Add WIP macOS 13 CIS policy queries (#9497)

#9429
This commit is contained in:
Lucas Manuel Rodriguez 2023-01-25 16:15:12 -03:00 committed by GitHub
parent 0c1ec16dc4
commit 91c93285d8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
47 changed files with 2048 additions and 0 deletions


@ -0,0 +1,802 @@
---
# The latest version of CIS Benchmarks for macOS as of January 2023 was used which was benchmark 1.0 for macOS 13.0 https://workbench.cisecurity.org/benchmarks/10541
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure All Apple-provided Software Is Current
platforms: macOS
platform: darwin
description: Checks that the current version of macOS is up to date. This query requires maintenance over time.
resolution: "Go to System Settings/Software Update and install the latest updates manually"
query: SELECT 1 FROM os_version WHERE version >= '13.1';
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS1.1
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Auto Update Is Enabled (MDM Required)
platforms: macOS
platform: darwin
description: Checks that the system is configured via MDM to automatically install updates.
resolution: "Ask your system administrator to deploy an MDM profile that enables automatic updates."
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticCheckEnabled' AND value=1 LIMIT 1;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS1.2
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Download New Updates When Available Is Enabled (MDM Required)
platforms: macOS
platform: darwin
description: Checks that the system is configured via MDM to automatically download updates.
resolution: "Ask your system administrator to deploy an MDM profile that enables automatic update downloads."
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticDownload' AND value=1 LIMIT 1;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS1.3
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Install of macOS Updates Is Enabled (MDM Required)
platforms: macOS
platform: darwin
description: Ensure that macOS updates are installed after they are available from Apple.
resolution: "Ask your system administrator to deploy an MDM profile that enables automatic install of macOS updates."
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallMacOSUpdates' AND value=1 LIMIT 1;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS1.4
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Install Application Updates from the App Store Is Enabled (MDM Required)
platforms: macOS
platform: darwin
description: Ensure that application updates are installed after they are available from Apple.
resolution: Ask your system administrator to deploy an MDM profile that enables automatic updates of Apple apps.
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallAppUpdates' AND value=1;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS1.5
contributors: lucasmrod
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Install Security Responses and System Files Is Enabled (MDM Required)
platforms: macOS
platform: darwin
description: |
Ensure that system and security updates are installed after they are available from
Apple. This setting enables definition updates for XProtect and Gatekeeper. With this
setting in place, new malware and adware that Apple has added to the list of malware or
untrusted software will not execute.
resolution: "Ask your system administrator to deploy an MDM profile that enables automatic critical system and security updates."
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='CriticalUpdateInstall' AND value=1 LIMIT 1;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS1.6
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Software Update Deferment Is Less Than or Equal to 30 Days (MDM Required)
platforms: macOS
platform: darwin
description: |
Apple provides the capability to manage software updates on Apple devices through
mobile device management. Part of those capabilities permit organizations to defer
software updates and allow for testing. Many organizations have specialized software
and configurations that may be negatively impacted by Apple updates. If software
updates are deferred, they should not be deferred for more than 30 days.
This control only verifies that deferred software updates are not deferred for more than 30 days.
resolution: "Ask your system administrator to deploy an MDM profile configures update deferment to a value of 30 days or less."
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='enforcedSoftwareUpdateDelay' AND value <= 30;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS1.7
contributors: lucasmrod
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure iCloud Drive Document and Desktop Sync Is Disabled (MDM Required)
platforms: macOS
platform: darwin
description: Automated Document synchronization should be planned and controlled to approved storage.
resolution: |
The administrator should configure this via MDM profile.
Create or edit a configuration profile with the following information:
1. The PayloadType string is com.apple.applicationaccess.
2. The key to include is allowCloudDesktopAndDocuments.
3. The key must be set to <false/>.
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowCloudDesktopAndDocuments' AND (value = 0 OR value = 'false') LIMIT 1;
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS2.1.1.3
contributors: zwass
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Firewall Is Enabled
platforms: macOS
platform: darwin
description: A firewall minimizes the threat of unauthorized users gaining access to your system while connected to a network or the Internet.
resolution: "Go to the Network pane in System Settings and ensure Firewall is active."
query: SELECT 1 FROM alf WHERE global_state >= 1;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.2.1
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Firewall Stealth Mode Is Enabled
platforms: macOS
platform: darwin
description: |
While in Stealth mode, the computer will not respond to unsolicited probes, dropping that traffic.
Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet.
resolution: |
Perform the following steps to enable firewall stealth mode:
1. Open System Settings
2. Select Network
3. Select Firewall
4. Select Options...
5. Set Enabled stealth mode to enabled
query: SELECT 1 FROM alf WHERE global_state >= 1 AND stealth_enabled = 1;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.2.2
contributors: lucasmrod
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure AirDrop Is Disabled (MDM Required)
platforms: macOS
platform: darwin
description: |
AirDrop can allow malicious files to be downloaded from unknown sources.
Contacts Only limits may expose personal information to devices in the same area.
resolution: |
Ask your system administrator to deploy an MDM profile that disables AirDrop.
Create or edit a configuration profile with the following information:
1. The PayloadType string is com.apple.applicationaccess
2. The key to include is allowAirDrop
3. The key must be set to <false/>
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowAirDrop' AND (value = 0 OR value = 'false') LIMIT 1;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.3.1.1
contributors: lucasmrod
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure AirPlay Receiver Is Disabled (MDM Required)
platforms: macOS
platform: darwin
description: |
In macOS Monterey (12.0), Apple has added the capability to share content from
another Apple device to the screen of a host Mac. While there are many valuable uses
of this capability, such sharing on a standard Mac user workstation should be enabled
ad hoc as required rather than allowing a continuous sharing service. The feature can
be restricted by Apple ID or network and is configured to use by accepting the
connection on the Mac. Part of the concern is frequent connection requests may
function as a denial-of-service and access control limits may provide too much
information to an attacker.
resolution: |
The administrator should configure this via MDM profile.
Create or edit a configuration profile with the following information:
1. The PayloadType string is com.apple.applicationaccess
2. The key to include is allowAirPlayIncomingRequests
3. The key must be set to <false/>
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowAirPlayIncomingRequests' AND (value = 0 OR value = 'false') LIMIT 1;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.3.1.2
contributors: lucasmrod
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Set Time and Date Automatically Is Enabled (MDM required)
platforms: macOS
platform: darwin
description:
resolution: |
The administrator should configure this via MDM profile.
Create or edit a configuration profile with the following information:
1. The PayloadType string is com.apple.applicationaccess.
2. The key to include is forceAutomaticDateAndTime.
3. The key must be set to <true/>.
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='forceAutomaticDateAndTime' AND value=1 LIMIT 1;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.3.2.1
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Time Is Set Within Appropriate Limits (fleetd required)
platforms: macOS
platform: darwin
description: |
Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries.
The time offset compared to time.apple.com must be between -270.x and 270.x seconds.
resolution: Make sure the device can connect to time.apple.com to synchronize time.
query: SELECT * FROM sntp_request WHERE server = 'time.apple.com' AND clock_offset_ms <= 270000 AND clock_offset_ms >= -270000;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.3.2.2
contributors:
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure DVD or CD Sharing Is Disabled
platforms: macOS
platform: darwin
description:
resolution: ""
# Will likely require MDM/managed_policies. Most of the sharing checks that follow will be essentially the same query but looking at different types of sharing.
query: SELECT * from time;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.3.3.1
contributors:
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Screen Sharing Is Disabled
platforms: macOS
platform: darwin
description:
resolution: ""
query: SELECT * from time;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.3.3.2
contributors:
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure File Sharing Is Disabled
platforms: macOS
platform: darwin
description:
resolution: ""
query: SELECT * from time;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.3.3.3
contributors:
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Backup Automatically is Enabled If Time Machine Is Enabled (FDA Required)
platforms: macOS
platform: darwin
description: |
Backup solutions are only effective if the backups run on a regular basis.
The time to check for backups is before the hard drive fails or the computer goes missing.
In order to simplify the user experience so that backups are more likely to occur,
Time Machine should be on and set to Back Up Automatically whenever the target volume is available.
FDA (Full Disk Access) is required to read the /Library/Preferences/com.apple.TimeMachine.plist
file that contains the Time Machine configuration and backup destinations.
resolution: |
Ask your system administrator to deploy an MDM profile that enables automatic backup if Time Machine is enabled.
The system administrator can do one of:
A. Disable Time Machine on the device.
B. Run the following command to enable automatic backup on Time Machine destinations:
/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.TimeMachine.plist AutoBackup -bool true
query: |
SELECT 'no time machine backups' as output
FROM (SELECT COUNT(*) as c FROM time_machine_backups) t1 WHERE t1.c = 0
UNION
SELECT 'time machine automatic backup set to true' as output
FROM plist WHERE path='/Library/Preferences/com.apple.TimeMachine.plist'
AND key='AutoBackup' AND (value = 1 OR value = 'true');
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS2.3.4.1
contributors: lucasmrod
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled (FDA Required)
platforms: macOS
platform: darwin
description: |
Backup solutions are only effective if the backups run on a regular basis.
The time to check for backups is before the hard drive fails or the computer goes missing.
In order to simplify the user experience so that backups are more likely to occur,
Time Machine should be on and set to Back Up Automatically whenever the target volume is available.
FDA (Full Disk Access) is required to read the /Library/Preferences/com.apple.TimeMachine.plist
file that contains the Time Machine configuration and backup destinations.
resolution: |
Graphical Method:
Perform the following steps to enable encryption on the Time Machine drive:
1. Open `System Settings`.
2. Select `General`.
3. Select `Time Machine`.
4. Select the unencrypted drive.
5. Select `-` to forget that drive as a destination.
6. Select `+` to add a different drive as the destination.
7. Select `Set Up Disk...`.
8. Set Encrypt Backup to enabled.
9. Enter a password in the `New Password` and the same password in the `Re-enter Password` fields.
10. A password hint is required, but it is recommended that you do not use any identifying information for the password
query: |
SELECT 'no time machine destinations configured' as output
FROM (SELECT COUNT(*) as c FROM time_machine_destinations) t1 WHERE t1.c = 0
UNION
SELECT 'time machines destinations with encryption with automatic backup' as output
FROM (SELECT COUNT(*) as c FROM time_machine_destinations WHERE encryption <> 'Encrypted') t2 WHERE t2.c = 0;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.3.4.2
contributors: lucasmrod
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Show Wi-Fi status in Menu Bar Is Enabled (MDM Required)
platforms: macOS
platform: darwin
description: |
The Wi-Fi status in the menu bar indicates if the system's wireless internet capabilities are enabled.
If so, the system will scan for available wireless networks in order to connect.
Enabling "Show Wi-Fi status in menu bar" is a security awareness method that helps mitigate public area
wireless exploits by making the user aware of their wireless connectivity status.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that enables the Wi-Fi status in the menu bar.
Create or edit a configuration profile with the following information:
1. The `PayloadType` string is `com.apple.controlcenter`.
2. The key to include is `WiFi`.
3. The key must be set to `<integer>18</integer>`.
query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.controlcenter' AND name = 'WiFi' AND value = 18;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.4.1
contributors: lucasmrod
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Show Bluetooth Status in Menu Bar Is Enabled (MDM Required)
platforms: macOS
platform: darwin
description: |
Enabling "Show Bluetooth status in menu bar" is a security awareness method that
helps understand the current state of Bluetooth, including whether it is enabled,
discoverable, what paired devices exist, and what paired devices are currently active.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that enables the Bluetooth status in the menu bar.
Create or edit a configuration profile with the following information:
1. The `PayloadType` string is `com.apple.controlcenter`.
2. The key to include is `Bluetooth`.
3. The key must be set to `<integer>18</integer>`.
query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.controlcenter' AND name = 'Bluetooth' AND value = 18;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.4.2
contributors: lucasmrod
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Location Services Is Enabled
platforms: macOS
platform: darwin
description: Checks that Location Services option is enabled.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that enables automatic updates of Apple apps.
Graphical method:
Perform the following steps to enable Location Services:
1. Open System Settings
2. Select Privacy & Security
3. Select Location Services
4. Verify Location Services is enabled
query: SELECT 1 FROM location_services where enabled=1;
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS2.6.1.1
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Location Services Is in the Menu Bar
platforms: macOS
platform: darwin
description: Checks that Location Services option is presented in the Menu Bar.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that enables the "location services" icon in menu bar when System Services request your location.
Graphical method:
Perform the following steps to enable Location Services:
1. Open System Settings
2. Select Privacy & Security
3. Select Location Services
4. Select Details...
5. Verify Show location icon in menu bar when System Services request your
location is set to your organization's parameters
query: SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.locationmenu.plist' AND key='ShowSystemServices' AND value=1;
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS2.6.1.2
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Limit Ad Tracking Is Enabled (MDM Required)
platforms: macOS
platform: darwin
description: Checks that Ensure Limit Ad Tracking Is Enabled.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that disables apple personalized advertising.
Graphical method:
Perform the following steps to enable Location Services:
1. Open Privacy & Security
2. Select Apple Advertising
3. Verify that Personalized Ads is not enabled
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowApplePersonalizedAdvertising' AND value=0;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.6.3
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Screen Saver Corners Are Secure (FDA Required)
platforms: macOS
platform: darwin
description: |
Setting a hot corner to disable the screen saver poses a potential security risk since an
unauthorized person could use this to bypass the login screen and gain access to the system.
FDA (Full Disk Access) is required to read the configuration of all the users in the device
('/Users/*/Library/Preferences/com.apple.dock.plist')
resolution: |
Ask your system administrator to deploy a script that will configure
`wvous-tl-corner`, `wvous-bl-corner`, `wvous-tr-corner`, and `wvous-br-corner` in
domain `com.apple.dock` to a value that is not 6 (for all users of the device).
Graphical Method:
Perform the following steps to ensure that a Hot Corner is not set to Disable Screen Saver:
1. Open System Settings
2. Select Desktop & Dock
3. Select`Hot Corners...`
4. Verify that `Disable Screen Saver` is not set to any of the corners.
query: |
SELECT 1 WHERE NOT EXISTS(
SELECT 1 FROM plist
WHERE path LIKE '/Users/%/Library/Preferences/com.apple.dock.plist' AND (
key = 'wvous-br-corner' OR
key = 'wvous-bl-corner' OR
key = 'wvous-tr-corner' OR
key = 'wvous-tl-corner'
) AND value = 6);
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS2.7.1
contributors: lucasmrod
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled (MDM Required)
platforms: macOS
platform: darwin
description: Checks that Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled.
Graphical method:
Perform the following steps to enable Location Services:
1. Open System Settings
2. Select Lock Screen
3. Verify that Require password after screensaver begins or display is turned
off is set with After 0 seconds or After 5 seconds
query: |
SELECT 1 WHERE EXISTS(select 1 FROM managed_policies WHERE domain='com.apple.screensaver' AND name='askForPassword' AND value=1) AND EXISTS(select 1 FROM managed_policies WHERE domain='com.apple.screensaver' AND name='askForPasswordDelay' AND value <= 5)
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.10.2
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Gatekeeper Is Enabled
platforms: macOS
platform: darwin
description: |
Checks that Gatekeeper Is Enabled. Gatekeeper is Apples application that utilizes allowlisting to restrict downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization. In an update to Gatekeeper in macOS 13 Ventura, Gatekeeper checks every application on every launch, not just quarantined apps.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that Ensure Gatekeeper Is Enabled
Graphical method:
Perform the following steps to enable Location Services:
1. Open System Settings
2. Select Privacy & Security
3. Verify that 'Allow apps downloaded from' is set to' App Store and identified developers'
query: SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1 AND dev_id_enabled = 1;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.6.4
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (MDM Required)
platforms: macOS
platform: darwin
description: Checks that Sending Diagnostic and Usage Data to Apple Is Disabled.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that disables Sending Diagnostic and Usage Data to Apple.
Graphical method:
Perform the following steps to enable Location Services:
1. Open System Settings
2. Select Privacy & Security
3. Select Analytics & Improvements
4. Verify that Share Mac Analytics is not enabled
5. Verify that Share with App Developers is not enabled
6. Verify that Improve Siri & Dictation is not enabled
query: |
SELECT 1 WHERE
EXISTS(select 1 FROM managed_policies WHERE domain='com.apple.SubmitDiagInfo' AND name='AutoSubmit' AND value = 0)
AND
EXISTS(select 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowDiagnosticSubmission' AND value = 0)
AND
EXISTS(select 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='Siri Data Sharing Opt-In Status' AND value = 2);
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS2.6.2
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (MDM Required)
platforms: macOS
platform: darwin
description: A locking screen saver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS, the screen saver starts after a value is selected in the drop- down menu. 20 minutes or less is an acceptable value. Any value can be selected through the command line or script, but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver to be Enabled.
Graphical method:
Perform the following steps to enable Location Services:
1. Open System Settings
2. Select Lock Screen
3. Verify that Start Screen Saver when inactive is set for 20 minutes or less (≤1200 seconds)
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.screensaver' AND name='idleTime' AND value <= 1200;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.10.1
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure a Custom Message for the Login Screen Is Enabled
platforms: macOS
platform: darwin
description: An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored
resolution: |
Graphical method:
Perform the following steps to enable Location Services:
1. Open System Settings
2. Select Lock Screen
3. Verify Show message when locked is enabled
4. Select Set
5. Verify that the message displayed is configured to your organization's required text
query: SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='LoginwindowText' AND value != "";
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.10.3
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure FileVault Is Enabled (MDM required)
platforms: macOS
platform: darwin
description: Checks that FileVault Is Enabled. FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it. This policy checks that filevault is enabled on the device and that the user is not allowed to disable it.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that enables FileVault and disables turning it off.
Graphical method:
Perform the following steps to enable Location Services:
1. Open System Settings
2. Select Privacy & Privacy
3. Verify that FileVault states FileVault is turned on for the disk "<disk name>"
4. Select Privacy & Security
5. Select Profile
6. Verify that an installed profile has FileVault Can't Disable set to True
query: |
SELECT 1 WHERE
EXISTS(SELECT 1 FROM managed_policies WHERE domain='com.apple.MCX' AND name='dontAllowFDEDisable' AND value=1)
AND
EXISTS(SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT "" AND filevault_status = 'on' LIMIT 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.6.5
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Login Window Displays as Name and Password Is Enabled (MDM required)
platforms: macOS
platform: darwin
description: Checks Login Window Displays as Name and Password Is Enabled.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that Ensure Login Window Displays as Name and Password Is Enabled.
Graphical method:
Perform the following steps to enable Location Services:
1. Open System Settings
2. Select Lock Screen
3. Verify that Login window shows is set to Name and Password
query: SELECT 1 FROM managed_policies where domain='com.apple.loginwindow' AND name='SHOWFULLNAME' AND value=1;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.10.4
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Show Password Hints Is Disabled (MDM Required)
platforms: macOS
platform: darwin
description: Checks Show Password Hints Is Disabled.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that Ensures Show Password Hints Is Disabled.
Graphical method:
Perform the following steps to enable Location Services:
1. OpenSystemSettings
2. Select Lock Screen
3. Verify that Show password hints is disabled
query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.loginwindow' AND name = 'RetriesUntilHint' AND value = 0;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.10.5
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Users' Accounts Do Not Have a Password Hint (fleetd required)
platforms: macOS
platform: darwin
description: |
Password hints help the user recall their passwords for various systems and/or accounts. In most cases, password hints are simple and closely related to the user's password.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that disables apple personalized advertising.
Graphical method:
Perform the following steps to enable Location Services:
1. Open System Settings
2. Select Touch ID & Passwords (or Login Password on non-Touch ID Macs)
3. Select Change...
4. Change the password and ensure that no text is entered in the Password hint box
query: SELECT 1 FROM user_login_settings WHERE password_hint_enabled = 0;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.11.1
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Guest Account Is Disabled
platforms: macOS
platform: darwin
description: Checks that Guest Account Is Disabled.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that disables Guest Account.
Graphical method:
Perform the following steps to enable Location Services:
1. Open System Settings
2. Select Users & Groups
3. Select the i next to the Guest User
4. Verify that Allow guests to log in to this computer is disable
query: |
SELECT 1 WHERE
EXISTS(SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0)
OR
EXISTS(select 1 FROM plist WHERE path='/Library/Preferences/com.apple.MCX.plist' AND key='DisableGuestAccount' AND value = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.12.1
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Automatic Login Is Disabled (MDM Required)
platforms: macOS
platform: darwin
description: |
The automatic login feature saves a user's system access credentials and bypasses the login screen. Instead, the system automatically loads to the user's desktop screen
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that Ensure Automatic Login Is Disabled
Graphical method:
Perform the following steps to enable Location Services:
1. Open System Settings
2. Select Users & Groups
3. Set Automatic login in as... to Off
Profile Method:
Create or edit a configuration profile with the following information:
1. The Payload Type string is com.apple.loginwindow
2. The key to include is com.apple.login.mcx.DisableAutoLoginClient
3. The key must be set to <true/>
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND name='com.apple.login.mcx.DisableAutoLoginClient' AND value = 1;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS2.12.3
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Bonjour Advertising Services Is Disabled (MDM Required)
platforms: macOS
platform: darwin
description: |
Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet.
DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that disables Bonjour advertising service.
Profile Method:
Create or edit a configuration profile with the following information:
1. The Payload Type string is `com.apple.mDNSResponder`.
2. The key to include is `NoMulticastAdvertisements`.
3. The key must be set to `<true/>`.
query: SELECT 1 FROM managed_policies WHERE domain='com.apple.mDNSResponder' AND name='NoMulticastAdvertisements' AND value = 1;
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS4.1
contributors: lucasmrod
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure HTTP Server Is Disabled
platforms: macOS
platform: darwin
description: |
Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer.
Apache is still part of the Operating System and can be easily turned on to share files and provide remote connectivity
to an end-user computer. Web serving should not be done from a user desktop. Open ports make it easier to exploit the computer.
resolution: |
Automated method:
Ask your system administrator to deploy the following script which will disable the Apache service:
/usr/bin/sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist
query: SELECT 1 WHERE NOT EXISTS(SELECT * FROM processes WHERE path = '/usr/sbin/httpd');
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS4.2
contributors: lucasmrod
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure NFS Server Is Disabled
platforms: macOS
platform: darwin
description: |
MacOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount
shares and gain access to information from the user's computer.
resolution: |
Automated method:
Ask your system administrator to deploy the following script which will disable the NFS service
and its directory listing:
/usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd
/usr/bin/sudo /bin/rm /etc/exports
query: |
SELECT 1 WHERE
NOT EXISTS(SELECT 1 FROM processes WHERE path = '/sbin/nfsd')
AND
NOT EXISTS(SELECT 1 FROM file WHERE path = '/etc/exports');
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS4.3
contributors: lucasmrod
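Review bot: The three sharing policies (DVD or CD Sharing, Screen Sharing, File Sharing) ship with the placeholder `query: SELECT * from time;`, which always returns a row, so every host is reported as passing CIS 2.3.3.1–2.3.3.3 while nothing is actually checked; a WIP placeholder should fail closed, e.g. `query: SELECT 1 WHERE 0;`, or the three entries should be omitted until the real queries exist. Separately, the "All Apple-provided Software Is Current" check compares `version >= '13.1'` as a string, so a future 13.10 would sort below 13.2 and be reported as out of date — comparing the os_version table's numeric `major`/`minor`/`patch` columns, if this osquery build exposes them, avoids that. The numeric comparisons against `managed_policies.value` (`value <= 30`, `value <= 5`, `value <= 1200`) are presumably also text comparisons if that column has TEXT affinity in osquery, which would make 900 fail against 1200; `CAST(value AS INTEGER) <= 1200` makes the intent explicit and is worth confirming.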


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.SoftwareUpdate</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-1.2.check</string>
<key>PayloadUUID</key>
<string>4DC539B5-837E-4DC3-B60B-43A8C556A8F0</string>
<key>AutomaticCheckEnabled</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Auto Update Is Enabled </string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-1.2</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>03E69A02-02CE-4CA0-8F17-3BAAD5D3852F</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
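Review bot: The top-level display name `<string>Ensure Auto Update Is Enabled </string>` carries a trailing space, which is the only profile in this commit whose name does, and it will be shown verbatim in the Profiles UI. Trim it to `<string>Ensure Auto Update Is Enabled</string>` so it matches the naming of the other profiles.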


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.SoftwareUpdate</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-1.3.check</string>
<key>PayloadUUID</key>
<string>5FDE6D58-79CD-447A-AFB0-BA32D889C396</string>
<key>AutomaticDownload</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Download New Updates When Available Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-1.3</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>0A1C2F97-D6FA-4CDB-ABB6-47DF2B151F4F</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.SoftwareUpdate</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-1.4.check</string>
<key>PayloadUUID</key>
<string>15BF7634-276A-411B-8C4E-52D89B4ED82C</string>
<key>AutomaticallyInstallMacOSUpdates</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Install of macOS Updates Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-1.4</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>7DB8733E-BD11-4E88-9AE0-273EF2D0974B</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.SoftwareUpdate</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-1.5.check</string>
<key>PayloadUUID</key>
<string>6B0285F8-5DB8-4F68-AA6E-2333CCD6CE04</string>
<key>AutomaticallyInstallAppUpdates</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Install Application Updates from the App Store Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-1.5</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>1C4C0EC4-64A7-4AF0-8807-A3DD44A6DC76</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,39 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.SoftwareUpdate</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-1.6.check</string>
<key>PayloadUUID</key>
<string>0D8F676A-A705-4F57-8FF8-3118360EFDEB</string>
<key>ConfigDataInstall</key>
<true/>
<key>CriticalUpdateInstall</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Install Security Responses and System Files Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-1.6</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>EBEE9B81-9D33-477F-AFBE-9691360B7A74</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-1.7.check</string>
<key>PayloadUUID</key>
<string>123FD592-D1C3-41FD-BC41-F91F3E1E2CF4</string>
<key>enforcedSoftwareUpdateDelay</key>
<integer>29</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Software Update Deferment Is Less Than or Equal to 30 Days</string>
<key>PayloadIdentifier</key>
<string>com.zwass.cis-1.7</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>385A0C13-2472-41B3-851C-1311FA12EB49</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
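Review bot: The outer identifier `<string>com.zwass.cis-1.7</string>` breaks the `com.fleetdm.cis-<n>` scheme every other profile in this commit uses, and as a result the inner payload identifier `com.fleetdm.cis-1.7.check` is not a sub-domain of its parent profile, which the directory README in this same commit says it must be. Change it to `<string>com.fleetdm.cis-1.7</string>` so the `.check` payload nests under the profile identifier like the rest.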


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.1.1.3.check</string>
<key>PayloadUUID</key>
<string>5F0EF767-200C-4E10-A43D-04204A4A8E06</string>
<key>allowCloudDesktopAndDocuments</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure iCloud Drive Document and Desktop Sync Is Disabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.1.1.3</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>2EAF168E-3DC9-4375-AA37-501EDB3C8422</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.loginwindow</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.10.3.check</string>
<key>PayloadUUID</key>
<string>3E4C4ED8-ADB6-4EFB-8198-58027B94DF86</string>
<key>LoginwindowText</key>
<string>Some Test Message</string>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure a Custom Message for the Login Screen Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.10.3</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>9359CA59-D3C1-4A0D-8595-9E5F1F0CAE12</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.loginwindow</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.12.3.check</string>
<key>PayloadUUID</key>
<string>CB576629-19E2-4649-84FC-C007826732A0</string>
<key>com.apple.login.mcx.DisableAutoLoginClient</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Automatic Login Is Disabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.12.3</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>0AEDE730-9466-47D1-B322-3C6F325B3737</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.security.firewall</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.2.1.check</string>
<key>PayloadUUID</key>
<string>D12965C1-12BD-4CAD-A55A-E7F020B0DAAF</string>
<key>EnableFirewall</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Firewall Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.2.1</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>F0BFF592-1CB7-4922-B2D4-583415DC4A0B</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,39 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.security.firewall</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.2.2.check</string>
<key>PayloadUUID</key>
<string>2D2A07FB-3700-4ED8-AF06-6A2213F4C634</string>
<key>EnableFirewall</key>
<true/>
<key>EnableStealthMode</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Firewall Stealth Mode Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.2.2</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>E0B831D6-F214-4F1F-967C-B75B38B26708</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.3.1.1.check</string>
<key>PayloadUUID</key>
<string>22F2E52E-E593-40F7-8635-E067EDEE4F60</string>
<key>allowAirDrop</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure AirDrop Is Disabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.3.1.1</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>55DC048E-1490-4A26-8A97-4A4EA91A7302</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.3.1.2.check</string>
<key>PayloadUUID</key>
<string>BF58FD50-E4EC-4427-A549-1BCD7B88FCEB</string>
<key>allowAirPlayIncomingRequests</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure AirPlay Receiver Is Disabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.3.1.2</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>633BD4E3-849E-485E-A784-AA80D86E83A3</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.3.2.1.check</string>
<key>PayloadUUID</key>
<string>C5CFF95F-7E77-4B0E-8136-2729A481D60A</string>
<key>forceAutomaticDateAndTime</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Set Time and Date Automatically Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.3.2.1</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>CEA7E3A6-E5DF-4A93-ABB7-45F36BF3D3E8</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.controlcenter</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.4.1.check</string>
<key>PayloadUUID</key>
<string>B97CBDF6-1EB7-424C-86DE-E11892B223F3</string>
<key>WiFi</key>
<integer>18</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Show Wi-Fi status in Menu Bar Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.4.1</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>2357BB9E-FD15-4E1D-A1CC-12C7798E1483</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.controlcenter</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.4.2.check</string>
<key>PayloadUUID</key>
<string>FC6045C3-FFD7-4C0A-A3D5-ED0ADB9FF391</string>
<key>Bluetooth</key>
<integer>18</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Show Bluetooth Status in Menu Bar Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.4.2</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>F997FFD6-7E39-48C7-A451-B12A79B6FA22</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.locationd</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.6.1.1.check</string>
<key>PayloadUUID</key>
<string>25D6B210-E8BB-465F-94D7-474073F4A892</string>
<key>LocationServicesEnabled</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Location Services Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.6.1.1</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>8FC698D7-9EF8-427E-8E52-4B928A7437B0</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
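Review bot: Both `PayloadUUID` values in this profile, `25D6B210-E8BB-465F-94D7-474073F4A892` and `8FC698D7-9EF8-427E-8E52-4B928A7437B0`, are reused verbatim by the 2.6.1.2 profile added later in this commit, which also repeats the display name `Ensure Location Services Is Enabled`. The README added here asks for two fresh `uuidgen` values per profile precisely because profile and payload UUIDs are expected to be unique; if the profiles subsystem keys on them, installing both on one VM presumably has one profile replace or reject the other, so the 2.6.1.2 check could pass or fail for the wrong reason. Generate two new UUIDs for the 2.6.1.2 file and give it a display name that reflects its own CIS item rather than 2.6.1.1's.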


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.6.2-part1.check</string>
<key>PayloadUUID</key>
<string>9A6BF497-B715-453A-A7F7-D27C325EB5B3</string>
<key>allowDiagnosticSubmission</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 1)</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.6.2-part1</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>7D03459B-AA53-41AB-85C4-AAED7CE95EE9</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
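Review bot: The display name `<string>Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 1)</string>` doubles the word "Ensure" and is missing a space before the parenthesis; the part-3 profile in this commit has the same typo. Use `<string>Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (part 1)</string>`, matching the part-2 profile's wording.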


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.SubmitDiagInfo</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.6.2-part2.check</string>
<key>PayloadUUID</key>
<string>756EF527-5F37-4685-9A0F-21B596D1F895</string>
<key>AutoSubmit</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 2)</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.6.2-part2</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>C720744B-BBF2-4FE2-B8A9-4638CECC8BB2</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.6.2-part3.check</string>
<key>PayloadUUID</key>
<string>0FD378F2-B497-42D9-AEAE-C58D855E56FD</string>
<key>Siri Data Sharing Opt-In Status</key>
<integer>2</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 3)</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.6.2-part3</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>49A101C5-3401-47E7-90AF-9071D4D65E5D</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.6.3.check</string>
<key>PayloadUUID</key>
<string>6C5400FF-BBB3-471F-B139-59D86ADA9A3A</string>
<key>allowApplePersonalizedAdvertising</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Limit Ad Tracking Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.6.3</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>C215AA26-C3D0-4A77-B884-8B8C918FD197</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,39 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.systempolicy.control</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.6.4.check</string>
<key>PayloadUUID</key>
<string>D9E7B5EA-8DA3-4AF1-99CD-30ED18EF47F1</string>
<key>EnableAssessment</key>
<true/>
<key>AllowIdentifiedDevelopers</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Gatekeeper Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.6.4</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>1991574F-155E-4FC1-AD47-FDC4DC3B07B4</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.MCX</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.6.5.check</string>
<key>PayloadUUID</key>
<string>D56F90DC-6F90-4BEB-8D0F-263D062EC612</string>
<key>dontAllowFDEDisable</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure FileVault Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.6.5</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>804CCF1F-2814-4B73-95EE-DB0B4FF67103</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
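Review bot: The only setting this profile carries is `dontAllowFDEDisable` under `com.apple.MCX`, which by its name prevents a user from turning FileVault off; it does not turn FileVault on, so a VM that starts with FileVault disabled will still have it disabled after the profile is installed. The 2.6.5 policy query is not in this view, but if it inspects FileVault state rather than this managed preference, the README's workflow of installing the profile and expecting the check to flip will not work for this item. Add a comment above the key, `<!-- Only blocks disabling FileVault; FileVault must be enabled on the test VM separately for the 2.6.5 check to pass -->`, so the next person testing this does not assume the profile is sufficient.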


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.mDNSResponder</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-4.1.check</string>
<key>PayloadUUID</key>
<string>08FEA43B-CE9B-4098-804C-11459D109992</string>
<key>NoMulticastAdvertisements</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Bonjour Advertising Services Is Disabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-4.1</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>25BD1312-2B79-40C7-99FA-E60B49A1883E</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,64 @@
# CIS Profiles
On this directory we store the profiles for each CIS benchmark check that will allow us to apply them automatically on macOS VMs.
## How to create one
Let's assume you are creating a profile for CIS 1.6, "Ensure Install Security Responses and System Files Is Enabled".
1. Copy an existing profile:
```sh
cp compliance/profiles/2.1.1.3.mobileconfig compliance/profiles/1.6.mobileconfig
```
2. Generate two unique UUIDs:
```sh
$ uuidgen
380B8EF9-B5E8-4967-A102-52F78EA03AB9
$ uuidgen
3C4F942C-C716-48F3-A2E9-52AD7DBE55E0
```
3. Open the created copy with a text editor and modify the following fields:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string><!--- Domain of the setting, e.g. com.apple.SoftwareUpdate --></string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-1.6.check <!--- This must be unique and a sub domain of the main profile, thus we add the cis number at the end + ".check" --></string>
<key>PayloadUUID</key>
<string><!--- Paste one of the generated UUID here, in this case 380B8EF9-B5E8-4967-A102-52F78EA03AB9 --></string>
<key><!--- Setting, e.g. CriticalUpdateInstall --></key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string><!-- Title of the CIS here, e.g. Ensure Install Security Responses and System Files Is Enabled --></string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-1.6</string> <!--- This must be unique, thus we add the cis number at the end -->
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string><!--- Paste the other generated UUID here, in this case 3C4F942C-C716-48F3-A2E9-52AD7DBE55E0 --></string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
```
4. Place the `.mobileconfig` on the VM and double click the profile.
5. Go to `System Settings > Profiles` and then install the profile.


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.screensaver</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.10.1.check</string>
<key>PayloadUUID</key>
<string>7A3B69E3-9E7D-4797-88A7-1043AE70E7DC</string>
<key>idleTime</key>
<integer>1200</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.10.1</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>B5B76088-248C-4755-BF2F-73BA6C05B5E9</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,39 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.screensaver</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.10.2.check</string>
<key>PayloadUUID</key>
<string>A33F821F-A138-42A0-B657-9F25A0F5ABD5</string>
<key>askForPassword</key>
<true/>
<key>askForPasswordDelay</key>
<integer>5</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.10.2</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>BF81079A-0A4A-476B-9318-F4105F3745D9</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.loginwindow</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.10.4.check</string>
<key>PayloadUUID</key>
<string>C8D63845-92B8-421D-AD17-00D25DEF626A</string>
<key>SHOWFULLNAME</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Login Window Displays as Name and Password Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.10.4</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>43D5AAB6-F9DB-4F7F-A665-43DF4915C7E1</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.loginwindow</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.10.5.check</string>
<key>PayloadUUID</key>
<string>21BB3EDD-BE67-42DC-B8CE-C493D01C0296</string>
<key>RetriesUntilHint</key>
<integer>0</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Show Password Hints Is Disabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.10.5</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>22FEDF5B-8D93-48F7-AE71-E1E2F8C96C30</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.locationmenu</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.6.1.2.check</string>
<key>PayloadUUID</key>
<string>25D6B210-E8BB-465F-94D7-474073F4A892</string>
<key>ShowSystemServices</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Location Services Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.6.1.2</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>8FC698D7-9EF8-427E-8E52-4B928A7437B0</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


@ -0,0 +1,45 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>test</string>
<key>PayloadType</key>
<string>com.apple.TimeMachine</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.3.4.1.check</string>
<key>PayloadUUID</key>
<string>D884A50B-C73C-4955-B042-9B6DAF23FAF0</string>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>AutoBackup</key>
<true/>
</dict>
</dict>
</array>
</dict>
</array>
<key>PayloadDescription</key>
<string>test</string>
<key>PayloadDisplayName</key>
<string>Ensure Backup Automatically is Enabled If Time Machine Is Enabled</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.cis-2.3.4.1</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>582492F2-34C8-4C1C-A264-1885955A3E19</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
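Review bot: The companion shell script in this commit states that applying this profile did not change `AutoBackup`, yet nothing in the profile itself records that, so a later reader will assume it is a working fixture. Suggest putting that caveat into the `PayloadDescription` in place of `test`, e.g. `<string>Fleet test fixture for CIS 2.3.4.1 (Time Machine AutoBackup). NOTE: did not take effect when installed; see the shell remediation instead.</string>`. The `Forced`/`mcx_preference_settings` wrapper looks like the legacy MCX form, which may be why it is ignored on macOS 13 — worth confirming before keeping the fixture.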


@ -0,0 +1 @@
sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Test Message 1"


@ -0,0 +1 @@
sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true


@ -0,0 +1 @@
sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0


@ -0,0 +1 @@
sudo dscl . -list /Users hint . -delete /Users/<username>
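Review bot: The `-delete /Users/<username>` at the end of this line carries no attribute name, so if dscl reaches it the whole user record is deleted rather than only its `hint` attribute; the `-list /Users hint` in front of it also looks like a separate command that was fused onto the same line. Split it into the listing step `sudo dscl . -list /Users hint` and the targeted removal `sudo dscl . -delete /Users/<username> hint`, and keep the `<username>` placeholder clearly marked as something the operator must substitute.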


@ -0,0 +1,2 @@
sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false
sudo /usr/bin/defaults write /Library/Preferences/com.apple.MCX DisableGuestAccount -bool true


@ -0,0 +1 @@
sudo /usr/bin/defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
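Review bot: `defaults delete` exits non-zero when `autoLoginUser` is not present, so on a host that never had auto-login enabled this remediation reports a failure rather than "already compliant"; guard it, e.g. `sudo /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser >/dev/null 2>&1 && sudo /usr/bin/defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser`. Deleting the key also leaves behind the auto-login credential file macOS writes when auto-login is turned on (`/etc/kcpassword`, if present); if this is meant as a full remediation rather than a test toggle, consider removing that file as well.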


@ -0,0 +1,8 @@
#!/bin/bash
# NOTE(lucas): I was not able to set `com.apple.TimeMachine`'s `AutoBackup` via a configuration profile.
# I tried the profile method documented on the CIS Benchmarks document and after applying it successfully
# it did not update the value of `AutoBackup`.
#
# So for now we are using the following shell command to enable automatic backup of Time Machine destinations.
/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.TimeMachine.plist AutoBackup -bool true


@ -0,0 +1 @@
sudo /usr/bin/defaults write /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices -bool true


@ -0,0 +1,19 @@
sudo /usr/bin/defaults write /Library/Application\
Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit -bool false
sudo /usr/bin/defaults write /Library/Application\
Support/CrashReporter/DiagnosticMessagesHistory.plist ThirdPartyDataSubmit -bool false
sudo /bin/chmod 644 /Library/Application\
Support/CrashReporter/DiagnosticMessagesHistory.plist
sudo /usr/sbin/chgrp admin /Library/Application\
Support/CrashReporter/DiagnosticMessagesHistory.plist
echo "This needs modification"
sudo -u <username> /usr/bin/defaults write
/Users/<username>/Library/Preferences/com.apple.assistant.support "Siri DataSharing Opt-In Status" -int 2
# Example:
# sudo -u sharonkatz /usr/bin/defaults write /Users/sharonkatz/Library/Preferences/com.apple.assistant.support "Siri Data Sharing Opt-In Status" -int 2
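Review bot: As rendered, the first four commands end their line with `Application\` and continue with `Support/...` on the next line; a backslash-newline is a line continuation in bash, so the path collapses to `/Library/ApplicationSupport/CrashReporter/...` and none of the four writes hit the real file — if that break is really in the file (the hunk header counts 19 lines but fewer are visible here, so the rendering may differ), the path needs quoting on one line. The `sudo -u <username> /usr/bin/defaults write` command is likewise cut before its path, so the `/Users/<username>/...` line would run as a separate command, and its key `Siri DataSharing Opt-In Status` differs from the `Siri Data Sharing Opt-In Status` used in the example comment below it — only one can be the real key. The `echo "This needs modification"` placeholder should be replaced by a comment explaining the `<username>` substitution.

```shell
plist="/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist"
sudo /usr/bin/defaults write "$plist" AutoSubmit -bool false
sudo /usr/bin/defaults write "$plist" ThirdPartyDataSubmit -bool false
sudo /bin/chmod 644 "$plist"
sudo /usr/sbin/chgrp admin "$plist"
# <username>: the console user whose Siri data-sharing preference is being set.
sudo -u <username> /usr/bin/defaults write "/Users/<username>/Library/Preferences/com.apple.assistant.support" "Siri Data Sharing Opt-In Status" -int 2
# … unchanged: example comment …
```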


@ -0,0 +1 @@
sudo /usr/sbin/spctl --master-enable


@ -0,0 +1,9 @@
#!/bin/bash
# Set corner action to 0 (no-op).
# If you wish to not comply with the policy, set any of them to 6.
/usr/bin/sudo -u $USER /usr/bin/defaults write com.apple.dock wvous-br-corner -integer 0
/usr/bin/sudo -u $USER /usr/bin/defaults write com.apple.dock wvous-bl-corner -integer 0
/usr/bin/sudo -u $USER /usr/bin/defaults write com.apple.dock wvous-tr-corner -integer 0
/usr/bin/sudo -u $USER /usr/bin/defaults write com.apple.dock wvous-tl-corner -integer 0
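Review bot: `$USER` is unquoted and, when this script is executed as root (as an agent or MDM-pushed script typically is), it expands to `root`, so the four `defaults write` calls land in root's `com.apple.dock` domain and the console user's hot corners are untouched. If the script is intended to run as root, resolve the console user first — `console_user=$(/usr/bin/stat -f %Su /dev/console)` — and use `sudo -u "$console_user"` on each line; if it is only meant to be run interactively by the logged-in user, a comment saying so (and quoting `"$USER"`) would make that explicit.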


@ -0,0 +1,3 @@
#!/bin/bash
/usr/bin/sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist
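Review bot: This script uses the legacy `launchctl unload -w` form while the nfsd remediation in the same commit uses `launchctl disable system/...`; the two should agree on one interface so they fail and report the same way. `launchctl disable system/org.apache.httpd` together with `launchctl bootout system/org.apache.httpd` (the latter only if the daemon is currently loaded) matches the newer style, and a `set -e` after the shebang would stop the script on the first failure.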


@ -0,0 +1,4 @@
#!/bin/bash
/usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd
/usr/bin/sudo /bin/rm /etc/exports
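Review bot: `rm /etc/exports` returns non-zero when the file does not exist, which is the common case on a host that never shared NFS, so the remediation reports failure on already-compliant machines; use `/usr/bin/sudo /bin/rm -f /etc/exports`. `launchctl disable` only prevents the service from being loaded in future and, as far as I can tell, does not stop an nfsd that is already running, so an explicit `launchctl bootout system/com.apple.nfsd` (ignoring its error when the service is not loaded) is needed for the change to take effect immediately.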


@ -0,0 +1,2 @@
#replace username
sudo -u <username> /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int 1200


@ -0,0 +1,2 @@
sudo /usr/sbin/sysadminctl -screenLock immediate -password <administrator password>
sudo /usr/sbin/sysadminctl -screenLock 5 seconds -password <administrator password>
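Review bot: Both commands take the administrator password as a command-line argument, which exposes it to other local processes via the argument list and leaves it in the shell history of whoever pastes it in; `sysadminctl` accepts `-` in place of the password to prompt for it, so `-password -` avoids that. Run in sequence, the second line also overrides the first, leaving a 5-second delay rather than `immediate` — that matches the `askForPasswordDelay` of 5 in the 2.10.2 profile fixture, so presumably only one of the two is meant to be used; a comment saying which line is the remediation and which is the test value, or commenting one of them out, would make the intent clear.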