fix[rules] os_untrusted_tls_disable

Added os_untrusted_tls_disable
2026-03-18 06:32:12 +00:00 · 2023-11-13 12:06:26 -05:00
parent 2561cb9c6b
commit 93cdeca1a5
8 changed files with 52 additions and 4 deletions
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -61,6 +61,7 @@ profile:
      - os_password_sharing_disable
      - os_personalized_advertising_disable
      - os_require_managed_pasteboard_enforce
+      - os_safari_force_fraud_warning_enable
      - os_safari_cookies_set
      - os_safari_password_autofill_disable
      - os_screenshots_disable
@@ -71,6 +72,7 @@ profile:
      - os_siri_when_locked_disabled
      - os_ssl_for_exchange_activesync_enable
      - os_supervised_mdm_require
+      - os_untrusted_tls_disable
      - os_usb_accessories_when_locked_disable
      - os_voice_dialing_when_locked_disabled
  - section: "passwordpolicy"
--- a/baselines/cis_lvl1_byod.yaml
+++ b/baselines/cis_lvl1_byod.yaml
@@ -24,6 +24,7 @@ profile:
      - os_force_encrypted_backups_enable
      - os_mail_move_messages_disable
      - os_personalized_advertising_disable
+      - os_safari_force_fraud_warning_enable
      - os_safari_cookies_set
      - os_show_control_center_lock_screen_disable
      - os_show_notification_center_lock_screen_disable
--- a/baselines/cis_lvl1_enterprise.yaml
+++ b/baselines/cis_lvl1_enterprise.yaml
@@ -33,6 +33,7 @@ profile:
      - os_new_device_proximity_disable
      - os_password_proximity_disable
      - os_personalized_advertising_disable
+      - os_safari_force_fraud_warning_enable
      - os_safari_cookies_set
      - os_show_control_center_lock_screen_disable
      - os_show_notification_center_lock_screen_disable
--- a/baselines/cis_lvl2_byod.yaml
+++ b/baselines/cis_lvl2_byod.yaml
@@ -26,10 +26,12 @@ profile:
      - os_mail_maildrop_disable
      - os_mail_move_messages_disable
      - os_personalized_advertising_disable
+      - os_safari_force_fraud_warning_enable
      - os_safari_cookies_set
      - os_show_control_center_lock_screen_disable
      - os_show_notification_center_lock_screen_disable
      - os_siri_when_locked_disabled
+      - os_untrusted_tls_disable
      - os_voice_dialing_when_locked_disabled
  - section: "passwordpolicy"
    rules:
--- a/baselines/cis_lvl2_enterprise.yaml
+++ b/baselines/cis_lvl2_enterprise.yaml
@@ -39,11 +39,13 @@ profile:
      - os_pairing_non_configurator_hosts_disable
      - os_password_proximity_disable
      - os_personalized_advertising_disable
+      - os_safari_force_fraud_warning_enable
      - os_safari_cookies_set
      - os_screenshots_disable
      - os_show_control_center_lock_screen_disable
      - os_show_notification_center_lock_screen_disable
      - os_siri_when_locked_disabled
+      - os_untrusted_tls_disable
      - os_usb_accessories_when_locked_disable
      - os_voice_dialing_when_locked_disabled
  - section: "passwordpolicy"
--- a/baselines/cisv8.yaml
+++ b/baselines/cisv8.yaml
@@ -45,12 +45,14 @@ profile:
      - os_pairing_non_configurator_hosts_disable
      - os_password_proximity_disable
      - os_personalized_advertising_disable
+      - os_safari_force_fraud_warning_enable
      - os_safari_cookies_set
      - os_safari_password_autofill_disable
      - os_screenshots_disable
      - os_show_control_center_lock_screen_disable
      - os_show_notification_center_lock_screen_disable
      - os_siri_when_locked_disabled
+      - os_untrusted_tls_disable
      - os_usb_accessories_when_locked_disable
      - os_voice_dialing_when_locked_disabled
  - section: "passwordpolicy"
--- a/includes/mscp-data.yaml
+++ b/includes/mscp-data.yaml
@@ -108,10 +108,10 @@ titles:
  800-171: NIST 800-171 Rev 2
  cis_lvl1: CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 1)
  cis_lvl2: CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 2)
-  cis_lvl1_byod: CIS Apple iOS 17 v1.1.0 Benchmark (Level 1) - End-User Owned Devices
-  cis_lvl2_byod: CIS Apple iOS 17 v1.1.0 Benchmark (Level 2) - End-User Owned Devices
-  cis_lvl1_enterprise: CIS Apple iOS 17 v1.1.0 Benchmark (Level 1) - Institutionally-Owned Devices
-  cis_lvl2_enterprise: CIS Apple iOS 17 v1.1.0 Benchmark (Level 2) - Institutionally-Owned Devices
+  cis_lvl1_byod: CIS Apple iOS 17 v1.0.0 Benchmark (Level 1) - End-User Owned Devices
+  cis_lvl2_byod: CIS Apple iOS 17 v1.0.0 Benchmark (Level 2) - End-User Owned Devices
+  cis_lvl1_enterprise: CIS Apple iOS 17 v1.0.0 Benchmark (Level 1) - Institutionally-Owned Devices
+  cis_lvl2_enterprise: CIS Apple iOS 17 v1.0.0 Benchmark (Level 2) - Institutionally-Owned Devices
  cisv8: CIS Controls Version 8
  cmmc_lvl1: US CMMC 2.0 Level 1
  cmmc_lvl2: US CMMC 2.0 Level 2
--- a/rules/os/os_untrusted_tls_disable.yaml
+++ b/rules/os/os_untrusted_tls_disable.yaml
@@ -0,0 +1,38 @@
+id: os_untrusted_tls_disable
+title: "Ensure Allow Users to Accept Untrusted TLS Certificates is set to Disabled"
+discussion: |
+  Users _MUST_ not be allowed to accept self-signed or unverified certificates.
+check: " "
+fix: |
+  This is implemented by a Configuration Profile.
+references:
+  cce:
+    - CCE-93465-3
+  cci: 
+    - N/A
+  800-53r5:
+    - N/A
+  disa_stig:
+    - N/A
+  sfr:
+    - N/A
+  800-171r2:
+    - N/A
+  cis:
+    benchmark:
+      - 2.2.1.6 (level 2 - End-User Owned Devices)
+      - 3.2.1.13 (level 2 - Institutionally-Owned Devices)
+    controls v8:
+      - 4.1
+iOS:
+  - "17.0"
+tags:
+  - ios
+  - cis_lvl2_byod
+  - cis_lvl2_enterprise
+  - cisv8
+supervised: false
+mobileconfig: true
+mobileconfig_info:
+  com.apple.applicationaccess:
+    allowUntrustedTLSPrompt: false