Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91

Fix spelling, naming conventions, and policy-profile alignment

Browse source 
Apple Intelligence policy-profile alignment (HIGH):
- Fix 3/4 policy queries that checked fabricated MDM keys which
  would never match the corrected profiles:
  - extensions: allowIntelligenceExtensions -> allowExternalIntelligenceIntegrations
  - mail: com.apple.mail/allowMailIntelligence -> com.apple.applicationaccess/allowMailSummary
  - notes: com.apple.mobilenotes/allowNotesIntelligence -> com.apple.applicationaccess/allowNotesTranscriptionSummary
- Update resolution text to reference correct keys and domains
- Fix Title Case in policy names (MDM Required, not MDM required)

Spelling fixes across all macOS and Windows YAML (14 corrections):
- existance -> existence, Extention -> Extension,
  recomendation -> recommendation, bellow -> below,
  enableds -> enables, addess -> address
- Missing spaces: SelectGeneral, SelectSharing, OpenSystemSettings
- Grammar: "is not Activate" -> "is not Active"
- Doubled word: "Computer Computer Configuration"
- Missing space: "thatis" -> "that is"

Naming consistency:
- Rename 2.8.1.disable/enable -> 2.8.1-disable/enable (match dash
  convention used by all other suffixed profiles)
- Fix win-10 local-security-options.xml header: Section 2.3.1 -> 2.3
- Add CIS control numbers to win-11-intune local-security-options.xml
  comments (was missing, unlike all other XML files)
- Fix win-10/win-11 PS1: add S-1-5-113 (Local account) to CIS 2.2.16
  and 2.2.20 deny entries to match XML profiles

https://claude.ai/code/session_01DUqJK6iJ8MWMdz2d25ZTNW
This commit is contained in:
Claude 2026-04-16 12:19:37 +00:00
parent 4cbb33e2dd
commit d3a00310d9
No known key found for this signature in database
16 changed files with 122 additions and 122 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

0
docs/solutions/cis/macos-13/configuration-profiles/2.8.1.disable.mobileconfig → docs/solutions/cis/macos-13/configuration-profiles/2.8.1-disable.mobileconfig
View file

0
docs/solutions/cis/macos-13/configuration-profiles/2.8.1.enable.mobileconfig → docs/solutions/cis/macos-13/configuration-profiles/2.8.1-enable.mobileconfig
View file

