* Our devices should give contributors the freedom to work from anywhere.
* To allow maximum freedom in where and how we work, we assume that "Safe" networks do not exist. Contributors should be able to work on a coffee shop's Wi-Fi as if it were their home or work network.
* To limit the impact on user experience, we do not dictate security configurations unless the security benefit is significant; only if it dramatically reduces risk for the company, customers, or open source users.
* By using techniques such as Two-Factor Authentication (2FA), code reviews, and more, we can further empower contributors to work comfortably from any location - on any network.
We use configuration profiles to standardize security settings for our Mac devices. We use [CIS Benchmark for macOS 12](https://www.cisecurity.org/benchmark/apple_os), as our configuration baseline, and adapt it to:
* Suit a remote team
* Balance the need for productivity and security
* Limit the impact on the daily use of our devices
Our policy, which applies to Fleet owned laptops purchased via Apple's DEP (Device Enrollment Program), and which will retroactively be applied to every company owned Mac consists of:
| 1.1 | Ensure all Apple-provided software is current |
| 1.2 | Ensure auto update is enabled | |
| 1.4 | Ensure installation of app updates is enabled |
| 1.5 | Ensure system data files and security updates are downloaded automatically is enabled |
| 1.6 | Ensure install of macOS updates is enabled |
*Note: the setting numbers included in the tables throughout this section are the recommended numbers from the CIS Benchmark for macOS12 document referenced above.*
**Why?**
Keeping software up-to-date helps to improve the resilience of our Mac fleet. Software updates include security updates that fix vulnerabilities that could otherwise be exploited. Browsers, for example, are often exposed to untrusted code, have a significant attack surface, and are frequently attacked.
macOS includes [malware protection tools](https://support.apple.com/en-ca/guide/security/sec469d47bd8/web) such as *Xprotect*, which is antivirus technology based on [YARA](https://github.com/VirusTotal/yara), and MRT (Malware Removal Tool), which is a tool built by Apple to remove common malware from systems that are infected.
By enabling these settings we:
* Ensure the operating system is kept up to date.
* Ensure XProtect and MRT are as up to date as possible.
* Ensure that Safari is kept up to date.
This improves the resilience of our Mac fleet.
**User experience impact**
* Updates are required, which can be disruptive. For this reason, we allow the user to **postpone the installation 5 times**.
* Critical security updates are automatically downloaded, which could result in bandwidth use on slow or expensive links. For this reason, we limit automatic downloads to critical security updates only, while feature updates, that are typically larger, are downloaded at the time of installation selected by the user.
* Enforced updates **do not** include major macOS releases (e.g., 11➡️12). Those updates are tracked and enforced separately, as the impact can be more significant. We require installation of the latest macOS version within 3 months of release, or when known vulnerabilities have remained unpatched on the older version.
| 2.2.1 | Ensure "Set time and date automatically" is enabled |
**Why?**
Accurate time is important for two main reasons:
1. Authentication. Many authentication systems like [Kerberos](https://en.wikipedia.org/wiki/Kerberos_(protocol)) and [SAML](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) require the time between clients and servers to be [close](http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Clock-Skew.html). Keeping accurate time allows those protocols to prevent attacks that would leverage old authentication sessions.
2. Logging. Performing troubleshooting or incident response is much easier when all the logs involved have close to perfectly synchronized timestamps.
**User experience impact**
* Minimal. Inability to set the wrong time. Time zones remain user-configurable.
| 5.2.3 | Ensure complex password must contain alphabetic characters is configured |
| 5.8 | Ensure a password is required to wake the computer from sleep or screen saver is enabled |
**Why?**
This category of settings is special because there are more settings that we do *not* configure than ones we do.
We follow the CIS benchmark where it makes sense, and in this case, take guidance from [NIST SP800-63B - Digital Identity Guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html), especially [Appendix A -Strength of Memorized Secrets](https://pages.nist.gov/800-63-3/sp800-63b.html#appA).
* We do NOT enforce special complexity beyond requiring letters to be in the password.
Length is the most important factor when determining a secure password; while enforcing password expiration, special characters and other restrictive patterns are not as effective as previously believed and provide little benefit at the cost of hurting the user experience.
* We do NOT enforce extremely long passwords.
As we use recent Macs with T2 chips or Apple Silicon, brute-force attacks against the hardware are [mitigated](https://www.apple.com/mideast/mac/docs/Apple_T2_Security_Chip_Overview.pdf).
* We DO require passwords to be a minimum of 8 characters long with letters.
Since we can't eliminate the risk of passwords being cracked remotely, we require passwords to be a minimum of 8 characters long with letters, a length reasonably hard to crack over the network, and the minimum recommendation by SP800-63B.
