empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 08:55:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Adding tags to all queries (#5474)

Browse Source
This commit is contained in:
Guillaume Ross 2022-05-02 17:57:15 -04:00 committed by GitHub
parent 991c7ccadc
commit 293ede98d6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 65 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
View File

@ -7,6 +7,7 @@ spec:
description: Retrieves the OpenSSL version.
query: SELECT name AS name, version AS version, 'deb_packages' AS source FROM deb_packages WHERE name LIKE 'openssl%' UNION SELECT name AS name, version AS version, 'apt_sources' AS source FROM apt_sources WHERE name LIKE 'openssl%' UNION SELECT name AS name, version AS version, 'rpm_packages' AS source FROM rpm_packages WHERE name LIKE 'openssl%';
purpose: Informational
tags: inventory
contributors: zwass
---
apiVersion: v1
@ -18,26 +19,18 @@ spec:
query: SELECT username, authorized_keys. * FROM users CROSS JOIN authorized_keys USING (uid);
purpose: Informational
remediation: Check out the linked table (https://github.com/fleetdm/fleet/blob/32b4d53e7f1428ce43b0f9fa52838cbe7b413eed/handbook/queries/detect-hosts-with-high-severity-vulnerable-versions-of-openssl.md#table-of-vulnerable-openssl-versions) to determine if the installed version is a high severity vulnerability and view the corresponding CVE(s)
tags: built-in, ssh
contributors: mike-j-thomas
---
apiVersion: v1
kind: query
spec:
name: Get authorized keys for Local Accounts
platforms: macOS, Linux
description: List authorized_keys for each user on the system.
query: SELECT * FROM users CROSS JOIN authorized_keys USING (uid);
purpose: Informational
contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
name: Get authorized keys for Domain Joined Accounts
platforms: macOS, Linux
description: List authorized_keys for each user on the system.
query: SELECT * FROM users CROSS JOIN authorized_keys USING(uid) WHERE username IN (SELECT distinct(username) FROM last);
purpose: Informational
tags: active directory, ssh
contributors: anelshaer
---
apiVersion: v1
@ -48,6 +41,7 @@ spec:
description: Retrieve application, system, and mobile app crash logs.
query: SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path FROM users CROSS JOIN crashes USING (uid);
purpose: Informational
tags: troubleshooting
contributors: zwass
---
apiVersion: v1
@ -58,6 +52,7 @@ spec:
description: List installed Chrome Extensions for all users.
query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);
purpose: Informational
tags: browser, built-in, inventory
contributors: zwass
---
apiVersion: v1
@ -68,6 +63,7 @@ spec:
description: Get all software installed on a FreeBSD computer, including browser plugins and installed packages. Note that this does not include other running processes in the processes table.
query: SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Package (pkg)' AS type, 'pkg_packages' AS source FROM pkg_packages;
purpose: Informational
tags: inventory
contributors: zwass
---
apiVersion: v1
@ -78,6 +74,7 @@ spec:
description: Get all software installed on a Linux computer, including browser plugins and installed packages. Note that this does not include other running processes in the processes table.
query: SELECT name AS name, version AS version, 'Package (APT)' AS type, 'apt_sources' AS source FROM apt_sources UNION SELECT name AS name, version AS version, 'Package (deb)' AS type, 'deb_packages' AS source FROM deb_packages UNION SELECT package AS name, version AS version, 'Package (Portage)' AS type, 'portage_packages' AS source FROM portage_packages UNION SELECT name AS name, version AS version, 'Package (RPM)' AS type, 'rpm_packages' AS source FROM rpm_packages UNION SELECT name AS name, '' AS version, 'Package (YUM)' AS type, 'yum_sources' AS source FROM yum_sources UNION SELECT name AS name, version AS version, 'Package (NPM)' AS type, 'npm_packages' AS source FROM npm_packages UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages;
purpose: Informational
tags: inventory, built-in
contributors: zwass
---
apiVersion: v1
@ -88,6 +85,7 @@ spec:
description: Get all software installed on a macOS computer, including apps, browser plugins, and installed packages. Note that this does not include other running processes in the processes table.
query: SELECT name AS name, bundle_short_version AS version, 'Application (macOS)' AS type, 'apps' AS source FROM apps UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name As name, version AS version, 'Browser plugin (Safari)' AS type, 'safari_extensions' AS source FROM safari_extensions UNION SELECT name AS name, version AS version, 'Package (Homebrew)' AS type, 'homebrew_packages' AS source FROM homebrew_packages;
purpose: Informational
tags: inventory, built-in
contributors: zwass
---
apiVersion: v1
@ -98,6 +96,7 @@ spec:
description: Retrieves the list of installed Safari Extensions for all users in the target system.