38
docs/solutions/cis/macos-13/policies/cis-policy-queries.yml
View file

@ -204,7 +204,7 @@
description: |
iCloud Drive is Apple's storage solution for applications on both macOS and iOS to use the same files that are resident in Apple's cloud storage. The iCloud Drive folder is available much like Dropbox, Microsoft OneDrive, or Google Drive.
One of the concerns in public cloud storage is that proprietary data may be inappropriately stored in an end user's personal repository. Organizations that need specific controls on information should ensure that this service is turned off or the user knows what information must be stored on services that are approved for storage of controlled information.
This query will check for the existance of the policy not its value (That should be set per organization's decision)
This query will check for the existence of the policy not its value (That should be set per organization's decision)
resolution: |
The administrator should configure this via MDM profile.
Create or edit a configuration profile with the following information:
@ -238,7 +238,7 @@
description: |
iCloud Drive is Apple's storage solution for applications on both macOS and iOS to use the same files that are resident in Apple's cloud storage. The iCloud Drive folder is available much like Dropbox, Microsoft OneDrive, or Google Drive.
One of the concerns in public cloud storage is that proprietary data may be inappropriately stored in an end user's personal repository. Organizations that need specific controls on information should ensure that this service is turned off or the user knows what information must be stored on services that are approved for storage of controlled information.
This query will check for the existance of the policy not its value (That should be set per organization's decision)
This query will check for the existence of the policy not its value (That should be set per organization's decision)
resolution: |
The administrator should configure this via MDM profile.
Create or edit a configuration profile with the following information:
@ -743,8 +743,8 @@
Graphical Method:
Perform the following steps to disable Content Caching:
1. Open System Settings
2. SelectGeneral
3. SelectSharing
2. Select General
3. Select Sharing
4. Set Content Caching to disabled
Profile Method:
Create or edit a configuration profile with the following information:
@ -1023,7 +1023,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri TypeToSiriEnabled field is true.
Extension of CIS-2.5.1. This will check that Siri TypeToSiriEnabled field is true.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist TypeToSiriEnabled -bool true
@ -1049,7 +1049,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri TypeToSiriEnabled field is false.
Extension of CIS-2.5.1. This will check that Siri TypeToSiriEnabled field is false.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist TypeToSiriEnabled -bool false
@ -1075,7 +1075,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri StatusMenuVisible field is true.
Extension of CIS-2.5.1. This will check that Siri StatusMenuVisible field is true.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist StatusMenuVisible -bool true
@ -1101,7 +1101,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri StatusMenuVisible field is false.
Extension of CIS-2.5.1. This will check that Siri StatusMenuVisible field is false.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist StatusMenuVisible -bool false
@ -1127,7 +1127,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri VoiceTriggerUserEnabled field is true.
Extension of CIS-2.5.1. This will check that Siri VoiceTriggerUserEnabled field is true.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist VoiceTriggerUserEnabled -bool true
@ -1153,7 +1153,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri VoiceTriggerUserEnabled field is false.
Extension of CIS-2.5.1. This will check that Siri VoiceTriggerUserEnabled field is false.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist VoiceTriggerUserEnabled -bool false
@ -1179,7 +1179,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri LockscreenEnabled field is true.
Extension of CIS-2.5.1. This will check that Siri LockscreenEnabled field is true.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist LockscreenEnabled -bool true
@ -1205,7 +1205,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri LockscreenEnabled field is false.
Extension of CIS-2.5.1. This will check that Siri LockscreenEnabled field is false.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist LockscreenEnabled -bool false
@ -1556,7 +1556,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.9.2
# contributors: lucasmrod
- name: CIS - Ensure the OS is not Activate When Resuming from Sleep (Fleetd, FDA Required)
- name: CIS - Ensure the OS is not Active When Resuming from Sleep (Fleetd, FDA Required)
# platforms: macOS
platform: darwin
description: |
@ -1879,7 +1879,7 @@
Ask your system administrator to deploy an MDM profile that Ensures Show Password Hints Is Disabled.
Graphical method:
Perform the following steps to ensure Show Password Hints Is Disabled:
1. OpenSystemSettings
1. Open System Settings
2. Select Lock Screen
3. Verify that Show password hints is disabled
query: |
@ -2108,7 +2108,7 @@
The macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records.
Retention can be set to respect both size and longevity. To retain as much as possible under a certain size, the recommendation is to use the following:
expire-after:60d OR 5G
This recomendation is based on minimum storage for review and investigation. When a third party tool is in use to allow remote logging or the store and forwarding of logs, this local storage requirement is not required.
This recommendation is based on minimum storage for review and investigation. When a third party tool is in use to allow remote logging or the store and forwarding of logs, this local storage requirement is not required.
resolution: |
Automated method:
Ask your system administrator to deploy the following script which will ensure proper Security Auditing Retention:
@ -2943,7 +2943,7 @@
domain='com.apple.Safari' AND
name='HistoryAgeInDaysLimit' AND
/*
Please replace the checked value bellow to match the one decided by your organization.
Please replace the checked value below to match the one decided by your organization.
1 - After one day
7 - After one week
14 - After two weeks
@ -2973,7 +2973,7 @@
unwanted content. Warning users prior to loading the content enables better security.
resolution: |
Payload Method:
Ask your administrator to deploy a profile which enableds WarnAboutFraudulentWebsites in Safari
Ask your administrator to deploy a profile which enables WarnAboutFraudulentWebsites in Safari
query: |
SELECT 1 WHERE
EXISTS (
@ -3059,7 +3059,7 @@
platform: darwin
description: |
Public (Routable) IP addresses can be used to track people to their current location, including
home and business addresses. While a valid IP addess is necessary to load the site the valid
home and business addresses. While a valid IP address is necessary to load the site the valid
address does not need to be provided to known trackers and should be hidden.
resolution: |
Ask your system administrator to deploy a script that will configure "Hide IP Address in Safari" to Enabled
@ -3087,7 +3087,7 @@
platform: darwin
description: |
Public (Routable) IP addresses can be used to track people to their current location, including
home and business addresses. While a valid IP addess is necessary to load the site the valid
home and business addresses. While a valid IP address is necessary to load the site the valid
address does not need to be provided to known trackers and should be hidden.
However, enabling this setting will proxy web information through a 3rd party service, which may
not be allowed by your organization's policy.

0
docs/solutions/cis/macos-14/configuration-profiles/2.8.1.disable.mobileconfig → docs/solutions/cis/macos-14/configuration-profiles/2.8.1-disable.mobileconfig
View file

0
docs/solutions/cis/macos-14/configuration-profiles/2.8.1.enable.mobileconfig → docs/solutions/cis/macos-14/configuration-profiles/2.8.1-enable.mobileconfig
View file