**User experience impact**
* A password is required to boot and unlock a laptop. Touch ID and Apple Watch unlock are allowed, and we recommend using a longer password combined with TouchID or Apple Watch to reduce password annoyances throughout the day.
| 6.1.4 | Ensure guest access to shared folders is disabled |
**Why?**
* Any service listening on a port expands the attack surface, especially when working on unsafe networks, to which we assume all laptops are connected.
* Laptops with tunnels connecting to internal systems (TLS tunnel, SSH tunnel, VPN.) or multiple network interfaces could be turned into a bridge and exposed to an attack if internet sharing is enabled.
* Guest access to shared data could lead to accidental exposure of confidential work files.
**User experience impact**
* Inability to use the computer as a server to share internet access, printers, content caching of macOS and iOS updates, and streaming iTunes media to devices on the local network.
| 2.5.2.3 | Ensure firewall Stealth Mode is enabled |
| 3.6 | Ensure firewall logging is enabled and configured |
**Why?**
* Using FileVault protects the data on our laptops, including confidential data and session material (browser cookies), SSH keys, and more. Using FileVault ensures a lost laptop is a minor inconvenience and not an incident. We escrow the keys to be sure we can recover the data if needed.
* [Gatekeeper](https://support.apple.com/en-ca/HT202491) is a macOS feature that ensures users can safely open software on their Mac. With Gatekeeper enabled, users may execute only trustworthy apps (signed by the software developer and/or checked for malicious software by Apple). This is a useful first line of defense to have.
* Using the firewall will ensure that we limit the exposure to our devices, while Stealth mode makes them more difficult to discover.
* Firewall logging allows us to troubleshoot and investigate whether the firewall blocks applications or connections.
**User experience impact**
* Due to FileVault's encryption process, a password is needed as soon as the laptop is turned on, instead of once it has booted.
* No performance impact - macOS encrypts the system drive by default.
* With Gatekeeper enabled, unsigned or unnotarized (not checked for malware by Apple) applications require extra steps to execute.
* With the firewall enabled, unsigned applications cannot open a firewall port for inbound connections.
* Fleet contributors are free to work from wherever they choose. If a laptop is lost or forgotten, automatic login exposes sensitive company data and poses a critical security risk.
* Password hints can sometimes be easier to guess than the password itself. Since we support contributors remotely via MDM and do not require users to change passwords frequently, we eliminate the need for passwords hints and their associated risk.
* Since company laptops are issued primarily for work, and tied to a single contributor's identity, guest accounts are not permitted.
* Automatic logon would defeat the purpose of even requiring passwords to unlock computers.
**User experience impact**
* Laptops lock after 20 minutes of inactivity. To voluntarily pause this, a [hot corner](https://support.apple.com/en-mo/guide/mac-help/mchlp3000/mac) can be configured to disable the screen saver. This is useful if you are, for example, watching an online meeting without moving the mouse and want to be sure the laptop will not lock.
* Forgotten passwords can be fixed via MDM, instead of relying on potentially dangerous hints.
* Guest accounts are not available.
#### iCloud
We do not apply ultra restrictive Data Loss Prevention style policies to our devices. Instead, by using our company Google Drive, we ensure that the most critical company data never reaches our laptops, so it can remain secure, while our laptops can remain productive.
* We do not use managed Apple IDs, and allow contributors to use their own iCloud accounts. We disable iCloud Documents and Desktop sync to avoid accidental copying of data to iCloud, but we do allow iCloud drive.
* iCloud remains allowed, but the Desktop and Documents folders will not be synchronized. Ensure you put your documents in our Google Drive, so you do not lose them if your laptop has an issue.
| 6.3 | Ensure automatic opening of safe files in Safari is disabled |
**Why?**
* Limiting ad tracking has privacy benefits, and no downside.
* Protecting keyboard entry into Terminal.app could prevent malicious applications or non-malicious but inappropriate applications from receiving passwords.
* Library validation ensures that an attacker can't trick applications into loading a software library in a different location, leaving it open to abuse.
* Safari opening files automatically can lead to negative scenarios where files are downloaded and automatically opened in another application. Though the setting relates to files deemed "safe", it includes PDFs and other file formats where malicious documents exploiting vulnerabilities have been seen before.
**User experience impact**
* There is minimal to no user experience impact for these settings. However, applications used to create custom keyboard macros will not receive keystrokes when Terminal.app is the active application window.
#### Enforce DNS-over-HTTPs (DoH)
| # | Setting |
| -- | ---------------------- |
| NA | Enforce [DNS over HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) |
**Why?**
* We assume that no network is "safe." Therefore, DNS queries could be exposed and leak private data. An attacker on the same wireless network could see DNS queries, determine who your employer is, or even intercept them and [respond with malicious answers](https://github.com/iphelix/dnschef). Using DoH protects the DNS queries from eavesdropping and tampering.
