From b754cb096c919fe8dc5bf6bc3a9b49c455dd792d Mon Sep 17 00:00:00 2001
From: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Date: Wed, 21 Jun 2023 14:00:25 -0400
Subject: [PATCH] Add "username=''" to managed_policies queries (#10710)
https://github.com/fleetdm/fleet/issues/10602
@xpkoala this PR will require testing of all modified items.
Preferably, we should perform the tests before merging to master. Can we
use the dev branch for that? -- Items were tested locally.
---
ee/cis/macos-13/cis-policy-queries.yml | 810 +++++++++++++++++++++----
1 file changed, 681 insertions(+), 129 deletions(-)
diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index 2fdc36def4..dab5419f7e 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -29,7 +29,21 @@ spec:
platform: darwin
description: Checks that the system is configured via MDM to automatically install updates.
resolution: "Ask your system administrator to deploy an MDM profile that enables automatic updates."
- query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticCheckEnabled' AND value=1 LIMIT 1;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.SoftwareUpdate' AND
+ name='AutomaticCheckEnabled' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.SoftwareUpdate' AND
+ name='AutomaticCheckEnabled' AND
+ (value != 1 AND value != 'true')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-1.2
contributors: sharon-fdm
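Review bot: The NOT EXISTS half of the new query is not scoped by `username = ''` while the EXISTS half is, so a user-scoped managed policy carrying a conflicting value fails the check even when the system-scoped policy is correct, and nothing in the hunk says whether that asymmetry is intended. If it is, a one-line comment above the second subquery, `-- a conflicting value in any scope (system or per-user) fails the check`, would stop the next reader from "fixing" it; if it is not, the second subquery needs `AND username = ''` too. The same shape recurs in every rewritten managed_policies query in this patch, so whichever way it goes should be applied uniformly.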
@@ -42,7 +56,21 @@ spec:
platform: darwin
description: Checks that the system is configured via MDM to automatically download updates.
resolution: "Ask your system administrator to deploy an MDM profile that enables automatic update downloads."
- query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticDownload' AND value=1 LIMIT 1;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.SoftwareUpdate' AND
+ name='AutomaticDownload' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.SoftwareUpdate' AND
+ name='AutomaticDownload' AND
+ (value != 1 AND value != 'true')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-1.3
contributors: sharon-fdm
@@ -55,7 +83,21 @@ spec:
platform: darwin
description: Ensure that macOS updates are installed after they are available from Apple.
resolution: "Ask your system administrator to deploy an MDM profile that enables automatic install of macOS updates."
- query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallMacOSUpdates' AND value=1 LIMIT 1;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.SoftwareUpdate' AND
+ name='AutomaticallyInstallMacOSUpdates' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.SoftwareUpdate' AND
+ name='AutomaticallyInstallMacOSUpdates' AND
+ (value != 1 AND value != 'true')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-1.4
contributors: sharon-fdm
@@ -68,7 +110,21 @@ spec:
platform: darwin
description: Ensure that application updates are installed after they are available from Apple.
resolution: Ask your system administrator to deploy an MDM profile that enables automatic updates of Apple apps.
- query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallAppUpdates' AND value=1;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.SoftwareUpdate' AND
+ name='AutomaticallyInstallAppUpdates' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.SoftwareUpdate' AND
+ name='AutomaticallyInstallAppUpdates' AND
+ (value != 1 AND value != 'true')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-1.5
contributors: lucasmrod
@@ -85,7 +141,21 @@ spec:
setting in place, new malware and adware that Apple has added to the list of malware or
untrusted software will not execute.
resolution: "Ask your system administrator to deploy an MDM profile that enables automatic critical system and security updates."
- query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='CriticalUpdateInstall' AND value=1 LIMIT 1;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.SoftwareUpdate' AND
+ name='CriticalUpdateInstall' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.SoftwareUpdate' AND
+ name='CriticalUpdateInstall' AND
+ (value != 1 AND value != 'true')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-1.6
contributors: sharon-fdm
@@ -104,7 +174,21 @@ spec:
updates are deferred, they should not be deferred for more than 30 days.
This control only verifies that deferred software updates are not deferred for more than 30 days.
resolution: "Ask your system administrator to deploy an MDM profile configures update deferment to a value of 30 days or less."
- query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='enforcedSoftwareUpdateDelay' AND value <= 30;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='enforcedSoftwareUpdateDelay' AND
+ value <= 30 AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='enforcedSoftwareUpdateDelay' AND
+ value > 30
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-1.7
contributors: lucasmrod
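Review bot: `value <= 30` and `value > 30` compare the value column against an integer literal, and if that column carries TEXT affinity (the table schema is not visible here, so this needs confirming) SQLite applies text comparison, under which '100' sorts below '30', so an oversized deferral could satisfy the EXISTS branch and escape the NOT EXISTS branch. Making the cast explicit removes the dependency on affinity: `CAST(value AS INTEGER) <= 30 AND` in the first subquery and `CAST(value AS INTEGER) > 30` in the second. The same applies to the `<= 5`/`> 5` pair in the askForPasswordDelay hunk, the `<= 1200`/`> 1200` pair in the idleTime hunk and the `>= 1`/`< 1` pair in the minComplexChars hunk.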
@@ -126,12 +210,19 @@ spec:
2. The key to include is allowCloudDocumentSync.
3. The key must be set to .
query: |
- SELECT 1 WHERE NOT EXISTS (
+ SELECT 1 WHERE
+ EXISTS (
SELECT 1 FROM managed_policies WHERE
- domain='com.apple.applicationaccess'
- AND
- name='allowCloudDocumentSync'
- AND (value = '1' OR value = 'true')
+ domain='com.apple.applicationaccess' AND
+ name='allowCloudDocumentSync' AND
+ (value = 0 OR value = 'false') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowCloudDocumentSync' AND
+ (value != 0 AND value != 'false')
);
/*CIS does not make a hard recommendation for this policy. Fleet has provided two policies (one failing, one succeeding).
Depending on your organization's decision, you can delete this policy or its counterpart.*/
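Review bot: The rewritten query changes what this policy means rather than only adding a username filter: the removed form passed whenever no enabling value existed, the new form requires an explicit `0`/`'false'` under `username = ''`, so a host with no allowCloudDocumentSync policy at all now fails. That shift is not reflected in the subject line and nothing in the YAML records it; the existing `/*CIS does not make a hard recommendation ...*/` comment is the natural place for a sentence such as `A host with no allowCloudDocumentSync policy fails this check; an explicit system-scoped value is required.` The allowCloudDocumentSync counterpart and both allowCloudKeychainSync hunks make the same NOT EXISTS to EXISTS change and would want the same note.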
@@ -156,12 +247,19 @@ spec:
2. The key to include is allowCloudDocumentSync.
3. The key must be set to .
query: |
- SELECT 1 WHERE NOT EXISTS (
+ SELECT 1 WHERE
+ EXISTS (
SELECT 1 FROM managed_policies WHERE
- domain='com.apple.applicationaccess'
- AND
- name='allowCloudDocumentSync'
- AND (value = '0' OR value = 'false')
+ domain='com.apple.applicationaccess' AND
+ name='allowCloudDocumentSync' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowCloudDocumentSync' AND
+ (value != 1 AND value != 'true')
);
/*CIS does not make a hard recommendation for this policy. Fleet has provided two policies (one failing, one succeeding).
Depending on your organization's decision, you can delete this policy or its counterpart.*/
@@ -187,13 +285,20 @@ spec:
2. The key to include is allowCloudKeychainSync.
3. The key must be set to .
query: |
- SELECT 1 WHERE NOT EXISTS (
+ SELECT 1 WHERE
+ EXISTS (
SELECT 1 FROM managed_policies WHERE
- domain='com.apple.applicationaccess'
- AND
- name='allowCloudKeychainSync'
- AND (value = '1' OR value = 'true')
- );
+ domain='com.apple.applicationaccess' AND
+ name='allowCloudKeychainSync' AND
+ (value = 0 OR value = 'false') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowCloudKeychainSync' AND
+ (value != 0 AND value != 'false')
+ );
/*CIS does not make a hard recommendation for this policy. Fleet has provided two policies (one failing, one succeeding).
Depending on your organization's decision, you can delete this policy or its counterpart.*/
purpose: Informational
@@ -218,12 +323,19 @@ spec:
2. The key to include is allowCloudKeychainSync.
3. The key must be set to .
query: |
- SELECT 1 WHERE NOT EXISTS (
+ SELECT 1 WHERE
+ EXISTS (
SELECT 1 FROM managed_policies WHERE
- domain='com.apple.applicationaccess'
- AND
- name='allowCloudKeychainSync'
- AND (value = '0' OR value = 'false')
+ domain='com.apple.applicationaccess' AND
+ name='allowCloudKeychainSync' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowCloudKeychainSync' AND
+ (value != 1 AND value != 'true')
);
/*CIS does not make a hard recommendation for this policy. Fleet has provided two policies (one failing, one succeeding).
Depending on your organization's decision, you can delete this policy or its counterpart.*/
@@ -244,7 +356,21 @@ spec:
1. The PayloadType string is com.apple.applicationaccess.
2. The key to include is allowCloudDesktopAndDocuments.
3. The key must be set to .
- query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowCloudDesktopAndDocuments' AND (value = 0 OR value = 'false') LIMIT 1;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowCloudDesktopAndDocuments' AND
+ (value = 0 OR value = 'false') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowCloudDesktopAndDocuments' AND
+ (value != 0 AND value != 'false')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.1.1.3
contributors: zwass
@@ -298,7 +424,21 @@ spec:
1. The PayloadType string is com.apple.applicationaccess
2. The key to include is allowAirDrop
3. The key must be set to
- query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowAirDrop' AND (value = 0 OR value = 'false') LIMIT 1;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowAirDrop' AND
+ (value = 0 OR value = 'false') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowAirDrop' AND
+ (value != 0 AND value != 'false')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.1.1
contributors: lucasmrod
@@ -324,7 +464,21 @@ spec:
1. The PayloadType string is com.apple.applicationaccess
2. The key to include is allowAirPlayIncomingRequests
3. The key must be set to
- query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowAirPlayIncomingRequests' AND (value = 0 OR value = 'false') LIMIT 1;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowAirPlayIncomingRequests' AND
+ (value = 0 OR value = 'false') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowAirPlayIncomingRequests' AND
+ (value != 0 AND value != 'false')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.1.2
contributors: lucasmrod
@@ -342,7 +496,21 @@ spec:
1. The PayloadType string is com.apple.applicationaccess.
2. The key to include is forceAutomaticDateAndTime.
3. The key must be set to .
- query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='forceAutomaticDateAndTime' AND value=1 LIMIT 1;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='forceAutomaticDateAndTime' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='forceAutomaticDateAndTime' AND
+ (value != 1 AND value != 'true')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.2.1
contributors: sharon-fdm
@@ -624,8 +792,20 @@ spec:
2. The key to include is allowContentCaching
3. The key must be set to
query: |
- SELECT 1 WHERE EXISTS (SELECT * FROM managed_policies mp WHERE domain = 'com.apple.applicationaccess' AND name = 'allowContentCaching' AND value = 0)
- AND NOT EXISTS (SELECT * FROM managed_policies mp WHERE domain = 'com.apple.applicationaccess' AND name = 'allowContentCaching' AND value != 0);
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowContentCaching' AND
+ (value = 0 OR value = 'false') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowContentCaching' AND
+ (value != 0 AND value != 'false')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.3.3.9
contributors: sharon-fdm
@@ -679,17 +859,35 @@ spec:
SELECT 1 FROM managed_policies WHERE
domain = 'com.apple.preferences.sharing.SharingPrefsExtension' AND
name = 'homeSharingUIStatus' AND
- value = '0'
+ value = '0' AND
+ username = ''
) AND EXISTS (
SELECT 1 FROM managed_policies WHERE
domain = 'com.apple.preferences.sharing.SharingPrefsExtension' AND
name = 'legacySharingUIStatus' AND
- value = '0'
+ value = '0' AND
+ username = ''
) AND EXISTS (
SELECT 1 FROM managed_policies WHERE
domain = 'com.apple.preferences.sharing.SharingPrefsExtension' AND
name = 'mediaSharingUIStatus' AND
- value = '0'
+ value = '0' AND
+ username = ''
+ ) AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain = 'com.apple.preferences.sharing.SharingPrefsExtension' AND
+ name = 'homeSharingUIStatus' AND
+ value != '0'
+ ) AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain = 'com.apple.preferences.sharing.SharingPrefsExtension' AND
+ name = 'legacySharingUIStatus' AND
+ value != '0'
+ ) AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain = 'com.apple.preferences.sharing.SharingPrefsExtension' AND
+ name = 'mediaSharingUIStatus' AND
+ value != '0'
);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.3.10
@@ -781,7 +979,21 @@ spec:
1. The `PayloadType` string is `com.apple.controlcenter`.
2. The key to include is `WiFi`.
3. The key must be set to `18`.
- query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.controlcenter' AND name = 'WiFi' AND value = 18;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.controlcenter' AND
+ name='WiFi' AND
+ value = 18 AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.controlcenter' AND
+ name='WiFi' AND
+ value != 18
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.4.1
contributors: lucasmrod
@@ -803,7 +1015,21 @@ spec:
1. The `PayloadType` string is `com.apple.controlcenter`.
2. The key to include is `Bluetooth`.
3. The key must be set to `18`.
- query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.controlcenter' AND name = 'Bluetooth' AND value = 18;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.controlcenter' AND
+ name='Bluetooth' AND
+ value = 18 AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.controlcenter' AND
+ name='Bluetooth' AND
+ value != 18
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.4.2
contributors: lucasmrod
@@ -826,12 +1052,21 @@ spec:
2. The key to include is allowAssistant.
3. The key must be set to .
query: |
- SELECT 1 FROM managed_policies WHERE
- domain='com.apple.applicationaccess'
- AND
- name='allowAssistant'
- AND (value = '1' OR value = 'true');
- /*CIS does not make a hard recommendation for this policy. Fleet has provided two policies (one failing, one succeeding).
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowAssistant' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowAssistant' AND
+ (value != 1 AND value != 'true')
+ );
+ /*CIS does not make a hard recommendation for this policy. Fleet has provided two policies (one failing, one succeeding).
Depending on your organization's decision, you can delete this policy or its counterpart.*/
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.5.1-enabled, decision-needed
@@ -855,11 +1090,20 @@ spec:
2. The key to include is allowAssistant.
3. The key must be set to .
query: |
- SELECT 1 FROM managed_policies WHERE
- domain='com.apple.applicationaccess'
- AND
- name='allowAssistant'
- AND (value = '0' OR value = 'false');
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowAssistant' AND
+ (value = 0 OR value = 'false') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowAssistant' AND
+ (value != 0 AND value != 'false')
+ );
/*CIS does not make a hard recommendation for this policy. Fleet has provided two policies (one failing, one succeeding).
Depending on your organization's decision, you can delete this policy or its counterpart.*/
purpose: Informational
@@ -1244,7 +1488,21 @@ spec:
1. Open Privacy & Security
2. Select Apple Advertising
3. Verify that Personalized Ads is not enabled
- query: SELECT 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowApplePersonalizedAdvertising' AND value=0;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowApplePersonalizedAdvertising' AND
+ (value = 0 OR value = 'false') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowApplePersonalizedAdvertising' AND
+ (value != 0 AND value != 'false')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.6.3
contributors: sharon-fdm
@@ -1321,11 +1579,20 @@ spec:
2. The key to include is 'Disable'.
3. The key must be set to .
query: |
- SELECT 1 FROM managed_policies WHERE
- domain='com.apple.universalcontrol'
- AND
- name='Disable'
- AND value = '0';
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.universalcontrol' AND
+ name='Disable' AND
+ (value = 0 OR value = 'false') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.universalcontrol' AND
+ name='Disable' AND
+ (value != 0 AND value != 'false')
+ );
/*CIS does not make a hard recommendation for this policy. Fleet has provided two policies (one failing, one succeeding).
Depending on your organization's decision, you can delete this policy or its counterpart.*/
purpose: Informational
@@ -1349,11 +1616,20 @@ spec:
2. The key to include is 'Disable'.
3. The key must be set to .
query: |
- SELECT 1 FROM managed_policies WHERE
- domain='com.apple.universalcontrol'
- AND
- name='Disable'
- AND value = '1';
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.universalcontrol' AND
+ name='Disable' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.universalcontrol' AND
+ name='Disable' AND
+ (value != 1 AND value != 'true')
+ );
/*CIS does not make a hard recommendation for this policy. Fleet has provided two policies (one failing, one succeeding).
Depending on your organization's decision, you can delete this policy or its counterpart.*/
purpose: Informational
@@ -1516,7 +1792,33 @@ spec:
3. Verify that Require password after screensaver begins or display is turned
off is set with After 0 seconds or After 5 seconds
query: |
- SELECT 1 WHERE EXISTS(select 1 FROM managed_policies WHERE domain='com.apple.screensaver' AND name='askForPassword' AND value=1) AND EXISTS(select 1 FROM managed_policies WHERE domain='com.apple.screensaver' AND name='askForPasswordDelay' AND value <= 5)
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.screensaver' AND
+ name='askForPassword' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.screensaver' AND
+ name='askForPasswordDelay' AND
+ value <= 5 AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.screensaver' AND
+ name='askForPassword' AND
+ (value != 1 AND value != 'true')
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.screensaver' AND
+ name='askForPasswordDelay' AND
+ value > 5
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.10.2
contributors: sharon-fdm
@@ -1562,11 +1864,45 @@ spec:
6. Verify that Improve Siri & Dictation is not enabled
query: |
SELECT 1 WHERE
- EXISTS(select 1 FROM managed_policies WHERE domain='com.apple.SubmitDiagInfo' AND name='AutoSubmit' AND value = 0)
- AND
- EXISTS(select 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='allowDiagnosticSubmission' AND value = 0)
- AND
- EXISTS(select 1 FROM managed_policies WHERE domain='com.apple.applicationaccess' AND name='Siri Data Sharing Opt-In Status' AND value = 2);
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.SubmitDiagInfo' AND
+ name='AutoSubmit' AND
+ (value = 0 OR value = 'false') AND
+ username = ''
+ )
+ AND EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='allowDiagnosticSubmission' AND
+ (value = 0 OR value = 'false') AND
+ username = ''
+ )
+ AND EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='Siri Data Sharing Opt-In Status' AND
+ value = 2 AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.SubmitDiagInfo' AND
+ name='Disable' AND
+ (value != 0 AND value != 'false')
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='Disable' AND
+ (value != 0 AND value != 'false')
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.applicationaccess' AND
+ name='Disable' AND
+ value != 2
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.6.2
contributors: sharon-fdm
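Review bot: The three NOT EXISTS guards all use `name='Disable'`, but the keys the EXISTS clauses test are AutoSubmit, allowDiagnosticSubmission and Siri Data Sharing Opt-In Status, so the conflict checks never look at the values they are meant to guard, and the policy would instead fail if any unrelated 'Disable' key existed in those domains. Change the three guards to `name='AutoSubmit' AND`, `name='allowDiagnosticSubmission' AND` and `name='Siri Data Sharing Opt-In Status' AND` respectively, keeping their domains as they are. This looks like a copy from the universalcontrol hunks, where 'Disable' is the real key.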
@@ -1586,7 +1922,21 @@ spec:
1. Open System Settings
2. Select Lock Screen
3. Verify that Start Screen Saver when inactive is set for 20 minutes or less (≤1200 seconds)
- query: SELECT 1 FROM managed_policies WHERE domain='com.apple.screensaver' AND name='idleTime' AND value <= 1200;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.screensaver' AND
+ name='idleTime' AND
+ value <= 1200 AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.screensaver' AND
+ name='idleTime' AND
+ value > 1200
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.10.1
contributors: sharon-fdm
@@ -1631,9 +1981,24 @@ spec:
6. Verify that an installed profile has FileVault Can't Disable set to True
query: |
SELECT 1 WHERE
- EXISTS(SELECT 1 FROM managed_policies WHERE domain='com.apple.MCX' AND name='dontAllowFDEDisable' AND value=1)
- AND
- EXISTS(SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT "" AND filevault_status = 'on' LIMIT 1);
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.MCX' AND
+ name='dontAllowFDEDisable' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.MCX' AND
+ name='dontAllowFDEDisable' AND
+ (value != 1 AND value != 'true')
+ )
+ AND EXISTS (
+ SELECT 1 FROM disk_encryption WHERE
+ user_uuid IS NOT "" AND
+ filevault_status = 'on'
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.6.5
contributors: sharon-fdm
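Review bot: `user_uuid IS NOT ""` on the new side relies on SQLite's fallback that treats a double-quoted token as a string literal only when no column of that name exists; builds that disable the fallback (the SQLITE_DQS option) reject it, and it reads as an identifier to anyone else. Prefer single quotes: `user_uuid != '' AND`. The same applies to `value = "detail" AND` and `value != "detail"` in the firewall EnableLogging/LoggingOption hunk, which should become `value = 'detail' AND` and `value != 'detail'`.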
@@ -1653,7 +2018,21 @@ spec:
1. Open System Settings
2. Select Lock Screen
3. Verify that Login window shows is set to Name and Password
- query: SELECT 1 FROM managed_policies where domain='com.apple.loginwindow' AND name='SHOWFULLNAME' AND value=1;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.loginwindow' AND
+ name='SHOWFULLNAME' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.loginwindow' AND
+ name='SHOWFULLNAME' AND
+ (value != 1 AND value != 'true')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.10.4
contributors: sharon-fdm
@@ -1673,7 +2052,21 @@ spec:
1. OpenSystemSettings
2. Select Lock Screen
3. Verify that Show password hints is disabled
- query: SELECT 1 FROM managed_policies WHERE domain = 'com.apple.loginwindow' AND name = 'RetriesUntilHint' AND value = 0;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.loginwindow' AND
+ name='RetriesUntilHint' AND
+ (value = 0 OR value = 'false') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.loginwindow' AND
+ name='RetriesUntilHint' AND
+ (value != 0 AND value != 'false')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.10.5
contributors: sharon-fdm
@@ -1768,7 +2161,21 @@ spec:
1. The Payload Type string is com.apple.loginwindow
2. The key to include is com.apple.login.mcx.DisableAutoLoginClient
3. The key must be set to
- query: SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND name='com.apple.login.mcx.DisableAutoLoginClient' AND value = 1;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.login.mcx.DisableAutoLoginClient' AND
+ name='Disable' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.login.mcx.DisableAutoLoginClient' AND
+ name='Disable' AND
+ (value != 1 AND value != 'true')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.12.3
contributors: sharon-fdm
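Review bot: The new query looks up `domain='com.apple.login.mcx.DisableAutoLoginClient'` with `name='Disable'`, but the context lines above state the Payload Type is com.apple.loginwindow and the key is com.apple.login.mcx.DisableAutoLoginClient, which is also what the removed line queried; as written neither subquery can match the documented profile, so the policy fails on every host. Both subqueries should read `domain='com.apple.loginwindow' AND` followed by `name='com.apple.login.mcx.DisableAutoLoginClient' AND`.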
@@ -1983,15 +2390,47 @@ spec:
query: |
SELECT 1 WHERE
(
- EXISTS ( SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND name='EnableLogging' AND value=1 )
- AND
- EXISTS ( SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND name='LoggingOption' AND value="detail" )
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.security.firewall' AND
+ name='EnableLogging' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.security.firewall' AND
+ name='LoggingOption' AND
+ value = "detail" AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.security.firewall' AND
+ name='EnableLogging' AND
+ (value != 1 AND value != 'true')
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.security.firewall' AND
+ name='LoggingOption' AND
+ value != "detail"
+ )
)
OR
(
- EXISTS ( SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.alf.plist' AND key='loggingenabled' AND value = 1 )
- AND
- EXISTS ( SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.alf.plist' AND key='loggingoption' AND value = 2 )
+ EXISTS (
+ SELECT 1 FROM plist WHERE
+ path='/Library/Preferences/com.apple.alf.plist' AND
+ key='loggingenabled' AND
+ value = 1
+ )
+ AND EXISTS (
+ SELECT 1 FROM plist WHERE
+ path='/Library/Preferences/com.apple.alf.plist' AND
+ key='loggingoption' AND
+ value = 2
+ )
);
purpose: Informational
@@ -2015,7 +2454,21 @@ spec:
1. The Payload Type string is `com.apple.mDNSResponder`.
2. The key to include is `NoMulticastAdvertisements`.
3. The key must be set to ``.
- query: SELECT 1 FROM managed_policies WHERE domain='com.apple.mDNSResponder' AND name='NoMulticastAdvertisements' AND value = 1;
+ query: |
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.mDNSResponder' AND
+ name='NoMulticastAdvertisements' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.mDNSResponder' AND
+ name='NoMulticastAdvertisements' AND
+ (value != 1 AND value != 'true')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS-macos-13-4.1
contributors: lucasmrod
@@ -2299,11 +2752,20 @@ spec:
resolution: |
Ask your system administrator to deploy an MDM profile that ensures Complex Password Must Contain Alphabetic Characters
query: |
- SELECT 1 FROM managed_policies WHERE
- domain = 'com.apple.mobiledevice.passwordpolicy' AND
- name = 'requireAlphanumeric' AND
- (value = 1 OR value = 'true')
- LIMIT 1;
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.mobiledevice.passwordpolicy' AND
+ name='requireAlphanumeric' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.mobiledevice.passwordpolicy' AND
+ name='requireAlphanumeric' AND
+ (value != 1 AND value != 'true')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS-macos-13-5.2.3, CIS-macos-13-5.2.4
contributors: sharon-fdm
@@ -2319,11 +2781,20 @@ spec:
resolution: |
Ask your system administrator to deploy an MDM profile that ensures Complex Password Must Contain Special Characters
query: |
- SELECT 1 FROM managed_policies WHERE
- domain = 'com.apple.mobiledevice.passwordpolicy' AND
- name = 'minComplexChars' AND
- value >= 1
- LIMIT 1;
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.mobiledevice.passwordpolicy' AND
+ name='minComplexChars' AND
+ value >= 1 AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.mobiledevice.passwordpolicy' AND
+ name='minComplexChars' AND
+ value < 1
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS-macos-13-5.2.5
contributors: sharon-fdm
@@ -2670,11 +3141,20 @@ spec:
Payload Method:
Ask your administrator to deploy a profile which disables AutoOpenSafeDownloads in Safari
query: |
- SELECT 1 FROM managed_policies WHERE
- domain = 'com.apple.Safari' AND
- name = 'AutoOpenSafeDownloads' AND
- value = '0'
- LIMIT 1;
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.Safari' AND
+ name='AutoOpenSafeDownloads' AND
+ (value = 0 OR value = 'false') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.Safari' AND
+ name='AutoOpenSafeDownloads' AND
+ (value != 0 AND value != 'false')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-6.3.1
contributors: artemist-work
@@ -2704,20 +3184,29 @@ spec:
2. The key to include is HistoryAgeInDaysLimit
3. The key must be set to: <1,7,14,31,365,36500>
query: |
- SELECT 1 FROM managed_policies WHERE
- domain = 'com.apple.Safari' AND
- name = 'HistoryAgeInDaysLimit' AND
- /*
- Please replace the checked value bellow to match the one decided by your organization.
- 1 - After one day
- 7 - After one week
- 14 - After two weeks
- 31 - After one month
- 365 - After one year
- 36500 - Set Manually
- */
- value = '1'
- LIMIT 1;
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.Safari' AND
+ name='HistoryAgeInDaysLimit' AND
+ /*
+ Please replace the checked value bellow to match the one decided by your organization.
+ 1 - After one day
+ 7 - After one week
+ 14 - After two weeks
+ 31 - After one month
+ 365 - After one year
+ 36500 - Set Manually
+ */
+ value = 1 AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.Safari' AND
+ name='HistoryAgeInDaysLimit' AND
+ value != 1
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS-macos-13-6.3.2, decision-needed
contributors: sharon-fdm
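Review bot: The value the comment asks operators to replace now appears twice, in the EXISTS subquery (`value = 1 AND`) and again in the NOT EXISTS subquery (`value != 1`), but the comment only sits above the first; an operator who follows it and changes only the first occurrence to, say, 7 makes the query self-contradictory, since the compliant row then matches `value != 1` and the policy can never pass. Either extend the comment to cover both sites, e.g. `Please also update the value in the NOT EXISTS subquery below; both must match.`, or restructure so the chosen value is written once. The comment's "bellow" is also a typo for "below".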
@@ -2736,11 +3225,20 @@ spec:
Payload Method:
Ask your administrator to deploy a profile which enableds WarnAboutFraudulentWebsites in Safari
query: |
- SELECT 1 FROM managed_policies WHERE
- domain = 'com.apple.Safari' AND
- name = 'WarnAboutFraudulentWebsites' AND
- value = '1'
- LIMIT 1;
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.Safari' AND
+ name='WarnAboutFraudulentWebsites' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.loginwindow' AND
+ name='WarnAboutFraudulentWebsites' AND
+ (value != 1 AND value != 'true')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-6.3.3
contributors: artemist-work
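Review bot: The NOT EXISTS subquery checks `domain='com.apple.loginwindow'` while the EXISTS subquery and the policy itself concern `com.apple.Safari`, so the conflict check can never match a Safari row and a second profile that sets WarnAboutFraudulentWebsites to false goes undetected; the line should read `domain='com.apple.Safari' AND`. Every other hunk in this patch uses the same domain in both subqueries, which suggests this is a copy-paste slip rather than intentional.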
@@ -2765,13 +3263,46 @@ spec:
6. The key to also include is WebKitStorageBlockingPolicy
7. The key must be set to: 1
query: |
- SELECT 1 WHERE EXISTS (
- SELECT 1 FROM managed_policies WHERE domain = 'com.apple.Safari' AND name = 'BlockStoragePolicy' AND value = '2'
- ) AND EXISTS (
- SELECT 1 FROM managed_policies WHERE domain = 'com.apple.Safari' AND name = 'WebKitPreferences.storageBlockingPolicy' AND value = '1'
- ) AND EXISTS (
- SELECT 1 FROM managed_policies WHERE domain = 'com.apple.Safari' AND name = 'WebKitStorageBlockingPolicy' AND value = '1'
- );
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.Safari' AND
+ name='BlockStoragePolicy' AND
+ value = '2' AND
+ username = ''
+ )
+ AND EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.Safari' AND
+ name='WebKitPreferences.storageBlockingPolicy' AND
+ value = '1' AND
+ username = ''
+ )
+ AND EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.Safari' AND
+ name='WebKitStorageBlockingPolicy' AND
+ value = '1' AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.Safari' AND
+ name='BlockStoragePolicy' AND
+ value != '2'
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.Safari' AND
+ name='WebKitPreferences.storageBlockingPolicy' AND
+ value != '1'
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.Safari' AND
+ name='WebKitStorageBlockingPolicy' AND
+ value != '1'
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-6.3.4
contributors: lucasmrod
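Review bot: This hunk compares `value` against quoted strings (`'2'`, `'1'`) while the sibling hunks in the patch compare against bare integers and additionally accept `'true'`/`'false'`; with `value` presumably a text column both forms resolve the same way through affinity, but the file should settle on one convention so a reader does not have to reason about coercion per policy. For these enumerated integer settings the quoted form is arguably the clearer one, in which case a short comment such as `-- values are stored as text; compare as strings` above the first EXISTS would explain the choice.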
@@ -2895,12 +3426,22 @@ spec:
Create or edit a configuration profile with the following information:
1. The PayloadType string is com.apple.Safari
2. The key to include is ShowFullURLInSmartSearchField
- 3. The key must be set to:
-
+ 3. The key must be set to:
query: |
- SELECT 1 from managed_policies WHERE domain = 'com.apple.Safari'
- AND name = 'ShowFullURLInSmartSearchField'
- AND value = 1;
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.Safari' AND
+ name='ShowFullURLInSmartSearchField' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.Safari' AND
+ name='ShowFullURLInSmartSearchField' AND
+ (value != 1 AND value != 'true')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-6.3.7
contributors: sharon-fdm
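Review bot: The resolution line `3. The key must be set to:` is edited by this hunk yet still names no value, so the operator instruction stays incomplete while the query accepts `1` or `'true'`; it should read `3. The key must be set to: true` (or `1`), matching what the EXISTS subquery checks. The same value-less "must be set to" line is visible in the context of the SecureKeyboardEntry hunk that follows, though that hunk runs past this view.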
@@ -2922,9 +3463,20 @@ spec:
3. The key must be set to
query: |
- SELECT 1 from managed_policies WHERE domain = 'com.apple.Terminal'
- AND name = 'SecureKeyboardEntry'
- AND value == 1;
+ SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.Terminal' AND
+ name='SecureKeyboardEntry' AND
+ (value = 1 OR value = 'true') AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.Terminal' AND
+ name='SecureKeyboardEntry' AND
+ (value != 1 AND value != 'true')
+ );
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-macos-13-6.4.1
contributors: sharon-fdm