diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index 6f62d859ff..ce2aa76e96 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -876,6 +876,35 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: CIS - Ensure Security Auditing Retention Is Enabled
+ platforms: macOS
+ platform: darwin
+ description: |
+ The macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records.
+ Retention can be set to respect both size and longevity. To retain as much as possible under a certain size, the recommendation is to use the following:
+ expire-after:60d OR 5G
+ This recomendation is based on minimum storage for review and investigation. When a third party tool is in use to allow remote logging or the store and forwarding of logs, this local storage requirement is not required.
+ resolution: |
+ Automated method:
+ Ask your system administrator to deploy the following script which will ensure proper Security Auditing Retention:
+ cp /etc/security/audit_control ./tmp.txt; origExpire=$(cat ./tmp.txt | grep expire-after); sed "s/${origExpire}/expire-after:60d OR 5G/" ./tmp.txt > /etc/security/audit_control; rm ./tmp.txt;
+ query: |
+ SELECT 1 WHERE EXISTS (
+ SELECT line,
+ CAST(regex_match(line, 'expire-after:(\d+)d OR (\d+)G', 1) AS INTEGER) AS days,
+ CAST(regex_match(line, 'expire-after:(\d+)d OR (\d+)G', 2) AS INTEGER) AS size
+ FROM file_lines
+ WHERE path = '/etc/security/audit_control'
+ AND days >=60
+ AND size >=5
+ );
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS3.4
+ contributors: sharon-fdm
+---
+apiVersion: v1
+kind: policy
 spec:
 name: CIS - Ensure Access to Audit Records Is Controlled
 platforms: macOS
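Review bot: The `regex_match` pattern in the new `query` is unanchored, so a commented-out line such as `#expire-after:60d OR 5G` in `/etc/security/audit_control` would still satisfy the check if that file treats `#` lines as comments; anchoring the pattern as `'^expire-after:(\d+)d OR (\d+)G'` in both `CAST(...)` calls ties the match to the live setting. The one-liner in `resolution` has a more serious problem: the `>` redirection truncates `/etc/security/audit_control` before `sed` runs, so when `grep` finds no `expire-after` line, `origExpire` is empty, `sed` rejects the empty regex and the audit configuration is left as an empty file. Writing to a scratch file first and renaming only on success, e.g. `sed "s/${origExpire}/expire-after:60d OR 5G/" ./tmp.txt > ./new.txt && mv ./new.txt /etc/security/audit_control`, avoids destroying the very file the policy reads. The same truncation pattern is in the new `CIS_3.2.sh` and the rewritten `CIS_3.4.sh` below.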
diff --git a/ee/cis/macos-13/test/scripts/CIS_3.2.sh b/ee/cis/macos-13/test/scripts/CIS_3.2.sh
new file mode 100755
index 0000000000..e8929c3162
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_3.2.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+cp /etc/security/audit_control ./tmp.txt;
+origFlags=$(cat ./tmp.txt | grep flags: | grep -v naflags);
+sed "s/${origFlags}/flags:-fm,ad,-ex,aa,-fr,lo,-fw/" ./tmp.txt > /etc/security/audit_control;
+rm ./tmp.txt;
+
+
diff --git a/ee/cis/macos-13/test/scripts/CIS_3.4.sh b/ee/cis/macos-13/test/scripts/CIS_3.4.sh
old mode 100644
new mode 100755
index e8929c3162..70b9da607b
--- a/ee/cis/macos-13/test/scripts/CIS_3.4.sh
+++ b/ee/cis/macos-13/test/scripts/CIS_3.4.sh
@@ -1,8 +1,25 @@
 #!/bin/bash
 
 cp /etc/security/audit_control ./tmp.txt;
-origFlags=$(cat ./tmp.txt | grep flags: | grep -v naflags);
-sed "s/${origFlags}/flags:-fm,ad,-ex,aa,-fr,lo,-fw/" ./tmp.txt > /etc/security/audit_control;
+origExpire=$(cat ./tmp.txt | grep expire-after);
+sed "s/${origExpire}/expire-after:60d OR 5G/" ./tmp.txt > /etc/security/audit_control;
 rm ./tmp.txt;
 
 
+# Explanation:
+# In your /etc/security/audit_control , look for a line starting at: expire-after
+# Cases to test:
+# SHOULD PASS: expire-after:60d OR 5G
+# SHOULD PASS: expire-after:61d OR 5G
+# SHOULD PASS: expire-after:60d OR 6G
+# SHOULD PASS: expire-after:61d OR 6G
+
+# SHOULD FAIL: expire-after:60d
+# SHOULD FAIL: expire-after:5G
+# SHOULD FAIL: expire-after:59d OR 5G
+# SHOULD FAIL: expire-after:60d OR 4G
+# SHOULD FAIL: expire-after:60D
+# SHOULD FAIL: expire-after:6g
+# SHOULD FAIL: expire-after:60D OR 5G
+# SHOULD FAIL: expire-after:60d OR 5g
+# SHOULD FAIL: expire-after:60D OR 5g
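Review bot: `grep flags: | grep -v naflags` in the new `CIS_3.2.sh` selects by substring, so any other line containing `flags:` (a comment, for instance) would also land in `origFlags`, making it multi-line and turning the `sed` expression into a syntax error; `origFlags=$(grep '^flags:' ./tmp.txt)` matches only the setting line and makes the second `grep` unnecessary. The script also runs without `set -e`, so a failed `cp` (missing file or insufficient privileges) does not stop it and the later steps run against a missing `./tmp.txt`; adding `set -euo pipefail` after the shebang makes the script stop at the first failing step, including a `grep` that finds no `flags:` line at all.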
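Review bot: The explanation block appended to `CIS_3.4.sh` lists nine `SHOULD FAIL` values, but the script can only write the single passing value `expire-after:60d OR 5G`, so none of the failing cases can be exercised by running it. Taking the replacement value as an optional argument, `value="${1:-expire-after:60d OR 5G}"`, and using `${value}` as the `sed` replacement lets a tester apply each listed case without editing the script. `grep expire-after` is also unanchored and lacks the trailing colon, so a comment mentioning `expire-after` would make `origExpire` multi-line and break the `sed` expression; `grep '^expire-after:'` is more precise.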