* We use Cloudflare's DoH servers with basic malware blocking. No censorship should be applied on these servers, except towards destinations known as malware related.
**User experience impact**
* Some misconfigured "captive portals", typically used in hotels and airports, might be unusable with DoH due to how they are configured. This can be worked around by using the hotspot on your phone, and if you really have to use this network for an extended period of time, there are usually workarounds that can be performed to connect to them. Navigating to http://1.1.1.1 often resolves the issue.
* If you are trying to reach a site, and you believe it is being blocked accidentally, please submit it to Cloudflare. This should be extremely rare. If it is not, please let the security team know.
* If your ISP's DNS service goes down, you'll be able to continue working 😎
*Note: If you from another organization, reading this to help create your own configuration, remember that implementing DoH in an office environment where other network controls are in place has different downsides than doing it for a remote company. In those cases, **disabling** DoH makes more sense, so network controls can retain visibility. Please evaluate your situation before implementing any of our recommendations at your organization, especially DoH.*
#### Deploy osquery
| # | Setting |
| -- | ---------------------- |
| NA | Deploy [osquery](https://osquery.io/) pointed to our dogfood instance |
***Why?***
We use osquery and Fleet to monitor our own devices. This is used for vulnerability detection, security posture tracking, and can be used for incident response when necessary.
### Chrome configuration
We configure Chrome on company-owned devices with a basic policy.
* Browsers have a large attack surface, and their updates contain critical security updates.
**User experience impact**
* Chrome needs to be restarted within 48 hours of patches being installed. The automatic restart happens after 19:00 and before 6:00 if the computer is running, and tabs are restored (except for incognito tabs).
* Ads considered intrusive are blocked.
* uBlock Origin is enabled by default, and is 100% configurable, improving security and performance of browsing.
* Endpoint Verification is used to make access decisions based on the security posture of the device. For example, an outdated Mac could be prevented access to Google Drive.
### Personal mobile devices
The use of personal devices is allowed for some applications, as long as the iOS or Android device is kept up to date.
At Fleet, we handle software vulnerabilities no matter what their source is.
The process is simple:
1. A person or tool discovers a vulnerability and informs us.
2. Fleet determines if we must fix this vulnerability, and if not, documents why.
3. As long as it respects our remediation timelines and enough time remains for implementation and testing, Fleet fixes vulnerabilities in the next scheduled release. Else, Fleet creates a special release to address the vulnerabilities.
### Timeline
Fleet commits to remediating vulnerabilities according to the following:
| Critical | 4 business hours | 7 days | 30 days |
| High | 2 business days | 14 days | 30 days |
| Medium | 1 week | 60 days | 60 days |
| Low | Best effort | Best effort | Best effort |
| Unspecified | 2 business days | N/A | N/A |
### Mapping of CVSSv3 scores to Fleet severity
Fleet adapts the severity assigned to vulnerabilities when needed.
The features we use in a library, for example, can mean that some vulnerabilities in the library are unexploitable. In other cases, it might make the vulnerability easier to exploit. In those cases, Fleet would first categorize the vulnerability using publicly available information, then lower or increase the severity based on additional context.
When using externally provided CVSSv3 scores, Fleet maps them this way:
| Determined on a case by case basis | Critical + in-the-wild-exploitation |
### Disclosure
Researchers who discover vulnerabilities in Fleet can disclose them as per the [Fleet repository security policy](https://github.com/fleetdm/fleet/security/policy).
If Fleet confirms the vulnerability:
1. Fleet's security team creates a private Github security advisory.
2. Fleet asks the researcher if they want credit or anonymity. If the researcher wishes to be credited, we invite them to the private advisory on Github.
3. We request a CVE through Github.
4. Developers address the issue in a private branch.
5. As we release the fix, we make the advisory public.
Example Fleet vulnerability advisory: [CVE-2022-23600](https://github.com/fleetdm/fleet/security/advisories/GHSA-ch68-7cf4-35vr)
### Vulnerabilities in dependencies
Fleet remediates vulnerabilities related to vulnerable dependencies, but we do not create security advisories on the Fleet repository unless we believe that the vulnerability could impact Fleet. In some situations where we believe it is warranted, we mention the updates in release notes. The best way of knowing what dependencies are required to use Fleet is to look at them directly [in the repository](https://github.com/fleetdm/fleet/blob/main/package.json).
We use [Dependabot](https://github.com/dependabot) to create pull requests to update vulnerable dependencies. You can find these PRs by filtering on the [*Dependabot*](https://github.com/fleetdm/fleet/pulls?q=is%3Apr+author%3Aapp%2Fdependabot+) author in the repository.
We ensure the fixes to vulnerable dependencies are also performed according to our remediation timeline. We fix as many dependencies as possible in a single release.