Update device health policies (#22)

- Add Windows device health policies
- Add Linux device health policies
- Update macOS device health policies. Remove some of them. Easier to start with fewer

lib/linux-device-health.policies.yml

@@ -0,0 +1,5 @@
+- name: Linux - Enable disk encryption
+  platform: darwin
+  description: This policy checks if disk encryption is enabled.
+  resolution: As an IT admin, deploy an image that includes disk encryption.
+  query: SELECT 1 FROM disk_encryption WHERE encrypted=1 AND name LIKE '/dev/dm-1';

lib/macos-device-health.policies.yml

@@ -1,252 +1,52 @@
-# The Fleet Enterprise Edition (EE) license applies to code in this file. See the license here: https://github.com/fleetdm/fleet/blob/main/ee/LICENSE
-
-- name: macOS - CIS - Ensure FileVault is enabled (MDM required)
+- name: macOS - Enable FileVault
   platform: darwin
-  description: Checks that FileVault is enabled. FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it. This policy checks that filevault is enabled on the device and that the user is not allowed to disable it.
-  resolution: |
-    Automated method:
-    Ask your system administrator to deploy an MDM profile that enables FileVault and disables turning it off.
-    Graphical method:
-      Perform the following steps to ensure FileVault Is Enabled:
-        1. Open System Settings
-        2. Select Privacy & Privacy
-        3. Verify that FileVault states FileVault is turned on for the disk "<disk name>"
-        4. Select Privacy & Security
-        5. Select Profile
-        6. Verify that an installed profile has FileVault Can't Disable set to True
-  query: |
-    SELECT 1 WHERE 
-      EXISTS (
-        SELECT 1 FROM managed_policies WHERE 
-            domain='com.apple.MCX' AND 
-            name='dontAllowFDEDisable' AND 
-            (value = 1 OR value = 'true') AND 
-            username = ''
-        )
-      AND NOT EXISTS (
-        SELECT 1 FROM managed_policies WHERE 
-            domain='com.apple.MCX' AND 
-            name='dontAllowFDEDisable' AND 
-            (value != 1 AND value != 'true')
-        )
-      AND EXISTS (
-        SELECT 1 FROM disk_encryption WHERE 
-            user_uuid IS NOT "" AND 
-            filevault_status = 'on' 
-        );
-- name: macOS - CIS - Ensure Firewall logging is enabled and configured (MDM required)
+  description: This policy checks if FileVault (disk encryption) is enabled.
+  resolution: As an IT admin, turn on disk encryption in Fleet.
+  query: SELECT 1 FROM filevault_status WHERE status = 'FileVault is On.';
+- name: macOS - Disable guest account
   platform: darwin
-  description: |
-    The socketfilter Firewall is what is used when the Firewall is turned on in the Security & Privacy Preference Pane. In order to appropriately monitor what access is allowed and denied, logging must be enabled. The logging level must be set to "detailed" to be useful in monitoring connection attempts that the firewall detects. Throttled login is not sufficient for examine Firewall connection attempts.
-  resolution: |
-    Profile Method:
-    Create or edit a configuration profile with the following information:
-    1. The Payload Type string is com.apple.security.firewall 
-    2. The key to include is EnableFirewall
-    3. The key must be set to<true/>
-    4. The key to also include is EnableLogging
-    5. The key must be set to<true/>
-    6. The key to also include is LoggingOption
-    7. The key must be set to <string>detail</string>
-  query: |
-    SELECT 1 WHERE
-    (
-      EXISTS (
-        SELECT 1 FROM managed_policies WHERE 
-            domain='com.apple.security.firewall' AND 
-            name='EnableLogging' AND 
-            (value = 1 OR value = 'true') AND 
-            username = ''
-        )
-      AND EXISTS (
-        SELECT 1 FROM managed_policies WHERE 
-            domain='com.apple.security.firewall' AND 
-            name='LoggingOption' AND 
-            value = "detail" AND 
-            username = ''
-        )
-      AND NOT EXISTS (
-        SELECT 1 FROM managed_policies WHERE 
-            domain='com.apple.security.firewall' AND 
-            name='EnableLogging' AND 
-            (value != 1 AND value != 'true')
-        )
-      AND NOT EXISTS (
-        SELECT 1 FROM managed_policies WHERE 
-            domain='com.apple.security.firewall' AND 
