Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-24 09:28:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 42

CIS Update - macOS 14, CIS v1.1.0 (#21478)

Browse source 
Changelog

ADD:

    ADD - 2.3.3.2 Ensure the Time Service Is Enabled
    ADD - 6.3.10 Ensure Show Status Bar Is Enabled

REMOVE:

    REMOVE - 2.3.2.2 Ensure Time Is Set Within Appropriate Limits


UPDATE:

    UPDATE - 2.6.1.2  Ensure Location Services Is in the Menu Bar
    UPDATE - 3.1 Ensure Security Auditing Is Enabled 
UPDATE - 5.1.6 Ensure No World Writable Folders Exist in the System
Folder
UPDATE - 5.7 Ensure an Administrator Account Cannot Login to Another
User's Active and Locked Session
UPDATE - 2.9.1.1 Ensure the OS Is Not Active When Resuming from Standby
(Intel)
UPDATE - 2.9.1.2 Ensure the OS Is Not Active When Resuming from Sleep
and Display Sleep (Apple Silicon)

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
This commit is contained in:
Josh Brower 2024-10-21 15:24:36 -04:00 committed by GitHub
parent 8d27835976
commit 16afe9f7c0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 58 additions and 25 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
ee/cis/macos-14/README.md
View file

@ -1,6 +1,6 @@
# macOS 14.0 Sonoma benchmark
# macOS 14 Sonoma benchmark
Fleet's policies have been written against v1.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version.
Fleet's policies have been written against v1.1.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version.
For requirements and usage details, see the [CIS Benchmarks](https://fleetdm.com/docs/using-fleet/cis-benchmarks) documentation.

