Commit graph

171 commits

Author SHA1 Message Date
Dante Catalfamo
ecc7d2ce02
Add macOS 26 Tahoe CIS benchmark v1.0.0 (#44090)
**Related issue:** Resolves #35173

# macOS 26 Tahoe CIS benchmark v1.0.0 (new benchmark)

Adds a brand-new policy set covering the **CIS Apple macOS 26 Tahoe
Benchmark, v1.0.0** under `ee/cis/macos-26/`. Follows the same layout as
`macos-13`/`-14`/`-15` (`cis-policy-queries.yml`, `README.md`,
`test/scripts/`, `test/profiles/`).

## Coverage

| Section | Title | Status |
|---|---|---|
| 1 | Install Updates, Patches and Additional Security Software | complete (6/6 automated) |
| 2 | System Settings | complete (all automated across §2.1–§2.18) |
| 3 | Logging and Auditing | complete (5/5 automated) |
| 4 | Network Configurations | complete (3/3 automated) |
| 5 | System Access, Authentication and Authorization | complete (19/19 automated) |
| 6 | Applications | complete (7/7 automated) |
| 7 | Supplemental | skipped (per Fleet convention) |

Total automated policies shipped: **89**. Manual-assessment
recommendations are documented in `ee/cis/macos-26/README.md` under
**Limitations**.

## Notable query/format choices

- **Combined-key profiles per CIS instructions.** §2.2.1+§2.2.2
(Firewall + Stealth Mode) are shipped as a single
`2.2.1-and-2.2.2.mobileconfig` because CIS explicitly requires both keys
in the same profile. §2.6.5 (Gatekeeper) and §2.11.2 (screensaver
wake-password + delay) follow the same pattern.
- **§2.5.2.1 (Siri)** uses the new `allowAssistant=false` key on
`com.apple.applicationaccess`, replacing the deprecated
`com.apple.ironwood.support` payload from earlier benchmarks.
- **§2.6.3.2** uses the spaced literal key `Siri Data Sharing Opt-In
Status` (integer 2) on `com.apple.assistant.support` — the v1.0.0
PayloadType move from `com.apple.applicationaccess`.
- **§5.1.6, §5.1.7, §3.1, §5.7** use fleetd-only osquery tables
(`find_cmd`, `authdb`, `pwd_policy`, `dscl`, etc.) and are flagged
`(Fleetd Required)` in the policy descriptions.
- **§2.10.1.2** (Apple Silicon sleep ≤15 min) default-passes on Intel
hosts via a `system_info.cpu_type` check.

## Test artifacts added

| Type | Count | Location |
|---|---|---|
| Pass scripts | 48 | `ee/cis/macos-26/test/scripts/CIS_*_pass.sh` |
| Fail scripts | 46 | `ee/cis/macos-26/test/scripts/CIS_*_fail.sh` |
| Pass-only scripts | 2 | `CIS_1.1.sh`, `CIS_5.1.6.sh` |
| MDM profiles | 37 | `ee/cis/macos-26/test/profiles/*.mobileconfig` |

Profile-only recommendations (§2.3.1.x AirDrop/AirPlay, §2.5.x Apple
Intelligence, §2.6.3.x Analytics, §6.x Safari/Terminal) ship with a
`.mobileconfig` only and no script counterpart, since CIS marks them as
configurable solely via profile.

## Documentation updates

| File | Change |
|---|---|
| `ee/cis/macos-26/README.md` | New file — coverage table, limitations, per-section notes (query patterns, fleetd dependencies, FDA requirements). |
| `ee/cis/CIS-BENCHMARKS.md` | Added `macos-26/` to the directory layout; updated **Query patterns** doc to include the `EXISTS`/`NOT EXISTS` user-vs-system-scope guidance and `username = ''` notes. |
| `ee/cis/prompt.md` | Refreshed authoring prompts with macOS-26 conventions (combined-key profiles, fleetd-table flagging). |
| `tools/cis/cis-test-runner.py` | Minor adjustments to support the new benchmark directory. |
| `changes/35173-cis-macos-26-v1` | User-visible change note. |


<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

* **New Features**
  * Added macOS 26 CIS Benchmark v1.0.0 with comprehensive configuration profiles to enforce recommended system and app settings (updates, firewall/stealth, privacy, backups, FileVault, Safari, Terminal, etc.).

* **Tests**
  * Added extensive pass/fail remediation and validation scripts for CIS controls across macOS subsystems; test runner updated to include macOS 26 support and mark an SSH-related control as manual.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-29 17:15:25 -04:00
Dante Catalfamo
90e1dc311b
Update macOS 15 to CIS Benchmark 2.0.0 (#43909)
**Related issue:** Resolves #35171


# macOS 15 CIS benchmark v1.1.0 → v2.0.0 change set

## Policy changes

| CIS ID | Policy name (new) | Change type | Effect |
|---|---|---|---|
| 1.1 | CIS - Ensure Apple-provided Software Updates Are Installed (Fleetd Required) | Modified | Renamed from "Ensure All Apple-provided Software Is Current"; resolution expanded with terminal `softwareupdate -i -a` method; `cis_id` added. Query unchanged (still uses fleetd's `software_update` table). |
| 1.6 | CIS - Ensure Software Update Deferment Is Less Than or Equal to 30 Days (MDM Required) | Modified | Added Apple-deprecation note to description; `cis_id` added. Query unchanged. |
| 1.7 | CIS - Ensure XProtect Is Running and Updated | Removed | Deleted — v2.0.0 removed 1.7 from the numbered benchmark and moved it to Supplemental section 7.4. Per authoring outline, Fleet does not track section 7+ recommendations. |
| 2.1.1.1 | CIS - Ensure iCloud Passwords & Keychain is enabled/disabled (MDM Required) | Modified | Renamed from "iCloud Keychain" to match v2.0.0's "Audit iCloud Passwords & Keychain"; Description, Rationale, and Impact Statement updated from the new PDF; `cis_id` added to both enable/disable variants. Query unchanged (`allowCloudKeychainSync` key is the same). |
| 2.3.1.1 | CIS - Ensure AirDrop Is Disabled (MDM Required) | Modified | Added note to resolution stating AirDrop can only be toggled via configuration profile; `cis_id` added. Query unchanged. |
| 2.3.3.4 | CIS - Ensure Remote Login Is Disabled | Modified | Description rewritten to match v2.0.0 text; terminal remediation (`systemsetup -setremotelogin off`) added to resolution; `cis_id` added. Query unchanged (still checks `disabled.plist`). |
| 2.6.3.1, 2.6.3.2, 2.6.3.3, 2.6.3.4 | CIS - Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (MDM Required) | Modified | **Query change**: Siri Data Sharing Opt-In Status check moved from `com.apple.applicationaccess` → `com.apple.assistant.support` domain to track v2.0.0's new PayloadType; `cis_id` added (combined). |
| 2.4.1 | CIS - Ensure Show Wi-Fi status in Menu Bar Is Enabled (MDM Required) | Removed | Deleted — recommendation removed in v2.0.0. |
| 2.4.2 | CIS - Ensure Show Bluetooth Status in Menu Bar Is Enabled (MDM Required) | Removed | Deleted — recommendation removed in v2.0.0 (replaced by Manual 2.4.1 "Audit Menu Bar and Control Center Icons"). |
| 6.1.1 | CIS - Ensure Show All Filename Extensions Setting is Enabled | Removed | Deleted — recommendation downgraded to Manual in v2.0.0. |

Policy count: 113 → 109.

## Test artifacts added

| Target CIS ID | File | Type | Notes |
|---|---|---|---|
| 2.3.3.4 | `ee/cis/macos-15/test/scripts/CIS_2.3.3.4_pass.sh` | pass script | `systemsetup -setremotelogin off` |
| 2.3.3.4 | `ee/cis/macos-15/test/scripts/CIS_2.3.3.4_fail.sh` | fail script | `systemsetup -setremotelogin on` |
| 1.6 | `ee/cis/macos-15/test/profiles/1.6.mobileconfig` | MDM profile | Sets `enforcedSoftwareUpdateDelay=30`, `forceDelayedSoftwareUpdates=true` |
| 2.3.1.1 | `ee/cis/macos-15/test/profiles/2.3.1.1.mobileconfig` | MDM profile | Sets `allowAirDrop=false` |
| 2.6.3.2 | `ee/cis/macos-15/test/profiles/2.6.3.2.mobileconfig` | MDM profile | Four payloads covering the combined Fleet query: Siri opt-in (new v2.0.0 domain), AutoSubmit, allowDiagnosticSubmission, AXSAudioDonationSiriImprovementEnabled |

No test added for 1.1 — query depends on live OS update state (fleetd
`software_update` table) and cannot be toggled by a script or profile.

No test added for 2.1.1.1 — it is an org-decision Audit recommendation
(Fleet ships both enable and disable variants); one of the two policies
fails by construction regardless of system state.

## Documentation updates

| File | Change |
|---|---|
| `ee/cis/macos-15/README.md` | Benchmark version bumped v1.1.0 → v2.0.0. Limitations list renumbered to v2.0.0 section numbers; added 2.4.1 (new "Audit Menu Bar and Control Center Icons") and 6.1.1 (now Manual "Audit Show All Filename Extensions"). Org-decision entry renamed from "Audit iCloud Keychain" to "Audit iCloud Passwords & Keychain" to match v2.0.0 terminology. |
2026-04-23 16:17:34 -04:00
Dante Catalfamo
9ff63eb52e
macOS 14 CIS benchmark v3.0.0 update (#43797)
**Related issue:** Resolves #35172

Updates the macOS 14 (Sonoma) CIS policy set to benchmark v3.0.0, adds a
`cis_id` field to every policy, fixes several broken test scripts,
introduces an automated test runner, and ships `CIS-BENCHMARKS.md` as a
central guide for authoring and maintaining CIS benchmarks.

## Summary of changes

- `ee/cis/macos-14/cis-policy-queries.yml`: v3.0.0 updates + `cis_id`
added to every entry
- `ee/cis/CIS-BENCHMARKS.md`: new authoring/testing/automation guide for
all macOS CIS benchmarks (and the pattern other OS dirs follow)
- `tools/cis/cis-test-runner.py`: new 2150-line Python runner that
drives end-to-end validation against a real tart VM + Fleet server
- `ee/cis/macos-14/test/scripts/`: 10 new pass/fail script pairs, 8
existing scripts fixed (several were silently broken)

# How the automated testing works

The runner (`tools/cis/cis-test-runner.py`) exercises the full policy
lifecycle against a real macOS VM:

**Phases**

1. **Parse** `cis-policy-queries.yml` and filter by `--all`,
`--cis-ids`, `--match`, and type flags (`--only-scripts`, `--only-mdm`,
`--only-manual`).
2. **Classify** each policy into a test type based on available
artifacts:

   | Priority | Type | Artifacts | Behavior |
   |---|---|---|---|
   | 1 | `PASS_FAIL` | `CIS_{id}_pass.sh` + `_fail.sh` | Run fail → verify query fails → run pass → verify passes |
   | 2 | `PASS_ONLY` | `CIS_{id}.sh` | Run script → verify passes |
   | 3 | `PROFILE` | `.mobileconfig` only | Verify query fails before profile → push profile → verify passes |
   | 4 | `ORG_DECISION` | paired `-enable`/`-disable` profiles | Toggle between variants |
   | 5 | `MANUAL` | none | Prompt operator, or skip with `--skip-manual` |

3. **Provision**: create a fresh Fleet team with a unique enroll secret,
build a fleetd pkg bound to it, create+boot a tart VM, install the
agent, and enroll.
4. **MDM**: prompt the operator for MDM enrollment if any tests need it.
Clear team profiles, baseline the VM, push all required profiles in one
batch, wait for delivery.
5. **Execute**: for each plan, SCP the script, run it over SSH, then run
the policy via `fleetctl query --hosts <hostname>`. A query that returns
rows = pass.
6. **Report** summary with PASS/FAIL/SKIP/ERROR counts.
7. **Cleanup** (with `--cleanup`) deletes the team, host record, and VM.

**Special-case handling** (keyed by OS version because CIS IDs aren't
stable across releases):

- `SSH_BREAKING_CIS_IDS`: tests that disable sshd (2.3.3.4, 2.3.3.5) are
forced to `MANUAL` so the runner doesn't lock itself out.
- `PASSWORD_POLICY_CIS_IDS`: 5.2.x profiles invalidate the VM's
`admin`/`admin` login — forced to `MANUAL`.
- `NON_AUTOMATABLE_CIS_IDS`: tests that can't run reliably in a VM
(Location Services, Touch ID, shared Siri profile state) forced to
`MANUAL` with a per-entry reason.
- `--keep-vm`: reuses the VM across runs, skipping agent
install/enrollment if the host is already in Fleet. Falls back to fresh
creation if SSH is unreachable.

**Credential resolution order**: CLI flag →
`FLEET_URL`/`FLEET_API_TOKEN` env → `~/.fleet/config` (from `fleetctl
login`).

## How to use `CIS-BENCHMARKS.md` going forward

The doc is the single reference for authoring and maintaining CIS
benchmark policies across all macOS (and Windows) versions. For each new
benchmark release, the workflow is:

1. **Read "Updating benchmarks when a new CIS version is released"** —
directs you to the PDF's *Appendix: Change History* to enumerate
Added/Modified/Removed recommendations.
2. **Use the field reference and query patterns** to write or update
policies: direct table check, `managed_policies` EXISTS/NOT EXISTS, or
plist negation check. Name qualifiers `(MDM Required)` / `(Fleetd
Required)` / `(FDA Required)` are documented.
3. **Create matching test artifacts** — pass/fail scripts for togglable
settings, `.mobileconfig` profiles for MDM-only settings. Script
conventions (full paths, sudo pattern, `not_always_working_` prefix) are
standardized.
4. **Update the per-OS README** with limitations, org-decision policies,
and optional policies.
5. **Run the test runner** to validate.

The doc also contains an **end-to-end AI agent prompt** (section at the
bottom) designed to be handed a new CIS PDF plus the previous version's
PDF, to automatically generate the diff, write policies, produce test
artifacts, update docs, and run validation. This lets future benchmark
updates start from a consistent, repeatable baseline rather than being
hand-authored from scratch.

## Query changes

All entries in `cis-policy-queries.yml` received a `cis_id` field so the
runner (and humans) can map policies → scripts → profiles → the
benchmark document without parsing the display name.

| CIS ID | Change |
|---|---|
| 1.1 | Renamed "Ensure All Apple-provided Software Is Current" → "Ensure Apple-provided Software Updates Are Installed"; added terminal remediation to `resolution` |
| 1.6 | Expanded description with v3.0.0 language about rapid security response updates |
| 1.x (deferment) | **Removed** — "Ensure Software Update Deferment Is Less Than or Equal to 30 Days" dropped from v3.0.0 |
| 2.3.1.1 | Renamed "Ensure AirDrop Is Disabled" → "Ensure AirDrop Is Disabled When Not Actively Transferring Files"; expanded description |
| 2.3.3.1 (DVD/CD Sharing) | **Removed** — dropped from v3.0.0 |
| 2.3.3.4 (Remote Login) | Query now checks BOTH `disabled.plist` AND that `com.openssh.sshd` is not in the `launchd` table; resolution updated to terminal method |
| 5.1.7 | Query rewritten: sticky-bit dirs now properly excluded (first-char-of-mode check instead of bit-AND on full mode string); SIP-protected dirs excluded via `com.apple.rootless` xattr check |
| 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.7 | Dropped `username = ''` filter — Safari profiles deliver at user scope, so the system-scope filter guaranteed zero rows |
| 6.3.3 | Fixed `NOT EXISTS` domain typo: `com.apple.loginwindow` → `com.apple.Safari` (the check was previously meaningless) |
| Wi-Fi/Bluetooth menu bar | **Removed** — "Show Wi-Fi status in Menu Bar" and "Show Bluetooth status in Menu Bar" dropped from v3.0.0 |
| Show All Filename Extensions | **Removed** — dropped from v3.0.0 |

## Script changes

### New scripts

| Script | Purpose |
|---|---|
| `CIS_1.1_pass.sh` / `_fail.sh` | Install updates (pass); clear `LastFullSuccessfulDate` (fail — caveat: only works when real updates are pending) |
| `CIS_1.6_pass.sh` / `_fail.sh` | Open/remove the `1.6.mobileconfig` profile |
| `CIS_2.3.1.1_pass.sh` / `_fail.sh` | Open/remove the AirDrop profile |
| `CIS_2.3.2.2_pass.sh` / `_fail.sh` | `launchctl load/unload -w` of `com.apple.timed.plist` |
| `CIS_2.3.3.4_pass.sh` / `_fail.sh` | `systemsetup -setremotelogin off/on` (runs as MANUAL via the runner's SSH-breaking safeguard) |

### Existing scripts fixed

| Script | Bug | Fix |
|---|---|---|
| `CIS_2.3.3.1.sh` | Disabled `com.apple.ODSAgent` (DVD/CD sharing), not Screen Sharing | Now disables `com.apple.screensharing` |
| `CIS_2.9.2.sh` | `pmset -a womp 0` sets Wake-on-Network, not Power Nap | Now `pmset -a/-b/-c powernap 0` |
| `CIS_3.2.sh` | `sed` pipeline into root-owned file via user redirection silently failed; did nothing if the flags line was missing | `awk` with `tee`/`mv`; appends a flags line when absent; enforces 0400 root:wheel |
| `CIS_3.3.sh` | Only stripped `all_max=`; never added `ttl=365` when missing, so the query could never pass from a fresh system | `awk` now both strips `all_max=` and inserts/updates `ttl=365` on the `* file` line |
| `CIS_3.4.sh` | `sudo sed … > /etc/security/audit_control` — redirect runs as caller, not root; write silently failed | Rewrites via `tee`/`mv` with proper perms; appends when line is absent |
| `CIS_3.5.sh` | `chmod -R o-rw` doesn't produce the exact `0400`/`0440` modes the query requires | Explicit `chmod 0400` on `audit_control`, `find … -exec chmod 0440 {}` under `/var/audit/` |
| `CIS_5.1.7.sh` | `sudo IFS=$'\n'` runs IFS in a subshell that exits immediately; searched `/System/Volumes/Data/Library` but the query looks at `/Library/%` | IFS set in parent shell; searches `/Library`; skips SIP-protected dirs via xattr |
| `CIS_5.7.sh` | Wrote `use-login-window-ui` which the query doesn't accept | Writes `authenticate-session-owner` |
| `CIS_6.3.6.sh` | Contained literal `<username>` placeholders that were never substituted | Iterates non-system users (`UniqueID >= 500`) and runs `defaults write` as each |


<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

* **New Features**
  * macOS 14 (Sonoma) CIS policies updated to v3.0.0 with refreshed policy names and CIS IDs.
  * New CLI test runner to automate CIS validation against macOS VMs.

* **Bug Fixes / Improvements**
  * Updated remediations and audit/query logic; safer, atomic config updates; several policies revised or removed.

* **Tests**
  * Many new and improved pass/fail helper scripts for validating CIS checks and profiles.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-23 12:56:38 -04:00
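The `sudo sed … > /etc/security/audit_control` pitfall listed under "Existing scripts fixed", and the `tee`/`mv` rewrite that replaced it, as an added example that is not one of Fleet's CIS test scripts: the `>` redirect is opened by the caller's shell before `sudo` ever runs, so a root-owned `0400` target cannot be written (or is truncated before `sed` reads it), and the safe pattern writes a temp file beside the target and renames it into place. `set_audit_key`, `get_audit_key` and the sample `audit_control` content are assumed names and constructed input.

```shell
#!/bin/sh
# Added example (not Fleet's CIS_3.2.sh / CIS_3.4.sh). Broken pattern it replaces:
#
#   sudo sed 's/^flags:.*/flags:lo,aa/' /etc/security/audit_control > /etc/security/audit_control
#
# The redirect is performed by the unprivileged caller's shell, not by sudo,
# so the write either fails silently or truncates the file before sed reads it.
# Writing to a temp file in the same directory and renaming it is atomic and
# leaves the original intact if anything fails part-way.

# set_audit_key FILE KEY VALUE
# Replaces the "KEY:..." line of an audit_control-style file with "KEY:VALUE",
# or appends it when the key is absent (the "fresh system" case the old
# scripts missed).
set_audit_key() {
    file=$1 key=$2 value=$3
    # Temp file next to the target so mv is a same-filesystem rename.
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    awk -v k="$key" -v v="$value" '
        index($0, k ":") == 1 { print k ":" v; seen = 1; next }  # replace key line
        { print }                                                # copy everything else
        END { if (!seen) print k ":" v }                         # append when missing
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0400 "$tmp" || { rm -f "$tmp"; return 1; }   # mode the benchmark expects
    if [ "$(id -u)" -eq 0 ]; then
        # 0:0 is root:wheel on macOS; only possible when running as root.
        chown 0:0 "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$file"
}

# get_audit_key FILE KEY: print the value of KEY (empty if the key is absent).
get_audit_key() {
    awk -v k="$2" 'index($0, k ":") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}
```

On a real host the call is `sudo sh -c '. ./this.sh; set_audit_key /etc/security/audit_control flags lo,aa,ad,fd,fm,-all'`, i.e. the whole function runs as root rather than just the `sed`.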
Noah Talerman
09590bc6e2
"Teams" => "fleets", "queries" => "reports" doc changes (#39585) 2026-03-11 23:41:14 -05:00
Allen Houchins
e9eba88b45
Fix formatting of policy name in YAML file (#39153)
Removed extra space in policy name.
2026-02-02 10:44:34 -06:00
|@rm!n3
001e94efc0
bug fixed for cis-l1 (#38323)
15 L1 CIS policies fixed
2026-01-14 16:12:15 -05:00
Jake Stenger
0560715a2a
Adding new Windows 11 Intune CIS benchmark policy import files (#37881)
https://github.com/fleetdm/fleet/issues/34684
2026-01-07 10:00:40 -08:00
Rachael Shaw
2a901105bf
Docs v4.73.0 (#32682)
Documentation changes for the 4.73.0 release

---------

Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Co-authored-by: RachelElysia <rachel@fleetdm.com>
Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
2025-09-08 19:09:44 -05:00
Victor Lyuboslavsky
75f7ab2d97
Updating CIS policies for macOS 15, 14, and 13 (#31553)
Fixes #31106 

Details of the changes done
- for macOS 15:
https://github.com/fleetdm/fleet/issues/31106#issuecomment-3155384061
- for macOS 14:
https://github.com/fleetdm/fleet/issues/31106#issuecomment-3155691097
- for macOS 13:
https://github.com/fleetdm/fleet/issues/31106#issuecomment-3155763952

# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing
- [x] QA'd all new/changed functionality manually


<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

* **New Features**
  * Added new security policies for macOS 15, including controls for Apple Intelligence features such as external intelligence extensions, writing tools, mail summarization, and notes summarization.
  * Introduced a policy to ensure sleep and display sleep are enabled on Apple Silicon devices.

* **Improvements**
  * Enhanced and clarified descriptions for several existing macOS CIS policies, including Bluetooth Sharing, Siri, NFS Server, password policies, and filename extension visibility.
  * Updated policy queries and resolutions to align with the latest CIS Benchmark version 1.1.0 and current macOS settings.
  * Standardized resolution instructions and improved contributor attribution across policies.

* **Bug Fixes**
  * Corrected and clarified policy names and descriptions, such as renaming Siri policy to ensure it is disabled and focusing on world-writable folders instead of files.

* **Removals**
  * Removed the policy requiring auto-update to be enabled for macOS 15.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-08-07 08:24:01 +02:00
Noah Talerman
3c0ba13798
CIS Benchmarks: remove version note from policies YAML (#31088)
- @noahtalerman: It was out of date for Windows 11. We show the version
in the READMEs. For example, here's the [Windows
README](https://github.com/fleetdm/fleet/tree/main/ee/cis/win-11).
2025-07-21 11:55:03 -04:00
Dante Catalfamo
e1b311a7f7
Windows 10 CIS 3.0 (#30288)
#25807
2025-06-27 11:14:40 -04:00
Dante Catalfamo
ab12f475c2
Remove username requirement from some CIS policies (#29842)
#29127
2025-06-12 15:22:35 -04:00
Sharon Katz
103239105f
Fix #27888 (#29040)
This is fixing a misinterpretation of the [CIS document](https://drive.google.com/file/d/1Bq6GSn_wRMp2JKbYsRt51V5BXV1gizDp/view?usp=drive_link) for macOS 15.

In the doc, search for: "show full Website".
The Audit bash script is:
```
% /usr/bin/sudo /usr/sbin/system_profiler SPConfigurationProfileDataType |
/usr/bin/grep ShowFullURLInSmartSearchField | /usr/bin/tr -d ' '

Result on my Mac:
ShowFullURLInSmartSearchField = 1;
```
This should be interpreted as 'Any user who has this setting is ok'. Not
looking for an empty user.
We have 48 other occurrences that we will discuss outside the scope of
this issue.

QA:
Applying the profile for my main user worked.
Adding a test user
The configuration was applied to it without the need to redeploy the
profile.

--> Hence, we are good with the way CIS recommends auditing.

Checking with a query finds both accounts with the proper setting:

![image](https://github.com/user-attachments/assets/258c4183-dc76-49aa-a022-63954f1733dc)



# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
2025-05-23 10:19:23 -04:00
Rachael Shaw
cbeb311b97
4.68.0 doc changes (#29393)
Documentation updates for v4.68.0

---------

Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com>
Co-authored-by: Eugene <eugene@fleetdm.com>
Co-authored-by: dantecatalfamo <dante.catalfamo@gmail.com>
Co-authored-by: Konstantin Sykulev <konst@sykulev.com>
Co-authored-by: Luke Heath <luke@fleetdm.com>
2025-05-22 16:20:56 -05:00
Dante Catalfamo
0b6ee9392f
Windows 11 Enterprise CIS 4.0 (#29191)
#27396 

## Results

First Column:

- `+` = Added
- D = Duplicate
- X = Updated/Removed
- ? = Unclear/un-actionable

Tested Column:

- Yes = Works as described
- NF = Could not find GP setting, but registry key exists and editing it makes the policy pass
- NA = Not available. Could not find GP setting, registry setting doesn't exist

| | Tested | Type | Comment |
|---|---|---|---|
| + | NF | ADD | 5 (L2) Ensure 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' is set to 'Disabled' |
| + | Yes | ADD | 18.10.58 (L1) Ensure 'Turn on Basic feed authentication over HTTP' is set to 'Disabled' |
| + | Yes | ADD | 2.3.11 (L1) Ensure 'Network security: LDAP client encryption requirements' is set to 'Negotiate sealing' or higher |
| + | Yes | ADD | 18.6.4 (L1) Ensure 'Configure multicast DNS (mDNS) protocol' is set to 'Disabled' |
| + | Yes | ADD | 18.6.4 (L2) Ensure 'Turn off default IPv6 DNS Servers' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Audit client does not support encryption' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Audit client does not support signing' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Audit insecure guest logon' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Enable authentication rate limiter' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Enable remote mailslots' is set to 'Disabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Set authentication rate limiter delay (milliseconds)' is set to 'Enabled: 2000' or more |
| + | Yes | ADD | 18.6.8 (L1) Ensure 'Audit insecure guest logon' is set to 'Enabled' |
| + | Yes | ADD | 18.6.8 (L1) Ensure 'Audit server does not support encryption' is set to 'Enabled' |
| + | Yes | ADD | 18.6.8 (L1) Ensure 'Audit server does not support signing' is set to 'Enabled' |
| D | -- | ADD | 18.6.8 (L1) Ensure 'Enable remote mailslots' is set to 'Disabled' |
| D | -- | ADD | 18.6.8 (L1) Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1' |
| + | Yes | ADD | 18.7 (L2) Ensure 'Configure Windows protected print' is set to 'Enabled' |
| + | Yes | ADD | 18.9 (L1) Ensure 'Configure the behavior of the sudo command' is set to 'Enabled: Disabled' |
| + | Yes | ADD | 18.9.30.1 (L1) Ensure 'Block NetBIOS-based discovery for domain controller location' is set to 'Enabled' |
| + | Yes | ADD | 18.9.39 (L1) Ensure 'Configure SAM change password RPC methods policy' is set to 'Enabled: Block all change password RPC methods' |
| + | Yes | ADD | 18.10.3 (L2) Ensure 'Turn off API Sampling' is set to 'Enabled' |
| + | Yes | ADD | 18.10.3 (L2) Ensure 'Turn off Application Footprint' is set to 'Enabled' |
| + | Yes | ADD | 18.10.3 (L2) Ensure 'Turn off Install Tracing' is set to 'Enabled' |
| + | Yes | ADD | 18.10.4 (L1) Ensure 'Not allow per-user unsigned packages to install by default (requires explicitly allow per install)' is set to 'Enabled' |
| + | Yes | ADD | 18.10.18 (L1) Ensure 'Enable App Installer Local Archive Malware Scan Override' is set to 'Disabled' |
| + | Yes | ADD | 18.10.18 (L1) Ensure 'Enable App Installer Microsoft Store Source Certificate Validation Bypass' is set to 'Disabled' |
| + | Yes | ADD | 18.10.18 (L2) Ensure 'Enable Windows Package Manager command line interfaces' is set to 'Disabled' |
| + | Yes | ADD | 18.10.29 (L1) Ensure 'Do not apply the Mark of the Web tag to files copied from insecure sources' is set to 'Disabled' |
| + | Yes | ADD | 18.10.43 (L1) Ensure 'Control whether exclusions are visible to local users' is set to 'Enabled' |
| + | Yes | ADD | 18.10.43.4 (L1) Ensure 'Enable EDR in block mode' is set to 'Enabled' |
| + | Yes | ADD | 18.10.43.8 (L2) Ensure 'Convert warn verdict to block' is set to 'Enabled' |
| + | Yes | ADD | 18.10.43.10 (L1) Ensure 'Configure real-time protection and Security Intelligence Updates during OOBE' is set to 'Enabled' |
| + | Yes | ADD | 18.10.43.11.1.1 (L2) Ensure 'Configure Brute-Force Protection aggressiveness' is set to 'Enabled: Medium' or higher |
| + | Yes | ADD | 18.10.43.11.1.1 (L1) Ensure 'Configure Remote Encryption Protection Mode' is set to 'Enabled: Audit' or higher |
| + | Yes | ADD | 18.10.43.11.1.2 (L2) Ensure 'Configure how aggressively Remote Encryption Protection blocks threats' is set to 'Enabled: Medium' or higher |
| + | Yes | ADD | 18.10.43.13 (L1) Ensure 'Scan excluded files and directories during quick scans' is set to 'Enabled: 1' |
| + | Yes | ADD | 18.10.43.13 (L1) Ensure 'Trigger a quick scan after X days without any scans' is set to 'Enabled: 7' |
| + | Yes | ADD | 18.10.57.3.3 (L2) Ensure 'Restrict clipboard transfer from server to client' is set to 'Enabled: Disable clipboard transfers from server to client' |
| + | NA | ADD | 19.7.40 (L1) Ensure 'Turn off Windows Copilot' is set to 'Enabled' |
| + | NF | ADD | 5 (L2) Ensure 'GameInput Service (GameInputSvc)' is set to 'Disabled' |
| + | Yes | ADD | 18.6.8 (L1) Ensure 'Require Encryption' is set to 'Enabled' |
| + | Yes | ADD | 18.10.91 (L2) Ensure 'Allow mapping folders into Windows Sandbox' is set to 'Disabled' |
| X | Yes | MOVE | 18.4.1 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled' TO 18.7 |
| X | Yes | REMOVE | 18.10.42 Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' |
| X | Yes | REMOVE | 18.10.15 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' |
| X | Yes | REMOVE | 18.10.66 (L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled' |
| X | Yes | REMOVE | 2.3.1 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' |
| X | Yes | REMOVE | 18.9.7.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to `PCI\CC_0C0A` |
| X | Yes | REMOVE | 18.9.7 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) |
| X | Yes | REMOVE | 18.9.7 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' |
| X | Yes | REMOVE | 5 (L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled' |
| X | Yes | REMOVE | 5 (L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' |
| X | Yes | REMOVE | 5 (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled' |
| X | Yes | REMOVE | 5 (L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled' |
| X | Yes | REMOVE | 18.6.4 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher |
| X | Yes | RENAME | 2.2 (L1) Configure 'Create symbolic links' TO (L1) Ensure 'Create symbolic links' is set to 'Administrators'23528 |
| X | Yes | RENAME | 2.2 (L2) Configure 'Log on as a service' TO (L2) Ensure 'Log on as a service' is configured |
| + | Yes | RENAME | 18.10.82.1 (L1) Ensure 'Enable MPR notifications for the system' TO 'Configure the transmission of the user's password in the content of MPR notifications sent by winlogon.' |
| X | Yes | UPDATE | 18.10.17 (L1 -> L2) Ensure 'Enable App Installer' is set to 'Disabled' |
| X | Yes | UPDATE | 18.4 (L1) Ensure 'Enable Certificate Padding' TO Allow `REG_DWORD` or `REG_SZ` |
| X | NA | UPDATE | 18.9.26 Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock' |
| ? | Unknown | UPDATE | Section 17 Auditpol commands to use Policy GUIDs |
| ? | Unknown | UPDATE | 18.4 (L1) Ensure 'Enable Certificate Padding' is set to 'Enabled' |
| ? | Unknown | UPDATE | Section changes from Windows 11 Release 23H2 v2.0 Administrative Templates |
| ? | Unknown | UPDATE | Section changes from Windows 11 Release 24H2 Administrative Templates |
| ? | Unknown | UPDATE | User Overview (Section 19) |
| ? | Unknown | UPDATE | Profile Names |
| ? | Unknown | UPDATE | General Overview and Intended Audience Section |
| ? | Unknown | UPDATE | BitLocker Operating System Drive Section |
| ? | Unknown | UPDATE | 18.10.93.4 (L1) Ensure 'Enable optional updates' is set to 'Disabled' |
2025-05-22 15:55:45 -04:00
Rachael Shaw
0c95e92b5a
Revert changes to batch-run script docs
Merged into wrong branch; for 4.68
2025-04-22 18:08:32 -05:00
Rachael Shaw
13b9b885c1
Bulk script doc spruce up (#28471)
Move around some parameters and mark `script_id` required

---------

Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com>
2025-04-22 18:02:54 -05:00
Sharon Katz
72f476bfd3
Remove missing items from README (#26045)
2025-02-04 16:12:17 -05:00
Josh Brower
a3b52d6c79
Add missing CIS checks (#24787)
PR for https://github.com/fleetdm/fleet/issues/24647

Adds:
- 2.6.3.3: Ensure Improve Assistive Voice Features Is Disabled
- 5.11: Ensure Logging Is Enabled for Sudo (Automated)

2.6.3.1, 2.6.3.2, 2.6.3.4 were previously added.

2.7.2 is a `Manual` check, which is not supported here.

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-01-08 17:06:43 -05:00
Noah Talerman
dab8cc9ab4
macOS 15 CIS Benchmarks: document missing items (#24645)
- Missing 2.6.3.5 and 2.7.2
2024-12-13 08:51:43 -05:00
Josh Brower
4f2daf2368
CIS Update: Q4 2024 (#24224)
All edited YAML files were run through a YAML syntax check before being
committed.

**macOS-13**

- UPDATED: "3.5 - Ensure Access to Audit Records Is Controlled"
Description and Resolution. Query did not change.

- ADDED: "5.10 - Ensure XProtect Is Running and Updated". Checking for
updates is actually handled via a different query.

**macOS-14**

- UPDATED: "3.5 - Ensure Access to Audit Records Is Controlled"
Description and Resolution. Query did not change.

- ADDED: "5.10 - Ensure XProtect Is Running and Updated". Checking for
updates is actually handled via a different query.

**macOS-15**

Initial version duplicated from macOS-14 queries, then the following
changes were applied:

- REMOVED: "3.6 - Ensure Firewall Logging Is Enabled and Configured"

The following controls were not added, further research on how to check
them with osquery is required:
- 2.6.3.1 - 2.6.3.5 and 2.7.2: I am not sure how we can accomplish this.
- "5.11 - Ensure Logging Is Enabled For Sudo": I believe this one can be
accomplished through the file_lines table.

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Co-authored-by: Sharon Katz <sharon@fleetdm.com>
2024-12-05 13:35:40 -05:00
Sharon Katz
d8b3a1c7bb
Fix CIS query (#23062)
2024-10-22 09:54:19 -04:00
Josh Brower
16afe9f7c0
CIS Update - macOS 14, CIS v1.1.0 (#21478)
Changelog

ADD:

ADD - 2.3.3.2 Ensure the Time Service Is Enabled
ADD - 6.3.10 Ensure Show Status Bar Is Enabled

REMOVE:

REMOVE - 2.3.2.2 Ensure Time Is Set Within Appropriate Limits

UPDATE:

UPDATE - 2.6.1.2 Ensure Location Services Is in the Menu Bar
UPDATE - 3.1 Ensure Security Auditing Is Enabled
UPDATE - 5.1.6 Ensure No World Writable Folders Exist in the System Folder
UPDATE - 5.7 Ensure an Administrator Account Cannot Login to Another User's Active and Locked Session
UPDATE - 2.9.1.1 Ensure the OS Is Not Active When Resuming from Standby (Intel)
UPDATE - 2.9.1.2 Ensure the OS Is Not Active When Resuming from Sleep and Display Sleep (Apple Silicon)

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2024-10-21 15:24:36 -04:00
Josh Brower
8d27835976
CIS Update - macOS 13, CIS v2.1.0 (#21486)
Changelog

ADD:

ADD - 2.3.3.2 Ensure the Time Service Is Enabled
ADD - 6.3.10 Ensure Show Status Bar Is Enabled

UPDATE:

UPDATE - 2.6.1.2 Ensure Location Services Is in the Menu Bar
UPDATE - 3.1 Ensure Security Auditing Is Enabled
UPDATE - 5.7 Ensure an Administrator Account Cannot Login to Another User's Active and Locked Session
UPDATE - 5.1.6 Ensure No World Writable Folders Exist in the System Folder
UPDATE - 2.9.1.1 Ensure the OS Is Not Active When Resuming from Standby (Intel)
UPDATE - 2.9.1.2 Ensure the OS Is Not Active When Resuming from Sleep and Display Sleep (Apple Silicon)

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2024-10-21 15:24:18 -04:00
Marko Lisica
cae2aa0326
Docs changes: Update Windows 10 CIS benchmark (#19723)
#17659
2024-06-13 11:24:41 -04:00
Marko Lisica
089d9e5fd0
Docs changes: Update Windows 11 CIS benchmark (#19722)
- #17659
2024-06-13 11:24:11 -04:00
Josh Brower
6d633427d8
Feature/win11 cis v3 (#18862)
Changelog

ADD:

ADD - 18.10.75.1 (L1) Ensure 'Automatic Data Collection' is set to
'Enabled'
ADD - 18.10.92.2 (L1) Ensure 'Enable features introduced via servicing
that are off by default' is set to 'Disabled'
ADD - 18.10.92.4 (L1) Ensure 'Enable optional updates' is set to
'Disabled'
ADD - 18.8 (L2) Ensure 'Remove Personalized Website Recommendations from
the Recommended section in the Start Menu' is set to 'Enabled'
ADD - 18.9.19 (L1) 'Configure security policy processing: Do not apply
during periodic background processing' is set to 'False'
ADD - 18.9.19 (L1) 'Configure security policy processing: Process even
if the Group Policy objects have not changed' is set to 'True'
ADD - 18.9.25 (L1) Ensure 'Configure password backup directory' is set
to 'Enabled: Active Directory' or 'Enabled: Azure Active Directory'
ADD - 18.9.25 (L1) Ensure 'Enable password encryption' is set to
'Enabled'
ADD - 18.9.25 (L1) Ensure 'Post-authentication actions: Actions' is set
to 'Enabled: Reset the password and logoff the managed account' or
higher
ADD - 18.9.25 (L1) Ensure 'Post-authentication actions: Grace period
(hours)' is set to 'Enabled: 8 or fewer hours, but not 0'
ADD - 19.7.38 (L1) Ensure 'Turn off Windows Copilot' is set to 'Enabled'
ADD - 2.3.11 (L1) Ensure 'Network security: Restrict NTLM: Audit
Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'
ADD - 2.3.11 (L1) Ensure 'Network security: Restrict NTLM: Outgoing NTLM
traffic to remote servers' is set to 'Audit all' or higher

REMOVE:

REMOVE - 18.10.76.3 (L1) Ensure 'Prevent bypassing Windows Defender
SmartScreen prompts for sites' is set to 'Enabled'
REMOVE - 5 (L1) Ensure 'Internet Connection Sharing (ICS)
(SharedAccess)' is set to 'Disabled'
REMOVE - 9.1 (L1) Ensure 'Windows Firewall: Domain: Outbound
connections' is set to 'Allow (default)'
REMOVE - 9.2 (L1) Ensure 'Windows Firewall: Private: Outbound
connections' is set to 'Allow (default)'
REMOVE - 9.3 (L1) Ensure 'Windows Firewall: Public: Outbound
connections' is set to 'Allow (default)'

UPDATE:

UPDATE - 18.10.42.7 (L2 -> L1) Ensure 'Enable file hash computation
feature' is set to 'Enabled'
UPDATE - 18.10.86 (L1 -> L2) Ensure 'Turn on PowerShell Script Block
Logging' is set to 'Enabled'
UPDATE - 18.10.86 (L1 -> L2) Ensure 'Turn on PowerShell Transcription'
is set to 'Enabled'
UPDATE - 18.5 'MSS: (AutoAdminLogon) Enable Automatic Logon (not
recommended)' TO 'MSS: (AutoAdminLogon) Enable Automatic Logon'
UPDATE - 18.5 'MSS: (DisableIPSourceRouting IPv6) IP source routing
protection level (protects against packet spoofing)' TO 'MSS:
(DisableIPSourceRouting IPv6) IP source routing protection level'
UPDATE - 18.5 'MSS: (DisableIPSourceRouting) IP source routing
protection level (protects against packet spoofing)' TO 'MSS:
(DisableIPSourceRouting) IP source routing protection level'
UPDATE - 18.5 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and
configure Default Gateway addresses (could lead to DoS)' TO 'MSS:
(PerformRouterDiscovery) Allow IRDP to detect and configure Default
Gateway addresses'
UPDATE - 18.5 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode
(recommended)' TO 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode'
UPDATE - 18.5 'MSS: (ScreenSaverGracePeriod) The time in seconds before
the screen saver grace period expires (0 recommended)' TO 'MSS:
(ScreenSaverGracePeriod) The time in seconds before the screen saver
grace period expires'
UPDATE - 18.5 'MSS: (KeepAliveTime) How often keep-alive packets are
sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes
(recommended)' TO 'Enabled: 300,000 or 5 minutes'
UPDATE - 18.9.50.1 (L2 -> L1) Ensure 'Enable Windows NTP Client' is set
to 'Enabled'
UPDATE - 18.9.50.1 (L2 -> L1) Ensure 'Enable Windows NTP Server' is set
to 'Disabled'

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Co-authored-by: Sharon Katz <sharon@fleetdm.com>
2024-06-06 12:50:45 -04:00
Rachael Shaw
44c3ba83e5
Reduce CIS benchmark documentation page contents (#17108)
+ Move specific CIS benchmark details into READMEs
+ Reduce content in Using Fleet > CIS Benchmarks

---------

Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2024-03-21 15:03:14 -05:00
Sharon Katz
3365fd736f
Repurpose policies (#17560)
- Update CIS guest account policy
- Update guest account policy in dogfood
2024-03-14 13:13:29 -04:00
Sharon Katz
e0a40bbacf
Add the #15962 fix to mac14 (#16080)
- For this bug: #15962
2024-01-15 09:24:43 -05:00
Josh Brower
738c722502
Feature/CIS-Controls-Sonoma (#15980)
This PR adds support for CIS Controls for macOS 14 - Sonoma.

The CIS Control changes from macOS 13 to 14 were minimal:

- Removed 5.9
- Added 2.18.1
- tested by running the test profile (ee/cis/macos-14/test/profiles/on-device-dictiation-enabled.mobileconfig)

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2024-01-11 12:51:01 -05:00
Noah Talerman
ae36ae6b94
Update CIS policy (#16022)
- For this bug: #15962
2024-01-10 14:54:49 -05:00
Josh Brower
717eb76715
Initial support for CIS Win11 Enterprise (#15425)
Closes https://github.com/fleetdm/fleet/issues/14907

Changelog details are here:
https://docs.google.com/spreadsheets/d/1HZn7e4zpd5nfxY0MhSdX8MkGpdpxyLdSZjk0Auo1WaQ/edit#gid=312045512
2023-12-06 10:24:09 -05:00
Josh Brower
40fbdb0c06
Windows_CIS_2.0.0_Update-01 (#13289)
Details here:
https://docs.google.com/spreadsheets/d/1HZn7e4zpd5nfxY0MhSdX8MkGpdpxyLdSZjk0Auo1WaQ/edit#gid=610757841
2023-10-30 11:31:52 -04:00
Sharon Katz
80df9e4c51
13461-missing-win10-CIS-9.3.9 (#13514)
2023-08-25 13:37:03 -04:00
Lucas Manuel Rodriguez
77c817aa0b
Fix Windows CIS policies issues found by new fleetctl apply checks (#13460)
Found while working on #12696.

This was caught by a recent check added by @mostlikelee to `fleetctl
apply` (#13294).

Sample error:
```sh
$ fleetctl apply --context loadtest -f ee/cis/win-10/cis-policy-queries.yml
Error: applying policies: policy names must be globally unique. Please correct policy "CIS - Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'\n" and try again.
```
2023-08-23 07:42:41 -03:00
Lucas Manuel Rodriguez
6a91bc54cf
Add tooling for load testing Windows CIS policies and fix typos in policy queries (#13384)
#11939

- This PR fixes typos in three CIS Windows queries (the queries were
failing with `invalid SQL syntax`).
- Also adds tooling to perform similar testing that we ran for macOS
(using `fleetd_tables` as an extension).
2023-08-18 17:32:22 -03:00
Lucas Manuel Rodriguez
810eb58b95
macOS CIS: Use find command (exposed as fleetd table) instead of relying on the osquery core file table (#12560)
#10292, #12554

When scanning tens of thousands of files for permissions, using the
`find` command exposed as a fleetd table is more performant than trying
to use the `file` table. This change caused the watchdog to *stop*
killing osquery because of exceeding memory or CPU limit.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-06-29 16:22:41 -03:00
Lucas Manuel Rodriguez
feb4e65be6
Optimize macOS CIS query 5.1.5 (#12506)
#10292

The query was processing *every* file under `/Applications/`, which
makes it super expensive both in CPU usage and memory footprint. This
query was the main culprit of triggering worker process kills by the
watchdog.

On some runs it triggered CPU usage alerts:
```
7716:W0623 15:38:05.402959 221732864 watcher.cpp:415] osqueryd worker (72976) stopping:
Maximum sustainable CPU utilization limit 1200ms exceeded for 12 seconds
```
And on other runs it triggered memory usage alerts:
```
4431 W0626 07:28:50.868021 147312640 watcher.cpp:424] osqueryd worker (21453) stopping:
Memory limits exceeded: 214020096 bytes (limit is 200MB)
```

For the above logs I used a custom osqueryd branch to be able to print
more information: https://github.com/osquery/osquery/pull/8070

The metrics for the old query were: CPU usage ~4521 ms.
```
435:level=warn ts=2023-06-26T09:58:29.665712Z query=fleet_policy_query_1233 queryTime=4521 memory=12226560 msg="distributed query performance is excessive" hostID=308 platform=darwin
```
With the new query, CPU usage: ~210 ms.
```
23893:level=debug ts=2023-06-26T18:06:08.242456Z query=fleet_policy_query_1233 queryTime=210 msg=stats memory=0 hostID=308 platform=darwin
```
Basically a ~20x improvement.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- ~[ ] Added/updated tests~
- [X] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-06-27 11:06:26 -03:00
Sharon Katz
b754cb096c
Add "username=''" to managed_policies queries (#10710)
https://github.com/fleetdm/fleet/issues/10602


@xpkoala this PR will require testing of all modified items.
Preferably, we should perform the tests before merging to master. Can we
use the dev branch for that? -- Items were tested locally.
2023-06-21 13:00:25 -05:00
Marcos Oviedo
05c24caa95
Addressing system test findings (#12210)
This relates to #11245
2023-06-08 10:47:04 -03:00
Marcos Oviedo
ebac8705ac
Addressing issues found during system test (#12205)
This relates to #11312 

`18.9.17.6`: Fixing the issue with policy pointing to a different GPO
and Registry value
`18.9.47.4.2`: Adding COLLATE NOCASE to avoid case sensitive issue with
SpynetReporting value
2023-06-08 10:45:43 -03:00
Sharon Katz
dc46116d44
Address not installed issue (#12165)
2023-06-06 13:37:43 -04:00
Marcos Oviedo
c6338af0a3
Adding cast to 18.9.108.4.2 (#12131)
This relates to #11668 

This change fixes a CAST issue on 18.9.108.4.2. More details
[here](https://fleetdm.slack.com/archives/C019WG4GH0A/p1685565728281039).
2023-06-06 10:37:21 -03:00
RachelElysia
9e8698c779
CIS - WIN10 - Fix 3 policies with false positive bugs (#11668)
2023-05-12 10:57:09 -04:00
Marcos Oviedo
e46d748bd2
Adding CIS non-completed items that require cis_audit table (#11380)
This relates to #11245
2023-05-12 11:55:46 -03:00
Marcos Oviedo
424baf431b
Pushing pending CIS items (#11511)
This relates to #11312 

This completes the last 20 pending CIS policies [here
](https://docs.google.com/spreadsheets/d/1HZn7e4zpd5nfxY0MhSdX8MkGpdpxyLdSZjk0Auo1WaQ/edit#gid=1819959040)
2023-05-12 11:38:17 -03:00
RachelElysia
2523ae39aa
CIS - Windows - Fix CIS_bullet_18.9.85.1.1 (#11650)
2023-05-12 09:41:40 -04:00
Sharon Katz
c3d960a036
start (#11503)
2023-05-05 12:19:20 -04:00
RachelElysia
bb3b788ce0
CIS - WIN10 - 18.9.81 to 18.9.83 (#11523)
2023-05-04 11:52:32 -04:00