-            name='LoggingOption' AND 
-            value != "detail"
-        )
-    )
-    OR
-    (
-      EXISTS ( 
-        SELECT 1 FROM plist WHERE 
-            path='/Library/Preferences/com.apple.alf.plist' AND 
-            key='loggingenabled' AND 
-            value = 1 
-        )
-      AND EXISTS ( 
-        SELECT 1 FROM plist WHERE 
-        path='/Library/Preferences/com.apple.alf.plist' AND 
-        key='loggingoption' AND 
-        value = 2 
-        )
-    );
-- name: macOS - CIS - Ensure NFS server is disabled
+  description: This policy checks if the guest account is disabled.
+  resolution: An an IT admin, deploy a macOS, login window profile with the DisableGuestAccount option set to true.
+  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND username = '' AND name='DisableGuestAccount' AND CAST(value AS INT) = 1;
+- name: macOS - Enable Firewall
   platform: darwin
-  description: |
-    macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount
-    shares and gain access to information from the user's computer.
-  resolution: |
-    Automated method:
-    Ask your system administrator to deploy the following script which will disable the NFS service
-    and its directory listing:
-    /usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd
-    /usr/bin/sudo /bin/rm /etc/exports
-  query: |
-    SELECT 1 WHERE
-    NOT EXISTS(SELECT 1 FROM processes WHERE path = '/sbin/nfsd')
-    AND
-    NOT EXISTS(SELECT 1 FROM file WHERE path = '/etc/exports');
-- name: macOS - CIS - Ensure Remote Application Scripting is disabled
+  description: This policy checks if Firewall is enabled.
+  resolution: An an IT admin, deploy a macOS, Firewall profile with the EnableFirewall option set to true.
+  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND username = '' AND name='EnableFirewall' AND CAST(value AS INT) = 1;
+- name: macOS - Require 10 character password
   platform: darwin
-  description: |
-    Apple Application Scripting is a technology that allows one program to communicate with other programs.
-    Remote Apple Application Scripting allows a program on one computer to communicate with a program on a
-    different computer. Disabling Remote Application Scripting mitigates the risk of an unauthorized
-    program gaining access to the system.
-  resolution: |
-    Graphical Method:
-    1. Open System Settings
-    2. Select General
-    3. Select Sharing
-    4. Set Remote Application Scripting to disabled
-  query: |
-    SELECT 1 WHERE NOT EXISTS (
-      SELECT * FROM plist WHERE
-        path = '/var/db/com.apple.xpc.launchd/disabled.plist' AND
-        key = 'com.apple.AEServer' AND
-        value = 0
-    );
-- name: macOS - CIS - Ensure Remote Login is disabled
-  platform: darwin
-  description: |
-    Remote Login allows an interactive terminal session to a computer.
-    The SSH server built into macOS should not be enabled on a standard user computer,
-    particularly one that changes locations and IP addresses.
-    A standard user that runs local applications, including email, web browser,
-    and productivity tools, should not use the same device as a server
-
-  resolution: |
-    Graphical Method:
-    1. Open System Settings
-    2. Select General
-    3. Select Sharing
-    4. Set Remote Login to disabled
-  query: |
-    SELECT 1 WHERE NOT EXISTS (
-      SELECT * FROM plist WHERE
-        path = '/var/db/com.apple.xpc.launchd/disabled.plist' AND
-        key = 'com.openssh.sshd' AND
-        value = '0'
-    );
-- name: macOS - CIS - Ensure Remote Management is disabled
-  platform: darwin
-  description: |
-    Remote Management is the client portion of Apple Remote Desktop (ARD).
-    Remote Management can be used by remote administrators to view the current screen,
-    install software, report on, and generally manage client Macs.
-    Remote Management should only be enabled on trusted networks with strong
-    user controls present in a Directory system.
-    Mobile devices without strict controls are vulnerable to exploit and monitoring.
-  resolution: |
-    Graphical Method:
-    1. Open System Settings
-    2. Select General
-    3. Select Sharing
-    4. Set Remote Management to disabled
-  query: |
-    SELECT 1 WHERE NOT EXISTS (
-      SELECT * FROM processes WHERE
-        path = '/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent'
-    );
