This PR adds support for CIS Controls for macOS 14 - Sonoma.
The CIS Control changes from macOS 13 to 14 was minimal:
- Removed 5.9
- Added 2.18.1
- tested by running the test profile (ee/cis/macos-14/test/profiles/on-device-dictiation-enabled.mobileconfig)
---------
Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Found while working on #12696.
This was caught be a recent check added by @mostlikelee to `fleetctl
apply` (#13294).
Sample error:
```sh
$ fleetctl apply --context loadtest -f ee/cis/win-10/cis-policy-queries.yml
Error: applying policies: policy names must be globally unique. Please correct policy "CIS - Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'\n" and try again.
```
#11939
- This PR fixes typos in three CIS Windows queries (the queries were
failing with `invalid SQL syntax`).
- Also adds tooling to perform similar testing that we ran for macOS
(using `fleetd_tables` as an extension).
#10292, #12554
When scanning tens of thousands of files for permissions, using the
`find` command exposed as a fleetd table is more performant than trying
to use the `file` table. This change caused the watchdog to *stop*
killing osquery because of exceeding memory or CPU limit.
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
#10292
The query was processing *every* file under `/Applications/`, which
makes it super expensive both in CPU usage and Memory footprint. This
query was the main culprit of triggering worker process kills by the
watchdog.
On some runs it triggered CPU usage alerts:
```
7716:W0623 15:38:05.402959 221732864 watcher.cpp:415] osqueryd worker (72976) stopping:
Maximum sustainable CPU utilization limit 1200ms exceeded for 12 seconds
```
And on other runs it triggered memory usage alerts:
```
4431 W0626 07:28:50.868021 147312640 watcher.cpp:424] osqueryd worker (21453) stopping:
Memory limits exceeded: 214020096 bytes (limit is 200MB)
```
For the above logs I used a custom osqueryd branch to be able to print
more information: https://github.com/osquery/osquery/pull/8070
The metrics for the old query were CPU usage: ~4521 ms
```
435:level=warn ts=2023-06-26T09:58:29.665712Z query=fleet_policy_query_1233 queryTime=4521 memory=12226560 msg="distributed query performance is excessive" hostID=308 platform=darwin
```
With the new query, CPU usage: ~210 ms.
```
23893:level=debug ts=2023-06-26T18:06:08.242456Z query=fleet_policy_query_1233 queryTime=210 msg=stats memory=0 hostID=308 platform=darwin
```
Basically a ~20x improvement.
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- ~[ ] Added/updated tests~
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
https://github.com/fleetdm/fleet/issues/10602
@xpkoala this PR will require testing of all modified items.
Preferably, we should perform the tests before merging to master. Can we
use the dev branch for that? -- Items were tested locally.
This relates to #11312
`18.9.17.6`: Fixing the issue with policy pointing to a different GPO
and Registry value
`18.9.47.4.2`: Adding COLLATE NOCASE to avoid case sensitive issue with
SpynetReporting value
I've tested all queries on my system. I'm not quite sure if the cast is
necessary but it was common other queries so I used it. This adds the
queries referenced in #10360
- [x] Manual QA for all new/changed functionality
This adds all queries referenced in #10359. Some are in the
non-completed since I couldn't test. The referenced UI path didn't exist
on the latest version if Wondows 10 and the ADMX is supposed to be built
in on recent version of Windows.
# Checklist for submitter
- [x] Manual QA for all new/changed functionality
1. FIX for **18.5.9.2** - successfully tested for positive/negative
cases.
2. BUG in **18.5.11.3** and **18.5.11.4** - Registry keys do not appear.
Moved to **`NON-COMPLETED`**
18.2.1 - successfully Tested for negative and positive cases
18.2.2 - successfully Tested for negative and positive cases
18.2.3 - successfully Tested for negative and positive cases
18.2.4 - successfully Tested for negative and positive cases
18.2.5 - successfully Tested for negative and positive cases
18.2.6 - successfully Tested for negative and positive cases
Many of these queries reference registry keys that do not exist so I
moved them to the NON-COMPLETED file. However, all queries name in
#10355 are included in either the main or non completed file.
- [x] Manual QA for all new/changed functionality
Go tests are failing in main with:
```
=== RUN TestGroupFromBytesWithWin10CISQueries
spec_test.go:69:
Error Trace: /Users/roperzh/fleet/pkg/spec/spec_test.go:69
Error: Received unexpected error:
failed to unmarshal spec item error converting YAML to JSON: yaml: line 20: mapping values are not allowed in this context:
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'
platforms: win10
platform: windows
description: |
This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects.
For scheduler jobs, the following are audited:
- Job created.
- Job deleted.
- Job enabled.
- Job disabled.
- Job updated.
For COM+ objects, the following are audited:
- Catalog object added.
- Catalog object updated.
- Catalog object deleted.
The recommended state for this setting is: Success and Failure.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to Success and Failure:
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Other Object Access Events'
query: |
SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/Audit/ObjectAccess_AuditOtherObjectAccessEvents</LocURI></Target></Item></Get></SyncBody>"
AND mdm_command_output = 3;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.6.3
contributors: sharon-fdm
Test: TestGroupFromBytesWithWin10CISQueries
--- FAIL: TestGroupFromBytesWithWin10CISQueries (0.31s)
```
This adds a missing indentation to make them pass.
## Issue
Cerra #10369
## Description
- Lots of trial and error to get the wild card to work (only works with
single \ in the path)
- 6 of 7 tested and working
- Final policy is intended for Windows 11
