Add policy templates to standard query library (#3956)
* Add remaining policy templates * Remove empty resolution field * Update naming for standard policies * Add enabled word to SIP policy * Use full SIP * Also change in constants * Update windows disk encryption * Add changes file * Tweak windows disk encryption policy * Address lint errors * Make requested changes * Reflect changes in policy templates * Make sure that standard policies and policy templates are the same * Edit automatic login disabled description * Also edit in constants
This commit is contained in:
parent
447a4b58ed
commit
9c24c7d92c
2
changes/update-standard-policies
Normal file
2
changes/update-standard-policies
Normal file
@ -0,0 +1,2 @@
|
||||
* Update standard policy templates to use new naming convention. For example, "Is FileVault enabled on macOS
|
||||
devices?" is now "Full disk encryption enabled (macOS)."
|
@ -637,7 +637,7 @@ spec:
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: Is Gatekeeper enabled on macOS devices?
|
||||
name: Gatekeeper enabled (macOS)
|
||||
query: SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;
|
||||
description: Checks to make sure that the Gatekeeper feature is enabled on macOS devices. Gatekeeper tries to ensure only trusted software is run on a mac machine.
|
||||
resolution: "To enable Gatekeeper, on the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable."
|
||||
@ -647,9 +647,9 @@ spec:
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: Is disk encryption enabled on Windows devices?
|
||||
name: Full disk encryption enabled (Windows)
|
||||
query: SELECT 1 FROM bitlocker_info where protection_status = 1;
|
||||
description: Checks to make sure that device encryption is enabled on Windows devices.
|
||||
description: Checks to make sure that full disk encryption is enabled on Windows devices.
|
||||
resolution: "To get additional information, run the following osquery query on the failing device: SELECT * FROM bitlocker_info. In the
|
||||
query results, if protection_status is 2, then the status cannot be determined. If it is 0, it is
|
||||
considered unprotected. Use the additional results (percent_encrypted, conversion_status, etc.) to
|
||||
@ -660,10 +660,49 @@ spec:
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: Is FileVault enabled on macOS devices?
|
||||
name: Full disk encryption enabled (macOS)
|
||||
query: SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT "" AND filevault_status = 'on' LIMIT 1;
|
||||
description: Checks to make sure that the FileVault feature is enabled on macOS devices.
|
||||
resolution: "To enable FileVault, on the failing device, select System Preferences >
|
||||
description: Checks to make sure that full disk encryption (FileVault) is enabled on macOS devices.
|
||||
resolution: "To enable full disk encryption, on the failing device, select System Preferences >
|
||||
Security & Privacy > FileVault > Turn On FileVault."
|
||||
platforms: macOS
|
||||
contributors: groob
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: System Integrity Protection enabled (macOS)
|
||||
query: SELECT 1 FROM sip_config WHERE config_flag = 'sip' AND enabled = 1;
|
||||
description: Checks to make sure that the System Integrity Protection feature is enabled.
|
||||
resolution: "To enable System Integrity Protection, on the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable."
|
||||
platforms: macOS
|
||||
contributors: groob
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: Automatic login disabled (macOS)
|
||||
query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.loginwindow' AND name = 'com.apple.login.mcx.DisableAutoLoginClient' AND value = 1 LIMIT 1;
|
||||
description: "Required: You’re already enforcing a policy via Moble Device Management (MDM). Checks to make sure that the device user cannot log in to the device without a password."
|
||||
resolution: "The following example profile includes a setting to disable automatic login: https://github.com/gregneagle/profiles/blob/fecc73d66fa17b6fa78b782904cb47cdc1913aeb/loginwindow.mobileconfig#L64-L65."
|
||||
platforms: macOS
|
||||
contributors: groob
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: Guest users disabled (macOS)
|
||||
query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.MCX' AND name = 'DisableGuestAccount' AND value = 1 LIMIT 1;
|
||||
description: "Required: You’re already enforcing a policy via Moble Device Management (MDM). Checks to make sure that guest accounts cannot be used to log in to the device without a password."
|
||||
resolution: "The following example profile includes a setting to disable guest users: https://github.com/gregneagle/profiles/blob/fecc73d66fa17b6fa78b782904cb47cdc1913aeb/loginwindow.mobileconfig#L68-L71."
|
||||
platforms: macOS
|
||||
contributors: groob
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: Secure keyboard entry for Terminal.app enabled (macOS)
|
||||
query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.Terminal' AND name = 'SecureKeyboardEntry' AND value = 1 LIMIT 1;
|
||||
description: "Required: You’re already enforcing a policy via Moble Device Management (MDM). Checks to make sure that the Secure Keyboard Entry setting is enabled."
|
||||
platforms: macOS
|
||||
contributors: groob
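Review bot: The resolution added for the new "System Integrity Protection enabled (macOS)" policy names the wrong control: `/usr/sbin/spctl --master-enable` is the Gatekeeper command already used by the Gatekeeper policy earlier in this file and does not touch SIP, so an operator who follows it will keep failing the `sip_config` query. SIP is turned on with `csrutil enable` from macOS Recovery followed by a restart, so the line should read something like `resolution: "To enable System Integrity Protection, boot the failing device into macOS Recovery, open Terminal, run csrutil enable, then restart."`. The three MDM-dependent descriptions added in this hunk also misspell "Mobile" as "Moble"; these strings are shown to operators and are mirrored into the JS constants, so they are worth correcting here first.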
|
||||
|
@ -17,29 +17,29 @@ export const DEFAULT_POLICIES = [
|
||||
{
|
||||
key: 1,
|
||||
query: `SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT "" AND filevault_status = 'on' LIMIT 1`,
|
||||
name: "Is FileVault enabled on macOS devices?",
|
||||
name: "Full disk encryption enabled (macOS)",
|
||||
description:
|
||||
"Checks to make sure that the Filevault feature is enabled on macOS devices.",
|
||||
"Checks to make sure that full disk encryption (FileVault) is enabled on macOS devices.",
|
||||
resolution:
|
||||
"To enable FileVault, on the failing device, select System Preferences > Security & Privacy > FileVault > Turn On FileVault.",
|
||||
"To enable full disk encryption, on the failing device, select System Preferences > Security & Privacy > FileVault > Turn On FileVault.",
|
||||
platform: "darwin",
|
||||
},
|
||||
{
|
||||
key: 2,
|
||||
query: "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1",
|
||||
name: "Is Gatekeeper enabled on macOS devices?",
|
||||
name: "Gatekeeper enabled (macOS)",
|
||||
description:
|
||||
"Checks to make sure that the Gatekeeper feature is enabled on macOS devices. Gatekeeper tries to ensure only trusted software is run on a mac machine.",
|
||||
resolution:
|
||||
"To enable Gatekeeper, one the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable.",
|
||||
"To enable Gatekeeper, on the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable.",
|
||||
platform: "darwin",
|
||||
},
|
||||
{
|
||||
key: 3,
|
||||
query: "SELECT 1 FROM bitlocker_info WHERE protection_status = 1;",
|
||||
name: "Is disk encryption enabled on Windows devices?",
|
||||
name: "Full disk encryption enabled (Windows)",
|
||||
description:
|
||||
"Checks to make sure that device encryption is enabled on Windows devices.",
|
||||
"Checks to make sure that full disk encryption is enabled on Windows devices.",
|
||||
resolution:
|
||||
"To get additional information, run the following osquery query on the failing device: SELECT * FROM bitlocker_info. In the query results, if protection_status is 2, then the status cannot be determined. If it is 0, it is considered unprotected. Use the additional results (percent_encrypted, conversion_status, etc.) to help narrow down the specific reason why Windows considers the volume unprotected.",
|
||||
platform: "windows",
|
||||
@ -48,39 +48,40 @@ export const DEFAULT_POLICIES = [
|
||||
key: 4,
|
||||
query:
|
||||
"SELECT 1 FROM sip_config WHERE config_flag = 'sip' AND enabled = 1;",
|
||||
name: "Is System Integrity Protection (SIP) enabled on macOS devices?",
|
||||
description: "Checks to make sure that the SIP is enabled.",
|
||||
name: "System Integrity Protection enabled (macOS)",
|
||||
description:
|
||||
"Checks to make sure that the System Integrity Protection feature is enabled.",
|
||||
resolution:
|
||||
"On the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable",
|
||||
"To enable System Integrity Protection, on the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable.",
|
||||
platform: "darwin",
|
||||
},
|
||||
{
|
||||
key: 5,
|
||||
query:
|
||||
"SELECT 1 FROM managed_policies WHERE domain = 'com.apple.loginwindow' AND name = 'com.apple.login.mcx.DisableAutoLoginClient' AND value = 1 LIMIT 1",
|
||||
name: "Is automatic login disabled on macOS devices?",
|
||||
name: "Automatic login disabled (macOS)",
|
||||
description:
|
||||
"Required: You’re already enforcing a policy via Moble Device Management (MDM). Checks to make sure that the device user cannot log in to the device without a password. It’s good practice to have both this policy and the “Is Filevault enabled on macOS devices?” policy enabled.",
|
||||
"Required: You’re already enforcing a policy via Moble Device Management (MDM). Checks to make sure that the device user cannot log in to the device without a password.",
|
||||
resolution:
|
||||
"The following example profile includes a setting to disable automatic login: https://github.com/gregneagle/profiles/blob/fecc73d66fa17b6fa78b782904cb47cdc1913aeb/loginwindow.mobileconfig#L64-L65",
|
||||
"The following example profile includes a setting to disable automatic login: https://github.com/gregneagle/profiles/blob/fecc73d66fa17b6fa78b782904cb47cdc1913aeb/loginwindow.mobileconfig#L64-L65.",
|
||||
platform: "darwin",
|
||||
},
|
||||
{
|
||||
key: 6,
|
||||
query:
|
||||
"SELECT 1 FROM managed_policies WHERE domain = 'com.apple.MCX' AND name = 'DisableGuestAccount' AND value = 1 LIMIT 1;",
|
||||
name: "Are guest users disabled on macOS devices?",
|
||||
name: "Guest users disabled (macOS)",
|
||||
description:
|
||||
"Required: You’re already enforcing a policy via Moble Device Management (MDM). Checks to make sure that guest accounts cannot be used to log in to the device without a password.",
|
||||
resolution:
|
||||
"The following example profile includes a setting to disable guest users: https://github.com/gregneagle/profiles/blob/fecc73d66fa17b6fa78b782904cb47cdc1913aeb/loginwindow.mobileconfig#L68-L71",
|
||||
"The following example profile includes a setting to disable guest users: https://github.com/gregneagle/profiles/blob/fecc73d66fa17b6fa78b782904cb47cdc1913aeb/loginwindow.mobileconfig#L68-L71.",
|
||||
platform: "darwin",
|
||||
},
|
||||
{
|
||||
key: 7,
|
||||
query:
|
||||
"SELECT 1 FROM managed_policies WHERE domain = 'com.apple.Terminal' AND name = 'SecureKeyboardEntry' AND value = 1 LIMIT 1;",
|
||||
name: "Is secure keyboard entry enabled on macOS devices?",
|
||||
name: "Secure keyboard entry for Terminal.app enabled (macOS)",
|
||||
description:
|
||||
"Required: You’re already enforcing a policy via Moble Device Management (MDM). Checks to make sure that the Secure Keyboard Entry setting is enabled.",
|
||||
resolution: "",
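Review bot: The new `resolution` string for key 4 (System Integrity Protection) instructs the user to run `/usr/sbin/spctl --master-enable`, which is the Gatekeeper command duplicated from key 2 and has no effect on the `sip_config` table the policy's query reads. It should point at the SIP control instead, e.g. `"To enable System Integrity Protection, boot the failing device into macOS Recovery, open Terminal, run csrutil enable, then restart."`. The commit's stated goal is keeping these constants identical to the YAML templates, where the same wrong command is introduced, so both copies need the same fix. The "Moble" typo in the key 5–7 descriptions is likewise carried into these user-facing strings. The `DEFAULT_POLICIES` array opens before this hunk and its closing bracket lies outside it.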
|
||||
|