38
docs/solutions/cis/macos-14/policies/cis-policy-queries.yml
View file

@ -204,7 +204,7 @@
description: |
iCloud Drive is Apple's storage solution for applications on both macOS and iOS to use the same files that are resident in Apple's cloud storage. The iCloud Drive folder is available much like Dropbox, Microsoft OneDrive, or Google Drive.
One of the concerns in public cloud storage is that proprietary data may be inappropriately stored in an end user's personal repository. Organizations that need specific controls on information should ensure that this service is turned off or the user knows what information must be stored on services that are approved for storage of controlled information.
This query will check for the existance of the policy not its value (That should be set per organization's decision)
This query will check for the existence of the policy not its value (That should be set per organization's decision)
resolution: |
The administrator should configure this via MDM profile.
Create or edit a configuration profile with the following information:
@ -238,7 +238,7 @@
description: |
iCloud Drive is Apple's storage solution for applications on both macOS and iOS to use the same files that are resident in Apple's cloud storage. The iCloud Drive folder is available much like Dropbox, Microsoft OneDrive, or Google Drive.
One of the concerns in public cloud storage is that proprietary data may be inappropriately stored in an end user's personal repository. Organizations that need specific controls on information should ensure that this service is turned off or the user knows what information must be stored on services that are approved for storage of controlled information.
This query will check for the existance of the policy not its value (That should be set per organization's decision)
This query will check for the existence of the policy not its value (That should be set per organization's decision)
resolution: |
The administrator should configure this via MDM profile.
Create or edit a configuration profile with the following information:
@ -731,8 +731,8 @@
Graphical Method:
Perform the following steps to disable Content Caching:
1. Open System Settings
2. SelectGeneral
3. SelectSharing
2. Select General
3. Select Sharing
4. Set Content Caching to disabled
Profile Method:
Create or edit a configuration profile with the following information:
@ -1028,7 +1028,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri TypeToSiriEnabled field is true.
Extension of CIS-2.5.1. This will check that Siri TypeToSiriEnabled field is true.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist TypeToSiriEnabled -bool true
@ -1054,7 +1054,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri TypeToSiriEnabled field is false.
Extension of CIS-2.5.1. This will check that Siri TypeToSiriEnabled field is false.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist TypeToSiriEnabled -bool false
@ -1080,7 +1080,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri StatusMenuVisible field is true.
Extension of CIS-2.5.1. This will check that Siri StatusMenuVisible field is true.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist StatusMenuVisible -bool true
@ -1106,7 +1106,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri StatusMenuVisible field is false.
Extension of CIS-2.5.1. This will check that Siri StatusMenuVisible field is false.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist StatusMenuVisible -bool false
@ -1132,7 +1132,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri VoiceTriggerUserEnabled field is true.
Extension of CIS-2.5.1. This will check that Siri VoiceTriggerUserEnabled field is true.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist VoiceTriggerUserEnabled -bool true
@ -1158,7 +1158,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri VoiceTriggerUserEnabled field is false.
Extension of CIS-2.5.1. This will check that Siri VoiceTriggerUserEnabled field is false.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist VoiceTriggerUserEnabled -bool false
@ -1184,7 +1184,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri LockscreenEnabled field is true.
Extension of CIS-2.5.1. This will check that Siri LockscreenEnabled field is true.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist LockscreenEnabled -bool true
@ -1210,7 +1210,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri LockscreenEnabled field is false.
Extension of CIS-2.5.1. This will check that Siri LockscreenEnabled field is false.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist LockscreenEnabled -bool false
@ -1611,7 +1611,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
- name: CIS - Ensure the OS is not Activate When Resuming from Sleep (Fleetd, FDA Required)
- name: CIS - Ensure the OS is not Active When Resuming from Sleep (Fleetd, FDA Required)
# platforms: macOS
platform: darwin
description: |
@ -1934,7 +1934,7 @@
Ask your system administrator to deploy an MDM profile that Ensures Show Password Hints Is Disabled.
Graphical method:
Perform the following steps to ensure Show Password Hints Is Disabled:
1. OpenSystemSettings
1. Open System Settings
2. Select Lock Screen
3. Verify that Show password hints is disabled
query: |
@ -2190,7 +2190,7 @@
The macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records.
Retention can be set to respect both size and longevity. To retain as much as possible under a certain size, the recommendation is to use the following:
expire-after:60d OR 5G
This recomendation is based on minimum storage for review and investigation. When a third party tool is in use to allow remote logging or the store and forwarding of logs, this local storage requirement is not required.
This recommendation is based on minimum storage for review and investigation. When a third party tool is in use to allow remote logging or the store and forwarding of logs, this local storage requirement is not required.
resolution: |
Automated method:
Ask your system administrator to deploy the following script which will ensure proper Security Auditing Retention:
@ -3012,7 +3012,7 @@
domain='com.apple.Safari' AND
name='HistoryAgeInDaysLimit' AND
/*
Please replace the checked value bellow to match the one decided by your organization.
Please replace the checked value below to match the one decided by your organization.
1 - After one day
7 - After one week
14 - After two weeks
@ -3042,7 +3042,7 @@
unwanted content. Warning users prior to loading the content enables better security.
resolution: |
Payload Method:
Ask your administrator to deploy a profile which enableds WarnAboutFraudulentWebsites in Safari
Ask your administrator to deploy a profile which enables WarnAboutFraudulentWebsites in Safari
query: |
SELECT 1 WHERE
EXISTS (
@ -3128,7 +3128,7 @@
platform: darwin
description: |
Public (Routable) IP addresses can be used to track people to their current location, including
home and business addresses. While a valid IP addess is necessary to load the site the valid
home and business addresses. While a valid IP address is necessary to load the site the valid
address does not need to be provided to known trackers and should be hidden.
resolution: |
Ask your system administrator to deploy a script that will configure "Hide IP Address in Safari" to Enabled
@ -3156,7 +3156,7 @@
platform: darwin
description: |
Public (Routable) IP addresses can be used to track people to their current location, including
home and business addresses. While a valid IP addess is necessary to load the site the valid
home and business addresses. While a valid IP address is necessary to load the site the valid
address does not need to be provided to known trackers and should be hidden.
However, enabling this setting will proxy web information through a 3rd party service, which may
not be allowed by your organization's policy.

