From ec746374d38322585b21cda487b7608a02467295 Mon Sep 17 00:00:00 2001
From: Artemis Tosini
Date: Mon, 13 Mar 2023 12:24:00 -0400
Subject: [PATCH] Add macOS CIS 6.3.5 (Safari Hide IP Addresses) (#10316)
This adds two conflicting checks for macOS CIS 6.3.5. Proxying requests to 3rd party trackers may protect private information but it may also be against company policy as it routes data throught a 3rd party service. There's no documentation about now to set this through a policy or script, and in fact I can find no information about what this bitfield means, except the incorrect and conflicting documentation in the CIS pdf.
Co-authored-by: Sharon Katz
---
 ee/cis/macos-13/cis-policy-queries.yml | 68 ++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
diff --git a/ee/cis/macos-13/cis-policy-queries.yml b/ee/cis/macos-13/cis-policy-queries.yml
index 8216390696..898fb21d42 100644
--- a/ee/cis/macos-13/cis-policy-queries.yml
+++ b/ee/cis/macos-13/cis-policy-queries.yml
@@ -2371,6 +2371,74 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+name: CIS - Ensure the Hide IP Address in Safari is Enabled (Based on organization's policy)
+ platforms: macOS
+ platform: darwin
+ description: |
+ Public (Routable) IP addresses can be used to track people to their current location, including
+ home and business addresses. While a valid IP addess is necessary to load the site the valid
+ address does not need to be provided to known trackers and should be hidden.
+ resolution: |
+ Ask your system administrator to deploy a script that will configure "Hide IP Address in Safari" to Enabled
+ $ /usr/bin/sudo -u /usr/bin/defaults write
+ /Users//Library/Containers/com.apple.Safari/Data/Library/Preferences
+ /com.apple.Safari WBSPrivacyProxyAvailabilityTraffic -int 130276
+ query: |
+ SELECT 1 WHERE
+ NOT EXISTS(
+ SELECT 1 FROM plist
+ WHERE path LIKE "/Users/%/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist"
+ AND key = "WBSPrivacyProxyAvailabilityTraffic"
+ AND ((value >> 2) & 1) == 0
+ )
+ AND EXISTS(
+ SELECT 1 FROM plist
+ WHERE path LIKE "/Users/%/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist"
+ AND key = "WBSPrivacyProxyAvailabilityTraffic"
+ AND ((value >> 2) & 1) == 1
+ );
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS-macos-13-6.3.5-enabled, decision-needed
+ contributors: artemist-work
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure the Hide IP Address in Safari is Disabled (Based on organization's policy)
+ platforms: macOS
+ platform: darwin
+ description: |
+ Public (Routable) IP addresses can be used to track people to their current location, including
+ home and business addresses. While a valid IP addess is necessary to load the site the valid
+ address does not need to be provided to known trackers and should be hidden.
+ However, enabling this setting will proxy web information through a 3rd party service, which may
+ not be allowed by your organization's policy.
+ resolution: |
+ Ask your system administrator to deploy a script that will configure "Hide IP Address in Safari" to Enabled
+ $ /usr/bin/sudo -u /usr/bin/defaults write
+ /Users//Library/Containers/com.apple.Safari/Data/Library/Preferences
+ /com.apple.Safari WBSPrivacyProxyAvailabilityTraffic -int 130272
+ query: |
+ SELECT 1 WHERE
+ NOT EXISTS(
+ SELECT 1 FROM plist
+ WHERE path LIKE "/Users/%/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist"
+ AND key = "WBSPrivacyProxyAvailabilityTraffic"
+ AND ((value >> 2) & 1) == 1
+ )
+ AND EXISTS(
+ SELECT 1 FROM plist
+ WHERE path LIKE "/Users/%/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist"
+ AND key = "WBSPrivacyProxyAvailabilityTraffic"
+ AND ((value >> 2) & 1) == 0
+ );
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS-macos-13-6.3.5-disabled, decision-needed
+ contributors: artemist-work
+---
+apiVersion: v1
+kind: policy
 spec:
 name: CIS - Ensure Advertising Privacy Protection in Safari Is Enabled (FDA Required)
 platforms: macOS
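Review bot: In the second added policy (the "Disabled" variant) the `resolution` text still reads `configure "Hide IP Address in Safari" to Enabled`, although the command writes 130272, which has bit 2 clear and is the state that policy's query passes on; it should read `... "Hide IP Address in Safari" to Disabled`. Both queries also need their `EXISTS` branch to match, so a host where no user's com.apple.Safari.plist carries `WBSPrivacyProxyAvailabilityTraffic` (Safari never opened, or the agent unable to read the container) fails the Enabled and the Disabled policy alike, while a host passes as soon as one user matches and the other users have no key at all; I would state both cases in each `description`. Since the commit message says the bitfield is undocumented, the descriptions should also say that reading bit 2 as the "Hide IP Address" state is an unconfirmed assumption, so whoever revisits the check after a Safari update knows to re-verify it. In both resolution commands `sudo -u` and `/Users//` look as if a user-name placeholder was lost, which would make `/usr/bin/defaults` the argument of `-u` if the text is deployed as shown. In the first policy `name:` appears with no indentation after the `+`, unlike the second policy; if that is not an extraction artifact, it is not nested under `spec:`.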