From aa513e722c0958b02842b489b1f1ec105e2fff33 Mon Sep 17 00:00:00 2001
From: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Date: Thu, 26 Jan 2023 16:53:58 -0500
Subject: [PATCH] CIS 3.1 (#9510)
---
 ee/cis/macos-13/cis-policy-queries.yml | 31 +++++++++++++++++++++++++
 ee/cis/macos-13/test/scripts/CIS_3.1.sh | 7 ++++++
 2 files changed, 38 insertions(+)
 create mode 100755 ee/cis/macos-13/test/scripts/CIS_3.1.sh
diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index 61c97971fa..48a3d64b8a 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -738,6 +738,37 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: CIS - Ensure Security Auditing Is Enabled
+ platforms: macOS
+ platform: darwin
+ description: |
+ macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log.
+ resolution: |
+ Automated method:
+ Ask your system administrator to deploy the following script which will enable security auditing:
+ /usr/bin/sudo /bin/launchctl load -w
+ /System/Library/LaunchDaemons/com.apple.auditd.plist
+ query: |
+ SELECT 1 where exists (
+ SELECT
+ l.program, l.label, l.program_arguments,
+ p.path, p.name , p.cmdline
+ FROM
+ launchd AS l
+ INNER JOIN processes AS p
+ ON (l.program = p.path)
+ where
+ (l.label = "com.apple.auditd")
+ AND
+ (l.program_arguments = p.cmdline)
+ );
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS3.1
+ contributors: lucasmrod
+---
+apiVersion: v1
+kind: policy
 spec:
 name: CIS - Ensure Bonjour Advertising Services Is Disabled (MDM Required)
 platforms: macOS
diff --git a/ee/cis/macos-13/test/scripts/CIS_3.1.sh b/ee/cis/macos-13/test/scripts/CIS_3.1.sh
new file mode 100755
index 0000000000..6e3aa1955d
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_3.1.sh
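Review bot: The string literal in the new query's filter is written with double quotes, `(l.label = "com.apple.auditd")`; in the SQLite dialect osquery executes, double quotes denote an identifier and only fall back to a string literal when no column of that name exists, so the comparison should read `(l.label = 'com.apple.auditd')` to avoid depending on that fallback. Keyword case in the same query is mixed (`SELECT`, `FROM`, `INNER JOIN` upper-case; `where`, `exists` lower-case) — the other policies in this file are the reference for which to keep. The join condition `ON (l.program = p.path)` yields no rows whenever launchd reports `program` as NULL, which presumably happens for a plist that sets only ProgramArguments; if that is the case for com.apple.auditd.plist on macOS 13, the policy would report auditing as disabled while auditd is running, so this is worth confirming on a host before shipping. A one-line comment above the query stating that it passes only when the auditd job is both registered with launchd and currently running would make the check's strictness explicit to the next maintainer.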
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+/usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
+
+# For Testing: After the above command executed:
+# This will stop the service: /usr/bin/sudo /bin/launchctl stop com.apple.auditd
+# This will start the service: /usr/bin/sudo /bin/launchctl start com.apple.auditd
\ No newline at end of file
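Review bot: The new script has no header comment stating what it is for, and the `\ No newline at end of file` marker shows the last comment line is unterminated; add a trailing newline and a comment under the shebang such as `# Test fixture for CIS 3.1: loads the auditd launch daemon so the "Ensure Security Auditing Is Enabled" policy passes.` The two trailing "For Testing" comments are the only place the stop/start commands are recorded, so the header comment should say they are manual steps and not executed by this script.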