From 985c051ebb31e97d73fc248a4855570f21f13bbf Mon Sep 17 00:00:00 2001
From: Artemis Tosini
Date: Mon, 6 Feb 2023 13:13:38 -0500
Subject: [PATCH] Add macOS CIS 2.3.3.6 (Remote Management) (#9664)
I can't find any way of adding a policy to remove ARD but this uses an officially documented script to disable it which works on my mac.
---
 ee/cis/macos-13/cis-policy-queries.yml | 28 +++++++++++++++++++++
 ee/cis/macos-13/test/scripts/CIS_2.3.3.6.sh | 3 +++
 2 files changed, 31 insertions(+)
 create mode 100755 ee/cis/macos-13/test/scripts/CIS_2.3.3.6.sh
diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index ce2aa76e96..0b663b4c90 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -274,6 +274,34 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: CIS - Ensure Remote Management is Disabled
+ platforms: macOS
+ platform: darwin
+ description: |
+ Remote Management is the client portion of Apple Remote Desktop (ARD).
+ Remote Management can be used by remote administrators to view the current screen,
+ install software, report on, and generally manage client Macs.
+ Remote Management should only be enabled on trusted networks with strong
+ user controls present in a Directory system.
+ Mobile devices without strict controls are vulnerable to exploit and monitoring.
+ resolution: |
+ Graphical Method:
+ 1. Open System Settings
+ 2. Select General
+ 3. Select Sharing
+ 4. Set Remote Management to disabled
+ query: |
+ SELECT 1 WHERE NOT EXISTS (
+ SELECT * FROM processes WHERE
+ path = '/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent'
+ );
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS2.3.3.6
+ contributors: artemist-work
+---
+apiVersion: v1
+kind: policy
 spec:
 name: CIS - Ensure Backup Automatically is Enabled If Time Machine Is Enabled (FDA Required)
 platforms: macOS
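Review bot: The `query` passes whenever no process with the ARDAgent path exists at the moment osquery runs, so it reports whether the agent is running, not whether Remote Management is activated; a host where the agent is stopped but the service is still activated would presumably pass until the agent starts again. I would state that limit in `description`, for example `This policy checks for a running ARDAgent process at query time.` The `resolution` block also lists only the graphical steps, although the test script in this same commit uses the documented command; adding `Terminal Method: /usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop` would let administrators remediate a fleet without the UI.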
diff --git a/ee/cis/macos-13/test/scripts/CIS_2.3.3.6.sh b/ee/cis/macos-13/test/scripts/CIS_2.3.3.6.sh
new file mode 100755
index 0000000000..628b998cac
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_2.3.3.6.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+/usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
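Review bot: The script has no header comment saying what state it leaves the host in, and it changes system configuration: `kickstart -deactivate -stop` turns off Remote Management on whatever machine runs it, which on a Mac administered over ARD removes that access. I would add a comment after the shebang such as `# Test remediation for CIS 2.3.3.6: deactivates and stops ARD Remote Management on this host.` Because `sudo` is invoked inside the script, an unattended run may block on a password prompt; `/usr/bin/sudo -n` would make it fail instead, unless the test harness already runs as root (not visible in this patch).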