wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Wazuh 4.3 - SCA policies manual tests - SCA Policy for CIS Apple macOS 12.0 Monterey Benchmark v1.0.0 / @juliamagan #3023

Closed juliamagan closed 2 years ago

juliamagan commented 2 years ago
Related Issue
https://github.com/wazuh/wazuh/issues/12883

Description

macOS 12.0 Monterey SCA policies have been updated (https://github.com/wazuh/wazuh/issues/12883). On this account, it is necessary to ensure that these policies fit the CIS Apple macOS 12.0 Monterey Benchmark v1.0.0. Also, manual testing of the SCA rules used is required, ensuring that the proposed rules work as expected.

For each check in the SCA policy checks:

The installers must also be tested:

Checks

Checks design

Check ID | Check Category | Description | ID/Title/Description/Rationale | Remediation | Compliance | Rules | Artifact
-- | -- | -- | -- | -- | -- | -- | --
id | Category | Description | :black_circle: | :black_circle: | :black_circle: | :black_circle: | Artifact

All test results must have one of the following statuses:
:green_circle: All checks passed.
:red_circle: There is at least one failed result.
:yellow_circle: There is at least one expected failure or skipped test and no failures.
:black_circle: Not done yet

Any failing test must be properly addressed with a new issue, detailing the error and the possible cause.

An extended report of the test results can be attached as a ZIP or TXT file. Please attach any documents, screenshots, or tables to the issue update with the results. This report can be used by the auditors to dig deeper into any possible failures and details.

Checks lists

Conclusions

All tests have been executed and the results can be found in the issue updates.

To be completed

juliamagan commented 2 years ago

Checks - Block 1 :red_circle:

