fae0c8561f
# Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes ## Testing - [ ] Added/updated automated tests - [ ] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [ ] QA'd all new/changed functionality manually For unreleased bug fixes in a release candidate, one of: - [ ] Confirmed that the fix is not expected to adversely impact load test results - [ ] Alerted the release DRI if additional load testing is needed ## Database migrations - [ ] Checked table schema to confirm autoupdate - [ ] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [ ] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). ## New Fleet configuration settings - [ ] Setting(s) is/are explicitly excluded from GitOps If you didn't check the box above, follow this checklist for GitOps-enabled settings: - [ ] Verified that the setting is exported via `fleetctl generate-gitops` - [ ] Verified the setting is documented in a separate PR to [the GitOps documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485) - [ ] Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional) - [ ] Verified that any relevant UI is disabled when GitOps mode is enabled ## fleetd/orbit/Fleet Desktop - [ ] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) - [ ] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes - [ ] Verified that fleetd runs on macOS, Linux and Windows - [ ] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
7.8 KiB
CIS Benchmarks
Available in Fleet Premium.
CIS Benchmarks represent the consensus-based effort of cybersecurity experts to help you protect your systems against threats more confidently. For more information about CIS Benchmarks check out Center for Internet Security's website.
Fleet has implemented native support for CIS Benchmarks for the following platforms:
- macOS 13.0 Ventura
- macOS 14.0 Sonoma
- macOS 15.0 Sequoia
- Windows 10 Enterprise
- Windows 11 Enterprise
Where possible, each CIS Benchmark is implemented with a policy query in Fleet.
These policy queries are intended to assess your organization's security posture against the CIS benchmarks. Because the policy queries alone do not remediate security issues, a host may fail a CIS Benchmark policy if there is no device profile or script in place to enforce the setting. By enabling automations in Fleet, these policy queries can be used as the basis for managing security compliance and remediation in Fleet.
For example, this is the query for CIS - Ensure FileVault Is Enabled (MDM Required):
SELECT 1 WHERE
EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.MCX' AND
name='dontAllowFDEDisable' AND
(value = 1 OR value = 'true') AND
username = ''
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.MCX' AND
name='dontAllowFDEDisable' AND
(value != 1 AND value != 'true')
)
AND EXISTS (
SELECT 1 FROM disk_encryption WHERE
user_uuid IS NOT "" AND
filevault_status = 'on'
);
This policy is evaluating 2 attributes:
- Is FileVault currently enabled?
- Is there a profile in place that prevents FileVault from being disabled?
If either of these conditions fails, the host is considered to be failing the policy.
How to add CIS Benchmarks
All CIS policies are stored under our restricted licensed folder ee/cis/. To easily convert the CIS benchmarks YAML raw file to a YAML array format compatible with Fleet GitOps, follow these steps:
- Install yq if you don't have it already. (yq is a command-line YAML, JSON and XML processor.)
- Run this Shell script to transform the policies into Fleet YAML:
#!/bin/bash
#shellcheck disable=SC2207
# convert.cis.policy.queries.yml @2024 Fleet Device Management
# CIS queries as written here:
# https://github.com/fleetdm/fleet/blob/main/ee/cis/macos-14/cis-policy-queries.yml
# must be converted to be uploaded via Fleet GitOps.
#
# This script takes as input the YAML from the file linked above & creates a new YAML array compatible with the "Separate file" format documented here:
# https://fleetdm.com/docs/configuration/yaml-files#separate-file
# get CIS queries raw file from Fleet repo
cisfile='https://raw.githubusercontent.com/fleetdm/fleet/refs/heads/main/ee/cis/macos-14/cis-policy-queries.yml'
cispath='/private/tmp/cis.yml'
# cisspfl='/private/tmp/cis.gitops.yml'
/usr/bin/curl -X GET -LSs "$cisfile" -o "$cispath"
# create CIS benchmark array
IFS=$'\n'
cisarry=($(/opt/homebrew/bin/yq '.spec.name' "$cispath" | /usr/bin/grep -v '\-\-\-'))
for i in "${cisarry[@]}"
do
cisname="$(/opt/homebrew/bin/yq ".[] | select(.name == \"$i\") | (del(.platforms)) | (del(.purpose)) | (del(.tags)) | (del(.contributors))" "$cispath" | /opt/homebrew/bin/yq eval '.name')"
cispfrm="$(/opt/homebrew/bin/yq ".[] | select(.name == \"$i\") | (del(.platforms)) | (del(.purpose)) | (del(.tags)) | (del(.contributors))" "$cispath" | /opt/homebrew/bin/yq eval '.platform')"
cisdscr="$(/opt/homebrew/bin/yq ".[] | select(.name == \"$i\") | (del(.platforms)) | (del(.purpose)) | (del(.tags)) | (del(.contributors))" "$cispath" | /opt/homebrew/bin/yq eval --unwrapScalar=true '.description')"
cisrslt="$(/opt/homebrew/bin/yq ".[] | select(.name == \"$i\") | (del(.platforms)) | (del(.purpose)) | (del(.tags)) | (del(.contributors))" "$cispath" | /opt/homebrew/bin/yq eval --unwrapScalar=true '.resolution')"
cisqrry="$(/opt/homebrew/bin/yq ".[] | select(.name == \"$i\") | (del(.platforms)) | (del(.purpose)) | (del(.tags)) | (del(.contributors))" "$cispath" | /opt/homebrew/bin/yq eval --unwrapScalar=true '.query')"
printf "name: %s\nplatform: %s\ndescription: |\n%s\nresolution: |\n%s\nquery: |\n%s\n" "$cisname" "$cispfrm" "$cisdscr" "$cisrslt" "$cisqrry" | /usr/bin/sed 's/^/ /g;s/^[[:space:]]*name:/- name:/;s/^[[:space:]]*platform:/ platform:/;s/^[[:space:]]*description:/ description:/;s/^[[:space:]]*resolution:/ resolution:/;s/^[[:space:]]*query:/ query:/'
# set -x
# trap read debug
done
- The converted YAML is written to standard out in the Terminal. Copy/paste the CIS policies you wish to use into your own YAML file and run Fleet GitOps.
If you're using fleetctl apply, you can apply the policies to a specific team use the --policies-team flag:
fleetctl apply --policies-team "Workstations" -f cis-policy-queries.yml
Levels 1 and 2
CIS designates various benchmarks as Level 1 or Level 2 to describe the level of thoroughness and burden that each benchmark represents.
Each benchmark is tagged as CIS_Level1 or CIS_Level2.
Level 1
Items in this profile intend to:
- be practical and prudent;
- provide a clear security benefit; and
- not inhibit the utility of the technology beyond acceptable means.
Level 2
This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:
- are intended for environments or use cases where security is paramount or acts as defense in depth measure
- may negatively inhibit the utility or performance of the technology.
Requirements
Following are the requirements to use the CIS Benchmarks in Fleet:
- Devices must be running
fleetd, Fleet's lightweight agent. - Some CIS Benchmarks explicitly involve verifying MDM-based controls, so devices must be enrolled to an MDM solution.
- On macOS, the orbit component of fleetd must have "Full Disk Access", see Grant Full Disk Access to Osquery on macOS.
Limitations
Certain benchmarks cannot be automated by a policy in Fleet. For a list of specific benchmarks which are not covered, please visit the README for each benchmark:
Performance testing
In August 2023, we completed scale testing on 10k Windows hosts and 70k macOS hosts. Ultimately, we validated both server and host performance at that scale.