CIS 5.2.x queries (#9501)

2024-11-06 08:55:24 +00:00 · 2023-01-26 16:22:21 -05:00 · 2023-01-26 16:22:21 -05:00 · 3aa2a607e7
commit 3aa2a607e7
parent d30ac394ae
5 changed files with 242 additions and 0 deletions
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@ -800,3 +800,97 @@ spec:
  purpose: Informational
  tags: compliance, CIS, CIS_Level1, CIS4.3
  contributors: lucasmrod
+---
+apiVersion: v1
+kind: policy
+spec:
+  name: CIS - Ensure Password Account Lockout Threshold Is Configured (Fleetd required)
+  platforms: macOS
+  platform: darwin
+  description: |
+    The account lockout threshold specifies the amount of times a user can enter an incorrect password before a lockout will occur.
+  resolution: |
+    Automated method:
+    Ask your system administrator to deploy an MDM profile that Ensure Password Account Lockout Threshold.
+    Profile Method:
+    Create or edit a configuration profile with the following information:
+      1. The PayloadType string is com.apple.mobiledevice.passwordpolicy 
+      2. The key to include is maxFailedAttempts
+      3. The key must be set to <integer><value≤5></integer>
+  query: SELECT 1 FROM  pwd_policy where maxFailedAttempts <= 5;
+  purpose: Informational
+  tags: compliance, CIS, CIS_Level1, CIS5.2.1
+---
+apiVersion: v1
+kind: policy
+spec:
+  name: CIS - Ensure Password Minimum Length Is Configured
+  platforms: macOS
+  platform: darwin
+  description: |
+    A minimum password length is the fewest number of characters a password can contain to meet a system's requirements. Ensure that a minimum of a 15-character password is part of the password policy on the computer. Where the confidentiality of encrypted information in FileVault is more of a concern, requiring a longer password or passphrase may be sufficient rather than imposing additional complexity requirements that may be self-defeating.
+  resolution: |
+    Automated method:
+    Ask your system administrator to deploy an MDM profile that disables Guest Account.
+    Profile Method:
+    Create or edit a configuration profile with the following information:
+      1. The PayloadType string is com.apple.mobiledevice.passwordpolicy 
+      2. The key to include is minLength
+      3. The key must be set to <integer><value≥15></integer>
+  query: |
+    SELECT 1 
+    FROM (
+    SELECT cast(lengthtxt as integer(2)) minlength 
+    FROM (
+    SELECT SUBSTRING(length, 1, 2) AS lengthtxt 
+    FROM (
+    SELECT policy_description, policy_identifier, split(policy_content, '{', 1) AS length 
+    FROM password_policy 
+    WHERE policy_identifier LIKE '%minLength')) 
+    WHERE minlength >= 15);
+  purpose: Informational
+  tags: compliance, CIS, CIS_Level1, CIS5.2.2
+---
+apiVersion: v1
+kind: policy
+spec:
+  name: CIS - Ensure Password Age Is Configured (fleetd required)
+  platforms: macOS
+  platform: darwin
+  description: |
+    Over time, passwords can be captured by third parties through mistakes, phishing attacks, third-party breaches, or merely brute-force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed), users should reset passwords periodically. This control uses 365 days as the acceptable value. Some organizations may be more or less restrictive. This control mainly exists to mitigate against password reuse of the macOS account password in other realms that may be more prone to compromise. Attackers take advantage of exposed information to attack other accounts.
+  resolution: |
+    Automated method:
+    Ask your system administrator to deploy an MDM profile that disables Guest Account.
+    Profile Method:
+    Create or edit a configuration profile with the following information:
+      1. The Payload Type string is com.apple.mobiledevice.passwordpolicy 
+      2. The key to include is maxPINAgeInDays
+      3. The key must be set to <integer><value<=365></integer>
+  query: |
+    SELECT 1 WHERE
+    EXISTS(SELECT 1 FROM pwd_policy WHERE expiresEveryNDays <= 365)
+    OR
+    EXISTS(SELECT 1 FROM pwd_policy WHERE daysToExpiration <= 365);
+  purpose: Informational
+  tags: compliance, CIS, CIS_Level1, CIS5.2.7
+---
+apiVersion: v1
+kind: policy
+spec:
+  name: CIS - Ensure Password History Is Configured (fleetd required)
+  platforms: macOS
+  platform: darwin
+  description: |
+    Over time, passwords can be captured by third parties through mistakes, phishing attacks, third-party breaches, or merely brute-force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed), users must reset passwords periodically. This control ensures that previous passwords are not reused immediately by keeping a history of previous password hashes. Ensure that password history checks are part of the password policy on the computer. This control checks whether a new password is different than the previous 15. The latest NIST guidance based on exploit research referenced in this section details how one of the greatest risks is password exposure rather than password cracking. Passwords should be changed to a new unique value whenever a password might have been exposed to anyone other than the account holder. Attackers have maintained persistent control based on predictable password change patterns and substantially different patterns should be used in case of a leak.
+  resolution: |
+    Automated method:
+    Ask your system administrator to deploy an MDM profile that disables Guest Account.
