# fleet
e
Another question for Fleet staff/the community at large: on the website Fleet indicates that “Fleet includes out-of-the-box support for all CIS benchmarks for macOS and Windows.” What does that mean, exactly? As in policies/queries exist to check for compliance with all of the CIS Benchmark policies (or, the ones that are automatable)? I’m definitely seeing partial coverage, but not full coverage (e.g. there are hundreds of recs for Windows 11 in the CIS benchmark, but not hundreds of queries/policies).
r
Hi Evan! Sorry for any confusion. We have written and tested hundreds of policies that are directly checking the CIS Benchmarks. These policies are included with a Fleet license. I'll go ahead and file a ticket for this to be more clear.
e
Oh great - just to confirm, these policies are included in a Premium license?
r
That's correct
e
Great - is there any way to review the policies included with the Premium license if I’m looking to test it out? Or (assuming we’re self-hosting) do I need to deploy Fleet on e.g. AWS with a premium license to see those policies/queries?
r
Yeah, our Fleet EE license directory is https://github.com/fleetdm/fleet/tree/main/ee where you can find `yml` files of policies in the `/cis` subdirectory.
e
Thanks much @Rachel Perkins! A follow-up here. I see in Fleet’s docs on CIS benchmarks:
> These benchmarks are intended to gauge your organization’s security posture, rather than the current state of a given host. A host may fail a CIS Benchmark policy despite having the correct settings enabled if there is not a specific policy in place to enforce that setting.
Part of the reason we’re interested in Fleet is that osquery can serve as a middle ground between full MDM and unmanaged BYOD. Curious if you know of queries folks have developed that are explicitly focused on current status of devices instead of status and MDM policies
r
> if there is not a specific policy in place to enforce that setting

I'm not quite sure which policies fail if it's not enforced through MDM. I've personally written and tested a lot of the Windows 10 CIS policies without MDM and they all worked.
Fleet is a great, flexible middle-ground solution between full MDM and unmanaged BYOD. Our product goal is to provide a robust MDM solution, starting with our rollout for macOS and Windows.
e
Great - that’s good to hear. I’ll look through the CIS .yml files to see if there are policies we need to edit to support no-MDM. Much appreciated Rachel!
r
Yay, glad I could clarify