0
docs/solutions/cis/macos-15/configuration-profiles/2.8.1.disable.mobileconfig → docs/solutions/cis/macos-15/configuration-profiles/2.8.1-disable.mobileconfig
View file

0
docs/solutions/cis/macos-15/configuration-profiles/2.8.1.enable.mobileconfig → docs/solutions/cis/macos-15/configuration-profiles/2.8.1-enable.mobileconfig
View file

80
docs/solutions/cis/macos-15/policies/cis-policy-queries.yml
View file

@ -175,7 +175,7 @@
description: |
iCloud Drive is Apple's storage solution for applications on both macOS and iOS to use the same files that are resident in Apple's cloud storage. The iCloud Drive folder is available much like Dropbox, Microsoft OneDrive, or Google Drive.
One of the concerns in public cloud storage is that proprietary data may be inappropriately stored in an end user's personal repository. Organizations that need specific controls on information should ensure that this service is turned off or the user knows what information must be stored on services that are approved for storage of controlled information.
This query will check for the existance of the policy not its value (That should be set per organization's decision)
This query will check for the existence of the policy not its value (That should be set per organization's decision)
resolution: |
The administrator should configure this via MDM profile.
Ask your administrator to deploy a profile with the following configuration:
@ -208,7 +208,7 @@
description: |
iCloud Drive is Apple's storage solution for applications on both macOS and iOS to use the same files that are resident in Apple's cloud storage. The iCloud Drive folder is available much like Dropbox, Microsoft OneDrive, or Google Drive.
One of the concerns in public cloud storage is that proprietary data may be inappropriately stored in an end user's personal repository. Organizations that need specific controls on information should ensure that this service is turned off or the user knows what information must be stored on services that are approved for storage of controlled information.
This query will check for the existance of the policy not its value (That should be set per organization's decision)
This query will check for the existence of the policy not its value (That should be set per organization's decision)
resolution: |
The administrator should configure this via MDM profile.
Ask your administrator to deploy a profile with the following configuration:
@ -667,8 +667,8 @@
Graphical Method:
Perform the following steps to disable Content Caching:
1. Open System Settings
2. SelectGeneral
3. SelectSharing
2. Select General
3. Select Sharing
4. Set Content Caching to disabled
Profile Method:
Ask your administrator to deploy a profile with the following configuration:
@ -931,7 +931,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri TypeToSiriEnabled field is true.
Extension of CIS-2.5.1. This will check that Siri TypeToSiriEnabled field is true.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist TypeToSiriEnabled -bool true
@ -957,7 +957,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri TypeToSiriEnabled field is false.
Extension of CIS-2.5.1. This will check that Siri TypeToSiriEnabled field is false.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist TypeToSiriEnabled -bool false
@ -983,7 +983,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri StatusMenuVisible field is true.
Extension of CIS-2.5.1. This will check that Siri StatusMenuVisible field is true.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist StatusMenuVisible -bool true
@ -1009,7 +1009,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri StatusMenuVisible field is false.
Extension of CIS-2.5.1. This will check that Siri StatusMenuVisible field is false.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist StatusMenuVisible -bool false
@ -1035,7 +1035,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri VoiceTriggerUserEnabled field is true.
Extension of CIS-2.5.1. This will check that Siri VoiceTriggerUserEnabled field is true.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist VoiceTriggerUserEnabled -bool true
@ -1061,7 +1061,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri VoiceTriggerUserEnabled field is false.
Extension of CIS-2.5.1. This will check that Siri VoiceTriggerUserEnabled field is false.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist VoiceTriggerUserEnabled -bool false
@ -1087,7 +1087,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri LockscreenEnabled field is true.
Extension of CIS-2.5.1. This will check that Siri LockscreenEnabled field is true.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist LockscreenEnabled -bool true
@ -1113,7 +1113,7 @@
# platforms: macOS
platform: darwin
description: |
Extention of CIS-2.5.1. This will check that Siri LockscreenEnabled field is false.
Extension of CIS-2.5.1. This will check that Siri LockscreenEnabled field is false.
resolution: |
Ask your system administrator to deploy a script that will configure
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist LockscreenEnabled -bool false
@ -1511,7 +1511,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
- name: CIS - Ensure the OS is not Activate When Resuming from Sleep (Fleetd, FDA Required)
- name: CIS - Ensure the OS is not Active When Resuming from Sleep (Fleetd, FDA Required)
# platforms: macOS
platform: darwin
description: |
@ -1833,7 +1833,7 @@
Ask your system administrator to deploy an MDM profile that Ensures Show Password Hints Is Disabled.
Graphical method:
Perform the following steps to ensure Show Password Hints Is Disabled:
1. OpenSystemSettings
1. Open System Settings
2. Select Lock Screen
3. Verify that Show password hints is disabled
query: |
@ -2086,7 +2086,7 @@
The macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records.
Retention can be set to respect both size and longevity. To retain as much as possible under a certain size, the recommendation is to use the following:
expire-after:60d OR 5G
