Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Initial support for CIS 5.1.1 #24677

Draft
wants to merge 6 commits into
base: main
Choose a base branch
from
+173 −9
Draft

Initial support for CIS 5.1.1 #24677

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
b0f911c
Initial support for CIS 5.1.1
defensivedepth Dec 11, 2024
9b257cc
Refactor for table changes (#24781)
defensivedepth Jan 8, 2025
17b1aeb
Merge branch 'main' into feature-cis511
lukeheath Jan 10, 2025
907aa99
Add required schema changes to branch for #24677 (#25357)
eashaw Jan 10, 2025
3d02d4d
Merge branch 'main' into feature-cis511
sharon-fdm Jan 15, 2025
da97f60
Fix query (Sharon)
sharon-fdm Jan 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 9 additions & 9 deletions ee/cis/macos-15/cis-policy-queries.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2529,15 +2529,15 @@ spec:
/usr/bin/sudo /bin/chmod -R og-rwx /Users/<username>
Or like this if there is a need for excutable access:
/usr/bin/sudo /bin/chmod -R og-rw /Users/<username>
query: SELECT 1 WHERE NOT EXISTS (
SELECT 1 FROM file WHERE (
path LIKE '/Users/%'
AND path != '/Users/Shared/'
AND mode != "0700"
AND mode !="0701"
AND mode !="0710"
AND mode !="0711"
));
query: |
SELECT 1 FROM find_cmd
WHERE directory = '/System/Volumes/Data/Users'
AND type = 'd'
AND mindepth = '1'
AND maxdepth = '1'
AND not_perm = '700'
AND path NOT LIKE '%/Shared'
AND path NOT LIKE '%/Guest';
Copy link
Collaborator

@sharon-fdm sharon-fdm Jan 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@defensivedepth, I believe the query should make sure there is NO EXISTING folder with those params rather than checking that there is an existing good folder.
I think this should look like this. TMWYT.

SELECT 1 WHERE NOT EXISTS (
    SELECT 1 FROM find_cmd 
        WHERE directory = '/System/Volumes/Data/Users' 
          AND type = 'd' 
          AND mindepth = '1' 
          AND maxdepth = '1' 

         # Only owner can read/write/execute
          AND not_perm != '700' 

          # Others can execute only 
          AND not_perm != '701' 
          AND not_perm != '710' 
          AND not_perm != '711' 

          AND path LIKE '%/Shared' 
          AND path LIKE '%/Guest';
)

purpose: Informational
tags: compliance, CIS, CIS_Level1
contributors: sharon-fdm
Expand Down
28 changes: 28 additions & 0 deletions orbit/pkg/table/find_cmd/find_cmd_darwin.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,12 @@ func Columns() []table.ColumnDefinition {
table.TextColumn("type"),
// perm allows setting find's '-perm' argument.
table.TextColumn("perm"),
// not_perm allows setting find's '-not -perm' argument.
table.TextColumn("not_perm"),
// mindepth allows setting find's '-mindepth' argument.
table.TextColumn("mindepth"),
// maxdepth allows setting find's '-maxdepth' argument.
table.TextColumn("maxdepth"),
// path are the found directories.
table.TextColumn("path"),
}
Expand Down Expand Up @@ -84,13 +90,32 @@ func Generate(ctx context.Context, queryContext table.QueryContext) ([]map[strin
}
}

notPerm := getArgumentOpEqual("not_perm")
if notPerm != "" {
if !permRegexp.Match([]byte(notPerm)) {
return nil, fmt.Errorf("not_perm must be of the form: %s", permRegexp)
}
}

minDepth := getArgumentOpEqual("mindepth")
maxDepth := getArgumentOpEqual("maxdepth")

args := []string{directory}
if findType != "" {
args = append(args, "-type", findType)
}
if perm != "" {
args = append(args, "-perm", perm)
}
if notPerm != "" {
args = append(args, "-not", "-perm", notPerm)
}
if minDepth != "" {
args = append(args, "-mindepth", minDepth)
}
if maxDepth != "" {
args = append(args, "-maxdepth", maxDepth)
}

