From daa0a2c4ddcb28b4fa24f3156fcd21b59e3f2b03 Mon Sep 17 00:00:00 2001
From: Bob Gendler <robert.gendler@nist.gov>
Date: Tue, 9 Aug 2022 14:55:03 -0400
Subject: [PATCH] issue #150

---
 rules/os/os_software_update_deferral.yaml | 54 +++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 rules/os/os_software_update_deferral.yaml

diff --git a/rules/os/os_software_update_deferral.yaml b/rules/os/os_software_update_deferral.yaml
new file mode 100644
index 00000000..ef165666
--- /dev/null
+++ b/rules/os/os_software_update_deferral.yaml
@@ -0,0 +1,54 @@
+id: os_software_update_deferral
+title: "Ensure Software Update Deferment Is Less Than or Equal to 30 Days"
+discussion: |
+  Software updates _MUST_ be deferred for $ODV days or less.
+check: |
+  /usr/bin/osascript -l JavaScript << EOS
+  function run() {
+    let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+  .objectForKey('enforcedSoftwareUpdateDelay')) || 0
+    if ( timeout <= $ODV ) {
+      return("true")
+    } else {
+      return("false")
+    }
+  }
+  EOS
+result:
+  string: "true"
+fix: |
+  This is implemented by a Configuration Profile.
+references:
+  cce:
+    - N/A
+  cci:
+    - N/A
+  800-53r5:
+    - N/A
+  800-53r4:
+    - N/A
+  srg:
+    - N/A
+  disa_stig:
+    - N/A
+  800-171r2:
+    - N/A
+  cis:
+    benchmark:
+      - 1.7 (level 1)
+    controls v8:
+      - N/A
+macOS:
+  - "12.0"
+odv: 
+  hint: "Number of days."
+  recommended: 30
+  cis_lvl1: 30
+  cis_lvl2: 30
+tags:
+  - cis_lvl1
+  - cis_lvl2
+mobileconfig: true
+mobileconfig_info:
+  com.apple.applicationaccess:
+    enforcedSoftwareUpdateDelay: $ODV