Documentation changes for the 4.73.0 release
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Co-authored-by: RachelElysia <rachel@fleetdm.com>
Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Fixes#31106
Details of the changes done
- for macOS 15:
https://github.com/fleetdm/fleet/issues/31106#issuecomment-3155384061
- for macOS 14:
https://github.com/fleetdm/fleet/issues/31106#issuecomment-3155691097
- for macOS 13:
https://github.com/fleetdm/fleet/issues/31106#issuecomment-3155763952
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added new security policies for macOS 15, including controls for Apple
Intelligence features such as external intelligence extensions, writing
tools, mail summarization, and notes summarization.
* Introduced a policy to ensure sleep and display sleep are enabled on
Apple Silicon devices.
* **Improvements**
* Enhanced and clarified descriptions for several existing macOS CIS
policies, including Bluetooth Sharing, Siri, NFS Server, password
policies, and filename extension visibility.
* Updated policy queries and resolutions to align with the latest CIS
Benchmark version 1.1.0 and current macOS settings.
* Standardized resolution instructions and improved contributor
attribution across policies.
* **Bug Fixes**
* Corrected and clarified policy names and descriptions, such as
renaming Siri policy to ensure it is disabled and focusing on
world-writable folders instead of files.
* **Removals**
* Removed the policy requiring auto-update to be enabled for macOS 15.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This is fixing a misinterpretation of the [CIS
document](https://drive.google.com/file/d/1Bq6GSn_wRMp2JKbYsRt51V5BXV1gizDp/view?usp=drive_link)
for Macos 15/
In the doc search for: "show full Website".
The Audit bash script is:
```
% /usr/bin/sudo /usr/sbin/system_profiler SPConfigurationProfileDataType |
/usr/bin/grep ShowFullURLInSmartSearchField | /usr/bin/tr -d ' '
Result on my Mac:
ShowFullURLInSmartSearchField = 1;
```
This should be interpreted as 'Any user who has this setting is ok'. Not
looking for an empty user.
We have 48 other occurrences that we will discuss outside the scope of
this issue.
QA:
Applying the profile for my main user worked.
Adding a test user
The configuration was applied to it without the need to redeploy the
profile.
--> Hence, we are good with the way CIS recommends auditing.
checking with a query finds both accounts with the proper settign:
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
#27396
## Results
First Column:
- `+` = Added
- D = Duplicate
- X = Updated/Removed
- ? = Unclear/un-actionable
Tested Column:
- Yes = Works as described
- NF = Could not find GP setting, but registry key exists and editing it
makes the policy pass
- NA = Not available. Could not find GP setting, registry setting
doesn't exist
| | Tested | Type | Comment |
|--- |------- |------
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
|
| + | NF | ADD | 5 (L2) Ensure 'WinHTTP Web Proxy Auto-Discovery Service
(WinHttpAutoProxySvc)' is set to 'Disabled' |
| + | Yes | ADD | 18.10.58 (L1) Ensure 'Turn on Basic feed
authentication over HTTP' is set to 'Disabled' |
| + | Yes | ADD | 2.3.11 (L1) Ensure 'Network security: LDAP client
encryption requirements' is set to 'Negotiate sealing' or higher |
| + | Yes | ADD | 18.6.4 (L1) Ensure 'Configure multicast DNS (mDNS)
protocol' is set to 'Disabled' |
| + | Yes | ADD | 18.6.4 (L2) Ensure 'Turn off default IPv6 DNS Servers'
is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Audit client does not support
