config checks: CIS OSX benchmarks for 10.12 sierra

[kristovatlas]

https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf

[kristovatlas]

There are two profiles included:

Level 1 (~73 items) Items in this profile intend to:

• be practical and prudent;
• provide a clear security benefit; and
• not inhibit the utility of the technology beyond acceptable means.

Level 2 (~38 items) This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:

• are intended for environments or use cases where security is paramount
• acts as defense in depth measure
• may negatively inhibit the utility or performance of the technology.

Maybe "level 1" items would be required and "level 2" items would be recommended/experimental.

[kristovatlas]

• [x] 1.1 Verify all Apple provided software is current (Level 1) Already included
• [ ] 1.2 Enable Auto Update (Level 1) not present
• [ ] 1.3 Enable app update installs (Level 1) *not present
• [ ] 1.4 Enable system data files and security update installs (Level 1) *not present**
• [ ] 1.5 Enable OS X update installs (Level 1) not present
• [ ] 2.1.1 Turn off Bluetooth, if no paired devices exist (Level 1) Currently we test on/off and suggest off as experimental. we can change this to required: devices paired | off, and keep completely off as an experimental setting. This way users who don't use bluetooth can keep it off.
• [ ] 2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices (Level 1) not present
• [ ] 2.1.3 Show Bluetooth status in menu bar (Level 1) not present
• [ ] 2.2.1 Enable "Set time and date automatically" (Level 2) This is the opposite of what we're currently recommending. Maybe we should go with CIS on this. See: https://github.com/kristovatlas/osx-config-check/issues/181
• [ ] 2.2.2 Ensure time set is within appropriate limits (Level 1) not present
• [ ] 2.2.3 Restrict NTP server to loopback interface (Level 1) not present
• [ ] 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver (Level 1) may be partially implemented currently -- review
• [ ] 2.3.2 Secure screen saver corners not present
• [ ] 2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver (Level 1) not present
• [ ] 2.3.4 Set a screen corner to Start Screen Saver (Level 1) not present
• [x] 2.4.1 Disable Remote Apple Events (Level 1) Already included
• [x] 2.4.2 Disable Internet Sharing (Level 1) Already included
• [ ] 2.4.3 Disable Screen Sharing (Level 1) not present
• [x] 2.4.4 Disable Printer Sharing (Level 1) Already included
• [x] 2.4.5 Disable Remote Login (Level 1) Already included
• [ ] 2.4.6 Disable DVD or CD Sharing (Level 1) not present
• [ ] 2.4.7 Disable Bluetooth Sharing (Level 1) not present
• [ ] 2.4.8 Disable File Sharing (Level 1) Already included but possibly broken due to lack of sudo for fix
• [x] 2.4.9 Disable Remote Management (Level 1) Already included
• [ ] 2.5.1 Disable "Wake for network access" (Level 2) not present

(list WIP only about 22.5% done, still need to add through 8.2)

[kristovatlas]

CIS has checks dating back to previous versions of OS X, but we may want some checks to be OSX version-specific to avoid false positives. This might be mostly cleanly achieved by adding a function to api that gets the osx version (sw_vers -productVersion) and early-exits from the bash line with a return value. If there are other checks we can do for other versions, the early-exit value can be a value that neither constitutes an explicit pass nor fail; otherwise it should constitute an explicit pass as we don't want to deduct points when we have no known config check for the user's OSX version.

Alternatively to that last point, we could also add a new time of test result e.g. "inconclusive" or count that check as "skipped." This could be achieved by adding a new optional field to the fix section of the Hjson syntax called "explicit_skip" or "explicit_inconclusive".