Adding first set of CIS benchmark policies for macOS (#7296)

* Adding CIS 1.1 for macOS * Adding CIS 1.2 * Fix linting * Adding CIS 1.3 * Adding CIS 1.4 * Apply suggestions from code review Committing Noah's suggestions Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> * Fixed copy pasta errors + changed formatting Fixed some auto update queries that were accidentally the same, and put [CIS X.X] between brackets in `constants.ts` Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2026-05-23 17:08:53 +00:00 · 2022-08-22 15:23:09 -04:00 · 2022-08-22 15:23:09 -04:00 · c4ccf20bd6
commit c4ccf20bd6
parent c1f2e8a810
2 changed files with 90 additions and 0 deletions
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@ -750,3 +750,51 @@ spec:
  tags: compliance, hardening, built-in
  platform: darwin
  contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+  name: Operating system up to date (macOS)
+  query: SELECT 1 FROM os_version WHERE version >= '12.5.1';
+  description: "Checks that the operating system is up to date."
+  resolution: "From the Apple menu () in the corner of your screen choose System Preferences. Then select Software Update and select Upgrade Now. You might be asked to restart or enter your password."
+  platforms: macOS
+  tags: compliance, CIS, template, CIS1.1
+  platform: darwin
+  contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+  name: Automatic updates enabled (macOS)
+  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticCheckEnabled' AND value=1 LIMIT 1;
+  description: "Checks that a mobile device management (MDM) solution configures the operating system to automatically check for updates."
+  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic updates."
+  platforms: macOS
+  tags: compliance, CIS, CIS1.2
+  platform: darwin
+  contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+  name: Automatic update downloads enabled (macOS)
+  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticDownload' AND value=1 LIMIT 1;
+  description: "Checks that a mobile device management (MDM) solution configures the operating system to automatically download updates."
+  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic update downloads."
+  platforms: macOS
+  tags: compliance, CIS, CIS1.3
+  platform: darwin
+  contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+  name: Automatic installation of application updates is enabled (macOS)
+  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallAppUpdates' AND value=1 LIMIT 1;
+  description: "Checks that a mobile device management (MDM) solution configures the operating system to automatically install updates to App Store applications."
+  resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of application updates."
+  platforms: macOS
+  tags: compliance, CIS, CIS1.4
+  platform: darwin
+  contributors: GuillaumeRoss
--- a/frontend/utilities/constants.ts
+++ b/frontend/utilities/constants.ts
@ -182,6 +182,48 @@ export const DEFAULT_POLICIES = [
      "Contact your IT administrator to confirm that your Mac is receiving configuration profiles for password length.",
    platform: "darwin",
  },
+  {
+    key: 17,
+    query: "SELECT 1 FROM os_version WHERE version >= '12.5.1';",
+    name: "Operating system up to date (macOS) [CIS 1.1]",
+    description: "Checks that the operating system is up to date.",
+    resolution:
+      "From the Apple menu () in the corner of your screen choose System Preferences. Then select Software Update and select Upgrade Now. You might be asked to restart or enter your password.",
+    platform: "darwin",
+  },
+  {
+    key: 19,
+    query:
+      "SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticCheckEnabled' AND value=1 LIMIT 1;",
+    name: "Automatic updates enabled (macOS) [CIS 1.2]",
+    description:
+      "Checks that a mobile device management (MDM) solution configures the operating system to automatically check for updates.",
+    resolution:
+      "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic updates.",
+    platform: "darwin",
+  },
+  {
+    key: 20,
+    query:
+      "SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticDownload' AND value=1 LIMIT 1;",
+    name: "Automatic update downloads enabled (macOS) [CIS 1.3]",
+    description:
+      "Checks that a mobile device management (MDM) solution configures the operating system to automatically download updates.",
+    resolution:
+      "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic update downloads.",
+    platform: "darwin",
+  },
+  {
+    key: 21,
+    query:
+      "SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallAppUpdates' AND value=1 LIMIT 1;",
+    name: "Installation of application updates is enabled (macOS) [CIS 1.4]",
+    description:
+      "Checks that a mobile device management (MDM) solution configures the operating system to automatically install updates to Apple applications.",
+    resolution:
+      "Contact your IT administrator to ensure your Mac is receiving a profile that enables installation of application updates.",
+    platform: "darwin",
+  },
 ] as IPolicyNew[];

 export const FREQUENCY_DROPDOWN_OPTIONS = [