diff --git a/includes/supported_payloads.yaml b/includes/supported_payloads.yaml index b951471b..bd82a51f 100644 --- a/includes/supported_payloads.yaml +++ b/includes/supported_payloads.yaml @@ -87,6 +87,7 @@ payloads_types: - com.apple.security.FDERecoveryRedirect - com.apple.security.certificatetransparency - com.apple.security.firewall + - com.apple.security.libraryvalidation - com.apple.security.pem - com.apple.security.pkcs1 - com.apple.security.pkcs12 diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index 2ee1d3b7..b77d37cb 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt @@ -2,12 +2,7 @@ Recommendation # Title Time Machine 2.7.2 Ensure Time Machine Volumes Are Encrypted File System Permissions and Access Controls -5.1.3 Ensure Apple Mobile File Integrity Is Enabled -5.1.4 Ensure Library Validation Is Enabled 5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications 5.1.7 Ensure No World Writable Files Exist in the System Folder Password Management -5.12 Ensure a Custom Message for the Login Screen Is Enabled -5.14 Ensure Users' Accounts Do Not Have a Password Hint - Accounts Preferences Action Items -6.1.5 Ensure the Guest Home Folder Does Not Exist \ No newline at end of file +5.14 Ensure Users' Accounts Do Not Have a Password Hint \ No newline at end of file diff --git a/rules/cis_lvl2.txt b/rules/cis_lvl2.txt index 48f24914..6ffc69fa 100644 --- a/rules/cis_lvl2.txt +++ b/rules/cis_lvl2.txt @@ -1,6 +1,4 @@ Recommendation # Title - Time Machine -2.7.1 Ensure Backup Up Automatically is Enabled File System Permissions and Access Controls 5.1.8 Ensure No World Writable Files Exist in the Library Folder Password Management diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml new file mode 100644 index 00000000..dd99fdef --- /dev/null +++ b/rules/os/os_guest_folder_removed.yaml 
@@ -0,0 +1,38 @@
+id: os_guest_folder_removed
+title: "Remove Guest Folder if Present""
+discussion:
+ The guest folder _MUST_ be deleted if present.
+check: |
+ /bin/ls /Users/ | /usr/bin/grep -c "Guest"
+result:
+ integer: 0
+fix: |
+ [source,bash]
+ ----
+ /bin/rm -Rf /Users/Guest
+ ----
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - 6.1.5 (level 1)
+macOS:
+ - "12.0"
+tags:
+ - cis_lvl1
+ - cis_lvl2
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_library_validation_enabled.yaml b/rules/os/os_library_validation_enabled.yaml
new file mode 100644
index 00000000..67cd82f0
--- /dev/null
+++ b/rules/os/os_library_validation_enabled.yaml
@@ -0,0 +1,44 @@
+id: os_library_validation_enabled
+title: "Enable Library Validation"
+discussion:
+ Library validation _MUST_ be enabled.
+check: |
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep 'DisableLibraryValidation = 0'
+result:
+ integer: 1
+fix: |
+ [source,bash]
+ ----
+ This is implemented by a Configuration Profile.
+ ----
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - 5.1.4 (level 1)
+ v8:
+ - 2.3
+ - 2.6
+macOS:
+ - "12.0"
+tags:
+ - cis_lvl1
+ - cis_lvl2
+ - cisv8
+mobileconfig: true
+mobileconfig_info:
+ com.apple.security.libraryvalidation:
+ DisableLibraryValidation: false
\ No newline at end of file
diff --git a/rules/os/os_mobile_file_integrity_enable.yaml b/rules/os/os_mobile_file_integrity_enable.yaml
new file mode 100644
index 00000000..b66df95c
--- /dev/null
+++ b/rules/os/os_mobile_file_integrity_enable.yaml
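Review bot: The `title` line in rules/os/os_guest_folder_removed.yaml ends with two double quotes (`"Remove Guest Folder if Present""`), which a YAML parser will most likely reject, so the rule may not load at all; it should read `title: "Remove Guest Folder if Present"`. The check also counts every entry under /Users whose name merely contains "Guest", so an unrelated account or folder with that substring would fail the rule even though the fix only removes /Users/Guest. Anchoring the match, `/bin/ls /Users/ | /usr/bin/grep -c '^Guest$'`, keeps the check and the fix talking about the same folder.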
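Review bot: The `check` in rules/os/os_library_validation_enabled.yaml calls grep without `-c`, so it prints the matching line instead of a count, while `result` expects `integer: 1`; every other check added in this commit uses `grep -c`. As written a compliant host would presumably be reported as failing, so the line should be `/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableLibraryValidation = 0'`. The `fix` text is also wrapped in a `[source,bash]` block although it is prose, unlike the other profile-backed rules here, which state `This is implemented by a Configuration Profile.` directly.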
@@ -0,0 +1,42 @@
+id: os_mobile_file_integrity_enable
+title: "Enable Apple Mobile File Integrity"
+discussion:
+ Mobile file integrity _MUST_ be ebabled.
+check: |
+ /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1"
+result:
+ integer: 0
+fix: |
+ [source,bash]
+ ----
+ /usr/sbin/nvram boot-args=""
+ ----
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - 5.1.3 (level 1)
+ v8:
+ - 2.3
+ - 2.6
+macOS:
+ - "12.0"
+tags:
+ - cis_lvl1
+ - cis_lvl2
+ - cisv8
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml b/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml
new file mode 100644
index 00000000..5adda5a1
--- /dev/null
+++ b/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml
@@ -0,0 +1,37 @@
+id: sysprefs_loginwindow_loginwindowtext_enable
+title: "Configure Login Window to Show A Custom Message"
+discussion: |
+ The login window _MUST_ be configured to show a custom access warning message.
+check: |
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'LoginwindowText'
+result:
+ integer: 1
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - 6.1.1 (level 1)
+macOS:
+ - "12.0"
+tags:
+ - cis_lvl1
+ - cis_lvl2
+mobileconfig: true
+mobileconfig_info:
+ com.apple.loginwindow:
+ LoginwindowText: "Approved message goes here"
diff --git a/rules/sysprefs/sysprefs_time_machine_auto_backup.yaml b/rules/sysprefs/sysprefs_time_machine_auto_backup.yaml
new file mode 100644
index 00000000..36169852
--- /dev/null
+++ b/rules/sysprefs/sysprefs_time_machine_auto_backup.yaml
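Review bot: The `fix` in rules/os/os_mobile_file_integrity_enable.yaml sets `boot-args=""`, which clears every boot argument on the host rather than only the `amfi_get_out_of_my_way=1` flag the check looks for. Either rewrite boot-args with just that flag removed, or warn operators in the discussion, for example `NOTE: the fix clears all boot-args; record any required values before applying it.` The discussion line also has a typo: `ebabled` should be `enabled`.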
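Review bot: The `cis.benchmark` entry in rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml is `6.1.1 (level 1)`, but the login-screen message item this commit removes from rules/cis_lvl1.txt is numbered 5.12, so the reference probably should be `- 5.12 (level 1)`. Separately, `grep -c 'LoginwindowText'` only shows that the key appears in an installed profile, so an empty message, or the placeholder `"Approved message goes here"` deployed unchanged, still passes. The discussion should state that the placeholder must be replaced with the organisation's approved text before the profile is generated.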
@@ -0,0 +1,38 @@
+id: sysprefs_time_machine_auto_backup_enable
+title: "Configure Time Machine for Automatic Backups"
+discussion: |
+ Automatic backups _MUST_ be enabled when using Time Machine.
+check: |
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutoBackup = 1'
+result:
+ integer: 1
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - 2.7.2 (level 2)
+ v8:
+ - 11.2
+macOS:
+ - "12.0"
+tags:
+ - cis_lvl2
+mobileconfig: true
+mobileconfig_info:
+ com.apple.TimeMachine:
+ AutoBackup: true
\ No newline at end of file
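Review bot: The `id` in rules/sysprefs/sysprefs_time_machine_auto_backup.yaml is `sysprefs_time_machine_auto_backup_enable`, which does not match the file name, whereas the other rules added in this commit use an id equal to the file's base name. If the tooling resolves rules by file name, this control may be silently left out of a baseline. Either rename the file to `sysprefs_time_machine_auto_backup_enable.yaml` or change the line to `id: sysprefs_time_machine_auto_backup`. The benchmark reference also looks wrong: rules/cis_lvl1.txt gives 2.7.2 to Time Machine volume encryption, and the automatic-backup item removed from rules/cis_lvl2.txt is 2.7.1, so `- 2.7.1 (level 2)` is probably intended.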