+    Profile Method:
+    Create or edit a configuration profile with the following information:
+      1. The Payload Type string is com.apple.mobiledevice.passwordpolicy 
+      2. The key to include is pinHistory
+      3. The key must be set to <integer><value≥15></integer>
+  query: SELECT 1 FROM  pwd_policy where historyDepth >= 15;
+  purpose: Informational
+  tags: compliance, CIS, CIS_Level1, CIS5.2.8
--- a/ee/cis/macos-13/test/profiles/5.2.1.mobileconfig
+++ b/ee/cis/macos-13/test/profiles/5.2.1.mobileconfig
@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>PayloadDisplayName</key>
+			<string>test</string>
+			<key>PayloadType</key>
+			<string>com.apple.mobiledevice.passwordpolicy</string>
+			<key>PayloadIdentifier</key>
+			<string>com.fleetdm.cis-5.2.1.check</string>
+			<key>PayloadUUID</key>
+			<string>749F9F38-7AD2-4FC6-8F88-672F3AB79F82</string>
+			<key>maxFailedAttempts</key>
+			<integer>5</integer>
+		</dict>
+	</array>
+	<key>PayloadDescription</key>
+	<string>test</string>
+	<key>PayloadDisplayName</key>
+	<string>Ensure Password Account Lockout Threshold Is Configured</string>
+	<key>PayloadIdentifier</key>
+	<string>com.fleetdm.cis-5.2.1</string>
+	<key>PayloadRemovalDisallowed</key>
+	<false/>
+	<key>PayloadScope</key>
+	<string>System</string>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>F886BF2C-12D2-428B-BCF0-55823908F426</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>
--- a/ee/cis/macos-13/test/profiles/5.2.2.mobileconfig
+++ b/ee/cis/macos-13/test/profiles/5.2.2.mobileconfig
@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>PayloadDisplayName</key>
+			<string>test</string>
+			<key>PayloadType</key>
+			<string>com.apple.mobiledevice.passwordpolicy</string>
+			<key>PayloadIdentifier</key>
+			<string>com.fleetdm.cis-5.2.2.check</string>
+			<key>PayloadUUID</key>
+			<string>A7C54C32-6519-4335-A673-B20D3015B432</string>
+			<key>minLength</key>
+			<integer>15</integer>
+		</dict>
+	</array>
+	<key>PayloadDescription</key>
+	<string>test</string>
+	<key>PayloadDisplayName</key>
+	<string>Ensure Password Minimum Length Is Configured</string>
+	<key>PayloadIdentifier</key>
+	<string>com.fleetdm.cis-5.2.2</string>
+	<key>PayloadRemovalDisallowed</key>
+	<false/>
+	<key>PayloadScope</key>
+	<string>System</string>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>415F567D-83F4-4AB5-BCFA-7AC8B707DCFD</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>
--- a/ee/cis/macos-13/test/profiles/5.2.7.mobileconfig
+++ b/ee/cis/macos-13/test/profiles/5.2.7.mobileconfig
@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>PayloadDisplayName</key>
+			<string>test</string>
+			<key>PayloadType</key>
+			<string>com.apple.mobiledevice.passwordpolicy</string>
+			<key>PayloadIdentifier</key>
+			<string>com.fleetdm.cis-5.2.7.check</string>
+			<key>PayloadUUID</key>
+			<string>F5515451-97EC-4CCB-B442-CDF0C546BC27</string>
+			<key>maxPINAgeInDays</key>
+			<integer>365</integer>
+		</dict>
+	</array>
+	<key>PayloadDescription</key>
+	<string>test</string>
+	<key>PayloadDisplayName</key>
+	<string>Ensure Password Age Is Configured</string>
+	<key>PayloadIdentifier</key>
+	<string>com.fleetdm.cis-5.2.7</string>
+	<key>PayloadRemovalDisallowed</key>
+	<false/>
+	<key>PayloadScope</key>
+	<string>System</string>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>AEF56396-50CC-4E5A-9C6D-CBAE6A5E13B5</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>
--- a/ee/cis/macos-13/test/profiles/5.2.8.mobileconfig
+++ b/ee/cis/macos-13/test/profiles/5.2.8.mobileconfig
@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>PayloadDisplayName</key>
+			<string>test</string>
+			<key>PayloadType</key>
+			<string>com.apple.mobiledevice.passwordpolicy</string>
+			<key>PayloadIdentifier</key>
+			<string>com.fleetdm.cis-5.2.8.check</string>
+			<key>PayloadUUID</key>
+			<string>5227E361-F971-44B3-B706-B04BA0D3B186</string>
+			<key>pinHistory</key>
+			<integer>15</integer>
+		</dict>
+	</array>
+	<key>PayloadDescription</key>
+	<string>test</string>
+	<key>PayloadDisplayName</key>
+	<string>Ensure Password History Is Configured</string>
+	<key>PayloadIdentifier</key>
+	<string>com.fleetdm.cis-5.2.8</string>
+	<key>PayloadRemovalDisallowed</key>
+	<false/>
+	<key>PayloadScope</key>
+	<string>System</string>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>0AD34391-5C19-4229-AA10-EB6A169D15EB</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>