CIS Update - macOS 13, CIS v2.1.0 (#21486)

Changelog ADD: ADD - 2.3.3.2 Ensure the Time Service Is Enabled ADD - 6.3.10 Ensure Show Status Bar Is Enabled UPDATE: UPDATE - 2.6.1.2 Ensure Location Services Is in the Menu Bar UPDATE - 3.1 Ensure Security Auditing Is Enabled UPDATE - 5.7 Ensure an Administrator Account Cannot Login to Another User's Active and Locked Session UPDATE - 5.1.6 Ensure No World Writable Folders Exist in the System Folder UPDATE - 2.9.1.1 Ensure the OS Is Not Active When Resuming from Standby (Intel) UPDATE - 2.9.1.2 Ensure the OS Is Not Active When Resuming from Sleep and Display Sleep (Apple Silicon) --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2026-05-23 08:58:41 +00:00 · 2024-10-21 15:24:18 -04:00 · 2024-10-21 15:24:18 -04:00 · 8d27835976
commit 8d27835976
parent 3dbee14cb4
2 changed files with 74 additions and 22 deletions
--- a/ee/cis/macos-13/README.md
+++ b/ee/cis/macos-13/README.md
@ -1,6 +1,6 @@
 # macOS 13.0 Ventura benchmark

-Fleet's policies have been written against v1.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version.
+Fleet's policies have been written against v2.1.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version.

 For requirements and usage details, see the [CIS Benchmarks](https://fleetdm.com/docs/using-fleet/cis-benchmarks) documentation.

--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@ -1,5 +1,5 @@
 ---
-# The latest version of CIS Benchmarks for macOS as of January 2023 was used which was benchmark 1.0 for macOS 13.0 https://workbench.cisecurity.org/benchmarks/10541
+# The latest version of CIS Benchmarks for macOS as of August 2024 was used which was benchmark 2.1.0 for macOS 13
 apiVersion: v1
 kind: policy
 spec:
@ -517,6 +517,23 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+  name: CIS - Ensure the Time Service Is Enabled
+  platforms: macOS
+  platform: darwin
+  description: |
+    In macOS 10.14, Apple replace ntp with timed for time services, and is used to ensure correct time is kept. Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. 
+  resolution: |
+        Ask your system administrator to deploy a script that will configure:
+        /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.timed.plist
+  query: |
+    SELECT 1 WHERE  EXISTS(SELECT * FROM processes WHERE path = '/usr/libexec/timed');
+  purpose: Informational
+  tags: compliance, CIS, CIS_Level1
+  contributors: defensivedepth
+---
+apiVersion: v1
+kind: policy
 spec:
  name: CIS - Ensure Time Is Set Within Appropriate Limits (Fleetd Required)
  platforms: macOS
@ -1366,10 +1383,10 @@ spec:
 apiVersion: v1
 kind: policy
 spec:
-  name: CIS - Ensure Location Services Is in the Menu Bar
+  name: CIS - Ensure 'Show Location Icon in Control Center when System Services Request Your Location' Is Enabled
  platforms: macOS
  platform: darwin
-  description: Checks that Location Services option is presented in the Menu Bar.
+  description: This setting provides the user an understanding of the current status of Location Services and which applications are using it.
  resolution: |
    Automated method:
    Ask your system administrator to deploy an MDM profile that enables the "location services" icon in menu bar when System Services request your location.
@ -1383,7 +1400,7 @@ spec:
        location is set to your organization's parameters
  query:  SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.locationmenu.plist' AND key='ShowSystemServices' AND value=1;
  purpose: Informational
-  tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.6.1.2
+  tags: compliance, CIS, CIS_Level2
  contributors: sharon-fdm
 ---
 apiVersion: v1
@ -1713,15 +1730,16 @@ spec:
    that can be attempted against the RAM that has the encryption keys or the running operating system protected
    by a login screen.

