Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-24 09:28:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 31
fleet/ee/cis/macos-13/README.md
Josh Brower 8d27835976
CIS Update - macOS 13, CIS v2.1.0 (#21486) 
Changelog

ADD:

    ADD - 2.3.3.2 Ensure the Time Service Is Enabled 
    ADD - 6.3.10 Ensure Show Status Bar Is Enabled

UPDATE:

    UPDATE - 2.6.1.2  Ensure Location Services Is in the Menu Bar
    UPDATE - 3.1 Ensure Security Auditing Is Enabled 
UPDATE - 5.7 Ensure an Administrator Account Cannot Login to Another
User's Active and Locked Session
UPDATE - 5.1.6 Ensure No World Writable Folders Exist in the System
Folder
UPDATE - 2.9.1.1 Ensure the OS Is Not Active When Resuming from Standby
(Intel)
UPDATE - 2.9.1.2 Ensure the OS Is Not Active When Resuming from Sleep
and Display Sleep (Apple Silicon)

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2024-10-21 15:24:18 -04:00

2 KiB
Raw Blame History

macOS 13.0 Ventura benchmark

Fleet's policies have been written against v2.1.0 of the benchmark. You can refer to the CIS website for full details about this version.

For requirements and usage details, see the CIS Benchmarks documentation.

Limitations

The following CIS benchmarks cannot be checked with a policy in Fleet:

  1. 2.1.2 Audit App Store Password Settings
  2. 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information
  3. 2.6.6 Audit Lockdown Mode
  4. 2.11.2 Audit Touch ID and Wallet & Apple Pay Settings
  5. 2.13.1 Audit Passwords System Preference Setting
  6. 2.14.1 Audit Notification & Focus Settings
  7. 3.7 Audit Software Inventory
  8. 6.2.1 Ensure Protect Mail Activity in Mail Is Enabled

Checks that require decision

CIS has left the parameters of the following checks up to the benchmark implementer. CIS recommends that an organization make a conscious decision for these benchmarks, but does not make a specific recommendation.

Fleet has provided both an "enabled" and "disabled" version of these benchmarks. When both policies are added, at least one will fail. Once your organization has made a decision, you can delete one or the other policy query. The policy will be appended with a -enabled or -disabled label, such as 2.1.1.1-enabled.

  • 2.1.1.1 Audit iCloud Keychain
  • 2.1.1.2 Audit iCloud Drive
  • 2.5.1 Audit Siri
  • 2.8.1 Audit Universal Control

Furthermore, CIS has decided to not require the following password complexity settings:

  • 5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured
  • 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured
  • 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured
  • 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured

However, Fleet has provided these as policies. If your organization declines to implement these, simply delete the corresponding policies.