From 647c15a9091d6728d902f90c25fd6b9d7dccdeac Mon Sep 17 00:00:00 2001
From: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Date: Thu, 2 Feb 2023 12:50:01 -0500
Subject: [PATCH] CIS 5.1.1 (#9617)
---
 ee/cis/macos-13/cis-policy-queries.yml | 33 +++++++++++++++++++++++
 ee/cis/macos-13/test/scripts/CIS_5.1.1.sh | 5 ++++
 2 files changed, 38 insertions(+)
 create mode 100755 ee/cis/macos-13/test/scripts/CIS_5.1.1.sh
diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index e4f3aa3862..34beb73e40 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -892,6 +892,35 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: CIS - Ensure Home Folders Are Secure
+ platforms: macOS
+ platform: darwin
+ description: |
+ By default, macOS allows all valid users into the top level of every other user's home folder and restricts access to the Apple default folders within. Another user on the same system can see you have a "Documents" folder but cannot see inside it. This configuration does work for personal file sharing but can expose user files to standard accounts on the system.
+ The best parallel for Enterprise environments is that everyone who has a Dropbox account can see everything that is at the top level but can't see your pictures. Similarly with macOS, users can see into every new Directory that is created because of the default permissions.
+ Home folders should be restricted to access only by the user. Sharing should be used on dedicated servers or cloud instances that are managing access controls. Some environments may encounter problems if execute rights are removed as well as read and write. Either no access or execute only for group or others is acceptable.
+ resolution: |
+ Automated method:
+ Ask your system administrator to deploy a script that will go over all users and set the mode for all of them either like this:
+ /usr/bin/sudo /bin/chmod -R og-rwx /Users/
+ Or like this if there is a need for excutable access:
+ /usr/bin/sudo /bin/chmod -R og-rw /Users/
+ query: SELECT 1 WHERE NOT EXISTS (
+ SELECT 1 FROM file WHERE (
+ path LIKE '/Users/%'
+ AND path != '/Users/Shared/'
+ AND mode != "0700"
+ AND mode !="0701"
+ AND mode !="0710"
+ AND mode !="0711"
+ ));
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS5.1.1
+ contributors: sharon-fdm
+---
+apiVersion: v1
+kind: policy
 spec:
 name: CIS - Ensure System Integrity Protection Status (SIP) Is Enabled
 platforms: macOS
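Review bot: The resolution text's `/usr/bin/sudo /bin/chmod -R og-rwx /Users/` targets the /Users directory itself rather than each home folder, so as written it would remove group/other traverse permission from /Users (and from /Users/Shared), locking every non-root user out of their own home; the per-user form used by the accompanying test script should be given instead, `/usr/bin/sudo /bin/chmod -R og-rwx /Users/<username>` (and `og-rw` for the execute-permitted variant). The mode literals in the query are double-quoted (`mode != "0700"`), which SQLite parses as identifiers and only demotes to string literals when no such column exists; use single quotes as the path literals already do, e.g. `AND mode NOT IN ('0700', '0701', '0710', '0711')`. Whether `path != '/Users/Shared/'` ever matches depends on osquery reporting directory paths with a trailing slash, and the `/Users/%` glob may also return non-directory entries such as `/Users/.localized` that can never satisfy the mode test; adding `AND type = 'directory' AND filename != 'Shared'` would make the exclusion independent of both. "excutable" in the resolution is a typo for "executable".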
@@ -930,6 +959,7 @@ spec:
 query: SELECT 1 FROM pwd_policy where max_failed_attempts <= 5;
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS5.2.1
+ contributors: sharon-fdm
 ---
 apiVersion: v1
 kind: policy
@@ -960,6 +990,7 @@ spec:
 WHERE minlength >= 15);
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS5.2.2
+ contributors: sharon-fdm
 ---
 apiVersion: v1
 kind: policy
@@ -984,6 +1015,7 @@ spec:
 EXISTS(SELECT 1 FROM pwd_policy WHERE days_to_expiration <= 365);
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS5.2.7
+ contributors: sharon-fdm
 ---
 apiVersion: v1
 kind: policy
@@ -1004,3 +1036,4 @@ spec:
 query: SELECT 1 FROM pwd_policy where history_depth >= 15;
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS5.2.8
+ contributors: sharon-fdm
diff --git a/ee/cis/macos-13/test/scripts/CIS_5.1.1.sh b/ee/cis/macos-13/test/scripts/CIS_5.1.1.sh
new file mode 100755
index 0000000000..1276aa8f73
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_5.1.1.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+for i in $(/usr/bin/sudo dscl . list /Users | grep -v "^_"); do
+ /usr/bin/sudo /bin/chmod -R og-rwx /Users/"$i"
+done
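Review bot: The loop in CIS_5.1.1.sh runs `chmod -R` on `/Users/$i` for every account `dscl . list /Users` returns that is not prefixed with `_`, which still includes accounts such as `root`, `daemon` and `nobody` whose home is not under /Users, so the script emits chmod errors for paths that do not exist and would recurse into anything that happens to sit at that path; guard each iteration with `[ -d "/Users/$i" ] || continue` before the chmod. The `$(...)` word-splitting form also breaks on any account name containing whitespace, so reading the list with `while IFS= read -r i; do ... done` is safer. The default `chmod -R og-rwx` also strips the permissions on `~/Public` and `~/Sites`, which the policy description in the same commit says may be needed in some environments; a one-line header comment stating that this is the no-execute variant and that `og-rw` is the alternative would make that explicit.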