This recomendation is based on minimum storage for review and investigation. When a third party tool is in use to allow remote logging or the store and forwarding of logs, this local storage requirement is not required.
This recommendation is based on minimum storage for review and investigation. When a third party tool is in use to allow remote logging or the store and forwarding of logs, this local storage requirement is not required.
resolution: |
Automated method:
Ask your system administrator to deploy the following script which will ensure proper Security Auditing Retention:
@ -2839,7 +2839,7 @@
domain='com.apple.Safari' AND
name='HistoryAgeInDaysLimit' AND
/*
Please replace the checked value bellow to match the one decided by your organization.
Please replace the checked value below to match the one decided by your organization.
1 - After one day
7 - After one week
14 - After two weeks
@ -2868,7 +2868,7 @@
unwanted content. Warning users prior to loading the content enables better security.
resolution: |
Payload Method:
Ask your administrator to deploy a profile which enableds WarnAboutFraudulentWebsites in Safari
Ask your administrator to deploy a profile which enables WarnAboutFraudulentWebsites in Safari
query: |
SELECT 1 WHERE
EXISTS (
@ -2951,7 +2951,7 @@
platform: darwin
description: |
Public (Routable) IP addresses can be used to track people to their current location, including
home and business addresses. While a valid IP addess is necessary to load the site the valid
home and business addresses. While a valid IP address is necessary to load the site the valid
address does not need to be provided to known trackers and should be hidden.
resolution: |
Ask your system administrator to deploy a script that will configure "Hide IP Address in Safari" to Enabled
@ -2979,7 +2979,7 @@
platform: darwin
description: |
Public (Routable) IP addresses can be used to track people to their current location, including
home and business addresses. While a valid IP addess is necessary to load the site the valid
home and business addresses. While a valid IP address is necessary to load the site the valid
address does not need to be provided to known trackers and should be hidden.
However, enabling this setting will proxy web information through a 3rd party service, which may
not be allowed by your organization's policy.
@ -3161,7 +3161,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: getvictor
- name: CIS - Ensure external intelligence extensions is disabled (MDM required)
- name: CIS - Ensure External Intelligence Extensions Is Disabled (MDM Required)
# platforms: macOS
platform: darwin
description: |
@ -3179,25 +3179,25 @@
Profile Method:
Ask your administrator to deploy a profile with the following configuration:
1. The PayloadType string is com.apple.applicationaccess
2. The key to include is allowIntelligenceExtensions
2. The key to include is allowExternalIntelligenceIntegrations
3. The key must be set to <false/>
query: |
SELECT 1 WHERE EXISTS(
SELECT 1 FROM managed_policies WHERE
domain = 'com.apple.applicationaccess' AND
name = 'allowIntelligenceExtensions' AND
name = 'allowExternalIntelligenceIntegrations' AND
(value = 0 OR value = 'false')
) AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
domain = 'com.apple.applicationaccess' AND
name = 'allowIntelligenceExtensions' AND
name = 'allowExternalIntelligenceIntegrations' AND
(value != 0 AND value != 'false')
);
# purpose: Informational
# tags: compliance, CIS, CIS_Level1
# contributors: getvictor
- name: CIS - Ensure writing tools is disabled (MDM required)
- name: CIS - Ensure Writing Tools Is Disabled (MDM Required)
# platforms: macOS
platform: darwin
description: |
@ -3231,7 +3231,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: getvictor
- name: CIS - Ensure mail summarization is disabled (MDM required)
- name: CIS - Ensure Mail Summarization Is Disabled (MDM Required)
# platforms: macOS
platform: darwin
description: |
@ -3244,26 +3244,26 @@
resolution: |
Profile Method:
Ask your administrator to deploy a profile with the following configuration:
1. The PayloadType string is com.apple.mail
2. The key to include is allowMailIntelligence
3. The key must be set to <false/>
1. The PayloadType string is com.apple.applicationaccess
2. The keys to include are allowMailSmartReplies and allowMailSummary
3. Both keys must be set to <false/>
query: |
SELECT 1 WHERE EXISTS(
SELECT 1 FROM managed_policies WHERE
domain = 'com.apple.mail' AND
name = 'allowMailIntelligence' AND
domain = 'com.apple.applicationaccess' AND
name = 'allowMailSummary' AND
(value = 0 OR value = 'false')
) AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
domain = 'com.apple.mail' AND
name = 'allowMailIntelligence' AND
domain = 'com.apple.applicationaccess' AND
name = 'allowMailSummary' AND
(value != 0 AND value != 'false')
);
# purpose: Informational
# tags: compliance, CIS, CIS_Level1
# contributors: getvictor
- name: CIS - Ensure notes summarization is disabled (MDM required)
- name: CIS - Ensure Notes Summarization Is Disabled (MDM Required)
# platforms: macOS
platform: darwin
description: |
@ -3276,19 +3276,19 @@
resolution: |
Profile Method:
Ask your administrator to deploy a profile with the following configuration:
1. The PayloadType string is com.apple.mobilenotes
2. The key to include is allowNotesIntelligence
3. The key must be set to <false/>
1. The PayloadType string is com.apple.applicationaccess
2. The keys to include are allowNotesTranscription and allowNotesTranscriptionSummary
3. Both keys must be set to <false/>
query: |
SELECT 1 WHERE EXISTS(
SELECT 1 FROM managed_policies WHERE
domain = 'com.apple.mobilenotes' AND
name = 'allowNotesIntelligence' AND
domain = 'com.apple.applicationaccess' AND
name = 'allowNotesTranscriptionSummary' AND
(value = 0 OR value = 'false')
) AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
domain = 'com.apple.mobilenotes' AND
name = 'allowNotesIntelligence' AND
domain = 'com.apple.applicationaccess' AND
name = 'allowNotesTranscriptionSummary' AND
(value != 0 AND value != 'false')
);
# purpose: Informational

