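---
apiVersion: v1
kind: query
spec:
  name: Get OpenSSL versions
  platform: linux
  description: Retrieves the OpenSSL version, including the libssl library packages that Debian/Ubuntu ship separately from the openssl command-line package.
  # Debian-family hosts package the OpenSSL shared library as libssl* (e.g. libssl1.1, libssl3),
  # so matching only 'openssl%' reports the CLI package and misses the library itself.
  # apt_sources rows describe repositories rather than installed packages; they are kept for
  # parity with the original query, but their "version" is the repository version.
  query: |
    SELECT name AS name, version AS version, 'deb_packages' AS source FROM deb_packages WHERE name LIKE 'openssl%' OR name LIKE 'libssl%'
    UNION SELECT name AS name, version AS version, 'apt_sources' AS source FROM apt_sources WHERE name LIKE 'openssl%' OR name LIKE 'libssl%'
    UNION SELECT name AS name, version AS version, 'rpm_packages' AS source FROM rpm_packages WHERE name LIKE 'openssl%' OR name LIKE 'libssl%';
  purpose: Informational
  tags: inventory
  contributors: zwass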
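---
apiVersion: v1
kind: query
spec:
  name: Get authorized SSH keys
  platform: darwin, linux
  description: Presence of authorized SSH keys may be unusual on laptops. Could be completely normal on servers, but may be worth auditing for unusual keys and/or changes.
  # authorized_keys is enumerated per user, which is why the uid join is needed.
  # An unexpected entry is a persistence mechanism: whoever holds the matching private key
  # can log in as that user without a password.
  query: SELECT username, authorized_keys.* FROM users CROSS JOIN authorized_keys USING (uid);
  purpose: Informational
  # The previous remediation pointed at an OpenSSL vulnerability table; it was copied from the
  # OpenSSL query and had nothing to do with SSH keys.
  remediation: Confirm each key with the account owner (the key comment and type help identify it). Remove any key the owner does not recognise, and treat the host as potentially compromised if an unknown key has already been used to log in (correlate with the last and logged_in_users tables).
  tags: built-in, ssh
  contributors: mike-j-thomas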
---
apiVersion: v1
kind: query
spec:
name: Get authorized keys for Domain Joined Accounts
platform: darwin, linux
description: List authorized_keys for each user on the system.
# The IN (SELECT username FROM last) filter is a heuristic for "domain accounts": it keeps any
# account that appears in the login history, so local accounts that have logged in are included
# and domain accounts that have never logged in are not. Despite the description, this is not
# every user on the system.
query: SELECT * FROM users CROSS JOIN authorized_keys USING(uid) WHERE username IN (SELECT distinct(username) FROM last);
purpose: Informational
tags: active directory, ssh
contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
name: Get crashes
platform: darwin
description: Retrieve application, system, and mobile app crash logs.
# The users join supplies the uid under which each user's crash reports are enumerated.
# NOTE(review): reading other users' crash reports likely needs osquery to run as root / with
# Full Disk Access on recent macOS - confirm on a managed host.
query: SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path FROM users CROSS JOIN crashes USING (uid);
purpose: Informational
tags: troubleshooting
contributors: zwass
---
apiVersion: v1
kind: query
spec:
name: Get installed Chrome Extensions
platform: darwin, linux, windows
description: List installed Chrome Extensions for all users.
# The users join is what makes this cover every profile on the host: without a uid,
# chrome_extensions only sees the user osquery itself runs as. Browser extensions are a
# common foothold for credential theft and data exfiltration, so unfamiliar identifiers
# and extensions loaded from outside the Web Store deserve a look.
query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);
purpose: Informational
tags: browser, built-in, inventory
contributors: zwass
---
apiVersion: v1
kind: query
spec:
name: Get installed Linux software
platform: linux
description: Get all software installed on a Linux computer, including browser plugins and installed packages. Note that this does not include other running processes in the processes table.
# UNION (not UNION ALL) deduplicates identical (name, version, type, source) rows.
# NOTE(review): apt_sources and yum_sources rows are repositories, not installed packages,
# which is why yum_sources carries an empty version; treat those rows as "where software
# comes from" rather than as inventory. Python and NPM packages are only those osquery can
# find on its default search paths.
query: SELECT name AS name, version AS version, 'Package (APT)' AS type, 'apt_sources' AS source FROM apt_sources UNION SELECT name AS name, version AS version, 'Package (deb)' AS type, 'deb_packages' AS source FROM deb_packages UNION SELECT package AS name, version AS version, 'Package (Portage)' AS type, 'portage_packages' AS source FROM portage_packages UNION SELECT name AS name, version AS version, 'Package (RPM)' AS type, 'rpm_packages' AS source FROM rpm_packages UNION SELECT name AS name, '' AS version, 'Package (YUM)' AS type, 'yum_sources' AS source FROM yum_sources UNION SELECT name AS name, version AS version, 'Package (NPM)' AS type, 'npm_packages' AS source FROM npm_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages;
purpose: Informational
tags: inventory, built-in
contributors: zwass
---
apiVersion: v1
kind: query
spec:
name: Get installed macOS software
platform: darwin
description: Get all software installed on a macOS computer, including apps, browser plugins, and installed packages. Note that this does not include other running processes in the processes table.
# NOTE(review): the chrome_extensions / firefox_addons / safari_extensions legs are queried
# without a users join, unlike the per-user extension queries elsewhere in this file, so they
# probably only cover the account osquery runs as (typically root) - confirm before relying on
# this for browser-extension inventory.
query: SELECT name AS name, bundle_short_version AS version, 'Application (macOS)' AS type, 'apps' AS source FROM apps UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name As name, version AS version, 'Browser plugin (Safari)' AS type, 'safari_extensions' AS source FROM safari_extensions UNION SELECT name AS name, version AS version, 'Package (Homebrew)' AS type, 'homebrew_packages' AS source FROM homebrew_packages;
purpose: Informational
tags: inventory, built-in
contributors: zwass
---
apiVersion: v1
kind: query
spec:
name: Get installed Safari extensions
platform: darwin
description: Retrieves the list of installed Safari Extensions for all users in the target system.
# The users join supplies the uid each Safari profile is enumerated under; only the
# extension columns are projected.
query: SELECT safari_extensions.* FROM users join safari_extensions USING (uid);
purpose: Informational
tags: browser, built-in, inventory
contributors: zwass
---
apiVersion: v1
kind: query
spec:
name: Get installed Windows software
platform: windows
description: Get all software installed on a Windows computer, including programs, browser plugins, and installed packages. Note that this does not include other running processes in the processes table.
# programs reflects the Add/Remove Programs (uninstall registry) entries; software installed
# without a registered uninstaller will not appear here.
# NOTE(review): the browser-extension legs run without a users join, so they probably only
# cover the account osquery runs as (SYSTEM) - see the per-user Chrome query in this file.
query: SELECT name AS name, version AS version, 'Program (Windows)' AS type, 'programs' AS source FROM programs UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (IE)' AS type, 'ie_extensions' AS source FROM ie_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name AS name, version AS version, 'Package (Chocolatey)' AS type, 'chocolatey_packages' AS source FROM chocolatey_packages;
purpose: Informational
tags: inventory, built-in
contributors: zwass
---
apiVersion: v1
kind: query
spec:
name: Get laptops with failing batteries
platform: darwin
description: Lists all laptops with under-performing or failing batteries.
# 'Good' / 'Normal' are the healthy values; an empty condition is deliberately treated as
# healthy too. NOTE(review): presumably that covers hosts reporting no battery data (desktops)
# - confirm, since it also hides a battery whose condition is simply unreadable.
query: SELECT * FROM battery WHERE health != 'Good' AND condition NOT IN ('', 'Normal');
purpose: Informational
tags: troubleshooting, hardware, inventory
contributors: zwass
---
apiVersion: v1
kind: query
spec:
name: Get current users with active shell/console on the system
platform: darwin, linux, windows
description: Get current users with active shell/console on the system and associated process
# type='user' keeps interactive user sessions only (boot/runlevel/login-process records are
# dropped); the pid join attaches the session's process so its command line and cwd are
# visible. The comma join is an implicit inner join on liu.pid = p.pid.
query: SELECT user,host,time, p.name, p.cmdline, p.cwd, p.root FROM logged_in_users liu, processes p WHERE liu.pid = p.pid and liu.type='user' and liu.user <> '' ORDER BY time;
purpose: Informational
tags: hunting, built-in
contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
name: Get unencrypted SSH keys for local accounts
platform: darwin, linux, windows
description: Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE. TA0008)
# encrypted=0 means the private key file carries no passphrase, so anyone who can read the
# file can use it immediately. user_ssh_keys is enumerated per user via the uid join; on macOS
# osquery needs Full Disk Access to read ~/.ssh (see the "SSH keys encrypted" policy).
query: SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys using (uid) WHERE encrypted=0;
purpose: Informational
tags: inventory, compliance, ssh, built-in
remediation: First, make the user aware about the impact of SSH keys. Then rotate the unencrypted keys detected.
contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
name: Get unencrypted SSH keys for domain-joined accounts
platform: darwin, linux, windows
description: Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE. TA0008)
# Same check as the local-account query, narrowed to accounts that appear in the login history
# (a heuristic for domain accounts; local users who have logged in are included as well).
# NOTE(review): the last table is only populated on darwin/linux, so the windows platform
# listed here is unlikely to return rows - confirm.
query: SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys using (uid) WHERE encrypted=0 and username in (SELECT distinct(username) FROM last);
purpose: Informational
tags: inventory, compliance, ssh, active directory
remediation: First, make the user aware about the impact of SSH keys. Then rotate the unencrypted keys detected.
contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
name: Get dynamic linker hijacking on Linux (MITRE. T1574.006)
platform: linux
description: Detect any processes that run with LD_PRELOAD environment variable
# Only the environment-variable form of the technique is covered: /etc/ld.so.preload achieves
# the same injection without any env var and is not seen by this query - check that file
# separately (file/hash tables). Legitimate LD_PRELOAD users (profilers, allocator wrappers)
# will show up; env.value names the injected library, which is the thing to triage.
query: SELECT env.pid, env.key, env.value, p.name,p.path, p.cmdline, p.cwd FROM process_envs env join processes p USING (pid) WHERE key='LD_PRELOAD';
purpose: Informational
tags: hunting, ATTACK, t1574
remediation: Identify the process/binary detected and confirm with the system's owner.
contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
name: Get dynamic linker hijacking on macOS (MITRE. T1574.006)
platform: darwin
description: Detect any processes that run with DYLD_INSERT_LIBRARIES environment variable
# A hit means the variable is set in the process environment, not necessarily that the
# library was loaded: SIP and the hardened runtime strip or ignore DYLD_* for protected
# binaries. env.value names the library to examine.
query: SELECT env.pid, env.key, env.value, p.name,p.path, p.cmdline, p.cwd FROM process_envs env join processes p USING (pid) WHERE key='DYLD_INSERT_LIBRARIES';
purpose: Informational
tags: hunting, ATTACK, t1574
remediation: Identify the process/binary detected and confirm with the system's owner.
contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
name: Get etc hosts entries
platform: darwin, linux
description: Line-parsed /etc/hosts
# Loopback entries are excluded as noise. Anything else either is a deliberate override or a
# way to redirect a hostname (update servers, SSO endpoints) past DNS - compare against a
# known-good baseline rather than reading the list in isolation.
query: SELECT * FROM etc_hosts WHERE address not in ('127.0.0.1', '::1');
purpose: informational
tags: hunting, inventory
contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
name: Get network interfaces
platform: darwin, linux, windows
description: Network interfaces MAC address
# One row per (interface, address); the MAC comes from interface_details. Loopback addresses
# are dropped; link-local and virtual adapters (VPN, container bridges) are still listed.
query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface) WHERE address not in ('127.0.0.1', '::1');
purpose: informational
tags: hunting, inventory
contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
name: Get local user accounts
platform: darwin, linux, windows
description: Local user accounts (including domain accounts that have logged on locally (Windows)).
# Baseline inventory: a new row here (especially with a login shell and a home directory) is
# a common sign of account creation for persistence; shell shows whether interactive login
# is possible at all.
query: SELECT uid, gid, username, description, directory, shell FROM users;
purpose: informational
tags: hunting, inventory
contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
name: Get active user accounts on servers
platform: linux
description: Domain Joined environments normally have root or other service only accounts and users are SSH-ing using their Domain Accounts.
# Reading /etc/shadow requires osquery to run as root. password_status='active' keeps only
# accounts with a usable password hash (locked / unset accounts are skipped), so on a host
# that should authenticate via the domain, every row is a local password to explain.
query: SELECT * FROM shadow WHERE password_status='active' and username!='root';
purpose: informational
tags: hunting, inventory, Active Directory
contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
name: Get Nmap scanner
platform: darwin, linux, windows
description: Get Nmap scanner process, as well as its user, parent, and process details.
# cmdline LIKE 'nmap%' only matches an invocation by bare name; '/usr/bin/nmap ...' or a
# renamed binary is missed. NOTE(review): consider also matching p.name = 'nmap'.
# The two scalar subqueries resolve the parent's name and the owning username per row.
query: SELECT p.pid, name, p.path, cmdline, cwd, start_time, parent,
(SELECT name FROM processes WHERE pid=p.parent) AS parent_name,
(SELECT username FROM users WHERE uid=p.uid) AS username
FROM processes as p WHERE cmdline like 'nmap%';
purpose: Informational
tags: hunting, ATTACK, t1046
contributors: anelshaer
---
apiVersion: v1
kind: query
spec:
name: Get Docker contained processes on a system
platform: darwin, linux
description: Docker containers Processes, can be used on normal systems or a kubenode.
# The CROSS JOIN on id feeds each container id to docker_container_processes, which needs it
# as a constraint. Requires osquery to reach the Docker API socket.
query: SELECT c.id, c.name, c.image, c.image_id, c.command, c.created, c.state, c.status, p.cmdline FROM docker_containers c CROSS JOIN docker_container_processes p using(id);
purpose: Informational
tags: built-in, containers, inventory
contributors: anelshaer
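---
apiVersion: v1
kind: query
spec:
  name: Get Windows print spooler remote code execution vulnerability
  platform: windows
  description: Detects domain controllers (hosts running the NTDS service) that are potentially vulnerable to CVE-2021-1675 because the Print Spooler service is not disabled. Member servers and workstations are not reported, and patch level is not checked, so a patched DC with the spooler still enabled is also returned.
  # The original counted rows for NTDS and an enabled Spooler and tested for 2; its
  # ELSE "FALSE" branch was unreachable because the outer WHERE kept only cnt = 2.
  # Rewritten with EXISTS so the two conditions are explicit: a row (value 'TRUE') is
  # returned only when the host runs NTDS (i.e. is a DC) and its Spooler is not disabled.
  query: |
    SELECT 'TRUE' AS Vulnerable
    FROM services
    WHERE name = 'Spooler'
      AND start_type <> 'DISABLED'
      AND EXISTS (SELECT 1 FROM services WHERE name = 'NTDS');
  purpose: Informational
  tags: vulnerability
  contributors: maravedi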
---
apiVersion: v1
kind: query
spec:
name: Get local users and their privileges
platform: darwin, linux, windows
description: Collects the local user accounts and their respective user group.
# Only the primary group (users.gid) is joined; supplementary memberships such as sudo,
# wheel or admin are not covered, so "privileges" here is approximate.
query: SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;
purpose: informational
tags: inventory
contributors: noahtalerman
---
apiVersion: v1
kind: query
spec:
name: Get processes that no longer exist on disk
platform: linux, darwin, windows
description: Lists all processes of which the binary which launched them no longer exists on disk. Attackers often delete files from disk after launching a process to mask presence.
# on_disk = 0 means osquery checked the path and it is gone. NOTE(review): osquery reports -1
# when it cannot tell, which this filter deliberately leaves out - confirm that is intended.
# Package upgrades that replace a running binary produce benign hits; path still shows the
# original location for triage.
query: SELECT name, path, pid FROM processes WHERE on_disk = 0;
purpose: Incident response
tags: hunting, built-in
contributors: alphabrevity
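---
apiVersion: v1
kind: query
spec:
  name: Get user files matching a specific hash
  platform: darwin, linux
  description: Looks for a specific SHA-256 in each user's Documents directory (/Users on macOS, /home on Linux) for files that are less than 50MB (osquery file size limitation.)
  # Linux home directories live under /home, not /Users, so the original pattern could not
  # match anything on the linux platform it was declared for. '%%' is osquery's recursive
  # wildcard. Replace the sha256 literal with the indicator you are hunting; hashing walks
  # every candidate file, so keep the path scope narrow.
  query: |
    SELECT path, sha256
    FROM hash
    WHERE path IN (
      SELECT path FROM file
      WHERE size < 50000000
        AND (path LIKE '/Users/%/Documents/%%' OR path LIKE '/home/%/Documents/%%')
    )
    AND sha256 = '16d28cd1d78b823c4f961a6da78d67a8975d66cde68581798778ed1f98a56d75';
  purpose: Informational
  tags: hunting, built-in
  contributors: alphabrevity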
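---
apiVersion: v1
kind: query
spec:
  name: Get local administrator accounts on macOS
  platform: darwin
  description: The query allows you to check macOS systems for local administrator accounts, i.e. members of the admin group (gid 80).
  # The previous query joined users to their *primary* group with no filter at all, so it
  # listed every account and never tested admin membership. On macOS administrators are
  # members of the admin group (gid 80) through group membership, not through their primary
  # gid (normally 20, staff), so membership has to come from user_groups.
  query: |
    SELECT u.uid, u.username, u.type
    FROM users u
    JOIN user_groups ug ON ug.uid = u.uid
    WHERE ug.gid = 80;
  purpose: Informational
  tags: hunting, inventory
  contributors: alphabrevity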
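---
apiVersion: v1
kind: query
spec:
  name: Get all listening ports, by process
  platform: linux, darwin, windows
  description: List ports that are listening on all interfaces (IPv4 0.0.0.0 or IPv6 ::), along with the process to which they are attached.
  # '0.0.0.0' is only the IPv4 wildcard; a socket bound to '::' accepts on every IPv6 (and,
  # with dual-stack, IPv4) address and was missed by the original filter. Sockets bound to a
  # specific address are intentionally excluded. The processes join drops listeners whose
  # owning process cannot be resolved.
  query: |
    SELECT lp.address, lp.pid, lp.port, lp.protocol, p.name, p.path, p.cmdline
    FROM listening_ports lp
    JOIN processes p ON lp.pid = p.pid
    WHERE lp.address IN ('0.0.0.0', '::');
  purpose: Informational
  tags: hunting, network
  contributors: alphabrevity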
---
apiVersion: v1
kind: query
spec:
name: Get whether TeamViewer is installed/running
platform: windows
description: Looks for the TeamViewer service running on machines. This is often used when attackers gain access to a machine, running TeamViewer to allow them to access a machine.
# Only *running* services are returned: the USING(pid) join against processes drops stopped
# services, so despite the name this does not report installed-but-stopped TeamViewer. Use
# the programs table for install state. Portable (non-service) TeamViewer is also missed.
query: SELECT display_name,status,s.pid,p.path FROM services AS s JOIN processes AS p USING(pid) WHERE s.name LIKE "%teamviewer%";
purpose: Informational
tags: hunting, inventory
contributors: alphabrevity
---
apiVersion: v1
kind: query
spec:
name: Get malicious Python backdoors
platform: darwin, linux, windows
description: Watches for the backdoored Python packages installed on the system. See (http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html)
# The package list is the set of typosquatted names from the linked SK-CSIRT advisory
# (e.g. urlib3 for urllib3). NOTE(review): COUNT() without GROUP BY collapses the result to a
# single row, so when several listed packages are installed only one (arbitrary) name/version
# is shown - the INSTALLED flag is reliable, the package columns are not.
query: SELECT CASE cnt WHEN 0 THEN "NONE_INSTALLED" ELSE "INSTALLED" END AS "Malicious Python Packages", package_name, package_version FROM (SELECT COUNT(name) AS cnt, name AS package_name, version AS package_version, path AS package_path FROM python_packages WHERE package_name IN ('acquisition', 'apidev-coop', 'bzip', 'crypt', 'django-server', 'pwd', 'setup-tools', 'telnet', 'urlib3', 'urllib'));
purpose: Informational
tags: hunting, inventory, malware
contributors: alphabrevity
---
apiVersion: v1
kind: query
spec:
name: Check for artifacts of the Floxif trojan
platform: windows
description: Checks for artifacts from the Floxif trojan on Windows machines.
# Piriform is the CCleaner vendor; the Agomo key is the registry artifact associated with
# the trojanised CCleaner builds. NOTE(review): this is a plain YAML scalar, so the doubled
# backslashes reach osquery literally - confirm the registry table still matches on a host
# where the key exists before relying on a zero-row result.
query: SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\Agomo%';
purpose: Informational
tags: hunting, malware
contributors: micheal-o
---
apiVersion: v1
kind: query
spec:
name: Get Shimcache table
platform: windows
description: Returns forensic data showing evidence of likely file execution, in addition to the last modified timestamp of the file, order of execution, full file path order of execution, and the order in which files were executed.
# Shimcache (AppCompatCache) records that a binary was looked up by the compatibility
# subsystem, which is strong but not conclusive evidence of execution - corroborate with
# Amcache/Prefetch. NOTE(review): the cache is typically flushed to the registry at
# shutdown, so very recent activity may not be present yet.
query: select * from Shimcache
purpose: Informational
tags: hunting
contributors: puffyCid
---
apiVersion: v1
kind: query
spec:
name: Get running docker containers
platform: darwin, linux
description: Returns the running Docker containers
# image_id is the content hash and is the value to compare against an allow-list; the image
# tag alone can be re-pointed. Requires osquery to reach the Docker API socket.
query: SELECT id, name, image, image_id, state, status FROM docker_containers WHERE state = "running";
purpose: Informational
tags: containers, inventory
contributors: DominusKelvin
---
apiVersion: v1
kind: query
spec:
name: Get applications hogging memory
platform: darwin, linux, windows
description: Returns top 10 applications or processes hogging memory the most.
# total_size * '10e-7' converts bytes to MB (SQLite coerces the string to 1e-6).
# NOTE(review): total_size is the process's virtual size; resident_size is usually the better
# measure of real memory pressure - confirm which one is wanted here.
query: SELECT pid, name, ROUND((total_size * '10e-7'), 2) AS memory_used FROM processes ORDER BY total_size DESC LIMIT 10;
purpose: Informational
tags: troubleshooting
contributors: DominusKelvin
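---
apiVersion: v1
kind: query
spec:
  name: Get servers with root login in the last 24 hours
  # The last table reads the POSIX login records and only exists on darwin and linux;
  # "windows" was listed as a platform but could never return rows, so it is dropped.
  platform: darwin, linux
  description: Returns servers with root login in the last 24 hours and the time the users were logged in.
  # time is a unix timestamp; 86400 = 24h. 'root' is single-quoted because SQLite treats a
  # double-quoted token as an identifier first. Direct root logins should be rare - correlate
  # a hit with the authorized_keys and shadow queries in this file.
  query: SELECT * FROM last WHERE username = 'root' AND time > ((SELECT unix_time FROM time) - 86400);
  purpose: Informational
  tags: hunting
  contributors: DominusKelvin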
---
apiVersion: v1
kind: query
spec:
name: Detect active processes with Log4j running
platform: darwin, linux
description: "Returns a list of active processes and the Jar paths which are using Log4j. Version numbers are usually within the Jar filename. Note: This query is resource intensive and has caused problems on systems with limited swap space. Test on some systems before running this widely."
# target_jars collects every *.jar mentioned on a running process's command line (the
# recursive split CTE tokenises cmdline on spaces) plus jars the process has open.
# The two YARA rules match any jar bundling log4j-core classes, including fixed 2.15+/2.17
# releases - a hit says *where* Log4j is, the jar version decides exposure.
# NOTE(review): command lines containing paths with spaces will be split incorrectly by the
# tokeniser; the process_open_files leg is the fallback for those.
query: |
WITH target_jars AS (
SELECT DISTINCT path
FROM (
WITH split(word, str) AS(
SELECT '', cmdline || ' '
FROM processes
UNION ALL
SELECT substr(str, 0, instr(str, ' ')), substr(str, instr(str, ' ') + 1)
FROM split
WHERE str != '')
SELECT word AS path
FROM split
WHERE word LIKE '%.jar'
UNION ALL
SELECT path
FROM process_open_files
WHERE path LIKE '%.jar'
)
)
SELECT path, matches
FROM yara
WHERE path IN (SELECT path FROM target_jars)
AND count > 0
AND sigrule IN (
'rule log4jJndiLookup {
strings:
$jndilookup = "JndiLookup"
condition:
$jndilookup
}',
'rule log4jJavaClass {
strings:
$javaclass = "org/apache/logging/log4j"
condition:
$javaclass
}'
);
purpose: Detection
tags: vulnerability
contributors: zwass,tgauda
---
apiVersion: v1
kind: query
spec:
name: Get applications that were opened within the last 24 hours
platform: darwin
description: Returns applications that were opened within the last 24 hours starting with the last opened application.
# last_opened_time is a unix timestamp compared against the host clock (time table); 86400 = 24h.
query: SELECT * FROM apps WHERE last_opened_time > (( SELECT unix_time FROM time ) - 86400 ) ORDER BY last_opened_time DESC;
purpose: Informational
tags: inventory
contributors: DominusKelvin
---
apiVersion: v1
kind: query
spec:
name: Get applications that are not in the Applications directory
platform: darwin
description: Returns applications that are not in the `/Applications` directory
# Apps outside /Applications (user-installed under ~/Applications, ~/Downloads, /tmp) are
# worth reviewing for unsigned or unexpected software. Expect benign rows for bundled system
# apps under /System/Applications on current macOS.
query: SELECT * FROM apps WHERE path NOT LIKE '/Applications/%';
purpose: Informational
tags: hunting, inventory
contributors: DominusKelvin
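---
apiVersion: v1
kind: query
spec:
  name: Get subscription-based applications that have not been opened for the last 30 days
  platform: darwin
  description: Returns applications that are subscription-based and have not been opened for the last 30 days. You can replace the list of applications with those specific to your use case.
  # 30 days in seconds is 2592000. The original literal (2592000000000) was a million times
  # too large, producing a hugely negative cut-off that no last_opened_time falls below, so
  # the query could never return a row.
  query: SELECT * FROM apps WHERE path LIKE '/Applications/%' AND name IN ("Photoshop.app", "Adobe XD.app", "Sketch.app", "Illustrator.app") AND last_opened_time < ((SELECT unix_time FROM time) - 2592000);
  # NOTE(review): apps that have never been opened may report a sentinel last_opened_time
  # (e.g. -1) that also satisfies this comparison - confirm whether they should count as unused.
  purpose: Informational
  tags: inventory
  contributors: DominusKelvin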
---
apiVersion: v1
kind: query
spec:
name: Get operating system information
platform: darwin, windows, linux
description: Returns the operating system name and version on the device.
# Baseline inventory used to scope other checks (e.g. which CIS policies apply).
query: SELECT name, version FROM os_version;
purpose: Informational
tags: inventory, built-in
contributors: noahtalerman
---
apiVersion: v1
kind: policy
spec:
name: Gatekeeper enabled (macOS)
# assessments_enabled = 1 corresponds to `spctl --status` reporting "assessments enabled".
# Policy passes when at least one row is returned.
query: SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;
description: Checks to make sure that the Gatekeeper feature is enabled on macOS devices. Gatekeeper tries to ensure only trusted software is run on a mac machine.
# NOTE(review): spctl --master-enable is restricted/deprecated on recent macOS releases;
# on managed fleets prefer enforcing Gatekeeper through an MDM configuration profile.
resolution: "To enable Gatekeeper, on the failing device, run the following command in the Terminal app: /usr/sbin/spctl --master-enable."
tags: compliance, hardening, built-in, CIS, CIS2.5.2.1, critical
platform: darwin
contributors: groob
---
apiVersion: v1
kind: policy
spec:
name: Full disk encryption enabled (Windows)
# Only the OS volume (C:) is evaluated; other fixed data volumes are not checked.
# protection_status = 1 is "protection on"; the resolution text explains 0 and 2.
query: SELECT 1 FROM bitlocker_info WHERE drive_letter='C:' AND protection_status=1;
description: Checks to make sure that full disk encryption is enabled on Windows devices.
resolution:
"To get additional information, run the following osquery query on the failing device: SELECT * FROM bitlocker_info. In the
query results, if protection_status is 2, then the status cannot be determined. If it is 0, it is
considered unprotected. Use the additional results (percent_encrypted, conversion_status, etc.) to
help narrow down the specific reason why Windows considers the volume unprotected."
platform: windows
tags: compliance, hardening, built-in, critical
contributors: defensivedepth
---
apiVersion: v1
kind: policy
spec:
name: Full disk encryption enabled (macOS)
# One row per FileVault-enabled user; LIMIT 1 because a single passing row is enough.
# user_uuid IS NOT "" drops rows with no associated user (double quotes fall back to a
# string literal in SQLite since no column has that name).
query: SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT "" AND filevault_status = 'on' LIMIT 1;
description: Checks to make sure that full disk encryption (FileVault) is enabled on macOS devices.
resolution: To enable full disk encryption, on the failing device, select System Preferences > Security & Privacy > FileVault > Turn On FileVault.
tags: compliance, hardening, built-in, CIS, CIS2.5.1.1, critical
platform: darwin
contributors: groob
---
apiVersion: v1
kind: policy
spec:
name: Full disk encryption enabled (Linux)
# LIKE '/dev/dm-1' has no wildcard, so this is equality on one device-mapper node; whether
# dm-1 is the root filesystem depends on the image (see description). A host whose root lives
# on another dm node fails this policy even when encrypted.
# NOTE(review): resolving the root device from the mounts table (path '/') instead of
# hard-coding dm-1 would make this portable - confirm against your images.
query: SELECT 1 FROM disk_encryption WHERE encrypted=1 AND name LIKE '/dev/dm-1';
description: Checks if the root drive is encrypted. There are many ways to encrypt Linux systems. This is the default on distributions such as Ubuntu.
resolution: "Ensure the image deployed to your Linux workstation includes full disk encryption."
platform: linux
tags: compliance, hardening, built-in, critical
contributors: GuillaumeRoss
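---
apiVersion: v1
kind: policy
spec:
  name: System Integrity Protection enabled (macOS)
  # sip_config exposes one row per SIP flag; the 'sip' flag with enabled = 1 is the overall state.
  query: SELECT 1 FROM sip_config WHERE config_flag = 'sip' AND enabled = 1;
  description: Checks to make sure that the System Integrity Protection feature is enabled.
  # The previous resolution was copied from the Gatekeeper policy (spctl --master-enable),
  # which does not affect SIP. SIP is controlled by csrutil from macOS Recovery only; it
  # cannot be changed from a booted system.
  resolution: "To enable System Integrity Protection, restart the failing device into macOS Recovery (hold the power button on Apple silicon, or Command-R on Intel Macs), open Terminal from the Utilities menu, run: csrutil enable, then restart."
  tags: compliance, malware, hardening, built-in, CIS, CIS5.1.2
  platform: darwin
  contributors: groob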
---
apiVersion: v1
kind: policy
spec:
name: Automatic login disabled (macOS)
# Reads the MDM-delivered managed preference only; a setting changed locally in System
# Preferences does not satisfy this policy (hence the "MDM required" tag).
query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.loginwindow' AND name = 'com.apple.login.mcx.DisableAutoLoginClient' AND value = 1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to prevent login in without a password."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables automatic login."
tags: MDM required, compliance, hardening, built-in, critical
platform: darwin
contributors: groob
---
apiVersion: v1
kind: policy
spec:
name: Secure keyboard entry for Terminal application enabled (macOS)
# Secure keyboard entry stops other processes from reading keystrokes typed into Terminal.
# As with the auto-login policy, only the MDM-managed preference is checked; a local toggle
# in Terminal's menu does not count.
query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.Terminal' AND name = 'SecureKeyboardEntry' AND value = 1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to enabled secure keyboard entry for the Terminal application."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables secure keyboard entry for the Terminal application."
tags: MDM required, compliance, hardening, built-in
platform: darwin
contributors: groob
---
apiVersion: v1
kind: query
spec:
name: Get built-in antivirus status on macOS
platform: darwin
# Reads CFBundleShortVersionString from the two Info.plist files; this reports which
# definition versions are present, not that XProtect/MRT actually ran or found anything.
query: SELECT path, value AS version FROM plist WHERE (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist') OR (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist');
description: Reads the version numbers from the Malware Removal Tool (MRT) and built-in antivirus (XProtect) plists
purpose: Informational
tags: compliance, malware, hardening, built-in
contributors: GuillaumeRoss
---
apiVersion: v1
kind: query
spec:
name: Get antivirus status from the Windows Security Center
platform: windows
# windows_security_center is a single summary row; the CROSS JOIN pairs it with each
# registered product of type 'Antivirus', so hosts with several AV products return several rows.
query: SELECT antivirus, signatures_up_to_date from windows_security_center CROSS JOIN windows_security_products WHERE type = 'Antivirus';
description: Selects the antivirus and signatures status from Windows Security Center.
purpose: Informational
tags: compliance, malware, hardening, built-in
contributors: GuillaumeRoss
---
apiVersion: v1
kind: query
spec:
name: Get antivirus (ClamAV/clamd) and updater (freshclam) process status
platform: linux
# One row per matching process; no rows means neither the scanner nor the updater is running.
# A running freshclam does not by itself prove the signature database is current.
query: SELECT pid, state, cmdline, name FROM processes WHERE name='clamd' OR name='freshclam';
description: Selects the clamd and freshclam processes to ensure AV and its updater are running
purpose: Informational
tags: compliance, malware, hardening, built-in
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Antivirus healthy (macOS)
# Passes only when both plists are at or above the thresholds (COUNT(*) = 2 works here
# because each (path, key) pair yields at most one row).
# NOTE(review): plist.value is TEXT, so SQLite compares the version strings lexically with
# '2162' / '1.93'. That holds while digit counts stay the same ('2170' >= '2162') but breaks
# when they change ('10000' < '2162', '1.100' < '1.93') - keep this in mind when bumping
# the thresholds, as the description asks.
query: SELECT score FROM (SELECT case when COUNT(*) = 2 then 1 ELSE 0 END AS score FROM plist WHERE (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist' AND value>=2162) OR (key = 'CFBundleShortVersionString' AND path = '/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist' and value>=1.93)) WHERE score == 1;
description: Checks the version of Malware Removal Tool (MRT) and the built-in macOS AV (Xprotect). Replace version numbers with the latest version regularly.
resolution:
To enable automatic security definition updates, on the failing device, select System
Preferences > Software Update > Advanced > Turn on Install system data files and security
updates.
tags: compliance, malware, hardening, built-in, template
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Antivirus healthy (Windows)
# antivirus = 'Good' comes from the Security Center summary row; type and
# signatures_up_to_date come from each product row. With several registered AV products the
# CROSS JOIN yields one row per product, and the policy passes if *any* of them is up to date.
query: SELECT 1 from windows_security_center wsc CROSS JOIN windows_security_products wsp WHERE antivirus = 'Good' AND type = 'Antivirus' AND signatures_up_to_date=1;
description: Checks the status of antivirus and signature updates from the Windows Security Center.
resolution: "Ensure Windows Defender or your third-party antivirus is running, up to date, and visible in the Windows Security Center."
tags: compliance, malware, hardening, built-in
platform: windows
contributors: GuillaumeRoss
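---
apiVersion: v1
kind: policy
spec:
  name: Antivirus healthy (Linux)
  # The previous COUNT(*) = 2 test passed when two clamd (or two freshclam) processes were
  # running without the other, because the count did not distinguish names. Two EXISTS
  # checks require at least one of each. A running freshclam still does not prove the
  # signature database is current.
  query: SELECT 1 WHERE EXISTS (SELECT 1 FROM processes WHERE name = 'clamd') AND EXISTS (SELECT 1 FROM processes WHERE name = 'freshclam');
  description: Checks that both ClamAV's daemon and its updater service (freshclam) are running.
  resolution: "Ensure ClamAV and Freshclam are installed and running."
  tags: compliance, malware, hardening, built-in
  platform: linux
  contributors: GuillaumeRoss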
---
apiVersion: v1
kind: policy
spec:
name: MDM enrolled (macOS)
# The mdm table comes from the macadmins osquery extension (bundled with Orbit), not core
# osquery. enrolled='true' does not say *which* MDM the Mac is enrolled in - a device could be
# enrolled in an attacker- or user-controlled server and still pass; pin
# identity_certificate_uuid as the description suggests.
query: SELECT 1 from mdm WHERE enrolled='true';
description: "Required: osquery deployed with Orbit, or manual installation of macadmins/osquery-extension. Checks that a mac is enrolled to MDM. Add a AND on identity_certificate_uuid to check for a specific MDM."
resolution: "Enroll device to MDM"
tags: compliance, hardening, built-in, critical
platform: darwin
contributors: GuillaumeRoss
---
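apiVersion: v1
kind: policy
spec:
name: Docker application is up to date or not present (macOS)
# '4.6.1' is a string literal, so ">=" is a lexicographic comparison, not a version
# comparison: '4.10.0' sorts below '4.6.1' and would make this policy fail on a newer
# release. Keep that in mind when updating the pinned version or reusing the template.
query: SELECT 1 WHERE EXISTS (SELECT 1 FROM apps a1 WHERE a1.bundle_identifier = 'com.electron.dockerdesktop' AND a1.bundle_short_version>='4.6.1') OR NOT EXISTS (SELECT 1 FROM apps a2 WHERE a2.bundle_identifier = 'com.electron.dockerdesktop');
description: "Checks if the application (Docker Desktop example) is installed and up to date, or not installed. Fails if the application is installed and on a lower version. You can copy this query and replace the bundle_identifier and bundle_short_version values to apply the same type of policy to other applications."
resolution: "Update Docker or remove it if not used."
tags: inventory, vulnerability, built-in
platform: darwin
contributors: GuillaumeRoss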
---
apiVersion: v1
kind: policy
spec:
name: SSH keys encrypted
query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM users CROSS JOIN user_ssh_keys USING (uid) WHERE encrypted='0');
description: "Required: osquery must have Full Disk Access. Policy passes if all keys are encrypted, including if no keys are present."
resolution: "Use this command to encrypt existing SSH keys by providing the path to the file: ssh-keygen -o -p -f /path/to/file"
tags: compliance, ssh, built-in
contributors: GuillaumeRoss
platform: darwin,linux,windows
---
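apiVersion: v1
kind: policy
spec:
name: Suspicious autostart (Windows)
# Single-quoted literals: in SQLite a double-quoted token is parsed as an identifier
# first and only falls back to a string literal when no such column exists.
# NOTE(review): the exact match on path = 'regsvr32' will not match entries that record
# a full path or the .exe suffix; confirm what startup_items reports before widening it.
query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM startup_items WHERE path = 'regsvr32' AND args LIKE '%http%');
description: "Checks for an autostart that is attempting to load a dynamic link library (DLL) from the internet."
resolution: "Remove the suspicious startup entry."
tags: malware, hunting
platform: windows
contributors: kswagler-rh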
---
apiVersion: v1
kind: policy
spec:
name: Firewall enabled (macOS)
query: SELECT 1 FROM alf WHERE global_state >= 1;
description: "Checks if the firewall is enabled."
resolution: "In System Preferences, open Security & Privacy, navigate to the Firewall tab and click Turn On Firewall."
tags: hardening, compliance, built-in, CIS, CIS2.5.2.2
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Screen lock enabled (macOS)
query: SELECT 1 FROM managed_policies WHERE name='askForPassword' AND value='1';
description: "Checks that a mobile device management (MDM) solution configures the Mac to enable screen lock."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables screen lock."
tags: MDM required, compliance, hardening, built-in
platform: darwin
contributors: GuillaumeRoss
---
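apiVersion: v1
kind: policy
spec:
name: Screen lock enabled (Windows)
# InactivityTimeoutSecs = 0 means the machine inactivity limit is not enforced, so 0
# must fail this policy instead of satisfying "<= 1800". A non-numeric value casts to 0
# and therefore fails as well.
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs' AND CAST(data as INTEGER) > 0 AND CAST(data as INTEGER) <= 1800;
description: "Checks if the screen lock is enabled and configured to lock the system within 30 minutes or less."
resolution: "Contact your IT administrator to enable the Interactive Logon: Machine inactivity limit setting with a value of 1800 seconds or lower (but not 0, which disables the limit)."
tags: compliance, hardening, built-in
platform: windows
contributors: GuillaumeRoss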
---
apiVersion: v1
kind: policy
spec:
name: Password requires 10 or more characters (macOS)
query: SELECT 1 FROM (SELECT cast(lengthtxt as integer(2)) minlength FROM (SELECT SUBSTRING(length, 1, 2) AS lengthtxt FROM (SELECT policy_description, policy_identifier, split(policy_content, '{', 1) AS length FROM password_policy WHERE policy_identifier LIKE '%minLength')) WHERE minlength >= 10);
description: "Checks that the password policy requires at least 10 characters. Requires osquery 5.4.0 or newer."
resolution: "Contact your IT administrator to make sure your Mac is receiving configuration profiles for password length."
platform: darwin
tags: compliance, hardening, built-in, CIS, CIS5.2.2
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Operating system up to date (macOS)
query: SELECT 1 FROM os_version WHERE version >= '14.1.1';
description: "Checks that the operating system is up to date."
resolution: "From the Apple menu in the corner of your screen, choose System Preferences. Then select Software Update and select Upgrade Now. You might be asked to restart or enter your password."
tags: compliance, CIS, template, CIS1.1, critical
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Automatic updates enabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticCheckEnabled' AND value=1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically check for updates."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic updates."
tags: MDM required, compliance, CIS, CIS1.2
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Automatic update downloads enabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticDownload' AND value=1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically download updates."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic update downloads."
tags: MDM required, compliance, CIS, CIS1.3
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Automatic installation of application updates is enabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallAppUpdates' AND value=1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically install updates to App Store applications."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of application updates."
tags: MDM required, compliance, CIS, CIS1.4
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Automatic security and data file updates is enabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='CriticalUpdateInstall' AND value=1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically download updates to built-in macOS security tools such as malware removal tools."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic security and data update installation."
tags: MDM required, compliance, CIS, CIS1.5
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Automatic installation of operating system updates is enabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallMacOSUpdates' AND value=1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically install operating system updates."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of operating system updates."
tags: MDM required, compliance, CIS, CIS1.6
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Time and date are configured to be updated automatically (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='forceAutomaticDateAndTime' AND value=1 LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to automatically update the time and date."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic time and date configuration."
tags: MDM required, compliance, CIS, CIS2.2.1
platform: darwin
contributors: GuillaumeRoss
---
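apiVersion: v1
kind: policy
spec:
name: Lock screen after inactivity of 20 minutes or less (macOS)
# idleTime = 0 means the screen saver never starts, so 0 must not satisfy "<= 1140".
# askForPasswordDelay keeps accepting 0 (password required immediately).
query: SELECT 1 WHERE EXISTS (SELECT CAST(value as integer(4)) valueint from managed_policies WHERE domain = 'com.apple.screensaver' AND name = 'askForPasswordDelay' AND valueint <= 60 LIMIT 1) AND EXISTS (SELECT CAST(value as integer(4)) valueint from managed_policies WHERE domain = 'com.apple.screensaver' AND name = 'idleTime' AND valueint > 0 AND valueint <= 1140 LIMIT 1) AND EXISTS (SELECT 1 from managed_policies WHERE domain='com.apple.screensaver' AND name='askForPassword' AND value=1 LIMIT 1);
description: "Checks that a mobile device management (MDM) solution configures the Mac to lock the screen after 20 minutes or less."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables the screen saver after inactivity of 20 minutes or less."
tags: MDM required, compliance, CIS, CIS2.3.1, CIS5.8
platform: darwin
contributors: GuillaumeRoss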
---
apiVersion: v1
kind: policy
spec:
name: Internet sharing is blocked (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.MCX' AND name='forceInternetSharingOff' AND value='1' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to prevent Internet sharing."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that prevents Internet sharing."
tags: MDM required, compliance, CIS, CIS2.4.2
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Content caching is disabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowContentCaching' AND value='0' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to disable content caching."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables content caching."
tags: MDM required, compliance, CIS, CIS2.4.10
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Ad tracking is limited (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.AdLib' AND name='forceLimitAdTracking' AND value='1' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to limit advertisement tracking."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables advertisement tracking."
tags: MDM required, compliance, CIS, CIS2.5.6
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: iCloud Desktop and Document sync is disabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.icloud.managed' AND name='DisableCloudSync' AND value='1' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to prevent iCloud Desktop and Documents sync."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile to prevent iCloud Desktop and Documents sync."
tags: MDM required, compliance, CIS, CIS2.6.1.4
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Firewall logging is enabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND name='EnableLogging' AND value='1' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to log firewall activity."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables firewall logging."
tags: MDM required, compliance, CIS, CIS3.6
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Guest account disabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND name='DisableGuestAccount' AND value='1' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to prevent the use of a guest account."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that disables the guest account."
tags: MDM required, compliance, CIS, CIS6.1.3
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: Guest access to shared folders is disabled (macOS)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.AppleFileServer' AND name='guestAccess' AND value='0' LIMIT 1;
description: "Checks that a mobile device management (MDM) solution configures the Mac to prevent guest access to shared folders."
resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that prevents guest access to shared folders."
tags: MDM required, compliance, CIS, CIS6.1.4
platform: darwin
contributors: GuillaumeRoss
---
apiVersion: v1
kind: policy
spec:
name: No 1Password emergency kit stored in desktop, documents, or downloads folders (macOS)
query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM file WHERE filename LIKE '%Emergency Kit%.pdf' AND (path LIKE '/Users/%/Desktop/%' OR path LIKE '/Users/%/Documents/%' OR path LIKE '/Users/%/Downloads/%' OR path LIKE '/Users/Shared/%'));
description: "Looks for PDF files with file names typically used by 1Password for emergency recovery kits. To protect the performance of your devices, the search is one level deep and limited to the Desktop, Documents, Downloads, and Shared folders."
resolution: "Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location."
platform: darwin
tags: compliance, built-in
contributors: nonpunctual
---
apiVersion: v1
kind: query
spec:
name: Discover TLS certificates
platform: linux, windows, darwin
description: Retrieves metadata about TLS certificates for servers listening on the local machine. Enables mTLS adoption analysis and cert expiration notifications.
query: SELECT * FROM curl_certificate WHERE hostname IN (SELECT DISTINCT 'localhost:'||port FROM listening_ports WHERE protocol=6 AND address!='127.0.0.1' AND address!='::1');
purpose: Informational
tags: network, tls
contributors: nabilschear
---
apiVersion: v1
kind: query
spec:
name: Discover Python Packages from Running Python Interpreters
platform: linux, darwin
description: Attempt to discover Python environments (in cwd, path to the python binary, and process command line) from running python interpreters and collect Python packages from those environments.
query: SELECT * FROM python_packages WHERE directory IN (SELECT DISTINCT directory FROM (SELECT SUBSTR(path,0,INSTR(path,'/bin/'))||'/lib' AS directory FROM processes WHERE path LIKE '%/bin/%' AND path LIKE '%python%' UNION SELECT SUBSTR(cmdline,0,INSTR(cmdline,'/bin/'))||'/lib' AS directory FROM processes WHERE cmdline LIKE '%python%' AND cmdline LIKE '%/bin/%' AND path LIKE '%python%' UNION SELECT cwd||'/lib' AS directory FROM processes WHERE path LIKE '%python%'));
purpose: Informational
tags: compliance, hunting
contributors: nabilschear
---
apiVersion: v1
kind: query
spec:
name: Identify the default mail, http and ftp applications
platforms: macOS
platform: darwin
description: Lists the currently enabled applications configured to handle mailto, http and ftp schemes.
query: SELECT * FROM app_schemes WHERE (scheme='mailto' OR scheme='http' OR scheme='ftp') AND enabled='1';
purpose: Informational
tags: compliance, hunting
contributors: brunerd
---
apiVersion: v1
kind: policy
spec:
name: Firewall enabled, domain profile (Windows)
query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall' AND CAST(data as integer) = 1;
description: "Checks if a Group Policy configures the computer to enable the domain profile for Windows Firewall. The domain profile applies to networks where the host system can authenticate to a domain controller. Some auditors require that this setting is configured by a Group Policy."
resolution: "Contact your IT administrator to ensure your computer is receiving a Group Policy that enables the domain profile for Windows Firewall."
platforms: Windows
tags: compliance, CIS, CIS9.1.1
platform: windows
contributors: defensivedepth
---
apiVersion: v1
kind: policy
spec:
name: Firewall enabled, private profile (Windows)
query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall' AND CAST(data as integer) = 1;
description: "Checks if a Group Policy configures the computer to enable the private profile for Windows Firewall. The private profile applies to networks where the host system is connected to a private or home network. Some auditors require that this setting is configured by a Group Policy."
resolution: "Contact your IT administrator to ensure your computer is receiving a Group Policy that enables the private profile for Windows Firewall."
platforms: Windows
tags: compliance, CIS, CIS9.2.1
platform: windows
contributors: defensivedepth
---
apiVersion: v1
kind: policy
spec:
name: Firewall enabled, public profile (Windows)
query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall' AND CAST(data as integer) = 1;
description: "Checks if a Group Policy configures the computer to enable the public profile for Windows Firewall. The public profile applies to networks where the host system is connected to public networks such as Wi-Fi hotspots at coffee shops and airports. Some auditors require that this setting is configured by a Group Policy."
resolution: "Contact your IT administrator to ensure your computer is receiving a Group Policy that enables the public profile for Windows Firewall."
platforms: Windows
tags: compliance, CIS, CIS9.3.1
platform: windows
contributors: defensivedepth
---
apiVersion: v1
kind: policy
spec:
name: SMBv1 client driver disabled (Windows)
query: SELECT 1 FROM windows_optional_features WHERE name = 'SMB1Protocol-Client' AND state != 1;
description: "Checks that the SMBv1 client is disabled."
resolution: "Contact your IT administrator to discuss disabling SMBv1 on your system."
platforms: Windows
tags: compliance, CIS, CIS18.3.2, built-in
platform: windows
contributors: defensivedepth
---
apiVersion: v1
kind: policy
spec:
name: SMBv1 server disabled (Windows)
query: SELECT 1 FROM windows_optional_features WHERE name = 'SMB1Protocol-Server' AND state != 1
description: "Checks that the SMBv1 server is disabled."
resolution: "Contact your IT administrator to discuss disabling SMBv1 on your system."
platforms: Windows
tags: compliance, CIS, CIS18.3.3, built-in
platform: windows
contributors: defensivedepth
---
apiVersion: v1
kind: policy
spec:
name: Link-Local Multicast Name Resolution (LLMNR) disabled (Windows)
query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast' AND CAST(data as integer) = 0;
description: "Checks if a Group Policy configures the computer to disable LLMNR. Disabling LLMNR can prevent malicious actors from gaining access to the computer's credentials. Some auditors require that this setting is configured by a Group Policy."
resolution: "Contact your IT administrator to ensure your computer is receiving a Group Policy that disables LLMNR on your system."
platforms: Windows
tags: compliance, CIS, CIS18.5.4.2
platform: windows
contributors: defensivedepth
---
apiVersion: v1
kind: policy
spec:
name: Automatic updates enabled (Windows)
query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate' AND CAST(data as integer) = 0;