apiVersion: v1
kind: policy
spec:
  name: Ensure a password is required to wake the computer from sleep or screen saver is enabled
  platforms: macOS
  platform: darwin
  description: Checks that a password is required to wake the computer from sleep or from the screen saver.
  resolution: |
    Automated method:
    Ask your system administrator to deploy an MDM profile that ensures a password is required to wake the computer from sleep or from the screen saver.

    Graphical method:
    Perform the following steps to ensure a password is required to wake the computer from sleep or from the screen saver:
    1. Open System Settings
    2. Select Lock Screen
    3. Verify that "Require password after screensaver begins or display is turned off" is set to "After 0 seconds" or "After 5 seconds"
  query: |-
    SELECT 1 WHERE
      EXISTS (
        SELECT 1 FROM managed_policies
        WHERE domain = 'com.apple.screensaver' AND name = 'askForPassword'
          AND (value = 1 OR value = 'true') AND username = ''
      )
      AND EXISTS (
        SELECT 1 FROM managed_policies
        WHERE domain = 'com.apple.screensaver' AND name = 'askForPasswordDelay'
          AND value <= 5 AND username = ''
      )
      AND NOT EXISTS (
        SELECT 1 FROM managed_policies
        WHERE domain = 'com.apple.screensaver' AND name = 'askForPassword'
          AND (value != 1 AND value != 'true')
      )
      AND NOT EXISTS (
        SELECT 1 FROM managed_policies
        WHERE domain = 'com.apple.screensaver' AND name = 'askForPasswordDelay'
          AND value > 5
      );
  purpose: Informational
  tags: compliance, CIS, CIS_Level1, premium
  contributors: sharon-fdm,ddribeiro
  configuration_profile: |
    <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <key>PayloadDisplayName</key>
          <string>Screensaver</string>
          <key>PayloadIdentifier</key>
          <string>com.apple.screensaver.AB633B1B-EAEF-4AB6-B5F6-DE67193267E9</string>
          <key>PayloadType</key>
          <string>com.apple.screensaver</string>
          <key>PayloadUUID</key>
          <string>AB633B1B-EAEF-4AB6-B5F6-DE67193267E9</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
          <key>askForPassword</key>
          <true/>
          <key>askForPasswordDelay</key>
          <integer>0</integer>
        </dict>
      </array>
      <key>PayloadDisplayName</key>
      <string>Require password after screensaver or sleep</string>
      <key>PayloadIdentifier</key>
      <string>com.fleetdm.password_policy</string>
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadUUID</key>
      <string>5A2DC0F2-C5FE-4808-9083-D9879684D7FA</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    </plist>
---
apiVersion: v1
kind: policy
spec:
  name: Ensure auto-update is enabled
  platforms: macOS
  platform: darwin
  description: Checks that the system is configured via MDM to automatically check for updates (the AutomaticCheckEnabled key of the com.apple.SoftwareUpdate domain).
  resolution: "Ask your system administrator to deploy an MDM profile that enables automatic updates."
  query: |
    SELECT 1 WHERE
      EXISTS (
        SELECT 1 FROM managed_policies
        WHERE domain = 'com.apple.SoftwareUpdate' AND name = 'AutomaticCheckEnabled'
          AND (value = 1 OR value = 'true') AND username = ''
      )
      AND NOT EXISTS (
        SELECT 1 FROM managed_policies
        WHERE domain = 'com.apple.SoftwareUpdate' AND name = 'AutomaticCheckEnabled'
          AND (value != 1 AND value != 'true')
      );
  purpose: Informational
  tags: compliance, CIS, CIS_Level1, premium
  contributors: sharon-fdm,ddribeiro
  configuration_profile: |
    <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <key>AutomaticCheckEnabled</key>
          <true/>
          <key>PayloadDisplayName</key>
          <string>Software Update</string>
          <key>PayloadIdentifier</key>
          <string>com.apple.SoftwareUpdate.8567CAE0-4F08-49B7-9DEE-EE7A1FB232E4</string>
          <key>PayloadType</key>
          <string>com.apple.SoftwareUpdate</string>
          <key>PayloadUUID</key>
          <string>8567CAE0-4F08-49B7-9DEE-EE7A1FB232E4</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
        </dict>
      </array>
      <key>PayloadDisplayName</key>
      <string>Automatically install updates</string>
      <key>PayloadIdentifier</key>
      <string>com.fleetdm.automatically_install_updates</string>
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadUUID</key>
      <string>C9797096-D3DD-4BB4-85B0-6679209BA78F</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    </plist>
---
apiVersion: v1
kind: policy
spec:
  name: Ensure 'Minimum password length' is set to '14 or more characters'
  platforms: win10
  platform: windows
  description: |
    This policy setting determines the least number of characters that make up a password for a user account.
  resolution: |
    Automatic method:
    Ask your system administrator to establish the recommended configuration via GP, setting the following UI path to 14 or more characters:
    'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length'
  query: |
    SELECT 1 FROM security_profile_info WHERE minimum_password_length >= 14;
  powershell: |
    $netAccountsOutput = net accounts
    $minPwdLine = $netAccountsOutput | Where-Object { $_ -match "Minimum password length" }
    if ($minPwdLine -match "Minimum password length:\s*(\d+)") {
      $minPasswordLength = [int]$matches[1]
      if ($minPasswordLength -ge 14) {
        Write-Output "1"
      }
    }
  purpose: Informational
  tags: compliance, CIS, CIS_Level1, premium
  contributors: marcosd4h
---
apiVersion: v1
kind: query
spec:
  name: Get OpenSSL versions
  platform: linux
  description: Retrieves the installed OpenSSL package versions from the deb, apt and rpm package tables.
  query: |
    SELECT name AS name, version AS version, 'deb_packages' AS source FROM deb_packages WHERE name LIKE 'openssl%'
    UNION
    SELECT name AS name, version AS version, 'apt_sources' AS source FROM apt_sources WHERE name LIKE 'openssl%'
    UNION
    SELECT name AS name, version AS version, 'rpm_packages' AS source FROM rpm_packages WHERE name LIKE 'openssl%';
  purpose: Informational
  tags: inventory
  remediation: Check out the linked table (https://github.com/fleetdm/fleet/blob/32b4d53e7f1428ce43b0f9fa52838cbe7b413eed/handbook/queries/detect-hosts-with-high-severity-vulnerable-versions-of-openssl.md#table-of-vulnerable-openssl-versions) to determine whether the installed version has a high severity vulnerability and to view the corresponding CVE(s).
  contributors: zwass
---
apiVersion: v1
kind: policy
spec:
  name: Get Ubuntu Advantage (Ubuntu Pro) attachment status
  platform: linux
  description: Checks that the Ubuntu Pro status file exists and that the host is attached with a subscription that has not expired. Combine with a script automation that runs the attach command for remediation.
  query: |
    SELECT 1 FROM parse_json
    WHERE path = '/var/lib/ubuntu-advantage/status.json'
      AND ((key = 'attached' AND value = 'true') OR (key = 'expires' AND datetime(value) > datetime('now')))
    GROUP BY path
    HAVING SUM(CASE WHEN key = 'attached' AND value = 'true' THEN 1 ELSE 0 END) = 1
       AND SUM(CASE WHEN key = 'expires' AND datetime(value) > datetime('now') THEN 1 ELSE 0 END) = 1;
  contributors: GrayW
---
apiVersion: v1
kind: query
spec:
  name: Get authorized SSH keys
  platform: darwin, linux
  description: Presence of authorized SSH keys may be unusual on laptops. It can be completely normal on servers, but is worth auditing for unusual keys and/or changes.
  query: SELECT username, authorized_keys.* FROM users CROSS JOIN authorized_keys USING (uid);
  purpose: Informational
  tags: built-in, ssh
  contributors: mike-j-thomas
---
apiVersion: v1
kind: query
spec:
  name: Get authorized keys for Domain Joined Accounts
  platform: darwin, linux
  description: Lists authorized_keys for each user on the system that has a login record in the last table.
  query: SELECT * FROM users CROSS JOIN authorized_keys USING (uid) WHERE username IN (SELECT DISTINCT username FROM last);
  purpose: Informational
  tags: active directory, ssh
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get crashes
  platform: darwin
  description: Retrieve application, system, and mobile app crash logs.
  query: SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path FROM users CROSS JOIN crashes USING (uid);
  purpose: Informational
  tags: troubleshooting
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get installed Chrome Extensions
  platform: darwin, linux, windows
  description: List installed Chrome Extensions for all users.
  query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);
  purpose: Informational
  tags: browser, built-in, inventory
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get installed Linux software
  platform: linux
  description: Get all software installed on a Linux computer, including browser plugins and installed packages. Note that this does not include other running processes in the processes table.
  query: |
    SELECT name AS name, version AS version, 'Package (APT)' AS type, 'apt_sources' AS source FROM apt_sources
    UNION
    SELECT name AS name, version AS version, 'Package (deb)' AS type, 'deb_packages' AS source FROM deb_packages
    UNION
    SELECT package AS name, version AS version, 'Package (Portage)' AS type, 'portage_packages' AS source FROM portage_packages
    UNION
    SELECT name AS name, version AS version, 'Package (RPM)' AS type, 'rpm_packages' AS source FROM rpm_packages
    UNION
    SELECT name AS name, '' AS version, 'Package (YUM)' AS type, 'yum_sources' AS source FROM yum_sources
    UNION
    SELECT name AS name, version AS version, 'Package (NPM)' AS type, 'npm_packages' AS source FROM npm_packages
    UNION
    SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages;
  purpose: Informational
  tags: inventory, built-in
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get installed macOS software
  platform: darwin
  description: Get all software installed on a macOS computer, including apps, browser plugins, and installed packages. Note that this does not include other running processes in the processes table.
  query: |
    SELECT name AS name, bundle_short_version AS version, 'Application (macOS)' AS type, 'apps' AS source FROM apps
    UNION
    SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages
    UNION
    SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions
    UNION
    SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons
    UNION
    SELECT name AS name, version AS version, 'Browser plugin (Safari)' AS type, 'safari_extensions' AS source FROM safari_extensions
    UNION
    SELECT name AS name, version AS version, 'Package (Homebrew)' AS type, 'homebrew_packages' AS source FROM homebrew_packages;
  purpose: Informational
  tags: inventory, built-in
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get installed Safari extensions
  platform: darwin
  description: Retrieves the list of installed Safari Extensions for all users on the target system.
  query: SELECT safari_extensions.* FROM users JOIN safari_extensions USING (uid);
  purpose: Informational
  tags: browser, built-in, inventory
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get installed Windows software
  platform: windows
  description: Get all software installed on a Windows computer, including programs, browser plugins, and installed packages. Note that this does not include other running processes in the processes table.
  query: |
    SELECT name AS name, version AS version, 'Program (Windows)' AS type, 'programs' AS source FROM programs
    UNION
    SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages
    UNION
    SELECT name AS name, version AS version, 'Browser plugin (IE)' AS type, 'ie_extensions' AS source FROM ie_extensions
    UNION
    SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions
    UNION
    SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons
    UNION
    SELECT name AS name, version AS version, 'Package (Chocolatey)' AS type, 'chocolatey_packages' AS source FROM chocolatey_packages;
  purpose: Informational
  tags: inventory, built-in
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get laptops with failing batteries
  platform: darwin
  description: Lists all laptops with under-performing or failing batteries.
  query: SELECT * FROM battery WHERE health != 'Good' AND condition NOT IN ('', 'Normal');
  purpose: Informational
  tags: troubleshooting, hardware, inventory
  contributors: zwass
---
apiVersion: v1
kind: query
spec:
  name: Get current users with active shell/console on the system
  platform: darwin, linux, windows
  description: Get current users with an active shell/console on the system and the associated process.
  query: |
    SELECT user, host, time, p.name, p.cmdline, p.cwd, p.root
    FROM logged_in_users liu, processes p
    WHERE liu.pid = p.pid AND liu.type = 'user' AND liu.user <> ''
    ORDER BY time;
  purpose: Informational
  tags: hunting, built-in
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get unencrypted SSH keys for local accounts
  platform: darwin, linux, windows
  description: Identify SSH private keys created without a passphrase, which can be used for Lateral Movement (MITRE ATT&CK TA0008).
  query: SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys USING (uid) WHERE encrypted = 0;
  purpose: Informational
  tags: inventory, compliance, ssh, built-in
  remediation: First, make the user aware of the impact of unprotected SSH keys. Then rotate the unencrypted keys detected.
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get unencrypted SSH keys for domain-joined accounts
  platform: darwin, linux, windows
  description: Identify SSH private keys created without a passphrase, which can be used for Lateral Movement (MITRE ATT&CK TA0008), for accounts that have a login record in the last table.
  query: SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys USING (uid) WHERE encrypted = 0 AND username IN (SELECT DISTINCT username FROM last);
  purpose: Informational
  tags: inventory, compliance, ssh, active directory
  remediation: First, make the user aware of the impact of unprotected SSH keys. Then rotate the unencrypted keys detected.
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get dynamic linker hijacking on Linux (MITRE ATT&CK T1574.006)
  platform: linux
  description: Detects processes running with the LD_PRELOAD environment variable set, the environment-variable form of dynamic linker hijacking.
  query: SELECT env.pid, env.key, env.value, p.name, p.path, p.cmdline, p.cwd FROM process_envs env JOIN processes p USING (pid) WHERE key = 'LD_PRELOAD';
  purpose: Informational
  tags: hunting, ATTACK, t1574
  remediation: Identify the process/binary detected and confirm with the system's owner.
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get dynamic linker hijacking on macOS (MITRE ATT&CK T1574.006)
  platform: darwin
  description: Detects processes running with the DYLD_INSERT_LIBRARIES environment variable set, the macOS equivalent of LD_PRELOAD hijacking.
  query: SELECT env.pid, env.key, env.value, p.name, p.path, p.cmdline, p.cwd FROM process_envs env JOIN processes p USING (pid) WHERE key = 'DYLD_INSERT_LIBRARIES';
  purpose: Informational
  tags: hunting, ATTACK, t1574
  remediation: Identify the process/binary detected and confirm with the system's owner.
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get etc hosts entries
  platform: darwin, linux
  description: Line-parsed /etc/hosts, excluding the loopback entries.
  query: SELECT * FROM etc_hosts WHERE address NOT IN ('127.0.0.1', '::1');
  purpose: Informational
  tags: hunting, inventory
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get network interfaces
  platform: darwin, linux, windows
  description: Network interface IP and MAC addresses, excluding loopback.
  query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface) WHERE address NOT IN ('127.0.0.1', '::1');
  purpose: Informational
  tags: hunting, inventory
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get local user accounts
  platform: darwin, linux, windows
  description: Local user accounts (on Windows, including domain accounts that have logged on locally).
  query: SELECT uid, gid, username, description, directory, shell FROM users;
  purpose: Informational
  tags: hunting, inventory
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get active user accounts on servers
  platform: linux
  description: Domain-joined servers normally have only root and service accounts locally, with users logging in over SSH with their domain accounts, so any other active local account is worth reviewing.
  query: SELECT * FROM shadow WHERE password_status = 'active' AND username != 'root';
  purpose: Informational
  tags: hunting, inventory, Active Directory
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get Nmap scanner
  platform: darwin, linux, windows
  description: Get Nmap scanner processes, along with the user, parent, and process details.
  query: |
    SELECT p.pid, name, p.path, cmdline, cwd, start_time, parent,
      (SELECT name FROM processes WHERE pid = p.parent) AS parent_name,
      (SELECT username FROM users WHERE uid = p.uid) AS username
    FROM processes AS p
    WHERE cmdline LIKE 'nmap%';
  purpose: Informational
  tags: hunting, ATTACK, t1046
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get Docker contained processes on a system
  platform: darwin, linux
  description: Processes running inside Docker containers; can be used on normal systems or on a Kubernetes node.
  query: SELECT c.id, c.name, c.image, c.image_id, c.command, c.created, c.state, c.status, p.cmdline FROM docker_containers c CROSS JOIN docker_container_processes p USING (id);
  purpose: Informational
  tags: built-in, containers, inventory
  contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
  name: Get Windows print spooler remote code execution vulnerability
  platform: windows
  description: Detects devices that are potentially vulnerable to CVE-2021-1675, namely domain controllers (the NTDS service is present) on which the Print Spooler service is not disabled.
  query: |
    SELECT CASE cnt WHEN 2 THEN 'TRUE' ELSE 'FALSE' END AS vulnerable
    FROM (
      SELECT COUNT(name) AS cnt FROM services
      WHERE name = 'NTDS' OR (name = 'Spooler' AND start_type <> 'DISABLED')
    )
    WHERE cnt = 2;
  purpose: Informational
  tags: vulnerability
  contributors: maravedi
---
apiVersion: v1
kind: query
spec:
  name: Get local users and their privileges
  platform: darwin, linux, windows
  description: Collects the local user accounts and their respective primary group.
  query: SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;
  purpose: Informational
  tags: inventory
  contributors: noahtalerman
---
apiVersion: v1
kind: query
spec:
  name: Get processes that no longer exist on disk
  platform: linux, darwin, windows
  description: Lists all processes whose launching binary no longer exists on disk. Attackers often delete files from disk after launching a process to mask their presence.
  query: SELECT name, path, pid FROM processes WHERE on_disk = 0;
  purpose: Incident response
  tags: hunting, built-in
  contributors: alphabrevity
---
apiVersion: v1
kind: query
spec:
  name: Get user files matching a specific hash
  platform: darwin, linux
  description: Looks for a specific SHA-256 hash in the Users/ Documents directories, for files smaller than 50MB (osquery file size limitation).
  query: |
    SELECT path, sha256 FROM hash
    WHERE path IN (SELECT path FROM file WHERE size < 50000000 AND path LIKE '/Users/%/Documents/%')
      AND sha256 = '16d28cd1d78b823c4f961a6da78d67a8975d66cde68581798778ed1f98a56d75';
  purpose: Informational
  tags: hunting, built-in
  contributors: alphabrevity
---
apiVersion: v1
kind: query
spec:
  name: Get local administrator accounts on macOS
  platform: darwin
  description: Lists macOS accounts that are members of the local admin group. Membership is read from user_groups, since a user's primary gid (usually staff) does not reflect admin rights.
  query: |
    SELECT u.uid, u.username, u.type
    FROM users u
    JOIN user_groups ug USING (uid)
    JOIN groups g ON g.gid = ug.gid
    WHERE g.groupname = 'admin';
  purpose: Informational
  tags: hunting, inventory
  contributors: alphabrevity
---
apiVersion: v1
kind: query
spec:
  name: Get all listening ports, by process
  platform: linux, darwin, windows
  description: List ports that are listening on all interfaces (IPv4 0.0.0.0 or IPv6 ::), along with the process to which they are attached.
  query: |
    SELECT lp.address, lp.pid, lp.port, lp.protocol, p.name, p.path, p.cmdline
    FROM listening_ports lp JOIN processes p ON lp.pid = p.pid
    WHERE lp.address IN ('0.0.0.0', '::');
  purpose: Informational
  tags: hunting, network
  contributors: alphabrevity
---
apiVersion: v1
kind: query
spec:
  name: Get whether TeamViewer is installed/running
  platform: windows
  description: Looks for the TeamViewer service running on machines. Attackers who gain access to a machine often run TeamViewer to retain remote access to it.