2
docs/solutions/cis/win-10/configuration-profiles/local-security-options.xml
View file

@ -1,4 +1,4 @@
<!-- CIS Windows 10 Enterprise v3.0.0 Local Security Options (Section 2.3.1) -->
<!-- CIS Windows 10 Enterprise v3.0.0 Local Security Options (Section 2.3) -->
<Replace>
<!-- 2.3.1.1: Accounts Administrator account status = Disabled -->
<Item>

4
docs/solutions/cis/win-10/policies/cis-policy-queries.yml
View file

@ -175,7 +175,7 @@
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to an empty list of users:
'Computer Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller'
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller'
query: |
SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/UserRights/AccessCredentialManagerAsTrustedCaller</LocURI></Target></Item></Get></SyncBody>"
AND mdm_command_output = "";
@ -8725,7 +8725,7 @@
resolution: |
To establish the recommended configuration via GP, set the following UI path to Disabled:
'User Configuration\Policies\Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges'
Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml thatis included with all versions of the Microsoft Windows Administrative Templates.
Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
query: |
SELECT 1 FROM registry WHERE (path LIKE 'HKEY_USERS\%\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated' AND data = 0);
# purpose: Informational

12
docs/solutions/cis/win-10/scripts/user-rights-assignment.ps1
View file

@ -20,9 +20,9 @@
- 2.2.13 Create permanent shared objects -> (empty)
- 2.2.14 Create symbolic links -> Administrators
- 2.2.15 Debug programs -> Administrators
- 2.2.16 Deny access this computer from the network -> Guests
- 2.2.16 Deny access this computer from the network -> Guests, Local account
- 2.2.19 Deny log on locally -> Guests
- 2.2.20 Deny log on through Remote Desktop Services -> Guests
- 2.2.20 Deny log on through Remote Desktop Services -> Guests, Local account
- 2.2.21 Enable computer and user accounts for delegation -> (empty)
- 2.2.22 Force shutdown from a remote system -> Administrators
- 2.2.23 Generate security audits -> LOCAL SERVICE, NETWORK SERVICE
@ -92,12 +92,12 @@ $userRights = [ordered]@{
'SeCreateSymbolicLinkPrivilege' = '*S-1-5-32-544'
# CIS 2.2.15: Administrators
'SeDebugPrivilege' = '*S-1-5-32-544'
# CIS 2.2.16: Guests
'SeDenyNetworkLogonRight' = '*S-1-5-32-546'
# CIS 2.2.16: Guests, Local account
'SeDenyNetworkLogonRight' = '*S-1-5-32-546,*S-1-5-113'
# CIS 2.2.19: Guests
'SeDenyInteractiveLogonRight' = '*S-1-5-32-546'
# CIS 2.2.20: Guests
'SeDenyRemoteInteractiveLogonRight' = '*S-1-5-32-546'
# CIS 2.2.20: Guests, Local account
'SeDenyRemoteInteractiveLogonRight' = '*S-1-5-32-546,*S-1-5-113'
# CIS 2.2.21: No One
'SeEnableDelegationPrivilege' = ''
# CIS 2.2.22: Administrators

52
docs/solutions/cis/win-11-intune/configuration-profiles/local-security-options.xml
View file

