From 1741c4ddd3a3e2a78a2452ad17ca9b8b4bb64748 Mon Sep 17 00:00:00 2001
From: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Date: Fri, 3 Mar 2023 14:06:15 -0500
Subject: [PATCH] CIS_MAC13_5.2.3_5.2.4 (#10248)
---
 ee/cis/macos-13/cis-policy-queries.yml | 23 ++++++++++++
 .../profiles/5.2.3-and-5.2.4.mobileconfig | 37 +++++++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 ee/cis/macos-13/test/profiles/5.2.3-and-5.2.4.mobileconfig
diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index 47060a056e..16ddb39805 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -1827,6 +1827,29 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: CIS - Ensure Complex Password Must Contain Alphabetic Characters AND Numeric Characters Is Configured (MDM Required)
+ platforms: macOS
+ platform: darwin
+ description: |
+ CIS - 5.2.3 - Complex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non- alphanumeric characters.
+ Ensure that an Alphabetic character is part of the password policy on the computer.
+ CIS - 5.2.4 - Complex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non- alphanumeric characters.
+ Ensure that a number or numeric value is part of the password policy on the computer.
+ resolution: |
+ Ask your system administrator to deploy an MDM profile that ensures Complex Password Must Contain Alphabetic Characters
+ query: |
+ SELECT 1 FROM managed_policies WHERE
+ domain = 'com.apple.mobiledevice.passwordpolicy' AND
+ name = 'requireAlphanumeric' AND
+ (value = 1 OR value = 'true')
+ LIMIT 1;
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level2, CIS-macos-13-5.2.3, CIS-macos-13-5.2.4
+ contributors: sharon-fdm
+---
+apiVersion: v1
+kind: policy
 spec:
 name: CIS - Ensure Password Age Is Configured (Fleetd Required)
 platforms: macOS
diff --git a/ee/cis/macos-13/test/profiles/5.2.3-and-5.2.4.mobileconfig b/ee/cis/macos-13/test/profiles/5.2.3-and-5.2.4.mobileconfig
new file mode 100644
index 0000000000..6555d780ce
--- /dev/null
+++ b/ee/cis/macos-13/test/profiles/5.2.3-and-5.2.4.mobileconfig
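Review bot: The query in the new policy does not constrain `username`, so it would appear to pass whenever any `managed_policies` row has `requireAlphanumeric` set, including one delivered at user scope for a single account; that is inferred from the table's schema rather than from anything shown in this hunk. If the check is meant to assert a device-wide setting, consider adding `username = '' AND` to the WHERE clause, after confirming how system-scope rows populate that column. Separately, the `resolution` text names only alphabetic characters although the policy covers both 5.2.3 and 5.2.4; something like `Ask your system administrator to deploy an MDM profile that sets requireAlphanumeric to true in the com.apple.mobiledevice.passwordpolicy payload.` would tell the reader exactly what to deploy.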
@@ -0,0 +1,37 @@
+
+
+
+
+ PayloadContent
+
+
+ PayloadDisplayName
+ test
+ PayloadType
+ com.apple.mobiledevice.passwordpolicy
+ PayloadIdentifier
+ com.fleetdm.cis-5.2.3-and-5.2.4.check
+ PayloadUUID
+ 207388F7-0144-4518-9CCD-9E488EF9C5D7
+ requireAlphanumeric
+
+
+
+ PayloadDescription
+ test
+ PayloadDisplayName
+ Require AlphaNumeric characters in password
+ PayloadIdentifier
+ com.fleetdm.cis-5.2.3-and-5.2.4
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadType
+ Configuration
+ PayloadUUID
+ 19BDCDC8-7E9E-48A6-9468-F87EE865F677
+ PayloadVersion
+ 1
+
+