From aae824804bdc20703c3b90e7917db8b53d42314a Mon Sep 17 00:00:00 2001
From: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Date: Thu, 2 Feb 2023 13:16:45 -0500
Subject: [PATCH] Cis 3.3 (#9578)
---
 ee/cis/macos-13/cis-policy-queries.yml | 30 +++++++++++++++++++++++++
 ee/cis/macos-13/test/scripts/CIS_3.3.sh | 18 +++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100755 ee/cis/macos-13/test/scripts/CIS_3.3.sh
diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index b8fc582407..6f62d859ff 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -846,6 +846,36 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: CIS - Ensure install.log Is Retained for 365 or More Days and No Maximum Size
+ platforms: macOS
+ platform: darwin
+ description: |
+ macOS writes information pertaining to system-related events to the file /var/log/install.log and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization.
+ resolution: |
+ Automated method:
+ Ask your system administrator to deploy a script which will ensure proper retention for install.log.
+ Terminal Method:
+ Perform the following to ensure that install logs are retained for at least 365 days:
+ Edit the /etc/asl/com.apple.install file and add or modify the ttl value to 365 or greater on the file line. Also, remove the all_max= setting and value from the file line.
+ query: |
+ SELECT 1 WHERE
+ EXISTS ( SELECT line,
+ CAST ( regex_match(line, 'ttl=(\d+)', 1) AS INTEGER ) AS val
+ FROM file_lines
+ WHERE path = '/etc/asl/com.apple.install'
+ AND val >=365 )
+ AND
+ NOT EXISTS ( SELECT line
+ FROM file_lines
+ WHERE path = '/etc/asl/com.apple.install'
+ AND line LIKE "%all_max=%" );
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS3.3
+ contributors: sharon-fdm
+---
+apiVersion: v1
+kind: policy
 spec:
 name: CIS - Ensure Access to Audit Records Is Controlled
 platforms: macOS
diff --git a/ee/cis/macos-13/test/scripts/CIS_3.3.sh b/ee/cis/macos-13/test/scripts/CIS_3.3.sh
new file mode 100755
index 0000000000..d504e4b618
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_3.3.sh
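Review bot: Both subqueries in `query` scan every line of `/etc/asl/com.apple.install`, not just the live `file` directive, so a commented-out line that still contains `all_max=` makes the policy fail and a commented or unrelated line carrying `ttl=365` makes it pass regardless of the active setting. Add `AND line NOT LIKE '#%'` to both WHERE clauses, or narrow further to the install.log directive with `AND line LIKE '%file /var/log/install.log%'` if that is how the shipped file is laid out (the file itself is not visible here). Minor: `"%all_max=%"` is double-quoted, which SQLite only accepts as a string literal because no column of that name exists; write it as `AND line LIKE '%all_max=%'` to match the single-quoted `path` literal above it.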
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+
+# For QA:
+# Open /etc/asl/com.apple.install for edit and look for a line starting with "* file"
+# If exist delete all_max=XXX
+# If not exist add ttl=365
+
+
+# This section will delete the all_max
+/usr/bin/sudo sed -E 's/all_max=[0-9]+M//g' /etc/asl/com.apple.install > ./tmp.txt
+/usr/bin/sudo cp ./tmp.txt /etc/asl/com.apple.install
+/usr/bin/sudo rm ./tmp.txt
+
+/usr/bin/sudo sed -E 's/all_max=[0-9]+G//g' /etc/asl/com.apple.install > ./tmp.txt
+/usr/bin/sudo cp ./tmp.txt /etc/asl/com.apple.install
+/usr/bin/sudo rm ./tmp.txt
+
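Review bot: The script never touches `ttl=`, although its own QA comment says to add `ttl=365` when missing and the policy query added in the same commit only passes when the install.log directive carries a `ttl` of 365 or more, so after running it the policy still fails on any host whose file line lacks or undervalues `ttl`. The sed → `./tmp.txt` → `sudo cp` sequence is also fragile: it writes through a fixed, predictable name in the caller's working directory (a concern if that directory is writable by other users), and with no `set -e` a failing sed leaves `tmp.txt` empty and the following line copies that empty file over `/etc/asl/com.apple.install`. Both sed passes can be a single in-place BSD `sed -i ''` run under sudo that edits only the `* file` directive (the form the QA comment describes — confirm against the shipped file), strips `all_max=<n>` with its optional K/M/G suffix and any old `ttl=`, and appends `ttl=365`; if no such directive line exists nothing is added, which matches the original's behavior of not creating one.
```shell
#!/bin/bash
set -euo pipefail

# … unchanged: QA comment header …

CONF=/etc/asl/com.apple.install

# On the "* file" directive only: drop all_max=<n>[K|M|G] and any existing ttl=, then append ttl=365.
/usr/bin/sudo /usr/bin/sed -i '' -E \
    '/^\* file /{ s/[[:space:]]+all_max=[0-9]+[KMGkmg]?//g; s/[[:space:]]+ttl=[0-9]+//g; s/$/ ttl=365/; }' \
    "$CONF"
```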