Sharon Katz 2023-02-02 12:50:01 -05:00 committed by GitHub
parent dfe6b53963
commit 647c15a909
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 38 additions and 0 deletions


@ -892,6 +892,35 @@ spec:
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Home Folders Are Secure
platforms: macOS
platform: darwin
description: |
By default, macOS allows all valid users into the top level of every other user's home folder and restricts access to the Apple default folders within. Another user on the same system can see you have a "Documents" folder but cannot see inside it. This configuration does work for personal file sharing but can expose user files to standard accounts on the system.
The best parallel for Enterprise environments is that everyone who has a Dropbox account can see everything that is at the top level but can't see your pictures. Similarly with macOS, users can see into every new Directory that is created because of the default permissions.
Home folders should be restricted to access only by the user. Sharing should be used on dedicated servers or cloud instances that are managing access controls. Some environments may encounter problems if execute rights are removed as well as read and write. Either no access or execute only for group or others is acceptable.
resolution: |
Automated method:
Ask your system administrator to deploy a script that will go over all users and set the mode for all of them either like this:
/usr/bin/sudo /bin/chmod -R og-rwx /Users/<username>
Or like this if there is a need for excutable access:
/usr/bin/sudo /bin/chmod -R og-rw /Users/<username>
query: SELECT 1 WHERE NOT EXISTS (
SELECT 1 FROM file WHERE (
path LIKE '/Users/%'
AND path != '/Users/Shared/'
AND mode != "0700"
AND mode !="0701"
AND mode !="0710"
AND mode !="0711"
));
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS5.1.1
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure System Integrity Protection Status (SIP) Is Enabled
platforms: macOS
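Review bot: the inner SELECT of the new "Ensure Home Folders Are Secure" query is not restricted to directories, so any plain file that lives directly under /Users (macOS ships /Users/.localized, for example, with group/other read bits set) trips the `NOT EXISTS` and makes the policy fail on every host even when all home folders are already 0700. Add `AND type = 'directory'` to the inner SELECT (the osquery `file` table exposes `type`), and consider `AND filename NOT LIKE '.%'` if hidden entries should also be ignored. Two smaller points in the same query: the mode literals use double quotes (`AND mode != "0700"`) while the path literal uses single quotes (`path LIKE '/Users/%'`); SQLite treats double quotes as identifier quotes and only falls back to string literals, so use single quotes throughout. And `AND path != '/Users/Shared/'` only excludes the Shared folder if the table returns directory paths with a trailing slash; `AND filename != 'Shared'` works either way. In the resolution text, "excutable" should read "executable", and since both `chmod -R og-rwx` and `chmod -R og-rw` are offered, it would help to note that the query accepts exactly the modes those two commands produce (0700, 0701, 0710, 0711) so readers see why 0711 passes.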
@ -930,6 +959,7 @@ spec:
query: SELECT 1 FROM pwd_policy where max_failed_attempts <= 5;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS5.2.1
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
@ -960,6 +990,7 @@ spec:
WHERE minlength >= 15);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS5.2.2
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
@ -984,6 +1015,7 @@ spec:
EXISTS(SELECT 1 FROM pwd_policy WHERE days_to_expiration <= 365);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS5.2.7
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
@ -1004,3 +1036,4 @@ spec:
query: SELECT 1 FROM pwd_policy where history_depth >= 15;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS5.2.8
contributors: sharon-fdm


@ -0,0 +1,5 @@
#!/bin/bash
for i in $(/usr/bin/sudo dscl . list /Users | grep -v "^_"); do
/usr/bin/sudo /bin/chmod -R og-rwx /Users/"$i"
done
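Review bot: the loop assumes every account returned by `dscl . list /Users` has its home folder at /Users/<name>, but `grep -v "^_"` only drops underscore-prefixed service accounts; root, daemon and nobody are still listed and their home folders are under /var, so `chmod -R og-rwx /Users/"$i"` will error for them on every run. Read each account's home with `dscl . -read /Users/"$i" NFSHomeDirectory` and skip anything not under /Users, or at minimum guard the chmod with `[ -d "/Users/$i" ] || continue`. The policy's resolution text offers two variants (`og-rwx`, or `og-rw` where execute access is needed) but the script hardcodes `og-rwx`; taking the mode as a positional argument would let one script serve both. Running `/usr/bin/sudo` inside the loop also means a password prompt per account when run interactively and a hang when run from an MDM; run the whole script as root and drop the per-command sudo (`dscl . list` needs no privileges anyway). A header comment naming the control (CIS 5.1.1) and the policy this script remediates would make the file self-describing.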