fleet/docs/solutions/cis/macos-14
Adam Baali 2e631491c2
claude/fix-cis-shebang-NTw1M (#43681)
When importing CIS benchmark content for multiple OS versions into a single Fleet team via GitOps, users encounter several hard validation failures because Fleet enforces uniqueness on script basenames, mobileconfig PayloadDisplayName / PayloadIdentifier, and policy name fields.

Changes (all confined to docs/solutions/cis/):
- Fix #!/usr/bin/env bash shebang in CIS_2.6.7.sh (macOS 13/14/15) -> #!/bin/bash
- Prefix script filenames with OS slug (macos13-, macos14-, macos15-, win10-, win11-, win11-intune-) to prevent basename collisions
- Prefix mobileconfig PayloadDisplayName with OS tag ([macOS 13] etc.), which is the field Fleet uses for identity
- Prefix mobileconfig PayloadIdentifier with an OS slug so identifiers stay unique across versions
- Prefix every policy name: field with the OS tag; preserve original YAML formatting (plain, single-quoted with '' escapes, and folded block scalars)
- Rename Windows XML profiles with win10-, win11-, and win11-intune- prefixes

None of these changes affect the security logic or coverage of the benchmarks. They only make the content importable without manual intervention.

Co-authored-by: Claude <noreply@anthropic.com>
2026-04-16 15:37:31 -04:00
configuration-profiles claude/fix-cis-shebang-NTw1M (#43681) 2026-04-16 15:37:31 -04:00
policies claude/fix-cis-shebang-NTw1M (#43681) 2026-04-16 15:37:31 -04:00
scripts claude/fix-cis-shebang-NTw1M (#43681) 2026-04-16 15:37:31 -04:00
README.md Migrate CIS benchmarks to docs/solutions/cis/ with production-ready profiles, scripts, and policies (#43657) 2026-04-16 16:16:22 +02:00

macOS 14 Sonoma benchmark

Fleet's policies have been written against v2.1.0 of the benchmark. You can refer to the CIS website for full details about this version.

For requirements and usage details, see the CIS Benchmarks documentation.

Contents

Folder                    Description
policies/                 GitOps-compatible policy YAML — import via fleetctl apply or reference with - path: in fleet.yml
configuration-profiles/   Apple .mobileconfig profiles — upload via Fleet UI or fleetctl apply to enforce the settings checked by the policies
scripts/                  Shell scripts — upload via Fleet UI or fleetctl apply and link as run_script remediation in the corresponding policy
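The commit message above lists the identities Fleet requires to be unique when content for several OS versions is imported into one team: script basenames, mobileconfig PayloadDisplayName / PayloadIdentifier, and the policy name: field. The checker below is an added example, not Fleet's own code; it runs over constructed sample files (the paths, profile values and policy names are made up) and assumes single-line name: values, so folded block scalars are not handled.

```python
import plistlib
import re
from collections import Counter
from pathlib import PurePosixPath

# Matches a policy-level `name:` key; assumes a single-line scalar value.
NAME_RE = re.compile(r"^\s*-?\s*name:\s*(.+?)\s*$", re.MULTILINE)

def duplicates(values):
    """Return the values that occur more than once, sorted."""
    return sorted(v for v, n in Counter(values).items() if n > 1)

def policy_names(yaml_text):
    """Extract policy names, unquoting '...' (with '' escapes) and "..." scalars."""
    names = []
    for raw in NAME_RE.findall(yaml_text):
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            raw = raw[1:-1].replace("''", "'")
        names.append(raw)
    return names

def find_collisions(script_paths, mobileconfigs, policy_yamls):
    """Return {field: [duplicate values]} for the identities Fleet keys on."""
    profiles = [plistlib.loads(b) for b in mobileconfigs]
    return {
        "script basename": duplicates(PurePosixPath(p).name for p in script_paths),
        "PayloadDisplayName": duplicates(p["PayloadDisplayName"] for p in profiles),
        "PayloadIdentifier": duplicates(p["PayloadIdentifier"] for p in profiles),
        "policy name": duplicates(n for y in policy_yamls for n in policy_names(y)),
    }

def profile(display_name, identifier):
    """Minimal mobileconfig plist bytes (constructed sample data, not a real profile)."""
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadDisplayName": display_name,
                           "PayloadIdentifier": identifier})

# Constructed sample: the same benchmark item shipped for macOS 13 and macOS 14.
POLICY = "- name: '{}'\n  query: SELECT 1;\n  platform: darwin\n"
BEFORE = find_collisions(
    ["macos-13/scripts/CIS_2.6.7.sh", "macos-14/scripts/CIS_2.6.7.sh"],
    [profile("Example profile", "com.example.cis.example")] * 2,
    [POLICY.format("2.6.7 Example check")] * 2)
AFTER = find_collisions(
    ["macos-13/scripts/macos13-CIS_2.6.7.sh", "macos-14/scripts/macos14-CIS_2.6.7.sh"],
    [profile("[macOS 13] Example profile", "macos13.com.example.cis.example"),
     profile("[macOS 14] Example profile", "macos14.com.example.cis.example")],
    [POLICY.format("[macOS 13] 2.6.7 Example check"),
     POLICY.format("[macOS 14] 2.6.7 Example check")])
```

BEFORE reports one duplicate in each field; AFTER, with the OS slug and tag prefixes applied, reports none.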

Limitations

The following CIS benchmarks cannot be checked with a policy in Fleet:

  1. 2.1.2 Audit App Store Password Settings
  2. 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information
  3. 2.6.6 Audit Lockdown Mode
  4. 2.11.2 Audit Touch ID and Wallet & Apple Pay Settings
  5. 2.13.1 Audit Passwords System Preference Setting
  6. 2.14.1 Audit Notification & Focus Settings
  7. 3.7 Audit Software Inventory
  8. 6.2.1 Ensure Protect Mail Activity in Mail Is Enabled

Checks that require decision

CIS has left the parameters of the following checks up to the benchmark implementer. CIS recommends that an organization make a conscious decision for these benchmarks, but does not make a specific recommendation.

Fleet has provided both an "enabled" and a "disabled" version of these benchmarks. When both policies are added, at least one will fail. Once your organization has made a decision, you can delete one or the other policy. Each policy name is suffixed with an -enabled or -disabled label, such as 2.1.1.1-enabled.

  • 2.1.1.1 Audit iCloud Keychain
  • 2.1.1.2 Audit iCloud Drive
  • 2.5.1 Audit Siri
  • 2.8.1 Audit Universal Control

Furthermore, CIS has decided not to require the following password complexity settings:

  • 5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured
  • 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured
  • 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured
  • 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured

However, Fleet has provided these as policies. If your organization declines to implement these, simply delete the corresponding policies.