From 3365fd736fe4a72cb34f43e5a73b39861e9057c3 Mon Sep 17 00:00:00 2001
From: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Date: Thu, 14 Mar 2024 13:13:29 -0400
Subject: [PATCH] Repurpose policies (#17560)

- Update CIS guest account policy
- Update guest account policy in dogfood
---
 ee/cis/macos-13/cis-policy-queries.yml | 5 +----
 ee/cis/macos-14/cis-policy-queries.yml | 5 +----
 .../lib/macos-device-health.policies.yml | 14 +-------------
 3 files changed, 3 insertions(+), 21 deletions(-)

diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index 6681502b22..29481efce6 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -2110,10 +2110,7 @@ spec:
 3. Select the i next to the Guest User
 4. Verify that Allow guests to log in to this computer is disable
 query: |
- SELECT 1 WHERE
- EXISTS(SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0)
- OR
- EXISTS(select 1 FROM plist WHERE path='/Library/Preferences/com.apple.MCX.plist' AND key='DisableGuestAccount' AND value = 1);
+ SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0;
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.12.1
 contributors: sharon-fdm
diff --git a/ee/cis/macos-14/cis-policy-queries.yml b/ee/cis/macos-14/cis-policy-queries.yml
index c38b97123a..d277be53fd 100644
--- a/ee/cis/macos-14/cis-policy-queries.yml
+++ b/ee/cis/macos-14/cis-policy-queries.yml
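Review bot: The single-predicate `query` in the macos-13 guest-account policy returns a row only when `/Library/Preferences/com.apple.loginwindow.plist` holds `GuestEnabled` with value 0. A host where that key is absent, or where guest login is disabled only through a managed profile (the `com.apple.MCX.plist` / `DisableGuestAccount` branch this commit drops), yields no row and is reported as failing. The macos-14 hunk applies the identical query and has the same consequence. If that stricter result is intended, the policy text should say so, for example by adding to its description `Passes only when GuestEnabled is explicitly 0 in com.apple.loginwindow.plist; settings enforced through a managed profile are not evaluated.` The policy entry starts above the hunk, so its description and resolution are only partly visible here.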
@@ -2110,10 +2110,7 @@ spec:
 3. Select the i next to the Guest User
 4. Verify that Allow guests to log in to this computer is disable
 query: |
- SELECT 1 WHERE
- EXISTS(SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0)
- OR
- EXISTS(select 1 FROM plist WHERE path='/Library/Preferences/com.apple.MCX.plist' AND key='DisableGuestAccount' AND value = 1);
+ SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0;
 purpose: Informational
 tags: compliance, CIS, CIS_Level1
 contributors: sharon-fdm
diff --git a/it-and-security/lib/macos-device-health.policies.yml b/it-and-security/lib/macos-device-health.policies.yml
index 85d046a84f..401c086fa0 100644
--- a/it-and-security/lib/macos-device-health.policies.yml
+++ b/it-and-security/lib/macos-device-health.policies.yml
@@ -17,19 +17,7 @@
 resolution: An an IT admin, deploy a macOS, login window profile with the DisableGuestAccount option set to true.
 platform: darwin
 - name: macOS - Require 10 character password
- query: SELECT 1 WHERE
- EXISTS (
- SELECT 1 FROM managed_policies WHERE
- domain='com.apple.screensaver' AND
- name='askForPassword' AND
- CAST(value AS INT)
- )
- AND EXISTS (
- SELECT 1 FROM managed_policies WHERE
- domain='com.apple.screensaver' AND
- name='minLength' AND
- CAST(value AS INT) <= 10
- );
+ query: SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0;
 critical: false
 description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host.
 resolution: An an IT admin, deploy a macOS, screensaver profile with the askForPassword option set to true and minLength option set to 10.
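Review bot: The added `query` sits under `- name: macOS - Require 10 character password` but tests `GuestEnabled` in `com.apple.loginwindow.plist`, while the unchanged `description` and `resolution` just below it still describe the screensaver `askForPassword` / `minLength` requirement. As written, this policy's pass/fail result reflects guest-account state, and nothing visible in the file checks password length any more, so the compliance report would be labelled for a control it no longer measures. The entry just above, whose `resolution` about DisableGuestAccount appears as context at the top of the hunk, looks like the intended target, though its name and query lie outside the hunk. If so, move the added line to that entry and keep a password-length check here. Otherwise rename this policy and rewrite `description` and `resolution` to match the guest-account check.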