diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
index 35a983a9..a07219e5 100644
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -61,6 +61,7 @@ profile:
 - os_password_sharing_disable
 - os_personalized_advertising_disable
 - os_require_managed_pasteboard_enforce
+ - os_safari_force_fraud_warning_enable
 - os_safari_cookies_set
 - os_safari_password_autofill_disable
 - os_screenshots_disable
@@ -71,6 +72,7 @@ profile:
 - os_siri_when_locked_disabled
 - os_ssl_for_exchange_activesync_enable
 - os_supervised_mdm_require
+ - os_untrusted_tls_disable
 - os_usb_accessories_when_locked_disable
 - os_voice_dialing_when_locked_disabled
 - section: "passwordpolicy"
diff --git a/baselines/cis_lvl1_byod.yaml b/baselines/cis_lvl1_byod.yaml
index 0cd7dddd..33ee2929 100644
--- a/baselines/cis_lvl1_byod.yaml
+++ b/baselines/cis_lvl1_byod.yaml
@@ -24,6 +24,7 @@ profile:
 - os_force_encrypted_backups_enable
 - os_mail_move_messages_disable
 - os_personalized_advertising_disable
+ - os_safari_force_fraud_warning_enable
 - os_safari_cookies_set
 - os_show_control_center_lock_screen_disable
 - os_show_notification_center_lock_screen_disable
diff --git a/baselines/cis_lvl1_enterprise.yaml b/baselines/cis_lvl1_enterprise.yaml
index c92da7ac..8efd7ff6 100644
--- a/baselines/cis_lvl1_enterprise.yaml
+++ b/baselines/cis_lvl1_enterprise.yaml
@@ -33,6 +33,7 @@ profile:
 - os_new_device_proximity_disable
 - os_password_proximity_disable
 - os_personalized_advertising_disable
+ - os_safari_force_fraud_warning_enable
 - os_safari_cookies_set
 - os_show_control_center_lock_screen_disable
 - os_show_notification_center_lock_screen_disable
diff --git a/baselines/cis_lvl2_byod.yaml b/baselines/cis_lvl2_byod.yaml
index 1c012ad6..7cdd6060 100644
--- a/baselines/cis_lvl2_byod.yaml
+++ b/baselines/cis_lvl2_byod.yaml
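Review bot: `os_safari_force_fraud_warning_enable` is inserted before `os_safari_cookies_set` in the all_rules.yaml hunk (and again in cis_lvl1_byod and cis_lvl1_enterprise), while the surrounding rule lists appear to be kept alphabetical — `cookies` sorts before `force`, so the new entry belongs immediately after `os_safari_cookies_set`. The `os_untrusted_tls_disable` insertion between `os_supervised_mdm_require` and `os_usb_accessories_when_locked_disable` does respect that order. Keeping the lists sorted keeps future rule-id merges conflict-free and lets a reviewer spot a duplicate id at a glance.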
@@ -26,10 +26,12 @@ profile:
 - os_mail_maildrop_disable
 - os_mail_move_messages_disable
 - os_personalized_advertising_disable
+ - os_safari_force_fraud_warning_enable
 - os_safari_cookies_set
 - os_show_control_center_lock_screen_disable
 - os_show_notification_center_lock_screen_disable
 - os_siri_when_locked_disabled
+ - os_untrusted_tls_disable
 - os_voice_dialing_when_locked_disabled
 - section: "passwordpolicy"
 rules:
diff --git a/baselines/cis_lvl2_enterprise.yaml b/baselines/cis_lvl2_enterprise.yaml
index 3b8f327c..f36a4285 100644
--- a/baselines/cis_lvl2_enterprise.yaml
+++ b/baselines/cis_lvl2_enterprise.yaml
@@ -39,11 +39,13 @@ profile:
 - os_pairing_non_configurator_hosts_disable
 - os_password_proximity_disable
 - os_personalized_advertising_disable
+ - os_safari_force_fraud_warning_enable
 - os_safari_cookies_set
 - os_screenshots_disable
 - os_show_control_center_lock_screen_disable
 - os_show_notification_center_lock_screen_disable
 - os_siri_when_locked_disabled
+ - os_untrusted_tls_disable
 - os_usb_accessories_when_locked_disable
 - os_voice_dialing_when_locked_disabled
 - section: "passwordpolicy"
diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml
index ca64c5b2..a15dfcf2 100644
--- a/baselines/cisv8.yaml
+++ b/baselines/cisv8.yaml
@@ -45,12 +45,14 @@ profile:
 - os_pairing_non_configurator_hosts_disable
 - os_password_proximity_disable
 - os_personalized_advertising_disable
+ - os_safari_force_fraud_warning_enable
 - os_safari_cookies_set
 - os_safari_password_autofill_disable
 - os_screenshots_disable
 - os_show_control_center_lock_screen_disable
 - os_show_notification_center_lock_screen_disable
 - os_siri_when_locked_disabled
+ - os_untrusted_tls_disable
 - os_usb_accessories_when_locked_disable
 - os_voice_dialing_when_locked_disabled
 - section: "passwordpolicy"
diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml
index fe68d248..3487d049 100644
--- a/includes/mscp-data.yaml
+++ b/includes/mscp-data.yaml
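Review bot: The cis_lvl2_byod, cis_lvl2_enterprise and cisv8 hunks all add `os_safari_force_fraud_warning_enable`, but this diff adds no `rules/os/os_safari_force_fraud_warning_enable.yaml`; unless that rule already exists in the repository, baseline generation will reference a rule id with no definition, so it is worth confirming the file is present and that its `tags` list the same three baselines. The `os_untrusted_tls_disable` additions in these hunks, by contrast, match the new rule's `tags` exactly (`cis_lvl2_byod`, `cis_lvl2_enterprise`, `cisv8`) and the rule is correctly absent from the Level 1 baselines. As in the earlier hunks, the fraud-warning entry is placed before `os_safari_cookies_set`, which breaks the alphabetical order the lists otherwise keep.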
@@ -108,10 +108,10 @@ titles:
 800-171: NIST 800-171 Rev 2
 cis_lvl1: CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 1)
 cis_lvl2: CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 2)
- cis_lvl1_byod: CIS Apple iOS 17 v1.1.0 Benchmark (Level 1) - End-User Owned Devices
- cis_lvl2_byod: CIS Apple iOS 17 v1.1.0 Benchmark (Level 2) - End-User Owned Devices
- cis_lvl1_enterprise: CIS Apple iOS 17 v1.1.0 Benchmark (Level 1) - Institutionally-Owned Devices
- cis_lvl2_enterprise: CIS Apple iOS 17 v1.1.0 Benchmark (Level 2) - Institutionally-Owned Devices
+ cis_lvl1_byod: CIS Apple iOS 17 v1.0.0 Benchmark (Level 1) - End-User Owned Devices
+ cis_lvl2_byod: CIS Apple iOS 17 v1.0.0 Benchmark (Level 2) - End-User Owned Devices
+ cis_lvl1_enterprise: CIS Apple iOS 17 v1.0.0 Benchmark (Level 1) - Institutionally-Owned Devices
+ cis_lvl2_enterprise: CIS Apple iOS 17 v1.0.0 Benchmark (Level 2) - Institutionally-Owned Devices
 cisv8: CIS Controls Version 8
 cmmc_lvl1: US CMMC 2.0 Level 1
 cmmc_lvl2: US CMMC 2.0 Level 2
diff --git a/rules/os/os_untrusted_tls_disable.yaml b/rules/os/os_untrusted_tls_disable.yaml
new file mode 100644
index 00000000..34d33df2
--- /dev/null
+++ b/rules/os/os_untrusted_tls_disable.yaml
@@ -0,0 +1,38 @@
+id: os_untrusted_tls_disable
+title: "Ensure Allow Users to Accept Untrusted TLS Certificates is set to Disabled"
+discussion: |
+ Users _MUST_ not be allowed to accept self-signed or unverified certificates.
+check: " "
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-93465-3
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ disa_stig:
+ - N/A
+ sfr:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - 2.2.1.6 (level 2 - End-User Owned Devices)
+ - 3.2.1.13 (level 2 - Institutionally-Owned Devices)
+ controls v8:
+ - 4.1
+iOS:
+ - "17.0"
+tags:
+ - ios
+ - cis_lvl2_byod
+ - cis_lvl2_enterprise
+ - cisv8
+supervised: false
+mobileconfig: true
+mobileconfig_info:
+ com.apple.applicationaccess:
+ allowUntrustedTLSPrompt: false
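Review bot: The new rule's `discussion` states the requirement but not the scope of the control, and `check: " "` leaves no audit procedure, so compliance can only be asserted from the profile being installed rather than verified on the device; if a blank check is this project's convention for iOS profile-only rules that is acceptable, but the discussion should then say what the key actually does. I would extend it to `Users _MUST_ not be allowed to accept self-signed or unverified certificates. With allowUntrustedTLSPrompt set to false, an untrusted HTTPS server certificate is rejected without prompting the user; this does not govern apps that perform their own certificate evaluation, nor certificates MDM has installed as trusted — confirm against Apple's Restrictions payload reference.` Separately, the mscp-data.yaml hunk in this same commit relabels the CIS iOS 17 benchmark titles from v1.1.0 to v1.0.0, so the `benchmark` references `2.2.1.6` and `3.2.1.13` should be checked against the v1.0.0 section numbering rather than v1.1.0. `supervised: false` is plausible for a Restrictions key but is likewise unverifiable from the diff and worth confirming against the same reference.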