This commit is contained in:
Sharon Katz 2023-02-02 13:16:45 -05:00 committed by GitHub
parent f8bb93266b
commit aae824804b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 48 additions and 0 deletions

@ -846,6 +846,36 @@ spec:
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure install.log Is Retained for 365 or More Days and No Maximum Size
platforms: macOS
platform: darwin
description: |
macOS writes information pertaining to system-related events to the file /var/log/install.log and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization.
resolution: |
Automated method:
Ask your system administrator to deploy a script which will ensure proper retention for install.log.
Terminal Method:
Perform the following to ensure that install logs are retained for at least 365 days:
Edit the /etc/asl/com.apple.install file and add or modify the ttl value to 365 or greater on the file line. Also, remove the all_max= setting and value from the file line.
query: |
SELECT 1 WHERE
EXISTS ( SELECT line,
CAST ( regex_match(line, 'ttl=(\d+)', 1) AS INTEGER ) AS val
FROM file_lines
WHERE path = '/etc/asl/com.apple.install'
AND val >=365 )
AND
NOT EXISTS ( SELECT line
FROM file_lines
WHERE path = '/etc/asl/com.apple.install'
AND line LIKE "%all_max=%" );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS3.3
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Access to Audit Records Is Controlled
platforms: macOS
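Review bot: the two checks in the query, `regex_match(line, 'ttl=(\d+)', 1)` in the EXISTS clause and `line LIKE "%all_max=%"` in the NOT EXISTS clause, match any line of `/etc/asl/com.apple.install`, including commented-out lines, while the resolution text scopes both settings to the `file` line of that config. A host with a leftover `#`-commented line containing `all_max=` would fail although it is compliant, and a `ttl=365` on some other line would pass although it is not; anchoring both patterns to the `file` directive (for example adding `AND line LIKE '%file%'` to each subquery, or tightening the regex) would make the check enforce what the resolution describes. Two smaller points: `"%all_max=%"` uses double quotes, which SQLite treats as an identifier first and only falls back to a string literal, so use single quotes as the rest of the query does; and `val` is a column alias referenced in the WHERE clause of the same SELECT, which SQLite allows but is non-standard, so repeating the CAST expression in the WHERE (or wrapping the subquery) would be more portable.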

@ -0,0 +1,18 @@
#!/bin/bash
# For QA:
# Open /etc/asl/com.apple.install for edit and look for a line starting with "* file"
# If exist delete all_max=XXX
# If not exist add ttl=365
# This section will delete the all_max
/usr/bin/sudo sed -E 's/all_max=[0-9]+M//g' /etc/asl/com.apple.install > ./tmp.txt
/usr/bin/sudo cp ./tmp.txt /etc/asl/com.apple.install
/usr/bin/sudo rm ./tmp.txt
/usr/bin/sudo sed -E 's/all_max=[0-9]+G//g' /etc/asl/com.apple.install > ./tmp.txt
/usr/bin/sudo cp ./tmp.txt /etc/asl/com.apple.install
/usr/bin/sudo rm ./tmp.txt
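Review bot: the lines shown only strip `all_max=...M` and `all_max=...G`; nothing sets or raises `ttl`, although the header comment says "If not exist add ttl=365" and the policy in the other file requires a line with `ttl` of 365 or more. Unless the remaining lines of the script add that, running it on a default config removes the size cap but leaves the policy failing, so the "Automated method" in the resolution would not make a host compliant. Two robustness problems in the visible lines: `/usr/bin/sudo sed ... > ./tmp.txt` performs the redirection in the unprivileged caller's shell, which truncates `./tmp.txt` before sed runs, so if sed fails the following `/usr/bin/sudo cp ./tmp.txt /etc/asl/com.apple.install` overwrites the config with an empty file; and the temp file has a fixed name in the current directory rather than a `mktemp` path. macOS sed supports in-place editing, so a single `sudo sed -E -i '' 's/ ?all_max=[0-9]+[KMG]?//g' /etc/asl/com.apple.install` would replace all six lines, avoid the temp file, and also catch a value written with a different or no suffix, which the two separate `M` and `G` patterns miss. Adding `set -e` and a check that the file exists before editing would round this out.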