diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index 48a3d64b8a..e378e47bce 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -712,6 +712,27 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: CIS - Ensure Guest Access to Shared Folders Is Disabled
+ platforms: macOS
+ platform: darwin
+ description: Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network
+ resolution: |
+ Automated method:
+ Ask your system administrator to deploy the following script which will disable guest users from access to shared folders:
+ /usr/bin/sudo /usr/sbin/sysadminctl -smbGuestAccess off
+ Graphical Method:
+ Perform the following steps to no longer allow guest user access to shared folders:
+ 1. Open System Settings
+ 2. Select Users & Groups
+ 3. Select the i next to the Guest User
+ 4. Set Allow guests to connect to shared folders to disabled
+ query: SELECT 1 from plist where path = '/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist' AND key = 'AllowGuestAccess' AND value = 0;
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS2.12.2
+---
+apiVersion: v1
+kind: policy
 spec:
 name: CIS - Ensure Automatic Login Is Disabled (MDM Required)
 platforms: macOS
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.10.3.sh b/ee/cis/macos-13/test/scripts/CIS_2.10.3.sh
index bc6ca6801e..048bf03195 100755
--- a/ee/cis/macos-13/test/scripts/CIS_2.10.3.sh
+++ b/ee/cis/macos-13/test/scripts/CIS_2.10.3.sh
@@ -1 +1,3 @@
+#!/bin/bash
+
 sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Test Message 1"
\ No newline at end of file
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.10.4.sh b/ee/cis/macos-13/test/scripts/CIS_2.10.4.sh
index 64ee7db1b0..2862a52444 100755
--- a/ee/cis/macos-13/test/scripts/CIS_2.10.4.sh
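Review bot: The new CIS 2.12.2 policy's `query` passes only when `AllowGuestAccess` is present in com.apple.smb.server.plist with value 0, so a host where the key (or the plist) has never been written returns no rows and is reported as failing. If failing on an absent key is intended, the `description` should say so, and it should state the risk rather than only what the setting does, e.g. `Guest access lets anyone on the network connect to shared folders without authenticating. The policy passes only when AllowGuestAccess is explicitly set to 0.` It is also worth confirming on a test host that the plist table renders this key as 0 after `sysadminctl -smbGuestAccess off`, since the `value = 0` comparison depends on how the stored type is stringified.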
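Review bot: The command in CIS_2.10.3.sh still resolves `sudo` through the caller's PATH even though it spells out `/usr/bin/defaults`; the same holds for CIS_2.10.4.sh, CIS_2.10.5.sh, CIS_2.12.1.sh, CIS_2.12.3.sh, CIS_2.6.2.sh, CIS_2.6.4.sh and the two not_always_working scripts, and CIS_2.11.1.sh also calls `dscl` by bare name. The new CIS_2.12.2.sh already uses `/usr/bin/sudo`, and using that form throughout keeps these privileged scripts from picking up a different binary from a modified PATH, e.g. `/usr/bin/sudo /usr/bin/defaults write ...`. These lines are unchanged context in the hunks, so this would be a follow-up to the shebang change rather than a fix to it.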
+++ b/ee/cis/macos-13/test/scripts/CIS_2.10.4.sh
@@ -1 +1,3 @@
+#!/bin/bash
+
 sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
\ No newline at end of file
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.10.5.sh b/ee/cis/macos-13/test/scripts/CIS_2.10.5.sh
index 0dae154973..2c3b51b2d6 100755
--- a/ee/cis/macos-13/test/scripts/CIS_2.10.5.sh
+++ b/ee/cis/macos-13/test/scripts/CIS_2.10.5.sh
@@ -1 +1,3 @@
+#!/bin/bash
+
 sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0
\ No newline at end of file
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.11.1.sh b/ee/cis/macos-13/test/scripts/CIS_2.11.1.sh
index 67b775aba8..2300483f0b 100755
--- a/ee/cis/macos-13/test/scripts/CIS_2.11.1.sh
+++ b/ee/cis/macos-13/test/scripts/CIS_2.11.1.sh
@@ -1 +1,3 @@
+#!/bin/bash
+
 sudo dscl . -list /Users hint . -delete /Users/
\ No newline at end of file
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.12.1.sh b/ee/cis/macos-13/test/scripts/CIS_2.12.1.sh
index c324af99c6..619f9153c9 100755
--- a/ee/cis/macos-13/test/scripts/CIS_2.12.1.sh
+++ b/ee/cis/macos-13/test/scripts/CIS_2.12.1.sh
@@ -1,2 +1,4 @@
+#!/bin/bash
+
 sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false
 sudo /usr/bin/defaults write /Library/Preferences/com.apple.MCX DisableGuestAccount -bool true
\ No newline at end of file
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.12.2.sh b/ee/cis/macos-13/test/scripts/CIS_2.12.2.sh
new file mode 100755
index 0000000000..a6bccab0d1
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_2.12.2.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+/usr/bin/sudo /usr/sbin/sysadminctl -smbGuestAccess off
+
+
+# For testing
+# Get Status: /usr/bin/sudo /usr/sbin/sysadminctl -smbGuestAccess status
+# Set to enabled: /usr/bin/sudo /usr/sbin/sysadminctl -smbGuestAccess on
+
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.12.3.sh b/ee/cis/macos-13/test/scripts/CIS_2.12.3.sh
index a9620cc8e4..fbf775dbdc 100755
--- a/ee/cis/macos-13/test/scripts/CIS_2.12.3.sh
+++ b/ee/cis/macos-13/test/scripts/CIS_2.12.3.sh
@@ -1 +1,3 @@
+#!/bin/bash
+
 sudo /usr/bin/defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
\ No newline at end of file
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.6.2.sh b/ee/cis/macos-13/test/scripts/CIS_2.6.2.sh
index e6f46b2092..00fc667cbe 100644
--- a/ee/cis/macos-13/test/scripts/CIS_2.6.2.sh
+++ b/ee/cis/macos-13/test/scripts/CIS_2.6.2.sh
@@ -1,3 +1,5 @@
+#!/bin/bash
+
 sudo /usr/bin/defaults write /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit -bool false
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.6.4.sh b/ee/cis/macos-13/test/scripts/CIS_2.6.4.sh
index fdc670807b..9d62022c8f 100755
--- a/ee/cis/macos-13/test/scripts/CIS_2.6.4.sh
+++ b/ee/cis/macos-13/test/scripts/CIS_2.6.4.sh
@@ -1 +1,3 @@
+#!/bin/bash
+
 sudo /usr/sbin/spctl --master-enable
diff --git a/ee/cis/macos-13/test/scripts/not_always_working_CIS_2.10.1.sh b/ee/cis/macos-13/test/scripts/not_always_working_CIS_2.10.1.sh
index 3ac450c53f..f883ba341a 100755
--- a/ee/cis/macos-13/test/scripts/not_always_working_CIS_2.10.1.sh
+++ b/ee/cis/macos-13/test/scripts/not_always_working_CIS_2.10.1.sh
@@ -1,2 +1,4 @@
+#!/bin/bash
+
 #replace username
 sudo -u /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int 1200
\ No newline at end of file
diff --git a/ee/cis/macos-13/test/scripts/not_always_working_CIS_2.10.2.sh b/ee/cis/macos-13/test/scripts/not_always_working_CIS_2.10.2.sh
index 00e00f63d8..844c44f6a8 100755
--- a/ee/cis/macos-13/test/scripts/not_always_working_CIS_2.10.2.sh
+++ b/ee/cis/macos-13/test/scripts/not_always_working_CIS_2.10.2.sh
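Review bot: CIS_2.6.2.sh gains a `#!/bin/bash` line but its index line still shows mode 100644, while every other script touched in this commit is 100755, so the shebang has no effect until the file is made executable. Setting the mode in the same commit, e.g. `git update-index --chmod=+x ee/cis/macos-13/test/scripts/CIS_2.6.2.sh`, would bring it in line with its siblings.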
@@ -1,2 +1,4 @@
+#!/bin/bash
+
 sudo /usr/sbin/sysadminctl -screenLock immediate -password
 sudo /usr/sbin/sysadminctl -screenLock 5 seconds -password
\ No newline at end of file
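Review bot: Both `sysadminctl -screenLock ... -password` lines in not_always_working_CIS_2.10.2.sh end at the `-password` flag with no argument visible, so the hunk does not show how the credential is meant to be supplied. If a literal password is expected there, it would land in shell history and be readable in the process list; a comment above the commands should tell the tester to let sysadminctl prompt instead, e.g. `# use "-password -" to be prompted; never put the password on the command line`. The two commands also set different lock delays one after the other, so a second comment saying they are alternatives rather than a sequence would help.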