CIS 3.1 (#9510)

ee/cis/macos-13/cis-policy-queries.yml

@@ -738,6 +738,37 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+  name: CIS - Ensure Security Auditing Is Enabled
+  platforms: macOS
+  platform: darwin
+  description: |
+    macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log.
+  resolution: |
+    Automated method:
+    Ask your system administrator to deploy the following script which will enable security auditing:
+    /usr/bin/sudo /bin/launchctl load -w
+    /System/Library/LaunchDaemons/com.apple.auditd.plist
+  query: | 
+  SELECT 1 where exists (
+        SELECT 
+            l.program, l.label, l.program_arguments,  
+            p.path, p.name , p.cmdline  
+        FROM
+            launchd AS l
+            INNER JOIN processes AS p
+        ON (l.program = p.path) 
+        where 
+            (l.label = "com.apple.auditd") 
+            AND 
+            (l.program_arguments = p.cmdline)
+    );
+  purpose: Informational
+  tags: compliance, CIS, CIS_Level1, CIS3.1
+  contributors: lucasmrod
+---
+apiVersion: v1
+kind: policy
 spec:
   name: CIS - Ensure Bonjour Advertising Services Is Disabled (MDM Required)
   platforms: macOS

ee/cis/macos-13/test/scripts/CIS_3.1.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+/usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
+
+# For Testing: After the above command executed:
+#   This will stop the service: /usr/bin/sudo /bin/launchctl stop com.apple.auditd
+#   This will start the service: /usr/bin/sudo /bin/launchctl start com.apple.auditd