From 399a6f53e7f1214fae6f964312f4f4d1a0f6e1a3 Mon Sep 17 00:00:00 2001
From: Lucas Manuel Rodriguez
Date: Thu, 9 Feb 2023 14:28:02 -0300
Subject: [PATCH] Add check for CIS 6.3.4 (#9766)
#9261
---
 ee/cis/macos-13/cis-policy-queries.yml | 31 ++++++++++++++
 .../macos-13/test/profiles/1.2.mobileconfig | 2 +-
 .../macos-13/test/profiles/6.3.4.mobileconfig | 41 +++++++++++++++++++
 3 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 ee/cis/macos-13/test/profiles/6.3.4.mobileconfig
diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index 4a24070cb6..b89ba56166 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -1927,6 +1927,37 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: CIS - Ensure Prevent Cross-site Tracking in Safari Is Enabled (MDM Required)
+ platforms: macOS
+ platform: darwin
+ description: |
+ Cross-tracking allows data-brokers to follow you across the Internet to enable their business model of
+ selling personal data. Users should protect their data and not volunteer it to marketing companies.
+ resolution: |
+ Automated method:
+ Ask your system administrator to deploy a profile via MDM with the following information:
+ 1. The PayloadType string is com.apple.Safari.
+ 2. The key to include is BlockStoragePolicy.
+ 3. The key must be set to: 2
+ 4. The key to also include is WebKitPreferences.storageBlockingPolicy
+ 5. The key must be set to: 1
+ 6. The key to also include is WebKitStorageBlockingPolicy
+ 7. The key must be set to: 1
+ query: |
+ SELECT 1 WHERE EXISTS (
+ SELECT 1 FROM managed_policies WHERE domain = 'com.apple.Safari' AND name = 'BlockStoragePolicy' AND value = '2'
+ ) AND EXISTS (
+ SELECT 1 FROM managed_policies WHERE domain = 'com.apple.Safari' AND name = 'WebKitPreferences.storageBlockingPolicy' AND value = '1'
+ ) AND EXISTS (
+ SELECT 1 FROM managed_policies WHERE domain = 'com.apple.Safari' AND name = 'WebKitStorageBlockingPolicy' AND value = '1'
+ );
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS6.3.4
+ contributors: lucasmrod
+---
+apiVersion: v1
+kind: policy
 spec:
 name: CIS - Ensure Advertising Privacy Protection in Safari Is Enabled (FDA Required)
 platforms: macOS
diff --git a/ee/cis/macos-13/test/profiles/1.2.mobileconfig b/ee/cis/macos-13/test/profiles/1.2.mobileconfig
index 9b4fe75500..5d576e4d7c 100644
--- a/ee/cis/macos-13/test/profiles/1.2.mobileconfig
+++ b/ee/cis/macos-13/test/profiles/1.2.mobileconfig
@@ -20,7 +20,7 @@
 PayloadDescription
 test
 PayloadDisplayName
- Ensure Auto Update Is Enabled
+ Ensure Auto Update Is Enabled
 PayloadIdentifier
 com.fleetdm.cis-1.2
 PayloadRemovalDisallowed
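Review bot: Each EXISTS in the new 6.3.4 query passes as soon as any managed_policies row for the key carries the compliant value, so a host where a second row for the same key (another profile, or a per-user preference if I read the table's username column correctly) sets a non-compliant value still reports as passing; none of the three predicates looks for conflicting rows. If "any compliant row" is the intended contract, it is worth stating next to the query, e.g. `-- passes when any managed policy row carries the expected value; conflicting rows for the same key are not detected`. Otherwise each key needs a guard against differing values, e.g. `AND NOT EXISTS (SELECT 1 FROM managed_policies WHERE domain = 'com.apple.Safari' AND name = 'BlockStoragePolicy' AND value != '2')`, repeated for the other two keys.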
diff --git a/ee/cis/macos-13/test/profiles/6.3.4.mobileconfig b/ee/cis/macos-13/test/profiles/6.3.4.mobileconfig
new file mode 100644
index 0000000000..88bde35973
--- /dev/null
+++ b/ee/cis/macos-13/test/profiles/6.3.4.mobileconfig
@@ -0,0 +1,41 @@
+
+
+
+
+ PayloadContent
+
+
+ PayloadDisplayName
+ test
+ PayloadType
+ com.apple.Safari
+ PayloadIdentifier
+ com.fleetdm.cis-6.3.4.check
+ PayloadUUID
+ E0560069-04EF-4985-815E-987A304F8EB7
+ BlockStoragePolicy
+ 2
+ WebKitPreferences.storageBlockingPolicy
+ 1
+ WebKitStorageBlockingPolicy
+ 1
+
+
+ PayloadDescription
+ test
+ PayloadDisplayName
+ Ensure Prevent Cross-site Tracking in Safari Is Enabled
+ PayloadIdentifier
+ com.fleetdm.cis-6.3.4
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadType
+ Configuration
+ PayloadUUID
+ E1D04566-15CE-458C-A0D1-5F6C7B9A6472
+ PayloadVersion
+ 1
+
+