additional cis controls

2026-03-20 15:30:25 +00:00 · 2021-12-28 08:50:09 -05:00
parent e3eb92ac72
commit 63a0ac8a3d
6 changed files with 124 additions and 3 deletions
--- a/includes/supported_payloads.yaml
+++ b/includes/supported_payloads.yaml
@@ -22,6 +22,7 @@ payloads_types:
  - com.apple.SubmitDiagInfo
  - com.apple.SystemConfiguration
  - com.apple.TCC.configuration-profile-policy
+  - com.apple.Terminal
  - com.apple.TextEdit
  - com.apple.TimeMachine
  - com.apple.airplay
--- a/rules/cis_lvl1.txt
+++ b/rules/cis_lvl1.txt
@@ -16,8 +16,6 @@ Recommendation #	Title
 2.5.1.3	Ensure all user storage CoreStorage volumes are encrypted
 	Time Machine
 2.7.2	Ensure Time Machine Volumes Are Encrypted
-2.8	Ensure Wake for Network Access Is Disabled
-2.10	Ensure Secure Keyboard Entry terminal.app is Enabled
 2.11	Ensure EFI Version Is Valid and Checked Regularly
 2.12	Audit Automatic Actions for Optical Media
 2.13	Audit Siri Settings
--- a/rules/cis_lvl2.txt
+++ b/rules/cis_lvl2.txt
@@ -1,5 +1,4 @@
 Recommendation #	Title
-1.7	Audit Computer Name
 2.3.2	Ensure Screen Saver Corners Are Secure
 	Security & Privacy
 2.5.4	Audit Location Services Access
--- a/rules/os/os_terminal_secure_keyboard_enable.yaml
+++ b/rules/os/os_terminal_secure_keyboard_enable.yaml
@@ -0,0 +1,40 @@
+id: os_terminal_secure_keyboard_enable
+title: "Ensure Secure Keyboard Entry Terminal.app is Enabled"
+discussion: |
+  Secure keyboard entry _MUST_ be enabled in Terminal.app. 
+check: |
+  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SecureKeyboardEntry = 1'
+result:
+  integer: 1
+fix: |
+  This is implemented by a Configuration Profile.
+references:
+  cce:
+    - N/A
+  800-53r5:
+    - N/A
+  800-53r4:
+    - N/A
+  disa_stig:
+    - N/A
+  srg:
+    - N/A
+  cci: 
+    - N/A    
+  800-171r2:
+    - N/A
+  cis_lvl1:
+    - 2.10
+  cis_lvl2:
+    - N/A
+  cisv8:
+    - 4.8
+macOS:
+  - "12.0"
+tags:
+  - cis_lvl1
+  - cisv8
+mobileconfig: true
+mobileconfig_info:
+  com.apple.Terminal:
+    SecureKeyboardEntry: false
--- a/rules/sysprefs/sysprefs_computer_name_audit.yaml
+++ b/rules/sysprefs/sysprefs_computer_name_audit.yaml
@@ -0,0 +1,42 @@
+id: sysprefs_computer_name_audit
+title: "Audit Computer Name"
+discussion: |
+  The organization _MUST_ audit a systems computer name.
+check: |
+  /usr/sbin/scutil --get ComputerName
+result: 
+  string: "an organizations approved computer name."
+fix: |
+  Set the computer name back to an approved naming convention.
+
+  [source,bash]
+  ----
+  /usr/sbin/scutil --set ComputerName <approved_scheme>
+  ----
+references:
+  cce:
+    - N/A
+  cci: 
+    - N/A
+  800-53r5:
+    - N/A
+  800-53r4: 
+    - N/A
+  disa_stig: 
+    - N/A
+  srg:
+    - N/A
+  cis_lvl1:
+    - N/A
+  cis lvl2:
+    - 1.7
+  cisv8: 
+    - 1.1
+macOS:
+  - "12.0"
+tags:
+  - cis_lvl2
+  - cisv8
+  - manual
+mobileconfig: false
+mobileconfig_info:
--- a/rules/sysprefs/sysprefs_wake_network_access_disable.yaml
+++ b/rules/sysprefs/sysprefs_wake_network_access_disable.yaml
@@ -0,0 +1,41 @@
+id: sysprefs_wake_network_access_disable
+title: "Ensure Wake for Network Access Is Disabled"
+discussion: |
+  Wake for network access _MUST_ be disabled.
+check: |
+  /usr/bin/pmset -g custom | /usr/bin/awk '/womp/{print $2}'
+result:
+  integer: 0
+fix: |
+  [source,bash]
+  ----
+  /usr/bin/pmset -a womp 0
+  ----
+references:
+  cce:
+    - N/A
+  800-53r5:
+    - N/A
+  800-53r4:
+    - N/A
+  disa_stig:
+    - N/A
+  srg:
+    - N/A
+  cci:
+    - N/A    
+  800-171r2:
+    - N/A
+  cis_lvl1:
+    - 2.8
+  cis_lvl2:
+    - N/A
+  cisv8:
+    - 4.8
+macOS:
+  - "12.0"
+tags:
+  - cis_lvl1
+  - cisv8
+mobileconfig: false
+mobileconfig_info: