Website: Add "Requires MDM" badge to /queries page (#9296)

Changes:
- Added a "MDM required" tag to the queries in the standard query
library that use the `managed_policies` table.
- Updated the build script to add a `requiresMdm` value to queries added
to `builtStaticContent.queries`, and to set it to true if a query has
the "MDM required" tag
- Updated the `/queries` page to add a "Requires MDM" badge to queries
that have `requiresMdm: true`
 . . .

Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com>
Eric 2023-01-12 10:05:03 -06:00 committed by GitHub
parent 4a2b3ef5c9
commit 09b88d0341
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 43 additions and 25 deletions


@ -539,7 +539,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.loginwindow' AND name = 'com.apple.login.mcx.DisableAutoLoginClient' AND value = 1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to prevent login in without a password."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables automatic login."
tags: compliance, hardening, built-in
tags: MDM required, compliance, hardening, built-in
platform: darwin
contributors: groob
---
@ -550,7 +550,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.Terminal' AND name = 'SecureKeyboardEntry' AND value = 1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to enabled secure keyboard entry for the Terminal application."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables secure keyboard entry for the Terminal application."
tags: compliance, hardening, built-in
tags: MDM required, compliance, hardening, built-in
platform: darwin
contributors: groob
---
@ -685,7 +685,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE name='askForPassword' AND value='1';
description: "Checks that a mobile device management (MDM) solution configures the Mac to enable screen lock."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables screen lock."
tags: compliance, hardening, built-in
tags: MDM required, compliance, hardening, built-in
platform: darwin
contributors: GuillaumeRoss
---
@ -729,7 +729,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticCheckEnabled' AND value=1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically check for updates."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic updates."
tags: compliance, CIS, CIS1.2
tags: MDM required, compliance, CIS, CIS1.2
platform: darwin
contributors: GuillaumeRoss
---
@ -740,7 +740,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticDownload' AND value=1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically download updates."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic update downloads."
tags: compliance, CIS, CIS1.3
tags: MDM required, compliance, CIS, CIS1.3
platform: darwin
contributors: GuillaumeRoss
---
@ -751,7 +751,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallAppUpdates' AND value=1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically install updates to App Store applications."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of application updates."
tags: compliance, CIS, CIS1.4
tags: MDM required, compliance, CIS, CIS1.4
platform: darwin
contributors: GuillaumeRoss
---
@ -762,7 +762,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='CriticalUpdateInstall' AND value=1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically download updates to built-in macOS security tools such as malware removal tools."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic security and data update installation."
tags: compliance, CIS, CIS1.5
tags: MDM required, compliance, CIS, CIS1.5
platform: darwin
contributors: GuillaumeRoss
---
@ -773,7 +773,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallMacOSUpdates' AND value=1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically install operating system updates."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of operating system updates."
tags: compliance, CIS, CIS1.6
tags: MDM required, compliance, CIS, CIS1.6
platform: darwin
contributors: GuillaumeRoss
---
@ -784,7 +784,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='forceAutomaticDateAndTime' AND value=1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically update the time and date."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic time and date configuration."
tags: compliance, CIS, CIS2.2.1
tags: MDM required, compliance, CIS, CIS2.2.1
platform: darwin
contributors: GuillaumeRoss
---
@ -795,7 +795,7 @@ spec:
query: SELECT 1 WHERE EXISTS (SELECT CAST(value as integer(4)) valueint from managed_policies WHERE domain = 'com.apple.screensaver' AND name = 'askForPasswordDelay' AND valueint <= 60 LIMIT 1) AND EXISTS (SELECT CAST(value as integer(4)) valueint from managed_policies WHERE domain = 'com.apple.screensaver' AND name = 'idleTime' AND valueint <= 1140 LIMIT 1) AND EXISTS (SELECT 1 from managed_policies WHERE domain='com.apple.screensaver' AND name='askForPassword' AND value=1 LIMIT 1);
description: "Checks that a mobile device management (MDM) solution configures the Mac to lock the screen after 20 minutes or less."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables the screen saver after inactivity of 20 minutes or less."
tags: compliance, CIS, CIS2.3.1, CIS5.8
tags: MDM required, compliance, CIS, CIS2.3.1, CIS5.8
platform: darwin
contributors: GuillaumeRoss
---
@ -806,7 +806,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.MCX' AND name='forceInternetSharingOff' AND value='1' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to prevent Internet sharing."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that prevents Internet sharing."
tags: compliance, CIS, CIS2.4.2
tags: MDM required, compliance, CIS, CIS2.4.2
platform: darwin
contributors: GuillaumeRoss
---
@ -817,7 +817,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowContentCaching' AND value='0' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to disable content caching."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables content caching."
tags: compliance, CIS, CIS2.4.10
tags: MDM required, compliance, CIS, CIS2.4.10
platform: darwin
contributors: GuillaumeRoss
---
@ -828,7 +828,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.AdLib' AND name='forceLimitAdTracking' AND value='1' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to limit advertisement tracking."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables advertisement tracking."
tags: compliance, CIS, CIS2.5.6
tags: MDM required, compliance, CIS, CIS2.5.6
platform: darwin
contributors: GuillaumeRoss
---
@ -839,7 +839,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.icloud.managed' AND name='DisableCloudSync' AND value='1' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to prevent iCloud Desktop and Documents sync."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile to prevent iCloud Desktop and Documents sync."
tags: compliance, CIS, CIS2.6.1.4
tags: MDM required, compliance, CIS, CIS2.6.1.4
platform: darwin
contributors: GuillaumeRoss
---
@ -850,7 +850,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND name='EnableLogging' AND value='1' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to log firewall activity."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables firewall logging."
tags: compliance, CIS, CIS3.6
tags: MDM required, compliance, CIS, CIS3.6
platform: darwin
contributors: GuillaumeRoss
---
@ -861,7 +861,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND name='DisableGuestAccount' AND value='1' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to prevent the use of a guest account."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables the guest account."
tags: compliance, CIS, CIS6.1.3
tags: MDM required, compliance, CIS, CIS6.1.3
platform: darwin
contributors: GuillaumeRoss
---
@ -872,7 +872,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.AppleFileServer' AND name='guestAccess' AND value='0' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to prevent guest access to shared folders."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that prevents guest access to shared folders."
tags: compliance, CIS, CIS6.1.4
tags: MDM required, compliance, CIS, CIS6.1.4
platform: darwin
contributors: GuillaumeRoss
---


@ -36,10 +36,23 @@
}
}
[purpose='requires-mdm-badge'] {
text-transform: uppercase;
background: #6A67FE;
border-radius: 4px;
padding: 4px;
font-weight: 700;
font-size: 10px;
line-height: 10px;
display: inline;
color: #FFF;
text-decoration: none;
}
[purpose='query-tag'] {
font-size: 12px;
font-weight: 700;
padding: 4px 8px;
padding: 2px 8px;
border-radius: 20px;
background-color: #E2E4EA;
}


@ -43,6 +43,7 @@ module.exports = {
} else if (query.resolution === undefined) {
query.resolution = 'N/A';// « We set this to a string here so that the data type is always string. We use N/A so folks can see there's no remediation and contribute if desired.
}
query.requiresMdm = false;
if (query.tags) {
if(!_.isString(query.tags)) {
queriesWithProblematicTags.push(query);
@ -52,8 +53,13 @@ module.exports = {
let formattedTags = [];
for (let tag of tagsToFormat) {
if(tag !== '') {// « Ignoring any blank tags caused by trailing commas in the YAML.
// Removing any extra whitespace from tags and changing them to be in lower case.
formattedTags.push(_.trim(tag.toLowerCase()));
// If a query has a 'requires MDM' tag, we'll set requiresMDM to true for this query, and we'll ingore this tag.
if(_.trim(tag.toLowerCase()) === 'mdm required'){
query.requiresMdm = true;
} else {
// Removing any extra whitespace from tags and changing them to be in lower case.
formattedTags.push(_.trim(tag.toLowerCase()));
}
}
}
// Removing any duplicate tags.
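Review bot: `_.trim(tag.toLowerCase())` is evaluated twice per tag in the new branch (once for the comparison in the `if`, once for the push in the `else`); hoisting it into a local guarantees the compared value and the stored value stay in sync if the normalization ever changes: `const normalizedTag = _.trim(tag.toLowerCase());` then `if(normalizedTag === 'mdm required'){` and `formattedTags.push(normalizedTag);`. The new comment also names the property `requiresMDM` while the code sets `query.requiresMdm`, and misspells "ignore" as "ingore". Since the flag is driven solely by the tag text and not by the query body, a query that reads `managed_policies` but lacks the tag will not get the badge; a sentence to that effect in the comment (`// The 'MDM required' tag is the only trigger for requiresMdm; queries are not inspected.`) would make that contract explicit for contributors. The enclosing function starts and ends outside the hunk.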


@ -98,11 +98,10 @@
<div class="card-body">
<div class="row justify-content-between align-items-center query-card">
<div class="col-12">
<div class="d-block d-sm-flex flex-wrap">
<h5 class="card-title m-0 mb-1 mr-sm-2">{{query.name}}</h5>
<div class="my-2 my-sm-0 flex-wrap">
<span class="mr-2 mb-1 text-nowrap d-inline-block" purpose="query-tag" v-for="tag in query.tags" @click.stop="clickSelectTag(tag)">{{tag}}</span>
</div>
<div class="d-flex flex-row align-items-center flex-wrap">
<h5 class="card-title m-0 mb-1 mr-2">{{query.name}}</h5>
<a purpose="requires-mdm-badge" class="mr-2" v-if="query.requiresMdm">Requires MDM</a>
<span class="mr-2 my-sm-0 my-1 text-nowrap d-inline-flex" purpose="query-tag" v-for="tag in query.tags" @click.stop="clickSelectTag(tag)">{{tag}}</span>
</div>
</div>
<div class="col-sm-9 col-md-9">
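Review bot: The new badge on the `<a purpose="requires-mdm-badge" ...>` line is an anchor with no `href`, so it is neither focusable nor a link and only looks like one; the sibling tag element is a `<span>`, and the badge should match it: `<span purpose="requires-mdm-badge" class="mr-2" v-if="query.requiresMdm">Requires MDM</span>`. Unlike the tag span, which uses `@click.stop`, a click on the badge will bubble up to whatever handler the enclosing card has; if opening the query on badge click is the intended behavior that is fine, but it is inferred rather than visible here. The enclosing template continues outside the hunk.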