diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index 5a3399c405..2b5ba61995 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -1306,6 +1306,90 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: CIS - Ensure Appropriate Permissions Are Enabled for System Wide Applications
+ platforms: macOS
+ platform: darwin
+ description: |
+ Applications in the System Applications Directory (/Applications) should be world- executable since that is their reason to be on the system. They should not be world- writable and allow any process or user to alter them for other processes or users to then execute modified versions.
+ resolution: |
+ Ask your system administrator to deploy a script that will configure all *.app under /Applications folders to have no write permissions for 'others'.
+ $ /usr/bin/sudo IFS=$'\n'
+ for apps in $( /usr/bin/find /Applications -iname "*\.app" -type d -perm -2 );
+ do
+ /bin/chmod -R o-w "$apps"
+ done
+ query: |
+ SELECT 1 WHERE NOT EXISTS (
+ SELECT 1 FROM file WHERE
+ path LIKE '/Applications/%%'
+ AND type = 'directory'
+ AND directory LIKE '%.app'
+ AND CAST( SUBSTRING( mode ,-1) AS INTEGER) & 0x2 !=0 -- mode last char is others' permissions. bitwise with 0x2 means write permissions. (which we do not want here)
+ );
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS5.1.5
+ contributors: sharon-fdm
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure No World Writable Files Exist in the System Folder
+ platforms: macOS
+ platform: darwin
+ description: |
+ Software sometimes insists on being installed in the /System/Volumes/Data/System Directory and has inappropriate world-writable permissions.
+ Macs with writable files in System should be investigated forensically. A file with open writable permissions is a sign of at best a rogue application. It could also be a sign of a computer compromise and a persistent presence on the system.
+ resolution: |
+ Ask your system administrator to deploy a script that will ensure folders are not world-writable in the /System folder. 
+ /usr/bin/sudo IFS=$'\n'
+ for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "Drop Box" );
+ do
+ /bin/chmod -R o-w "$sysPermissions"
+ done
+ query: |
+ SELECT 1 WHERE NOT EXISTS (
+ SELECT 1 FROM file WHERE
+ path LIKE '/System/Volumes/Data/System/%%'
+ AND type = 'directory'
+ AND directory NOT LIKE '%Drop Box%'
+ AND CAST( SUBSTRING( mode ,-1) AS INTEGER) & 0x2 !=0 -- mode last char is others' permissions. bitwise with 0x2 means write permissions. (which we do not want here)
+ );
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS5.1.6
+ contributors: sharon-fdm
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure No World Writable Files Exist in the Library Folder
+ platforms: macOS
+ platform: darwin
+ description: |
+ Software sometimes insists on being installed in the /System/Volumes/Data/Library Directory and has inappropriate world-writable permissions.
+ Folders in /System/Volumes/Data/Library should not be world-writable. The audit check excludes the /System/Volumes/Data/Library/Caches and /System/Volumes/Data/Library/Preferences/Audio/Data folders where the sticky bit is set.
+ resolution: |
+ Ask your system administrator to deploy a script that will ensure folders are not world-writable in the /System folder.
+ /usr/bin/sudo IFS=$'\n'
+ for libPermissions in $( /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data);
+ do
+ /bin/chmod -R o-w "$libPermissions"
+ done
+ query: |
+ SELECT 1 WHERE NOT EXISTS (
+ SELECT 1 FROM file WHERE
+ path LIKE '/System/Volumes/Data/Library/%%'
+ AND type = 'directory'
+ AND directory NOT LIKE '%Caches%'
+ AND directory NOT LIKE '%/Preferences/Audio/Data%'
+ AND CAST( SUBSTRING( mode ,-1) AS INTEGER) & 0x2 !=0 -- mode last char is others' permissions. bitwise with 0x2 means write permissions. (which we do not want here)
+ );
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level2, CIS5.1.7
+ contributors: sharon-fdm
+---
+apiVersion: v1
+kind: policy
 spec:
 name: CIS - Ensure Password Account Lockout Threshold Is Configured (Fleetd required)
 platforms: macOS
diff --git a/ee/cis/macos-13/test/scripts/CIS_5.1.5.sh b/ee/cis/macos-13/test/scripts/CIS_5.1.5.sh
new file mode 100755
index 0000000000..e054f190c5
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_5.1.5.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+/usr/bin/sudo IFS=$'\n'
+for apps in $( /usr/bin/find /Applications -iname "*\.app" -type d -perm -2 );
+do
+ /bin/chmod -R o-w "$apps"
+done
\ No newline at end of file
diff --git a/ee/cis/macos-13/test/scripts/CIS_5.1.6.sh b/ee/cis/macos-13/test/scripts/CIS_5.1.6.sh
new file mode 100755
index 0000000000..77411cdfb2
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_5.1.6.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+/usr/bin/sudo IFS=$'\n'
+for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "Drop Box" );
+do
+ /bin/chmod -R o-w "$sysPermissions"
+done
\ No newline at end of file
diff --git a/ee/cis/macos-13/test/scripts/CIS_5.1.7.sh b/ee/cis/macos-13/test/scripts/CIS_5.1.7.sh
new file mode 100755
index 0000000000..83cacad983
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_5.1.7.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+/usr/bin/sudo IFS=$'\n'
+for libPermissions in $( /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data);
+do
+ /bin/chmod -R o-w "$libPermissions"
+done
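Review bot: `AND directory LIKE '%.app'` in the CIS5.1.5 query matches directories whose parent is a `.app` bundle, not the bundle directory itself, so a world-writable `/Applications/Foo.app` — the case the policy's own `find /Applications -iname "*\.app" -type d -perm -2` reports — passes the check unless one of its immediate children is also world-writable; `AND filename LIKE '%.app'` selects the bundle directory. The same parent-versus-path mismatch inverts the exclusions in the CIS5.1.6 and CIS5.1.7 queries: `directory NOT LIKE '%Drop Box%'`, `directory NOT LIKE '%Caches%'` and `directory NOT LIKE '%/Preferences/Audio/Data%'` drop the children of those folders but keep the folders themselves, which are exactly the entries the benchmark's `grep -v` whitelists, so a machine with the stock sticky-bit world-writable `Caches` and `Drop Box` folders will likely fail these policies; filter on `path` (e.g. `AND path NOT LIKE '%Drop Box%'`) instead. The last-digit test on `mode` also cannot tell a sticky-bit directory (mode like `1777`) from a plain world-writable one, so the CIS5.1.7 description's "where the sticky bit is set" is only enforced by name, not by permission — either say so in the description or add an explicit sticky-bit check. Minor: the CIS5.1.7 resolution text says "in the /System folder" where it means `/System/Volumes/Data/Library`.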
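Review bot: `/usr/bin/sudo IFS=$'\n'` does not set `IFS` for this script — the `IFS=...` token is passed to sudo as an environment assignment with no command and the script's own `IFS` is untouched — so the unquoted `$( /usr/bin/find ... )` on the next line splits every path on spaces (and glob-expands it), and `chmod -R o-w "$apps"` then runs against fragments of any bundle name that contains whitespace instead of the bundle. `chmod` itself also runs without sudo, so bundles the invoking user does not own are left as they were. Letting `find` invoke `chmod` removes both the splitting and the privilege gap: `/usr/bin/sudo /usr/bin/find /Applications -iname "*.app" -type d -perm -2 -exec /bin/chmod -R o-w {} +`; drop the leading `sudo` if the harness already runs the script as root.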
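Review bot: As in CIS_5.1.5.sh, `/usr/bin/sudo IFS=$'\n'` leaves the script's `IFS` unchanged (it only hands an environment assignment to sudo), so the unquoted `$( ... | /usr/bin/grep -v "Drop Box" )` word-splits paths on spaces and `chmod -R o-w "$sysPermissions"` is applied to the wrong names, unprivileged. Moving the exclusion and the `chmod` into `find` avoids the word-splitting entirely: `/usr/bin/sudo /usr/bin/find /System/Volumes/Data/System -type d -perm -2 ! -path "*Drop Box*" -exec /bin/chmod -R o-w {} +`. Note that with `-R` a matched directory's whole subtree is rewritten, including any `Drop Box` below it that `grep -v` (or `! -path`) hid from the listing; since `find -type d -perm -2` only reports directories, `chmod o-w` without `-R` may be the intended scope — worth confirming against the benchmark text.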
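Review bot: `/usr/bin/sudo IFS=$'\n'` on line 3 does not set `IFS` in this shell (the assignment is consumed by sudo as an environment variable for a command that is never given), so the `for libPermissions in $( ... )` loop splits paths on whitespace and the unprivileged `chmod -R o-w` runs on broken fragments. `grep -v Caches` also suppresses every path containing "Caches" anywhere, not just the `/System/Volumes/Data/Library/Caches` exception the policy description names, so a world-writable folder elsewhere with that substring in its name would silently escape remediation. If the intent is the two named folders, express both exclusions on the `find` side and let it call `chmod`: `/usr/bin/sudo /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 ! -path "/System/Volumes/Data/Library/Caches*" ! -path "/System/Volumes/Data/Library/Preferences/Audio/Data*" -exec /bin/chmod -R o-w {} +`; keep `! -path "*Caches*"` instead if the broader benchmark-style exclusion is deliberate.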