Lesson 7

markkenny · markkenny · commit 325a69352b62 · 2025-10-13T16:45:52.000+02:00
diff --git a/lib/macos/policies/dns-resolvers.policies.yml b/lib/macos/policies/dns-resolvers.policies.yml
@@ -0,0 +1,8 @@
+- name: Ensure Cloudflare DNS is used
+  query: SELECT 1 FROM dns_resolvers WHERE type='nameserver' AND address = '1.1.1.1' 
+  critical: false
+  description: This device is not using Cloudflare DNS, which may lead to slower DNS resolution times and potential security risks.
+  resolution: Change the DNS resolver to Cloudflare at 1.1.1.1
+  platform: darwin
+  run_script:
+    path: ../scripts/set-dns-cloudflare.sh
diff --git a/lib/macos/scripts/set-dns-cloudflare.sh b/lib/macos/scripts/set-dns-cloudflare.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# Script to set DNS to 1.1.1.1 on macOS
+
+# Function to set DNS for a network service
+set_dns() {
+    local service=$1
+    echo "Setting DNS for $service..."
+    
+    # Set DNS servers to 1.1.1.1 and 1.0.0.1 (primary and secondary)
+    sudo networksetup -setdnsservers "$service" 1.1.1.1 1.0.0.1
+    
+    # Show the current DNS settings
+    echo "DNS servers for $service:"
+    networksetup -getdnsservers "$service"
+    echo ""
+}
+
+# Get all network services
+services=$(networksetup -listallnetworkservices | tail -n +2)
+
+# Set DNS for each active network service
+while IFS= read -r service; do
+    # Skip services with asterisk (disabled)
+    if [[ $service != *"*"* ]]; then
+        set_dns "$service"
+    fi
+done <<< "$services"
+
+echo "DNS configuration complete!"
+echo ""
+echo "To verify your DNS settings:"
+echo "1. System Preferences > Network > Advanced > DNS"
+echo "2. Or run: scutil --dns"
diff --git a/lib/windows/policies/all-windows-updates-installed.policies.yml b/lib/windows/policies/all-windows-updates-installed.policies.yml
@@ -0,0 +1,7 @@
+- name: Windows - All available updates installed
+  query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM windows_updates);
+  critical: true
+  description: This Windows device may have outdated system software, which could lead to security vulnerabilities, performance issues, and incompatibility with other systems.
+  resolution: Run all available Windows updates.
+  platform: windows
+  
diff --git a/teams/engineering.yml b/teams/engineering.yml
@@ -10,6 +10,7 @@
 name: Engingeering
 policies:
   - path: ../lib/macos/policies/macos-device-health.policies.yml
+  - path: ../lib/windows/policies/all-windows-updates-installed.policies.yml
 queries:
   - path: ../lib/all/queries/collect-failed-login-attempts.queries.yml
 agent_options:
@@ -30,4 +31,12 @@ team_settings:
   features:
     enable_host_users: true
     enable_software_inventory: true
+  webhook_settings:
+    failing_policies_webhook:
+      enable_failing_policies_webhook: true
+      destination_url: https://webhook.site/a63689d4-1c00-4293-b502-37b9b471d56e
+      host_batch_size: 0
+      policy_ids:
+        - 1
+        - 2
 software:
diff --git a/teams/new-hires.yml b/teams/new-hires.yml
@@ -10,6 +10,7 @@
 name: New Hires
 policies:
   - path: ../lib/macos/policies/macos-device-health.policies.yml
+  - path: ../lib/macos/policies/dns-resolvers.policies.yml
 queries:
   - path: ../lib/all/queries/collect-usb-devices.queries.yml
   - path: ../lib/all/queries/collect-failed-login-attempts.queries.yml