query: SELECT safari_extensions.* FROM users join safari_extensions USING (uid);
purpose: Informational
tags: browser, built-in, inventory
contributors: zwass
---
apiVersion: v1
@ -108,6 +107,7 @@ spec:
description: Get all software installed on a Windows computer, including programs, browser plugins, and installed packages. Note that this does not include other running processes in the processes table.
query: SELECT name AS name, version AS version, 'Program (Windows)' AS type, 'programs' AS source FROM programs UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (IE)' AS type, 'ie_extensions' AS source FROM ie_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name AS name, version AS version, 'Package (Chocolatey)' AS type, 'chocolatey_packages' AS source FROM chocolatey_packages UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages;
purpose: Informational
tags: inventory, built-in
contributors: zwass
---
apiVersion: v1
@ -118,6 +118,7 @@ spec:
description: Lists all laptops with under-performing or failing batteries.
query: SELECT * FROM battery WHERE health != 'Good' AND condition NOT IN ('', 'Normal');
purpose: Informational
tags: troubleshooting, hardware, inventory
contributors: zwass
---
apiVersion: v1
@ -128,6 +129,7 @@ spec:
description: Get current users with active shell/console on the system and associated process
query: SELECT user,host,time, p.name, p.cmdline, p.cwd, p.root FROM logged_in_users liu, processes p WHERE liu.pid = p.pid and liu.type='user' and liu.user <> '' ORDER BY time;
purpose: Informational
tags: hunting, built-in
contributors: anelshaer
---
apiVersion: v1
@ -138,7 +140,8 @@ spec:
description: Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE. TA0008)
query: SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys using (uid) WHERE encrypted=0;
purpose: Informational
remediation: First, make the user aware about the impact of SSH keys. Then rotate the unencrypted keys detected.
tags: inventory, compliance, ssh, built-in
remediation: First, make the user aware about the impact of SSH keys. Then rotate the unencrypted keys detected.
contributors: anelshaer
---
apiVersion: v1
@ -149,7 +152,8 @@ spec:
description: Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE. TA0008)
query: SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys using (uid) WHERE encrypted=0 and username in (SELECT distinct(username) FROM last);
purpose: Informational
remediation: First, make the user aware about the impact of SSH keys. Then rotate the unencrypted keys detected.
tags: inventory, compliance, ssh, active directory
remediation: First, make the user aware about the impact of SSH keys. Then rotate the unencrypted keys detected.
contributors: anelshaer
---
apiVersion: v1
@ -160,6 +164,7 @@ spec:
description: Detect any processes that run with LD_PRELOAD environment variable
query: SELECT env.pid, env.key, env.value, p.name,p.path, p.cmdline, p.cwd FROM process_envs env join processes p USING (pid) WHERE key='LD_PRELOAD';
purpose: Informational
tags: hunting, ATTACK, t1574
remediation: Identify the process/binary detected and confirm with the system's owner.
contributors: anelshaer
---
@ -171,6 +176,7 @@ spec:
description: Detect any processes that run with DYLD_INSERT_LIBRARIES environment variable
query: SELECT env.pid, env.key, env.value, p.name,p.path, p.cmdline, p.cwd FROM process_envs env join processes p USING (pid) WHERE key='DYLD_INSERT_LIBRARIES';
purpose: Informational
tags: hunting, ATTACK, t1574
remediation: Identify the process/binary detected and confirm with the system's owner.
contributors: anelshaer
---
@ -181,7 +187,8 @@ spec:
platforms: macOS, Linux
description: Line-parsed /etc/hosts
query: SELECT * FROM etc_hosts WHERE address not in ('127.0.0.1', '::1');
purpose: Informational
purpose: informational
tags: hunting, inventory
contributors: anelshaer
---
apiVersion: v1
@ -191,7 +198,8 @@ spec:
platforms: macOS, Linux, Windows, FreeBSD
description: Network interfaces MAC address
query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface) WHERE address not in ('127.0.0.1', '::1');
purpose: Informational
purpose: informational
tags: hunting, inventory
contributors: anelshaer
---
apiVersion: v1
@ -201,7 +209,8 @@ spec:
platforms: macOS, Linux, Windows, FreeBSD
description: Local user accounts (including domain accounts that have logged on locally (Windows)).
query: SELECT uid, gid, username, description, directory, shell FROM users;
purpose: Informational
purpose: informational
tags: hunting, inventory
contributors: anelshaer
---
apiVersion: v1
@ -211,7 +220,8 @@ spec:
platforms: Linux
description: Domain Joined environments normally have root or other service only account and users are SSH-ing using their Domain Accounts.
