From d33b8e6e05b70f465fabd929d8ae9635d7571c8a Mon Sep 17 00:00:00 2001
From: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Date: Thu, 2 Feb 2023 13:13:20 -0500
Subject: [PATCH] CIS 3.5 (#9592)
---
 ee/cis/macos-13/cis-policy-queries.yml | 45 +++++++++++++++++++++++++
 ee/cis/macos-13/test/scripts/CIS_3.5.sh | 7 ++++
 2 files changed, 52 insertions(+)
 create mode 100755 ee/cis/macos-13/test/scripts/CIS_3.5.sh
diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index 08d502d93c..b8fc582407 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -846,6 +846,51 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: CIS - Ensure Access to Audit Records Is Controlled
+ platforms: macOS
+ platform: darwin
+ description: |
+ The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. macOS ACLs should not be used for these files.
+ resolution: |
+ Automated method:
+ Ask your system administrator to deploy the following script which will Ensure Access to Audit Records Is Controlled:
+ /usr/bin/sudo /usr/sbin/chown -R root:wheel /etc/security/audit_control
+ /usr/bin/sudo /bin/chmod -R o-rw /etc/security/audit_control
+ /usr/bin/sudo /usr/sbin/chown -R root:wheel /var/audit/
+ /usr/bin/sudo /bin/chmod -R o-rw /var/audit/
+ query: |
+ SELECT 1 WHERE
+ -- For all files in /var/audit:
+ -- UID, GID should be owned by root.
+ -- MODE should be 0440 ("-r--r-----")
+ NOT EXISTS ( SELECT 1 FROM file WHERE path LIKE '/var/audit/%' AND (uid !=0 OR gid !=0 OR mode != "0440") )
+ AND
+ NOT EXISTS ( select 1 from file
+ where path LIKE
+ (
+ SELECT dir FROM
+ (
+ -- The path we are looking for is written inside /etc/security/audit_control in a line that starts with "dir:"
+ -- Looking immediately at this and REGEX-ing the path after it (and concatenating "/%")
+ -- Same explanation for queries below.
+ select line, CONCAT(regex_match(line, '^dir:(.+)',1 ), '/%') AS dir
+ FROM file_lines
+ WHERE path = '/etc/security/audit_control'
+ AND line LIKE "dir:%"
+ )
+ )
+ AND ( uid !=0 OR gid !=0 OR mode != "0440" )
+ )
+ AND
+ -- For /etc/security/audit_control the MODE should be 0400 ("-r--------")
+ NOT EXISTS ( select 1 from file where path = "/etc/security/audit_control" AND mode != "0400" );
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS3.5
+ contributors: sharon-fdm
+---
+apiVersion: v1
+kind: policy
 spec:
 name: CIS - Ensure Firewall Logging Is Enabled and Configured (MDM Required)
 platforms: macOS
diff --git a/ee/cis/macos-13/test/scripts/CIS_3.5.sh b/ee/cis/macos-13/test/scripts/CIS_3.5.sh
new file mode 100755
index 0000000000..29c09f5df7
--- /dev/null
+++ b/ee/cis/macos-13/test/scripts/CIS_3.5.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+ /usr/bin/sudo /usr/sbin/chown -R root:wheel /etc/security/audit_control
+/usr/bin/sudo /bin/chmod -R o-rw /etc/security/audit_control
+/usr/bin/sudo /usr/sbin/chown -R root:wheel /var/audit/
+/usr/bin/sudo /bin/chmod -R o-rw /var/audit/
+
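Review bot: The query fails any file whose mode is not exactly 0440 (`mode != "0440"` under /var/audit, and `mode != "0400"` for audit_control), but the documented resolution only runs `chmod -R o-rw`, which clears the other-read/write bits and leaves group-write and other-execute untouched, so a host remediated exactly as written (a 0660 trail becoming 0640, for instance) still fails the policy; the same four commands are in ee/cis/macos-13/test/scripts/CIS_3.5.sh. Either the resolution should set the modes the predicate demands, e.g. `/usr/bin/sudo /bin/chmod 0400 /etc/security/audit_control` and `/usr/bin/sudo /usr/bin/find /var/audit -type f -exec /bin/chmod 0440 {} +`, or the predicate should test only the bits the resolution guarantees. Two smaller points: the literals mix `'...'` and `"..."` (`"0440"`, `"0400"`, `"dir:%"`, `"/etc/security/audit_control"`), and SQLite reads the double-quoted form as a string only because no column of that name exists, so single quotes throughout, matching `'/var/audit/%'`, are safer; and when audit_control has no `dir:` line the `path LIKE (SELECT dir ...)` comparison is NULL and that `NOT EXISTS` passes vacuously, which is harmless only because the first predicate hard-codes /var/audit. If /var/audit holds the `current` symlink that macOS auditd maintains, the mode the file table reports for it is presumably not 0440 and the policy would never pass, which is worth confirming against the table's symlink handling before this ships.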
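Review bot: CIS_3.5.sh runs four privileged commands with no error handling, so a failed `chown` (for example when sudo is denied) does not stop the following `chmod`, and the script's exit status is just that of the last command; add `set -euo pipefail` directly after the `#!/bin/bash` line so a test run that did not actually remediate reports failure. A one-line header comment naming the benchmark item, such as `# CIS 3.5: restrict ownership and permissions of audit_control and /var/audit`, would also make the script self-describing alongside the others in test/scripts.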