Added multi-platform software to Workstations (canary) team (#24864)

it-and-security/lib/all/queries/collect-usb-devices.yml

@@ -7,4 +7,4 @@
   min_osquery_version: ""
   observer_can_run: true
   platform: darwin,linux
-  query: SELECT model, vendor FROM usb_devices;
+  query: SELECT model, vendor FROM usb_devices;

it-and-security/lib/all/queries/collect-vs-code-extensions.yml

@@ -9,4 +9,4 @@
   observer_can_run: false
   platform: darwin,linux,windows
   query: SELECT extension.name, extension.publisher, extension.version FROM users
-    JOIN vscode_extensions extension USING (uid);
+    JOIN vscode_extensions extension USING (uid);

it-and-security/lib/linux/queries/all-debian-hosts.yml → it-and-security/lib/linux/queries/all-deb-hosts.yml

@@ -3,4 +3,4 @@ kind: query
 spec:
   name: All debian hosts
   query: SELECT * FROM os_version WHERE platform_like = 'debian';
-  platform: "darwin"
+  platform: "darwin"

it-and-security/lib/linux/queries/all-rpm-hosts.yml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: query
+spec:
+  name: All rpm hosts
+  query: SELECT * FROM os_version WHERE platform_like = 'rhel';
+  platform: "darwin"

it-and-security/lib/linux/software/slack-deb.yml

@@ -0,0 +1,4 @@
+url: https://downloads.slack-edge.com/desktop-releases/linux/x64/4.41.105/slack-desktop-4.41.105-amd64.deb
+self-service: true
+pre_install_query:
+  path: ../queries/all-deb-hosts.yml

it-and-security/lib/linux/software/slack-rpm.yml

@@ -0,0 +1,4 @@
+url: https://downloads.slack-edge.com/desktop-releases/linux/x64/4.41.105/slack-4.41.105-0.1.el8.x86_64.rpm
+self-service: true
+pre_install_query:
+  path: ../queries/all-rpm-hosts.yml

it-and-security/lib/linux/software/zoom.yml → it-and-security/lib/linux/software/zoom-deb.yml

@@ -1,4 +1,4 @@
 url: https://zoom.us/client/6.2.11.5069/zoom_amd64.deb
 self-service: true
 pre_install_query:
-  path: ../queries/all-debian-hosts.yml
+  path: ../queries/all-deb-hosts.yml

it-and-security/lib/linux/software/zoom-rpm.yml

@@ -0,0 +1,4 @@
+url: https://zoom.us/client/6.3.0.5527/zoom_x86_64.rpm
+self-service: true
+pre_install_query:
+  path: ../queries/all-rpm-hosts.yml

it-and-security/lib/macos/queries/check-if-apple-silicon.yml

@@ -3,4 +3,4 @@ kind: query
 spec:
   name: Check if Mac has Apple silicon
   query: SELECT 1 FROM system_info WHERE cpu_type = "arm64e";
-  platform: "darwin"
+  platform: "darwin"

it-and-security/lib/macos/queries/collect-failed-login-attempts.yml

@@ -11,4 +11,4 @@
   platform: "darwin"
   query: SELECT users.username, account_policy_data.failed_login_count, account_policy_data.failed_login_timestamp
     FROM users INNER JOIN account_policy_data using (uid) WHERE account_policy_data.failed_login_count
-    > 0;
+    > 0;

it-and-security/lib/macos/queries/collect-software-permissions-system.yml

@@ -2,4 +2,4 @@
   description: "Research for #16899"
   query: SELECT * from tcc_system;
   interval: 3600 # 1 hour
-  platform: darwin
+  platform: darwin

it-and-security/lib/macos/queries/collect-software-permissions-user.yml

@@ -2,4 +2,4 @@
   description: "Research for #16899"
   query: SELECT * from tcc_user;
   interval: 3600 # 1 hour
-  platform: darwin
+  platform: darwin

it-and-security/lib/macos/software/google-chrome.yml

@@ -1,2 +1,2 @@
 url: https://dl.google.com/chrome/mac/stable/accept_tos%3Dhttps%253A%252F%252Fwww.google.com%252Fintl%252Fen_ph%252Fchrome%252Fterms%252F%26_and_accept_tos%3Dhttps%253A%252F%252Fpolicies.google.com%252Fterms/googlechrome.pkg
-self_service: true
+self_service: true

