query pack (v1) for https://github.com/SummitRoute/osxlockdown
{ | |
"packs": { | |
"osxlockdown": { | |
"platform": "darwin", | |
"version": ".1", | |
"queries": { | |
"OS Updates": { | |
"query": "select value from preferences where path = '/Library/Preferences/com.apple.SoftwareUpdate.plist' and key = 'LastSuccessfulDate';", | |
"interval": "86400", | |
"description": "Verify that Apple Software Update has successfully checked its configured update server recently; a stale LastSuccessfulDate means updates are not being fetched, whatever the cause (policy, broken software-update server/proxy setting, or the daemon being disabled)", | |
"value": "Should be a recent date in Unix epoch format (inspect with `date -r $TIMESTAMP`). Define 'recent' as a threshold in days when consuming the results, and treat an empty result (key never written) as a finding rather than a pass" | |
}, | |
"Disable Bluetooth": { | |
"query": "select value from preferences where path = '/Library/Preferences/com.apple.Bluetooth.plist' and key = 'ControllerPowerState';", | |
"interval": "86400", | |
"description": "Assuming you don't need it for peripherals...", | |
"value": "Should be 0 to indicate off" | |
}, | |
"Disable infrared receiver": { | |
"query": "select value from preferences where path = '/Library/Preferences/com.apple.driver.AppleIRController.plist' and key = 'DeviceEnabled';", | |
"interval": "86400", | |
"description": "Assuming you are using a mac that still has one... only MacMini at this point", | |
"value": "Should be 0 to indicate off" | |
}, | |
"Disable AirDrop": { | |
"query": "select value, path from preferences where (path = '/private/var/root/Library/Preferences/com.apple.NetworkBrowser.plist' or path = '/Library/Managed Preferences/com.apple.NetworkBrowser.plist') and key = 'DisableAirDrop';", | |
"interval": "86400", | |
"description": "AirDrop is an unmanaged peer-to-peer path for moving files off the machine (much like shadow-IT cloud sharing); some sites prefer to leave it on. Caveat: the non-managed path queried here is root's own preference domain (/private/var/root/...), which is where `sudo defaults write com.apple.NetworkBrowser ...` lands; it neither reflects nor enforces the setting for ordinary login users, whose per-user com.apple.NetworkBrowser.plist would need the same users-table join as the screensaver checks below", | |
"value": "Should be 1: the key is itself a disable flag (DisableAirDrop), so 1 means AirDrop is off, in the same double-negative sense as the screen-sharing check. The row may come from either path depending on whether the setting was enforced by a configuration profile or set ad hoc with `defaults`; no row at all means neither control is in place" | |
}, | |
"Require a password to wake the computer from sleep or screen saver": { | |
"query": "select path, value from (select * from users where directory like '/Users/%') u, preferences p where key = 'askForPassword' and p.path = u.directory || '/Library/Preferences/com.apple.screensaver.plist';", | |
"interval": "86400", | |
"description": "Still requires screensaver/display-sleep/auto-logout timeouts to be configured for the lock to ever trigger. Note the join only covers accounts whose home directory is under /Users/", | |
"value": "Should be 1 for every account returned. A /Users/* account with no row has no askForPassword key set (plist absent or key never written) and is not proven compliant — treat a missing row as a finding, not a pass" | |
}, | |
"Ensure screen locks immediately when requested": { | |
"query": "select path, value from (select * from users where directory like '/Users/%') u, preferences p where key = 'askForPasswordDelay' and p.path = u.directory || '/Library/Preferences/com.apple.screensaver.plist';", | |
"interval": "86400", | |
"description": "Delay in seconds after the screensaver or sleep begins before a password is required; some baselines tolerate up to 300 seconds rather than 0", | |
"value": "Should be 0 for every account returned (password required immediately). As above, a missing row means the key was never set and should be treated as a finding" | |
}, | |
"Disable Internet Sharing": { | |
"query": "select key from preferences where path = '/Library/Preferences/SystemConfiguration/com.apple.nat.plist' and value = 'en0';", | |
"interval": "86400", | |
"description": "Internet Sharing turns the Mac into an unmanaged NAT gateway for whatever it bridges, bypassing network controls", | |
"value": "Should be null/empty output to indicate off. Caveat: this only detects NAT configured with en0 as the shared interface; Internet Sharing set up on another interface (en1, a Thunderbolt/USB adapter, etc.) would not match, so consider matching any interface value (e.g. value like 'en%') instead of pinning en0" | |
}, | |
"Disable Screen Sharing": { | |
"query": "select value from preferences where path = '/System/Library/LaunchDaemons/com.apple.screensharing.plist' and key = 'Disabled';", | |
"interval": "86400", | |
"description": "Doesn't apply to the 'Remote Management' (Apple Remote Desktop) configuration, which is checked separately below. Caveat: this reads a static Disabled key from a plist under /System (SIP-protected on 10.11+); launchd tracks its own enable/disable overrides, so this key may not reflect the live state. Corroborate with a runtime indicator such as a screensharingd process or a listener on 5900/tcp", | |
"value": "Should be 1 (boolean true = the job is disabled, a double negative). 0 or no row means the job is not marked disabled here" | |
}, | |
"Disable Remote Management": { | |
"query": "select pid from processes where name like '%ARDAgent%';", | |
"interval": "86400", | |
"description": "Assuming you don't want it for, y'know, management... Note this is a process snapshot, not a configuration check", | |
"value": "Should be empty (no ARDAgent process). This only proves the agent was not running at the moment the query ran, not that Remote Management is disabled in Sharing preferences; pair it with a check of the configured state if you need more than a point-in-time answer" | |
}, | |
"Enable FileVault 2": { | |
"query": "select encrypted from disk_encryption join mounts on disk_encryption.name = mounts.device where mounts.path = '/';", | |
"interval": "86400", | |
"description": "Specifically checks the currently mounted startup volume (the device behind /) for FileVault 2 encryption", | |
"value": "Should be 1 (boolean true). An empty result means the root mount did not join to a disk_encryption row and should be treated as a finding, not as encrypted" | |
}, | |
"Enable Firewall": { | |
"query": "select global_state from alf;", | |
"interval": "86400", | |
"description": "Specifically the application-layer firewall (ALF); ipfw has not been built in since 10.9 (use pf instead for packet filtering)", | |
"value": "Should be 1 (on, per-application rules) or 2 (on, block all incoming connections); 0 means the firewall is off" | |
}, | |
"Enable Firewall Stealth Mode": { | |
"query": "select stealth_enabled from alf;", | |
"interval": "86400", | |
"description": "Stealth mode stops the host from answering ICMP echo and closed-port probes, so it does not advertise itself to network scans (it does not affect services that are explicitly allowed)", | |
"value": "Should be 1 to indicate enabled, otherwise would be -1" | |
}, | |
"Disable signed apps from being auto-permitted to listen through firewall": { | |
"query": "select value from preferences where path = '/Library/Preferences/com.apple.alf.plist' and key = 'allowsignedenabled';", | |
"interval": "86400", | |
"description": "Trust no one: otherwise any validly signed binary — including malware signed with a stolen or rented certificate — gets an inbound allow rule without ever prompting the user", | |
"value": "Should be 0 so that every application, signed or not, triggers an explicit allow/deny prompt before it can accept inbound connections" | |
}, | |
"Enable logging": { | |
"query": "select logging_enabled from alf;", | |
"interval": "86400", | |
"description": "On by default, so the point of the check is to detect someone (or some script) turning it off: the ALF log is what you would rely on when investigating blocked or allowed inbound connections after the fact", | |
"value": "Should be 1 to indicate enabled" | |
} | |
} | |
} | |
} | |
} |