From d36e89a0efa4650f44565bba40039bc0cd0f5821 Mon Sep 17 00:00:00 2001
From: Artemis Tosini
Date: Thu, 9 Feb 2023 13:46:42 -0500
Subject: [PATCH] Add macOS CIS 6.3.3 (Safari Safe Browsing) (#9778)
---
 ee/cis/macos-13/cis-policy-queries.yml | 25 ++++++++++++-
 .../macos-13/test/profiles/6.3.3.mobileconfig | 37 +++++++++++++++++++
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 ee/cis/macos-13/test/profiles/6.3.3.mobileconfig
diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index 0b12e5af5..062debc9b 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -1983,6 +1983,29 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: CIS - Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled (MDM Required)
+ platforms: macOS
+ platform: darwin
+ description: |
+ Apple uses the Google Safe Browsing API to check for fraudulent websites and report them to the
+ user attempting visit one. Attackers use crafted web pages to social engineer users to load
+ unwanted content. Warning users prior to loading the content enables better security.
+ resolution: |
+ Payload Method:
+ Ask your administrator to deploy a profile which enableds WarnAboutFraudulentWebsites in Safari
+ query: |
+ SELECT 1 FROM managed_policies WHERE
+ domain = 'com.apple.Safari' AND
+ name = 'WarnAboutFraudulentWebsites' AND
+ value = '1'
+ LIMIT 1;
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS6.3.3
+ contributors: artemist-work
+---
+apiVersion: v1
+kind: policy
 spec:
 name: CIS - Ensure Prevent Cross-site Tracking in Safari Is Enabled (MDM Required)
 platforms: macOS
@@ -2099,4 +2122,4 @@ spec:
 AND value == 1;
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS6.4.1
- contributors: sharon-fdm
\ No newline at end of file
+ contributors: sharon-fdm
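Review bot: The `query` added for CIS 6.3.3 does not constrain the `username` column of `managed_policies`, so a managed preference that applies to only one user would presumably be enough for `SELECT 1 ... LIMIT 1` to mark the whole host as passing. The test profile in this commit sets `PayloadScope` to `System`, so the user-scoped case is not exercised; if host-wide enforcement is what the policy asserts, narrow the query or state the intent in a comment, after checking on a test host how system-scoped rows are reported. The added `description` and `resolution` strings carry two typos, `attempting visit one` and `enableds`, which will appear in the policy text shown to administrators. This query also compares with `value = '1'` while the 6.4.1 policy visible in the later hunk's context uses `value == 1`; using one form across the file would make the checks easier to audit.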
diff --git a/ee/cis/macos-13/test/profiles/6.3.3.mobileconfig b/ee/cis/macos-13/test/profiles/6.3.3.mobileconfig
new file mode 100644
index 000000000..250550d14
--- /dev/null
+++ b/ee/cis/macos-13/test/profiles/6.3.3.mobileconfig
@@ -0,0 +1,37 @@
+
+
+
+
+ PayloadContent
+
+
+ PayloadDisplayName
+ test
+ PayloadType
+ com.apple.Safari
+ PayloadIdentifier
+ com.fleetdm.cis-6.3.3.check
+ PayloadUUID
+ AA1CF4AE-446C-41B0-8B06-ADEAEF9F0505
+ WarnAboutFraudulentWebsites
+
+
+
+ PayloadDescription
+ test
+ PayloadDisplayName
+ Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled
+ PayloadIdentifier
+ com.fleetdm.cis-6.3.3
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadType
+ Configuration
+ PayloadUUID
+ 130308F8-916A-449D-9711-34A31DCCD39D
+ PayloadVersion
+ 1
+
+