refactor[rules] Added DDM check and info and move

Moved 1 rule to os
Created software update rules for DDM

rules/os/system_settings_software_update_app_update_enforce.yaml

@@ -1,4 +1,4 @@
-id: system_settings_software_update_app_update_enforce
+id: os_software_update_app_update_enforce
 title: Enforce Software Update App Update Updates Automatically
 discussion: |
   Software Update _MUST_ be configured to enforce automatic updates of App Updates is enabled.

rules/system_settings/system_settings_download_software_update_enforce.yaml

@@ -0,0 +1,43 @@
+id: system_settings_download_software_update_enforce
+title: Enforce Software Update Downloads Updates Automatically using DDM.
+discussion: |
+  Software Update _MUST_ be configured to enforce automatic downloads of updates from Apple and that the user cannot modify the setting within System Settings.
+check: |
+  /usr/bin/plutil -convert json /var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist -o - | /usr/bin/jq --raw-output .'SUCorePersistedStatePolicyFields.SUCoreDDMDeclarationGlobalSettings.automaticallyDownload' 
+result:
+  integer: 1
+fix: |
+  This is implemented by Declarative Device Management (DDM).
+references:
+  cce:
+    - CCE-95403-2
+  cci:
+    - N/A
+  800-53r5:
+    - N/A
+  800-53r4:
+    - N/A
+  srg:
+    - N/A
+  disa_stig:
+    - N/A
+  800-171r3:
+    - N/A
+  cis:
+    benchmark:
+      - N/A
+    controls v8:
+      - 7.3
+      - 7.4
+macOS:
+  - '26.0'
+tags:
+  - cisv8
+  - ddm
+mobileconfig: false
+mobileconfig_info:
+ddm_info:
+  declarationtype: com.apple.configuration.softwareupdate.settings
+  ddm_key: 
+    AutomaticActions: Download
+  ddm_value: AlwaysOn

rules/system_settings/system_settings_security_update_install.yaml

@@ -0,0 +1,54 @@
+id: system_settings_security_update_install
+title: Enforce Automatic Installs of Available Security Updates using DDM.
+discussion: |
+  Ensure that available security updates are installed as soon as they are available from Apple and that the user cannot modify the setting within System Settings.
+check: |
+  /usr/bin/plutil -convert json /var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist -o - | /usr/bin/jq --raw-output .'SUCorePersistedStatePolicyFields.SUCoreDDMDeclarationGlobalSettings.automaticallyInstallSystemAndSecurityUpdates'
+result:
+  integer: 1
+fix: |
+  This is implemented by Declarative Device Management (DDM).
+references:
+  cce:
+    - N/A
+  cci:
+    - N/A
+  800-53r5:
+    - SI-2
+  800-53r4:
+    - N/A
+  srg:
+    - N/A
+  disa_stig:
+    - N/A
+  800-171r3:
+    - 03.14.01
+  cis:
+    benchmark:
+      - N/A
+    controls v8:
+      - 7.3
+      - 7.4
+      - 7.7
+  cmmc:
+    - SI.L1-3.14.1
+    - SI.L1-3.14.4
+macOS:
+  - '26.0'
+tags:
+  - 800-53r5_low
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - cisv8
+  - cnssi-1253_low
+  - cnssi-1253_high
+  - cmmc_lvl2
+  - cmmc_lvl1
+  - cnssi-1253_moderate
+mobileconfig: false
+mobileconfig_info:
+ddm_info:
+  declarationtype: com.apple.configuration.softwareupdate.settings
+  ddm_key: 
+    AutomaticActions: InstallSecurityUpdate
+  ddm_value: AlwaysOn

rules/system_settings/system_settings_software_update_enforce.yaml

@@ -1,44 +0,0 @@
-id: system_settings_software_update_enforce
-title: Enforce Software Update Automatically
-discussion: |
-  Software Update _MUST_ be configured to enforce automatic update is enabled.
-check: |
-  /usr/bin/osascript -l JavaScript << EOS
-  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
-  .objectForKey('AutomaticCheckEnabled').js
-  EOS
-result:
-  string: 'true'
-fix: |
-  This is implemented by a Configuration Profile.
-references:
-  cce:
-    - CCE-95404-0
-  cci:
-    - N/A
-  800-53r5:
-    - SI-2(5)
-  800-53r4:
-    - N/A
-  srg:
-    - N/A
-  disa_stig:
-    - N/A
-  800-171r3:
-    - 03.14.01
-    - 03.14.02
-    - 03.13.03
-  cis:
-    benchmark:
-      - N/A
-    controls v8:
-      - 7.3
-      - 7.4
-macOS:
-  - '26.0'
-tags:
-  - cisv8
-mobileconfig: true
-mobileconfig_info:
-  com.apple.SoftwareUpdate:
-    AutomaticCheckEnabled: true