query: SELECT * FROM shadow WHERE password_status='active' and username!='root';
purpose: Informational
purpose: informational
tags: hunting, inventory, Active Directory
contributors: anelshaer
---
apiVersion: v1
@ -225,6 +235,7 @@ spec:
(SELECT username FROM users WHERE uid=p.uid) AS username
FROM processes as p WHERE cmdline like 'nmap%';
purpose: Informational
tags: hunting, ATTACK, t1046
contributors: anelshaer
---
apiVersion: v1
@ -235,6 +246,7 @@ spec:
description: Docker containers Processes, can be used on normal system or a kubenode.
query: SELECT c.id, c.name, c.image, c.image_id, c.command, c.created, c.state, c.status, p.cmdline FROM docker_containers c CROSS JOIN docker_container_processes p using(id);
purpose: Informational
tags: built-in, containers, inventory
contributors: anelshaer
---
apiVersion: v1
@ -245,6 +257,7 @@ spec:
description: Detects devices that are potentially vulnerable to CVE-2021-1675 because the print spooler service is not disabled.
query: SELECT CASE cnt WHEN 2 THEN "TRUE" ELSE "FALSE" END "Vulnerable" FROM (SELECT name start_type, COUNT(name) AS cnt FROM services WHERE name = 'NTDS' or (name = 'Spooler' and start_type <> 'DISABLED')) WHERE cnt = 2;
purpose: Informational
tags: vulnerability
contributors: maravedi
---
apiVersion: v1
@ -254,7 +267,8 @@ spec:
platforms: macOS, Linux, Windows
description: Collects the local user accounts and their respective user group.
query: SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;
purpose: Informational
purpose: informational
tags: inventory
contributors: noahtalerman
---
apiVersion: v1
@ -265,6 +279,7 @@ spec:
description: Lists all processes of which the binary which launched them no longer exists on disk. Attackers often delete files from disk after launching process to mask presence.
query: SELECT name, path, pid FROM processes WHERE on_disk = 0;
purpose: Incident response
tags: hunting, built-in
contributors: alphabrevity
---
apiVersion: v1
@ -275,6 +290,7 @@ spec:
description: Looks for specific hash in the Users/ directories for files that are less than 50MB (osquery file size limitation.)
query: SELECT path, sha256 FROM hash WHERE path IN (SELECT path FROM file WHERE size < 50000000 AND path LIKE '/Users/%/Documents/%%') AND sha256 = '16d28cd1d78b823c4f961a6da78d67a8975d66cde68581798778ed1f98a56d75';
purpose: Informational
tags: hunting, built-in
contributors: alphabrevity
---
apiVersion: v1
@ -285,6 +301,7 @@ spec:
description: The query allows you to check macOS systems for local administrator accounts.
query: SELECT uid, username, type, group name FROM users u JOIN groups g ON g.gid = u.gid;
purpose: Informational
tags: hunting, inventory
contributors: alphabrevity
---
apiVersion: v1
@ -295,6 +312,7 @@ spec:
description: List ports that are listening on all interfaces, along with the process to which they are attached.
query: SELECT lp.address, lp.pid, lp.port, lp.protocol, p.name, p.path, p.cmdline FROM listening_ports lp JOIN processes p ON lp.pid = p.pid WHERE lp.address = "0.0.0.0";
purpose: Informational
tags: hunting, network
contributors: alphabrevity
---
apiVersion: v1
@ -305,6 +323,7 @@ spec:
description: Looks for the TeamViewer service running on machines. This is often used when attackers gain access to a machine, running TeamViewer to allow them to access a machine.
query: SELECT display_name,status,s.pid,p.path FROM services AS s JOIN processes AS p USING(pid) WHERE s.name LIKE "%teamviewer%";
purpose: Informational
tags: hunting, inventory
contributors: alphabrevity
---
apiVersion: v1
@ -315,6 +334,7 @@ spec:
description: Watches for the backdoored Python packages installed on the system. See (http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html)
query: SELECT CASE cnt WHEN 0 THEN "NONE_INSTALLED" ELSE "INSTALLED" END AS "Malicious Python Packages", package_name, package_version FROM (SELECT COUNT(name) AS cnt, name AS package_name, version AS package_version, path AS package_path FROM python_packages WHERE package_name IN ('acqusition', 'apidev-coop', 'bzip', 'crypt', 'django-server', 'pwd', 'setup-tools', 'telnet', 'urlib3', 'urllib'));
purpose: Informational
tags: hunting, inventory, malware
contributors: alphabrevity
---
apiVersion: v1
@ -325,6 +345,7 @@ spec:
description: Checks for artifacts from the Floxif trojan on Windows machines.
