From 8596b751d3c1d2ff4e72c37b065e5076e45e7742 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Thu, 4 Apr 2024 10:50:11 -0400
Subject: [PATCH] refactor[rules] update rule, remove rule

Removed rule
Added AIOS-17-011700 to supplemental_stig
Fixed payload in pwpolicy_force_pin_enable
---
 rules/os/os_share_location_data_disable.yaml | 37 -------------------
 rules/pwpolicy/pwpolicy_force_pin_enable.yaml | 2 +-
 rules/supplemental/supplemental_stig.yaml | 3 +-
 3 files changed, 2 insertions(+), 40 deletions(-)
 delete mode 100644 rules/os/os_share_location_data_disable.yaml

diff --git a/rules/os/os_share_location_data_disable.yaml b/rules/os/os_share_location_data_disable.yaml
deleted file mode 100644
index 64e7f3f3..00000000
--- a/rules/os/os_share_location_data_disable.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-id: os_share_location_data_disable
-title: "Ensure Sharing of Location Data is Disabled"
-discussion: |
- Sharing of location data is an operational security (OPSEC) risk because it potentially allows an adversary to determine a DoD user's location, movements, and patterns in those movements over time. An adversary could use this information to target the user or gather intelligence on the user's likely activities. Using commercial cloud services to store and handle location data could leave the data vulnerable to breach, particularly by sophisticated adversaries. Disabling the use of such services mitigates this risk.
-check: ' '
-fix: This is implemented by a Configuration Profile
-references:
- cce:
- - CCE-93447-1
- cci:
- - CCI-000048
- 800-53r5:
- - AC-20
- sfr:
- - 'FMT_SMF_EXT.1.1 #47'
- disa_stig:
- - AIOS-17-011700
- 800-171r2:
- - N/A
- cis:
- benchmark:
- - N/A
- controls v8:
- - N/A
-iOS:
- - "17.0"
-tags:
- - ios
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - manual
- - ios_stig
-severity: medium
-supervised: false
-mobileconfig: false
-mobileconfig_info: 
diff --git a/rules/pwpolicy/pwpolicy_force_pin_enable.yaml b/rules/pwpolicy/pwpolicy_force_pin_enable.yaml
index 67ba22bc..1bbe1255 100644
--- a/rules/pwpolicy/pwpolicy_force_pin_enable.yaml
+++ b/rules/pwpolicy/pwpolicy_force_pin_enable.yaml
@@ -34,5 +34,5 @@ tags:
 severity: high
 mobileconfig: 'true'
 mobileconfig_info:
- payload_domain:
+ com.apple.mobiledevice.passwordpolicy:
 forcePIN: true
diff --git a/rules/supplemental/supplemental_stig.yaml b/rules/supplemental/supplemental_stig.yaml
index db6e6674..829c86e8 100644
--- a/rules/supplemental/supplemental_stig.yaml
+++ b/rules/supplemental/supplemental_stig.yaml
@@ -2,8 +2,6 @@ id: supplemental_stig
 title: "DISA STIG Supplemental"
 discussion: |
 These controls are controls that require additional considerations for your environment.
-
- Please refer to your vendor's MDM documentation for instructions on how to implement these controls.
 
 [cols="20%h, 80%a"]
 |===
@@ -31,6 +29,7 @@ discussion: |
 AIOS-17-712000| A managed photo app must be used to take and store work-related photos.
 |AIOS-17-012650| Apple iOS/iPadOS 17 must implement the management setting: approved Apple Watches must be managed by an MDM.
 |AIOS-17-013500| Apple iOS must implement the management setting: Not allow a user to remove Apple iOS configuration profiles that enforce DoD security requirements.
+ |AIOS-17-011700| Apple iOS/iPadOS 17 must implement the management setting: not share location data through iCloud.
 |===
 check: |
 fix: |
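Review bot: `mobileconfig: 'true'`, two lines above the corrected payload domain, is a quoted string, while the rule file deleted in this same patch uses a bare boolean (`mobileconfig: false`); if the generator tests this field with a boolean comparison rather than plain truthiness, the two rule files will not be handled alike and this severity-high passcode rule could be the one skipped. Since the hunk is already repairing the `mobileconfig_info` stanza, normalizing the sibling key to `mobileconfig: true` here would keep the rule consistent with the others. The rest of the rule document (id, title, references, tags) starts before line 34 and is outside the hunk, so I could not check whether other keys in this file share the quoting.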
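Review bot: The added `|AIOS-17-011700|` row carries only the STIG ID and requirement text, whereas the rule file removed in this patch mapped the same control to `CCE-93447-1`, `CCI-000048`, `AC-20` and `severity: medium`, and none of those references survive anywhere in the patch. If cross-walk or CCI coverage reports are built from rule `references` blocks (inferred; the generator is not on the page), this control silently drops out of them, so it is worth confirming that the supplemental table is the only place it now needs to be tracked. Separately, the first context row in this hunk reads `AIOS-17-712000| ...` without the leading `|` its neighbours have; if that is how the file actually reads rather than an artefact of the page's collapsed whitespace, the AsciiDoc cell boundary is wrong and the row should be `|AIOS-17-712000| A managed photo app must be used to take and store work-related photos.`. The `discussion` block scalar begins before line 31 and its `[cols=...]` table header is outside this hunk.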