CIS 3.5 (#9592)

2026-05-23 00:49:03 +00:00 · 2023-02-02 13:13:20 -05:00 · 2023-02-02 13:13:20 -05:00 · d33b8e6e05
commit d33b8e6e05
parent 16d7091600
2 changed files with 52 additions and 0 deletions
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@ -846,6 +846,51 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+  name: CIS - Ensure Access to Audit Records Is Controlled
+  platforms: macOS
+  platform: darwin
+  description: |
+    The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. macOS ACLs should not be used for these files.
+  resolution: |
+    Automated method:
+    Ask your system administrator to deploy the following script which will Ensure Access to Audit Records Is Controlled:
+      /usr/bin/sudo /usr/sbin/chown -R root:wheel /etc/security/audit_control
+      /usr/bin/sudo /bin/chmod -R o-rw /etc/security/audit_control
+      /usr/bin/sudo /usr/sbin/chown -R root:wheel /var/audit/
+      /usr/bin/sudo /bin/chmod -R o-rw /var/audit/
+  query: |
+    SELECT 1 WHERE 
+      -- For all files in /var/audit:
+      -- UID, GID should be owned by root.
+      -- MODE should be 0440 ("-r--r-----")
+      NOT EXISTS ( SELECT 1 FROM file WHERE path LIKE '/var/audit/%' AND (uid !=0 OR gid !=0 OR mode != "0440") )
+      AND 
+      NOT EXISTS ( select 1 from file 
+                        where path LIKE 
+                        ( 
+                            SELECT dir FROM 
+                            ( 
+                              -- The path we are looking for is written inside /etc/security/audit_control in a line that starts with "dir:"
+                              -- Looking immediately at this and REGEX-ing the path after it (and concatenating "/%")
+                              -- Same explanation for queries below.
+                              select line, CONCAT(regex_match(line, '^dir:(.+)',1 ), '/%') AS dir 
+                              FROM file_lines 
+                              WHERE path = '/etc/security/audit_control' 
+                              AND line LIKE "dir:%"
+                            )
+                        ) 
+                        AND ( uid !=0 OR gid !=0 OR mode != "0440" )
+                  ) 
+      AND 
+      -- For /etc/security/audit_control the MODE should be 0400 ("-r--------")
+      NOT EXISTS ( select 1 from file where path = "/etc/security/audit_control" AND mode != "0400" );
+  purpose: Informational
+  tags: compliance, CIS, CIS_Level1, CIS3.5
+  contributors: sharon-fdm
+---
+apiVersion: v1
+kind: policy
 spec:
  name: CIS - Ensure Firewall Logging Is Enabled and Configured (MDM Required)
  platforms: macOS
--- a/ee/cis/macos-13/test/scripts/CIS_3.5.sh
+++ b/ee/cis/macos-13/test/scripts/CIS_3.5.sh
@ -0,0 +1,7 @@
+#!/bin/bash
+
+/usr/bin/sudo /usr/sbin/chown -R root:wheel /etc/security/audit_control
+/usr/bin/sudo /bin/chmod -R o-rw /etc/security/audit_control
+/usr/bin/sudo /usr/sbin/chown -R root:wheel /var/audit/
+/usr/bin/sudo /bin/chmod -R o-rw /var/audit/
+