-    Mac systems should be set to hibernate after sleeping for a risk-acceptable time period.
    MacBooks should be set so that the `standbydelay` is 15 minutes (900 seconds) or less.
+    Mac systems should be set to hibernate after sleeping for a risk-acceptable time period.
+    Organizations may still decide to use hibernate after sleeping if there is a security need 
+    (ex. international travel), but it can cause kernel panics in Apple Silicon Macs.
  resolution: |
    Ask your system administrator to deploy the following script to Macbook devices:
    if [[ $(uname -m) == 'arm64' ]]; then
            # Apple silicon
            /usr/bin/sudo /usr/bin/pmset -a standby 900
            /usr/bin/sudo /usr/bin/pmset -a destroyfvkeyonstandby 1
-            /usr/bin/sudo /usr/bin/pmset -a hibernatemode 25
    else
            # Intel
            /usr/bin/sudo /usr/bin/pmset -a standbydelaylow 900
@ -1762,12 +1780,11 @@ spec:
            SELECT 1 FROM system_info WHERE cpu_type = 'arm64e'
          ) AND EXISTS (
            SELECT
-                CAST(JSON_EXTRACT(battery, '$.standby') AS INTEGER) AS standby,
-                CAST(JSON_EXTRACT(battery, '$.hibernatemode') AS INTEGER) AS hibernatemode
+                CAST(JSON_EXTRACT(battery, '$.standby') AS INTEGER) AS standby
            FROM (
                SELECT JSON_EXTRACT(json_result, '$.Battery Power:') AS battery FROM pmset WHERE getting = 'custom'
            )
-            WHERE standby <= 900 AND hibernatemode = 25
+            WHERE standby <= 900
          )
        )
    );
@ -2184,10 +2201,10 @@ spec:
  platforms: macOS
  platform: darwin
  description: |
-    macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log.
+    macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log. Apple has deprecated auditd as of macOS 11.0 Big Sur. In macOS 14.0 Sonoma it is no longer enabled by default.
  resolution: |
    Automated method:
-    Ask your system administrator to deploy the following script which will enable security auditing:
+    Ask your system administrator to deploy the following script which will load auditd and create the audit_control file:
    /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
  query: | 
    SELECT 1 WHERE EXISTS (
@ -2635,14 +2652,11 @@ spec:
  platforms: macOS
  platform: darwin
  description: |
-    Software sometimes insists on being installed in the /System/Volumes/Data/System Directory and has inappropriate world-writable permissions.
-    Macs with writable files in System should be investigated forensically. A file with open writable permissions is a sign of at best a rogue application.
-    It could also be a sign of a computer compromise and a persistent presence on the system.
-    The audit check excludes the "Drop Box" folder that is part of Apple's default user template.
+    Software sometimes insists on being installed in the /System/Volumes/Data/System Directory and has inappropriate world-writable permissions. Macs with writable files in System should be investigated forensically. A file with open writable permissions is a sign of at best a rogue application. It could also be a sign of a computer compromise and a persistent presence on the system.
  resolution: |
    Ask your system administrator to deploy a script that will ensure folders are not world-writable in the /System folder. 
    /usr/bin/sudo IFS=$'\n'
-    for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "Drop Box" ); 
+    for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -vE "Drop Box|locks" ); 
    do
      /bin/chmod -R o-w "$sysPermissions"
    done
@ -2666,11 +2680,15 @@ spec:
  platform: darwin
  description: |
    Software sometimes insists on being installed in the /System/Volumes/Data/Library Directory and has inappropriate world-writable permissions.  
-    Folders in /System/Volumes/Data/Library should not be world-writable. The audit check excludes the /System/Volumes/Data/Library/Caches and /System/Volumes/Data/Library/Preferences/Audio/Data folders where the sticky bit is set.
+    Folders in /System/Volumes/Data/Library should not be world-writable. Macs with writable files in System should be investigated forensically. 
+    A file with open writable permissions is a sign of at best a rogue application. It could also be a sign of a computer compromise and a 
+    persistent presence on the system.
+    
+    The audit check excludes the /System/Volumes/Data/Library/Caches and /System/Volumes/Data/Library/Preferences/Audio/Data folders where the sticky bit is set.
  resolution: |
    Ask your system administrator to deploy a script that will ensure folders are not world-writable in the /System folder. 
    /usr/bin/sudo IFS=$'\n'
-    for libPermissions in $( /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data); 
+    for libPermissions in $(/usr/bin/find /System/Volumes/Data/Library -type d -perm -2 | /usr/bin/grep -Ev "Caches|/Preferences/Audio/Data|locks");
    do
      /bin/chmod -R o-w "$libPermissions"
    done
@ -3006,16 +3024,16 @@ spec:
  resolution: |
    Automated method:
    Ask your system administrator to deploy a script that runs the following:
-      /usr/bin/sudo /usr/bin/security authorizationdb write system.login.screensaver use-login-window-ui
+      /usr/bin/sudo /usr/bin/security authorizationdb write system.login.screensaver authenticate-session-owner
  query: |
    SELECT 1 WHERE EXISTS (
      SELECT JSON_EXTRACT(json_result, '$.rule') AS rule
      FROM authdb
      WHERE right_name = 'system.login.screensaver' AND 
-      rule LIKE '%use-login-window-ui%'
+      rule LIKE '%authenticate-session-owner%'
    );
  purpose: Informational
-  tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.7
+  tags: compliance, CIS, CIS_Level1
  contributors: lucasmrod
 ---
 apiVersion: v1
@ -3449,6 +3467,40 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+  name: CIS - Ensure Show Status Bar Is Enabled (MDM Required)
+  platforms: macOS
+  platform: darwin
+  description: |
+    The Status Bar in Safari shows the full URL of any link on hover. It protects the user from visiting sites where the domain has been obfuscated by allowing the user to review whether the link points to an unexpected location.
+  resolution: |
+    Automated method:
+    Profile Method:
+    Create or edit a configuration profile with the following information:
+      1. The PayloadType string is com.apple.Safari
+      2. The key to include is ShowOverlayStatusBar 
+      3. The key must be set to: <true/>
+  query: |
+    SELECT 1 WHERE 
+      EXISTS (
+        SELECT 1 FROM managed_policies WHERE 
+            domain='com.apple.Safari' AND 
+            name='ShowOverlayStatusBar' AND 
+            (value = 1 OR value = 'true') AND 
+            username = ''
+        )
+      AND NOT EXISTS (
+        SELECT 1 FROM managed_policies WHERE 
+            domain='com.apple.Safari' AND 
+            name='ShowOverlayStatusBar' AND 
+            (value != 1 AND value != 'true')
+        );  
+  purpose: Informational
+  tags: compliance, CIS, CIS_Level1
+  contributors: defensivedepth
+---
+apiVersion: v1
+kind: policy
 spec:
  name: CIS - Ensure Secure Keyboard Entry Terminal.app Is Enabled (MDM Required)
  platforms: macOS