diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
new file mode 100644
index 000000000..1b9fd4c4f
--- /dev/null
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -0,0 +1,802 @@ +--- +# The latest version of CIS Benchmarks for macOS as of January 2023 was used which was benchmark 1.0 for macOS 13.0 https://workbench.cisecurity.org/benchmarks/10541 +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure All Apple-provided Software Is Current + platforms: macOS + platform: darwin + description: Checks that the current version of macOS is up to date. This query requires maintenance over time. + resolution: "Go to System Settings/Software Update and install the latest updates manually" + query: SELECT 1 FROM os_version WHERE version >= '13.1'; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS1.1 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Auto Update Is Enabled (MDM Required) + platforms: macOS + platform: darwin + description: Checks that the system is configured via MDM to automatically install updates. + resolution: "Ask your system administrator to deploy an MDM profile that enables automatic updates." + query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticCheckEnabled' AND value=1 LIMIT 1; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS1.2 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Download New Updates When Available Is Enabled (MDM Required) + platforms: macOS + platform: darwin + description: Checks that the system is configured via MDM to automatically download updates. + resolution: "Ask your system administrator to deploy an MDM profile that enables automatic update downloads." 
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticDownload' AND value=1 LIMIT 1; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS1.3 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Install of macOS Updates Is Enabled (MDM Required) + platforms: macOS + platform: darwin + description: Ensure that macOS updates are installed after they are available from Apple. + resolution: "Ask your system administrator to deploy an MDM profile that enables automatic install of macOS updates." + query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallMacOSUpdates' AND value=1 LIMIT 1; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS1.4 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Install Application Updates from the App Store Is Enabled (MDM Required) + platforms: macOS + platform: darwin + description: Ensure that application updates are installed after they are available from Apple. + resolution: Ask your system administrator to deploy an MDM profile that enables automatic updates of Apple apps. + query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallAppUpdates' AND value=1; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS1.5 + contributors: lucasmrod +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Install Security Responses and System Files Is Enabled (MDM Required) + platforms: macOS + platform: darwin + description: | + Ensure that system and security updates are installed after they are available from + Apple. This setting enables definition updates for XProtect and Gatekeeper. With this + setting in place, new malware and adware that Apple has added to the list of malware or + untrusted software will not execute. 
+ resolution: "Ask your system administrator to deploy an MDM profile that enables automatic critical system and security updates." + query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='CriticalUpdateInstall' AND value=1 LIMIT 1; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS1.6 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Software Update Deferment Is Less Than or Equal to 30 Days (MDM Required) + platforms: macOS + platform: darwin + description: | + Apple provides the capability to manage software updates on Apple devices through + mobile device management. Part of those capabilities permit organizations to defer + software updates and allow for testing. Many organizations have specialized software + and configurations that may be negatively impacted by Apple updates. If software + updates are deferred, they should not be deferred for more than 30 days. + This control only verifies that deferred software updates are not deferred for more than 30 days. + resolution: "Ask your system administrator to deploy an MDM profile configures update deferment to a value of 30 days or less." + query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='enforcedSoftwareUpdateDelay' AND value <= 30; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS1.7 + contributors: lucasmrod +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure iCloud Drive Document and Desktop Sync Is Disabled (MDM Required) + platforms: macOS + platform: darwin + description: Automated Document synchronization should be planned and controlled to approved storage. + resolution: | + The administrator should configure this via MDM profile. + Create or edit a configuration profile with the following information: + 1. The PayloadType string is com.apple.applicationaccess. + 2. The key to include is allowCloudDesktopAndDocuments. + 3. The key must be set to . 
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowCloudDesktopAndDocuments' AND (value = 0 OR value = 'false') LIMIT 1; + purpose: Informational + tags: compliance, CIS, CIS_Level2, CIS2.1.1.3 + contributors: zwass +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Firewall Is Enabled + platforms: macOS + platform: darwin + description: A firewall minimizes the threat of unauthorized users gaining access to your system while connected to a network or the Internet. + resolution: "Go to the Network pane in System Settings and ensure Firewall is active." + query: SELECT 1 FROM alf WHERE global_state >= 1; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.2.1 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Firewall Stealth Mode Is Enabled + platforms: macOS + platform: darwin + description: | + While in Stealth mode, the computer will not respond to unsolicited probes, dropping that traffic. + Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet. + resolution: | + Perform the following steps to enable firewall stealth mode: + 1. Open System Settings + 2. Select Network + 3. Select Firewall + 4. Select Options... + 5. Set Enabled stealth mode to enabled + query: SELECT 1 FROM alf WHERE global_state >= 1 AND stealth_enabled = 1; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.2.2 + contributors: lucasmrod +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure AirDrop Is Disabled (MDM Required) + platforms: macOS + platform: darwin + description: | + AirDrop can allow malicious files to be downloaded from unknown sources. + Contacts Only limits may expose personal information to devices in the same area. + resolution: | + Ask your system administrator to deploy an MDM profile that disables AirDrop. 
+ Create or edit a configuration profile with the following information: + 1. The PayloadType string is com.apple.applicationaccess + 2. The key to include is allowAirDrop + 3. The key must be set to + query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowAirDrop' AND (value = 0 OR value = 'false') LIMIT 1; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.3.1.1 + contributors: lucasmrod +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure AirPlay Receiver Is Disabled (MDM Required) + platforms: macOS + platform: darwin + description: | + In macOS Monterey (12.0), Apple has added the capability to share content from + another Apple device to the screen of a host Mac. While there are many valuable uses + of this capability, such sharing on a standard Mac user workstation should be enabled + ad hoc as required rather than allowing a continuous sharing service. The feature can + be restricted by Apple ID or network and is configured to use by accepting the + connection on the Mac. Part of the concern is frequent connection requests may + function as a denial-of-service and access control limits may provide too much + information to an attacker. + resolution: | + The administrator should configure this via MDM profile. + Create or edit a configuration profile with the following information: + 1. The PayloadType string is com.apple.applicationaccess + 2. The key to include is allowAirPlayIncomingRequests + 3. 
The key must be set to + query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowAirPlayIncomingRequests' AND (value = 0 OR value = 'false') LIMIT 1; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.3.1.2 + contributors: lucasmrod +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Set Time and Date Automatically Is Enabled (MDM required) + platforms: macOS + platform: darwin + description: + resolution: | + The administrator should configure this via MDM profile. + Create or edit a configuration profile with the following information: + 1. The PayloadType string is com.apple.applicationaccess. + 2. The key to include is forceAutomaticDateAndTime. + 3. The key must be set to . + query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='forceAutomaticDateAndTime' AND value=1 LIMIT 1; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.3.2.1 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Time Is Set Within Appropriate Limits (fleetd required) + platforms: macOS + platform: darwin + description: | + Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. + The time offset compared to time.apple.com must be between -270.x and 270.x seconds. + resolution: Make sure the device can connect to time.apple.com to synchronize time. + query: SELECT * FROM sntp_request WHERE server = 'time.apple.com' AND clock_offset_ms <= 270000 AND clock_offset_ms >= -270000; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.3.2.2 + contributors: +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure DVD or CD Sharing Is Disabled + platforms: macOS + platform: darwin + description: + resolution: "" + # Will likely require MDM/managed_policies. 
Most of the sharing checks that follow will be essentially the same query but looking at different types of sharing. + query: SELECT * from time; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.3.3.1 + contributors: +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Screen Sharing Is Disabled + platforms: macOS + platform: darwin + description: + resolution: "" + query: SELECT * from time; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.3.3.2 + contributors: +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure File Sharing Is Disabled + platforms: macOS + platform: darwin + description: + resolution: "" + query: SELECT * from time; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.3.3.3 + contributors: +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Backup Automatically is Enabled If Time Machine Is Enabled (FDA Required) + platforms: macOS + platform: darwin + description: | + Backup solutions are only effective if the backups run on a regular basis. + The time to check for backups is before the hard drive fails or the computer goes missing. + In order to simplify the user experience so that backups are more likely to occur, + Time Machine should be on and set to Back Up Automatically whenever the target volume is available. + + FDA (Full Disk Access) is required to read the /Library/Preferences/com.apple.TimeMachine.plist + file that contains the Time Machine configuration and backup destinations. + resolution: | + Ask your system administrator to deploy an MDM profile that enables automatic backup if Time Machine is enabled. + The system administrator can do one of: + A. Disable Time Machine on the device. + B. 
Run the following command to enable automatic backup on Time Machine destinations: + /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.TimeMachine.plist AutoBackup -bool true + query: | + SELECT 'no time machine backups' as output + FROM (SELECT COUNT(*) as c FROM time_machine_backups) t1 WHERE t1.c = 0 + UNION + SELECT 'time machine automatic backup set to true' as output + FROM plist WHERE path='/Library/Preferences/com.apple.TimeMachine.plist' + AND key='AutoBackup' AND (value = 1 OR value = 'true'); + purpose: Informational + tags: compliance, CIS, CIS_Level2, CIS2.3.4.1 + contributors: lucasmrod +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled (FDA Required) + platforms: macOS + platform: darwin + description: | + Backup solutions are only effective if the backups run on a regular basis. + The time to check for backups is before the hard drive fails or the computer goes missing. + In order to simplify the user experience so that backups are more likely to occur, + Time Machine should be on and set to Back Up Automatically whenever the target volume is available. + + FDA (Full Disk Access) is required to read the /Library/Preferences/com.apple.TimeMachine.plist + file that contains the Time Machine configuration and backup destinations. + resolution: | + Graphical Method: + Perform the following steps to enable encryption on the Time Machine drive: + 1. Open `System Settings`. + 2. Select `General`. + 3. Select `Time Machine`. + 4. Select the unencrypted drive. + 5. Select `-` to forget that drive as a destination. + 6. Select `+` to add a different drive as the destination. + 7. Select `Set Up Disk...`. + 8. Set Encrypt Backup to enabled. + 9. Enter a password in the `New Password` and the same password in the `Re-enter Password` fields. + 10. 
A password hint is required, but it is recommended that you do not use any identifying information for the password + query: | + SELECT 'no time machine destinations configured' as output + FROM (SELECT COUNT(*) as c FROM time_machine_destinations) t1 WHERE t1.c = 0 + UNION + SELECT 'time machines destinations with encryption with automatic backup' as output + FROM (SELECT COUNT(*) as c FROM time_machine_destinations WHERE encryption <> 'Encrypted') t2 WHERE t2.c = 0; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.3.4.2 + contributors: lucasmrod +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Show Wi-Fi status in Menu Bar Is Enabled (MDM Required) + platforms: macOS + platform: darwin + description: | + The Wi-Fi status in the menu bar indicates if the system's wireless internet capabilities are enabled. + If so, the system will scan for available wireless networks in order to connect. + Enabling "Show Wi-Fi status in menu bar" is a security awareness method that helps mitigate public area + wireless exploits by making the user aware of their wireless connectivity status. + resolution: | + Automated method: + Ask your system administrator to deploy an MDM profile that enables the Wi-Fi status in the menu bar. + Create or edit a configuration profile with the following information: + 1. The `PayloadType` string is `com.apple.controlcenter`. + 2. The key to include is `WiFi`. + 3. The key must be set to `18`. 
+ query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.controlcenter' AND name = 'WiFi' AND value = 18; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.4.1 + contributors: lucasmrod +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Show Bluetooth Status in Menu Bar Is Enabled (MDM Required) + platforms: macOS + platform: darwin + description: | + Enabling "Show Bluetooth status in menu bar" is a security awareness method that + helps understand the current state of Bluetooth, including whether it is enabled, + discoverable, what paired devices exist, and what paired devices are currently active. + resolution: | + Automated method: + Ask your system administrator to deploy an MDM profile that enables the Bluetooth status in the menu bar. + Create or edit a configuration profile with the following information: + 1. The `PayloadType` string is `com.apple.controlcenter`. + 2. The key to include is `Bluetooth`. + 3. The key must be set to `18`. + query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.controlcenter' AND name = 'Bluetooth' AND value = 18; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.4.2 + contributors: lucasmrod +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Location Services Is Enabled + platforms: macOS + platform: darwin + description: Checks that Location Services option is enabled. + resolution: | + Automated method: + Ask your system administrator to deploy an MDM profile that enables automatic updates of Apple apps. + Graphical method: + Perform the following steps to enable Location Services: + 1. Open System Settings + 2. Select Privacy & Security + 3. Select Location Services + 4. 
Verify Location Services is enabled + query: SELECT 1 FROM location_services where enabled=1; + purpose: Informational + tags: compliance, CIS, CIS_Level2, CIS2.6.1.1 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Location Services Is in the Menu Bar + platforms: macOS + platform: darwin + description: Checks that Location Services option is presented in the Menu Bar. + resolution: | + Automated method: + Ask your system administrator to deploy an MDM profile that enables the "location services" icon in menu bar when System Services request your location. + Graphical method: + Perform the following steps to enable Location Services: + 1. Open System Settings + 2. Select Privacy & Security + 3. Select Location Services + 4. Select Details... + 5. Verify Show location icon in menu bar when System Services request your + location is set to your organization's parameters + query: SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.locationmenu.plist' AND key='ShowSystemServices' AND value=1; + purpose: Informational + tags: compliance, CIS, CIS_Level2, CIS2.6.1.2 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Limit Ad Tracking Is Enabled (MDM Required) + platforms: macOS + platform: darwin + description: Checks that Ensure Limit Ad Tracking Is Enabled. + resolution: | + Automated method: + Ask your system administrator to deploy an MDM profile that disables apple personalized advertising. + Graphical method: + Perform the following steps to enable Location Services: + 1. Open Privacy & Security + 2. Select Apple Advertising + 3. 
Verify that Personalized Ads is not enabled + query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowApplePersonalizedAdvertising' AND value=0; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.6.3 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Screen Saver Corners Are Secure (FDA Required) + platforms: macOS + platform: darwin + description: | + Setting a hot corner to disable the screen saver poses a potential security risk since an + unauthorized person could use this to bypass the login screen and gain access to the system. + + FDA (Full Disk Access) is required to read the configuration of all the users in the device + ('/Users/*/Library/Preferences/com.apple.dock.plist') + resolution: | + Ask your system administrator to deploy a script that will configure + `wvous-tl-corner`, `wvous-bl-corner`, `wvous-tr-corner`, and `wvous-br-corner` in + domain `com.apple.dock` to a value that is not 6 (for all users of the device). + + Graphical Method: + Perform the following steps to ensure that a Hot Corner is not set to Disable Screen Saver: + 1. Open System Settings + 2. Select Desktop & Dock + 3. Select`Hot Corners...` + 4. Verify that `Disable Screen Saver` is not set to any of the corners. + query: | + SELECT 1 WHERE NOT EXISTS( + SELECT 1 FROM plist + WHERE path LIKE '/Users/%/Library/Preferences/com.apple.dock.plist' AND ( + key = 'wvous-br-corner' OR + key = 'wvous-bl-corner' OR + key = 'wvous-tr-corner' OR + key = 'wvous-tl-corner' + ) AND value = 6); + purpose: Informational + tags: compliance, CIS, CIS_Level2, CIS2.7.1 + contributors: lucasmrod +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled (MDM Required) + platforms: macOS + platform: darwin + description: Checks that Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled. 
+ resolution: | + Automated method: + Ask your system administrator to deploy an MDM profile that Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled. + Graphical method: + Perform the following steps to enable Location Services: + 1. Open System Settings + 2. Select Lock Screen + 3. Verify that Require password after screensaver begins or display is turned + off is set with After 0 seconds or After 5 seconds + query: | + SELECT 1 WHERE EXISTS(select 1 FROM managed_policies WHERE domain='com.apple.screensaver' AND name='askForPassword' AND value=1) AND EXISTS(select 1 FROM managed_policies WHERE domain='com.apple.screensaver' AND name='askForPasswordDelay' AND value <= 5) + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.10.2 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Gatekeeper Is Enabled + platforms: macOS + platform: darwin + description: | + Checks that Gatekeeper Is Enabled. Gatekeeper is Apple’s application that utilizes allowlisting to restrict downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization. In an update to Gatekeeper in macOS 13 Ventura, Gatekeeper checks every application on every launch, not just quarantined apps. + resolution: | + Automated method: + Ask your system administrator to deploy an MDM profile that Ensure Gatekeeper Is Enabled + Graphical method: + Perform the following steps to enable Location Services: + 1. Open System Settings + 2. Select Privacy & Security + 3. 
Verify that 'Allow apps downloaded from' is set to' App Store and identified developers' + query: SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1 AND dev_id_enabled = 1; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.6.4 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (MDM Required) + platforms: macOS + platform: darwin + description: Checks that Sending Diagnostic and Usage Data to Apple Is Disabled. + resolution: | + Automated method: + Ask your system administrator to deploy an MDM profile that disables Sending Diagnostic and Usage Data to Apple. + Graphical method: + Perform the following steps to enable Location Services: + 1. Open System Settings + 2. Select Privacy & Security + 3. Select Analytics & Improvements + 4. Verify that Share Mac Analytics is not enabled + 5. Verify that Share with App Developers is not enabled + 6. Verify that Improve Siri & Dictation is not enabled + query: | + SELECT 1 WHERE + EXISTS(select 1 FROM managed_policies WHERE domain='com.apple.SubmitDiagInfo' AND name='AutoSubmit' AND value = 0) + AND + EXISTS(select 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowDiagnosticSubmission' AND value = 0) + AND + EXISTS(select 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='Siri Data Sharing Opt-In Status' AND value = 2); + purpose: Informational + tags: compliance, CIS, CIS_Level2, CIS2.6.2 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (MDM Required) + platforms: macOS + platform: darwin + description: A locking screen saver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. 
In macOS, the screen saver starts after a value is selected in the drop- down menu. 20 minutes or less is an acceptable value. Any value can be selected through the command line or script, but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts. + resolution: | + Automated method: + Ask your system administrator to deploy an MDM profile that ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver to be Enabled. + Graphical method: + Perform the following steps to enable Location Services: + 1. Open System Settings + 2. Select Lock Screen + 3. Verify that Start Screen Saver when inactive is set for 20 minutes or less (≤1200 seconds) + query: SELECT 1 FROM managed_policies WHERE domain='com.apple.screensaver' AND name='idleTime' AND value <= 1200; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.10.1 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure a Custom Message for the Login Screen Is Enabled + platforms: macOS + platform: darwin + description: An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored + resolution: | + Graphical method: + Perform the following steps to enable Location Services: + 1. Open System Settings + 2. Select Lock Screen + 3. Verify Show message when locked is enabled + 4. Select Set + 5. Verify that the message displayed is configured to your organization's required text + query: SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='LoginwindowText' AND value != ""; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.10.3 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure FileVault Is Enabled (MDM required) + platforms: macOS + platform: darwin + description: Checks that FileVault Is Enabled. 
FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it. This policy checks that filevault is enabled on the device and that the user is not allowed to disable it. + resolution: | + Automated method: + Ask your system administrator to deploy an MDM profile that enables FileVault and disables turning it off. + Graphical method: + Perform the following steps to enable Location Services: + 1. Open System Settings + 2. Select Privacy & Privacy + 3. Verify that FileVault states FileVault is turned on for the disk "" + 4. Select Privacy & Security + 5. Select Profile + 6. Verify that an installed profile has FileVault Can't Disable set to True + query: | + SELECT 1 WHERE + EXISTS(SELECT 1 FROM managed_policies WHERE domain='com.apple.MCX' AND name='dontAllowFDEDisable' AND value=1) + AND + EXISTS(SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT "" AND filevault_status = 'on' LIMIT 1); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.6.5 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Login Window Displays as Name and Password Is Enabled (MDM required) + platforms: macOS + platform: darwin + description: Checks Login Window Displays as Name and Password Is Enabled. + resolution: | + Automated method: + Ask your system administrator to deploy an MDM profile that Ensure Login Window Displays as Name and Password Is Enabled. + Graphical method: + Perform the following steps to enable Location Services: + 1. Open System Settings + 2. Select Lock Screen + 3. 
Verify that Login window shows is set to Name and Password + query: SELECT 1 FROM managed_policies where domain='com.apple.loginwindow' AND name='SHOWFULLNAME' AND value=1; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.10.4 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Show Password Hints Is Disabled (MDM Required) + platforms: macOS + platform: darwin + description: Checks Show Password Hints Is Disabled. + resolution: | + Automated method: + Ask your system administrator to deploy an MDM profile that Ensures Show Password Hints Is Disabled. + Graphical method: + Perform the following steps to enable Location Services: + 1. OpenSystemSettings + 2. Select Lock Screen + 3. Verify that Show password hints is disabled + query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.loginwindow' AND name = 'RetriesUntilHint' AND value = 0; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.10.5 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Users' Accounts Do Not Have a Password Hint (fleetd required) + platforms: macOS + platform: darwin + description: | + Password hints help the user recall their passwords for various systems and/or accounts. In most cases, password hints are simple and closely related to the user's password. + resolution: | + Automated method: + Ask your system administrator to deploy an MDM profile that disables apple personalized advertising. + Graphical method: + Perform the following steps to enable Location Services: + 1. Open System Settings + 2. Select Touch ID & Passwords (or Login Password on non-Touch ID Macs) + 3. Select Change... + 4. 
Change the password and ensure that no text is entered in the Password hint box + query: SELECT 1 FROM user_login_settings WHERE password_hint_enabled = 0; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.11.1 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Guest Account Is Disabled + platforms: macOS + platform: darwin + description: Checks that Guest Account Is Disabled. + resolution: | + Automated method: + Ask your system administrator to deploy an MDM profile that disables Guest Account. + Graphical method: + Perform the following steps to enable Location Services: + 1. Open System Settings + 2. Select Users & Groups + 3. Select the i next to the Guest User + 4. Verify that Allow guests to log in to this computer is disable + query: | + SELECT 1 WHERE + EXISTS(SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0) + OR + EXISTS(select 1 FROM plist WHERE path='/Library/Preferences/com.apple.MCX.plist' AND key='DisableGuestAccount' AND value = 1); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.12.1 +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Automatic Login Is Disabled (MDM Required) + platforms: macOS + platform: darwin + description: | + The automatic login feature saves a user's system access credentials and bypasses the login screen. Instead, the system automatically loads to the user's desktop screen + resolution: | + Automated method: + Ask your system administrator to deploy an MDM profile that Ensure Automatic Login Is Disabled + Graphical method: + Perform the following steps to enable Location Services: + 1. Open System Settings + 2. Select Users & Groups + 3. Set Automatic login in as... to Off + Profile Method: + Create or edit a configuration profile with the following information: + 1. The Payload Type string is com.apple.loginwindow + 2. 
The key to include is com.apple.login.mcx.DisableAutoLoginClient + 3. The key must be set to + query: SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND name='com.apple.login.mcx.DisableAutoLoginClient' AND value = 1; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS2.12.3 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure Bonjour Advertising Services Is Disabled (MDM Required) + platforms: macOS + platform: darwin + description: | + Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. + DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled. + resolution: | + Automated method: + Ask your system administrator to deploy an MDM profile that disables Bonjour advertising service. + Profile Method: + Create or edit a configuration profile with the following information: + 1. The Payload Type string is `com.apple.mDNSResponder`. + 2. The key to include is `NoMulticastAdvertisements`. + 3. The key must be set to ``. + query: SELECT 1 FROM managed_policies WHERE domain='com.apple.mDNSResponder' AND name='NoMulticastAdvertisements' AND value = 1; + purpose: Informational + tags: compliance, CIS, CIS_Level2, CIS4.1 + contributors: lucasmrod +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure HTTP Server Is Disabled + platforms: macOS + platform: darwin + description: | + Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. + Apache is still part of the Operating System and can be easily turned on to share files and provide remote connectivity + to an end-user computer. Web serving should not be done from a user desktop. Open ports make it easier to exploit the computer. 
+ resolution: | + Automated method: + Ask your system administrator to deploy the following script which will disable the Apache service: + /usr/bin/sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist + query: SELECT 1 WHERE NOT EXISTS(SELECT * FROM processes WHERE path = '/usr/sbin/httpd'); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS4.2 + contributors: lucasmrod +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure NFS Server Is Disabled + platforms: macOS + platform: darwin + description: | + MacOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount + shares and gain access to information from the user's computer. + resolution: | + Automated method: + Ask your system administrator to deploy the following script which will disable the NFS service + and its directory listing: + /usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd + /usr/bin/sudo /bin/rm /etc/exports + query: | + SELECT 1 WHERE + NOT EXISTS(SELECT 1 FROM processes WHERE path = '/sbin/nfsd') + AND + NOT EXISTS(SELECT 1 FROM file WHERE path = '/etc/exports'); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS4.3 + contributors: lucasmrod diff --git a/ee/cis/macos-13/test/profiles/1.2.mobileconfig b/ee/cis/macos-13/test/profiles/1.2.mobileconfig new file mode 100644 index 000000000..9b4fe7550 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/1.2.mobileconfig 
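Review bot: The three sharing policies (CIS 2.3.3.1–2.3.3.3: DVD/CD, Screen and File Sharing) ship with the placeholder `query: SELECT * from time;`, which always returns a row, so every host is reported compliant for checks that are not implemented yet; a stub must fail closed, e.g. `query: SELECT 1 WHERE 0;`, or better, use osquery's `sharing_preferences` table, e.g. `SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM sharing_preferences WHERE screen_sharing = 1);` with `file_sharing` / `disc_sharing` for the other two (confirm those column names against the osquery build fleetd bundles). Separately, the numeric bounds on `managed_policies.value` (`enforcedSoftwareUpdateDelay ... value <= 30`, `askForPasswordDelay ... value <= 5`, `idleTime ... value <= 1200`) compare against a column osquery declares as TEXT, so under SQLite affinity rules these are likely string comparisons: `'600' <= '1200'` is false while `'10000' <= '1200'` is true, which flips the verdict for ordinary values and lets a 2.7-hour screen-saver timeout pass; wrap the column as `CAST(value AS INTEGER) <= 1200` (and likewise for the other two) and verify on a host with a non-trivial value. The FileVault and login-window queries use `user_uuid IS NOT ""` and `value != ""`, which only work because SQLite falls back to treating an unresolved double-quoted identifier as a string literal; use single quotes (`user_uuid IS NOT ''`, `value != ''`) so the intent is explicit and not dependent on that legacy fallback. Also note the HTTP and NFS checks only look at running processes, so a daemon that is enabled in launchd but not currently running still passes; consider also asserting that the service is disabled rather than only absent from `processes`.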
@@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.SoftwareUpdate + PayloadIdentifier + com.fleetdm.cis-1.2.check + PayloadUUID + 4DC539B5-837E-4DC3-B60B-43A8C556A8F0 + AutomaticCheckEnabled + + + + PayloadDescription + test + PayloadDisplayName + Ensure Auto Update Is Enabled + PayloadIdentifier + com.fleetdm.cis-1.2 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 03E69A02-02CE-4CA0-8F17-3BAAD5D3852F + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/1.3.mobileconfig b/ee/cis/macos-13/test/profiles/1.3.mobileconfig new file mode 100644 index 000000000..a2bd6671e --- /dev/null +++ b/ee/cis/macos-13/test/profiles/1.3.mobileconfig @@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.SoftwareUpdate + PayloadIdentifier + com.fleetdm.cis-1.3.check + PayloadUUID + 5FDE6D58-79CD-447A-AFB0-BA32D889C396 + AutomaticDownload + + + + PayloadDescription + test + PayloadDisplayName + Ensure Download New Updates When Available Is Enabled + PayloadIdentifier + com.fleetdm.cis-1.3 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 0A1C2F97-D6FA-4CDB-ABB6-47DF2B151F4F + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/1.4.mobileconfig b/ee/cis/macos-13/test/profiles/1.4.mobileconfig new file mode 100644 index 000000000..bee74453b --- /dev/null +++ b/ee/cis/macos-13/test/profiles/1.4.mobileconfig 
@@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.SoftwareUpdate + PayloadIdentifier + com.fleetdm.cis-1.4.check + PayloadUUID + 15BF7634-276A-411B-8C4E-52D89B4ED82C + AutomaticallyInstallMacOSUpdates + + + + PayloadDescription + test + PayloadDisplayName + Ensure Install of macOS Updates Is Enabled + PayloadIdentifier + com.fleetdm.cis-1.4 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 7DB8733E-BD11-4E88-9AE0-273EF2D0974B + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/1.5.mobileconfig b/ee/cis/macos-13/test/profiles/1.5.mobileconfig new file mode 100644 index 000000000..416b7a0d8 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/1.5.mobileconfig @@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.SoftwareUpdate + PayloadIdentifier + com.fleetdm.cis-1.5.check + PayloadUUID + 6B0285F8-5DB8-4F68-AA6E-2333CCD6CE04 + AutomaticallyInstallAppUpdates + + + + PayloadDescription + test + PayloadDisplayName + Ensure Install Application Updates from the App Store Is Enabled + PayloadIdentifier + com.fleetdm.cis-1.5 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 1C4C0EC4-64A7-4AF0-8807-A3DD44A6DC76 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/1.6.mobileconfig b/ee/cis/macos-13/test/profiles/1.6.mobileconfig new file mode 100644 index 000000000..263f12fcb --- /dev/null +++ b/ee/cis/macos-13/test/profiles/1.6.mobileconfig 
@@ -0,0 +1,39 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.SoftwareUpdate + PayloadIdentifier + com.fleetdm.cis-1.6.check + PayloadUUID + 0D8F676A-A705-4F57-8FF8-3118360EFDEB + ConfigDataInstall + + CriticalUpdateInstall + + + + PayloadDescription + test + PayloadDisplayName + Ensure Install Security Responses and System Files Is Enabled + PayloadIdentifier + com.fleetdm.cis-1.6 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + EBEE9B81-9D33-477F-AFBE-9691360B7A74 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/1.7.mobileconfig b/ee/cis/macos-13/test/profiles/1.7.mobileconfig new file mode 100644 index 000000000..1dcca5b3b --- /dev/null +++ b/ee/cis/macos-13/test/profiles/1.7.mobileconfig @@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.applicationaccess + PayloadIdentifier + com.fleetdm.cis-1.7.check + PayloadUUID + 123FD592-D1C3-41FD-BC41-F91F3E1E2CF4 + enforcedSoftwareUpdateDelay + 29 + + + PayloadDescription + test + PayloadDisplayName + Ensure Software Update Deferment Is Less Than or Equal to 30 Days + PayloadIdentifier + com.zwass.cis-1.7 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 385A0C13-2472-41B3-851C-1311FA12EB49 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.1.1.3.mobileconfig b/ee/cis/macos-13/test/profiles/2.1.1.3.mobileconfig new file mode 100644 index 000000000..a210df0a0 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.1.1.3.mobileconfig 
@@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.applicationaccess + PayloadIdentifier + com.fleetdm.cis-2.1.1.3.check + PayloadUUID + 5F0EF767-200C-4E10-A43D-04204A4A8E06 + allowCloudDesktopAndDocuments + + + + PayloadDescription + test + PayloadDisplayName + Ensure iCloud Drive Document and Desktop Sync Is Disabled + PayloadIdentifier + com.fleetdm.cis-2.1.1.3 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 2EAF168E-3DC9-4375-AA37-501EDB3C8422 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.10.3.mobileconfig b/ee/cis/macos-13/test/profiles/2.10.3.mobileconfig new file mode 100644 index 000000000..c9ecbd26d --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.10.3.mobileconfig @@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.loginwindow + PayloadIdentifier + com.fleetdm.cis-2.10.3.check + PayloadUUID + 3E4C4ED8-ADB6-4EFB-8198-58027B94DF86 + LoginwindowText + Some Test Message + + + PayloadDescription + test + PayloadDisplayName + Ensure a Custom Message for the Login Screen Is Enabled + PayloadIdentifier + com.fleetdm.cis-2.10.3 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 9359CA59-D3C1-4A0D-8595-9E5F1F0CAE12 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.12.3.mobileconfig b/ee/cis/macos-13/test/profiles/2.12.3.mobileconfig new file mode 100644 index 000000000..217b1d5eb --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.12.3.mobileconfig 
@@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.loginwindow + PayloadIdentifier + com.fleetdm.cis-2.12.3.check + PayloadUUID + CB576629-19E2-4649-84FC-C007826732A0 + com.apple.login.mcx.DisableAutoLoginClient + + + + PayloadDescription + test + PayloadDisplayName + Ensure Automatic Login Is Disabled + PayloadIdentifier + com.fleetdm.cis-2.12.3 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 0AEDE730-9466-47D1-B322-3C6F325B3737 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.2.1.mobileconfig b/ee/cis/macos-13/test/profiles/2.2.1.mobileconfig new file mode 100644 index 000000000..8f9d75683 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.2.1.mobileconfig @@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.security.firewall + PayloadIdentifier + com.fleetdm.cis-2.2.1.check + PayloadUUID + D12965C1-12BD-4CAD-A55A-E7F020B0DAAF + EnableFirewall + + + + PayloadDescription + test + PayloadDisplayName + Ensure Firewall Is Enabled + PayloadIdentifier + com.fleetdm.cis-2.2.1 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + F0BFF592-1CB7-4922-B2D4-583415DC4A0B + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.2.2.mobileconfig b/ee/cis/macos-13/test/profiles/2.2.2.mobileconfig new file mode 100644 index 000000000..c9c16ef88 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.2.2.mobileconfig 
@@ -0,0 +1,39 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.security.firewall + PayloadIdentifier + com.fleetdm.cis-2.2.2.check + PayloadUUID + 2D2A07FB-3700-4ED8-AF06-6A2213F4C634 + EnableFirewall + + EnableStealthMode + + + + PayloadDescription + test + PayloadDisplayName + Ensure Firewall Stealth Mode Is Enabled + PayloadIdentifier + com.fleetdm.cis-2.2.2 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + E0B831D6-F214-4F1F-967C-B75B38B26708 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.3.1.1.mobileconfig b/ee/cis/macos-13/test/profiles/2.3.1.1.mobileconfig new file mode 100644 index 000000000..5453a36d7 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.3.1.1.mobileconfig @@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.applicationaccess + PayloadIdentifier + com.fleetdm.cis-2.3.1.1.check + PayloadUUID + 22F2E52E-E593-40F7-8635-E067EDEE4F60 + allowAirDrop + + + + PayloadDescription + test + PayloadDisplayName + Ensure AirDrop Is Disabled + PayloadIdentifier + com.fleetdm.cis-2.3.1.1 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 55DC048E-1490-4A26-8A97-4A4EA91A7302 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.3.1.2.mobileconfig b/ee/cis/macos-13/test/profiles/2.3.1.2.mobileconfig new file mode 100644 index 000000000..707f9c26c --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.3.1.2.mobileconfig 
@@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.applicationaccess + PayloadIdentifier + com.fleetdm.cis-2.3.1.2.check + PayloadUUID + BF58FD50-E4EC-4427-A549-1BCD7B88FCEB + allowAirPlayIncomingRequests + + + + PayloadDescription + test + PayloadDisplayName + Ensure AirPlay Receiver Is Disabled + PayloadIdentifier + com.fleetdm.cis-2.3.1.2 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 633BD4E3-849E-485E-A784-AA80D86E83A3 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.3.2.1.mobileconfig b/ee/cis/macos-13/test/profiles/2.3.2.1.mobileconfig new file mode 100644 index 000000000..f299a44c1 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.3.2.1.mobileconfig @@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.applicationaccess + PayloadIdentifier + com.fleetdm.cis-2.3.2.1.check + PayloadUUID + C5CFF95F-7E77-4B0E-8136-2729A481D60A + forceAutomaticDateAndTime + + + + PayloadDescription + test + PayloadDisplayName + Ensure Set Time and Date Automatically Is Enabled + PayloadIdentifier + com.fleetdm.cis-2.3.2.1 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + CEA7E3A6-E5DF-4A93-ABB7-45F36BF3D3E8 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.4.1.mobileconfig b/ee/cis/macos-13/test/profiles/2.4.1.mobileconfig new file mode 100644 index 000000000..528cd219b --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.4.1.mobileconfig 
@@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.controlcenter + PayloadIdentifier + com.fleetdm.cis-2.4.1.check + PayloadUUID + B97CBDF6-1EB7-424C-86DE-E11892B223F3 + WiFi + 18 + + + PayloadDescription + test + PayloadDisplayName + Ensure Show Wi-Fi status in Menu Bar Is Enabled + PayloadIdentifier + com.fleetdm.cis-2.4.1 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 2357BB9E-FD15-4E1D-A1CC-12C7798E1483 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.4.2.mobileconfig b/ee/cis/macos-13/test/profiles/2.4.2.mobileconfig new file mode 100644 index 000000000..0d0349d04 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.4.2.mobileconfig @@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.controlcenter + PayloadIdentifier + com.fleetdm.cis-2.4.2.check + PayloadUUID + FC6045C3-FFD7-4C0A-A3D5-ED0ADB9FF391 + Bluetooth + 18 + + + PayloadDescription + test + PayloadDisplayName + Ensure Show Bluetooth Status in Menu Bar Is Enabled + PayloadIdentifier + com.fleetdm.cis-2.4.2 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + F997FFD6-7E39-48C7-A451-B12A79B6FA22 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.6.1.1.mobileconfig b/ee/cis/macos-13/test/profiles/2.6.1.1.mobileconfig new file mode 100644 index 000000000..097323330 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.6.1.1.mobileconfig 
@@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.locationd + PayloadIdentifier + com.fleetdm.cis-2.6.1.1.check + PayloadUUID + 25D6B210-E8BB-465F-94D7-474073F4A892 + LocationServicesEnabled + + + + PayloadDescription + test + PayloadDisplayName + Ensure Location Services Is Enabled + PayloadIdentifier + com.fleetdm.cis-2.6.1.1 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 8FC698D7-9EF8-427E-8E52-4B928A7437B0 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.6.2-part1.mobileconfig b/ee/cis/macos-13/test/profiles/2.6.2-part1.mobileconfig new file mode 100644 index 000000000..c57d32092 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.6.2-part1.mobileconfig @@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.applicationaccess + PayloadIdentifier + com.fleetdm.cis-2.6.2-part1.check + PayloadUUID + 9A6BF497-B715-453A-A7F7-D27C325EB5B3 + allowDiagnosticSubmission + + + + PayloadDescription + test + PayloadDisplayName + Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 1) + PayloadIdentifier + com.fleetdm.cis-2.6.2-part1 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 7D03459B-AA53-41AB-85C4-AAED7CE95EE9 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.6.2-part2.mobileconfig b/ee/cis/macos-13/test/profiles/2.6.2-part2.mobileconfig new file mode 100644 index 000000000..363a447e5 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.6.2-part2.mobileconfig 
@@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.SubmitDiagInfo + PayloadIdentifier + com.fleetdm.cis-2.6.2-part2.check + PayloadUUID + 756EF527-5F37-4685-9A0F-21B596D1F895 + AutoSubmit + + + + PayloadDescription + test + PayloadDisplayName + Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 2) + PayloadIdentifier + com.fleetdm.cis-2.6.2-part2 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + C720744B-BBF2-4FE2-B8A9-4638CECC8BB2 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.6.2-part3.mobileconfig b/ee/cis/macos-13/test/profiles/2.6.2-part3.mobileconfig new file mode 100644 index 000000000..c0e551443 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.6.2-part3.mobileconfig @@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.applicationaccess + PayloadIdentifier + com.fleetdm.cis-2.6.2-part3.check + PayloadUUID + 0FD378F2-B497-42D9-AEAE-C58D855E56FD + Siri Data Sharing Opt-In Status + 2 + + + PayloadDescription + test + PayloadDisplayName + Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 3) + PayloadIdentifier + com.fleetdm.cis-2.6.2-part3 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 49A101C5-3401-47E7-90AF-9071D4D65E5D + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.6.3.mobileconfig b/ee/cis/macos-13/test/profiles/2.6.3.mobileconfig new file mode 100644 index 000000000..2bed86338 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.6.3.mobileconfig 
@@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.applicationaccess + PayloadIdentifier + com.fleetdm.cis-2.6.3.check + PayloadUUID + 6C5400FF-BBB3-471F-B139-59D86ADA9A3A + allowApplePersonalizedAdvertising + + + + PayloadDescription + test + PayloadDisplayName + Ensure Limit Ad Tracking Is Enabled + PayloadIdentifier + com.fleetdm.cis-2.6.3 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + C215AA26-C3D0-4A77-B884-8B8C918FD197 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.6.4.mobileconfig b/ee/cis/macos-13/test/profiles/2.6.4.mobileconfig new file mode 100644 index 000000000..9cc87eaab --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.6.4.mobileconfig @@ -0,0 +1,39 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.systempolicy.control + PayloadIdentifier + com.fleetdm.cis-2.6.4.check + PayloadUUID + D9E7B5EA-8DA3-4AF1-99CD-30ED18EF47F1 + EnableAssessment + + AllowIdentifiedDevelopers + + + + PayloadDescription + test + PayloadDisplayName + Ensure Gatekeeper Is Enabled + PayloadIdentifier + com.fleetdm.cis-2.6.4 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 1991574F-155E-4FC1-AD47-FDC4DC3B07B4 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/2.6.5.mobileconfig b/ee/cis/macos-13/test/profiles/2.6.5.mobileconfig new file mode 100644 index 000000000..da7247ad2 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/2.6.5.mobileconfig 
@@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.MCX + PayloadIdentifier + com.fleetdm.cis-2.6.5.check + PayloadUUID + D56F90DC-6F90-4BEB-8D0F-263D062EC612 + dontAllowFDEDisable + + + + PayloadDescription + test + PayloadDisplayName + Ensure FileVault Is Enabled + PayloadIdentifier + com.fleetdm.cis-2.6.5 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 804CCF1F-2814-4B73-95EE-DB0B4FF67103 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/4.1.mobileconfig b/ee/cis/macos-13/test/profiles/4.1.mobileconfig new file mode 100644 index 000000000..ceecc1482 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/4.1.mobileconfig @@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.mDNSResponder + PayloadIdentifier + com.fleetdm.cis-4.1.check + PayloadUUID + 08FEA43B-CE9B-4098-804C-11459D109992 + NoMulticastAdvertisements + + + + PayloadDescription + test + PayloadDisplayName + Ensure Bonjour Advertising Services Is Disabled + PayloadIdentifier + com.fleetdm.cis-4.1 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 25BD1312-2B79-40C7-99FA-E60B49A1883E + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/README.md b/ee/cis/macos-13/test/profiles/README.md new file mode 100644 index 000000000..66f35a86c --- /dev/null +++ b/ee/cis/macos-13/test/profiles/README.md 
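Review bot: The 2.6.5 fixture, displayed as "Ensure FileVault Is Enabled", only carries `dontAllowFDEDisable` under `com.apple.MCX`, which prevents a user from turning FileVault off but does not turn it on. If the corresponding policy query checks that FileVault is actually enabled (that query is outside this hunk, so I cannot confirm), applying this profile to a VM with FileVault off will not make the check pass. A short XML comment in the fixture such as `<!-- Only forbids disabling FDE; FileVault must be enabled on the test VM separately -->` would save the next person the surprise.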
@@ -0,0 +1,64 @@ +# CIS Profiles + +On this directory we store the profiles for each CIS benchmark check that will allow us to apply them automatically on macOS VMs. + +## How to create one + +Let's assume you are creating a profile for CIS 1.6, "Ensure Install Security Responses and System Files Is Enabled". + +1. Copy an existing profile: +```sh +cp compliance/profiles/2.1.1.3.mobileconfig compliance/profiles/1.6.mobileconfig +``` + +2. Generate two unique UUIDs: +```sh +$ uuidgen +380B8EF9-B5E8-4967-A102-52F78EA03AB9 +$ uuidgen +3C4F942C-C716-48F3-A2E9-52AD7DBE55E0 +``` + +3. Open the created copy with a text editor and modify the following fields: +```xml + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + + PayloadIdentifier + com.fleetdm.cis-1.6.check + PayloadUUID + + + + + + PayloadDescription + test + PayloadDisplayName + + PayloadIdentifier + com.fleetdm.cis-1.6 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + + PayloadVersion + 1 + + +``` + +4. Place the `.mobileconfig` on the VM and double click the profile. +5. Go to `System Settings > Profiles` and then install the profile. \ No newline at end of file diff --git a/ee/cis/macos-13/test/profiles/not_always_working_2.10.1.mobileconfig b/ee/cis/macos-13/test/profiles/not_always_working_2.10.1.mobileconfig new file mode 100644 index 000000000..1324d58b6 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/not_always_working_2.10.1.mobileconfig 
@@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.screensaver + PayloadIdentifier + com.fleetdm.cis-2.10.1.check + PayloadUUID + 7A3B69E3-9E7D-4797-88A7-1043AE70E7DC + idleTime + 1200 + + + PayloadDescription + test + PayloadDisplayName + Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled + PayloadIdentifier + com.fleetdm.cis-2.10.1 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + B5B76088-248C-4755-BF2F-73BA6C05B5E9 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/not_always_working_2.10.2.mobileconfig b/ee/cis/macos-13/test/profiles/not_always_working_2.10.2.mobileconfig new file mode 100644 index 000000000..cb3754f69 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/not_always_working_2.10.2.mobileconfig @@ -0,0 +1,39 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.screensaver + PayloadIdentifier + com.fleetdm.cis-2.10.2.check + PayloadUUID + A33F821F-A138-42A0-B657-9F25A0F5ABD5 + askForPassword + + askForPasswordDelay + 5 + + + PayloadDescription + test + PayloadDisplayName + Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled + PayloadIdentifier + com.fleetdm.cis-2.10.2 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + BF81079A-0A4A-476B-9318-F4105F3745D9 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/not_always_working_2.10.4.mobileconfig b/ee/cis/macos-13/test/profiles/not_always_working_2.10.4.mobileconfig new file mode 100644 index 000000000..660179648 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/not_always_working_2.10.4.mobileconfig 
@@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.loginwindow + PayloadIdentifier + com.fleetdm.cis-2.10.4.check + PayloadUUID + C8D63845-92B8-421D-AD17-00D25DEF626A + SHOWFULLNAME + + + + PayloadDescription + test + PayloadDisplayName + Ensure Login Window Displays as Name and Password Is Enabled + PayloadIdentifier + com.fleetdm.cis-2.10.4 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 43D5AAB6-F9DB-4F7F-A665-43DF4915C7E1 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/not_always_working_2.10.5.mobileconfig b/ee/cis/macos-13/test/profiles/not_always_working_2.10.5.mobileconfig new file mode 100644 index 000000000..99e435ae3 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/not_always_working_2.10.5.mobileconfig @@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.loginwindow + PayloadIdentifier + com.fleetdm.cis-2.10.5.check + PayloadUUID + 21BB3EDD-BE67-42DC-B8CE-C493D01C0296 + RetriesUntilHint + 0 + + + PayloadDescription + test + PayloadDisplayName + Ensure Show Password Hints Is Disabled + PayloadIdentifier + com.fleetdm.cis-2.10.5 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 22FEDF5B-8D93-48F7-AE71-E1E2F8C96C30 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/not_always_working_2.6.1.2.mobileconfig b/ee/cis/macos-13/test/profiles/not_always_working_2.6.1.2.mobileconfig new file mode 100644 index 000000000..cea11e433 --- /dev/null +++ b/ee/cis/macos-13/test/profiles/not_always_working_2.6.1.2.mobileconfig 
@@ -0,0 +1,37 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.locationmenu + PayloadIdentifier + com.fleetdm.cis-2.6.1.2.check + PayloadUUID + 25D6B210-E8BB-465F-94D7-474073F4A892 + ShowSystemServices + + + + PayloadDescription + test + PayloadDisplayName + Ensure Location Services Is Enabled + PayloadIdentifier + com.fleetdm.cis-2.6.1.2 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 8FC698D7-9EF8-427E-8E52-4B928A7437B0 + PayloadVersion + 1 + + diff --git a/ee/cis/macos-13/test/profiles/not_working_2.3.4.1.mobileconfig b/ee/cis/macos-13/test/profiles/not_working_2.3.4.1.mobileconfig new file mode 100644 index 000000000..ae032529f --- /dev/null +++ b/ee/cis/macos-13/test/profiles/not_working_2.3.4.1.mobileconfig @@ -0,0 +1,45 @@ + + + + + PayloadContent + + + PayloadDisplayName + test + PayloadType + com.apple.TimeMachine + PayloadIdentifier + com.fleetdm.cis-2.3.4.1.check + PayloadUUID + D884A50B-C73C-4955-B042-9B6DAF23FAF0 + Forced + + + mcx_preference_settings + + AutoBackup + + + + + + + PayloadDescription + test + PayloadDisplayName + Ensure Backup Automatically is Enabled If Time Machine Is Enabled + PayloadIdentifier + com.fleetdm.cis-2.3.4.1 + PayloadRemovalDisallowed + + PayloadScope + System + PayloadType + Configuration + PayloadUUID + 582492F2-34C8-4C1C-A264-1885955A3E19 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/ee/cis/macos-13/test/scripts/CIS_2.10.3.sh b/ee/cis/macos-13/test/scripts/CIS_2.10.3.sh new file mode 100755 index 000000000..bc6ca6801 --- /dev/null +++ b/ee/cis/macos-13/test/scripts/CIS_2.10.3.sh @@ -0,0 +1 @@ +sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Test Message 1" \ No newline at end of file diff --git a/ee/cis/macos-13/test/scripts/CIS_2.10.4.sh b/ee/cis/macos-13/test/scripts/CIS_2.10.4.sh new file mode 100755 index 000000000..64ee7db1b --- /dev/null 
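Review bot: not_always_working_2.6.1.2.mobileconfig reuses both UUIDs from 2.6.1.1.mobileconfig — PayloadUUID `25D6B210-E8BB-465F-94D7-474073F4A892` for the inner payload and `8FC698D7-9EF8-427E-8E52-4B928A7437B0` for the outer — and also copies its display name "Ensure Location Services Is Enabled" even though this profile sets `ShowSystemServices` under `com.apple.locationmenu`. macOS may treat a profile with matching UUIDs as the same profile, so installing both on one VM could replace or confuse the 2.6.1.1 profile rather than add a second one, which may be one reason this fixture is marked as not always working. The README in this same commit asks for two fresh `uuidgen` values per profile; regenerate both here and give the display name its own 2.6.1.2 wording.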
+++ b/ee/cis/macos-13/test/scripts/CIS_2.10.4.sh
@@ -0,0 +1 @@
+sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
\ No newline at end of file
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.10.5.sh b/ee/cis/macos-13/test/scripts/CIS_2.10.5.sh
new file mode 100755
index 000000000..0dae15497
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_2.10.5.sh
@@ -0,0 +1 @@
+sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0
\ No newline at end of file
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.11.1.sh b/ee/cis/macos-13/test/scripts/CIS_2.11.1.sh
new file mode 100755
index 000000000..67b775aba
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_2.11.1.sh
@@ -0,0 +1 @@
+sudo dscl . -list /Users hint . -delete /Users/
\ No newline at end of file
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.12.1.sh b/ee/cis/macos-13/test/scripts/CIS_2.12.1.sh
new file mode 100755
index 000000000..c324af99c
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_2.12.1.sh
@@ -0,0 +1,2 @@
+sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false
+sudo /usr/bin/defaults write /Library/Preferences/com.apple.MCX DisableGuestAccount -bool true
\ No newline at end of file
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.12.3.sh b/ee/cis/macos-13/test/scripts/CIS_2.12.3.sh
new file mode 100755
index 000000000..a9620cc8e
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_2.12.3.sh
@@ -0,0 +1 @@
+sudo /usr/bin/defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
\ No newline at end of file
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.3.4.1.sh b/ee/cis/macos-13/test/scripts/CIS_2.3.4.1.sh
new file mode 100755
index 000000000..e6b78d308
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_2.3.4.1.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# NOTE(lucas): I was not able to set `com.apple.TimeMachine`'s `AutoBackup` via a configuration profile.
+# I tried the profile method documented on the CIS Benchmarks document and after applying it successfully
+# it did not update the value of `AutoBackup`.
+#
+# So for now we are using the following shell command to enable automatic backup of Time Machine destinations.
+/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.TimeMachine.plist AutoBackup -bool true
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.6.1.2.sh b/ee/cis/macos-13/test/scripts/CIS_2.6.1.2.sh
new file mode 100755
index 000000000..2eb66f24f
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_2.6.1.2.sh
@@ -0,0 +1 @@
+sudo /usr/bin/defaults write /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices -bool true
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.6.2.sh b/ee/cis/macos-13/test/scripts/CIS_2.6.2.sh
new file mode 100644
index 000000000..e6f46b209
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_2.6.2.sh
@@ -0,0 +1,19 @@
+sudo /usr/bin/defaults write /Library/Application\
+Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit -bool false
+
+sudo /usr/bin/defaults write /Library/Application\
+Support/CrashReporter/DiagnosticMessagesHistory.plist ThirdPartyDataSubmit -bool false
+
+sudo /bin/chmod 644 /Library/Application\
+Support/CrashReporter/DiagnosticMessagesHistory.plist
+
+sudo /usr/sbin/chgrp admin /Library/Application\
+Support/CrashReporter/DiagnosticMessagesHistory.plist
+
+
+echo "This needs modification"
+sudo -u /usr/bin/defaults write
+/Users//Library/Preferences/com.apple.assistant.support "Siri DataSharing Opt-In Status" -int 2
+
+# Example:
+# sudo -u sharonkatz /usr/bin/defaults write /Users/sharonkatz/Library/Preferences/com.apple.assistant.support "Siri Data Sharing Opt-In Status" -int 2
\ No newline at end of file
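Review bot: The four `defaults`/`chmod`/`chgrp` commands in CIS_2.6.2.sh split the path across two lines at `/Library/Application\` / `Support/...`; as a bash continuation the backslash-newline pair is removed, yielding `/Library/ApplicationSupport/CrashReporter/...`, and if a space follows the backslash the `Support/...` line runs as a separate command instead — either way the intended `/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist` is not what executes. Keep each command on one line, e.g. `sudo /usr/bin/defaults write "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist" AutoSubmit -bool false`, and likewise for the other three. The Siri line writes the key `"Siri DataSharing Opt-In Status"` while the example comment below it and the 2.6.2-part3 profile use `"Siri Data Sharing Opt-In Status"`; the missing space writes a different preference key. The `sudo -u /usr/bin/defaults write` line also appears to have lost its username placeholder (possibly in rendering), and this file is committed as mode 100644 while the other test scripts are 100755 — the same mode issue applies to CIS_2.7.1.sh and CIS_4.2.sh.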
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.6.4.sh b/ee/cis/macos-13/test/scripts/CIS_2.6.4.sh
new file mode 100755
index 000000000..fdc670807
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_2.6.4.sh
@@ -0,0 +1 @@
+sudo /usr/sbin/spctl --master-enable
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.7.1.sh b/ee/cis/macos-13/test/scripts/CIS_2.7.1.sh
new file mode 100644
index 000000000..fccd6fd89
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_2.7.1.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Set corner action to 0 (no-op).
+# If you wish to not comply with the policy, set any of them to 6.
+
+/usr/bin/sudo -u $USER /usr/bin/defaults write com.apple.dock wvous-br-corner -integer 0
+/usr/bin/sudo -u $USER /usr/bin/defaults write com.apple.dock wvous-bl-corner -integer 0
+/usr/bin/sudo -u $USER /usr/bin/defaults write com.apple.dock wvous-tr-corner -integer 0
+/usr/bin/sudo -u $USER /usr/bin/defaults write com.apple.dock wvous-tl-corner -integer 0
\ No newline at end of file
diff --git a/ee/cis/macos-13/test/scripts/CIS_4.2.sh b/ee/cis/macos-13/test/scripts/CIS_4.2.sh
new file mode 100644
index 000000000..c9fe75751
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_4.2.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+/usr/bin/sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist
diff --git a/ee/cis/macos-13/test/scripts/CIS_4.3.sh b/ee/cis/macos-13/test/scripts/CIS_4.3.sh
new file mode 100755
index 000000000..ce62d02ac
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_4.3.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+/usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd
+/usr/bin/sudo /bin/rm /etc/exports
diff --git a/ee/cis/macos-13/test/scripts/not_always_working_CIS_2.10.1.sh b/ee/cis/macos-13/test/scripts/not_always_working_CIS_2.10.1.sh
new file mode 100755
index 000000000..3ac450c53
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/not_always_working_CIS_2.10.1.sh
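Review bot: `sudo -u $USER` in CIS_2.7.1.sh is unquoted and, when the script is itself launched through sudo, `$USER` typically resolves to root rather than the logged-in user, so the hot-corner values may be written to the wrong account's `com.apple.dock` domain. Quote the expansion and, if the script is meant to run under sudo, derive the target explicitly, e.g. `console_user="$(stat -f %Su /dev/console)"` followed by `/usr/bin/sudo -u "$console_user" /usr/bin/defaults write com.apple.dock wvous-br-corner -integer 0` for each corner.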
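Review bot: `/usr/bin/sudo /bin/rm /etc/exports` in CIS_4.3.sh errors out whenever `/etc/exports` is already absent, so the script is not safe to rerun on a VM that is already compliant; `/usr/bin/sudo /bin/rm -f /etc/exports` makes it idempotent. Separately, `launchctl disable system/com.apple.nfsd` only prevents future loads and does not stop an already running `nfsd`, so the policy's `processes` check for `/sbin/nfsd` in the policy file above may keep failing until the service is also unloaded or the host rebooted — worth a comment in the script if that is the expected workflow.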
@@ -0,0 +1,2 @@
+#replace username
+sudo -u /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int 1200
\ No newline at end of file
diff --git a/ee/cis/macos-13/test/scripts/not_always_working_CIS_2.10.2.sh b/ee/cis/macos-13/test/scripts/not_always_working_CIS_2.10.2.sh
new file mode 100755
index 000000000..00e00f63d
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/not_always_working_CIS_2.10.2.sh
@@ -0,0 +1,2 @@
+sudo /usr/sbin/sysadminctl -screenLock immediate -password
+sudo /usr/sbin/sysadminctl -screenLock 5 seconds -password
\ No newline at end of file
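Review bot: The two `sysadminctl -screenLock` invocations in not_always_working_CIS_2.10.2.sh contradict each other: the second (`5 seconds`) overwrites the `immediate` setting from the first, so only the 5-second delay is left in effect. If both values are meant as alternatives, keep one and comment the other out; if `immediate` is the intended test state, drop the second line. As rendered, `-password` has no value following it on either line, which may be a stripped placeholder — a comment naming what must be substituted, as not_always_working_CIS_2.10.1.sh does with `#replace username`, would help.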