cmd := exec.Command("/usr/bin/find", args...)
stdoutPipe, err := cmd.StdoutPipe()
Expand Down Expand Up @@ -138,7 +163,10 @@ func Generate(ctx context.Context, queryContext table.QueryContext) ([]map[strin
rows = append(rows, map[string]string{
"directory": directory,
"perm": perm,
"not_perm": notPerm,
"type": findType,
"mindepth": minDepth,
"maxdepth": maxDepth,
"path": outDir,
})
}
Expand Down
92 changes: 92 additions & 0 deletions orbit/pkg/table/find_cmd/find_cmd_darwin_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -185,4 +185,96 @@ func TestGenerate(t *testing.T) {
require.NoError(t, err)
require.Len(t, rows, 1)
require.Equal(t, rows[0]["path"], filepath.Join(testDir, "zoo"))

// Test with not_perm argument
rows, err = Generate(context.Background(), table.QueryContext{
Constraints: map[string]table.ConstraintList{
"directory": {
Affinity: table.ColumnTypeText,
Constraints: []table.Constraint{
{
Operator: table.OperatorEquals,
Expression: testDir,
},
},
},
"not_perm": {
Affinity: table.ColumnTypeText,
Constraints: []table.Constraint{
{
Operator: table.OperatorEquals,
Expression: "-2",
},
},
},
},
})
require.NoError(t, err)
require.Len(t, rows, 1)
require.Equal(t, rows[0]["path"], testDir)

// Test with invalid not_perm argument
_, err = Generate(context.Background(), table.QueryContext{
Constraints: map[string]table.ConstraintList{
"directory": {
Affinity: table.ColumnTypeText,
Constraints: []table.Constraint{
{
Operator: table.OperatorEquals,
Expression: testDir,
},
},
},
"not_perm": {
Affinity: table.ColumnTypeText,
Constraints: []table.Constraint{
{
Operator: table.OperatorEquals,
Expression: "invalid",
},
},
},
},
})
require.Error(t, err)

// Test with mindepth and maxdepth
err = os.MkdirAll(filepath.Join(testDir, "a/b/c"), os.ModePerm)
require.NoError(t, err)

rows, err = Generate(context.Background(), table.QueryContext{
Constraints: map[string]table.ConstraintList{
"directory": {
Affinity: table.ColumnTypeText,
Constraints: []table.Constraint{
{
Operator: table.OperatorEquals,
Expression: testDir,
},
},
},
"mindepth": {
Affinity: table.ColumnTypeText,
Constraints: []table.Constraint{
{
Operator: table.OperatorEquals,
Expression: "2",
},
},
},
"maxdepth": {
Affinity: table.ColumnTypeText,
Constraints: []table.Constraint{
{
Operator: table.OperatorEquals,
Expression: "3",
},
},
},
},
})
require.NoError(t, err)
require.Len(t, rows, 2)
require.Equal(t, rows[0]["path"], filepath.Join(testDir, "a/b"))
require.Equal(t, rows[1]["path"], filepath.Join(testDir, "a/b/c"))
}
18 changes: 18 additions & 0 deletions schema/osquery_fleet_schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10812,6 +10812,24 @@
"required": false,
"description": "Sets the value of the `-perm` flag."
},
{
"name": "not_perm",
"type": "text",
"required": false,
"description": "Sets the value of the `-not -perm` flag to find files that do NOT have the specified permissions."
},
{
"name": "mindepth",
"type": "text",
"required": false,
"description": "Sets the value of the `-mindepth` flag to specify the minimum directory depth."
},
{
"name": "maxdepth",
"type": "text",
"required": false,
"description": "Sets the value of the `-maxdepth` flag to specify the maximum directory depth."
},
{
"name": "path",
"type": "text",
Expand Down
15 changes: 15 additions & 0 deletions schema/tables/find_cmd.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,21 @@ columns:
required: false
description: |-
Sets the value of the `-perm` flag.
- name: not_perm
type: text
required: false
description: |-
Sets the value of the `-not -perm` flag to find files that do NOT have the specified permissions.
- name: mindepth
type: text
required: false
description: |-
Sets the value of the `-mindepth` flag to specify the minimum directory depth.
- name: maxdepth
type: text
required: false
description: |-
Sets the value of the `-maxdepth` flag to specify the maximum directory depth.
- name: path
type: text
required: false
Expand Down
Loading