added cis rules

includes/supported_payloads.yaml

@@ -87,6 +87,7 @@ payloads_types:
   - com.apple.security.FDERecoveryRedirect
   - com.apple.security.certificatetransparency
   - com.apple.security.firewall
+  - com.apple.security.libraryvalidation
   - com.apple.security.pem
   - com.apple.security.pkcs1
   - com.apple.security.pkcs12

rules/cis_lvl1.txt

@@ -2,12 +2,7 @@ Recommendation #	Title
 Time Machine
 2.7.2	Ensure Time Machine Volumes Are Encrypted
 	File System Permissions and Access Controls
-5.1.3	Ensure Apple Mobile File Integrity Is Enabled
-5.1.4	Ensure Library Validation Is Enabled
 5.1.6	Ensure Appropriate Permissions Are Enabled for System Wide Applications
 5.1.7	Ensure No World Writable Files Exist in the System Folder
 	Password Management
-5.12	Ensure a Custom Message for the Login Screen Is Enabled
-5.14	Ensure Users' Accounts Do Not Have a Password Hint
-	Accounts Preferences Action Items
-6.1.5	Ensure the Guest Home Folder Does Not Exist
+5.14	Ensure Users' Accounts Do Not Have a Password Hint

rules/cis_lvl2.txt

@@ -1,6 +1,4 @@
 Recommendation #	Title
-	Time Machine
-2.7.1	Ensure Backup Up Automatically is Enabled
 	File System Permissions and Access Controls
 5.1.8	Ensure No World Writable Files Exist in the Library Folder
 	Password Management

rules/os/os_guest_folder_removed.yaml

@@ -0,0 +1,38 @@
+id: os_guest_folder_removed
+title: "Remove Guest Folder if Present""
+discussion:   
+  The guest folder _MUST_ be deleted if present.
+check: |
+  /bin/ls /Users/ | /usr/bin/grep -c "Guest"
+result:
+  integer: 0
+fix: |
+  [source,bash]
+  ----
+  /bin/rm -Rf /Users/Guest
+  ----
+references:
+  cce:
+    - N/A
+  cci: 
+    - N/A
+  800-53r5:
+    - N/A
+  800-53r4:
+    - N/A
+  srg:
+    - N/A
+  disa_stig:
+    - N/A
+  800-171r2:
+    - N/A
+  cis:
+    benchmark:
+      - 6.1.5 (level 1)
+macOS:
+  - "12.0"
+tags:
+  - cis_lvl1
+  - cis_lvl2
+mobileconfig: false
+mobileconfig_info:

rules/os/os_library_validation_enabled.yaml

@@ -0,0 +1,44 @@
+id: os_library_validation_enabled
+title: "Enable Library Validation"
+discussion:   
+  Library validation  _MUST_ be enabled.
+check: |
+  /usr/bin/profiles -P -o stdout | /usr/bin/grep 'DisableLibraryValidation = 0'
+result:
+  integer: 1
+fix: |
+  [source,bash]
+  ----
+  This is implemented by a Configuration Profile.
+  ----
+references:
+  cce:
+    - N/A
+  cci: 
+    - N/A
+  800-53r5:
+    - N/A
+  800-53r4:
+    - N/A
+  srg:
+    - N/A
+  disa_stig:
+    - N/A
+  800-171r2:
+    - N/A
+  cis:
+    benchmark:
+      - 5.1.4 (level 1)
+    v8:
+      - 2.3
+      - 2.6
+macOS:
+  - "12.0"
+tags:
+  - cis_lvl1
+  - cis_lvl2
+  - cisv8
+mobileconfig: true
+mobileconfig_info:
+  com.apple.security.libraryvalidation:
+    DisableLibraryValidation: false

rules/os/os_mobile_file_integrity_enable.yaml

@@ -0,0 +1,42 @@
+id: os_mobile_file_integrity_enable
+title: "Enable Apple Mobile File Integrity"
+discussion:   
+  Mobile file integrity _MUST_ be ebabled.
+check: |
+  /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1"
+result:
+  integer: 0
+fix: |
+  [source,bash]
+  ----
+  /usr/sbin/nvram boot-args=""
+  ----
+references:
+  cce:
+    - N/A
+  cci: 
+    - N/A
+  800-53r5:
+    - N/A
+  800-53r4:
+    - N/A
+  srg:
+    - N/A
+  disa_stig:
+    - N/A
+  800-171r2:
+    - N/A
+  cis:
+    benchmark:
+      - 5.1.3 (level 1)
+    v8:
+      - 2.3
+      - 2.6
+macOS:
+  - "12.0"
+tags:
+  - cis_lvl1
+  - cis_lvl2
+  - cisv8
+mobileconfig: false
+mobileconfig_info:

rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml

@@ -0,0 +1,37 @@
+id: sysprefs_loginwindow_loginwindowtext_enable
+title: "Configure Login Window to Show A Custom Message"
+discussion: |
+  The login window _MUST_ be configured to show a custom access warning message. 
+check: |
+  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'LoginwindowText'
+result: 
+  integer: 1
+fix: |
+  This is implemented by a Configuration Profile.
+references:
+  cce:
+    - N/A
+  cci: 
+    - N/A
+  800-53r5:
+    - N/A
+  800-53r4: 
+    - N/A
+  srg:
+    - N/A
+  disa_stig: 
+    - N/A
+  800-171r2:
+    - N/A
+  cis:
+    benchmark: 
+      - 6.1.1 (level 1)
+macOS:
+  - "12.0"
+tags:
+  - cis_lvl1
+  - cis_lvl2
+mobileconfig: true
+mobileconfig_info:
+  com.apple.loginwindow:
+    LoginwindowText: "Approved message goes here"

rules/sysprefs/sysprefs_time_machine_auto_backup.yaml

@@ -0,0 +1,38 @@
+id: sysprefs_time_machine_auto_backup_enable
+title: "Configure Time Machine for Automatic Backups"
+discussion: |
+  Automatic backups _MUST_ be enabled when using Time Machine. 
+check: |
+  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutoBackup = 1'
+result: 
+  integer: 1
+fix: |
+  This is implemented by a Configuration Profile.
+references:
+  cce:
+    - N/A
+  cci: 
+    - N/A
+  800-53r5:
+    - N/A
+  800-53r4: 
+    - N/A
+  srg:
+    - N/A
+  disa_stig: 
+    - N/A
+  800-171r2:
+    - N/A
+  cis:
+    benchmark: 
+      - 2.7.2 (level 2)
+    v8:
+      - 11.2
+macOS:
+  - "12.0"
+tags:
+  - cis_lvl2
+mobileconfig: true
+mobileconfig_info:
+  com.apple.TimeMachine:
+    AutoBackup: true