@ -1,6 +1,6 @@
<!-- CIS Windows 11 Intune v8.1 Local Security Options (Section 2.3) -->
<Replace>
<!-- Accounts: Guest account status = Disabled -->
<!-- 2.3.1.3: Accounts: Guest account status = Disabled -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -12,7 +12,7 @@
</Item>
</Replace>
<Replace>
<!-- Accounts: Rename administrator account
<!-- 2.3.1.5: Accounts: Rename administrator account
Update "AdminAcct" to your organization's preferred name (must not be "Administrator"). -->
<Item>
<Meta>
@ -25,7 +25,7 @@
</Item>
</Replace>
<Replace>
<!-- Accounts: Rename guest account
<!-- 2.3.1.6: Accounts: Rename guest account
Update "GuestAcct" to your organization's preferred name (must not be "Guest"). -->
<Item>
<Meta>
@ -38,7 +38,7 @@
</Item>
</Replace>
<Replace>
<!-- Interactive logon: Do not display last signed-in = Enabled -->
<!-- 2.3.7.2: Interactive logon: Do not display last signed-in = Enabled -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -50,7 +50,7 @@
</Item>
</Replace>
<Replace>
<!-- Interactive logon: Do not require CTRL+ALT+DEL = Disabled (0 = CTRL+ALT+DEL required) -->
<!-- 2.3.7.1: Interactive logon: Do not require CTRL+ALT+DEL = Disabled (0 = CTRL+ALT+DEL required) -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -62,7 +62,7 @@
</Item>
</Replace>
<Replace>
<!-- Interactive logon: Machine inactivity limit = 900 seconds (15 minutes) -->
<!-- 2.3.7.7: Interactive logon: Machine inactivity limit = 900 seconds (15 minutes) -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -74,7 +74,7 @@
</Item>
</Replace>
<Replace>
<!-- Interactive logon: Smart card removal behavior = Lock Workstation (1) -->
<!-- 2.3.7.8: Interactive logon: Smart card removal behavior = Lock Workstation (1) -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
@ -86,7 +86,7 @@
</Item>
</Replace>
<Replace>
<!-- Interactive logon: Message text for users attempting to log on
<!-- 2.3.7.4: Interactive logon: Message text for users attempting to log on
Update with your organization's legal notice text. -->
<Item>
<Meta>
@ -99,7 +99,7 @@
</Item>
</Replace>
<Replace>
<!-- Interactive logon: Message title for users attempting to log on
<!-- 2.3.7.5: Interactive logon: Message title for users attempting to log on
Update with your organization's preferred title. -->
<Item>
<Meta>
@ -112,7 +112,7 @@
</Item>
</Replace>
<Replace>
<!-- Microsoft network client: Digitally sign communications (always) = Enabled -->
<!-- 2.3.8.1: Microsoft network client: Digitally sign communications (always) = Enabled -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -124,7 +124,7 @@
</Item>
</Replace>
<Replace>
<!-- Microsoft network client: Digitally sign communications (if server agrees) = Enabled -->
<!-- 2.3.8.2: Microsoft network client: Digitally sign communications (if server agrees) = Enabled -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -136,7 +136,7 @@
</Item>
</Replace>
<Replace>
<!-- Microsoft network server: Digitally sign communications (always) = Enabled -->
<!-- 2.3.9.1: Microsoft network server: Digitally sign communications (always) = Enabled -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -148,7 +148,7 @@
</Item>
</Replace>
<Replace>
<!-- Microsoft network server: Digitally sign communications (if client agrees) = Enabled -->
<!-- 2.3.9.2: Microsoft network server: Digitally sign communications (if client agrees) = Enabled -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -160,7 +160,7 @@
</Item>
</Replace>
<Replace>
<!-- Network access: Do not allow anonymous enumeration of SAM accounts = Enabled -->
<!-- 2.3.10.2: Network access: Do not allow anonymous enumeration of SAM accounts = Enabled -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -172,7 +172,7 @@
</Item>
</Replace>
<Replace>
<!-- Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled -->
<!-- 2.3.10.3: Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -184,7 +184,7 @@
</Item>
</Replace>
<Replace>
<!-- Network access: Restrict anonymous access to Named Pipes and Shares = Enabled -->
<!-- 2.3.10.6: Network access: Restrict anonymous access to Named Pipes and Shares = Enabled -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -196,7 +196,7 @@
</Item>
</Replace>
<Replace>
<!-- Network access: Restrict clients allowed to make remote calls to SAM
<!-- 2.3.10.7: Network access: Restrict clients allowed to make remote calls to SAM
Value: O:BAG:BAD:(A;;RC;;;BA) = Administrators only (SDDL format) -->
<Item>
<Meta>
@ -209,7 +209,7 @@
</Item>
</Replace>
<Replace>
<!-- Network security: Allow Local System to use computer identity for NTLM = Enabled -->
<!-- 2.3.11.1: Network security: Allow Local System to use computer identity for NTLM = Enabled -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -221,7 +221,7 @@
</Item>
</Replace>
<Replace>
<!-- Network security: Allow PKU2U authentication requests = Disabled -->
<!-- 2.3.11.2: Network security: Allow PKU2U authentication requests = Disabled -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -233,7 +233,7 @@
</Item>
</Replace>
<Replace>
<!-- Network security: Do not store LAN Manager hash value = Enabled -->
<!-- 2.3.11.4: Network security: Do not store LAN Manager hash value = Enabled -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -245,7 +245,7 @@
</Item>
</Replace>
<Replace>
<!-- Network security: LAN Manager authentication level = Send NTLMv2 response only. Refuse LM & NTLM (5) -->
<!-- 2.3.11.5: Network security: LAN Manager authentication level = NTLMv2 only (5). Refuse LM & NTLM (5) -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -257,7 +257,7 @@
</Item>
</Replace>
<Replace>
<!-- Network security: Minimum session security for NTLM SSP based clients = 537395200 (require NTLMv2 + 128-bit encryption) -->
<!-- 2.3.11.6: Network security: Minimum session security for NTLM SSP based clients = 537395200 (require NTLMv2 + 128-bit encryption) -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -269,7 +269,7 @@
</Item>
</Replace>
<Replace>
<!-- Network security: Minimum session security for NTLM SSP based servers = 537395200 (require NTLMv2 + 128-bit encryption) -->
<!-- 2.3.11.7: Network security: Minimum session security for NTLM SSP based servers = 537395200 (require NTLMv2 + 128-bit encryption) -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -281,7 +281,7 @@
</Item>
</Replace>
<Replace>
<!-- Network security: Restrict NTLM: Audit incoming NTLM traffic = Enable auditing (2) -->
<!-- 2.3.11.8: Network security: Restrict NTLM: Audit incoming NTLM traffic = Enable auditing (2) -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -293,7 +293,7 @@
</Item>
</Replace>
<Replace>
<!-- UAC: Behavior of elevation prompt for administrators = Prompt for credentials on secure desktop (2) -->
<!-- 2.3.17.2: UAC: Behavior of elevation prompt for administrators = Prompt for credentials (2) (2) -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
@ -305,7 +305,7 @@
</Item>
</Replace>
<Replace>
<!-- UAC: Behavior of elevation prompt for standard users = Automatically deny elevation requests (0) -->
<!-- 2.3.17.5: UAC: Behavior of elevation prompt for standard users = Automatically deny (0) (0) -->
<Item>
<Meta>
<Format xmlns="syncml:metinf">int</Format>

