mirror of
https://github.com/fleetdm/fleet
synced 2026-05-24 01:18:42 +00:00
Sharon Katz
GitHub
parent
1a055d6cc3
commit
c4fa0393af
2 changed files with 108 additions and 0 deletions
|
|
@ -846,6 +846,93 @@ spec:
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure Location Services Is Disabled to all applications (Based on organization's policy)
|
||||
platforms: macOS
|
||||
platform: darwin
|
||||
description: |
|
||||
macOS uses location information gathered through local Wi-Fi networks to enable applications to supply relevant information to users. While Location Services may be very useful, it may not be desirable to allow all applications that can use Location Services to use your location for Internet queries in order to provide tailored content based on your current location.
|
||||
Ensure applications that can use Location Services are authorized and provide that information where the application interacts with external systems. Apple offers feedback within System Preferences and may be enabled to supply information on the menu bar when Location Services are used.
|
||||
Safari can deny access from websites or prompt for access.
|
||||
Applications that support Location Services can be individually controlled in the Privacy tab in Security & Privacy under System Preferences.
|
||||
Access should be evaluated to ensure that privacy controls are as expected.
|
||||
This query verifies that location services is disabled for all apps.
|
||||
resolution: |
|
||||
Graphical Method:
|
||||
Perform the following steps to disable unnecessary applications from accessing Location Services:
|
||||
1. Open System Settings
|
||||
2. Select Privacy & Security
|
||||
3. Select Location Services
|
||||
4. Set Location Services to disabled.
|
||||
query: SELECT 1 FROM location_services WHERE enabled = 0;
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.6.1.3-Location-Service-disabled
|
||||
contributors: sharon-fdm
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure Location Services Is Enabled for a specific list of applications (Based on organization's policy)
|
||||
platforms: macOS
|
||||
platform: darwin
|
||||
description: |
|
||||
macOS uses location information gathered through local Wi-Fi networks to enable applications to supply relevant information to users. While Location Services may be very useful, it may not be desirable to allow all applications that can use Location Services to use your location for Internet queries in order to provide tailored content based on your current location.
|
||||
Ensure applications that can use Location Services are authorized and provide that information where the application interacts with external systems. Apple offers feedback within System Preferences and may be enabled to supply information on the menu bar when Location Services are used.
|
||||
Safari can deny access from websites or prompt for access.
|
||||
Applications that support Location Services can be individually controlled in the Privacy tab in Security & Privacy under System Preferences.
|
||||
Access should be evaluated to ensure that privacy controls are as expected.
|
||||
This query verifies that location services is enabled and a specific list of application can use it.
|
||||
resolution: |
|
||||
Graphical Method:
|
||||
Perform the following steps to disable unnecessary applications from accessing Location Services:
|
||||
1. Open System Settings
|
||||
2. Select Privacy & Security
|
||||
3. Select Location Services
|
||||
4. Set any applications listed to your organization's requirements
|
||||
5. Select System Services
|
||||
6. Set any System Services listed to your organization's requirements
|
||||
query: |
|
||||
-----------------------------------------------------------------------------------------------------------
|
||||
-- Instructions for running and modifying this query:
|
||||
-- Put the list of allowed applications in the designated area below.
|
||||
-- To see what apps are currently allowed (and get the exact name format of the app name), use this query:
|
||||
-- SELECT * FROM plist WHERE
|
||||
-- path='/var/db/locationd/clients.plist'
|
||||
-- AND subkey = "Authorized"
|
||||
-- AND value = '1';
|
||||
-----------------------------------------------------------------------------------------------------------
|
||||
SELECT 1 WHERE
|
||||
-- If location_services is not allowed at all, we are good.
|
||||
EXISTS(
|
||||
SELECT 1 FROM location_services WHERE enabled = 0
|
||||
)
|
||||
OR
|
||||
-- If location_services is allowed, make sure allowed apps are approved.
|
||||
NOT EXISTS(
|
||||
SELECT 1 FROM plist WHERE
|
||||
path='/var/db/locationd/clients.plist'
|
||||
AND subkey = "Authorized"
|
||||
AND value = '1'
|
||||
AND NOT(
|
||||
------------------------------------------------------------------------------------
|
||||
-- Designated area to add applications allowed to use location-services
|
||||
------------------------------------------------------------------------------------
|
||||
-- Typical app name
|
||||
key LIKE "%:com.apple.TV"
|
||||
OR
|
||||
-- Typical system service name
|
||||
key LIKE "%com.apple.locationd.bundle-/System/Library/PrivateFrameworks/CoreParsec.framework"
|
||||
OR
|
||||
key LIKE "%:com.apple.locationd.bundle-/System/Library/LocationBundles/DoNotDisturb.bundle"
|
||||
------------------------------------------------------------------------------------
|
||||
)
|
||||
);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.6.1.3-Location-Service-specifc-app-enabled, decision-needed
|
||||
contributors: sharon-fdm
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure Limit Ad Tracking Is Enabled (MDM Required)
|
||||
platforms: macOS
|
||||
|
|
|
|||
21
ee/cis/macos-13/test/manual_tests/CIS_2.6.1.3
Normal file
21
ee/cis/macos-13/test/manual_tests/CIS_2.6.1.3
Normal file
|
|
@ -0,0 +1,21 @@
|
|||
Instructions for validating CIS 2.6.1.3
|
||||
|
||||
|
||||
Go to settings / Privacy & Security / Location Services
|
||||
|
||||
Test 1:
|
||||
Disable the main switch for Location Services
|
||||
result:
|
||||
The query should pass.
|
||||
|
||||
Test 2:
|
||||
Enable the main switch for Location Services
|
||||
Enable only Apple TV app
|
||||
result:
|
||||
The query should pass.
|
||||
|
||||
Test 3:
|
||||
Enable the main switch for Location Services
|
||||
Enable any app other than Apple TV
|
||||
result:
|
||||
The query should fail.
|
||||
Loading…
Reference in a new issue