query:SELECT name AS name, version AS version, 'deb_packages' AS source FROM deb_packages WHERE name LIKE 'openssl%' UNION SELECT name AS name, version AS version, 'apt_sources' AS source FROM apt_sources WHERE name LIKE 'openssl%' UNION SELECT name AS name, version AS version, 'rpm_packages' AS source FROM rpm_packages WHERE name LIKE 'openssl%';
description:The presence of authorized SSH keys may be unusual on laptops. It could be completely normal on servers, but it may be worth auditing for unusual keys and/or changes.
query:SELECT username, authorized_keys. * FROM users CROSS JOIN authorized_keys USING (uid);
remediation:Check the linked table (https://github.com/fleetdm/fleet/blob/32b4d53e7f1428ce43b0f9fa52838cbe7b413eed/handbook/queries/detect-hosts-with-high-severity-vulnerable-versions-of-openssl.md#table-of-vulnerable-openssl-versions) to determine whether the installed version has a high-severity vulnerability and to view the corresponding CVE(s).
description:Get all software installed on a Linux computer, including browser plugins and installed packages. Note that this does not include other running processes in the processes table.
query:SELECT name AS name, version AS version, 'Package (APT)' AS type, 'apt_sources' AS source FROM apt_sources UNION SELECT name AS name, version AS version, 'Package (deb)' AS type, 'deb_packages' AS source FROM deb_packages UNION SELECT package AS name, version AS version, 'Package (Portage)' AS type, 'portage_packages' AS source FROM portage_packages UNION SELECT name AS name, version AS version, 'Package (RPM)' AS type, 'rpm_packages' AS source FROM rpm_packages UNION SELECT name AS name, '' AS version, 'Package (YUM)' AS type, 'yum_sources' AS source FROM yum_sources UNION SELECT name AS name, version AS version, 'Package (NPM)' AS type, 'npm_packages' AS source FROM npm_packages UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages;
description:Get all software installed on a macOS computer, including apps, browser plugins, and installed packages. Note that this does not include other running processes in the processes table.
query:SELECT name AS name, bundle_short_version AS version, 'Application (macOS)' AS type, 'apps' AS source FROM apps UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name As name, version AS version, 'Browser plugin (Safari)' AS type, 'safari_extensions' AS source FROM safari_extensions UNION SELECT name AS name, version AS version, 'Package (Homebrew)' AS type, 'homebrew_packages' AS source FROM homebrew_packages;
description:Get all software installed on a Windows computer, including programs, browser plugins, and installed packages. Note that this does not include other running processes in the processes table.
query:SELECT name AS name, version AS version, 'Program (Windows)' AS type, 'programs' AS source FROM programs UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (IE)' AS type, 'ie_extensions' AS source FROM ie_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name AS name, version AS version, 'Package (Chocolatey)' AS type, 'chocolatey_packages' AS source FROM chocolatey_packages UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages;
description:Get current users with an active shell/console on the system and their associated processes.
query:SELECT user,host,time, p.name, p.cmdline, p.cwd, p.root FROM logged_in_users liu, processes p WHERE liu.pid = p.pid and liu.type='user' and liu.user <> '' ORDER BY time;
description:Identify SSH keys created without a passphrase, which can be used for lateral movement (MITRE TA0008).
query:SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys using (uid) WHERE encrypted=0 and username in (SELECT distinct(username) FROM last);
description:Detect any processes that run with the DYLD_INSERT_LIBRARIES environment variable set.
query:SELECT env.pid, env.key, env.value, p.name,p.path, p.cmdline, p.cwd FROM process_envs env join processes p USING (pid) WHERE key='DYLD_INSERT_LIBRARIES';
query:SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface) WHERE address not in ('127.0.0.1', '::1');
description:Detects devices that are potentially vulnerable to CVE-2021-1675 because the print spooler service is not disabled.
query:SELECT CASE cnt WHEN 2 THEN "TRUE" ELSE "FALSE" END "Vulnerable" FROM (SELECT name start_type, COUNT(name) AS cnt FROM services WHERE name = 'NTDS' or (name = 'Spooler' and start_type <> 'DISABLED')) WHERE cnt = 2;
description:Lists all processes whose launching binary no longer exists on disk. Attackers often delete a binary from disk after launching it to mask their presence.
description:Looks for a specific hash in the Users/ directories among files that are less than 50 MB (an osquery file-size limitation).
query:SELECT path, sha256 FROM hash WHERE path IN (SELECT path FROM file WHERE size < 50000000 AND path LIKE '/Users/%/Documents/%%') AND sha256 = '16d28cd1d78b823c4f961a6da78d67a8975d66cde68581798778ed1f98a56d75';
description:Looks for the TeamViewer service running on machines. Attackers who gain access to a machine often run TeamViewer on it to retain access to that machine.
query:SELECT CASE cnt WHEN 0 THEN "NONE_INSTALLED" ELSE "INSTALLED" END AS "Malicious Python Packages", package_name, package_version FROM (SELECT COUNT(name) AS cnt, name AS package_name, version AS package_version, path AS package_path FROM python_packages WHERE package_name IN ('acquisition', 'apidev-coop', 'bzip', 'crypt', 'django-server', 'pwd', 'setup-tools', 'telnet', 'urlib3', 'urllib'));
description:Returns forensic data showing evidence of likely file execution, including each file's last-modified timestamp, its full path, and the order in which files were executed.
description:"Returns a list of active processes and the Jar paths which are using Log4j. Version numbers are usually within the Jar filename. Note: This query is resource intensive and has caused problems on systems with limited swap space. Test on some systems before running this widely."
name:Get subscription-based applications that have not been opened for the last 30 days
platforms:macOS
description:Returns applications that are subscription-based and have not been opened for the last 30 days. You can replace the list of applications with those specific to your use case.
query:SELECT * FROM apps WHERE path LIKE '/Applications/%' AND name IN ("Photoshop.app", "Adobe XD.app", "Sketch.app", "Illustrator.app") AND last_opened_time < (( SELECT unix_time FROM time ) - 2592000000000 );
query:SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;
description:Checks to make sure that the Gatekeeper feature is enabled on macOS devices. Gatekeeper tries to ensure that only trusted software is run on a Mac.
resolution:"To enable Gatekeeper, on the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable."
query:SELECT 1 FROM sip_config WHERE config_flag = 'sip' AND enabled = 1;
description:Checks to make sure that the System Integrity Protection feature is enabled.
resolution:"To enable System Integrity Protection, on the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable."
query:SELECT 1 FROM managed_policies WHERE domain = 'com.apple.loginwindow' AND name = 'com.apple.login.mcx.DisableAutoLoginClient' AND value = 1 LIMIT 1;
description:"Required: You’re already enforcing a policy via Mobile Device Management (MDM). Checks to make sure that the device user cannot log in to the device without a password."
resolution:"The following example profile includes a setting to disable automatic login: https://github.com/gregneagle/profiles/blob/fecc73d66fa17b6fa78b782904cb47cdc1913aeb/loginwindow.mobileconfig#L64-L65."
description:"Required: You’re already enforcing a policy via Mobile Device Management (MDM). Checks to make sure that guest accounts cannot be used to log in to the device without a password."
resolution:"The following example profile includes a setting to disable guest users: https://github.com/gregneagle/profiles/blob/fecc73d66fa17b6fa78b782904cb47cdc1913aeb/loginwindow.mobileconfig#L68-L71."
description:"Required: You’re already enforcing a policy via Mobile Device Management (MDM). Checks to make sure that the Secure Keyboard Entry setting is enabled."
query:SELECT path, value AS version FROM plist WHERE (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist') OR (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist');
description:Reads the version numbers from the Malware Removal Tool (MRT) and built-in antivirus (XProtect) plists.
query:SELECT score FROM (SELECT case when COUNT(*) = 2 then 1 ELSE 0 END AS score FROM plist WHERE (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist' AND value>=2155) OR (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist' and value>=1.88)) WHERE score == 1;
description:Checks the versions of the Malware Removal Tool (MRT) and the built-in macOS antivirus (XProtect). Replace the version numbers in the query with the latest versions regularly.
resolution:
To enable automatic security definition updates, on the failing device, select System
query:SELECT 1 from windows_security_center wsc CROSS JOIN windows_security_products wsp WHERE antivirus = 'Good' AND type = 'Antivirus' AND signatures_up_to_date=1;
query:SELECT score FROM (SELECT case when COUNT(*) = 2 then 1 ELSE 0 END AS score FROM processes WHERE (name = 'clamd') OR (name = 'freshclam')) WHERE score == 1;
description:"Required: osquery deployed with Orbit, or manual installation of macadmins/osquery-extension. Checks that a Mac is enrolled in MDM. Add an AND condition on identity_certificate_uuid to check for a specific MDM."
name:Application is up to date or not present (macOS)
query:SELECT 1 WHERE EXISTS (SELECT 1 FROM apps a1 WHERE a1.bundle_identifier = 'com.electron.dockerdesktop' AND a1.bundle_short_version>='4.6.1') OR NOT EXISTS (SELECT 1 FROM apps a2 WHERE a2.bundle_identifier = 'com.electron.dockerdesktop');
description:"Checks whether the application (Docker Desktop in this example) is either not installed, or installed and up to date. Fails if the application is installed at a lower version. You can copy this query and replace the bundle_identifier and bundle_version values to apply the same type of policy to other applications."
resolution:"Update Docker or remove it if not used."
query:SELECT 1 FROM managed_policies WHERE name='askForPassword' AND value='1';
description:"Checks that an MDM profile configures the screen lock."
resolution:"Contact your IT administrator to help you enroll your computer in your organization's MDM. If already enrolled, ask your IT administrator to enable the screen lock feature in the profile configuration."
query:SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs' AND CAST(data as INTEGER) <= 1800;
description:"Checks if the screen lock is enabled and configured to lock the system within 30 minutes or less."
resolution:"Ask your IT administrator to enable the Interactive Logon: Machine inactivity limit setting with a value of 1800 seconds or lower."
name:Password requires 10 or more characters (macOS)
query:SELECT 1 FROM (SELECT cast(lengthtxt as integer(2)) minlength FROM (SELECT SUBSTRING(length, 1, 2) AS lengthtxt FROM (SELECT policy_description, policy_identifier, split(policy_content, '{', 1) AS length FROM password_policy WHERE policy_identifier LIKE '%minLength')) WHERE minlength >= 10);
description:"Checks that the password policy requires at least 10 characters. Requires osquery 5.4.0 or newer."
query:SELECT 1 FROM os_version WHERE version >= '12.5.1';
description:"Checks that the operating system is up to date."
resolution:"From the Apple menu in the corner of your screen, choose System Preferences. Then select Software Update and select Upgrade Now. You might be asked to restart or enter your password."
platforms:macOS
tags:compliance, CIS, template, CIS1.1
platform:darwin
contributors:GuillaumeRoss
---
apiVersion:v1
kind:policy
spec:
name:Automatic updates enabled (macOS)
query:SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticCheckEnabled' AND value=1 LIMIT 1;
description:"Checks that a mobile device management (MDM) solution configures the operating system to automatically check for updates."
resolution:"Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic updates."
platforms:macOS
tags:compliance, CIS, CIS1.2
platform:darwin
contributors:GuillaumeRoss
---
apiVersion:v1
kind:policy
spec:
name:Automatic update downloads enabled (macOS)
query:SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticDownload' AND value=1 LIMIT 1;
description:"Checks that a mobile device management (MDM) solution configures the operating system to automatically download updates."
resolution:"Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic update downloads."
platforms:macOS
tags:compliance, CIS, CIS1.3
platform:darwin
contributors:GuillaumeRoss
---
apiVersion:v1
kind:policy
spec:
name:Automatic installation of application updates is enabled (macOS)
query:SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallAppUpdates' AND value=1 LIMIT 1;
description:"Checks that a mobile device management (MDM) solution configures the operating system to automatically install updates to App Store applications."
resolution:"Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of application updates."
name:Automatic security and data file updates is enabled (macOS)
query:SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='CriticalUpdateInstall' AND value=1 LIMIT 1;
description:"Checks that the operating system is configured to automatically download updates to built-in macOS security tools such as malware removal tools."
resolution:"Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic security and data update installation."
platforms:macOS
tags:compliance, CIS, CIS1.5
platform:darwin
contributors:GuillaumeRoss
---
apiVersion:v1
kind:policy
spec:
name:Automatic installation of operating system updates is enabled (macOS)
query:SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallMacOSUpdates' AND value=1 LIMIT 1;
description:"Checks that a mobile device management (MDM) solution configures the operating system to automatically install operating system updates."
resolution:"Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of operating system updates."
platforms:macOS
tags:compliance, CIS, CIS1.6
platform:darwin
contributors:GuillaumeRoss
---
apiVersion:v1
kind:policy
spec:
name:Time and date are configured to be updated automatically (macOS)
query:SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='forceAutomaticDateAndTime' AND value=1 LIMIT 1;
description:"Checks that a mobile device management (MDM) solution configures the operating system to automatically update the time and date."
resolution:"Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic time and date configuration."
platforms:macOS
tags:compliance, CIS, CIS2.2.1
platform:darwin
contributors:GuillaumeRoss
---
apiVersion:v1
kind:policy
spec:
name:Inactivity limit of 20 minutes or less (macOS)
query:SELECT 1 WHERE EXISTS (SELECT CAST(value as integer(4)) valueint from managed_policies WHERE domain = 'com.apple.screensaver' AND name = 'askForPasswordDelay' AND valueint <= 60 LIMIT 1) AND EXISTS (SELECT CAST(value as integer(4)) valueint from managed_policies WHERE domain = 'com.apple.screensaver' AND name = 'idleTime' AND valueint <= 1140 LIMIT 1) AND EXISTS (SELECT 1 from managed_policies WHERE domain='com.apple.screensaver' AND name='askForPassword' AND value=1 LIMIT 1);
description:"Checks that a mobile device management (MDM) solution configures the operating system to lock the screen after 20 minutes or less of inactivity."
