, navigate to the Firewall tab and click Turn On Firewall.",
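Review bot: The Gatekeeper entry in the `@@ -93` hunk is renamed to `Gatekeeper enabled (macOS) [2.5.2.1]`, dropping the `CIS ` prefix that every other renamed policy in this file carries (`[CIS 2.5.1.1]`, `[CIS 5.1.2]`, `[CIS 2.5.2.2]`); it should read `name: "Gatekeeper enabled (macOS) [CIS 2.5.2.1]",`. Note also that the YAML library changed in this same commit keeps these policy names as they were and records the CIS reference in `tags`, so the UI defaults and the standard query library now name the same policy differently; if the two are meant to correspond by name, one convention should be applied to both rather than a suffix in one and a tag in the other.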
@@ -175,7 +175,7 @@ export const DEFAULT_POLICIES = [
 key: 16,
 query:
 "SELECT 1 FROM (SELECT cast(lengthtxt as integer(2)) minlength FROM (SELECT SUBSTRING(length, 1, 2) AS lengthtxt FROM (SELECT policy_description, policy_identifier, split(policy_content, '{', 1) AS length FROM password_policy WHERE policy_identifier LIKE '%minLength')) WHERE minlength >= 10);",
- name: "Password requires 10 or more characters (macOS)",
+ name: "Password requires 10 or more characters (macOS) [CIS 5.2.2]",
 description:
 "Checks that the password policy requires at least 10 characters. Requires osquery 5.4.0 or newer.",
 resolution:
@@ -224,6 +224,131 @@ export const DEFAULT_POLICIES = [
 "Contact your IT administrator to ensure your Mac is receiving a profile that enables installation of application updates.",
 platform: "darwin",
 },
+ {
+ key: 22,
+ query:
+ "SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='CriticalUpdateInstall' AND value=1 LIMIT 1;",
+ name:
+ "Automatic security and data file updates is enabled (macOS) [CIS 1.5]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system to automatically download updates to built-in macOS security tools such as malware removal tools.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic security and data update installation.",
+ platform: "darwin",
+ },
+ {
+ key: 23,
+ query:
+ "SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallMacOSUpdates' AND value=1 LIMIT 1;",
+ name:
+ "Automatic installation of operating system updates is enabled (macOS) [CIS 1.6]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system to automatically install operating system updates.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of operating system updates.",
+ platform: "darwin",
+ },
+ {
+ key: 24,
+ query:
+ "SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='forceAutomaticDateAndTime' AND value=1 LIMIT 1;",
+ name:
+ "Time and date are configured to be updated automatically (macOS) [CIS 2.2.1]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system to automatically update the time and date.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic time and date configuration.",
+ platform: "darwin",
+ },
+ {
+ key: 25,
+ query:
+ "SELECT 1 WHERE EXISTS (SELECT CAST(value as integer(4)) valueint from managed_policies WHERE domain = 'com.apple.screensaver' AND name = 'askForPasswordDelay' AND valueint <= 60 LIMIT 1) AND EXISTS (SELECT CAST(value as integer(4)) valueint from managed_policies WHERE domain = 'com.apple.screensaver' AND name = 'idleTime' AND valueint <= 1140 LIMIT 1) AND EXISTS (SELECT 1 from managed_policies WHERE domain='com.apple.screensaver' AND name='askForPassword' AND value=1 LIMIT 1);",
+ name:
+ "Inactivity limit of 20 minutes or less (macOS) [CIS 2.3.1] [CIS 5.8]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system lock the screen in 20 minutes or less.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile that enables the screen saver and lock within an inactivity delay of 20 minutes or less.",
+ platform: "darwin",
+ },
+ {
+ key: 26,
+ query:
+ "SELECT 1 FROM managed_policies WHERE domain='com.apple.MCX' AND name='forceInternetSharingOff' AND value='1' LIMIT 1;",
+ name: "Internet sharing is blocked (macOS) [CIS 2.4.2]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system to prevent Internet sharing.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile that prevents Internet sharing.",
+ platform: "darwin",
+ },
+ {
+ key: 27,
+ query:
+ "SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowContentCaching' AND value='0' LIMIT 1;",
+ name: "Content caching is disabled (macOS) [CIS 2.4.10]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system to disable content caching.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile that disables content caching.",
+ platform: "darwin",
+ },
+ {
+ key: 28,
+ query:
+ "SELECT 1 FROM managed_policies WHERE domain='com.apple.AdLib' AND name='forceLimitAdTracking' AND value='1' LIMIT 1;",
+ name: "Ad tracking is limited (macOS) [CIS 2.5.6]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system to limit advertisement tracking.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile that disables advertisement tracking.",
+ platform: "darwin",
+ },
+ {
+ key: 29,
+ query:
+ "SELECT 1 FROM managed_policies WHERE domain='com.apple.icloud.managed' AND name='DisableCloudSync' AND value='1' LIMIT 1;",
+ name: "iCloud Desktop and Document sync is disabled (macOS) [CIS 2.6.1.4]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system to prevent iCloud Desktop and Documents sync.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile to prevent iCloud Desktop and Documents sync.",
+ platform: "darwin",
+ },
+ {
+ key: 30,
+ query:
+ "SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND name='EnableLogging' AND value='1' LIMIT 1;",
+ name: "Firewall logging is enabled (macOS) [CIS 3.6]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system log firewall activity.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile that enables firewall logging.",
+ platform: "darwin",
+ },
+ {
+ key: 31,
+ query:
+ "SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND name='DisableGuestAccount' AND value='1' LIMIT 1;",
+ name: "Guest account is disabled (macOS) [CIS 6.1.3]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system to prevent the use of a guest account.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile that disables the guest account.",
+ platform: "darwin",
+ },
+ {
+ key: 32,
+ query:
+ "SELECT 1 FROM managed_policies WHERE domain='com.apple.AppleFileServer' AND name='guestAccess' AND value='0' LIMIT 1;",
+ name: "Guest access to shared folders is disabled (macOS) [CIS 6.1.4]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system to prevent guest access to shared folders.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile that prevents guest access to shared folders.",
+ platform: "darwin",
+ },
 ] as IPolicyNew[];
 
 export const FREQUENCY_DROPDOWN_OPTIONS = [
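Review bot: The eleven entries added here (keys 22–32) repeat, string for string, the eleven policies added to `standard-query-library.yml` in this same commit, and the two copies have already diverged: key 22's `description` reads `Checks that a mobile device management (MDM) solution configures ...` while the YAML entry for the same policy reads `Checks that the operating system is configured ...`. Because both lists are maintained by hand, a test that asserts the default policies and the YAML library agree on `query` text (or generating one list from the other) would catch this kind of drift; at minimum the two CIS 1.5 descriptions should be reconciled before merge. The key 25 and key 30 descriptions also drop a word and should read `configures the operating system to lock the screen` and `configures the operating system to log firewall activity`.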