mirror of
https://github.com/fleetdm/fleet
synced 2026-05-24 09:28:54 +00:00
When importing CIS benchmark content for multiple OS versions into a single Fleet team via GitOps, users encounter several hard validation failures because Fleet enforces uniqueness on script basenames, mobileconfig PayloadDisplayName / PayloadIdentifier, and policy name fields.

Changes (all confined to docs/solutions/cis/):

- Fix `#!/usr/bin/env bash` shebang in CIS_2.6.7.sh (macOS 13/14/15) -> `#!/bin/bash`
- Prefix script filenames with OS slug (macos13-, macos14-, macos15-, win10-, win11-, win11-intune-) to prevent basename collisions
- Prefix mobileconfig PayloadDisplayName with OS tag ([macOS 13] etc.), which is the field Fleet uses for identity
- Prefix mobileconfig PayloadIdentifier with an OS slug so identifiers stay unique across versions
- Prefix every policy `name:` field with the OS tag; preserve original YAML formatting (plain, single-quoted with '' escapes, and folded block scalars)
- Rename Windows XML profiles with win10-, win11-, and win11-intune- prefixes

None of these changes affect the security logic or coverage of the benchmarks. They only make the content importable without manual intervention.

Co-authored-by: Claude <noreply@anthropic.com>
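A pre-import check for the collision problem the commit message describes, as an added example rather than Fleet's or the PR's own code. It assumes only the three identity fields named above (script basename, mobileconfig PayloadDisplayName / PayloadIdentifier, policy name) and constructs its own sample bundle; the `org.example` identifiers, file paths and policy names are placeholders.

```python
import plistlib
from collections import defaultdict
from posixpath import basename


def collisions(script_paths, profile_xml, policy_names):
    """Return {field: {value: [sources]}} for every identity value used twice or more.

    profile_xml and policy_names map a source label to the mobileconfig XML text
    and to the policy's name field respectively; Fleet keys scripts by basename.
    """
    seen = defaultdict(lambda: defaultdict(list))
    for path in script_paths:
        seen["script basename"][basename(path)].append(path)
    for src, xml in profile_xml.items():
        plist = plistlib.loads(xml.encode())
        for key in ("PayloadDisplayName", "PayloadIdentifier"):
            seen[key][plist[key]].append(src)
    for src, name in policy_names.items():
        seen["policy name"][name].append(src)
    return {field: hits for field, values in seen.items()
            if (hits := {v: s for v, s in values.items() if len(s) > 1})}


def profile(display_name, identifier):
    """Constructed minimal mobileconfig carrying only the two identity keys."""
    return plistlib.dumps({"PayloadDisplayName": display_name,
                           "PayloadIdentifier": identifier,
                           "PayloadType": "Configuration"}).decode()


# Constructed sample: the same item shipped for macOS 13 and macOS 14, unprefixed...
UNPREFIXED = dict(
    script_paths=["macos13/scripts/CIS_2.6.7.sh", "macos14/scripts/CIS_2.6.7.sh"],
    profile_xml={"macos13/cp/a.mobileconfig": profile("CIS 2.1.1", "org.example.cis.2.1.1"),
                 "macos14/cp/a.mobileconfig": profile("CIS 2.1.1", "org.example.cis.2.1.1")},
    policy_names={"macos13/policies.yml#1": "CIS - Enable FileVault",
                  "macos14/policies.yml#1": "CIS - Enable FileVault"},
)
# ...and after the OS slug / OS tag prefixes from the commit are applied.
PREFIXED = dict(
    script_paths=["macos13/scripts/macos13-CIS_2.6.7.sh", "macos14/scripts/macos14-CIS_2.6.7.sh"],
    profile_xml={"macos13/cp/a.mobileconfig": profile("[macOS 13] CIS 2.1.1", "org.example.macos13.cis.2.1.1"),
                 "macos14/cp/a.mobileconfig": profile("[macOS 14] CIS 2.1.1", "org.example.macos14.cis.2.1.1")},
    policy_names={"macos13/policies.yml#1": "[macOS 13] CIS - Enable FileVault",
                  "macos14/policies.yml#1": "[macOS 14] CIS - Enable FileVault"},
)
if __name__ == "__main__":
    for label, bundle in (("unprefixed", UNPREFIXED), ("prefixed", PREFIXED)):
        print(label, collisions(**bundle) or "no collisions")
```

Running it over a real checkout means feeding the script paths, the mobileconfig files and the parsed policy names of every per-OS folder into one call, since the collisions only appear once the folders are merged into a single team.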
# Windows 10 Enterprise benchmarks
Fleet's policies have been written against v3.0.0 of the benchmark. You can refer to the CIS website for full details about this version.
For requirements and usage details, see the CIS Benchmarks documentation.
## Contents

| Folder | Description |
|---|---|
| `policies/` | GitOps-compatible policy YAML — import via `fleetctl apply` or reference with `- path:` in `fleet.yml` |
| `configuration-profiles/` | SyncML XML profiles — upload via Fleet UI or `fleetctl apply` to enforce the settings checked by the policies |
| `scripts/` | PowerShell scripts — upload via Fleet UI or `fleetctl apply` and link as `run_script` remediation in the corresponding policy |
## Limitations

None. All items in this version of the benchmark can be automated.
## Checks that require a Group Policy template

Several items require Group Policy templates to be in place before they can be audited.

These items are tagged with the label `CIS_group_policy_template_required` in the YAML file, and each item's resolution describes the Group Policy templates it needs.