From 7aefd5c73b82df7af1e88838e8045c7c63344185 Mon Sep 17 00:00:00 2001
From: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Date: Mon, 6 Feb 2023 13:13:11 -0500
Subject: [PATCH] Cis 3.4 (#9554)

---
ee/cis/macos-13/cis-policy-queries.yml | 29 +++++++++++++++++++++++++
ee/cis/macos-13/test/scripts/CIS_3.2.sh | 8 +++++++
ee/cis/macos-13/test/scripts/CIS_3.4.sh | 21 ++++++++++++++++--
3 files changed, 56 insertions(+), 2 deletions(-)
create mode 100755 ee/cis/macos-13/test/scripts/CIS_3.2.sh
mode change 100644 => 100755 ee/cis/macos-13/test/scripts/CIS_3.4.sh

diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index 6f62d859ff..ce2aa76e96 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -876,6 +876,35 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: CIS - Ensure Security Auditing Retention Is Enabled
+ platforms: macOS
+ platform: darwin
+ description: |
+ The macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records.
+ Retention can be set to respect both size and longevity. To retain as much as possible under a certain size, the recommendation is to use the following:
+ expire-after:60d OR 5G
+ This recomendation is based on minimum storage for review and investigation. When a third party tool is in use to allow remote logging or the store and forwarding of logs, this local storage requirement is not required.
+ resolution: |
+ Automated method:
+ Ask your system administrator to deploy the following script which will ensure proper Security Auditing Retention:
+ cp /etc/security/audit_control ./tmp.txt; origExpire=$(cat ./tmp.txt | grep expire-after); sed "s/${origExpire}/expire-after:60d OR 5G/" ./tmp.txt > /etc/security/audit_control; rm ./tmp.txt;
+ query: |
+ SELECT 1 WHERE EXISTS (
+ SELECT line,
+ CAST(regex_match(line, 'expire-after:(\d+)d OR (\d+)G', 1) AS INTEGER) AS days,
+ CAST(regex_match(line, 'expire-after:(\d+)d OR (\d+)G', 2) AS INTEGER) AS size
+ FROM file_lines
+ WHERE path = '/etc/security/audit_control'
+ AND days >=60
+ AND size >=5
+ );
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS3.4
+ contributors: sharon-fdm
+---
+apiVersion: v1
+kind: policy
 spec:
 name: CIS - Ensure Access to Audit Records Is Controlled
 platforms: macOS
diff --git a/ee/cis/macos-13/test/scripts/CIS_3.2.sh b/ee/cis/macos-13/test/scripts/CIS_3.2.sh
new file mode 100755
index 0000000000..e8929c3162
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_3.2.sh
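Review bot: The `regex_match` pattern in the new query is unanchored, so any line of /etc/security/audit_control that merely contains `expire-after:60d OR 5G` satisfies the policy — including a commented-out copy such as `#expire-after:60d OR 5G`, assuming the file honours `#` comments as its man page describes — and the host would then pass while auditd still runs with its default retention. Anchoring both calls, `CAST(regex_match(line, '^expire-after:(\d+)d OR (\d+)G', 1) AS INTEGER) AS days,` and the matching `… 2) AS INTEGER) AS size`, limits the match to the effective directive; presumably osquery's `regex_match` accepts the `^` anchor, which is worth confirming against the test cases in the script. Referencing the `days`/`size` aliases in `WHERE` is an SQLite extension, fine under osquery but worth a short comment so nobody ports the query to another engine. The inline resolution script has its own weakness: `grep expire-after` is unanchored and can return several lines, and the `> /etc/security/audit_control` redirection truncates the file before `sed` runs, so a sed failure leaves an empty audit configuration — the same script is committed as CIS_3.4.sh.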
@@ -0,0 +1,8 @@ +#!/bin/bash + +cp /etc/security/audit_control ./tmp.txt; +origFlags=$(cat ./tmp.txt | grep flags: | grep -v naflags); +sed "s/${origFlags}/flags:-fm,ad,-ex,aa,-fr,lo,-fw/" ./tmp.txt > /etc/security/audit_control; +rm ./tmp.txt; + + diff --git a/ee/cis/macos-13/test/scripts/CIS_3.4.sh b/ee/cis/macos-13/test/scripts/CIS_3.4.sh old mode 100644 new mode 100755 index e8929c3162..70b9da607b --- a/ee/cis/macos-13/test/scripts/CIS_3.4.sh +++ b/ee/cis/macos-13/test/scripts/CIS_3.4.sh @@ -1,8 +1,25 @@ #!/bin/bash cp /etc/security/audit_control ./tmp.txt; -origFlags=$(cat ./tmp.txt | grep flags: | grep -v naflags); -sed "s/${origFlags}/flags:-fm,ad,-ex,aa,-fr,lo,-fw/" ./tmp.txt > /etc/security/audit_control; +origExpire=$(cat ./tmp.txt | grep expire-after); +sed "s/${origExpire}/expire-after:60d OR 5G/" ./tmp.txt > /etc/security/audit_control; rm ./tmp.txt; +# Explanation: +# In your /etc/security/audit_control , look for a line starting at: expire-after +# Cases to test: +# SHOULD PASS: expire-after:60d OR 5G +# SHOULD PASS: expire-after:61d OR 5G +# SHOULD PASS: expire-after:60d OR 6G +# SHOULD PASS: expire-after:61d OR 6G + +# SHOULD FAIL: expire-after:60d +# SHOULD FAIL: expire-after:5G +# SHOULD FAIL: expire-after:59d OR 5G +# SHOULD FAIL: expire-after:60d OR 4G +# SHOULD FAIL: expire-after:60D +# SHOULD FAIL: expire-after:6g +# SHOULD FAIL: expire-after:60D OR 5G +# SHOULD FAIL: expire-after:60d OR 5g +# SHOULD FAIL: expire-after:60D OR 5g
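Review bot: In CIS_3.4.sh (and identically in the new CIS_3.2.sh) the redirection `> /etc/security/audit_control` truncates the live audit configuration before `sed` executes, so any sed failure leaves the file empty: `origExpire` is empty when `grep` finds no match (sed then fails on an empty regex) and contains a newline when more than one line matches, which breaks the `s` command. The captured line is also interpolated unescaped into the sed expression, and `grep expire-after` is unanchored, so a commented-out directive can be the one that gets replaced while the effective one is left alone. Writing to a temp file first and copying over the original only after sed has succeeded, with an anchored pattern and an append fallback for a file that lacks the directive, closes these; the sketch below is for CIS_3.4.sh and the same shape applies to CIS_3.2.sh with `^flags:` (which also removes the need for `grep -v naflags`).
```shell
#!/bin/bash
set -euo pipefail

conf=/etc/security/audit_control
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT

# Rewrite (or append) the directive into a temp file; the live file is only
# overwritten after sed has succeeded, so a failure cannot leave it empty.
if grep -q '^expire-after:' "$conf"; then
    sed 's/^expire-after:.*/expire-after:60d OR 5G/' "$conf" > "$tmp"
else
    { cat "$conf"; echo 'expire-after:60d OR 5G'; } > "$tmp"
fi
cat "$tmp" > "$conf"
# … unchanged: explanatory comments listing the pass/fail cases …
```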