refactor[rules] Updated rules

Updated check/fixes for specific services Updated CIS references
2026-02-03 14:03:24 +00:00 · 2025-08-28 10:36:47 -04:00
parent 9ef4feedce
commit 6739174663
7 changed files with 26 additions and 63 deletions
--- a/rules/os/os_httpd_disable.yaml
+++ b/rules/os/os_httpd_disable.yaml
@@ -1,16 +1,24 @@
 id: os_httpd_disable
 title: Disable the Built-in Web Server
 discussion: |
-  The built-in web server is a non-essential service built into macOS and _MUST_ be disabled.
+  The built-in web server which is managed by launchd is a non-essential service built into macOS and _MUST_ be disabled and not running.

  NOTE: The built in web server service is disabled at startup by default macOS.
 check: |
-  /bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => disabled'
+  result="FAIL"
+  disabled=$(/bin/launchctl print-disabled system | /usr/bin/grep '"org.apache.httpd" => disabled')
+  running=$(/bin/launchctl print system/org.apache.httpd 2>/dev/null)
+  
+  if [[ -z "$running" ]] && [[ ! -z "$disabled" ]]; then
+    result="PASS"
+  fi
+  echo $result
 result:
-  integer: 1
+  string: PASS
 fix: |
  [source,bash]
  ----
+  /usr/sbin/apachectl stop 2>/dev/null
  /bin/launchctl disable system/org.apache.httpd
  ----
 references:
--- a/rules/os/os_show_filename_extensions_enable.yaml
+++ b/rules/os/os_show_filename_extensions_enable.yaml
@@ -1,50 +0,0 @@
-id: os_show_filename_extensions_enable
-title: Enable Show All Filename Extensions
-discussion: |
-  Show all filename extensions _MUST_ be enabled in the Finder.
-
-  [NOTE]
-  ====
-  The check and fix are for the currently logged in user. To get the currently logged in user, run the following.
-  [source,bash]
-  ----
-  CURRENT_USER=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
-  ----
-  ====
-check: |
-  /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults read .GlobalPreferences AppleShowAllExtensions 2>/dev/null
-result:
-  boolean: 1
-fix: |
-  [source,bash]
-  ----
-  /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults write /Users/"$CURRENT_USER"/Library/Preferences/.GlobalPreferences AppleShowAllExtensions -bool true
-  ----
-references:
-  cce:
-    - CCE-95297-8
-  cci:
-    - N/A
-  800-53r5:
-    - N/A
-  800-53r4:
-    - N/A
-  srg:
-    - N/A
-  disa_stig:
-    - N/A
-  800-171r3:
-    - N/A
-  cis:
-    benchmark:
-      - 6.1.1 (level 1)
-    controls v8:
-      - 2.3
-macOS:
-  - '26.0'
-tags:
-  - cis_lvl1
-  - cis_lvl2
-  - cisv8
-mobileconfig: false
-mobileconfig_info:
--- a/rules/os/os_tftpd_disable.yaml
+++ b/rules/os/os_tftpd_disable.yaml
@@ -7,12 +7,20 @@ discussion: |

  NOTE: TFTP service is disabled at startup by default macOS.
 check: |
-  /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.tftpd" => disabled'
+  result="FAIL"
+  enabled=$(/bin/launchctl print-disabled system | /usr/bin/grep '"com.apple.tftpd" => enabled')
+  running=$(/bin/launchctl print system/com.apple.tftpd 2>/dev/null)
+  
+  if [[ -z "$running" ]] && [[ -z "$enabled" ]]; then
+    result="PASS"
+  fi
+  echo $result
 result:
-  integer: 1
+  string: PASS
 fix: |
  [source,bash]
  ----
+  /bin/launchctl bootout system/com.apple.tftpd 
  /bin/launchctl disable system/com.apple.tftpd
  ----
  The system may need to be restarted for the update to take effect.
--- a/rules/supplemental/supplemental_cis_manual.yaml
+++ b/rules/supplemental/supplemental_cis_manual.yaml
@@ -16,6 +16,7 @@ discussion: |
  2.1.1.6 Audit Find My Mac +
  2.1.2 Audit App Store Password Settings +
  2.3.3.11 Ensure Computer Name Does Not Contain PII or Protected Organizational Information +
+  2.4.1 Audit Menu Bar and Control Center Icons + 
  2.5.2.2 Ensure Listen for Siri is Disabled +
  2.6.1.3 Audit Location Services Access +
  2.6.2.1 Audit Full Disk Access for Applications +
@@ -29,6 +30,7 @@ discussion: |
  2.15.1 Audit Notification & Focus Settings +
  2.16.1 Audit Wallet & Apple Pay Settings +
  2.17.1 Audit Internet Accounts for Authorized Use +
+  6.1.1 Audit Finder Preferences +
  6.5.1 Audit Passwords System Preference Setting +
  |===

--- a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml
+++ b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml
@@ -28,15 +28,13 @@ references:
    - N/A
  cis:
    benchmark:
-      - 2.4.2 (level 1)
+      - N/A
    controls v8:
      - 4.8
      - 13.9
 macOS:
  - '26.0'
 tags:
-  - cis_lvl1
-  - cis_lvl2
  - cisv8
 mobileconfig: true
 mobileconfig_info:
--- a/rules/system_settings/system_settings_software_update_enforce.yaml
+++ b/rules/system_settings/system_settings_software_update_enforce.yaml
@@ -30,15 +30,13 @@ references:
    - 03.13.03
  cis:
    benchmark:
-      - 1.2 (level 1)
+      - N/A
    controls v8:
      - 7.3
      - 7.4
 macOS:
  - '26.0'
 tags:
-  - cis_lvl1
-  - cis_lvl2
  - cisv8
 mobileconfig: true
 mobileconfig_info:
--- a/rules/system_settings/system_settings_wifi_menu_enable.yaml
+++ b/rules/system_settings/system_settings_wifi_menu_enable.yaml
@@ -28,7 +28,7 @@ references:
    - N/A
  cis:
    benchmark:
-      - 2.4.1 (level 1)
+      - N/A
    controls v8:
      - 4.8
      - 12.6
@@ -37,7 +37,6 @@ macOS:
 tags:
  - cis_lvl1
  - cis_lvl2
-  - cisv8
 mobileconfig: true
 mobileconfig_info:
  com.apple.controlcenter: