system_wide_preferences moved to sysprefs

2026-03-03 17:02:01 +00:00 · 2021-04-08 17:00:55 -04:00
parent 02515c83c8
commit eb55eaacd2
1 changed files with 50 additions and 0 deletions
--- a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml
+++ b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml
@@ -0,0 +1,50 @@
+id: sysprefs_system_wide_preferences_configure
+title: "Require Administrator Password to Modify System-Wide Preferences"
+discussion: |
+  The system _MUST_ be configured to require an administrator password in order to modify the system-wide preferences in System Preferences. 
+
+  Some Preference Panes in System Preferences contain settings that affect the entire system. Requiring a password to unlock these system-wide settings reduces the risk of a non-authorized user modifying system configurations.
+check: |
+  /usr/bin/security authorizationdb read system.preferences 2> /dev/null |  /usr/bin/grep -A 1 "<key>shared</key>" | /usr/bin/grep -c "<false/>"
+result:
+  integer: 1
+fix: |
+  [source,bash]
+  ----
+  /usr/bin/security authorizationdb read system.preferences > /tmp/system.preferences.plist
+  /usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist
+  /usr/bin/security authorizationdb write system.preferences < /tmp/system.preferences.plist
+  ----
+references:
+  cce:
+    - CCE-85389-5
+  800-53r5:
+    - AC-6
+    - AC-6(2)
+    - AC-6(1)
+  800-53r4:
+    - AC-6
+    - AC-6(1)
+    - AC-6(2)
+  disa_stig:
+    - APPL-11-002069
+  srg:
+    - SRG-OS-000378-GPOS-00163
+  cci:
+    - CCI-001958
+  800-171r2:
+    - 3.1.5
+    - 3.1.6
+macOS:
+  - "11.0"
+tags:
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-171
+  - cnssi-1253
+  - stig
+severity: "medium"
+mobileconfig: false
+mobileconfig_info: