Remove username requirement from some CIS policies (#29842)

#29127
Dante Catalfamo 2025-06-12 15:22:35 -04:00 committed by GitHub
parent 4277a9e93e
commit ab12f475c2
2 changed files with 54 additions and 99 deletions


@ -0,0 +1 @@
- Removed username requirements for certain MDM CIS policies


@ -35,8 +35,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.SoftwareUpdate' AND
name='AutomaticCheckEnabled' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -62,8 +61,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.SoftwareUpdate' AND
name='AutomaticDownload' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -89,8 +87,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.SoftwareUpdate' AND
name='AutomaticallyInstallMacOSUpdates' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -116,8 +113,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.SoftwareUpdate' AND
name='AutomaticallyInstallAppUpdates' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -173,8 +169,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.SoftwareUpdate' AND
name='CriticalUpdateInstall' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -206,8 +201,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
name='enforcedSoftwareUpdateDelay' AND
value <= 30 AND
username = ''
value <= 30
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -241,8 +235,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
name='allowCloudDocumentSync' AND
(value = 0 OR value = 'false') AND
username = ''
(value = 0 OR value = 'false')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -278,8 +271,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
name='allowCloudDocumentSync' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -316,8 +308,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
name='allowCloudKeychainSync' AND
(value = 0 OR value = 'false') AND
username = ''
(value = 0 OR value = 'false')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -354,8 +345,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
name='allowCloudKeychainSync' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -388,8 +378,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
name='allowCloudDesktopAndDocuments' AND
(value = 0 OR value = 'false') AND
username = ''
(value = 0 OR value = 'false')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -456,8 +445,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
name='allowAirDrop' AND
(value = 0 OR value = 'false') AND
username = ''
(value = 0 OR value = 'false')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -496,8 +484,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
name='allowAirPlayIncomingRequests' AND
(value = 0 OR value = 'false') AND
username = ''
(value = 0 OR value = 'false')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -528,8 +515,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
name='forceAutomaticDateAndTime' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -825,8 +811,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
name='allowContentCaching' AND
(value = 0 OR value = 'false') AND
username = ''
(value = 0 OR value = 'false')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -887,20 +872,17 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain = 'com.apple.preferences.sharing.SharingPrefsExtension' AND
name = 'homeSharingUIStatus' AND
value = '0' AND
username = ''
value = '0'
) AND EXISTS (
SELECT 1 FROM managed_policies WHERE
domain = 'com.apple.preferences.sharing.SharingPrefsExtension' AND
name = 'legacySharingUIStatus' AND
value = '0' AND
username = ''
value = '0'
) AND EXISTS (
SELECT 1 FROM managed_policies WHERE
domain = 'com.apple.preferences.sharing.SharingPrefsExtension' AND
name = 'mediaSharingUIStatus' AND
value = '0' AND
username = ''
value = '0'
) AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
domain = 'com.apple.preferences.sharing.SharingPrefsExtension' AND
@ -1013,8 +995,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.controlcenter' AND
name='WiFi' AND
value = 18 AND
username = ''
value = 18
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -1049,8 +1030,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.controlcenter' AND
name='Bluetooth' AND
value = 18 AND
username = ''
value = 18
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -1085,8 +1065,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
name='allowAssistant' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -1123,8 +1102,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
name='allowAssistant' AND
(value = 0 OR value = 'false') AND
username = ''
(value = 0 OR value = 'false')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -1522,8 +1500,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
name='allowApplePersonalizedAdvertising' AND
(value = 0 OR value = 'false') AND
username = ''
(value = 0 OR value = 'false')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -1612,8 +1589,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.universalcontrol' AND
name='Disable' AND
(value = 0 OR value = 'false') AND
username = ''
(value = 0 OR value = 'false')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -1649,8 +1625,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.universalcontrol' AND
name='Disable' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -1825,15 +1800,13 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.screensaver' AND
name='askForPassword' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.screensaver' AND
name='askForPasswordDelay' AND
value <= 5 AND
username = ''
value <= 5
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -1897,29 +1870,25 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.SubmitDiagInfo' AND
name='AutoSubmit' AND
(value = 0 OR value = 'false') AND
username = ''
(value = 0 OR value = 'false')
)
AND EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
name='allowDiagnosticSubmission' AND
(value = 0 OR value = 'false') AND
username = ''
(value = 0 OR value = 'false')
)
AND EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.Accessibility' AND
name='AXSAudioDonationSiriImprovementEnabled' AND
(value = 0 OR value = 'false') AND
username = ''
(value = 0 OR value = 'false')
)
AND EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
name='Siri Data Sharing Opt-In Status' AND
value = 2 AND
username = ''
value = 2
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -1964,8 +1933,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.screensaver' AND
name='idleTime' AND
CAST(value AS INT) <= 1200 AND
username = ''
CAST(value AS INT) <= 1200
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -2021,8 +1989,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.MCX' AND
name='dontAllowFDEDisable' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -2060,8 +2027,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.loginwindow' AND
name='SHOWFULLNAME' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -2094,8 +2060,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.loginwindow' AND
name='RetriesUntilHint' AND
(value = 0 OR value = 'false') AND
username = ''
(value = 0 OR value = 'false')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -2198,15 +2163,14 @@ spec:
SELECT 1 WHERE
EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.login.mcx.DisableAutoLoginClient' AND
name='Disable' AND
(value = 1 OR value = 'true') AND
username = ''
domain='com.apple.loginwindow' AND
name='com.apple.login.mcx.DisableAutoLoginClient' AND
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.login.mcx.DisableAutoLoginClient' AND
name='Disable' AND
domain='com.apple.loginwindow' AND
name='com.apple.login.mcx.DisableAutoLoginClient' AND
(value != 1 AND value != 'true')
);
purpose: Informational
@ -2229,8 +2193,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
name='forceOnDeviceOnlyDictation' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -2457,8 +2420,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.mDNSResponder' AND
name='NoMulticastAdvertisements' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -2755,8 +2717,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.mobiledevice.passwordpolicy' AND
name='requireAlphanumeric' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -2784,8 +2745,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.mobiledevice.passwordpolicy' AND
name='minComplexChars' AND
value >= 1 AND
username = ''
value >= 1
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -3114,8 +3074,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.Safari' AND
name='AutoOpenSafeDownloads' AND
(value = 0 OR value = 'false') AND
username = ''
(value = 0 OR value = 'false')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -3166,8 +3125,7 @@ spec:
365 - After one year
36500 - Set Manually
*/
value = 1 AND
username = ''
value = 1
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -3198,8 +3156,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.Safari' AND
name='WarnAboutFraudulentWebsites' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -3236,22 +3193,20 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.Safari' AND
name='BlockStoragePolicy' AND
value = '2' AND
username = ''
value = '2'
)
AND EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.Safari' AND
name='WebKitPreferences.storageBlockingPolicy' AND
value = '1' AND
username = ''
value = '1'
)
AND EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.Safari' AND
name='WebKitStorageBlockingPolicy' AND
value = '1' AND
username = ''
value = '1'
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -3459,8 +3414,7 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain='com.apple.Terminal' AND
name='SecureKeyboardEntry' AND
(value = 1 OR value = 'true') AND
username = ''
(value = 1 OR value = 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
@ -3507,4 +3461,4 @@ spec:
LIMIT 1;
purpose: Informational
tags: compliance, CIS, CIS_Level1
contributors: defensivedepth
contributors: defensivedepth
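Review bot: Dropping `username = ''` from every `EXISTS (SELECT 1 FROM managed_policies ...)` clause (first at L20-L25, repeated through L473-L478) means any row for the domain/name now satisfies the check, including, if `username` marks user-scoped profiles as its old use here suggests, a profile pushed to a single user account while the device-level setting stays unmanaged, so a host can pass a CIS control that is only enforced for one of its users; the paired `NOT EXISTS` only rejects rows that contradict the value, not rows that merely fail to cover the device. If accepting user-channel profiles is the intent behind #29127, each affected policy's description or resolution text should say so, or the `EXISTS` should at least prefer the device row, e.g. `/* a user-scoped profile (username != '') also satisfies this check; device-level enforcement is not required */` placed above the first `EXISTS` of each query. The hunk at L356-L374 additionally rewrites the auto-login policy's lookup from `domain='com.apple.login.mcx.DisableAutoLoginClient' AND name='Disable'` to `domain='com.apple.loginwindow' AND name='com.apple.login.mcx.DisableAutoLoginClient'`, which is a semantic fix not reflected in the changelog entry or commit title; it deserves its own changelog line so the behavioral change is traceable. Each query's enclosing `SELECT 1 WHERE ... LIMIT 1;` statement starts and ends outside the shown hunks.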