From b6968892b0c216b1752dcbb9cd5241beac1999cc Mon Sep 17 00:00:00 2001
From: Artemis Tosini <artemis@fleetdm.com>
Date: Wed, 8 Feb 2023 10:51:42 -0500
Subject: [PATCH] Add macOS CIS 6.1.1 (Show All Filename Extensions) (#9740)

This adds CIS 6.1.1
---------
Co-authored-by: Sharon Katz <sharon@fleetdm.com>
Approved by: Sharon Katz <sharon@fleetdm.com>
---
 ee/cis/macos-13/cis-policy-queries.yml    | 33 ++++++++++++++++++++++-
 ee/cis/macos-13/test/scripts/CIS_6.1.1.sh |  5 ++++
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100755 ee/cis/macos-13/test/scripts/CIS_6.1.1.sh

diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index e5efb926d4..91edff7aa1 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -1508,4 +1508,35 @@ spec:
     );
   purpose: Informational
   tags: compliance, CIS, CIS_Level1, CIS5.7
-  contributors: lucasmrod
\ No newline at end of file
+  contributors: lucasmrod
+---
+apiVersion: v1
+kind: policy
+spec:
+  name: CIS - Ensure Show All Filename Extensions Setting is Enabled
+  platforms: macOS
+  platform: darwin
+  description: |
+    A filename extension is a suffix added to a base filename that indicates the base filename's
+    file format. Visible filename extensions allow the user to identify the file type and the
+    application it is associated with which leads to quick identification of misrepresented malicious files.
+  resolution: |
+    Automated method:
+    Ask your system administrator to deploy a script that will ensure Show All Filename Extensions Setting is Enabled
+        For each user run:
+        /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -bool true
+  query: |
+    SELECT 1 WHERE NOT EXISTS (
+      SELECT 1 FROM users AS u
+      LEFT JOIN (
+        SELECT * FROM plist WHERE
+          path LIKE '/Users/%/Library/Preferences/.GlobalPreferences.plist' AND
+          key = 'AppleShowAllExtensions' AND
+          value = '1') AS p
+      ON p.path = CONCAT(u.directory, '/Library/Preferences/.GlobalPreferences.plist')
+        WHERE u.directory LIKE '/Users/%' AND
+        p.value IS NULL
+    );
+  purpose: Informational
+  tags: compliance, CIS, CIS_Level1, CIS6.1.1
+  contributors: artemist-work
diff --git a/ee/cis/macos-13/test/scripts/CIS_6.1.1.sh b/ee/cis/macos-13/test/scripts/CIS_6.1.1.sh
new file mode 100755
index 0000000000..2b2bdc687e
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_6.1.1.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+
+# For QA: Replace <username> with your test user
+/usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -bool true