mirror of
https://github.com/fleetdm/fleet
synced 2026-05-23 17:08:53 +00:00
Add CIS check for 5.8 (#9750)
#9260

- ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`.~ See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~
- ~[ ] Added/updated tests~
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
  - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.
  - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
This commit is contained in:
parent
d4a1b4d218
commit
2265c84b2a
2 changed files with 31 additions and 3 deletions
|
|
@ -1614,9 +1614,7 @@ spec:
|
|||
Over time, passwords can be captured by third parties through mistakes, phishing attacks, third-party breaches, or merely brute-force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed), users must reset passwords periodically. This control ensures that previous passwords are not reused immediately by keeping a history of previous password hashes. Ensure that password history checks are part of the password policy on the computer. This control checks whether a new password is different than the previous 15. The latest NIST guidance based on exploit research referenced in this section details how one of the greatest risks is password exposure rather than password cracking. Passwords should be changed to a new unique value whenever a password might have been exposed to anyone other than the account holder. Attackers have maintained persistent control based on predictable password change patterns and substantially different patterns should be used in case of a leak.
|
||||
resolution: |
|
||||
Automated method:
|
||||
Ask your system administrator to deploy an MDM profile that disables Guest Account.
|
||||
Profile Method:
|
||||
Create or edit a configuration profile with the following information:
|
||||
Ask your system administrator to deploy an MDM profile with the following information:
|
||||
1. The Payload Type string is com.apple.mobiledevice.passwordpolicy
|
||||
2. The key to include is pinHistory
|
||||
3. The key must be set to <integer><value≥15></integer>
|
||||
|
|
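Review bot: whichever two lines this hunk drops from the pinHistory resolution block, the text that remains should not keep "Ask your system administrator to deploy an MDM profile that disables Guest Account", since that sentence describes a different control and contradicts the numbered steps, which set `pinHistory` in a `com.apple.mobiledevice.passwordpolicy` payload. The block also carries two consecutive lead-ins before the steps ("Create or edit a configuration profile with the following information:" and "Ask your system administrator to deploy an MDM profile with the following information:"); keep only one so the resolution reads as a single procedure.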
@ -1651,6 +1649,31 @@ spec:
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure a Login Window Banner Exists
|
||||
platforms: macOS
|
||||
platform: darwin
|
||||
description: |
|
||||
An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid
|
||||
in the prosecution of an attacker by evincing the attacker's knowledge of the system's private status,
|
||||
acceptable use policy, and authorization requirements.
|
||||
resolution: |
|
||||
Automated method:
|
||||
Ask your system administrator to deploy the following script:
|
||||
echo "Content of the banner" | sudo tee /Library/Security/PolicyBanner.txt
|
||||
/usr/bin/sudo /usr/sbin/chown root:wheel /Library/Security/PolicyBanner.txt
|
||||
/usr/bin/sudo /bin/chmod o+r /Library/Security/PolicyBanner.txt
|
||||
query: |
|
||||
SELECT 1 FROM file
|
||||
WHERE (path = '/Library/Security/PolicyBanner.txt' OR
|
||||
path = '/Library/Security/PolicyBanner.rtf') AND mode = '0644'
|
||||
AND uid = 0 AND gid = 0;
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS5.8
|
||||
contributors: lucasmrod
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure Show All Filename Extensions Setting is Enabled
|
||||
platforms: macOS
|
||||
|
|
|
|||
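Review bot: the resolution and the query for "CIS - Ensure a Login Window Banner Exists" disagree on the file mode. The resolution runs `/usr/bin/sudo /bin/chmod o+r /Library/Security/PolicyBanner.txt`, which only adds the other-read bit, so the final mode depends on the umask in effect when `sudo tee` created the file (a 0600 file becomes 0604), while the query requires exactly `mode = '0644'`; a host that follows the resolution to the letter can therefore still fail the check. Use `/bin/chmod 644 /Library/Security/PolicyBanner.txt` in the resolution so the remediation produces precisely the state the query asserts.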
5
ee/cis/macos-13/test/scripts/CIS_5.8.sh
Executable file
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
echo "Content of the banner" | sudo tee /Library/Security/PolicyBanner.txt
|
||||
/usr/bin/sudo /usr/sbin/chown root:wheel /Library/Security/PolicyBanner.txt
|
||||
/usr/bin/sudo /bin/chmod o+r /Library/Security/PolicyBanner.txt
|
||||
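Review bot: this test script mirrors the resolution commands, so it inherits the same gap: `chmod o+r` does not pin the mode to the `0644` the policy query checks, and the script runs without `set -e`, so a failed `tee` (for example, when `sudo` prompts and is denied) still lets the `chown` and `chmod` run and the test reports nothing. Add `set -euo pipefail` after the shebang and change the last line to `/usr/bin/sudo /bin/chmod 644 /Library/Security/PolicyBanner.txt` so the script leaves the file exactly as the 5.8 query expects.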