From 61da4d3331715f2d37093377fdb6403646e6f3b3 Mon Sep 17 00:00:00 2001
From: Artemis Tosini <artemis@fleetdm.com>
Date: Mon, 6 Feb 2023 17:12:17 -0500
Subject: [PATCH] Add macOS CIS 2.3.3.4 (Printer Sharing) (#9665)

This makes sure printer sharing is disabled on macOS using the CUPS
configuration file. This script makes a change that both works and is
reflected in the macOS UI, unlike many of the scripts
---
 ee/cis/macos-13/cis-policy-queries.yml      | 28 +++++++++++++++++++++
 ee/cis/macos-13/test/scripts/CIS_2.3.3.4.sh |  3 +++
 2 files changed, 31 insertions(+)
 create mode 100755 ee/cis/macos-13/test/scripts/CIS_2.3.3.4.sh

diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index 5225459fbe..0435b96020 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -327,6 +327,34 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+  name: CIS - Ensure Printer Sharing is Disabled
+  platforms: macOS
+  platform: darwin
+  description: |
+    By enabling Printer Sharing, the computer is set up as a
+    print server to accept print jobs from other computers.
+    Dedicated print servers or direct IP printing should be used instead.
+    Disabling Printer Sharing mitigates the risk of attackers
+    attempting to exploit the print server to gain access to the system.
+  resolution: |
+    Graphical Method:
+    1. Open System Settings
+    2. Select General
+    3. Select Sharing
+    4. Set Printer Sharing to disabled
+  query: |
+    SELECT 1 WHERE NOT EXISTS (
+      SELECT * FROM file_lines WHERE
+        path = '/etc/cups/cupsd.conf' AND
+        line LIKE '%Allow @LOCAL%'
+      );
+  purpose: Informational
+  tags: compliance, CIS, CIS_Level1, CIS2.3.3.4
+  contributors: artemist-work
+---
+apiVersion: v1
+kind: policy
 spec:
   name: CIS - Ensure Remote Login Is Disabled
   platforms: macOS
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.3.3.4.sh b/ee/cis/macos-13/test/scripts/CIS_2.3.3.4.sh
new file mode 100755
index 0000000000..e539ce313c
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_2.3.3.4.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+/usr/bin/sudo /usr/sbin/cupsctl --no-share-printers