From 1fc799577dc6b003ef2a113a88bbd04184600fc3 Mon Sep 17 00:00:00 2001
From: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Date: Thu, 9 Feb 2023 13:22:36 -0500
Subject: [PATCH] CIS 6.4.1 (#9773)
---
 ee/cis/macos-13/cis-policy-queries.yml | 26 ++++++++++++-
 .../macos-13/test/profiles/6.4.1.mobileconfig | 37 +++++++++++++++++++
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 ee/cis/macos-13/test/profiles/6.4.1.mobileconfig
diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index aeb0080e8b..a817f3be44 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -2075,4 +2075,28 @@ spec:
 AND value = 1;
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS6.3.7
- contributors: sharon-fdm
\ No newline at end of file
+ contributors: sharon-fdm
+---
+ apiVersion: v1
+ kind: policy
+ spec:
+ name: CIS - Ensure Secure Keyboard Entry Terminal.app Is Enabled (MDM Required)
+ platforms: macOS
+ platform: darwin
+ description: |
+ Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal. Unauthorized applications and malicious code could intercept keystrokes entered in the Terminal.
+ Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal.
+ resolution: |
+ Profile Method:
+ Create or edit a configuration profile with the following information:
+ 1. The PayloadType string is com.apple.Terminal
+ 2. The key to include is SecureKeyboardEntry
+ 3. The key must be set to
+
+ query: |
+ SELECT 1 from managed_policies WHERE domain = 'com.apple.Terminal'
+ AND name = 'SecureKeyboardEntry'
+ AND value == 1;
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS6.4.1
+ contributors: sharon-fdm
\ No newline at end of file
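Review bot: The `query` of the new CIS 6.4.1 policy passes as soon as any `managed_policies` row matches the domain, name and value, and that osquery table also has a `username` column for user-scoped managed preferences, so a profile delivered to a single user could mark the whole host as compliant. If the control is meant to be device-wide (the accompanying test profile sets `PayloadScope` to System), state that in `resolution`, or add a scope predicate such as `AND username = ''` once it is confirmed on a test host how system-scoped rows are reported. On style, `AND value == 1;` and the lowercase `from` differ from the preceding policy's `AND value = 1;`; using `=` and `FROM` keeps the file consistent. The file again ends without a trailing newline, so the next appended policy will repeat the `contributors` line churn seen at the top of this hunk.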
diff --git a/ee/cis/macos-13/test/profiles/6.4.1.mobileconfig b/ee/cis/macos-13/test/profiles/6.4.1.mobileconfig
new file mode 100644
index 0000000000..9aca882491
--- /dev/null
+++ b/ee/cis/macos-13/test/profiles/6.4.1.mobileconfig
@@ -0,0 +1,37 @@
+
+
+
+
+ PayloadContent
+
+
+ PayloadDisplayName
+ test
+ PayloadType
+ com.apple.Terminal
+ PayloadIdentifier
+ com.fleetdm.cis-6.4.1.check
+ PayloadUUID
+ E8D36749-D7F8-4280-9B17-D6224B67B63B
+ SecureKeyboardEntry
+
+
+
+ PayloadDescription
+ test
+ PayloadDisplayName
+ Ensure Secure Keyboard Entry Terminal.app Is Enabled
+ PayloadIdentifier
+ com.fleetdm.cis-6.4.1
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadType
+ Configuration
+ PayloadUUID
+ D4C0B4CC-D39A-4F0F-AF8A-AB5A73D02B3F
+ PayloadVersion
+ 1
+
+