it-and-security/lib/macos/software/zoom.yml

@@ -1,2 +1,2 @@
 url: https://zoom.us/client/6.2.10.43047/ZoomInstallerIT.pkg
-self_service: true
+self_service: true

it-and-security/lib/windows/policies/device-health.yml

@@ -28,4 +28,4 @@
   description: Checks the status of antivirus and signature updates from the Windows Security Center.
   resolution: "Ensure Windows Defender or your third-party antivirus is running, up to date, and visible in the Windows Security Center."
   platform: windows
-
+

it-and-security/lib/windows/queries/all-arm-hosts.yml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: query
+spec:
+  name: All ARM hosts
+  query: SELECT * FROM os_version WHERE arch LIKE 'ARM%';
+  platform: "windows"
+

it-and-security/lib/windows/queries/all-x86-hosts.yml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: query
+spec:
+  name: All ARM hosts
+  query: SELECT * FROM os_version WHERE arch NOT LIKE 'ARM%';
+  platform: "windows"
+

it-and-security/lib/windows/queries/collect-windows-defender.yml

@@ -7,4 +7,5 @@
   min_osquery_version: ""
   observer_can_run: true
   platform: "windows"
-  query: SELECT processes.pid, processes.name, users.username, processes.path, processes.cmdline FROM processes LEFT JOIN users ON processes.uid = users.uid WHERE processes.path != '' AND name LIKE 'MpCmdRun.exe';
+  query: SELECT processes.pid, processes.name, users.username, processes.path, processes.cmdline FROM processes LEFT JOIN users ON processes.uid = users.uid WHERE processes.path != '' AND name LIKE 'MpCmdRun.exe';
+

it-and-security/lib/windows/software/google-chrome.yml

@@ -0,0 +1,2 @@
+url: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B53CCDE8D-FD40-46DE-67E7-61E96CFEFCAA%7D%26lang%3Den%26browser%3D4%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dtrue%26ap%3Dx64-stable-statsdef_0%26brand%3DGCEA/dl/chrome/install/googlechromestandaloneenterprise64.msi
+self-service: true

it-and-security/lib/windows/software/slack.yml

@@ -0,0 +1,5 @@
+url: https://downloads.slack-edge.com/desktop-releases/windows/x64/4.41.105/SlackSetup.exe
+self_service: true
+pre_install_query:
+  path: ../queries/all-x86-hosts.yml
+

it-and-security/lib/windows/software/zoom-arm.yml

@@ -0,0 +1,5 @@
+url: https://zoom.us/client/6.3.0.52884/ZoomInstallerFull.exe?archType=winarm64
+self-service: true
+pre_install_query:
+  path: ../queries/all-arm-hosts.yml
+

it-and-security/lib/windows/software/zoom.yml

@@ -0,0 +1,5 @@
+url: https://zoom.us/client/6.3.0.52884/ZoomInstallerFull.exe?archType=x64
+self-service: true
+pre_install_query:
+  path: ../queries/all-x86-hosts.yml
+

it-and-security/teams/compliance-exclusions.yml

@@ -32,4 +32,7 @@ policies:
 queries:
 software:
   packages:
-    - path: ../lib/linux/software/zoom.yml # Zoom for Ubuntu
+    - path: ../lib/linux/software/zoom-deb.yml # Zoom for Ubuntu
+    - path: ../lib/linux/software/zoom-rpm.yml # Zoom for RHEL
+    - path: ../lib/linux/software/slack-deb.yml # Zoom for Ubuntu
+    - path: ../lib/linux/software/slack-rpm.yml # Zoom for RHEL

it-and-security/teams/workstations-canary.yml

@@ -151,7 +151,10 @@ queries:
 software:
   packages:
     - path: ../lib/macos/software/mozilla-firefox.yml # Mozilla Firefox for MacOS (universal)
-    - path: ../lib/linux/software/zoom.yml # Zoom for Ubuntu
+    - path: ../lib/linux/software/zoom-deb.yml # Zoom for Ubuntu
+    - path: ../lib/linux/software/zoom-rpm.yml # Zoom for RedHat
+    - path: ../lib/linux/software/slack-deb.yml # Slack for Ubuntu
+    - path: ../lib/linux/software/slack-rpm.yml # Slack for RedHat
   app_store_apps:
       - app_store_id: '803453959' # Slack Desktop
       - app_store_id: '1333542190' # 1Password 7 Desktop