-- name: macOS - CIS - Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (MDM Required)
-  platform: darwin
-  description: A locking screen saver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS, the screen saver starts after a value is selected in the drop- down menu. 20 minutes or less is an acceptable value. Any value can be selected through the command line or script, but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts.
-  resolution: |
-    Automated method:
-    Ask your system administrator to deploy an MDM profile that ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver to be Enabled.
-    Graphical method:
-      Perform the following steps to ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled:
-        1. Open System Settings
-        2. Select Lock Screen
-        3. Verify that Start Screen Saver when inactive is set for 20 minutes or less (≤1200 seconds)
+  description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host.
+  resolution: An an IT admin, deploy a macOS, screensaver profile with the askForPassword option set to true and minLength option set to 10.
   query: |
     SELECT 1 WHERE 
       EXISTS (
         SELECT 1 FROM managed_policies WHERE 
             domain='com.apple.screensaver' AND 
-            name='idleTime' AND 
-            CAST(value AS INT) <= 1200 AND 
-            username = ''
+            name='askForPassword' AND 
+            CAST(value AS INT)
         )
-      AND NOT EXISTS (
+      AND EXISTS (
         SELECT 1 FROM managed_policies WHERE 
             domain='com.apple.screensaver' AND 
-            name='idleTime' AND 
-            CAST(value AS INT) > 1200
+            name='minLength' AND 
+            CAST(value AS INT) <= 10
         );
-- name: macOS - CIS - Ensure Password is Required to Wake the Computer From Sleep or Screen Saver is enabled (MDM Required)
+- name: macOS - Enable screen saver after 20 minutes
   platform: darwin
-  description: Checks that Password is Required to Wake the Computer From Sleep or Screen Saver is enabled.
-  resolution: |
-    Automated method:
-    Ask your system administrator to deploy an MDM profile that Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled.
-    Graphical method:
-      Perform the following steps to ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled:
-        1. Open System Settings
-        2. Select Lock Screen
-        3. Verify that Require password after screensaver begins or display is turned
-        off is set with After 0 seconds or After 5 seconds
+  description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum.
+  resolution: An an IT admin, deploy a macOS, screen saver profile with the maxInactivity option set to 20 minutes.
   query: |
     SELECT 1 WHERE 
       EXISTS (
         SELECT 1 FROM managed_policies WHERE 
             domain='com.apple.screensaver' AND 
-            name='askForPassword' AND 
-            (value = 1 OR value = 'true') AND 
-            username = ''
-        )
-      AND EXISTS (
-        SELECT 1 FROM managed_policies WHERE 
-            domain='com.apple.screensaver' AND 
-            name='askForPasswordDelay' AND 
-            value <= 60 AND 
+            name='idleTime' AND 
+            CAST(value AS INT) <= 1200 AND 
             username = ''
         )
       AND NOT EXISTS (
         SELECT 1 FROM managed_policies WHERE 
             domain='com.apple.screensaver' AND 
-            name='askForPassword' AND 
-            (value != 1 AND value != 'true')
-        )
-      AND NOT EXISTS (
-        SELECT 1 FROM managed_policies WHERE 
-            domain='com.apple.screensaver' AND 
-            name='askForPasswordDelay' AND 
-            value > 60
+            name='idleTime' AND 
+            CAST(value AS INT) > 1200
         );
-- name: macOS - CIS - Ensure System Integrity Protection Status (SIP) is enabled
-  platform: darwin
-  description: |
-    System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID.
-  resolution: |
-    Terminal Method:
-    Perform the following steps to enable System Integrity Protection:
-      1. Reboot into the Recovery Partition (reboot and hold down Command (⌘) + R)
-      2. Select Utilities
-      3. Select Terminal
-      4. Run the following command:
-          /usr/bin/sudo /usr/bin/csrutil enable
-  query: SELECT 1 FROM sip_config WHERE config_flag="sip" and enabled=1;