  query: SELECT display_name, status, s.pid, p.path FROM services AS s JOIN processes AS p USING (pid) WHERE s.name LIKE '%teamviewer%';
  purpose: Informational
  tags: hunting, inventory
  contributors: alphabrevity
---
apiVersion: v1
kind: query
spec:
  name: Get malicious Python backdoors
  platform: darwin, linux, windows
  description: Checks for the backdoored (typosquatted) Python packages from the SK-CERT advisory installed on the system. See http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html
  query: |
    SELECT CASE cnt WHEN 0 THEN 'NONE_INSTALLED' ELSE 'INSTALLED' END AS "Malicious Python Packages", package_name, package_version
    FROM (
      SELECT COUNT(name) AS cnt, name AS package_name, version AS package_version, path AS package_path
      FROM python_packages
      WHERE name IN ('acquisition', 'apidev-coop', 'bzip', 'crypt', 'django-server', 'pwd', 'setup-tools', 'telnet', 'urlib3', 'urllib')
    );
  purpose: Informational
  tags: hunting, inventory, malware
  contributors: alphabrevity
---
apiVersion: v1
kind: query
spec:
  name: Check for artifacts of the Floxif trojan
  platform: windows
  description: Checks for registry artifacts of the Floxif trojan on Windows machines.
  query: SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\Agomo%';
  purpose: Informational
  tags: hunting, malware
  contributors: micheal-o
---
apiVersion: v1
kind: query
spec:
  name: Get Shimcache table
  platform: windows
  description: Returns forensic data showing evidence of likely file execution, including the full file path, the file's last modified timestamp, and the order in which entries were recorded.
  query: SELECT * FROM shimcache;
  purpose: Informational
  tags: hunting
  contributors: puffyCid
---
apiVersion: v1
kind: query
spec:
  name: Get running docker containers
  platform: darwin, linux
  description: Returns the running Docker containers.
  query: SELECT id, name, image, image_id, state, status FROM docker_containers WHERE state = 'running';
  purpose: Informational
  tags: containers, inventory
  contributors: DominusKelvin
---
apiVersion: v1
kind: query
spec:
  name: Get applications hogging memory
  platform: darwin, linux, windows
  description: Returns the top 10 processes by memory usage, with total_size converted from bytes to megabytes.
  query: SELECT pid, name, ROUND(total_size / 1000000.0, 2) AS memory_used_mb FROM processes ORDER BY total_size DESC LIMIT 10;
  purpose: Informational
  tags: troubleshooting
  contributors: DominusKelvin
---
apiVersion: v1
kind: query
spec:
  name: Get servers with root login in the last 24 hours
  platform: darwin, linux, windows
  description: Returns servers with a root login in the last 24 hours and the time of each login.
  query: SELECT * FROM last WHERE username = 'root' AND time > ((SELECT unix_time FROM time) - 86400);
  purpose: Informational
  tags: hunting
  contributors: DominusKelvin
---
apiVersion: v1
kind: query
spec:
  name: Detect active processes with Log4j running
  platform: darwin, linux
  description: |
    Returns a list of active processes and the jar paths that contain Log4j. Version numbers are usually within the jar filename.
    Note: This query is resource intensive and has caused problems on systems with limited swap space. Test on some systems before running this widely.
  query: |
    WITH target_jars AS (
      SELECT DISTINCT path
      FROM (
        WITH split(word, str) AS (
          SELECT '', cmdline || ' ' FROM processes
          UNION ALL
          SELECT substr(str, 0, instr(str, ' ')), substr(str, instr(str, ' ') + 1) FROM split WHERE str != ''
        )
        SELECT word AS path FROM split WHERE word LIKE '%.jar'
        UNION ALL
        SELECT path FROM process_open_files WHERE path LIKE '%.jar'
      )
    )
    SELECT path, matches
    FROM yara
    WHERE path IN (SELECT path FROM target_jars)
      AND count > 0
      AND sigrule IN (
        'rule log4jJndiLookup { strings: $jndilookup = "JndiLookup" condition: $jndilookup }',
        'rule log4jJavaClass { strings: $javaclass = "org/apache/logging/log4j" condition: $javaclass }'
      );
  purpose: Detection
  tags: vulnerability
  contributors: zwass,tgauda
---
apiVersion: v1
kind: query
spec:
  name: Get applications that were opened within the last 24 hours
  platform: darwin
  description: Returns applications that were opened within the last 24 hours, most recently opened first.
  query: SELECT * FROM apps WHERE last_opened_time > ((SELECT unix_time FROM time) - 86400) ORDER BY last_opened_time DESC;
  purpose: Informational
  tags: inventory
  contributors: DominusKelvin
---
apiVersion: v1
kind: query
spec:
  name: Get applications that are not in the Applications directory
  platform: darwin
  description: Returns applications that are not in the `/Applications` directory.
  query: SELECT * FROM apps WHERE path NOT LIKE '/Applications/%';
  purpose: Informational
  tags: hunting, inventory
  contributors: DominusKelvin
---
apiVersion: v1
kind: query
spec:
  name: Get subscription-based applications that have not been opened for the last 30 days
  platform: darwin
  description: Returns applications that are subscription-based and have not been opened in the last 30 days (2592000 seconds). You can replace the list of applications with those specific to your use case.
  query: |
    SELECT * FROM apps
    WHERE path LIKE '/Applications/%'
      AND name IN ('Photoshop.app', 'Adobe XD.app', 'Sketch.app', 'Illustrator.app')
      AND last_opened_time < ((SELECT unix_time FROM time) - 2592000);
  purpose: Informational
  tags: inventory
  contributors: DominusKelvin
---
apiVersion: v1
kind: query
spec:
  name: Get operating system information
  platform: darwin, windows, linux
  description: Returns the operating system name and version on the device.
  query: SELECT name, version FROM os_version;
  purpose: Informational
  tags: inventory, built-in
  contributors: noahtalerman
---
apiVersion: v1
kind: policy
spec:
  name: Gatekeeper enabled (macOS)
  query: SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;
  bash: spctl --status | grep -q 'assessments enabled' && echo 1 || echo 0
  description: Checks to make sure that the Gatekeeper feature is enabled on macOS devices. Gatekeeper tries to ensure only trusted software is run on a Mac.
  resolution: "To enable Gatekeeper, on the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable."
  tags: compliance, hardening, built-in, CIS, CIS2.5.2.1, critical
  platform: darwin
  contributors: groob,ddribeiro
  script: |
    #!/bin/sh
    ## command to enable gatekeeper
    /usr/sbin/spctl --master-enable
  configuration_profile: |
    <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <key>EnableAssessment</key>
          <true/>
          <key>PayloadDisplayName</key>
          <string>System Policy Control</string>
          <key>PayloadIdentifier</key>
          <string>com.apple.systempolicy.control.6CA698CD-1DBB-445C-BDA3-60E35FBBF0E9</string>
          <key>PayloadType</key>
          <string>com.apple.systempolicy.control</string>
          <key>PayloadUUID</key>
          <string>6CA698CD-1DBB-445C-BDA3-60E35FBBF0E9</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
        </dict>
      </array>
      <key>PayloadDisplayName</key>
      <string>Enable Gatekeeper</string>
      <key>PayloadIdentifier</key>
      <string>com.fleetdm.enablegatekeeper.DF30A9A2-C9F9-421D-A26A-6FAA7216E72F</string>
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadUUID</key>
      <string>DF30A9A2-C9F9-421D-A26A-6FAA7216E72F</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    </plist>
---
apiVersion: v1
kind: policy
spec:
  name: Full disk encryption enabled (Windows)
  query: SELECT 1 FROM bitlocker_info WHERE drive_letter = 'C:' AND protection_status = 1;
  description: Checks to make sure that full disk encryption (BitLocker) is enabled on the system drive of Windows devices.
  resolution: "To get additional information, run the following osquery query on the failing device: SELECT * FROM bitlocker_info. In the query results, if protection_status is 2, then the status cannot be determined. If it is 0, the volume is considered unprotected. Use the additional results (percent_encrypted, conversion_status, etc.) to help narrow down the specific reason why Windows considers the volume unprotected."
  platform: windows
  powershell: |
    $bitlockerInfo = Get-BitLockerVolume -MountPoint "C:"
    if ($bitlockerInfo.ProtectionStatus -eq 1) {
      Write-Output 1
    }
  tags: compliance, hardening, built-in, critical
  contributors: defensivedepth
---
apiVersion: v1
kind: policy
spec:
  name: Full disk encryption enabled (macOS)
  query: SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT '' AND filevault_status = 'on' LIMIT 1;
  bash: fdesetup status | grep -q "FileVault is On." && echo 1 || echo 0
  description: Checks to make sure that full disk encryption (FileVault) is enabled on macOS devices.
  resolution: To enable full disk encryption, on the failing device, select System Preferences > Security & Privacy > FileVault > Turn On FileVault.
  tags: compliance, hardening, built-in, CIS, CIS2.5.1.1, critical
  platform: darwin
  contributors: groob
---
apiVersion: v1
kind: policy
spec:
  name: Full disk encryption enabled (Linux)
  query: SELECT 1 FROM mounts m, disk_encryption d WHERE m.device_alias = d.name AND d.encrypted = 1 AND m.path = '/';
  description: Checks whether the device mounted at / is encrypted. There are many ways to encrypt Linux systems; this check matches the default layout used by distributions such as Ubuntu.
  resolution: "Ensure the image deployed to your Linux workstation includes full disk encryption."
  platform: linux
  tags: compliance, hardening, built-in, critical
  contributors: jbilling,GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
  name: System Integrity Protection enabled (macOS)
  query: SELECT 1 FROM sip_config WHERE config_flag = 'sip' AND enabled = 1;
  bash: csrutil status | grep -q 'enabled' && echo 1 || echo 0
  description: Checks to make sure that the System Integrity Protection feature is enabled.
  resolution: "To enable System Integrity Protection, restart the failing device into macOS Recovery, open Terminal from the Utilities menu, run csrutil enable, and restart. SIP cannot be enabled from a normal macOS session."
  tags: compliance, malware, hardening, built-in, CIS, CIS5.1.2
  platform: darwin
  contributors: groob
---
apiVersion: v1
kind: policy
spec:
  name: Automatic login disabled (macOS)
  query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.loginwindow' AND name = 'DisableFDEAutoLogin' AND value = 1 LIMIT 1;
  bash: "[ \"$(defaults read '/Library/Managed Preferences/com.apple.loginwindow' 'com.apple.login.mcx.DisableAutoLoginClient' 2>/dev/null)\" = \"1\" ] && echo 1 || echo 0"
  description: "Checks that a mobile device management (MDM) solution configures the Mac to prevent logging in without a password. Note: This policy will not report a value if FileVault is disabled."
  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables automatic login."
  tags: MDM required, compliance, hardening, built-in, critical
  platform: darwin
  contributors: groob,ddribeiro
  configuration_profile: |
    <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <key>PayloadDisplayName</key>
          <string>Login Window #1</string>
          <key>PayloadIdentifier</key>
          <string>com.apple.loginwindow.CE506065-7C0E-434E-8B8C-12E164116C94</string>
          <key>PayloadType</key>
          <string>com.apple.loginwindow</string>
          <key>PayloadUUID</key>
          <string>CE506065-7C0E-434E-8B8C-12E164116C94</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
          <key>DisableFDEAutoLogin</key>
          <true/>
          <key>com.apple.login.mcx.DisableAutoLoginClient</key>
          <true/>
        </dict>
      </array>
      <key>PayloadDisplayName</key>
      <string>Disable Automatic Login</string>
      <key>PayloadIdentifier</key>
      <string>com.fleetdm.disableautomaticlogin.F07E2CB5-56CC-4699-B061-EAA253220BA8</string>
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadUUID</key>
      <string>F07E2CB5-56CC-4699-B061-EAA253220BA8</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    </plist>
---
apiVersion: v1
kind: policy
spec:
  name: Secure keyboard entry for Terminal application enabled (macOS)
  query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.Terminal' AND name = 'SecureKeyboardEntry' AND value = 1 LIMIT 1;
  bash: '[ "$(defaults read "/Library/Managed Preferences/com.apple.Terminal" SecureKeyboardEntry 2>/dev/null)" = "1" ] && echo 1 || echo 0'
  description: "Checks that a mobile device management (MDM) solution configures the Mac to enable secure keyboard entry for the Terminal application."
  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables secure keyboard entry for the Terminal application."
  tags: MDM required, compliance, hardening, built-in
  platform: darwin
  contributors: groob,ddribeiro
  configuration_profile: |
    <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <key>SecureKeyboardEntry</key>
          <true/>
          <key>PayloadDisplayName</key>
          <string>Terminal</string>
          <key>PayloadIdentifier</key>
          <string>com.apple.Terminal.89C5FA0F-CA32-4CC7-99D9-931B13CB923B</string>
          <key>PayloadType</key>
          <string>com.apple.Terminal</string>
          <key>PayloadUUID</key>
          <string>89C5FA0F-CA32-4CC7-99D9-931B13CB923B</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
        </dict>
      </array>
      <key>PayloadDisplayName</key>
      <string>Enable Terminal Secure Keyboard Entry</string>
      <key>PayloadIdentifier</key>
      <string>com.fleetdm.enableterminalsecurekeyboardentry.6E73E3DF-0D0A-4B17-BBCB-3E0906C78743</string>
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadUUID</key>
      <string>6E73E3DF-0D0A-4B17-BBCB-3E0906C78743</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    </plist>
---
apiVersion: v1
kind: query
spec:
  name: Get built-in antivirus status on macOS
  platform: darwin
  query: |
    SELECT path, value AS version FROM plist
    WHERE (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist')
       OR (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist');
  description: Reads the version numbers from the Malware Removal Tool (MRT) and built-in antivirus (XProtect) plists.
  purpose: Informational
  tags: compliance, malware, hardening, built-in
  contributors: GuillaumeRoss
---
apiVersion: v1
kind: query
spec:
  name: Get antivirus status from the Windows Security Center
  platform: windows
  query: SELECT antivirus, signatures_up_to_date FROM windows_security_center CROSS JOIN windows_security_products WHERE type = 'Antivirus';
  description: Selects the antivirus and signature status from the Windows Security Center.
  purpose: Informational
  tags: compliance, malware, hardening, built-in
  contributors: GuillaumeRoss
---
apiVersion: v1
kind: query
spec:
  name: Get antivirus (ClamAV/clamd) and updater (freshclam) process status
  platform: linux
  query: SELECT pid, state, cmdline, name FROM processes WHERE name='clamd' OR name='freshclam';
  description: Selects the clamd and freshclam processes to ensure AV and its updater are running.
  purpose: Informational
  tags: compliance, malware, hardening, built-in
  contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
  name: Antivirus healthy (macOS)
  query: |
    SELECT score FROM (
      SELECT CASE WHEN COUNT(*) = 2 THEN 1 ELSE 0 END AS score FROM plist
      WHERE (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist' AND value >= 2162)
         OR (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist' AND value >= 1.93)
    ) WHERE score == 1;
  bash: |
    x=$(/usr/libexec/PlistBuddy -c "Print CFBundleShortVersionString" "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist" 2>/dev/null)
    m=$(/usr/libexec/PlistBuddy -c "Print CFBundleShortVersionString" "/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist" 2>/dev/null)
    if [[ $x =~ ^[0-9]+$ ]] && [ "$x" -ge 2162 ] && [[ $m =~ ^[0-9]+(\.[0-9]+)?$ ]] && [ "$(echo "$m >= 1.93" | bc -l)" -eq 1 ]; then echo 1; else echo 0; fi
  description: Checks the version of the Malware Removal Tool (MRT) and the built-in macOS AV (XProtect). Replace the version numbers with the latest versions regularly.
  resolution: To enable automatic security definition updates, on the failing device, select System Preferences > Software Update > Advanced > Turn on Install system data files and security updates.
  tags: compliance, malware, hardening, built-in, template
  platform: darwin
  contributors: GuillaumeRoss,ddribeiro
  configuration_profile: |
    PayloadContent ConfigDataInstall CriticalUpdateInstall PayloadDisplayName Software Update PayloadIdentifier com.apple.SoftwareUpdate.C0292C9C-7506-4A51-9C19-52FF2DB632EC PayloadType com.apple.SoftwareUpdate PayloadUUID C0292C9C-7506-4A51-9C19-52FF2DB632EC PayloadVersion 1 PayloadDisplayName Enable automatic system data files and security updates PayloadIdentifier com.fleetdm.enableSystemDataFilesAndSecurityUpdates.1C24BCAF-E18D-434B-B5D2-70F886F19912 PayloadType Configuration PayloadUUID 1C24BCAF-E18D-434B-B5D2-70F886F19912 PayloadVersion 1
---
apiVersion: v1
kind: policy
spec:
  name: Antivirus healthy (Windows)
  query: SELECT 1 FROM windows_security_center wsc CROSS JOIN windows_security_products wsp WHERE antivirus = 'Good' AND type = 'Antivirus' AND signatures_up_to_date=1;
  description: Checks the status of antivirus and signature updates from the Windows Security Center.
  resolution: "Ensure Windows Defender or your third-party antivirus is running, up to date, and visible in the Windows Security Center."
  tags: compliance, malware, hardening, built-in
  powershell: |
    $avProducts = Get-CimInstance -Namespace "root/SecurityCenter2" -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    if ($avProducts) {
      $goodProducts = $avProducts | Where-Object {
        # productState packs three bytes: the middle byte reports whether the product is
        # enabled (0x1000 set) and the low byte whether its signatures are out of date (0x10 set).
        (($_.productState -band 0x1000) -ne 0) -and (($_.productState -band 0x10) -eq 0)
      }
      if ($goodProducts) { Write-Output "1" }
    }
  platform: windows
  contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
  name: Antivirus healthy (Linux)
  query: SELECT score FROM (SELECT CASE WHEN COUNT(*) = 2 THEN 1 ELSE 0 END AS score FROM processes WHERE (name = 'clamd') OR (name = 'freshclam')) WHERE score == 1;
  description: Checks that both ClamAV's daemon and its updater service (freshclam) are running.
  resolution: "Ensure ClamAV and Freshclam are installed and running."
  tags: compliance, malware, hardening, built-in
  platform: linux
  contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
  name: MDM enrolled (macOS)
  query: SELECT 1 FROM mdm WHERE enrolled='true';
  bash: |
    # "profiles status -type enrollment" prints an "MDM enrollment: Yes/No" line; match it exactly,
    # since the "Enrolled via DEP:" line is present on every Mac and would otherwise always match.
    if profiles status -type enrollment 2>/dev/null | grep -q "MDM enrollment: Yes"; then echo 1; else echo 0; fi
  description: "Required: osquery deployed with Orbit, or manual installation of macadmins/osquery-extension. Checks that a Mac is enrolled in MDM. Add an AND on identity_certificate_uuid to check for a specific MDM."
  resolution: "Enroll device to MDM"
  tags: compliance, hardening, built-in, critical
  platform: darwin
  contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
  name: Docker application is up to date or not present (macOS)
  query: |
    SELECT 1 WHERE EXISTS (SELECT 1 FROM apps a1 WHERE a1.bundle_identifier = 'com.electron.dockerdesktop' AND a1.bundle_short_version >= '4.6.1')
      OR NOT EXISTS (SELECT 1 FROM apps a2 WHERE a2.bundle_identifier = 'com.electron.dockerdesktop');
  bash: |
    app=$(mdfind "kMDItemCFBundleIdentifier == 'com.electron.dockerdesktop'" | head -n1)
    if [ -z "$app" ]; then
      echo 1
    else
      ver=$(defaults read "$app/Contents/Info" CFBundleShortVersionString 2>/dev/null)
      [ "$(printf '%s\n' 4.6.1 "$ver" | sort -V | head -n1)" = "4.6.1" ] && echo 1 || echo 0
    fi
  description: "Checks if the application (Docker Desktop in this example) is installed and up to date, or not installed. Fails if the application is installed and on a lower version. You can copy this query and replace the bundle_identifier and bundle_short_version values to apply the same type of policy to other applications."
  resolution: "Update Docker or remove it if not used."
  tags: inventory, vulnerability, built-in
  platform: darwin
  contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
  name: SSH keys encrypted
  query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM users CROSS JOIN user_ssh_keys USING (uid) WHERE encrypted='0');
  bash: |
    # A key is unencrypted if ssh-keygen can read it with an empty passphrase. This also covers
    # OpenSSH-format keys, which carry no "ENCRYPTED" header line like PEM-format keys do.
    if find /Users /home -type f -path "*/.ssh/id_*" ! -name "*.pub" 2>/dev/null | while read -r f; do ssh-keygen -y -P '' -f "$f" >/dev/null 2>&1 && { echo "$f" && break; }; done | grep -q .; then echo 0; else echo 1; fi
  description: "Required: osquery must have Full Disk Access. Policy passes if all keys are encrypted, including if no keys are present."
  resolution: "Use this command to encrypt existing SSH keys by providing the path to the file: ssh-keygen -o -p -f /path/to/file"
  tags: compliance, ssh, built-in
  contributors: GuillaumeRoss
  platform: darwin,linux,windows
---
apiVersion: v1
kind: policy
spec:
  name: Suspicious autostart (Windows)
  query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM startup_items WHERE path = 'regsvr32' AND args LIKE '%http%');
  description: "Checks for an autostart that is attempting to load a dynamic link library (DLL) from the internet."
  resolution: "Remove the suspicious startup entry."
  powershell: |
    $found = $false
    $startupItems = @()
    function Get-RegistryStartupItems {
      $regPaths = @(
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
      )
      foreach ($regPath in $regPaths) {
        if (Test-Path $regPath) {
          try {
            $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
            foreach ($prop in $props.PSObject.Properties) {
              # Skip the provider metadata properties that Get-ItemProperty adds to every result.
              if ($prop.Value -and $prop.Name -notin @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')) {
                # Write to the script-scope array; a bare "+=" inside a function would only update a local copy.
                $script:startupItems += $prop.Value
              }
            }
          } catch { continue }
        }
      }
    }
    function Get-StartupFolderItems {
      $folders = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
      )
      $wscript = New-Object -ComObject WScript.Shell
      foreach ($folder in $folders) {
        if (Test-Path $folder) {
          Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            try {
              $shortcut = $wscript.CreateShortcut($_.FullName)
              $command = $shortcut.TargetPath
              if ($shortcut.Arguments) { $command += " " + $shortcut.Arguments }
              $script:startupItems += $command
            } catch {
              # "return" skips this shortcut; "continue" inside ForEach-Object would abort the whole pipeline.
              return
            }
          }
        }
      }
    }
    Get-RegistryStartupItems
    Get-StartupFolderItems
    foreach ($item in $startupItems) {
      if (-not $item) { continue }
      # Remove any surrounding quotes and trim whitespace.
      $item = $item.Trim('"').Trim()
      if ($item.Length -eq 0) { continue }
      # Split into tokens by whitespace.
      $tokens = $item -split "\s+"
      if ($tokens.Count -eq 0) { continue }
      # Get the executable portion and extract the file name without extension.
      $exePath = $tokens[0]
      $exeName = [System.IO.Path]::GetFileNameWithoutExtension($exePath)
      if ($exeName -ieq "regsvr32" -and $item -imatch "http") {
        $found = $true
        break
      }
    }
    if (-not $found) { Write-Output "1" }
  tags: malware, hunting
  platform: windows
  contributors: kswagler-rh
---
apiVersion: v1
kind: policy
spec:
  name: Firewall enabled (macOS)
  query: SELECT 1 FROM alf WHERE global_state >= 1;
  bash: echo $(( $(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null || echo 0) >= 1 ))
  description: "Checks if the firewall is enabled."
  resolution: "In System Preferences, open Security & Privacy, navigate to the Firewall tab and click Turn On Firewall."
  tags: hardening, compliance, built-in, CIS, CIS2.5.2.2
  platform: darwin
  contributors: GuillaumeRoss,ddribeiro
  configuration_profile: |
    PayloadContent EnableFirewall PayloadDisplayName Firewall PayloadIdentifier com.apple.security.firewall.84151DEA-D0E5-4334-91D4-4BBDFA38CD17 PayloadType com.apple.security.firewall PayloadUUID 84151DEA-D0E5-4334-91D4-4BBDFA38CD17 PayloadVersion 1 PayloadDisplayName Enable Firewall PayloadIdentifier com.fleetdm.enablefirewall.D93BF783-383E-41CD-97AA-1D3FD71045BE PayloadType Configuration PayloadUUID D93BF783-383E-41CD-97AA-1D3FD71045BE PayloadVersion 1
---
apiVersion: v1
kind: policy
spec:
  name: Screen lock enabled (macOS)
  query: SELECT 1 FROM managed_policies WHERE name='askForPassword' AND value='1';
  description: "Checks that a mobile device management (MDM) solution configures the Mac to enable screen lock."
  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables screen lock."
  tags: MDM required, compliance, hardening, built-in
  platform: darwin
  contributors: GuillaumeRoss,ddribeiro
  configuration_profile: |
    PayloadContent PayloadDisplayName Screensaver PayloadIdentifier com.apple.screensaver.C3B911F5-A787-4B64-86D9-3DFE19B5F72F PayloadType com.apple.screensaver PayloadUUID C3B911F5-A787-4B64-86D9-3DFE19B5F72F PayloadVersion 1 askForPassword askForPasswordDelay 0 PayloadDisplayName Enable screen lock PayloadIdentifier com.fleetdm.enableScreenLock.5BFC3E0C-50E1-4D61-82D8-3A784D4DD200 PayloadType Configuration PayloadUUID 5BFC3E0C-50E1-4D61-82D8-3A784D4DD200 PayloadVersion 1
---
apiVersion: v1
kind: policy
spec:
  name: Screen lock enabled (Windows)
  query: |
    SELECT 1 FROM registry
    WHERE path = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs'
      AND CAST(data AS INTEGER) > 0 AND CAST(data AS INTEGER) <= 1800;
  description: "Checks if the screen lock is enabled and configured to lock the system within 30 minutes or less. A value of 0 disables the inactivity limit and is treated as a failure."
  resolution: "Contact your IT administrator to enable the Interactive Logon: Machine inactivity limit setting with a value of 1800 seconds or lower."
  powershell: |
    $regPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $regPath -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    # $value is $null when the setting is absent and 0 when the limit is disabled; both are failures.
    if ($value -and ([int]$value) -le 1800) { Write-Output 1 } else { Write-Output 0 }
  tags: compliance, hardening, built-in
  platform: windows
  contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
  name: Password requires 10 or more characters (macOS)
  query: |
    SELECT 1 FROM (
      SELECT CAST(lengthtxt AS integer(2)) minlength FROM (
        SELECT SUBSTRING(length, 1, 2) AS lengthtxt FROM (
          SELECT policy_description, policy_identifier, split(policy_content, '{', 1) AS length
          FROM password_policy WHERE policy_identifier LIKE '%minLength'
        )
      ) WHERE minlength >= 10
    );
  description: "Checks that the password policy requires at least 10 characters. Requires osquery 5.4.0 or newer."
  resolution: "Contact your IT administrator to make sure your Mac is receiving configuration profiles for password length."
  platform: darwin
  tags: compliance, hardening, built-in, CIS, CIS5.2.2
  contributors: GuillaumeRoss,ddribeiro
  configuration_profile: |
    PayloadContent PayloadDisplayName Passcode PayloadIdentifier com.apple.mobiledevice.passwordpolicy.0668AAD7-0A80-476C-AAF7-C5F63B5E8E3D PayloadType com.apple.mobiledevice.passwordpolicy PayloadUUID 0668AAD7-0A80-476C-AAF7-C5F63B5E8E3D PayloadVersion 1 minLength 10 PayloadDisplayName Require password of 10 or more characters PayloadIdentifier com.fleetdm.passwordPolicy10Characters.D3CDEDA2-DC77-484F-92F8-68A4902800AD PayloadType Configuration PayloadUUID D3CDEDA2-DC77-484F-92F8-68A4902800AD PayloadVersion 1
---
apiVersion: v1
kind: policy
spec:
  name: Operating system up to date (macOS)
  query: SELECT 1 FROM os_version WHERE version >= '14.1.1';
  bash: |
    version=$(sw_vers -productVersion)
    [ "$(printf '%s\n' "$version" "14.1.1" | sort -V | head -n1)" = "14.1.1" ] && echo 1 || echo 0
  description: "Checks that the operating system is up to date."
  resolution: "From the Apple menu in the corner of your screen choose System Preferences. Then select Software Update and select Upgrade Now. You might be asked to restart or enter your password."
  tags: compliance, CIS, template, CIS1.1, critical
  platform: darwin
  contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
  name: Automatic updates enabled (macOS)
  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticCheckEnabled' AND value=1 LIMIT 1;
  description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically check for updates."
  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic updates."
  tags: MDM required, compliance, CIS, CIS1.2
  platform: darwin
  contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
  name: Automatic update downloads enabled (macOS)
  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticDownload' AND value=1 LIMIT 1;
  bash: '[[ "$(defaults read "/Library/Managed Preferences/com.apple.SoftwareUpdate" AutomaticDownload 2>/dev/null)" == "1" ]] && echo 1 || echo 0'
  description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically download updates."
  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic update downloads."
  tags: MDM required, compliance, CIS, CIS1.3
  platform: darwin
  contributors: GuillaumeRoss,ddribeiro
  configuration_profile: |
    PayloadContent AutomaticDownload PayloadDisplayName Software Update PayloadIdentifier com.apple.SoftwareUpdate.79490A7F-FBE2-4E28-9E98-CE8232A87C6A PayloadType com.apple.SoftwareUpdate PayloadUUID 79490A7F-FBE2-4E28-9E98-CE8232A87C6A PayloadVersion 1 PayloadDisplayName Enable automatic update downloads PayloadIdentifier com.fleetdm.enableAutomaticUpdateDownloads.16F48F16-F1DC-44D6-9126-B9D1E1274C93 PayloadType Configuration PayloadUUID 16F48F16-F1DC-44D6-9126-B9D1E1274C93 PayloadVersion 1
---
apiVersion: v1
kind: policy
spec:
  name: Automatic installation of application updates is enabled (macOS)
  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallAppUpdates' AND value=1 LIMIT 1;
  bash: "[ \"$(defaults read '/Library/Managed Preferences/com.apple.SoftwareUpdate' AutomaticallyInstallAppUpdates 2>/dev/null)\" = \"1\" ] && echo 1 || echo 0"
  description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically install updates to App Store applications."
  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of application updates."
  tags: MDM required, compliance, CIS, CIS1.4
  platform: darwin
  contributors: GuillaumeRoss,ddribeiro
  configuration_profile: |
    PayloadContent AutomaticallyInstallAppUpdates PayloadDisplayName Software Update PayloadIdentifier com.apple.SoftwareUpdate.4E11DA65-B6D8-4C65-AB72-DAC3177FC487 PayloadType com.apple.SoftwareUpdate PayloadUUID 4E11DA65-B6D8-4C65-AB72-DAC3177FC487 PayloadVersion 1 PayloadDisplayName Enable automatic installation of application updates PayloadIdentifier com.fleetdm.enableAutomaticInstallationOfAppUpdates.66A51CA4-49DE-49B1-A8EE-DFB0D44D5C62 PayloadType Configuration PayloadUUID 66A51CA4-49DE-49B1-A8EE-DFB0D44D5C62 PayloadVersion 1
---
apiVersion: v1
kind: policy
spec:
  name: Automatic security and data file updates is enabled (macOS)
  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='CriticalUpdateInstall' AND value=1 LIMIT 1;
  description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically download updates to built-in macOS security tools such as malware removal tools."
  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic security and data update installation."
  tags: MDM required, compliance, CIS, CIS1.5
  platform: darwin
  contributors: GuillaumeRoss,ddribeiro
  configuration_profile: |
    PayloadContent CriticalUpdateInstall PayloadDisplayName Software Update PayloadIdentifier com.apple.SoftwareUpdate.E53C14AB-3694-4D90-87A0-79E6496EC0E1 PayloadType com.apple.SoftwareUpdate PayloadUUID E53C14AB-3694-4D90-87A0-79E6496EC0E1 PayloadVersion 1 PayloadDisplayName Enable automatic security and data file updates PayloadIdentifier com.fleetdm.enableAutomaticSecurityAndDataFileUpdates.Dales-MacBook-Pro.50CE2929-89F7-4283-922A-F30C15D6B1FD PayloadType Configuration PayloadUUID 50CE2929-89F7-4283-922A-F30C15D6B1FD PayloadVersion 1
---
apiVersion: v1
kind: policy
spec:
  name: Automatic installation of operating system updates is enabled (macOS)
  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallMacOSUpdates' AND value=1 LIMIT 1;
  description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically install operating system updates."
  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of operating system updates."
  tags: MDM required, compliance, CIS, CIS1.6
  platform: darwin
  contributors: GuillaumeRoss,ddribeiro
  configuration_profile: |
    PayloadContent AutomaticallyInstallMacOSUpdates PayloadDisplayName Software Update PayloadIdentifier com.apple.SoftwareUpdate.B5EF9664-07BB-4775-B597-59F21F413878 PayloadType com.apple.SoftwareUpdate PayloadUUID B5EF9664-07BB-4775-B597-59F21F413878 PayloadVersion 1 PayloadDisplayName Enable automatic installation of OS updates PayloadIdentifier com.fleetdm.enableAutomaticOSUpddates.A5CA0F6B-02F8-42D0-805E-D13FDB9B093B PayloadType Configuration PayloadUUID A5CA0F6B-02F8-42D0-805E-D13FDB9B093B PayloadVersion 1
---
apiVersion: v1
kind: policy
spec:
  name: Lock screen after inactivity of 20 minutes or less (macOS)
  query: |
    SELECT 1 WHERE EXISTS (SELECT CAST(value AS integer(4)) valueint FROM managed_policies WHERE domain = 'com.apple.screensaver' AND name = 'askForPasswordDelay' AND valueint <= 60 LIMIT 1)
      AND EXISTS (SELECT CAST(value AS integer(4)) valueint FROM managed_policies WHERE domain = 'com.apple.screensaver' AND name = 'idleTime' AND valueint <= 1140 LIMIT 1)
      AND EXISTS (SELECT 1 FROM managed_policies WHERE domain='com.apple.screensaver' AND name='askForPassword' AND value=1 LIMIT 1);
  description: "Checks that a mobile device management (MDM) solution configures the Mac to lock the screen after 20 minutes or less."
  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables the screen saver after inactivity of 20 minutes or less."
  tags: MDM required, compliance, CIS, CIS2.3.1, CIS5.8
  platform: darwin
  contributors: GuillaumeRoss,ddribeiro
  configuration_profile: |
    PayloadContent PayloadDisplayName Screensaver PayloadIdentifier com.apple.screensaver.FDC5E74E-C09E-484C-B3F3-FF04BF8AF9AB PayloadType com.apple.screensaver PayloadUUID FDC5E74E-C09E-484C-B3F3-FF04BF8AF9AB PayloadVersion 1 askForPassword askForPasswordDelay 60 idleTime 1140 PayloadDisplayName Lock screen after inactivity of 20 minutes PayloadIdentifier com.fleetdm.lockScreenAfter20Minutes.34DD0263-156C-48DB-B6B8-64D3112A1128 PayloadType Configuration PayloadUUID 34DD0263-156C-48DB-B6B8-64D3112A1128 PayloadVersion 1
---
apiVersion: v1
kind: policy
spec:
  name: Internet sharing is blocked (macOS)
  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.MCX' AND name='forceInternetSharingOff' AND value='1' LIMIT 1;
  bash: /usr/bin/defaults read "/Library/Managed Preferences/com.apple.MCX" forceInternetSharingOff 2>/dev/null | grep -qx "1" && echo "1" || echo "0"
  description: "Checks that a mobile device management (MDM) solution configures the Mac to prevent Internet sharing."
  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that prevents Internet sharing."
  tags: MDM required, compliance, CIS, CIS2.4.2
  platform: darwin
  contributors: GuillaumeRoss,ddribeiro
  configuration_profile: |
    PayloadContent PayloadDisplayName Managed Preferences PayloadIdentifier com.apple.MCX.7BE9B7E8-14E4-49CF-AEC5-CD7806957F5A PayloadType com.apple.MCX PayloadUUID 7BE9B7E8-14E4-49CF-AEC5-CD7806957F5A PayloadVersion 1 forceInternetSharingOff PayloadDisplayName Turn off internet sharing PayloadIdentifier com.fleetdm.turnOffInternetSharing.22125243-721F-4A26-862E-5B16F28977C0 PayloadType Configuration PayloadUUID 22125243-721F-4A26-862E-5B16F28977C0 PayloadVersion 1
---
apiVersion: v1
kind: policy
spec:
  name: Content caching is disabled (macOS)
  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowContentCaching' AND value='0' LIMIT 1;
  description: "Checks that a mobile device management (MDM) solution configures the Mac to disable content caching."
  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables content caching."
  tags: MDM required, compliance, CIS, CIS2.4.10
  platform: darwin
  contributors: GuillaumeRoss,ddribeiro
  configuration_profile: |
    PayloadContent PayloadDisplayName Restrictions PayloadIdentifier com.apple.applicationaccess.EEFDDF9B-F4D3-45FC-A832-F20096938668 PayloadType com.apple.applicationaccess PayloadUUID EEFDDF9B-F4D3-45FC-A832-F20096938668 PayloadVersion 1 allowContentCaching PayloadDisplayName Disable content caching PayloadIdentifier com.fleetdm.disableContentCaching.6154F973-CF2C-46A5-B38C-DCF44A3FFC65 PayloadType Configuration PayloadUUID 6154F973-CF2C-46A5-B38C-DCF44A3FFC65 PayloadVersion 1
---
apiVersion: v1
kind: policy
spec:
  name: Ad tracking is limited (macOS)
  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.AdLib' AND name='forceLimitAdTracking' AND value='1' LIMIT 1;
  description: "Checks that a mobile device management (MDM) solution configures the Mac to limit advertisement tracking."
  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables advertisement tracking."
  tags: MDM required, compliance, CIS, CIS2.5.6
  platform: darwin
  contributors: GuillaumeRoss,ddribeiro
  configuration_profile: |
    PayloadContent PayloadDisplayName iCloud PayloadIdentifier com.apple.icloud.managed.19CEE0E2-2D04-43E7-AB98-B93B179A20ED PayloadType com.apple.icloud.managed PayloadUUID 19CEE0E2-2D04-43E7-AB98-B93B179A20ED PayloadVersion 1 DisableCloudSync PayloadDisplayName Limit ad tracking PayloadIdentifier com.fleetdm.disableiCloudDesktopAndDocumentsSync.9CEE4A9A-3BC6-4E2C-A093-8CC3B7F26EF8 PayloadType Configuration PayloadUUID 9CEE4A9A-3BC6-4E2C-A093-8CC3B7F26EF8 PayloadVersion 1
---
apiVersion: v1
kind: policy
spec:
  name: iCloud Desktop and Document sync is disabled (macOS)
  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.icloud.managed' AND name='DisableCloudSync' AND value='1' LIMIT 1;
  description: "Checks that a mobile device management (MDM) solution configures the Mac to prevent iCloud Desktop and Documents sync."
  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile to prevent iCloud Desktop and Documents sync."
  tags: MDM required, compliance, CIS, CIS2.6.1.4
  platform: darwin
  contributors: GuillaumeRoss,ddribeiro
  configuration_profile: |
    PayloadContent PayloadDisplayName iCloud PayloadIdentifier com.apple.icloud.managed.19CEE0E2-2D04-43E7-AB98-B93B179A20ED PayloadType com.apple.icloud.managed PayloadUUID 19CEE0E2-2D04-43E7-AB98-B93B179A20ED PayloadVersion 1 DisableCloudSync PayloadDisplayName Disable iCloud Desktop and Documents Sync PayloadIdentifier com.fleetdm.disableiCloudDesktopAndDocumentsSync.9CEE4A9A-3BC6-4E2C-A093-8CC3B7F26EF8 PayloadType Configuration PayloadUUID 9CEE4A9A-3BC6-4E2C-A093-8CC3B7F26EF8 PayloadVersion 1
---
apiVersion: v1
kind: policy
spec:
  name: Firewall logging is enabled (macOS)
  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND name='EnableLogging' AND value='1' LIMIT 1;
  description: "Checks that a mobile device management (MDM) solution configures the Mac to log firewall activity."
  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables firewall logging."
  tags: MDM required, compliance, CIS, CIS3.6
  platform: darwin
  contributors: GuillaumeRoss,ddribeiro
  configuration_profile: |
    PayloadContent EnableFirewall EnableLogging PayloadDisplayName Firewall PayloadIdentifier com.apple.security.firewall.E91C28D7-A35F-44DF-8656-07C738F8946E PayloadType com.apple.security.firewall PayloadUUID E91C28D7-A35F-44DF-8656-07C738F8946E PayloadVersion 1 PayloadDisplayName Enable firewall logging PayloadIdentifier com.fleetdm.enableFirewallLogging.A97BF2B6-968B-4C9B-B02C-331595377934 PayloadType Configuration PayloadUUID A97BF2B6-968B-4C9B-B02C-331595377934 PayloadVersion 1
---
apiVersion: v1
kind: policy
spec:
  name: Guest account disabled (macOS)
  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.MCX' AND name='DisableGuestAccount' AND value='1' LIMIT 1;
  description: "Checks that a mobile device management (MDM) solution configures the Mac to prevent the use of a guest account."
  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables the guest account."
  tags: MDM required, compliance, CIS, CIS6.1.3
  platform: darwin
  contributors: GuillaumeRoss,ddribeiro
  configuration_profile: |
    PayloadContent DisableGuestAccount PayloadDisplayName Energy Saver, FileVault, Time Server, Mobile Accounts and Guest Account PayloadIdentifier com.apple.MCX.87E0D7FE-FDEF-4B61-8505-C009C975AFD4 PayloadType com.apple.MCX PayloadUUID 87E0D7FE-FDEF-4B61-8505-C009C975AFD4 PayloadVersion 1 PayloadDisplayName Disable guest account PayloadIdentifier com.fleetdm.disableGuestAccount.E29C0490-83B0-4AD1-AD50-AC9B63D1DD96 PayloadType Configuration PayloadUUID E29C0490-83B0-4AD1-AD50-AC9B63D1DD96 PayloadVersion 1
---
apiVersion: v1
kind: policy
spec:
  name: Guest access to shared folders is disabled (macOS)
  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.AppleFileServer' AND name='guestAccess' AND value='0' LIMIT 1;
  description: "Checks that a mobile device management (MDM) solution configures the Mac to prevent guest access to shared folders."
  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that prevents guest access to shared folders."
  tags: MDM required, compliance, CIS, CIS6.1.4
  platform: darwin
  contributors: GuillaumeRoss,ddribeiro
  configuration_profile: |
    PayloadContent guestAccess PayloadDisplayName File Server PayloadIdentifier com.apple.AppleFileServer.0C0C0FED-098F-4BAA-8917-3313A8A1F3A1 PayloadType com.apple.AppleFileServer PayloadUUID 0C0C0FED-098F-4BAA-8917-3313A8A1F3A1 PayloadVersion 1 PayloadDisplayName Disable guest access to shared folders PayloadIdentifier com.fleetdm.disableGuestAccessToSharedFolders.819D93D8-E078-43A5-9661-F5E96F84F384 PayloadType Configuration PayloadUUID 819D93D8-E078-43A5-9661-F5E96F84F384 PayloadVersion 1
---
apiVersion: v1
kind: policy
spec:
  name: No 1Password emergency kit stored in desktop, documents, or downloads folders (macOS)
  query: |
    SELECT 1 WHERE NOT EXISTS (
      SELECT 1 FROM file WHERE filename LIKE '%Emergency Kit%.pdf'
        AND (path LIKE '/Users/%/Desktop/%' OR path LIKE '/Users/%/Documents/%' OR path LIKE '/Users/%/Downloads/%' OR path LIKE '/Users/Shared/%')
    );
  bash: |
    # -maxdepth 1 keeps the search one level deep, matching the osquery version of the check.
    if [ -z "$(find /Users/*/Desktop /Users/*/Documents /Users/*/Downloads /Users/Shared -maxdepth 1 -type f -iname '*Emergency Kit*.pdf' 2>/dev/null)" ]; then echo 1; else echo 0; fi
  description: "Looks for PDF files with file names typically used by 1Password for emergency recovery kits. To protect the performance of your devices, the search is one level deep and limited to the Desktop, Documents, Downloads, and Shared folders."
  resolution: "Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location."
  platform: darwin
  tags: compliance, built-in
  contributors: nonpunctual
---
apiVersion: v1
kind: query
spec:
  name: Discover TLS certificates
  platform: linux, windows, darwin
  description: Retrieves metadata about TLS certificates for servers listening on the local machine. Enables mTLS adoption analysis and cert expiration notifications.
  query: SELECT * FROM curl_certificate WHERE hostname IN (SELECT DISTINCT 'localhost:'||port FROM listening_ports WHERE protocol=6 AND address!='127.0.0.1' AND address!='::1');
  purpose: Informational
  tags: network, tls
  contributors: nabilschear
---
apiVersion: v1
kind: query
spec:
  name: Discover Python Packages from Running Python Interpreters
  platform: linux, darwin
  description: Attempts to discover Python environments (from the cwd, the path to the python binary, and the process command line) of running python interpreters and collects the Python packages from those environments.
  query: |
    SELECT * FROM python_packages WHERE directory IN (
      SELECT DISTINCT directory FROM (
        SELECT SUBSTR(path, 0, INSTR(path, '/bin/'))||'/lib' AS directory FROM processes WHERE path LIKE '%/bin/%' AND path LIKE '%python%'
        UNION
        SELECT SUBSTR(cmdline, 0, INSTR(cmdline, '/bin/'))||'/lib' AS directory FROM processes WHERE cmdline LIKE '%python%' AND cmdline LIKE '%/bin/%' AND path LIKE '%python%'
        UNION
        SELECT cwd||'/lib' AS directory FROM processes WHERE path LIKE '%python%'
      )
    );
  purpose: Informational
  tags: compliance, hunting
  contributors: nabilschear
---
apiVersion: v1
kind: query
spec:
  name: Identify the default mail, http and ftp applications
  platforms: macOS
  platform: darwin
  description: Lists the currently enabled applications configured to handle the mailto, http and ftp schemes.
  query: SELECT * FROM app_schemes WHERE (scheme='mailto' OR scheme='http' OR scheme='ftp') AND enabled='1';
  purpose: Informational
  tags: compliance, hunting
  contributors: brunerd
---
apiVersion: v1
kind: policy
spec:
  name: Firewall enabled, domain profile (Windows)
  query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall' AND CAST(data AS integer) = 1;
  powershell: |
    $regPath = 'HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile'
    $value = (Get-ItemProperty -Path $regPath -Name 'EnableFirewall' -ErrorAction SilentlyContinue).EnableFirewall
    if ($value -eq 1) { Write-Output 1 } else { Write-Output 0 }
  description: "Checks if a Group Policy configures the computer to enable the domain profile for Windows Firewall. The domain profile applies to networks where the host system can authenticate to a domain controller. Some auditors require that this setting is configured by a Group Policy."
  resolution: "Contact your IT administrator to ensure your computer is receiving a Group Policy that enables the domain profile for Windows Firewall."
  platforms: Windows
  tags: compliance, CIS, CIS9.1.1
  platform: windows
  contributors: defensivedepth
---
apiVersion: v1
kind: policy
spec:
  name: Firewall enabled, private profile (Windows)
  query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall' AND CAST(data AS integer) = 1;
  powershell: |
    $regPath = 'HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile'
    $value = (Get-ItemProperty -Path $regPath -Name 'EnableFirewall' -ErrorAction SilentlyContinue).EnableFirewall
    if ($value -eq 1) { Write-Output 1 } else { Write-Output 0 }
  description: "Checks if a Group Policy configures the computer to enable the private profile for Windows Firewall. The private profile applies to networks where the host system is connected to a private or home network. Some auditors require that this setting is configured by a Group Policy."
  resolution: "Contact your IT administrator to ensure your computer is receiving a Group Policy that enables the private profile for Windows Firewall."
  platforms: Windows
  tags: compliance, CIS, CIS9.2.1
  platform: windows
  contributors: defensivedepth
---
apiVersion: v1
kind: policy
spec:
  name: Firewall enabled, public profile (Windows)
  query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall' AND CAST(data AS integer) = 1;
  powershell: |
    $regPath = 'HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile'
    $value = (Get-ItemProperty -Path $regPath -Name 'EnableFirewall' -ErrorAction SilentlyContinue).EnableFirewall
    if ($value -eq 1) { Write-Output 1 } else { Write-Output 0 }
  description: "Checks if a Group Policy configures the computer to enable the public profile for Windows Firewall. The public profile applies to networks where the host system is connected to public networks such as Wi-Fi hotspots at coffee shops and airports. Some auditors require that this setting is configured by a Group Policy."
  resolution: "Contact your IT administrator to ensure your computer is receiving a Group Policy that enables the public profile for Windows Firewall."
  platforms: Windows
  tags: compliance, CIS, CIS9.3.1
  platform: windows
  contributors: defensivedepth
---
apiVersion: v1
kind: policy
spec:
  name: SMBv1 client driver disabled (Windows)
  query: SELECT 1 FROM windows_optional_features WHERE name = 'SMB1Protocol-Client' AND state != 1;
  powershell: |
    $feature = Get-WindowsOptionalFeature -FeatureName 'SMB1Protocol-Client' -Online -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -ne 'Enabled') { Write-Output 1 } else { Write-Output 0 }
  description: "Checks that the SMBv1 client is disabled."
  resolution: "Contact your IT administrator to discuss disabling SMBv1 on your system."
  platforms: Windows
  tags: compliance, CIS, CIS18.3.2, built-in
  platform: windows
  contributors: defensivedepth
---
apiVersion: v1
kind: policy
spec:
  name: SMBv1 server disabled (Windows)
  query: SELECT 1 FROM windows_optional_features WHERE name = 'SMB1Protocol-Server' AND state != 1;
  powershell: |
    $feature = Get-WindowsOptionalFeature -FeatureName 'SMB1Protocol-Server' -Online -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -ne 'Enabled') { Write-Output 1 } else { Write-Output 0 }
  description: "Checks that the SMBv1 server is disabled."
  resolution: "Contact your IT administrator to discuss disabling SMBv1 on your system."
  platforms: Windows
  tags: compliance, CIS, CIS18.3.3, built-in
  platform: windows
  contributors: defensivedepth
---
apiVersion: v1
kind: policy
spec:
  name: Link-Local Multicast Name Resolution (LLMNR) disabled (Windows)
  query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast' AND CAST(data AS integer) = 0;
  powershell: |
    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $value = (Get-ItemProperty -Path $regPath -Name 'EnableMulticast' -ErrorAction SilentlyContinue).EnableMulticast
    if ($value -eq 0) { Write-Output 1 } else { Write-Output 0 }
  description: "Checks if a Group Policy configures the computer to disable LLMNR. Disabling LLMNR can prevent malicious actors from gaining access to the computer's credentials. Some auditors require that this setting is configured by a Group Policy."
  resolution: "Contact your IT administrator to ensure your computer is receiving a Group Policy that disables LLMNR on your system."
platforms: Windows tags: compliance, CIS, CIS18.5.4.2 platform: windows contributors: defensivedepth --- apiVersion: v1 kind: policy spec: name: Automatic updates enabled (Windows) query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate' AND CAST(data as integer) = 0; powershell: | $regPath = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU' $value = (Get-ItemProperty -Path $regPath -Name 'NoAutoUpdate' -ErrorAction SilentlyContinue).NoAutoUpdate if ($value -eq 0) { Write-Output 1 } else { Write-Output 0 } description: "Checks if a Group Policy configures the computer to enable Automatic Updates. When enabled, the computer downloads and installs security and other important updates automatically. Some auditors require that this setting is configured by a Group Policy." resolution: "Contact your IT administrator to ensure your computer is receiving a Group policy that enables Automatic Updates." platforms: Windows tags: compliance, CIS, CIS18.9.108.2.1 platform: windows contributors: defensivedepth --- apiVersion: v1 kind: query spec: name: Identify Apple development secrets (macOS) query: SELECT * FROM keychain_items WHERE label LIKE '%ABCDEFG%'; description: "Identifies certificates associated with Apple development signing and notarization. Replace ABCDEFG with your company's identifier." tags: compliance, inventory, built-in platform: darwin contributors: GuillaumeRoss --- apiVersion: v1 kind: query spec: name: Geolocate via ipapi.co platform: darwin, linux, windows description: Geolocate a host using the [ipapi.co](https://ipapi.co) in an emergency. Requires the curl table. [Learn more](https://fleetdm.com/guides/locate-assets-with-osquery). 
query: >- SELECT JSON_EXTRACT(result, '$.ip') AS ip, JSON_EXTRACT(result, '$.city') AS city, JSON_EXTRACT(result, '$.region') AS region, JSON_EXTRACT(result, '$.country') AS country, JSON_EXTRACT(result, '$.latitude') AS latitude, JSON_EXTRACT(result, '$.longitude') AS longitude FROM curl WHERE url = 'http://ipapi.co/json'; purpose: inventory tags: inventory contributors: zwass --- apiVersion: v1 kind: query spec: name: Get Crowdstrike Falcon network content filter status platform: darwin description: Get the status of the Crowdstrike Falcon network content filter (as in "System Settings" > "Network > "Filters"). query: /* Load up the plist */ WITH extensions_plist AS (SELECT *, rowid FROM plist WHERE path = '/Library/Preferences/com.apple.networkextension.plist') /* Find the first "Enabled" key after the key indicating the crowdstrike app */ SELECT value AS enabled FROM extensions_plist WHERE subkey = 'Enabled' AND rowid > (SELECT rowid FROM extensions_plist WHERE value = 'com.crowdstrike.falcon.App') LIMIT 1; purpose: Informational tags: crowdstrike, plist, network, content filter contributors: zwass --- apiVersion: v1 kind: query spec: name: Get a list of Visual Studio Code extensions platform: darwin, linux, windows description: Get a list of installed VS Code extensions (requires osquery > 5.11.0). query: | SELECT u.username, vs.* FROM users u CROSS JOIN vscode_extensions vs USING (uid); purpose: Informational tags: inventory contributors: lucasmrod,sharon-fdm,zwass --- apiVersion: v1 kind: query spec: name: List osquery table names platform: darwin, linux, windows description: List all table names in the schema of the currently installed version of osquery query: SELECT DISTINCT name FROM osquery_registry; purpose: Informational tags: fleet, osquery, table, schema contributors: nonpunctual --- apiVersion: v1 kind: policy spec: name: Ensure Apple Intelligence is disabled platform: darwin description: | This policy detects if Apple Intelligence is disabled. 
resolution: | Manual method: Navigate to System Settings > Apple Intelligence & Siri > Toggle Apple Intelligence to off Automatic method: Ask your system administrator to deploy a configuration profile to disable this feature. query: | SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM plist WHERE path LIKE '/Users/%/Library/Preferences/com.apple.CloudSubscriptionFeatures.optIn.plist' AND value = 1); purpose: Informational tags: contributors: allenhouchins configuration_profile: | PayloadContent PayloadDisplayName Restrictions PayloadIdentifier com.apple.applicationaccess.B0BBE2AE-80C3-4182-9934-2A08ECED7DB4 PayloadType com.apple.applicationaccess PayloadUUID B0BBE2AE-80C3-4182-9934-2A08ECED7DB4 PayloadVersion 1 allowGenmoji allowImagePlayground allowWritingTools PayloadDisplayName Disable Apple Intelligence PayloadIdentifier com.example.disable_apple_intelligence PayloadOrganization Example Payload Organization PayloadRemovalDisallowed PayloadType Configuration PayloadUUID B3EAD179-9679-4B08-A421-4B03D081C5DC PayloadVersion 1 --- apiVersion: v1 kind: policy spec: name: CrowdStrike Falcon System Extension enabled and activated (macOS) query: | SELECT 1 WHERE EXISTS ( SELECT 1 FROM system_extensions WHERE identifier = 'com.crowdstrike.falcon.Agent' ) AND EXISTS ( SELECT 1 FROM system_extensions WHERE state = 'activated_enabled' ); bash: systemextensionsctl list | grep 'falcon' | grep 'activated enabled' description: Checks to make sure that the CrowdStrike System Extension is enabled and activated on macOS devices. resolution: "To activate the CrowdStrike Falcon System Extension, on the failing device, run the following command in the Terminal app: sudo /Applications/Falcon.app/Contents/Resources/falconctl load" tags: compliance, hardening, critical platform: darwin contributors: spalmesano0 script: | #!/bin/sh /Applications/Falcon.app/Contents/Resources/falconctl load