resolution:"Contact your IT administrator to ensure your Mac is receiving a profile that enables the screen saver and lock within an inactivity delay of 20 minutes or less."
platforms:macOS
tags:compliance, CIS, CIS2.3.1, CIS5.8
platform:darwin
contributors:GuillaumeRoss
---
apiVersion:v1
kind:policy
spec:
name:Internet sharing is blocked (macOS)
query:SELECT 1 FROM managed_policies WHERE domain='com.apple.MCX' AND name='forceInternetSharingOff' AND value='1' LIMIT 1;
description:"Checks that a mobile device management (MDM) solution configures the operating system to prevent Internet sharing."
resolution:"Contact your IT administrator to ensure your Mac is receiving a profile that prevents Internet sharing."
platforms:macOS
tags:compliance, CIS, CIS2.4.2
platform:darwin
contributors:GuillaumeRoss
---
apiVersion:v1
kind:policy
spec:
name:Content caching is disabled (macOS)
query:SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowContentCaching' AND value='0' LIMIT 1;
description:"Checks that a mobile device management (MDM) solution configures the operating system to disable content caching."
resolution:"Contact your IT administrator to ensure your Mac is receiving a profile that disables content caching."
platforms:macOS
tags:compliance, CIS, CIS2.4.10
platform:darwin
contributors:GuillaumeRoss
---
apiVersion:v1
kind:policy
spec:
name:Ad tracking is limited (macOS)
query:SELECT 1 FROM managed_policies WHERE domain='com.apple.AdLib' AND name='forceLimitAdTracking' AND value='1' LIMIT 1;
description:"Checks that a mobile device management (MDM) solution configures the operating system to limit advertisement tracking."
resolution:"Contact your IT administrator to ensure your Mac is receiving a profile that disables advertisement tracking."
platforms:macOS
tags:compliance, CIS, CIS2.5.6
platform:darwin
contributors:GuillaumeRoss
---
apiVersion:v1
kind:policy
spec:
name:iCloud Desktop and Document sync is disabled (macOS)
query:SELECT 1 FROM managed_policies WHERE domain='com.apple.icloud.managed' AND name='DisableCloudSync' AND value='1' LIMIT 1;
description:"Checks that a mobile device management (MDM) solution configures the operating system to prevent iCloud Desktop and Documents sync."
resolution:"Contact your IT administrator to ensure your Mac is receiving a profile to prevent iCloud Desktop and Documents sync."
platforms:macOS
tags:compliance, CIS, CIS2.6.1.4
platform:darwin
contributors:GuillaumeRoss
---
apiVersion:v1
kind:policy
spec:
name:Firewall logging is enabled (macOS)
query:SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND name='EnableLogging' AND value='1' LIMIT 1;
description:"Checks that a mobile device management (MDM) solution configures the operating system to log firewall activity."
resolution:"Contact your IT administrator to ensure your Mac is receiving a profile that enables firewall logging."
platforms:macOS
tags:compliance, CIS, CIS3.6
platform:darwin
contributors:GuillaumeRoss
---
apiVersion:v1
kind:policy
spec:
name:Guest account is disabled (macOS)
query:SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND name='DisableGuestAccount' AND value='1' LIMIT 1;
description:"Checks that a mobile device management (MDM) solution configures the operating system to prevent the use of a guest account."
resolution:"Contact your IT administrator to ensure your Mac is receiving a profile that disables the guest account."
platforms:macOS
tags:compliance, CIS, CIS6.1.3
platform:darwin
contributors:GuillaumeRoss
---
apiVersion:v1
kind:policy
spec:
name:Guest access to shared folders is disabled (macOS)
query:SELECT 1 FROM managed_policies WHERE domain='com.apple.AppleFileServer' AND name='guestAccess' AND value='0' LIMIT 1;
description:"Checks that a mobile device management (MDM) solution configures the operating system to prevent guest access to shared folders."
resolution:"Contact your IT administrator to ensure your Mac is receiving a profile that prevents guest access to shared folders."
name:No 1Password emergency kit stored on desktop or in downloads (macOS)
query:SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM file WHERE filename like '%%Emergency Kit%%.pdf' AND (path LIKE '/Users/%%/Downloads/%%' OR path LIKE '/Users/%%/Desktop/%%'));
description:"Looks for PDF files with file names typically used by 1Password for emergency recovery kits."
resolution:"Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location."