From eb55eaacd245a74ff4ec9b11ca8b7eb51c34def0 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Thu, 8 Apr 2021 17:00:55 -0400
Subject: [PATCH] system_wide_preferences moved to sysprefs

---
 ...efs_system_wide_preferences_configure.yaml | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml

diff --git a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml
new file mode 100644
index 00000000..cfcbbd42
--- /dev/null
+++ b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml
@@ -0,0 +1,50 @@
+id: sysprefs_system_wide_preferences_configure
+title: "Require Administrator Password to Modify System-Wide Preferences"
+discussion: |
+  The system _MUST_ be configured to require an administrator password in order to modify the system-wide preferences in System Preferences.
+
+  Some Preference Panes in System Preferences contain settings that affect the entire system. Requiring a password to unlock these system-wide settings reduces the risk of a non-authorized user modifying system configurations.
+check: |
+  /usr/bin/security authorizationdb read system.preferences 2> /dev/null | /usr/bin/grep -A 1 "shared" | /usr/bin/grep -c ""
+result:
+  integer: 1
+fix: |
+  [source,bash]
+  ----
+  /usr/bin/security authorizationdb read system.preferences > /tmp/system.preferences.plist
+  /usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist
+  /usr/bin/security authorizationdb write system.preferences < /tmp/system.preferences.plist
+  ----
+references:
+  cce:
+    - CCE-85389-5
+  800-53r5:
+    - AC-6
+    - AC-6(2)
+    - AC-6(1)
+  800-53r4:
+    - AC-6
+    - AC-6(1)
+    - AC-6(2)
+  disa_stig:
+    - APPL-11-002069
+  srg:
+    - SRG-OS-000378-GPOS-00163
+  cci:
+    - CCI-001958
+  800-171r2:
+    - 3.1.5
+    - 3.1.6
+macOS:
+  - "11.0"
+tags:
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-171
+  - cnssi-1253
+  - stig
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
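Review bot: The `check` as shown, `/usr/bin/grep -A 1 "shared" | /usr/bin/grep -c ""`, counts every line the first grep emits and never inspects the value that follows the `shared` key, so a host whose shared preferences are still unlocked would produce the same count as a compliant one (and likely 2 rather than the expected `integer: 1`, since the key line plus one context line both match the empty pattern). If the real pattern was `"<false/>"` and was dropped by the page renderer this is fine; otherwise the last stage should be `/usr/bin/grep -c "<false/>"` so the rule fails on a non-compliant value. In `fix`, the three commands write to the fixed path `/tmp/system.preferences.plist` in a shared directory, are not chained, and leave the file behind, so a failed `authorizationdb read` would feed an empty plist into `authorizationdb write`; using `mktemp`, chaining with `&&` and removing the file afterwards avoids both problems.
```yaml
# … unchanged: id, title, discussion, check, result …
fix: |
  [source,bash]
  ----
  f=$(/usr/bin/mktemp /tmp/system.preferences.XXXXXX)
  /usr/bin/security authorizationdb read system.preferences > "$f" &&
  /usr/libexec/PlistBuddy -c "Set :shared false" "$f" &&
  /usr/bin/security authorizationdb write system.preferences < "$f"
  /bin/rm -f "$f"
  ----
# … unchanged: references, macOS, tags, severity, mobileconfig, mobileconfig_info …
```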