encryption' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Audit client does not support
signing' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Audit insecure guest logon' is set
to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Enable authentication rate
limiter' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Enable remote mailslots' is set to
'Disabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Mandate the minimum version of
SMB' is set to 'Enabled: 3.1.1' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Set authentication rate limiter
delay (milliseconds)' is set to 'Enabled: 2000' or more |
| + | Yes | ADD | 18.6.8 (L1) Ensure 'Audit insecure guest logon' is set
to 'Enabled' |
| + | Yes | ADD | 18.6.8 (L1) Ensure 'Audit server does not support
encryption' is set to 'Enabled' |
| + | Yes | ADD | 18.6.8 (L1) Ensure 'Audit server does not support
signing' is set to 'Enabled' |
| D | -- | ADD | 18.6.8 (L1) Ensure 'Enable remote mailslots' is set to
'Disabled' |
| D | -- | ADD | 18.6.8 (L1) Ensure 'Mandate the minimum version of SMB'
is set to 'Enabled: 3.1.1' |
| + | Yes | ADD | 18.7 (L2) Ensure 'Configure Windows protected print'
is set to 'Enabled' |
| + | Yes | ADD | 18.9 (L1) Ensure 'Configure the behavior of the sudo
command' is set to 'Enabled: Disabled' |
| + | Yes | ADD | 18.9.30.1 (L1) Ensure 'Block NetBIOS-based discovery
for domain controller location' is set to 'Enabled' |
| + | Yes | ADD | 18.9.39 (L1) Ensure 'Configure SAM change password RPC
methods policy' is set to 'Enabled: Block all change password RPC
methods' |
| + | Yes | ADD | 18.10.3 (L2) Ensure 'Turn off API Sampling' is set to
'Enabled' |
| + | Yes | ADD | 18.10.3 (L2) Ensure 'Turn off Application Footprint'
is set to 'Enabled' |
| + | Yes | ADD | 18.10.3 (L2) Ensure 'Turn off Install Tracing' is set
to 'Enabled' |
| + | Yes | ADD | 18.10.4 (L1) Ensure 'Not allow per-user unsigned
packages to install by default (requires explicitly allow per install)'
is set to 'Enabled' |
| + | Yes | ADD | 18.10.18 (L1) Ensure 'Enable App Installer Local
Archive Malware Scan Override' is set to 'Disabled' |
| + | Yes | ADD | 18.10.18 (L1) Ensure 'Enable App Installer Microsoft
Store Source Certificate Validation Bypass' is set to 'Disabled' |
| + | Yes | ADD | 18.10.18 (L2) Ensure 'Enable Windows Package Manager
command line interfaces' is set to 'Disabled' |
| + | Yes | ADD | 18.10.29 (L1) Ensure 'Do not apply the Mark of the Web
tag to files copied from insecure sources' is set to 'Disabled' |
| + | Yes | ADD | 18.10.43 (L1) Ensure 'Control whether exclusions are
visible to local users' is set to 'Enabled' |
| + | Yes | ADD | 18.10.43.4 (L1) Ensure 'Enable EDR in block mode' is
set to 'Enabled' |
| + | Yes | ADD | 18.10.43.8 (L2) Ensure 'Convert warn verdict to block'
is set to 'Enabled' |
| + | Yes | ADD | 18.10.43.10 (L1) Ensure 'Configure real-time
protection and Security Intelligence Updates during OOBE' is set to
'Enabled' |
| + | Yes | ADD | 18.10.43.11.1.1 (L2) Ensure 'Configure Brute-Force
Protection aggressiveness' is set to 'Enabled: Medium' or higher |
| + | Yes | ADD | 18.10.43.11.1.1 (L1) Ensure 'Configure Remote
Encryption Protection Mode' is set to 'Enabled: Audit' or higher |
| + | Yes | ADD | 18.10.43.11.1.2 (L2) Ensure 'Configure how
aggressively Remote Encryption Protection blocks threats' is set to
'Enabled: Medium' or higher |
| + | Yes | ADD | 18.10.43.13 (L1) Ensure 'Scan excluded files and
directories during quick scans' is set to 'Enabled: 1' |
| + | Yes | ADD | 18.10.43.13 (L1) Ensure 'Trigger a quick scan after X
days without any scans' is set to 'Enabled: 7' |
| + | Yes | ADD | 18.10.57.3.3 (L2) Ensure 'Restrict clipboard transfer
from server to client' is set to 'Enabled: Disable clipboard transfers
from server to client' |
| + | NA | ADD | 19.7.40 (L1) Ensure 'Turn off Windows Copilot' is set
to 'Enabled' |
| + | NF | ADD | 5 (L2) Ensure 'GameInput Service (GameInputSvc)' is set
to 'Disabled' |
| + | Yes | ADD | 18.6.8 (L1) Ensure 'Require Encryption' is set to
'Enabled' |
| + | Yes | ADD | 18.10.91 (L2) Ensure 'Allow mapping folders into
Windows Sandbox' is set to 'Disabled' |
| X | Yes | MOVE | 18.4.1 (L1) Ensure 'Configure RPC packet level
privacy setting for incoming connections' is set to 'Enabled' TO 18.7 |
| X | Yes | REMOVE | 18.10.42 Ensure 'Turn off Microsoft Defender
AntiVirus' is set to 'Disabled' |
| X | Yes | REMOVE | 18.10.15 (L1) Ensure 'Toggle user control over
Insider builds' is set to 'Disabled' |
| X | Yes | REMOVE | 18.10.66 (L1) Ensure 'Only display the private
store within the Microsoft Store' is set to 'Enabled' |
| X | Yes | REMOVE | 2.3.1 (L1) Ensure 'Accounts: Block Microsoft
accounts' is set to 'Users can't add or log on with Microsoft accounts'
|
| X | Yes | REMOVE | 18.9.7.1 (BL) Ensure 'Prevent installation of
devices that match any of these device IDs: Prevent installation of
devices that match any of these device IDs' is set to
'PCI\CC<sub>0C0A</sub>' |
| X | Yes | REMOVE | 18.9.7 (BL) Ensure 'Prevent installation of devices
that match any of these device IDs: Also apply to matching devices that
are already installed.' is set to 'True' (checked) |
| X | Yes | REMOVE | 18.9.7 (BL) Ensure 'Prevent installation of devices
that match any of these device IDs' is set to 'Enabled' |
| X | Yes | REMOVE | 5 (L2) Ensure 'Peer Name Resolution Protocol
(PNRPsvc)' is set to 'Disabled' |
| X | Yes | REMOVE | 5 (L2) Ensure 'Peer Networking Grouping (p2psvc)'
is set to 'Disabled' |
| X | Yes | REMOVE | 5 (L2) Ensure 'Peer Networking Identity Manager
(p2pimsvc)' is set to 'Disabled' |
| X | Yes | REMOVE | 5 (L2) Ensure 'PNRP Machine Name Publication
Service (PNRPAutoReg)' is set to 'Disabled' |
| X | Yes | REMOVE | 18.6.4 (L1) Ensure ‘Configure DNS over HTTPS (DoH)
name resolution' is set to 'Enabled: Allow DoH' or higher |
| X | Yes | RENAME | 2.2 (L1) Configure 'Create symbolic links' TO (L1)
Ensure 'Create symbolic links' is set to 'Administrators'23528 |
| X | Yes | RENAME | 2.2 (L2) Configure 'Log on as a service' TO (L2)
Ensure 'Log on as a service' is configured |
| + | Yes | RENAME | 18.10.82.1 (L1) Ensure 'Enable MPR notifications
for the system' TO 'Configure the transmission of the user's password in
the content of MPR notifications sent by winlogon.' |
| X | Yes | UPDATE | 18.10.17 (L1 -> L2) Ensure 'Enable App Installer'
is set to 'Disabled' |
| X | Yes | UPDATE | 18.4 (L1) Ensure 'Enable Certificate Padding' TO
Allow REG<sub>DWORD</sub> or REG<sub>SZ</sub> |
| X | NA | UPDATE | 18.9.26 Ensure 'Configures LSASS to run as a
protected process' is set to 'Enabled: Enabled with UEFI Lock' |
| ? | Unknown | UPDATE | Section 17 Auditpol commands to use Policy
GUIDs |
| ? | Unknown | UPDATE | 18.4 (L1) Ensure 'Enable Certificate Padding'
is set to 'Enabled' |
| ? | Unknown | UPDATE | Section changes from Windows 11 Release 23H2
v2.0 Administrative Templates |
| ? | Unknown | UPDATE | Section changes from Windows 11 Release 24H2
Administrative Templates |
| ? | Unknown | UPDATE | User Overview (Section 19) |
| ? | Unknown | UPDATE | Profile Names |
| ? | Unknown | UPDATE | General Overview and Intended Audience Section
|
| ? | Unknown | UPDATE | BitLocker Operating System Drive Section |
| ? | Unknown | UPDATE | 18.10.93.4 (L1) Ensure 'Enable optional
updates' is set to 'Disabled' |
Move around some parameters and mark `script_id` required
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com>
PR for https://github.com/fleetdm/fleet/issues/24647
Adds:
- 2.6.3.3: Ensure Improve Assistive Voice Features Is Disabled
- 5.11: Ensure Logging Is Enabled for Sudo (Automated)
2.6.3.1, 2.6.3.2, 2.6.3.4 were previously added.
2.7.2. is a `Manual` check, which is not supported here.
---------
Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
All edited YAML files were ran through a YAML syntax check before before
committed.
**macOS-13**
- UPDATED: "3.5 - Ensure Access to Audit Records Is Controlled"
Description and Resolution. Query did not change.
- ADDED: "5.10 - Ensure XProtect Is Running and Updated" Checking for
updated is actually handled via a different query.
**macOS-14**
- UPDATED: "3.5 - Ensure Access to Audit Records Is Controlled"
Description and Resolution. Query did not change.
- ADDED: "5.10 - Ensure XProtect Is Running and Updated" Checking for
updated is actually handled via a different query.
**macOS-15**
Initial version duplicated from macOS-14 queries, then the following
changes were applied:
- REMOVED: "3.6 - Ensure Firewall Logging Is Enabled and Configured"
The following controls were not added, further research on how to check
them with osquery is required:
- 2.6.3.1 - 2.6.3.5 and 2.7.2: I am not sure how we can accomplish this.
- "5.11 - Ensure Logging Is Enabled For Sudo" I believe this one can be
accomplished through the file_lines table
---------
Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Co-authored-by: Sharon Katz <sharon@fleetdm.com>
Changelog
ADD:
ADD - 2.3.3.2 Ensure the Time Service Is Enabled
ADD - 6.3.10 Ensure Show Status Bar Is Enabled
REMOVE:
REMOVE - 2.3.2.2 Ensure Time Is Set Within Appropriate Limits
UPDATE:
UPDATE - 2.6.1.2 Ensure Location Services Is in the Menu Bar
UPDATE - 3.1 Ensure Security Auditing Is Enabled
UPDATE - 5.1.6 Ensure No World Writable Folders Exist in the System
Folder
UPDATE - 5.7 Ensure an Administrator Account Cannot Login to Another
User's Active and Locked Session
UPDATE - 2.9.1.1 Ensure the OS Is Not Active When Resuming from Standby
(Intel)
UPDATE - 2.9.1.2 Ensure the OS Is Not Active When Resuming from Sleep
and Display Sleep (Apple Silicon)
---------
Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Changelog
ADD:
ADD - 2.3.3.2 Ensure the Time Service Is Enabled
ADD - 6.3.10 Ensure Show Status Bar Is Enabled
UPDATE:
UPDATE - 2.6.1.2 Ensure Location Services Is in the Menu Bar
UPDATE - 3.1 Ensure Security Auditing Is Enabled
UPDATE - 5.7 Ensure an Administrator Account Cannot Login to Another
User's Active and Locked Session
UPDATE - 5.1.6 Ensure No World Writable Folders Exist in the System
Folder
UPDATE - 2.9.1.1 Ensure the OS Is Not Active When Resuming from Standby
(Intel)
UPDATE - 2.9.1.2 Ensure the OS Is Not Active When Resuming from Sleep
and Display Sleep (Apple Silicon)
---------
Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Changelog
ADD:
ADD - 18.10.75.1 (L1) Ensure 'Automatic Data Collection' is set to
'Enabled'
ADD - 18.10.92.2 (L1) Ensure 'Enable features introduced via servicing
that are off by default' is set to 'Disabled'
ADD - 18.10.92.4 (L1) Ensure 'Enable optional updates' is set to
'Disabled'
ADD - 18.8 (L2) Ensure 'Remove Personalized Website Recommendations from
the Recommended section in the Start Menu' is set to 'Enabled'
ADD - 18.9.19 (L1) 'Configure security policy processing: Do not apply
during periodic background processing' is set to 'False'
ADD - 18.9.19 (L1) 'Configure security policy processing: Process even
if the Group Policy objects have not changed' is set to 'True'
ADD - 18.9.25 (L1) Ensure 'Configure password backup directory' is set
to 'Enabled: Active Directory' or 'Enabled: Azure Active Directory'
ADD - 18.9.25 (L1) Ensure 'Enable password encryption' is set to
'Enabled'
ADD - 18.9.25 (L1) Ensure 'Post-authentication actions: Actions' is set
to 'Enabled: Reset the password and logoff the managed account' or
higher
ADD - 18.9.25 (L1) Ensure 'Post-authentication actions: Grace period
(hours)' is set to 'Enabled: 8 or fewer hours, but not 0'
ADD - 19.7.38 (L1) Ensure 'Turn off Windows Copilot' is set to 'Enabled'
ADD - 2.3.11 (L1) Ensure 'Network security: Restrict NTLM: Audit
Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'
ADD - 2.3.11 (L1) Ensure 'Network security: Restrict NTLM: Outgoing NTLM
traffic to remote servers' is set to 'Audit all' or higher
REMOVE:
REMOVE - 18.10.76.3 (L1) Ensure 'Prevent bypassing Windows Defender
SmartScreen prompts for sites' is set to 'Enabled'
REMOVE - 5 (L1) Ensure 'Internet Connection Sharing (ICS)
(SharedAccess)' is set to 'Disabled'
REMOVE - 9.1 (L1) Ensure 'Windows Firewall: Domain: Outbound
connections' is set to 'Allow (default)'
REMOVE - 9.2 (L1) Ensure 'Windows Firewall: Private: Outbound
connections' is set to 'Allow (default)'
REMOVE - 9.3 (L1) Ensure 'Windows Firewall: Public: Outbound
connections' is set to 'Allow (default)'
UPDATE:
UPDATE - 18.10.42.7 (L2 -> L1) Ensure 'Enable file hash computation
feature' is set to 'Enabled'
UPDATE - 18.10.86 (L1 -> L2) Ensure 'Turn on PowerShell Script Block
Logging' is set to 'Enabled'
UPDATE - 18.10.86 (L1 -> L2) Ensure 'Turn on PowerShell Transcription'
is set to 'Enabled'
UPDATE - 18.5 'MSS: (AutoAdminLogon) Enable Automatic Logon (not
recommended)' TO 'MSS: (AutoAdminLogon) Enable Automatic Logon'
UPDATE - 18.5 'MSS: (DisableIPSourceRouting IPv6) IP source routing
protection level (protects against packet spoofing)' TO 'MSS:
(DisableIPSourceRouting IPv6) IP source routing protection level'
UPDATE - 18.5 'MSS: (DisableIPSourceRouting) IP source routing
protection level (protects against packet spoofing)' TO 'MSS:
(DisableIPSourceRouting) IP source routing protection level'
UPDATE - 18.5 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and
configure Default Gateway addresses (could lead to DoS)' TO 'MSS:
(PerformRouterDiscovery) Allow IRDP to detect and configure Default
Gateway addresses'
UPDATE - 18.5 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode
(recommended)' TO 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode'
UPDATE - 18.5 'MSS: (ScreenSaverGracePeriod) The time in seconds before
the screen saver grace period expires (0 recommended)' TO 'MSS:
(ScreenSaverGracePeriod) The time in seconds before the screen saver
grace period expires'
UPDATE - 18.5 'MSS: (KeepAliveTime) How often keep-alive packets are
sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes
(recommended)' TO 'Enabled: 300,000 or 5 minutes'
UPDATE - 18.9.50.1 (L2 -> L1) Ensure 'Enable Windows NTP Client' is set
to 'Enabled'
UPDATE - 18.9.50.1 (L2 -> L1) Ensure 'Enable Windows NTP Server' is set
to 'Disabled'
---------
Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Co-authored-by: Sharon Katz <sharon@fleetdm.com>
This PR adds support for CIS Controls for macOS 14 - Sonoma.
The CIS Control changes from macOS 13 to 14 was minimal:
- Removed 5.9
- Added 2.18.1
- tested by running the test profile (ee/cis/macos-14/test/profiles/on-device-dictiation-enabled.mobileconfig)
---------
Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Found while working on #12696.
This was caught be a recent check added by @mostlikelee to `fleetctl
apply` (#13294).
Sample error:
```sh
$ fleetctl apply --context loadtest -f ee/cis/win-10/cis-policy-queries.yml
Error: applying policies: policy names must be globally unique. Please correct policy "CIS - Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'\n" and try again.
```
#11939
- This PR fixes typos in three CIS Windows queries (the queries were
failing with `invalid SQL syntax`).
- Also adds tooling to perform similar testing that we ran for macOS
(using `fleetd_tables` as an extension).
#10292, #12554
When scanning tens of thousands of files for permissions, using the
`find` command exposed as a fleetd table is more performant than trying
to use the `file` table. This change caused the watchdog to *stop*
killing osquery because of exceeding memory or CPU limit.
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
#10292
The query was processing *every* file under `/Applications/`, which
makes it super expensive both in CPU usage and Memory footprint. This
query was the main culprit of triggering worker process kills by the
watchdog.
On some runs it triggered CPU usage alerts:
```
7716:W0623 15:38:05.402959 221732864 watcher.cpp:415] osqueryd worker (72976) stopping:
Maximum sustainable CPU utilization limit 1200ms exceeded for 12 seconds
```
And on other runs it triggered memory usage alerts:
```
4431 W0626 07:28:50.868021 147312640 watcher.cpp:424] osqueryd worker (21453) stopping:
Memory limits exceeded: 214020096 bytes (limit is 200MB)
```
For the above logs I used a custom osqueryd branch to be able to print
more information: https://github.com/osquery/osquery/pull/8070
The metrics for the old query were CPU usage: ~4521 ms
```
435:level=warn ts=2023-06-26T09:58:29.665712Z query=fleet_policy_query_1233 queryTime=4521 memory=12226560 msg="distributed query performance is excessive" hostID=308 platform=darwin
```
With the new query, CPU usage: ~210 ms.
```
23893:level=debug ts=2023-06-26T18:06:08.242456Z query=fleet_policy_query_1233 queryTime=210 msg=stats memory=0 hostID=308 platform=darwin
```
Basically a ~20x improvement.
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- ~[ ] Added/updated tests~
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
https://github.com/fleetdm/fleet/issues/10602
@xpkoala this PR will require testing of all modified items.
Preferably, we should perform the tests before merging to master. Can we
use the dev branch for that? -- Items were tested locally.
This relates to #11312
`18.9.17.6`: Fixing the issue with policy pointing to a different GPO
and Registry value
`18.9.47.4.2`: Adding COLLATE NOCASE to avoid case sensitive issue with
SpynetReporting value
