From ff1941c755515d176c99df4394037228148930ef Mon Sep 17 00:00:00 2001
From: Guillaume Ross
Date: Mon, 24 Oct 2022 08:45:58 -0400
Subject: [PATCH] Adding policy queries (#8298)

---
 .../standard-query-library.yml | 12 ++++++-
 frontend/pages/policies/constants.ts | 33 +++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
index fb7be756fe..cc02a9c858 100644
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@@ -992,4 +992,14 @@ spec:
   tags: compliance, CIS, CIS18.9.108.2.1
   platform: windows
   contributors: defensivedepth
-
+---
+apiVersion: v1
+kind: policy
+spec:
+  name: Identify Apple development secrets (macOS)
+  query: SELECT * FROM keychain_items WHERE label LIKE '%ABCDEFG%';
+  description: "Identifies certificates associated with Apple development signing and notarization. Replace ABCDEFG with your company's identifier."
+  resolution: "Ensure your official Apple builds, signing and notarization happen on a centralized system, and remove these certificates from workstations."
+  tags: compliance, inventory, built-in
+  platform: darwin
+  contributors: GuillaumeRoss
diff --git a/frontend/pages/policies/constants.ts b/frontend/pages/policies/constants.ts
index 249403234f..7885745486 100644
--- a/frontend/pages/policies/constants.ts
+++ b/frontend/pages/policies/constants.ts
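Review bot: The new YAML policy's `query: SELECT * FROM keychain_items WHERE label LIKE '%ABCDEFG%';` returns rows exactly when the development certificates are present, so if a policy passes on a non-empty result — which is what the `SELECT 1 WHERE NOT EXISTS (...)` form used for the same check in `frontend/pages/policies/constants.ts` (key 40) assumes — this entry reports hosts that hold the secrets as passing and clean hosts as failing. Inverting it to match the constants.ts copy, `query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM keychain_items WHERE label LIKE '%ABCDEFG%' LIMIT 1);`, keeps the two definitions consistent, and the name then reads better as a pass condition, e.g. `name: No Apple development secrets present (macOS)`. In either form the `ABCDEFG` placeholder matches nothing until a user edits it, so the verdict is fixed for every host; the description could say so explicitly rather than only asking for the replacement.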
@@ -423,4 +423,37 @@ export const DEFAULT_POLICIES: IPolicyNew[] = [
       "Contact your IT administrator to ensure your computer is receiving a Group policy that enables Automatic Updates.",
     platform: "windows",
   },
+  {
+    key: 38,
+    query:
+      "SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM file WHERE filename like '%%Emergency Kit%%.pdf' AND (path LIKE '/Users/%%/Downloads/%%' OR path LIKE '/Users/%%/Desktop/%%'));",
+    name: "No 1Password emergency kit stored on desktop or in downloads (macOS)",
+    description:
+      "Looks for PDF files with file names typically used by 1Password for emergency recovery kits.",
+    resolution:
+      "Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location.",
+    platform: "darwin",
+  },
+  {
+    key: 39,
+    query:
+      "SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM users CROSS JOIN user_ssh_keys USING (uid) WHERE encrypted='0');",
+    name: "No unencrypted SSH keys present",
+    description:
+      "Checks if unencrypted SSH keys are present on the system.",
+    resolution:
+      "Remove SSH keys that are not necessary, and encrypt those that are. On Mac and Linux, use this command to encrypt your existing SSH keys: ssh-keygen -o -p -f path/to/keyfile",
+    platform: "darwin",
+  },
+  {
+    key: 40,
+    query:
+      "SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM keychain_items WHERE label LIKE '%ABCDEFG%' LIMIT 1);",
+    name: "No Apple signing or notarization credentials secrets stored (macOS)",
+    description:
+      "Looks for certificate material linked to a company's Apple Developer account, which should only be present on build servers and not workstations. Replace *ABCDEFG* with your company's identifier.",
+    resolution:
+      "Ensure your official Apple builds, signing and notarization happen on a centralized system, and remove these certificates from workstations.",
+    platform: "darwin",
+  },
 ];
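Review bot: The key 39 entry sets `platform: "darwin"` while its name, `No unencrypted SSH keys present`, carries no platform suffix unlike keys 38 and 40, and its resolution addresses "Mac and Linux"; nothing in the `users`/`user_ssh_keys` join visible here is macOS-specific. If the check is meant to be macOS-only, rename it `name: "No unencrypted SSH keys present (macOS)",`; if Linux hosts are meant to be covered too, the platform field needs to list linux as well (the accepted format of that field is not visible in this hunk). Separately, key 40 ships with the `ABCDEFG` placeholder, so its `NOT EXISTS` query passes on every host until someone edits it; the description already asks for the replacement, but opening it with a sentence such as "This policy passes on every host until ABCDEFG is replaced." makes the default verdict clear to whoever enables it. The enclosing `DEFAULT_POLICIES` array starts outside the hunk.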