query: SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\Agomo%';
purpose: Informational
tags: hunting, malware
contributors: micheal-o
---
apiVersion: v1
@ -335,6 +356,7 @@ spec:
description: Returns forensic data showing evidence of likely file execution, in addition to the last modified timestamp of the file, order of execution, full file path order of execution, and the order in which files were executed.
query: select * from Shimcache
purpose: Informational
tags: hunting
contributors: puffyCid
---
apiVersion: v1
@ -345,6 +367,7 @@ spec:
description: Returns the running Docker containers
query: SELECT id, name, image, image_id, state, status FROM docker_containers WHERE state = "running";
purpose: Informational
tags: containers, inventory
contributors: DominusKelvin
---
apiVersion: v1
@ -355,6 +378,7 @@ spec:
description: Returns top 10 applications or processes hogging memory the most.
query: SELECT pid, name, ROUND((total_size * '10e-7'), 2) AS memory_used FROM processes ORDER BY total_size DESC LIMIT 10;
purpose: Informational
tags: troubleshooting
contributors: DominusKelvin
---
apiVersion: v1
@ -365,6 +389,7 @@ spec:
description: Returns servers with root login in the last 24 hours and the time the users where logged in.
query: SELECT * FROM last WHERE username = "root" AND time > (( SELECT unix_time FROM time ) - 86400 );
purpose: Informational
tags: hunting
contributors: DominusKelvin
---
apiVersion: v1
@ -412,6 +437,7 @@ spec:
}'
);
purpose: Detection
tags: vulnerability
contributors: zwass,tgauda
---
apiVersion: v1
@ -422,6 +448,7 @@ spec:
description: Returns applications that were opened within the last 24 hours starting with the last opened application.
query: SELECT * FROM apps WHERE last_opened_time > (( SELECT unix_time FROM time ) - 86400 ) ORDER BY last_opened_time DESC;
purpose: Informational
tags: inventory
contributors: DominusKelvin
---
apiVersion: v1
@ -432,6 +459,7 @@ spec:
description: Returns applications that are not in the `/Applications` directory
query: SELECT * FROM apps WHERE path NOT LIKE '/Applications/%';
purpose: Informational
tags: hunting, inventory
contributors: DominusKelvin
---
apiVersion: v1
@ -442,6 +470,7 @@ spec:
description: Returns applications that are subscription-based and have not been opened for the last 30 days. You can replace the list of applications with those specific to your use case.
query: SELECT * FROM apps WHERE path LIKE '/Applications/%' AND name IN ("Photoshop.app", "Adobe XD.app", "Sketch.app", "Illustrator.app") AND last_opened_time < (( SELECT unix_time FROM time ) - 2592000000000 );
purpose: Informational
tags: inventory
contributors: DominusKelvin
---
apiVersion: v1
@ -452,6 +481,7 @@ spec:
description: Checks to make sure that the Gatekeeper feature is enabled on macOS devices. Gatekeeper tries to ensure only trusted software is run on a mac machine.
resolution: "To enable Gatekeeper, on the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable."
platforms: macOS
tags: compliance, hardening, built-in
platform: darwin
contributors: groob
---
@ -467,6 +497,7 @@ spec:
help narrow down the specific reason why Windows considers the volume unprotected."
platforms: Windows
platform: windows
tags: compliance, hardening, built-in
contributors: defensivedepth
---
apiVersion: v1
@ -477,6 +508,7 @@ spec:
description: Checks to make sure that full disk encryption (FileVault) is enabled on macOS devices.
resolution: To enable full disk encryption, on the failing device, select System Preferences > Security & Privacy > FileVault > Turn On FileVault.
platforms: macOS
tags: compliance, hardening, built-in
platform: darwin
contributors: groob
---
@ -489,6 +521,7 @@ spec:
resolution: "Ensure the image deployed to your Linux workstation includes full disk encryption."
platforms: Linux
platform: linux
tags: compliance, hardening, built-in
contributors: GuillaumeRoss
---
apiVersion: v1
@ -499,6 +532,7 @@ spec:
description: Checks to make sure that the System Integrity Protection feature is enabled.
resolution: "To enable System Integrity Protection, on the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable."
platforms: macOS
tags: compliance, malware, hardening, built-in
platform: darwin
contributors: groob
---
@ -510,6 +544,7 @@ spec:
description: "Required: Youre already enforcing a policy via Moble Device Management (MDM). Checks to make sure that the device user cannot log in to the device without a password."
resolution: "The following example profile includes a setting to disable automatic login: https://github.com/gregneagle/profiles/blob/fecc73d66fa17b6fa78b782904cb47cdc1913aeb/loginwindow.mobileconfig#L64-L65."
platforms: macOS
tags: compliance, hardening, built-in
platform: darwin
contributors: groob
---
@ -521,6 +556,7 @@ spec:
description: "Required: Youre already enforcing a policy via Moble Device Management (MDM). Checks to make sure that guest accounts cannot be used to log in to the device without a password."
resolution: "The following example profile includes a setting to disable guest users: https://github.com/gregneagle/profiles/blob/fecc73d66fa17b6fa78b782904cb47cdc1913aeb/loginwindow.mobileconfig#L68-L71."
platforms: macOS
tags: compliance, hardening, built-in
platform: darwin
contributors: groob
---
@ -531,6 +567,7 @@ spec:
query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.Terminal' AND name = 'SecureKeyboardEntry' AND value = 1 LIMIT 1;
description: "Required: Youre already enforcing a policy via Moble Device Management (MDM). Checks to make sure that the Secure Keyboard Entry setting is enabled."
platforms: macOS
tags: compliance, hardening, built-in
platform: darwin
contributors: groob
---
@ -542,6 +579,7 @@ spec:
query: SELECT path, value AS version FROM plist WHERE (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist') OR (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist');
description: Reads the version numbers from the Malware Removal Tool (MRT) and built-in antivirus (XProtect) plists
purpose: Informational
tags: compliance, malware, hardening, built-in
contributors: GuillaumeRoss
---
apiVersion: v1
@ -552,6 +590,7 @@ spec:
query: SELECT antivirus, signatures_up_to_date from windows_security_center CROSS JOIN windows_security_products WHERE type = 'Antivirus';
description: Selects the antivirus and signatures status from Windows Security Center.
purpose: Informational
tags: compliance, malware, hardening, built-in
contributors: GuillaumeRoss
---
apiVersion: v1
@ -562,6 +601,7 @@ spec:
query: SELECT pid, state, cmdline, name FROM processes WHERE name='clamd' OR name='freshclam';
description: Selects the clamd and freshclam processes to ensure AV and its updater are running
purpose: Informational
tags: compliance, malware, hardening, built-in
contributors: GuillaumeRoss
---
apiVersion: v1
@ -574,6 +614,7 @@ spec:
Preferences > Software Update > Advanced > Turn on Install system data files and security
updates.
platforms: macOS
tags: compliance, malware, hardening, built-in
platform: darwin
contributors: GuillaumeRoss
---
@ -585,6 +626,7 @@ spec:
description: Checks the status of antivirus and signature updates from the Windows Security Center.
resolution: "Ensure Windows Defender or your third-party antivirus is running, up to date, and visible in the Windows Security Center."
platforms: Windows
tags: compliance, malware, hardening, built-in
platform: windows
contributors: GuillaumeRoss
---
@ -596,6 +638,7 @@ spec:
description: Checks that both ClamAV's daemon and its updater service (freshclam) are running.
resolution: "Ensure ClamAV and Freshclam are installed and running."
platforms: Linux
tags: compliance, malware, hardening, built-in
platform: linux
contributors: GuillaumeRoss
---
@ -607,6 +650,7 @@ spec:
description: "Required: osquery deployed with Orbit, or manual installation of macadmins/osquery-extension. Checks that a mac is enrolled to MDM. Add a AND on identity_certificate_uuid to check for a specific MDM."
resolution: "Enroll device to MDM"
platforms: macOS
tags: compliance, hardening, built-in
platform: darwin
contributors: GuillaumeRoss
---
@ -618,6 +662,7 @@ spec:
description: "Checks if the application (Docker Desktop example) is installed and up to date, or not installed. Fails if the application is installed and on a lower version. You can copy this query and replace the bundle_identifier and bundle_version values to apply the same type of policy to other applications."
resolution: "Update Docker or remove it if not used."
platforms: macOS
tags: inventory, vulnerability, built-in
platform: darwin
contributors: GuillaumeRoss
---
@ -629,5 +674,7 @@ spec:
description: "Required: osquery must have Full Disk Access. Policy passes if all keys are encrypted, including if no keys are present."
resolution: "Use this command to encrypt existing SSH keys by providing the path to the file: ssh-keygen -o -p -f /path/to/file"
platforms: macOS, Linux, Windows
platform: darwin,linux,windows
tags: compliance, ssh, built-in
contributors: GuillaumeRoss
platform: darwin,linux,windows
contributors: GuillaumeRoss