2
docs/solutions/cis/win-11/configuration-profiles/local-security-options.xml
View file

@ -1,4 +1,4 @@
<!-- CIS Windows 11 Enterprise v4.0.0 Local Security Options (Section 2.3.1) -->
<!-- CIS Windows 11 Enterprise v4.0.0 Local Security Options (Section 2.3) -->
<Replace>
<!-- 2.3.1.1: Accounts Administrator account status = Disabled -->
<Item>

4
docs/solutions/cis/win-11/policies/cis-policy-queries.yml
View file

@ -175,7 +175,7 @@
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to an empty list of users:
'Computer Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller'
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller'
query: |
SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/UserRights/AccessCredentialManagerAsTrustedCaller</LocURI></Target></Item></Get></SyncBody>"
AND mdm_command_output = "";
@ -9496,7 +9496,7 @@
resolution: |
To establish the recommended configuration via GP, set the following UI path to Disabled:
'User Configuration\Policies\Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges'
Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml thatis included with all versions of the Microsoft Windows Administrative Templates.
Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
query: |
SELECT 1 FROM registry WHERE (path LIKE 'HKEY_USERS\%\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated' AND data = 0);
# purpose: Informational

12
docs/solutions/cis/win-11/scripts/user-rights-assignment.ps1
View file

@ -20,9 +20,9 @@
- 2.2.13 Create permanent shared objects -> (empty)
- 2.2.14 Create symbolic links -> Administrators
- 2.2.15 Debug programs -> Administrators
- 2.2.16 Deny access this computer from the network -> Guests
- 2.2.16 Deny access this computer from the network -> Guests, Local account
- 2.2.19 Deny log on locally -> Guests
- 2.2.20 Deny log on through Remote Desktop Services -> Guests
- 2.2.20 Deny log on through Remote Desktop Services -> Guests, Local account
- 2.2.21 Enable computer and user accounts for delegation -> (empty)
- 2.2.22 Force shutdown from a remote system -> Administrators
- 2.2.23 Generate security audits -> LOCAL SERVICE, NETWORK SERVICE
@ -92,12 +92,12 @@ $userRights = [ordered]@{
'SeCreateSymbolicLinkPrivilege' = '*S-1-5-32-544'
# CIS 2.2.15: Administrators
'SeDebugPrivilege' = '*S-1-5-32-544'
# CIS 2.2.16: Guests
'SeDenyNetworkLogonRight' = '*S-1-5-32-546'
# CIS 2.2.16: Guests, Local account
'SeDenyNetworkLogonRight' = '*S-1-5-32-546,*S-1-5-113'
# CIS 2.2.19: Guests
'SeDenyInteractiveLogonRight' = '*S-1-5-32-546'
# CIS 2.2.20: Guests
'SeDenyRemoteInteractiveLogonRight' = '*S-1-5-32-546'
# CIS 2.2.20: Guests, Local account
'SeDenyRemoteInteractiveLogonRight' = '*S-1-5-32-546,*S-1-5-113'
# CIS 2.2.21: No One
'SeEnableDelegationPrivilege' = ''
# CIS 2.2.22: Administrators