# Osquery pack that groups the compliance-check queries for the macOS fleet.
# Queries attach to it through scheduling.pack_id.
resource "zentral_osquery_pack" "compliance-checks" {
  name        = "Compliance checks"
  description = "The compliance checks for our macOS client"
}
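# Santa system-extension compliance check. The query emits one row per
# expected extension (team, identifier, version, state) plus a ztl_status
# column shared by every row ('OK' or 'FAILED').
resource "zentral_osquery_query" "santa-sysext-cc" {
  name        = "Santa system extension check"
  description = "Check if the Santa system extension is activated, running and up-to-date"
  # Version strings have the form 'YYYY.N'. Comparing them as text is wrong
  # once N has two digits ('2024.10' sorts below '2024.5' lexicographically),
  # which would report an up-to-date extension as FAILED. Both sides are
  # therefore split into integer (major, minor) parts before comparing;
  # any trailing component ('2024.5.1') is dropped by the integer CAST.
  # A missing extension (LEFT JOIN yields NULL version/state) falls through
  # the CASE to 'FAILED', as before.
  # MAX() over 'OK'/'FAILED' picks 'OK' (the lexicographically larger value),
  # so any passing row makes the whole check pass. NOTE(review): presumably
  # intended for hosts that list a stale copy next to the activated one —
  # confirm this is the wanted semantics.
  sql = trimspace(<<-EOT
    WITH expected_sysexts(team, identifier, min_version) AS (
      VALUES ('EQHXZ8M8AV', 'com.google.santa.daemon', '2024.5')
    ), versioned_sysexts AS (
      SELECT expected_sysexts.team, expected_sysexts.identifier,
        system_extensions.version, system_extensions.state,
        CAST(substr(expected_sysexts.min_version, 1, instr(expected_sysexts.min_version, '.') - 1) AS INTEGER) AS min_major,
        CAST(substr(expected_sysexts.min_version, instr(expected_sysexts.min_version, '.') + 1) AS INTEGER) AS min_minor,
        CAST(substr(system_extensions.version, 1, instr(system_extensions.version, '.') - 1) AS INTEGER) AS major,
        CAST(substr(system_extensions.version, instr(system_extensions.version, '.') + 1) AS INTEGER) AS minor
      FROM expected_sysexts
      LEFT JOIN system_extensions ON (
        system_extensions.team = expected_sysexts.team
        AND system_extensions.identifier = expected_sysexts.identifier
      )
    ), found_sysexts AS (
      SELECT team, identifier, version, state,
      CASE
        WHEN state = 'activated_enabled'
        AND (major > min_major OR (major = min_major AND minor >= min_minor))
        THEN 'OK'
        ELSE 'FAILED'
      END AS individual_ztl_status
      FROM versioned_sysexts
    ) SELECT team, identifier, version, state, MAX(individual_ztl_status) OVER () AS ztl_status
    FROM found_sysexts
  EOT
  )
  platforms                = ["darwin"]
  compliance_check_enabled = true
  scheduling = {
    pack_id             = zentral_osquery_pack.compliance-checks.id,
    interval            = var.osquery_default_compliance_check_interval,
    log_removed_actions = false,
    snapshot_mode       = true
  }
}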