fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

CIS Platform Policy Library (Windows/MacOS) #10589

Open RachelElysia opened 1 year ago

RachelElysia commented 1 year ago

Goal

User story
As a Windows or MacOS admin,
I want to easily [import/sort/view/resolve/modify] Windows 10 Enterprise and MacOS 13 Ventura policies in Fleet
so that I can easily monitor the compliance of my company devices.

Changes

UI Mocks (https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=14781-193816&t=n7GMVqtSv4D1jr1W-0)

This issue's estimation includes completing:

  1. UI changes: (Design & Frontend)

    • [x] Add ability to search policies on the policy table #10491
    • [ ] Add ability to sort policies by number of hosts failing on the policy table #7166
    • [ ] Add ability to filter policies by platform
    • [ ] Add ability to view platform type on each row of the policy table
    • [ ] (TODO: Verbiage and link URL) Add link in empty UI to website's Platform Policy Library
    • [ ] Consider showing more than 20 policies per page (especially if we're allowing importing ~400+ policies from a single yml)
  2. CLI usage changes: (Backend)

    • [ ] Add ability to search policies, filter policies, sort policies if able to do so for queries
  3. Outdated documentation changes: (Docs)

  4. Website updates to: https://fleetdm.com/queries (Design & Website)

    • [ ] TODO: Create Figma mock of how to best present CIS compliance filter for Win 10 Enterprise or MacOS 13 Ventura
    • [ ] Standard query library searchability includes filter for Windows 10 Enterprise or MacOS 13 Ventura
  5. QA

    • [ ] QA complete

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

zayhanlon commented 1 year ago

Will resurface when we see customers starting to deploy CIS benchmarks, but can't commit now

noahtalerman commented 1 year ago

  1. Website updates to: https://fleetdm.com/queries

@zayhanlon we prioritized the website portion of this issue during product feature requests.

Rachel and I discussed the remaining work left to get this PR merged and the website shipped:

We also decided that it's ok to show the SQL query for CIS benchmarks even though they're premium only. This is because the free users that take advantage of these features aren't Fleet's target customers (similar reasoning for showing the queries in the ee/ folder) cc @zwass

zayhanlon commented 1 year ago

Sounds good to me! @noahtalerman Are you able to add an estimation @RachelElysia sometime in the next week or so?

zhumo commented 1 year ago

@noahtalerman @RachelElysia what did you decide to prioritize in PFR last week? The main description is a project which is for managing CIS benchmark policy groups, but your message seems to be about something else.

noahtalerman commented 1 year ago

@zhumo we decided to prioritize just adding the CIS benchmark policies to the fleetdm.com/queries page (number 4 in the issue description).

Rachel has a draft PR that adds the policies to a different page on the website (/cis-benchmarks). My understanding is there's remaining work left to move the policies to /queries but we're almost there.

More context is in an earlier comment here.

Happy to hop on a call to discuss further.

RachelElysia commented 1 year ago

Rescoping and reestimating remaining work to a 2

Tasks

  1. Allow for sort header and sort direction on name and failing columns of manage policies table
  2. Move CIS benchmarks onto https://fleetdm.com/queries instead of its own separate page (no mock so developer assuming CIS benchmarks will be an option in the dropdown (shown in screenshot))
  3. Showing a note that CIS benchmark policies are a Fleet premium feature and hide the SQL query of each policy from the website view

Screenshot 2023-05-15 at 12.37.07 PM.png

zayhanlon commented 1 year ago

@RachelElysia 

Per the new g-website group, we'd like to pull out item 4 from this issue:
4. Website updates to: https://fleetdm.com/queries (Design & Website)

Are you able to create a separate issue and tag it g-website, so we can have it go through Mike T for design review?

zhumo commented 1 year ago

Hi @sharon-fdm please don't add the product label if a piece of work is not accepted by the product team. Only issues that are bugs that need design or stories agreed to by the product team should be on this board.