Cleanup no-team.yml, implement host expiry on servers, add Windows CSPs #24916

Merged
merged 4 commits into from
Dec 25, 2024
@@ -0,0 +1,18 @@
<Replace>
<!-- Powershell configs, modify the admx keys as needed for your env -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/WindowsPowerShell/TurnOnPowerShellScriptBlockLogging</LocURI>
</Target>
<Data>
<![CDATA[<enabled/><data id="ExecutionPolicy" value="AllSigned"/>
<data id="Listbox_ModuleNames" value="*"/>
<data id="OutputDirectory" value="false"/>
<data id="EnableScriptBlockInvocationLogging" value="true"/>
<data id="SourcePathForUpdateHelp" value="false"/>]]>
</Data>
</Item>
</Replace>
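Review bot: The `<Data>` payload under `TurnOnPowerShellScriptBlockLogging` carries five `data id` values, but only `EnableScriptBlockInvocationLogging` matches the script block logging policy named in the LocURI. `ExecutionPolicy`, `Listbox_ModuleNames`, `OutputDirectory` and `SourcePathForUpdateHelp` look like elements of other PowerShell policies (script execution, module logging, transcription, Update-Help source), so they are unlikely to take effect from this Item, and `ExecutionPolicy value="AllSigned"` would be an enforcement change tucked inside a logging profile if it did. Suggest trimming this Item to `<enabled/>` plus `EnableScriptBlockInvocationLogging`, adding separate Items with their own LocURIs for the other policies if they are wanted, and replacing the "modify the admx keys as needed for your env" comment with a statement of what this profile is expected to enforce. `OutputDirectory value="false"` also reads as a placeholder rather than a path.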
@@ -0,0 +1,12 @@
<Replace>
<!-- Disallows the user to change date and time settings -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/Settings/AllowDateTime</LocURI>
</Target>
<Data>0</Data>
</Item>
</Replace>
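Review bot: The comment on `AllowDateTime` says the user is prevented from changing date and time settings, but workstations-canary.yml in this change references a profile named autoset-time-date.xml, and nothing in this Item configures automatic time setting. If this is that file, rename it to say that date and time changes are blocked, or extend the comment so the `0` is spelled out as "not allowed". It is worth stating the reason as well, since clock changes on an endpoint affect log timestamps and certificate validity checks.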
@@ -0,0 +1,12 @@
<Replace>
<!-- Disable OneDrive -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/System/DisableOneDriveFileSync</LocURI>
</Target>
<Data>1</Data>
</Item>
</Replace>
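Review bot: The comment "Disable OneDrive" is broader than the target `DisableOneDriveFileSync`. Say in the comment that `1` blocks OneDrive file sync, so someone auditing the profile knows its scope without looking up the policy.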
@@ -0,0 +1,72 @@
<Replace>
<!-- Enable Firewall for Domain Profile -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall</LocURI>
</Target>
<Data>true</Data>
</Item>
</Replace>
<Replace>
<!-- Disable ability for user to override at domain level -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Firewall/MdmStore/DomainProfile/AllowLocalPolicyMerge</LocURI>
</Target>
<Data>false</Data>
</Item>
</Replace>
<Replace>
<!-- Enable Firewall for Private Profile -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall</LocURI>
</Target>
<Data>true</Data>
</Item>
</Replace>
<Replace>
<!-- Disable ability for user to override at private profile level -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/AllowLocalPolicyMerge</LocURI>
</Target>
<Data>false</Data>
</Item>
</Replace>
<Replace>
<!-- Enable Firewall for Public Profile -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall</LocURI>
</Target>
<Data>true</Data>
</Item>
</Replace>
<Replace>
<!-- Disable ability for user to override at public profile level -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Firewall/MdmStore/PublicProfile/AllowLocalPolicyMerge</LocURI>
</Target>
<Data>false</Data>
</Item>
</Replace>
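Review bot: `AllowLocalPolicyMerge` is set to `false` on all three profiles and this file delivers no firewall rules of its own, so locally defined rules (including allow rules created by application installers) stop being honoured once it applies. The comments describe this only as removing the user's ability to override. Suggest confirming on the canary team that required inbound traffic still works, delivering any needed rules through MDM alongside this profile, and noting in the comments that local rules are ignored. The Items also set no default inbound or outbound action; consider setting those explicitly rather than relying on defaults.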

This file was deleted.

2 changes: 0 additions & 2 deletions it-and-security/lib/windows/software/google-chrome.yml

This file was deleted.

1 change: 0 additions & 1 deletion it-and-security/teams/no-team.yml
@@ -1,4 +1,3 @@
name: No team
policies:
queries:
software:
4 changes: 2 additions & 2 deletions it-and-security/teams/servers-canary.yml
Expand Up @@ -4,8 +4,8 @@ team_settings:
enable_host_users: true
enable_software_inventory: true
host_expiry_settings:
host_expiry_enabled: false
host_expiry_window: 0
host_expiry_enabled: true
host_expiry_window: 30
secrets:
- secret: $DOGFOOD_SERVERS_CANARY_ENROLL_SECRET
agent_options:
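Review bot: `host_expiry_window: 30` has no unit or rationale next to it, and on a servers team an expired host drops out of inventory while the machine may still exist (cold standby, powered-off or network-isolated servers). Suggest a YAML comment stating the unit and why 30 was chosen, and a check that whatever alerts on servers going offline fires well before expiry removes them from view.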
4 changes: 2 additions & 2 deletions it-and-security/teams/servers.yml
Expand Up @@ -4,8 +4,8 @@ team_settings:
enable_host_users: true
enable_software_inventory: true
host_expiry_settings:
host_expiry_enabled: false
host_expiry_window: 0
host_expiry_enabled: true
host_expiry_window: 30
secrets:
- secret: $DOGFOOD_SERVERS_ENROLL_SECRET
agent_options:
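Review bot: Host expiry is switched on for the servers team in the same pull request as servers-canary.yml, so the canary gets no soak time before `host_expiry_enabled: true` and `host_expiry_window: 30` apply here as well. Consider landing the canary change first and following up with this file once it has run for a full expiry window, or state in the description that rolling both together is intentional.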
12 changes: 9 additions & 3 deletions it-and-security/teams/workstations-canary.yml
Expand Up @@ -97,9 +97,12 @@ controls:
minimum_version: "15.2"
windows_settings:
custom_settings:
- path: ../lib/windows/configuration-profiles/windows-firewall.xml
- path: ../lib/windows/configuration-profiles/windows-password.xml
- path: ../lib/windows/configuration-profiles/windows-screen-lock.xml
- path: ../lib/windows/configuration-profiles/enable-firewall-all-domains.xml
- path: ../lib/windows/configuration-profiles/password.xml
- path: ../lib/windows/configuration-profiles/screen-lock.xml
- path: ../lib/windows/configuration-profiles/advanced-logging-powershell.xml
- path: ../lib/windows/configuration-profiles/autoset-time-date.xml
- path: ../lib/windows/configuration-profiles/disable-onedrive.xml
windows_updates:
deadline_days: 7
grace_period_days: 2
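Review bot: The three existing entries under `custom_settings` change file name (`windows-firewall.xml` to `enable-firewall-all-domains.xml`, `windows-password.xml` to `password.xml`, `windows-screen-lock.xml` to `screen-lock.xml`), but the diff as shown here carries new-file content for only four profiles and none for `password.xml` or `screen-lock.xml`. Confirm those renames are part of this change and that no other team file still points at the old names, since a dangling `path` would break the apply. Minor: `enable-firewall-all-domains.xml` configures the Domain, Private and Public profiles, so "all-profiles" would be the more accurate name.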
Expand Down Expand Up @@ -155,6 +158,9 @@ software:
- path: ../lib/linux/software/zoom-rpm.yml # Zoom for RedHat
- path: ../lib/linux/software/slack-deb.yml # Slack for Ubuntu
- path: ../lib/linux/software/slack-rpm.yml # Slack for RedHat
- path: ../lib/windows/software/slack.yml # Slack for Windows
- path: ../lib/windows/software/zoom-arm.yml # Zoom for Windows (ARM)
- path: ../lib/windows/software/zoom.yml # Zoom for Windows (x86)
app_store_apps:
- app_store_id: '803453959' # Slack Desktop
- app_store_id: '1333542190' # 1Password 7 Desktop
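Review bot: `zoom-arm.yml` and `zoom.yml` are both added to the same team's `software` list with nothing visible here that scopes each package to the matching CPU architecture. Confirm the package definitions target the right hosts so the ARM build is not offered to x86 machines and the reverse. The three `lib/windows/software` files are also not shown as added in this diff, while `lib/windows/software/google-chrome.yml` is deleted, so check that they already exist on the base branch.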
4 changes: 0 additions & 4 deletions it-and-security/teams/workstations.yml
Expand Up @@ -65,7 +65,6 @@ controls:
- package_path: ../lib/macos/software/google-chrome.yml # Google Chrome for macOS
- package_path: ../lib/macos/software/zoom.yml # Zoom for macOS
- app_store_id: '803453959' # Slack Desktop
- app_store_id: '1333542190' # 1Password 7 Desktop
macos_updates:
deadline: "2025-01-03"
minimum_version: "15.2"
Expand Down Expand Up @@ -110,6 +109,3 @@ software:
- path: ../lib/macos/software/google-chrome.yml # Google Chrome for macOS
app_store_apps:
- app_store_id: '803453959' # Slack Desktop
- app_store_id: '1333542190' # 1Password 7 Desktop
- app_store_id: '1477376905' # GitHub
- app_store_id: '1152747299' # Figma
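Review bot: Going by the hunk header (6 lines down to 3), the last three `app_store_apps` entries (1Password 7 Desktop, GitHub, Figma) are dropped here, and one line is dropped from the list in the hunk above, apparently the 1Password entry, yet the pull request title only mentions no-team.yml cleanup, server host expiry and Windows CSPs. Since 1Password is a password manager, say in the description why it is removed from the workstations team and how users are expected to get it instead; workstations-canary.yml still lists it.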