From 212979d9fc58baef6f745d3f964c243852e333e2 Mon Sep 17 00:00:00 2001 
From: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Date: Thu, 30 Jan 2025 13:00:43 -0600
Subject: [PATCH] Multiple updates to queries (#25891)
Co-authored-by: Harrison Ravazzolo <38767391+harrisonravazzolo@users.noreply.github.com>
---
it-and-security/default.yml | 3 ++-
.../lib/all/queries/collect-crowdstrike-info.yml | 8 --------
.../queries/collect-fleetd-update-channels.yml | 7 -------
...collect-known-vulnerable-chrome-extensions.yml | 15 +++++++++++++++
.../all/queries/collect-vs-code-extensions.yml | 12 ------------
.../lib/linux/queries/all-deb-hosts.yml | 13 ++++++++-----
.../lib/linux/queries/all-rpm-hosts.yml | 13 ++++++++-----
.../lib/macos/policies/update-1password.yml | 6 ++++++
.../lib/macos/policies/update-firefox.yml | 4 ++--
.../lib/macos/queries/check-if-apple-silicon.yml | 6 ------
.../queries/collect-failed-login-attempts.yml | 14 --------------
.../collect-software-permissions-system.yml | 5 -----
.../queries/collect-software-permissions-user.yml | 5 -----
.../macos/queries/detect-apple-intelligence.yml | 9 +++++++++
.../lib/windows/queries/all-arm-hosts.yml | 14 ++++++++------
.../lib/windows/queries/all-x86-hosts.yml | 14 ++++++++------
.../windows/queries/collect-windows-defender.yml | 11 -----------
it-and-security/lib/windows/software/slack.yml | 5 ++---
it-and-security/lib/windows/software/zoom-arm.yml | 5 ++---
it-and-security/lib/windows/software/zoom.yml | 6 +++---
it-and-security/teams/workstations-canary.yml | 7 ++-----
it-and-security/teams/workstations.yml | 10 +---------
22 files changed, 76 insertions(+), 116 deletions(-)
delete mode 100644 it-and-security/lib/all/queries/collect-crowdstrike-info.yml
delete mode 100644 it-and-security/lib/all/queries/collect-fleetd-update-channels.yml
create mode 100644 it-and-security/lib/all/queries/collect-known-vulnerable-chrome-extensions.yml
delete mode 100644 it-and-security/lib/all/queries/collect-vs-code-extensions.yml
create mode 100644 
it-and-security/lib/macos/policies/update-1password.yml
delete mode 100644 it-and-security/lib/macos/queries/check-if-apple-silicon.yml
delete mode 100644 it-and-security/lib/macos/queries/collect-failed-login-attempts.yml
delete mode 100644 it-and-security/lib/macos/queries/collect-software-permissions-system.yml
delete mode 100644 it-and-security/lib/macos/queries/collect-software-permissions-user.yml
create mode 100644 it-and-security/lib/macos/queries/detect-apple-intelligence.yml
delete mode 100644 it-and-security/lib/windows/queries/collect-windows-defender.yml
diff --git a/it-and-security/default.yml b/it-and-security/default.yml
index 09917ebf95e8..9e65f380d81a 100644
--- a/it-and-security/default.yml
+++ b/it-and-security/default.yml
@@ -82,8 +82,9 @@ org_settings:
 enable_activities_webhook: true
 policies:
 queries:
- - path: ./lib/all/queries/collect-fleetd-update-channels.yml
+ - path: ./lib/all/queries/collect-fleetd-information.yml
 - path: ./lib/all/queries/collect-operating-system-information.yml
+ - path: ./lib/all/queries/collect-known-vulnerable-chrome-extensions.yml
 controls:
 enable_disk_encryption: true
 macos_migration:
diff --git a/it-and-security/lib/all/queries/collect-crowdstrike-info.yml b/it-and-security/lib/all/queries/collect-crowdstrike-info.yml
deleted file mode 100644
index e68970df5453..000000000000
--- a/it-and-security/lib/all/queries/collect-crowdstrike-info.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-- name: Get Crowdstrike Falcon network content filter status
- description: "Collects crowdstrike information"
- query: |
- /* Load up the plist */ WITH extensions_plist AS (SELECT *, rowid FROM plist WHERE path = '/Library/Preferences/com.apple.networkextension.plist') /* Find the first "Enabled" key after the key indicating the crowdstrike app */ SELECT value AS enabled FROM extensions_plist WHERE subkey = 'Enabled' AND rowid > (SELECT rowid FROM extensions_plist WHERE value = 'com.crowdstrike.falcon.App') LIMIT 1;
- interval: 300 # 5 minutes
- observer_can_run: true
- automations_enabled: false
- platform: darwin,linux,windows
diff --git a/it-and-security/lib/all/queries/collect-fleetd-update-channels.yml b/it-and-security/lib/all/queries/collect-fleetd-update-channels.yml
deleted file mode 100644
index a90ea083ab53..000000000000
--- a/it-and-security/lib/all/queries/collect-fleetd-update-channels.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: Collect fleetd update channels
- description: "Collects the update channels for all fleetd components: osquery, Orbit, and Fleet Desktop. To see which version number each channel is on, ask in #help-engineering."
- query: SELECT desktop_channel, orbit_channel, osqueryd_channel FROM orbit_info;
- interval: 300 # 5 minutes
- observer_can_run: true
- automations_enabled: false
- platform: darwin,linux,windows
diff --git a/it-and-security/lib/all/queries/collect-known-vulnerable-chrome-extensions.yml b/it-and-security/lib/all/queries/collect-known-vulnerable-chrome-extensions.yml
new file mode 100644
index 000000000000..c501d9bb825d
--- /dev/null
+++ b/it-and-security/lib/all/queries/collect-known-vulnerable-chrome-extensions.yml
@@ -0,0 +1,15 @@
+- name: Detect known vunerable Chrome extensions
+ description: "Detects if any device enrolled in Fleet has a known vulnerable Chrome extension installed. More info here: https://www.extensiontotal.com/cyberhaven-incident-live"
+ query:
+ SELECT
+ u.username, ce.name, ce.description, ce.version, ce.identifier
+ FROM
+ users u CROSS JOIN chrome_extensions ce USING (uid)
+ WHERE
+ ce.identifier IN
+ ("nnpnnpemnckcfdebeekibpiijlicmpom", "kkodiihpgodmdankclfibbiphjkfdenh", "oaikpkmjciadfpddlpjjdapglcihgdle", "dpggmcodlahmljkhlmpgpdcffdaoccni", "acmfnomgphggonodopogfbmkneepfgnh", "mnhffkhmpnefgklngfmlndmkimimbphc", "cedgndijpacnfbdggppddacngjfdkaca", "bbdnohkpnbkdkmnkddobeafboooinpla", "egmennebgadmncfjafcemlecimkepcle", "bibjgkidgpfbblifamdlkdlhgihmfohh", "befflofjcniongenjmbkgkoljhgliihe", "pkgciiiancapdlpcbppfkmeaieppikkk", "llimhhconnjiflfimocjggfjdlmlhblm", "oeiomhmbaapihbilkfkhmlajkeegnjhe", "pajkjnmeojmbapicmbpliphjmcekeaac", "ndlbedplllcgconngcnfmkadhokfaaln", "epdjhgbipjpbbhoccdeipghoihibnfja", "cplhlgabfijoiabgkigdafklbhhdkahj", "jiofmdifioeejeilfkpegipdjiopiekl", "hihblcmlaaademjlakdpicchbjnnnkbo", "ekpkdmohpdnebfedjjfklhpefgpgaaji", "epikoohpebngmakjinphfiagogjcnddm", "miglaibdlgminlepgeifekifakochlka", "eanofdhdfbcalhflpbdipkjjkoimeeod", "ogbhbgkiojdollpjbhbamafmedkeockb", "bgejafhieobnfpjlpcjjggoboebonfcg", "igbodamhgjohafcenbcljfegbipdfjpk", "mbindhfolmpijhodmgkloeeppmkhpmhc", "hodiladlefdpcbemnbbcpclbmknkiaem", "lbneaaedflankmgmfbmaplggbmjjmbae", "eaijffijbobmnonfhilihbejadplhddo", "hmiaoahjllhfgebflooeeefeiafpkfde");
+ interval: 3600 # Every 1 hour
+ observer_can_run: true
+ automations_enabled: true
+ logging: differential
+ platform: darwin,linux,windows
diff --git a/it-and-security/lib/all/queries/collect-vs-code-extensions.yml b/it-and-security/lib/all/queries/collect-vs-code-extensions.yml
deleted file mode 100644
index 36aae9159920..000000000000
--- a/it-and-security/lib/all/queries/collect-vs-code-extensions.yml
+++ /dev/null
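Review bot: The 32 extension IDs in the new `IN` list are double-quoted; SQLite reads `"…"` as an identifier first and only falls back to a string literal when no column of that name exists, so single-quote them (`'nnpnnpemnckcfdebeekibpiijlicmpom', …`) rather than rely on that fallback in osquery's build. The query `name:` has a typo (`vunerable`), and since Fleet identifies scheduled queries by name as far as I know, fixing it after rollout is a rename rather than an edit. The ID list is a point-in-time snapshot of the Cyberhaven campaign with no date recorded, so add a YAML comment above `query:` such as `# Extension IDs snapshot from extensiontotal.com, 2025-01-30 — refresh when the incident page updates`; keep it a YAML `#` comment, not a SQL `--` one, because the multi-line plain scalar folds newlines into spaces and a `--` would swallow the rest of the statement. Returning `ce.path` next to `ce.identifier` would also give responders the on-disk location for removal, though that is optional.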
@@ -1,12 +0,0 @@
-- name: Collect Visual Studio (VS) Code extensions
- automations_enabled: false
- description: Collects the name, publisher, and version of the VS Code extensions
- installed on hosts.
- discard_data: false
- interval: 3600
- logging: snapshot
- min_osquery_version: ""
- observer_can_run: false
- platform: darwin,linux,windows
- query: SELECT extension.name, extension.publisher, extension.version FROM users
- JOIN vscode_extensions extension USING (uid);
diff --git a/it-and-security/lib/linux/queries/all-deb-hosts.yml b/it-and-security/lib/linux/queries/all-deb-hosts.yml
index c744d81c2e8f..21f53ec9eebf 100644
--- a/it-and-security/lib/linux/queries/all-deb-hosts.yml
+++ b/it-and-security/lib/linux/queries/all-deb-hosts.yml
@@ -1,6 +1,9 @@
-apiVersion: v1
-kind: query
-spec:
- name: All debian hosts
+- name: All debian hosts
+ automations_enabled: false
+ description: Collects all debian-based hosts.
+ discard_data: false
+ interval: 300
+ logging: snapshot
+ observer_can_run: true
+ platform: linux
 query: SELECT * FROM os_version WHERE platform_like = 'debian';
- platform: "darwin"
diff --git a/it-and-security/lib/linux/queries/all-rpm-hosts.yml b/it-and-security/lib/linux/queries/all-rpm-hosts.yml
index 1b8ee8186631..e222b59d5255 100644
--- a/it-and-security/lib/linux/queries/all-rpm-hosts.yml
+++ b/it-and-security/lib/linux/queries/all-rpm-hosts.yml
@@ -1,6 +1,9 @@
-apiVersion: v1
-kind: query
-spec:
- name: All rpm hosts
+- name: All rhel-based (rpm) hosts
+ automations_enabled: false
+ description: Collects all rhel-based hosts.
+ discard_data: false
+ interval: 300
+ logging: snapshot
+ observer_can_run: true
+ platform: linux
 query: SELECT * FROM os_version WHERE platform_like = 'rhel';
- platform: "darwin"
diff --git a/it-and-security/lib/macos/policies/update-1password.yml b/it-and-security/lib/macos/policies/update-1password.yml
new file mode 100644
index 000000000000..bcd53f7ef873
--- /dev/null
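Review bot: The `platform_like = 'rhel'` equality on the unchanged `query:` line is narrower than the new name "All rhel-based (rpm) hosts" implies: if I have osquery's population right, `os_version.platform_like` comes from `ID_LIKE` in /etc/os-release, which on CentOS/Rocky/Alma is a space-separated list such as `rhel centos fedora` and on Fedora itself is absent, so only hosts whose value is exactly `rhel` match, and `WHERE platform_like LIKE '%rhel%' OR platform = 'fedora'` would be closer to the stated intent. The sibling `all-deb-hosts.yml` hunk has the same exposure (Linux Mint reports `ubuntu debian`, if memory serves). `SELECT *` also writes the whole `os_version` row every 300 s under `logging: snapshot`; if only membership is needed, `SELECT platform, platform_like, version` keeps the log lean and makes the description's "Collects all rhel-based hosts" accurate.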
+++ b/it-and-security/lib/macos/policies/update-1password.yml
@@ -0,0 +1,6 @@
+- name: macOS - 1Password up to date
+ query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM apps WHERE name = '1Password.app') OR EXISTS (SELECT 1 FROM apps WHERE name = '1Password.app' AND version_compare(bundle_short_version, '8.10.58') >= 0);
+ critical: false
+ description: The host may have an outdated version of 1Password, potentially risking security vulnerabilities or compatibility issues.
+ resolution: Check for updates using 1Password's built-in update functionality. You can also delete 1Password if you are no longer using it.
+ platform: darwin
diff --git a/it-and-security/lib/macos/policies/update-firefox.yml b/it-and-security/lib/macos/policies/update-firefox.yml
index d1c38c73cd70..91c7904ec2be 100644
--- a/it-and-security/lib/macos/policies/update-firefox.yml
+++ b/it-and-security/lib/macos/policies/update-firefox.yml
@@ -1,6 +1,6 @@
 - name: macOS - Firefox up to date
 query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM apps WHERE name = 'Firefox.app') OR EXISTS (SELECT 1 FROM apps WHERE name = 'Firefox.app' AND version_compare(bundle_short_version, '134.0.2') >= 0);
 critical: false
- description: The host may have an outdated or non-existent version of Firefox, potentially risking security vulnerabilities or compatibility issues.
- resolution: Download the latest version from self-service or check for updates using Firefox's built-in update functionality.
+ description: The host may have an outdated version of Firefox, potentially risking security vulnerabilities or compatibility issues.
+ resolution: Download the latest version from self-service or check for updates using Firefox's built-in update functionality. You can also delete Firefox if you are no longer using it.
 platform: darwin
diff --git a/it-and-security/lib/macos/queries/check-if-apple-silicon.yml b/it-and-security/lib/macos/queries/check-if-apple-silicon.yml
deleted file mode 100644
index 841d30f56574..000000000000
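Review bot: The floor `'8.10.58'` in the new `query:` is a bare constant with no record of when it was current, so the policy silently stops meaning "up to date" after the next 1Password release; add a YAML comment above the query such as `# Floor = 1Password 8.10.58, current as of 2025-01-30; bump on each release (same upkeep as update-firefox.yml)`. Note also that the `NOT EXISTS` branch passes any host with no bundle named exactly `1Password.app` — if I recall correctly the end-of-life 1Password 7 installs as `1Password 7.app`, so such hosts would be reported compliant rather than outdated; widening the `NOT EXISTS` subquery to `name LIKE '1Password%'` would make those hosts fail the policy, assuming that is the intended scope.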
--- a/it-and-security/lib/macos/queries/check-if-apple-silicon.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: query
-spec:
- name: Check if Mac has Apple silicon
- query: SELECT 1 FROM system_info WHERE cpu_type = "arm64e";
- platform: "darwin"
diff --git a/it-and-security/lib/macos/queries/collect-failed-login-attempts.yml b/it-and-security/lib/macos/queries/collect-failed-login-attempts.yml
deleted file mode 100644
index 2adfb7982b98..000000000000
--- a/it-and-security/lib/macos/queries/collect-failed-login-attempts.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-- name: Collect failed login attempts
- automations_enabled: true
- description: Lists the users at least one failed login attempt and timestamp of
- failed login. Number of failed login attempts reset to zero after a user successfully
- logs in.
- discard_data: false
- interval: 300
- logging: snapshot
- min_osquery_version: ""
- observer_can_run: false
- platform: "darwin"
- query: SELECT users.username, account_policy_data.failed_login_count, account_policy_data.failed_login_timestamp
- FROM users INNER JOIN account_policy_data using (uid) WHERE account_policy_data.failed_login_count
- > 0;
diff --git a/it-and-security/lib/macos/queries/collect-software-permissions-system.yml b/it-and-security/lib/macos/queries/collect-software-permissions-system.yml
deleted file mode 100644
index ac3b848bd195..000000000000
--- a/it-and-security/lib/macos/queries/collect-software-permissions-system.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: Collect software permissions (system)
- description: "Research for #16899"
- query: SELECT * from tcc_system;
- interval: 3600 # 1 hour
- platform: darwin
diff --git a/it-and-security/lib/macos/queries/collect-software-permissions-user.yml b/it-and-security/lib/macos/queries/collect-software-permissions-user.yml
deleted file mode 100644
index 93e112a5a6da..000000000000
--- a/it-and-security/lib/macos/queries/collect-software-permissions-user.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: Collect software permissions (user)
- description: "Research for #16899"
- query: SELECT * from tcc_user;
- interval: 3600 # 1 hour
- platform: darwin
diff --git a/it-and-security/lib/macos/queries/detect-apple-intelligence.yml b/it-and-security/lib/macos/queries/detect-apple-intelligence.yml
new file mode 100644
index 000000000000..4c86ace1d06c
--- /dev/null
+++ b/it-and-security/lib/macos/queries/detect-apple-intelligence.yml
@@ -0,0 +1,9 @@
+- name: Detect if Apple Intelligence is enabled
+ automations_enabled: true
+ description: Detects if Apple Intelligence has been enabled.
+ discard_data: false
+ interval: 300
+ logging: snapshot
+ observer_can_run: true
+ platform: "darwin"
+ query: SELECT * FROM plist WHERE path LIKE '/Users/%/Library/Preferences/com.apple.CloudSubscriptionFeatures.optIn.plist';
diff --git a/it-and-security/lib/windows/queries/all-arm-hosts.yml b/it-and-security/lib/windows/queries/all-arm-hosts.yml
index a9968eb3420e..e9b4b558b3f5 100644
--- a/it-and-security/lib/windows/queries/all-arm-hosts.yml
+++ b/it-and-security/lib/windows/queries/all-arm-hosts.yml
@@ -1,7 +1,9 @@
-apiVersion: v1
-kind: query
-spec:
- name: All ARM hosts
+- name: All ARM hosts
+ automations_enabled: false
+ description: Collects all ARM-based hosts.
+ discard_data: false
+ interval: 300
+ logging: snapshot
+ observer_can_run: true
+ platform: windows
 query: SELECT * FROM os_version WHERE arch LIKE 'ARM%';
- platform: "windows"
-
\ No newline at end of file
diff --git a/it-and-security/lib/windows/queries/all-x86-hosts.yml b/it-and-security/lib/windows/queries/all-x86-hosts.yml
index ba0b8bbf0c61..fd6a15636bbb 100644
--- a/it-and-security/lib/windows/queries/all-x86-hosts.yml
+++ b/it-and-security/lib/windows/queries/all-x86-hosts.yml
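Review bot: The new `query:` returns every key of the opt-in plist for any user that has the file, so it reports plist presence, not that Apple Intelligence is enabled as the `name:` and `description:` claim; filter on the specific key/value that records the opt-in once that is confirmed (`AND key = '<opt-in key>' AND value = '1'` or similar) and attribute the row to its owner, e.g. `SELECT u.username, p.key, p.value FROM users u CROSS JOIN plist p ON p.path = u.directory || '/Library/Preferences/com.apple.CloudSubscriptionFeatures.optIn.plist'` instead of the `/Users/%` wildcard, assuming the plist table accepts the joined path constraint. `automations_enabled: true` combined with `logging: snapshot` every 300 s also fires the automation on every run for every matching host; `logging: differential`, as the chrome-extensions query added in this same patch uses, would alert once on change and would make `discard_data: false` far cheaper.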
@@ -1,7 +1,9 @@
-apiVersion: v1
-kind: query
-spec:
- name: All ARM hosts
+- name: All x86 hosts
+ automations_enabled: false
+ description: Collects all x86-based hosts.
+ discard_data: false
+ interval: 300
+ logging: snapshot
+ observer_can_run: true
+ platform: windows
 query: SELECT * FROM os_version WHERE arch NOT LIKE 'ARM%';
- platform: "windows"
-
\ No newline at end of file
diff --git a/it-and-security/lib/windows/queries/collect-windows-defender.yml b/it-and-security/lib/windows/queries/collect-windows-defender.yml
deleted file mode 100644
index cfa2aa85f13d..000000000000
--- a/it-and-security/lib/windows/queries/collect-windows-defender.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: Collect Windows Defender
- automations_enabled: false
- description: Collects the pid, process name, user, path and command line for Windows Defender installed on hosts.
- discard_data: false
- interval: 3600
- logging: snapshot
- min_osquery_version: ""
- observer_can_run: true
- platform: "windows"
- query: SELECT processes.pid, processes.name, users.username, processes.path, processes.cmdline FROM processes LEFT JOIN users ON processes.uid = users.uid WHERE processes.path != '' AND name LIKE 'MpCmdRun.exe';
-
\ No newline at end of file
diff --git a/it-and-security/lib/windows/software/slack.yml b/it-and-security/lib/windows/software/slack.yml
index ee4ce40d532d..66b33266669f 100644
--- a/it-and-security/lib/windows/software/slack.yml
+++ b/it-and-security/lib/windows/software/slack.yml
@@ -1,5 +1,4 @@
 url: https://downloads.slack-edge.com/desktop-releases/windows/x64/4.41.105/SlackSetup.exe
 self_service: true
-pre_install_query:
- path: ../queries/all-x86-hosts.yml
-
\ No newline at end of file
+labels_include_any:
+ - "x86-based Windows hosts"
diff --git a/it-and-security/lib/windows/software/zoom-arm.yml b/it-and-security/lib/windows/software/zoom-arm.yml
index 3a8db75bdf5e..f5d6ff0365b2 100644
--- a/it-and-security/lib/windows/software/zoom-arm.yml
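Review bot: `arch NOT LIKE 'ARM%'` on the unchanged `query:` line matches every non-ARM value, so on Windows — where I believe `os_version.arch` is WMI's `OSArchitecture`, i.e. `64-bit`, `32-bit` or `ARM 64-bit` — 32-bit hosts are counted as "x86" as well; if the `x86-based Windows hosts` label that now gates the x64 `SlackSetup.exe` in the `slack.yml` hunk is backed by this predicate, those hosts would be offered an x64 installer. `WHERE arch = '64-bit'` states the intent, or, if 32-bit is deliberately in scope, the `description:` should say so rather than "x86-based" alone. The corrected `- name: All x86 hosts` should also be reflected in whatever defines that label, since the old copy-pasted "All ARM hosts" title suggests it was cloned from the ARM file.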
+++ b/it-and-security/lib/windows/software/zoom-arm.yml
@@ -1,5 +1,4 @@
 url: https://zoom.us/client/6.3.0.52884/ZoomInstallerFull.exe?archType=winarm64
 self-service: true
-pre_install_query:
- path: ../queries/all-arm-hosts.yml
-
\ No newline at end of file
+labels_include_any:
+ - "ARM-based Windows hosts"
diff --git a/it-and-security/lib/windows/software/zoom.yml b/it-and-security/lib/windows/software/zoom.yml
index 0c51190a79d3..8605d8459702 100644
--- a/it-and-security/lib/windows/software/zoom.yml
+++ b/it-and-security/lib/windows/software/zoom.yml
@@ -1,5 +1,5 @@
 url: https://zoom.us/client/6.3.0.52884/ZoomInstallerFull.exe?archType=x64
 self-service: true
-pre_install_query:
- path: ../queries/all-x86-hosts.yml
-
\ No newline at end of file
+labels_include_any:
+ - "x86-based Windows hosts"
+
\ No newline at end of file
diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml
index 84792d49d075..577957c02d43 100644
--- a/it-and-security/teams/workstations-canary.yml
+++ b/it-and-security/teams/workstations-canary.yml
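Review bot: Both Zoom package files keep `self-service: true` (hyphen) on their unchanged second line, while the `slack.yml` hunk in this same patch uses `self_service: true`; only one spelling can be the key Fleet's GitOps schema reads, and if it is `self_service`, the Zoom packages are either rejected on apply or silently not self-service. Since the patch already edits all three files to switch to `labels_include_any`, this is the moment to normalize it to `self_service: true` in `zoom.yml` and `zoom-arm.yml`, assuming that is the documented form. The `url:` lines pin a Zoom version but no digest; if the package schema supports recording one, it would protect the install against a swapped artifact at that URL.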
@@ -126,16 +126,13 @@ policies:
 - path: ../lib/macos/policies/update-firefox.yml
 - path: ../lib/macos/policies/update-slack.yml
 - path: ../lib/macos/policies/latest-macos.yml
+ - path: ../lib/macos/policies/update-1password.yml
 - path: ../lib/windows/policies/windows-device-health.yml
 - path: ../lib/linux/policies/disk-encryption-check.yml
 queries:
- - path: ../lib/macos/queries/collect-failed-login-attempts.yml
 - path: ../lib/all/queries/collect-fleetd-information.yml
 - path: ../lib/all/queries/collect-usb-devices.yml
- - path: ../lib/all/queries/collect-vs-code-extensions.yml
- - path: ../lib/macos/queries/collect-software-permissions-system.yml
- - path: ../lib/macos/queries/collect-software-permissions-user.yml
- - path: ../lib/all/queries/collect-crowdstrike-info.yml
+ - path: ../lib/macos/queries/detect-apple-intelligence.yml
 software:
 packages:
 - path: ../lib/macos/software/mozilla-firefox.yml # Mozilla Firefox for MacOS (universal)
diff --git a/it-and-security/teams/workstations.yml b/it-and-security/teams/workstations.yml
index 40203d4830e3..1b997506a7b8 100644
--- a/it-and-security/teams/workstations.yml
+++ b/it-and-security/teams/workstations.yml
@@ -90,16 +90,8 @@ policies:
 - path: ../lib/linux/policies/disk-encryption-check.yml
 - path: ../lib/macos/policies/update-slack.yml
 queries:
- - path: ../lib/macos/queries/collect-failed-login-attempts.yml
 - path: ../lib/all/queries/collect-usb-devices.yml
- - path: ../lib/all/queries/collect-vs-code-extensions.yml
- - name: Collect expiration date for MDM SCEP certificates
- description: "For the following issue: https://github.com/fleetdm/confidential/issues/4518. Returns expiration date for macOS hosts's MDM SCEP certs."
- query: "SELECT common_name, datetime(not_valid_after,'unixepoch') AS expires FROM certificates WHERE 'common_name' LIKE '%FleetDM Identity%';"
- platform: darwin
- interval: 300
- automations_enabled: false
- observer_can_run: true
+ - path: ../lib/macos/queries/detect-apple-intelligence.yml
 software:
 packages:
 - path: ../lib/macos/software/zoom.yml # Zoom for macOS