Initial support for CIS 5.1.1

[defensivedepth]

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.
• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements)
• Added support on fleet's osquery simulator cmd/osquery-perf for new osquery data ingestion features.
• Added/updated tests
• If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes
• If database migrations are included, checked table schema to confirm autoupdate
• For database migrations:
  • Checked schema for all modified table for columns that will auto-update timestamps during migration.
  • Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
  • Ensured the correct collation is explicitly set for character columns (COLLATE utf8mb4_unicode_ci).
• Manual QA for all new/changed functionality
• For Orbit and Fleet Desktop changes:
  • Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (runtime.GOOS).
  • Manual QA must be performed in the three main OSs, macOS, Windows and Linux.
  • Auto-update manual QA, from released version of component to new version (see tools/tuf/test).

osquery> SELECT * 
    ...> FROM find_cmd 
    ...> WHERE directory = '/System/Volumes/Data/Users' 
    ...>   AND type = 'd' 
    ...>   AND mindepth = '1' 
    ...>   AND maxdepth = '1' 
    ...>   AND not_perm = '700' 
    ...>   AND path NOT LIKE '%/Shared' 
    ...>   AND path NOT LIKE '%/Guest';
+----------------------------+------+------+----------+----------+----------+-------------------------------------+
| directory                  | type | perm | not_perm | MinDepth | MaxDepth | path                                |
+----------------------------+------+------+----------+----------+----------+-------------------------------------+
| /System/Volumes/Data/Users | d    |      | 700      | 1        | 1        | /System/Volumes/Data/Users/sysadmin |
+----------------------------+------+------+----------+----------+----------+-------------------------------------+

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 63.59%. Comparing base (cf3a3cf) to head (907aa99).
Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #24677      +/-   ##
==========================================
+ Coverage   63.54%   63.59%   +0.05%     
==========================================
  Files        1618     1616       -2     
  Lines      154459   154184     -275     
  Branches     4037     3875     -162     
==========================================
- Hits        98152    98060      -92     
+ Misses      48567    48383     -184     
- Partials     7740     7741       +1     

Flag	Coverage Δ
backend	64.39% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[eashaw]

The schema changes look good!
@defensivedepth The schema JSON (https://github.com/fleetdm/fleet/blob/main/schema/osquery_fleet_schema.json) will need to be updated to include the changes to the find_cmd table's documentation. This can be done by running npm install && /node_modules/sails/bin/sails.js run generate-merged-schema in the repo's /website folder.

[eashaw]

Hey @defensivedepth, FYI: I'm going to make a commit to this PR to add the changes to the find_cmd table's documentation to schema/osquery_fleet_schema.json.

[defensivedepth]

Thanks @eashaw I missed the first notification!

[sharon-fdm]

@defensivedepth, I believe the query should make sure there is NO EXISTING folder with those params rather than checking that there is an existing good folder.
I think this should look like this. TMWYT.

SELECT 1 WHERE NOT EXISTS (
    SELECT 1 FROM find_cmd 
        WHERE directory = '/System/Volumes/Data/Users' 
          AND type = 'd' 
          AND mindepth = '1' 
          AND maxdepth = '1' 

         # Only owner can read/write/execute
          AND not_perm != '700' 

          # Others can execute only 
          AND not_perm != '701' 
          AND not_perm != '710' 
          AND not_perm != '711' 

          AND path LIKE '%/Shared' 
          AND path LIKE '%/Guest';
)