fleet/tools/cis
Dante Catalfamo ecc7d2ce02
Add macOS 26 Tahoe CIS benchmark v1.0.0 (#44090)
**Related issue:** Resolves #35173

# macOS 26 Tahoe CIS benchmark v1.0.0 (new benchmark)

Adds a brand-new policy set covering the **CIS Apple macOS 26 Tahoe
Benchmark, v1.0.0** under `ee/cis/macos-26/`. Follows the same layout as
`macos-13`/`-14`/`-15` (`cis-policy-queries.yml`, `README.md`,
`test/scripts/`, `test/profiles/`).

## Coverage

| Section | Title | Status |
|---|---|---|
| 1 | Install Updates, Patches and Additional Security Software | complete (6/6 automated) |
| 2 | System Settings | complete (all automated across §2.1–§2.18) |
| 3 | Logging and Auditing | complete (5/5 automated) |
| 4 | Network Configurations | complete (3/3 automated) |
| 5 | System Access, Authentication and Authorization | complete (19/19 automated) |
| 6 | Applications | complete (7/7 automated) |
| 7 | Supplemental | skipped (per Fleet convention) |

Total automated policies shipped: **89**. Manual-assessment
recommendations are documented in `ee/cis/macos-26/README.md` under
**Limitations**.

## Notable query/format choices

- **Combined-key profiles per CIS instructions.** §2.2.1+§2.2.2
(Firewall + Stealth Mode) are shipped as a single
`2.2.1-and-2.2.2.mobileconfig` because CIS explicitly requires both keys
in the same profile. §2.6.5 (Gatekeeper) and §2.11.2 (screensaver
wake-password + delay) follow the same pattern.
- **§2.5.2.1 (Siri)** uses the new `allowAssistant=false` key on
`com.apple.applicationaccess`, replacing the deprecated
`com.apple.ironwood.support` payload from earlier benchmarks.
- **§2.6.3.2** uses the spaced literal key `Siri Data Sharing Opt-In
Status` (integer 2) on `com.apple.assistant.support` — the v1.0.0
PayloadType move from `com.apple.applicationaccess`.
- **§5.1.6, §5.1.7, §3.1, §5.7** use fleetd-only osquery tables
(`find_cmd`, `authdb`, `pwd_policy`, `dscl`, etc.) and are flagged
`(Fleetd Required)` in the policy descriptions.
- **§2.10.1.2** (Apple Silicon sleep ≤15 min) default-passes on Intel
hosts via a `system_info.cpu_type` check.

## Test artifacts added

| Type | Count | Location |
|---|---|---|
| Pass scripts | 48 | `ee/cis/macos-26/test/scripts/CIS_*_pass.sh` |
| Fail scripts | 46 | `ee/cis/macos-26/test/scripts/CIS_*_fail.sh` |
| Pass-only scripts | 2 | `CIS_1.1.sh`, `CIS_5.1.6.sh` |
| MDM profiles | 37 | `ee/cis/macos-26/test/profiles/*.mobileconfig` |

Profile-only recommendations (§2.3.1.x AirDrop/AirPlay, §2.5.x Apple
Intelligence, §2.6.3.x Analytics, §6.x Safari/Terminal) ship with a
`.mobileconfig` only and no script counterpart, since CIS marks them as
configurable solely via profile.

## Documentation updates

| File | Change |
|---|---|
| `ee/cis/macos-26/README.md` | New file — coverage table, limitations, per-section notes (query patterns, fleetd dependencies, FDA requirements). |
| `ee/cis/CIS-BENCHMARKS.md` | Added `macos-26/` to the directory layout; updated **Query patterns** doc to include the `EXISTS`/`NOT EXISTS` user-vs-system-scope guidance and `username = ''` notes. |
| `ee/cis/prompt.md` | Refreshed authoring prompts with macOS-26 conventions (combined-key profiles, fleetd-table flagging). |
| `tools/cis/cis-test-runner.py` | Minor adjustments to support the new benchmark directory. |
| `changes/35173-cis-macos-26-v1` | User-visible change note. |


## Summary by CodeRabbit

* **New Features**
  * Added macOS 26 CIS Benchmark v1.0.0 with comprehensive configuration profiles to enforce recommended system and app settings (updates, firewall/stealth, privacy, backups, FileVault, Safari, Terminal, etc.).

* **Tests**
  * Added extensive pass/fail remediation and validation scripts for CIS controls across macOS subsystems; test runner updated to include macOS 26 support and mark an SSH-related control as manual.
2026-04-29 17:15:25 -04:00
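The combined-key firewall plus stealth-mode check described under "Notable query/format choices" (§2.2.1 + §2.2.2), written out in the shape of an osquery policy query as an added illustration; this is not a query copied from `ee/cis/macos-26/cis-policy-queries.yml`. It assumes osquery's `managed_policies` table with columns `domain`, `name`, `value` and `username`, that a system-scoped profile reports `username = ''` (the user-vs-system-scope convention the PR references), and that the firewall payload uses domain `com.apple.security.firewall` with keys `EnableFirewall` and `EnableStealthMode`; those domain and key names are assumptions here, not taken from the page. A Fleet policy passes when the query returns at least one row, so both `EXISTS` clauses must hold, and the trailing `NOT EXISTS` shows the pattern for rejecting a contradicting per-user profile.

```sql
-- Added example, not Fleet's own query: one policy for CIS 2.2.1 (Firewall)
-- and 2.2.2 (Stealth Mode), matching the single combined-key .mobileconfig.
-- Assumed (not from the PR): domain com.apple.security.firewall and the
-- keys EnableFirewall / EnableStealthMode. System-scope rows have username = ''.
SELECT 1
WHERE
  -- 2.2.1: firewall enabled by a system-scoped profile
  EXISTS (
    SELECT 1 FROM managed_policies
    WHERE domain = 'com.apple.security.firewall'
      AND name = 'EnableFirewall'
      AND (value = 1 OR value = 'true')   -- profile booleans surface as '1' or 'true'
      AND username = ''                    -- system scope, not a per-user profile
  )
  -- 2.2.2: stealth mode enabled in the same profile domain
  AND EXISTS (
    SELECT 1 FROM managed_policies
    WHERE domain = 'com.apple.security.firewall'
      AND name = 'EnableStealthMode'
      AND (value = 1 OR value = 'true')
      AND username = ''
  )
  -- Scope guard: a user-scoped profile that turns the firewall off fails the policy.
  AND NOT EXISTS (
    SELECT 1 FROM managed_policies
    WHERE domain = 'com.apple.security.firewall'
      AND name = 'EnableFirewall'
      AND (value = 0 OR value = 'false')
      AND username <> ''
  );
```

Run it with `osqueryi` on a host that has the test profile from `test/profiles/` installed to see a single row returned; remove the profile (or install a user-scoped one that disables the firewall) and the query returns nothing, which Fleet reports as a failing policy.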
CIS-Benchmark-diff.py Script for comparing two CIS PDF files (#15307) 2023-12-06 09:21:12 -05:00
cis-test-runner.py Add macOS 26 Tahoe CIS benchmark v1.0.0 (#44090) 2026-04-29 17:15:25 -04:00