Cleaning up policies

it-and-security/lib/all/queries/collect-operating-system-information.yaml

@@ -0,0 +1,8 @@
+- name: Collect operating system information
+  description: "Collects operating system information from all devices enrolled in Fleet"
+  query: SELECT * FROM os_version;
+  interval: 3600 # Every 1 hour
+  observer_can_run: true
+  automations_enabled: true
+  logging: snapshot
+  platform: darwin,linux,windows,chrome

it-and-security/lib/linux/policies/linux-device-health.yml → it-and-security/lib/linux/policies/disk-encryption-check.yml

@@ -1,6 +1,6 @@
-- name: Linux - Enable disk encryption
+- name: Linux - Disk encryption enabled
   query: SELECT 1 FROM mounts m, disk_encryption d WHERE m.device_alias = d.name AND d.encrypted = 1 AND m.path = '/';
   critical: false
   description: This policy checks if disk encryption is enabled.
-  resolution: As an IT admin, deploy an image that includes disk encryption.
+  resolution: Disk encryption can only be configured during initial operating system install. Please re-install your operating system ensuring disk encryption is enabled.
   platform: linux

it-and-security/lib/macos/policies/1password-emergency-kit-check.yml

@@ -0,0 +1,12 @@
+- name: macOS - No 1Password emergency kit stored in desktop, documents, or downloads folders
+  query: SELECT 1 WHERE 
+    NOT EXISTS (
+      SELECT 1 FROM file WHERE 
+        filename LIKE '%Emergency Kit%.pdf' AND 
+        (path LIKE '/Users/%/Desktop/%' OR path LIKE '/Users/%/Documents/%' OR path LIKE '/Users/%/Downloads/%' OR path LIKE '/Users/Shared/%')
+    );
+  critical: false
+  description: Looks for PDF files with file names typically used by 1Password for emergency recovery kits. To protect the performance of your devices, the search is one level deep and limited to the Desktop, Documents, Downloads, and Shared folders.
+  resolution: Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location.
+  platform: darwin
+

it-and-security/lib/macos/policies/update-firefox.yml

@@ -1,4 +1,4 @@
-- name: macOS - Update Firefox
+- name: macOS - Firefox up to date
   query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM apps WHERE name = 'Firefox.app') OR EXISTS (SELECT 1 FROM apps WHERE name = 'Firefox.app' AND version_compare(bundle_short_version, '134.0.2') >= 0);
   critical: false
   description: The host may have an outdated or non-existent version of Firefox, potentially risking security vulnerabilities or compatibility issues.

it-and-security/lib/macos/policies/update-slack.yml

@@ -1,4 +1,4 @@
-- name: macOS - Update Slack
+- name: macOS - Slack up to date
   query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM apps WHERE name = 'Slack.app') OR EXISTS (SELECT 1 FROM apps WHERE name = 'Slack.app' AND version_compare(bundle_short_version, '4.42.116') >= 0);
   critical: false
   description: The host may be running an outdated version of Slack, which could pose security vulnerabilities or compatibility issues.

it-and-security/lib/windows/policies/windows-device-health.yml

@@ -0,0 +1,7 @@
+- name: Windows - Antivirus signatures up to date
+  query: SELECT 1 from windows_security_center wsc CROSS JOIN windows_security_products wsp WHERE antivirus = 'Good' AND type = 'Antivirus' AND signatures_up_to_date=1;
+  critical: false
+  description: Checks the status of antivirus and signature updates from the Windows Security Center.
+  resolution: "Run all available Windows updates."
+  platform: windows
+

it-and-security/teams/workstations-canary.yml

@@ -121,12 +121,12 @@ controls:
     - path: ../lib/windows/scripts/install-bitdefender.ps1
     - path: ../lib/windows/scripts/enable-ms-defender.ps1
 policies:
-  - path: ../lib/macos/policies/device-health.yml
+  - path: ../lib/macos/policies/1password-emergency-kit-check.yml
   - path: ../lib/macos/policies/update-firefox.yml
   - path: ../lib/macos/policies/update-slack.yml
   - path: ../lib/macos/policies/latest-macos.yml
-  - path: ../lib/windows/policies/device-health.yml
-  - path: ../lib/linux/policies/linux-device-health.yml
+  - path: ../lib/windows/policies/windows-device-health.yml
+  - path: ../lib/linux/policies/disk-encryption-check.yml
 queries:
   - path: ../lib/macos/queries/collect-failed-login-attempts.yml
   - path: ../lib/all/queries/collect-fleetd-information.yml

it-and-security/teams/workstations.yml

@@ -83,13 +83,11 @@ controls:
     - path: ../lib/windows/scripts/remove-fleetd.ps1
     - path: ../lib/windows/scripts/turn-off-mdm.ps1
 policies:
-  - path: ../lib/macos/policies/device-health.yml
+  - path: ../lib/macos/policies/1password-emergency-kit-check.yml
   - path: ../lib/macos/policies/update-firefox.yml
-  - path: ../lib/macos/policies/cis.yml
   - path: ../lib/macos/policies/latest-macos.yml
-  - path: ../lib/windows/policies/device-health.yml
-  - path: ../lib/windows/policies/cis.yml
-  - path: ../lib/linux/policies/linux-device-health.yml
+  - path: ../lib/windows/policies/windows-device-health.yml
+  - path: ../lib/linux/policies/disk-encryption-check.yml
 queries:
   - path: ../lib/macos/queries/collect-failed-login-attempts.yml
   - path: ../lib/all/queries/collect-usb-devices.yml