Move policy back to workstations
lukeheath committed May 20, 2024
1 parent 13ebe3b commit 4df850b
Showing 3 changed files with 97 additions and 9 deletions.
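--- a/.github/workflows/validate-fleetd-base-checksums.yml
+++ b/.github/workflows/validate-fleetd-base-checksums.yml
@@ -0,0 +1,88 @@
+name: Validate fleetd base checksums
+
+on:
+schedule:
+- cron: '0 0 * * *' # Runs every 24 hours
+workflow_dispatch: # Allows manual trigger
+
+jobs:
+check-files:
+runs-on: ubuntu-latest
+
+steps:
+- name: Checkout repository
+uses: actions/checkout@v2
+
+- name: Install dependencies
+run: sudo apt-get update
+
+- name: Download files from Cloudflare R2
+env:
+R2_ACCESS_KEY: ${{ secrets.R2_ACCESS_KEY }}
+R2_SECRET_KEY: ${{ secrets.R2_SECRET_KEY }}
+R2_BUCKET: your-r2-bucket-name
+R2_REGION: your-r2-region
+run: |
+mkdir -p downloads
+cat << 'EOF' > download_files.sh
+#!/bin/bash
+set -e
+ENDPOINT_URL="https://<R2_ENDPOINT_URL>"
+FILES=("fleetd-base-manifest.plist" "fleetd-base.msi" "fleetd-base.pkg" "meta.json")
+for FILE in "${FILES[@]}"; do
+aws s3 cp s3://$R2_BUCKET/$FILE downloads/$FILE --endpoint-url $ENDPOINT_URL
+done
+EOF
+
+chmod +x download_files.sh
+./download_files.sh
+
+- name: Validate checksums
+run: |
+cat << 'EOF' > validate_checksums.sh
+#!/bin/bash
+set -e
+validate_checksum() {
+local file_path=$1
+local expected_checksum=$2
+local actual_checksum=$(shasum -a 256 "$file_path" | awk '{ print $1 }')
+if [ "$actual_checksum" != "$expected_checksum" ]; then
+echo "Checksum mismatch for $file_path: expected $expected_checksum, got $actual_checksum"
+return 1
+fi
+}
+declare -A checksums
+checksums["downloads/fleetd-base-manifest.plist"]="expected_checksum_1"
+checksums["downloads/fleetd-base.msi"]="expected_checksum_2"
+checksums["downloads/fleetd-base.pkg"]="expected_checksum_3"
+checksums["downloads/meta.json"]="expected_checksum_4"
+all_valid=true
+for file_path in "${!checksums[@]}"; do
+expected_checksum=${checksums[$file_path]}
+if ! validate_checksum "$file_path" "$expected_checksum"; then
+all_valid=false
+fi
+done
+if [ "$all_valid" = false ]; then
+exit 1
+fi
+EOF
+
+chmod +x validate_checksums.sh
+./validate_checksums.sh
+
+- name: Notify Slack on failure
+if: failure()
+env:
+SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+run: |
+curl -X POST -H 'Content-type: application/json' --data '{"text":"File validation failed in the GitHub workflow!"}' $SLACK_WEBHOOK_URL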
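Review bot: The download step exports the bucket credentials as `R2_ACCESS_KEY`/`R2_SECRET_KEY`, but the `aws s3 cp` call in download_files.sh reads `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, so the copy runs without credentials and the job fails before a single checksum is compared; the env block should read `AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY }}` and `AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_KEY }}`. The bucket, region, endpoint and all four expected digests are still placeholder strings (`your-r2-bucket-name`, `https://<R2_ENDPOINT_URL>`, `expected_checksum_1` … `expected_checksum_4`), so as committed the validation can never pass, the nightly Slack alert fires on every run, and the step gives no integrity assurance until real SHA-256 values are filled in — keeping those digests in a checked-in file rather than inline in the workflow would make each release bump a reviewable diff. `actions/checkout@v2` is a mutable tag; for a job that holds storage credentials it should be pinned to a full commit SHA. In validate_checksum, `local actual_checksum=$(shasum ...)` also hides a failing shasum from `set -e`, because `local` reports the status of the declaration, not of the command substitution; splitting it into `local actual_checksum` and a separate assignment restores the error.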
7 changes: 0 additions & 7 deletions it-and-security/lib/macos-device-health.policies.yml
@@ -1,10 +1,3 @@
- name: macOS - Check if latest version
query: SELECT 1 FROM os_version WHERE major = '14' AND minor = '5';
critical: false
description: This policy check if macOS version is most recent version available.
resolution: From the Apple menu, select System Settings. Navigate to General > Software Update.
platform: darwin
calendar_events_enabled: true
- name: macOS - Enable FileVault
query: SELECT 1 FROM filevault_status WHERE status = 'FileVault is On.';
critical: false
11 changes: 9 additions & 2 deletions it-and-security/teams/workstations.yml
Expand Up @@ -44,8 +44,8 @@ controls:
enable_end_user_authentication: true
macos_setup_assistant: null
macos_updates:
deadline: "2024-05-31"
minimum_version: "14.5"
deadline: ""
minimum_version: ""
windows_settings:
custom_settings: null
windows_updates:
Expand All @@ -61,6 +61,13 @@ policies:
- path: ../lib/macos-device-health.policies.yml
- path: ../lib/windows-device-health.policies.yml
- path: ../lib/linux-device-health.policies.yml
- name: macOS - Check if latest version
query: SELECT 1 FROM os_version WHERE major = '14' AND minor = '5';
critical: false
description: This policy check if macOS version is most recent version available.
resolution: From the Apple menu, select System Settings. Navigate to General > Software Update.
platform: darwin
calendar_events_enabled: true
queries:
- path: ../lib/collect-failed-login-attempts.queries.yml
- path: ../lib/collect-usb-devices.queries.yml
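Review bot: The policy appended to the `policies:` list hard-codes `major = '14' AND minor = '5'` in its query while the same commit blanks `macos_updates.minimum_version`, so the team file no longer carries one authoritative macOS version and the query appears set to go stale at the next release with nothing flagging it; a comment above the entry such as `# Bump major/minor in the query when Apple ships a new macOS release` would at least make the maintenance obligation visible. The end-user-facing description `This policy check if macOS version is most recent version available.` is also ungrammatical; `This policy checks whether macOS is on the latest available version.` reads better. The `policies:` list continues past the end of the hunk.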
