Cis 2.12.2 (#9525)

ee/cis/macos-13/cis-policy-queries.yml

@@ -712,6 +712,27 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+  name: CIS - Ensure Guest Access to Shared Folders Is Disabled
+  platforms: macOS
+  platform: darwin
+  description: Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network
+  resolution: |
+    Automated method:
+      Ask your system administrator to deploy the following script which will disable guest users from access to shared folders:
+      /usr/bin/sudo /usr/sbin/sysadminctl -smbGuestAccess off
+    Graphical Method:
+      Perform the following steps to no longer allow guest user access to shared folders:
+        1. Open System Settings
+        2. Select Users & Groups
+        3. Select the i next to the Guest User
+        4. Set Allow guests to connect to shared folders to disabled
+  query: SELECT 1 from plist where path = '/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist' AND key = 'AllowGuestAccess' AND value = 0;
+  purpose: Informational
+  tags: compliance, CIS, CIS_Level1, CIS2.12.2
+---
+apiVersion: v1
+kind: policy
 spec:
   name: CIS - Ensure Automatic Login Is Disabled (MDM Required)
   platforms: macOS

ee/cis/macos-13/test/scripts/CIS_2.10.3.sh

@@ -1 +1,3 @@
+#!/bin/bash
+
 sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Test Message 1"

ee/cis/macos-13/test/scripts/CIS_2.10.4.sh

@@ -1 +1,3 @@
+#!/bin/bash
+
 sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true

ee/cis/macos-13/test/scripts/CIS_2.10.5.sh

@@ -1 +1,3 @@
+#!/bin/bash
+
 sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0

ee/cis/macos-13/test/scripts/CIS_2.11.1.sh

@@ -1 +1,3 @@
+#!/bin/bash
+
 sudo dscl . -list /Users hint . -delete /Users/<username>

ee/cis/macos-13/test/scripts/CIS_2.12.1.sh

@@ -1,2 +1,4 @@
+#!/bin/bash
+
 sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false
 sudo /usr/bin/defaults write /Library/Preferences/com.apple.MCX DisableGuestAccount  -bool true

ee/cis/macos-13/test/scripts/CIS_2.12.2.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+/usr/bin/sudo /usr/sbin/sysadminctl -smbGuestAccess off
+
+
+# For testing
+# Get Status: /usr/bin/sudo /usr/sbin/sysadminctl -smbGuestAccess status
+# Set to enabled: /usr/bin/sudo /usr/sbin/sysadminctl -smbGuestAccess on
+

ee/cis/macos-13/test/scripts/CIS_2.12.3.sh

@@ -1 +1,3 @@
+#!/bin/bash
+
 sudo /usr/bin/defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser

ee/cis/macos-13/test/scripts/CIS_2.6.2.sh

@@ -1,3 +1,5 @@
+#!/bin/bash
+
 sudo /usr/bin/defaults write /Library/Application\
 Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit -bool false
 

ee/cis/macos-13/test/scripts/CIS_2.6.4.sh

@@ -1 +1,3 @@
+#!/bin/bash
+
 sudo /usr/sbin/spctl --master-enable

ee/cis/macos-13/test/scripts/not_always_working_CIS_2.10.1.sh

@@ -1,2 +1,4 @@
+#!/bin/bash
+
 #replace username
 sudo -u <username> /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int 1200

ee/cis/macos-13/test/scripts/not_always_working_CIS_2.10.2.sh

@@ -1,2 +1,4 @@
+#!/bin/bash
+
 sudo /usr/sbin/sysadminctl -screenLock immediate -password <administrator password>
 sudo /usr/sbin/sysadminctl -screenLock 5 seconds -password <administrator password>