Multiple updates to queries (#25891)

Co-authored-by: Harrison Ravazzolo <[email protected]>

it-and-security/default.yml

@@ -82,8 +82,9 @@ org_settings:
       enable_activities_webhook: true
 policies:
 queries:
-  - path: ./lib/all/queries/collect-fleetd-update-channels.yml
+  - path: ./lib/all/queries/collect-fleetd-information.yml
   - path: ./lib/all/queries/collect-operating-system-information.yml
+  - path: ./lib/all/queries/collect-known-vulnerable-chrome-extensions.yml
 controls: 
   enable_disk_encryption: true
   macos_migration:

it-and-security/lib/all/queries/collect-known-vulnerable-chrome-extensions.yml

@@ -0,0 +1,15 @@
+- name: Detect known vunerable Chrome extensions
+  description: "Detects if any device enrolled in Fleet has a known vulnerable Chrome extension installed. More info here: https://www.extensiontotal.com/cyberhaven-incident-live"
+  query: 
+    SELECT 
+      u.username, ce.name, ce.description, ce.version, ce.identifier 
+    FROM 
+      users u CROSS JOIN chrome_extensions ce USING (uid) 
+    WHERE 
+      ce.identifier IN 
+      ("nnpnnpemnckcfdebeekibpiijlicmpom", "kkodiihpgodmdankclfibbiphjkfdenh", "oaikpkmjciadfpddlpjjdapglcihgdle", "dpggmcodlahmljkhlmpgpdcffdaoccni", "acmfnomgphggonodopogfbmkneepfgnh", "mnhffkhmpnefgklngfmlndmkimimbphc", "cedgndijpacnfbdggppddacngjfdkaca", "bbdnohkpnbkdkmnkddobeafboooinpla", "egmennebgadmncfjafcemlecimkepcle", "bibjgkidgpfbblifamdlkdlhgihmfohh", "befflofjcniongenjmbkgkoljhgliihe", "pkgciiiancapdlpcbppfkmeaieppikkk", "llimhhconnjiflfimocjggfjdlmlhblm", "oeiomhmbaapihbilkfkhmlajkeegnjhe", "pajkjnmeojmbapicmbpliphjmcekeaac", "ndlbedplllcgconngcnfmkadhokfaaln", "epdjhgbipjpbbhoccdeipghoihibnfja", "cplhlgabfijoiabgkigdafklbhhdkahj", "jiofmdifioeejeilfkpegipdjiopiekl", "hihblcmlaaademjlakdpicchbjnnnkbo", "ekpkdmohpdnebfedjjfklhpefgpgaaji", "epikoohpebngmakjinphfiagogjcnddm", "miglaibdlgminlepgeifekifakochlka", "eanofdhdfbcalhflpbdipkjjkoimeeod", "ogbhbgkiojdollpjbhbamafmedkeockb", "bgejafhieobnfpjlpcjjggoboebonfcg", "igbodamhgjohafcenbcljfegbipdfjpk", "mbindhfolmpijhodmgkloeeppmkhpmhc", "hodiladlefdpcbemnbbcpclbmknkiaem", "lbneaaedflankmgmfbmaplggbmjjmbae", "eaijffijbobmnonfhilihbejadplhddo", "hmiaoahjllhfgebflooeeefeiafpkfde");
+  interval: 3600 # Every 1 hour
+  observer_can_run: true
+  automations_enabled: true
+  logging: differential
+  platform: darwin,linux,windows

it-and-security/lib/linux/queries/all-deb-hosts.yml

@@ -1,6 +1,9 @@
-apiVersion: v1
-kind: query
-spec:
-  name: All debian hosts
+- name: All debian hosts
+  automations_enabled: false
+  description: Collects all debian-based hosts.
+  discard_data: false
+  interval: 300
+  logging: snapshot
+  observer_can_run: true
+  platform: linux
   query: SELECT * FROM os_version WHERE platform_like = 'debian';
-  platform: "darwin"

it-and-security/lib/linux/queries/all-rpm-hosts.yml

@@ -1,6 +1,9 @@
-apiVersion: v1
-kind: query
-spec:
-  name: All rpm hosts
+- name: All rhel-based (rpm) hosts
+  automations_enabled: false
+  description: Collects all rhel-based hosts.
+  discard_data: false
+  interval: 300
+  logging: snapshot
+  observer_can_run: true
+  platform: linux
   query: SELECT * FROM os_version WHERE platform_like = 'rhel';
-  platform: "darwin"

it-and-security/lib/macos/policies/update-1password.yml

@@ -0,0 +1,6 @@
+- name: macOS - 1Password up to date
+  query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM apps WHERE name = '1Password.app') OR EXISTS (SELECT 1 FROM apps WHERE name = '1Password.app' AND version_compare(bundle_short_version, '8.10.58') >= 0);
+  critical: false
+  description: The host may have an outdated version of 1Password, potentially risking security vulnerabilities or compatibility issues.
+  resolution: Check for updates using 1Password's built-in update functionality. You can also delete 1Password if you are no longer using it. 
+  platform: darwin

it-and-security/lib/macos/policies/update-firefox.yml

@@ -1,6 +1,6 @@
 - name: macOS - Firefox up to date
   query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM apps WHERE name = 'Firefox.app') OR EXISTS (SELECT 1 FROM apps WHERE name = 'Firefox.app' AND version_compare(bundle_short_version, '134.0.2') >= 0);
   critical: false
-  description: The host may have an outdated or non-existent version of Firefox, potentially risking security vulnerabilities or compatibility issues.
-  resolution: Download the latest version from self-service or check for updates using Firefox's built-in update functionality.
+  description: The host may have an outdated version of Firefox, potentially risking security vulnerabilities or compatibility issues.
+  resolution: Download the latest version from self-service or check for updates using Firefox's built-in update functionality. You can also delete Firefox if you are no longer using it. 
   platform: darwin

it-and-security/lib/macos/queries/detect-apple-intelligence.yml

@@ -0,0 +1,9 @@
+- name: Detect if Apple Intelligence is enabled
+  automations_enabled: true
+  description: Detects if Apple Intelligence has been enabled.
+  discard_data: false
+  interval: 300
+  logging: snapshot
+  observer_can_run: true
+  platform: "darwin"
+  query: SELECT * FROM plist WHERE path LIKE '/Users/%/Library/Preferences/com.apple.CloudSubscriptionFeatures.optIn.plist';

it-and-security/lib/windows/queries/all-arm-hosts.yml

@@ -1,7 +1,9 @@
-apiVersion: v1
-kind: query
-spec:
-  name: All ARM hosts
+- name: All ARM hosts
+  automations_enabled: false
+  description: Collects all ARM-based hosts.
+  discard_data: false
+  interval: 300
+  logging: snapshot
+  observer_can_run: true
+  platform: windows
   query: SELECT * FROM os_version WHERE arch LIKE 'ARM%';
-  platform: "windows"
-

it-and-security/lib/windows/queries/all-x86-hosts.yml

@@ -1,7 +1,9 @@
-apiVersion: v1
-kind: query
-spec:
-  name: All ARM hosts
+- name: All x86 hosts
+  automations_enabled: false
+  description: Collects all x86-based hosts.
+  discard_data: false
+  interval: 300
+  logging: snapshot
+  observer_can_run: true
+  platform: windows
   query: SELECT * FROM os_version WHERE arch NOT LIKE 'ARM%';
-  platform: "windows"
-

it-and-security/lib/windows/software/slack.yml

@@ -1,5 +1,4 @@
 url: https://downloads.slack-edge.com/desktop-releases/windows/x64/4.41.105/SlackSetup.exe
 self_service: true
-pre_install_query:
-  path: ../queries/all-x86-hosts.yml
-
+labels_include_any:
+  - "x86-based Windows hosts"

it-and-security/lib/windows/software/zoom-arm.yml

@@ -1,5 +1,4 @@
 url: https://zoom.us/client/6.3.0.52884/ZoomInstallerFull.exe?archType=winarm64
 self-service: true
-pre_install_query:
-  path: ../queries/all-arm-hosts.yml
-
+labels_include_any:
+  - "ARM-based Windows hosts"

it-and-security/lib/windows/software/zoom.yml

@@ -1,5 +1,5 @@
 url: https://zoom.us/client/6.3.0.52884/ZoomInstallerFull.exe?archType=x64
 self-service: true
-pre_install_query:
-  path: ../queries/all-x86-hosts.yml
-  
+labels_include_any:
+  - "x86-based Windows hosts"
+

it-and-security/teams/workstations-canary.yml

@@ -126,16 +126,13 @@ policies:
   - path: ../lib/macos/policies/update-firefox.yml
   - path: ../lib/macos/policies/update-slack.yml
   - path: ../lib/macos/policies/latest-macos.yml
+  - path: ../lib/macos/policies/update-1password.yml
   - path: ../lib/windows/policies/windows-device-health.yml
   - path: ../lib/linux/policies/disk-encryption-check.yml
 queries:
-  - path: ../lib/macos/queries/collect-failed-login-attempts.yml
   - path: ../lib/all/queries/collect-fleetd-information.yml
   - path: ../lib/all/queries/collect-usb-devices.yml
-  - path: ../lib/all/queries/collect-vs-code-extensions.yml
-  - path: ../lib/macos/queries/collect-software-permissions-system.yml
-  - path: ../lib/macos/queries/collect-software-permissions-user.yml
-  - path: ../lib/all/queries/collect-crowdstrike-info.yml
+  - path: ../lib/macos/queries/detect-apple-intelligence.yml
 software:
   packages:
     - path: ../lib/macos/software/mozilla-firefox.yml # Mozilla Firefox for MacOS (universal)

it-and-security/teams/workstations.yml

@@ -90,16 +90,8 @@ policies:
   - path: ../lib/linux/policies/disk-encryption-check.yml
   - path: ../lib/macos/policies/update-slack.yml
 queries:
-  - path: ../lib/macos/queries/collect-failed-login-attempts.yml
   - path: ../lib/all/queries/collect-usb-devices.yml
-  - path: ../lib/all/queries/collect-vs-code-extensions.yml
-  - name: Collect expiration date for MDM SCEP certificates
-    description: "For the following issue: https://github.com/fleetdm/confidential/issues/4518. Returns expiration date for macOS hosts's MDM SCEP certs."
-    query: "SELECT common_name, datetime(not_valid_after,'unixepoch') AS expires FROM certificates WHERE 'common_name' LIKE '%FleetDM Identity%';"
-    platform: darwin
-    interval: 300
-    automations_enabled: false
-    observer_can_run: true
+  - path: ../lib/macos/queries/detect-apple-intelligence.yml
 software:
   packages:
     - path: ../lib/macos/software/zoom.yml # Zoom for macOS