79
ee/cis/macos-14/cis-policy-queries.yml
View file

@ -1,5 +1,5 @@
---
# The latest version of CIS Benchmarks for macOS as of January 2024 for macOS 14.
# The latest version of CIS Benchmarks for macOS as of August 2024 for macOS 14.
apiVersion: v1
kind: policy
spec:
@ -518,17 +518,19 @@ spec:
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Time Is Set Within Appropriate Limits (Fleetd Required)
name: CIS - Ensure the Time Service Is Enabled
platforms: macOS
platform: darwin
description: |
Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries.
The time offset compared to time.apple.com must be between -270.x and 270.x seconds.
resolution: Make sure the device can connect to time.apple.com to synchronize time.
query: SELECT * FROM sntp_request WHERE server = 'time.apple.com' AND clock_offset_ms <= 270000 AND clock_offset_ms >= -270000;
In macOS 10.14, Apple replace ntp with timed for time services, and is used to ensure correct time is kept. Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries.
resolution: |
Ask your system administrator to deploy a script that will configure:
/usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.timed.plist
query: |
SELECT 1 WHERE EXISTS(SELECT * FROM processes WHERE path = '/usr/libexec/timed');
purpose: Informational
tags: compliance, CIS, CIS_Level1
contributors: lucasmrod
contributors: defensivedepth
---
apiVersion: v1
kind: policy
@ -1366,10 +1368,10 @@ spec:
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Location Services Is in the Menu Bar
name: CIS - Ensure 'Show Location Icon in Control Center when System Services Request Your Location' Is Enabled
platforms: macOS
platform: darwin
description: Checks that Location Services option is presented in the Menu Bar.
description: This setting provides the user an understanding of the current status of Location Services and which applications are using it.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that enables the "location services" icon in menu bar when System Services request your location.
@ -1713,15 +1715,16 @@ spec:
that can be attempted against the RAM that has the encryption keys or the running operating system protected
by a login screen.
Mac systems should be set to hibernate after sleeping for a risk-acceptable time period.
MacBooks should be set so that the `standbydelay` is 15 minutes (900 seconds) or less.
Mac systems should be set to hibernate after sleeping for a risk-acceptable time period.
Organizations may still decide to use hibernate after sleeping if there is a security need
(ex. international travel), but it can cause kernel panics in Apple Silicon Macs.
resolution: |
Ask your system administrator to deploy the following script to Macbook devices:
if [[ $(uname -m) == 'arm64' ]]; then
# Apple silicon
/usr/bin/sudo /usr/bin/pmset -a standby 900
/usr/bin/sudo /usr/bin/pmset -a destroyfvkeyonstandby 1
/usr/bin/sudo /usr/bin/pmset -a hibernatemode 25
else
# Intel
/usr/bin/sudo /usr/bin/pmset -a standbydelaylow 900
@ -1762,12 +1765,11 @@ spec:
SELECT 1 FROM system_info WHERE cpu_type = 'arm64e'
) AND EXISTS (
SELECT
CAST(JSON_EXTRACT(battery, '$.standby') AS INTEGER) AS standby,
CAST(JSON_EXTRACT(battery, '$.hibernatemode') AS INTEGER) AS hibernatemode
CAST(JSON_EXTRACT(battery, '$.standby') AS INTEGER) AS standby
FROM (
SELECT JSON_EXTRACT(json_result, '$.Battery Power:') AS battery FROM pmset WHERE getting = 'custom'
)
WHERE standby <= 900 AND hibernatemode = 25
WHERE standby <= 900
)
)
);
@ -2213,11 +2215,12 @@ spec:
platforms: macOS
platform: darwin
description: |
macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log.
macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log. Apple has deprecated auditd as of macOS 11.0 Big Sur. In macOS 14.0 Sonoma it is no longer enabled by default..
resolution: |
Automated method:
Ask your system administrator to deploy the following script which will enable security auditing:
Ask your system administrator to deploy the following script which will enable security auditing and create the audit_control file::
/usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
/usr/bin/sudo /bin/cp /etc/security/audit_control.example /etc/security/audit_control
query: |
SELECT 1 WHERE EXISTS (
SELECT
@ -2664,14 +2667,11 @@ spec:
platforms: macOS
platform: darwin
description: |
Software sometimes insists on being installed in the /System/Volumes/Data/System Directory and has inappropriate world-writable permissions.
Macs with writable files in System should be investigated forensically. A file with open writable permissions is a sign of at best a rogue application.
It could also be a sign of a computer compromise and a persistent presence on the system.
The audit check excludes the "Drop Box" folder that is part of Apple's default user template.
Software sometimes insists on being installed in the /System/Volumes/Data/System Directory and has inappropriate world-writable permissions. Macs with writable files in System should be investigated forensically. A file with open writable permissions is a sign of at best a rogue application. It could also be a sign of a computer compromise and a persistent presence on the system.
resolution: |
Ask your system administrator to deploy a script that will ensure folders are not world-writable in the /System folder.
/usr/bin/sudo IFS=$'\n'
for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "Drop Box" );
for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -vE "Drop Box|locks" );
do
/bin/chmod -R o-w "$sysPermissions"
done
@ -3035,13 +3035,13 @@ spec:
resolution: |
Automated method:
Ask your system administrator to deploy a script that runs the following:
/usr/bin/sudo /usr/bin/security authorizationdb write system.login.screensaver use-login-window-ui
/usr/bin/sudo /usr/bin/security authorizationdb write system.login.screensaver authenticate-session-owner
query: |
SELECT 1 WHERE EXISTS (
SELECT JSON_EXTRACT(json_result, '$.rule') AS rule
FROM authdb
WHERE right_name = 'system.login.screensaver' AND
rule LIKE '%use-login-window-ui%'
rule LIKE '%authenticate-session-owner%'
);
purpose: Informational
tags: compliance, CIS, CIS_Level1
@ -3448,6 +3448,39 @@ spec:
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Show Status Bar Is Enabled (MDM Required)
platforms: macOS
platform: darwin
description: |
The Status Bar in Safari shows the full URL of any link on hover. It protects the user from visiting sites where the domain has been obfuscated by allowing the user to review whether the link points to an unexpected location.
resolution: |
Automated method:
Profile Method:
Create or edit a configuration profile with the following information:
1. The PayloadType string is com.apple.Safari
2. The key to include is ShowOverlayStatusBar
3. The key must be set to: <true/>
query: |
SELECT 1 WHERE
EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.Safari' AND
name='ShowOverlayStatusBar' AND
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.Safari' AND
name='ShowOverlayStatusBar' AND
(value != 1 AND value != 'true')
);
purpose: Informational
tags: compliance, CIS, CIS_Level1
contributors: defensivedepth
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Secure Keyboard Entry Terminal.app Is Enabled (MDM Required)
platforms: macOS