From 64fd989a59360717ac98d264b3aa7e5577a0ac7e Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 18 Oct 2022 21:50:16 -0400 Subject: [PATCH 1/7] refactor [rules] Updated check to use xmllint Updated to use xmllint and read xpath instead of grep | grep --- .../system_settings_system_wide_preferences_configure.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml index 6183d473..036b0f16 100644 --- a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml +++ b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml @@ -8,7 +8,7 @@ check: | authDBs=("system.preferences" "system.preferences.energysaver" "system.preferences.network" "system.preferences.printing" "system.preferences.sharing" "system.preferences.softwareupdate" "system.preferences.startupdisk" "system.preferences.timemachine") result="1" for section in $authDBs; do - if [[ $(/usr/bin/security authorizationdb read "$section" 2> /dev/null | /usr/bin/grep -A 1 "shared" | /usr/bin/grep -c "") -ne 1 ]]; then + if [[ $(/usr/bin/security -q authorizationdb read "$section" | /usr/bin/xmllint -xpath 'name(//*[contains(text(), "shared")]/following-sibling::*[1])' -) != "false" ]]; then result="0" fi done From e807a191c627738a7ad453211843754d7b201e5b Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 18 Oct 2022 22:12:39 -0400 Subject: [PATCH 2/7] refactor [rules] Updated library validation rule Removed CIS Benchmark numbers from library validation and removed from baseline files --- baselines/cis_lvl1.yaml | 1 - baselines/cis_lvl2.yaml | 1 - rules/os/os_library_validation_enabled.yaml | 4 +--- 3 files changed, 1 insertion(+), 5 deletions(-) diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml index ae5e34b8..ef5bd5a3 100644 --- a/baselines/cis_lvl1.yaml +++ b/baselines/cis_lvl1.yaml 
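Review bot: The new XPath `//*[contains(text(), "shared")]` selects any element whose text merely contains the word "shared", so a comment or value string mentioning it would be matched ahead of the `shared` key and the `name(...)` of the wrong sibling would be compared; the OVAL object added for this same rule in PATCH 7 matches the key text exactly, and the shell check should use the same selector: `'name(//key[text()="shared"]/following-sibling::*[1])'`. Replacing `2> /dev/null` with `security -q` also lets xmllint print parser errors to stderr when a right in `$authDBs` does not exist and the pipe is empty; the comparison still fails closed, because empty output is `!= "false"`, so only the noise changes. The `check: |` scalar appears to continue past the hunk, so the final handling of `result` is not visible here.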
@@ -40,7 +40,6 @@ profile: - os_home_folders_secure - os_httpd_disable - os_install_log_retention_configure - - os_library_validation_enabled - os_mobile_file_integrity_enable - os_nfsd_disable - os_password_hint_remove diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml index f9550ed2..fdc890d7 100644 --- a/baselines/cis_lvl2.yaml +++ b/baselines/cis_lvl2.yaml @@ -51,7 +51,6 @@ profile: - os_home_folders_secure - os_httpd_disable - os_install_log_retention_configure - - os_library_validation_enabled - os_mobile_file_integrity_enable - os_nfsd_disable - os_password_hint_remove diff --git a/rules/os/os_library_validation_enabled.yaml b/rules/os/os_library_validation_enabled.yaml index 1128e781..b53059d9 100644 --- a/rules/os/os_library_validation_enabled.yaml +++ b/rules/os/os_library_validation_enabled.yaml @@ -28,15 +28,13 @@ references: - N/A cis: benchmark: - - 5.1.4 (level 1) + - N/A controls v8: - 2.3 - 2.6 macOS: - "13.0" tags: - - cis_lvl1 - - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: From 3d6f7c6f1f7ea5c2a4745ca3b269358d68078fa1 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 19 Oct 2022 10:21:15 -0400 Subject: [PATCH 3/7] refactor[rules] More CIS Ventura Benchmark updates * Updates to benchmark numbers in rules * Removed system_settings_location_services_audit --- ...os_safari_open_safe_downloads_disable.yaml | 2 +- .../os_terminal_secure_keyboard_enable.yaml | 2 +- .../system_settings_firewall_enable.yaml | 2 +- ...stem_settings_location_services_audit.yaml | 38 ------------------- ...em_settings_remote_management_disable.yaml | 2 +- ...system_settings_time_server_configure.yaml | 2 +- 6 files changed, 5 insertions(+), 43 deletions(-) delete mode 100644 rules/system_settings/system_settings_location_services_audit.yaml diff --git a/rules/os/os_safari_open_safe_downloads_disable.yaml b/rules/os/os_safari_open_safe_downloads_disable.yaml index a16006c2..e42c7e89 100644 --- a/rules/os/os_safari_open_safe_downloads_disable.yaml 
+++ b/rules/os/os_safari_open_safe_downloads_disable.yaml @@ -23,7 +23,7 @@ references: - N/A cis: benchmark: - - 6.3 (level 1) + - 6.3.1 (level 1) controls v8: - 9 macOS: diff --git a/rules/os/os_terminal_secure_keyboard_enable.yaml b/rules/os/os_terminal_secure_keyboard_enable.yaml index 6486dee3..1e8394a1 100644 --- a/rules/os/os_terminal_secure_keyboard_enable.yaml +++ b/rules/os/os_terminal_secure_keyboard_enable.yaml @@ -20,7 +20,7 @@ references: - N/A cis: benchmark: - - 2.10 (level 1) + - 6.4.1 (level 1) controls v8: - 4.8 macOS: diff --git a/rules/system_settings/system_settings_firewall_enable.yaml b/rules/system_settings/system_settings_firewall_enable.yaml index b050a0f0..18fb7a9f 100644 --- a/rules/system_settings/system_settings_firewall_enable.yaml +++ b/rules/system_settings/system_settings_firewall_enable.yaml @@ -46,7 +46,7 @@ references: - 3.13.5 cis: benchmark: - - 2.3.2.1 (level 1) + - 2.2.1 (level 1) controls v8: - 4.1 - 4.5 diff --git a/rules/system_settings/system_settings_location_services_audit.yaml b/rules/system_settings/system_settings_location_services_audit.yaml deleted file mode 100644 index de7f13a8..00000000 --- a/rules/system_settings/system_settings_location_services_audit.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -id: system_settings_location_services_audit -title: "Audit Location Services" -discussion: | - The organization _MUST_ audit which applications have access to location services. -check: | - sudo /usr/libexec/PlistBuddy -c print /var/db/locationd/clients.plist | grep Dict | awk '(NR>1) { print $1 }' -result: - string: "a list containing approved applications." -fix: | - Review the list of applications and remove any unauthorized applications from System Prefrences->Security & Privacy->Privacy->Location Services. -references: - cce: - - CCE-91961-3 - cci: - - N/A - 800-53r5: - - N/A - 800-53r4: - - N/A - disa_stig: - - N/A - srg: - - N/A - cis: - benchmark: - - 2.5.4 (level 2) - controls v8: - - 2.3 - - 4.1 -macOS: - - "13.0" -tags: - - cis_lvl2 - - cisv8 - - cis_manual - - manual -mobileconfig: false -mobileconfig_info: \ No newline at end of file diff --git a/rules/system_settings/system_settings_remote_management_disable.yaml b/rules/system_settings/system_settings_remote_management_disable.yaml index 25746cbd..1b7ecc6b 100644 --- a/rules/system_settings/system_settings_remote_management_disable.yaml +++ b/rules/system_settings/system_settings_remote_management_disable.yaml @@ -30,7 +30,7 @@ references: - N/A cis: benchmark: - - 2.4.3 (level 1) + - 2.3.3.6 (level 1) controls v8: - 4.1 - 4.8 diff --git a/rules/system_settings/system_settings_time_server_configure.yaml b/rules/system_settings/system_settings_time_server_configure.yaml index 82786e9a..c2bed40f 100644 --- a/rules/system_settings/system_settings_time_server_configure.yaml +++ b/rules/system_settings/system_settings_time_server_configure.yaml @@ -31,7 +31,7 @@ references: - 3.3.7 cis: benchmark: - - 2.2.1 (level 1) + - 2.3.2.1 (level 1) controls v8: - 8.4 macOS: From 23c93c3294f85c1066fd78ad10a3d5bf1f16c97a Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Wed, 19 Oct 2022 10:24:08 -0400 Subject: [PATCH 4/7] refactor[baselines]: updated cis_lvl2 baseline Removed system_settings_location_services_audit --- baselines/cis_lvl2.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml index fdc890d7..56b62cbb 100644 --- a/baselines/cis_lvl2.yaml +++ b/baselines/cis_lvl2.yaml @@ -96,7 +96,6 @@ profile: - system_settings_hot_corners_secure - system_settings_install_macos_updates_enforce - system_settings_internet_sharing_disable - - system_settings_location_services_audit - system_settings_location_services_enable - system_settings_location_services_menu_enforce - system_settings_loginwindow_loginwindowtext_enable From 207d82534c66d481c076790546021cd7bded72fd Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 19 Oct 2022 10:25:23 -0400 Subject: [PATCH 5/7] refactor[baselines]: Updated all_rules Removed system_settings_location_services_audit rule. --- baselines/all_rules.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index 71c8857f..142b3539 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -205,7 +205,6 @@ profile: - system_settings_install_macos_updates_enforce - system_settings_internet_accounts_disable - system_settings_internet_sharing_disable - - system_settings_location_services_audit - system_settings_location_services_disable - system_settings_location_services_enable - system_settings_location_services_menu_enforce From 84405d8db934caf5119f3766f634da43a0aa509f Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 19 Oct 2022 10:41:18 -0400 Subject: [PATCH 6/7] refactor[rules] Updates to supplemental_cis_manual Updated CIS manual controls to match CIS Ventura benchmark --- rules/supplemental/supplemental_cis_manual.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index 9cb3079a..cdc54b06 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml @@ -9,7 +9,7 @@ discussion: | |System Settings |Recommendations - | 2.1.1.1 Audit iCloud Keychain + + |2.1.1.1 Audit iCloud Keychain + 2.1.1.2 Audit iCloud Drive + 2.1.2 Audit App Store Password Settings + 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information + @@ -42,7 +42,9 @@ discussion: | 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured + 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured + 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured + - 5.5 Ensure login keychain is locked when the computer sleeps + + 5.3.1 Ensure All User Storage APFS Volumes are Encrypted + + 5.3.2 Ensure All User Storage CoreStorage Volumes are Encrypted + + 5.5 Ensure Login Keychain is Locked when the Computer Sleeps + |=== [cols="15%h, 85%a"] From 8b3bdac7c24714c09cc151bf3824f74a42bb33cd Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 19 Oct 2022 14:08:27 -0400 Subject: [PATCH 7/7] fix [generate_scap] Updated authdb check Added oval generation for new authdb check for Ventura --- scripts/generate_scap.py | 52 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/scripts/generate_scap.py b/scripts/generate_scap.py index 887d5bb3..a5b2a463 100755 --- a/scripts/generate_scap.py +++ b/scripts/generate_scap.py 
@@ -2254,7 +2254,57 @@ def generate_scap(all_rules, all_baselines, args): {} '''.format(rule_yaml['id'] + "_" + odv_label,x,key) - x += 1 + + else: + if "authorizationdb" in rule_yaml['check']: + regex = r"=\(.*.\)" + matchy_match = [] + matches = re.finditer(regex, rule_yaml['check'], re.MULTILINE) + for matchNum, match in enumerate(matches, start=1): + matchy_match = match.group().replace('=(',"").replace(")","").replace('"','').split() + + oval_definition = oval_definition + ''' + + + {} + + + {} + + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion']) + + for match in matchy_match: + + oval_definition = oval_definition + ''' + + '''.format(rule_yaml['id'] + "+" + match, x) + oval_test = oval_test + ''' + + + + '''.format(match,x,x,x) + key="shared" + value="" + if "false" in rule_yaml["check"]: + value="false" + else: + value="true" + + oval_object = oval_object + ''' + + {} + boolean(//key[text()="{}"]/following-sibling::{}) + '''.format(match,x,match,key,value) + + oval_state = oval_state + ''' + + + true + '''.format(match,x) + x += 1 + + oval_definition = oval_definition + "" + continue if "/bin/rm" in rule_yaml['fix'] and "/bin/ls" in rule_yaml['check']: oval_definition = oval_definition + '''
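Review bot: In the new `authorizationdb` branch, `matchy_match` is reassigned on every iteration of the `re.finditer` loop, so a check that defines more than one `=( ... )` array only yields criteria for the last one, and the `matchNum` from `enumerate` is never used; a single `re.search(regex, rule_yaml['check'])` followed by `.group()` states the intent, and `re.MULTILINE` has no effect here because the pattern has no anchors. The inner loop rebinds `match` to a right-name string right after the outer loop bound it to a `re.Match`, which is easy to misread; naming the inner variable `right` and lifting the hard-coded `key="shared"` above the loop would read more clearly. `value` is chosen by testing whether the literal `false` occurs anywhere in the check script rather than in its comparison, which is fragile if the check text later gains a second boolean; a comment such as `# expected value of the key following "shared"; mirrors the != "false" test in the rule's check` would at least record the coupling. `rule_yaml['title']` and `rule_yaml['discussion']` are interpolated into `oval_definition` with `str.format` and no escaping; if these templates are XML fragments (the tags appear stripped on this page), a title containing `&` or `<` produces malformed output and `xml.sax.saxutils.escape` would guard it. The enclosing `generate_scap` body starts before and continues after the hunk.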