From b60f063e0934792f44796cabca4f34f2ad54094b Mon Sep 17 00:00:00 2001
From: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Date: Wed, 1 Feb 2023 17:35:50 -0500
Subject: [PATCH] CIS 3.6 (#9582)
---
ee/cis/macos-13/cis-policy-queries.yml | 36 ++++++++++++++++
.../macos-13/test/profiles/3.6.mobileconfig | 41 +++++++++++++++++++
2 files changed, 77 insertions(+)
create mode 100644 ee/cis/macos-13/test/profiles/3.6.mobileconfig
diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index fc483aa7eb..f2e6ded235 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -791,6 +791,42 @@ spec:
---
apiVersion: v1
kind: policy
+spec:
+ name: CIS - Ensure Firewall Logging Is Enabled and Configured (MDM Required)
+ platforms: macOS
+ platform: darwin
+ description: |
+ The socketfilter Firewall is what is used when the Firewall is turned on in the Security & Privacy Preference Pane. In order to appropriately monitor what access is allowed and denied, logging must be enabled. The logging level must be set to "detailed" to be useful in monitoring connection attempts that the firewall detects. Throttled login is not sufficient for examine Firewall connection attempts.
+ resolution: |
+ Profile Method:
+ Create or edit a configuration profile with the following information:
+ 1. The Payload Type string is com.apple.security.firewall
+ 2. The key to include is EnableFirewall
+ 3. The key must be set to
+ 4. The key to also include is EnableLogging
+ 5. The key must be set to
+ 6. The key to also include is LoggingOption
+ 7. The key must be set to detail
+ query: |
+ SELECT 1 WHERE
+ (
+ EXISTS ( SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND name='EnableLogging' AND value=1 )
+ AND
+ EXISTS ( SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND name='LoggingOption' AND value="detail" )
+ )
+ OR
+ (
+ EXISTS ( SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.alf.plist' AND key='loggingenabled' AND value = 1 )
+ AND
+ EXISTS ( SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.alf.plist' AND key='loggingoption' AND value = 2 )
+ );
+
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS3.6
+ contributors: sharon-fdm
+---
+apiVersion: v1
+kind: policy
spec:
name: CIS - Ensure Bonjour Advertising Services Is Disabled (MDM Required)
platforms: macOS
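Review bot: The LoggingOption predicate writes the literal as `value="detail"`, which SQLite (osquery's engine) parses as an identifier and only falls back to a string literal when no column of that name resolves, and builds compiled with SQLITE_DQS=0 reject it outright; the neighbouring predicates already use single quotes, so change it to `AND value='detail'`. The policy is titled "(MDM Required)" yet the second branch passes on the local `/Library/Preferences/com.apple.alf.plist` alone, so a one-line comment above the `OR` such as `-- fall back to the local alf.plist for hosts configured outside MDM` would make the dual-source intent explicit rather than look like an accidental loosening. The `value` columns of `managed_policies` and `plist` appear to be text in osquery's schema, so `value = 1` and `value = 2` depend on SQLite type-affinity coercion; quoting them as `'1'` and `'2'` avoids that dependency and matches the string comparisons elsewhere in the query. The description's last sentence, "Throttled login is not sufficient for examine Firewall connection attempts", presumably should read "Throttled logging is not sufficient for examining Firewall connection attempts".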
diff --git a/ee/cis/macos-13/test/profiles/3.6.mobileconfig b/ee/cis/macos-13/test/profiles/3.6.mobileconfig
new file mode 100644
index 0000000000..a4474aa98e
--- /dev/null
+++ b/ee/cis/macos-13/test/profiles/3.6.mobileconfig
@@ -0,0 +1,41 @@
+
+
+
+
+ PayloadContent
+
+
+ PayloadDisplayName
+ test
+ PayloadType
+ com.apple.security.firewall
+ PayloadIdentifier
+ com.fleetdm.cis-3.6.check
+ PayloadUUID
+ 604D8218-D7B6-43B1-95E6-DFCA4C25D73D
+ EnableFirewall
+
+ EnableLogging
+
+ LoggingOption
+ detail
+
+
+ PayloadDescription
+ test
+ PayloadDisplayName
+ Ensure Firewall Logging Is Enabled and Configured
+ PayloadIdentifier
+ com.fleetdm.cis-3.6
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadType
+ Configuration
+ PayloadUUID
+ 5E27501E-50DF-4804-9DEC-0E63C34E8831
+ PayloadVersion
+ 1
+
+