Check ID | Description | ID/Title/Description/Rationale | Remediation | Compliance | Rules | Artifact
-- | -- | -- | -- | -- | -- | --
**1** | **Install Updates, Patches and Additional Security Software** | | | | |
1.1 | Ensure All Apple-provided Software Is Current (Automated) | :green_circle: | :red_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9017942/1.1.zip)
1.2 | Ensure Auto Update Is Enabled (Automated) | :red_circle: | :green_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9017965/1.2.zip)
1.3 | Ensure Download New Updates When Available is Enabled (Automated) | :red_circle: | :green_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9017972/1.3.zip)
1.4 | Ensure Installation of App Update Is Enabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9017976/1.4.zip)
1.5 | Ensure System Data Files and Security Updates Are Downloaded Automatically Is Enabled (Automated) | :red_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9017980/1.5.zip)
1.6 | Ensure Install of macOS Updates Is Enabled | :red_circle: | :red_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9017982/1.6.zip)
**2** | **System Preferences** | | | | |
**2.1** | **Bluetooth** | | | | |
2.1.1 | Ensure Bluetooth Is Disabled If No Devices Are Paired (Automated) | :green_circle: | :red_circle: | :green_circle: | :red_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018242/2.1.1.zip)
2.1.2 | Ensure Show Bluetooth Status in Menu Bar Is Enabled (Automated) | :red_circle: | :green_circle: | :green_circle: | :red_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018245/2.1.2.zip)
**2.2** | **Date & Time** | | | | |
2.2.1 | Ensure "Set time and date automatically" Is Enabled (Automated) | :red_circle: | :yellow_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018248/2.2.1.zip)
2.2.2 | Ensure time set is within appropriate limits (Automated) | :red_circle: | :green_circle: | :green_circle: | :red_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018251/2.2.2.zip)
**2.3** | **Desktop & Screen Saver** | | | | |
2.3.1 | Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (Automated) | :green_circle: | :red_circle: | :green_circle: | :red_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018258/2.3.1.zip)
2.3.2 | Ensure Screen Saver Corners Are Secure (Automated) | :green_circle: | :green_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018267/2.3.2.zip)
**2.4** | **Sharing** | | | | |
2.4.1 | Ensure Remote Apple Events Is Disabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018271/2.4.1.zip)
2.4.2 | Ensure Internet Sharing Is Disabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018279/2.4.2.zip)
2.4.3 | Ensure Screen Sharing Is Disabled (Automated) | :red_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018284/2.4.3.zip)
2.4.4 | Ensure Printer Sharing Is Disabled (Automated) | :red_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018287/2.4.4.zip)
2.4.5 | Ensure Remote Login Is Disabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018290/2.4.5.zip)
2.4.6 | Ensure DVD or CD Sharing Is Disabled (Automated) | :red_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018294/2.4.6.zip)
2.4.7 | Ensure Bluetooth Sharing Is Disabled (Automated) | :green_circle: | :red_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018296/2.4.7.zip)
2.4.8 | Ensure File Sharing Is Disabled (Automated) | :red_circle: | :red_circle: | :green_circle: | :green_circle: | :red_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018297/2.4.8-FAIL.zip)
2.4.9 | Ensure Remote Management Is Disabled (Automated) | :red_circle: | :red_circle: | :green_circle: | :red_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018300/2.4.9.zip)
2.4.10 | Ensure Content Caching Is Disabled (Automated) | :red_circle: | :red_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018304/2.4.10.zip)
2.4.11 | Ensure AirDrop Is Disabled (Automated) | :red_circle: | :green_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018306/2.4.11.zip)
2.4.12 | Ensure Media Sharing Is Disabled (Automated) | :red_circle: | :red_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018308/2.4.12.zip)
**2.5** | **Security & Privacy** | | | | |
**2.5.1** | **Encryption** | | | | |
2.5.1.1 | Ensure FileVault Is Enabled (Automated) | :red_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018310/2.5.1.1.zip)
**2.5.2** | **Firewall** | | | | |
2.5.2.1 | Ensure Gatekeeper is Enabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018315/2.5.2.1.zip)
2.5.2.2 | Ensure Firewall Is Enabled (Automated) | :red_circle: | :green_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018316/2.5.2.2.zip)
2.5.2.3 | Ensure Firewall Stealth Mode Is Enabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018317/2.5.2.3.zip)
2.5.3 | Ensure Location Services Is Enabled (Automated) | :red_circle: | :red_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018322/2.5.3.zip)
2.5.5 | Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (Automated) | :green_circle: | :red_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018323/2.5.5.zip)
**2.7** | **Time Machine** | | | | |
2.7.1 | Ensure Backup Up Automatically is Enabled (Automated) | :green_circle: | :red_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018325/2.7.1.zip)
2.8 | Ensure Wake for Network Access Is Disabled (Automated) | :red_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018328/2.8.zip)
2.9 | Ensure Power Nap Is Disabled (Automated) | :red_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018335/2.9.zip)
2.10 | Ensure Secure Keyboard Entry terminal.app is Enabled (Automated) | :green_circle: | :yellow_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018340/2.10.zip)
2.11 | Ensure EFI Version Is Valid and Checked Regularly (Automated) | :red_circle: | :green_circle: | :green_circle: | :red_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018344/2.11.zip)
**3** | **Logging and Auditing** | | | | |
3.1 | Ensure Security Auditing Is Enabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :red_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018379/3.1.zip)
3.3 | Ensure install.log Is Retained for 365 or More Days and No Maximum Size (Automated) | :red_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018381/3.3.zip)
3.5 | Ensure Access to Audit Records Is Controlled (Automated) | :red_circle: | :red_circle: | :green_circle: | :red_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018388/3.5.zip)
3.6 | Ensure Firewall Logging Is Enabled and Configured (Automated) | :red_circle: | :red_circle: | :green_circle: | :yellow_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018393/3.6.zip)
**4** | **Network Configurations** | | | | |
4.1 | Ensure Bonjour Advertising Services Is Disabled (Automated) | :red_circle: | :green_circle: | :green_circle: | :green_circle: | :red_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018417/4.1-FAIL.zip)
4.4 | Ensure HTTP Server Is Disabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :red_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018428/4.4.zip)
4.5 | Ensure NFS Server Is Disabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :red_circle: | :red_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018430/4.5-FAIL.zip)
**5** | **System Access, Authentication and Authorization** | | | | |
**5.1** | **File System Permissions and Access Controls** | | | | |
5.1.2 | Ensure System Integrity Protection Status (SIPS) Is Enabled (Automated) | :green_circle: | :red_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018550/5.1.2.zip)
5.1.3 | Ensure Apple Mobile File Integrity Is Enabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018553/5.1.3.zip)
5.1.4 | Ensure Library Validation Is Enabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018554/5.1.4.zip)
5.1.5 | Ensure Sealed System Volume (SSV) Is Enabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :red_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018556/5.1.5-FAIL.zip)
5.1.6 | Ensure Appropriate Permissions Are Enabled for System Wide Applications (Automated) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018560/5.1.6.zip)
5.1.7 | Ensure No World Writable Files Exist in the System Folder (Automated) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018567/5.1.7.zip)
5.1.8 | Ensure No World Writable Files Exist in the Library Folder (Automated) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018572/5.1.8.zip)
5.3 | Ensure the Sudo Timeout Period Is Set to Zero (Automated) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018575/5.3.zip)
5.4 | Ensure a Separate Timestamp Is Enabled for Each User/tty Combo (Automated) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018577/5.4.zip)
5.6 | Ensure the "root" Account Is Disabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018579/5.6.zip)
5.7 | Ensure Automatic Login Is Disabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018582/5.7.zip)
5.10 | Require an administrator password to access system-wide preferences (Automated) | :green_circle: | :green_circle: | :green_circle: | :red_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018587/5.10.zip)
5.11 | Ensure an administrator account cannot login to another user's active and locked session (Automated) | :green_circle: | :green_circle: | :red_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018590/5.11.zip)
5.12 | Ensure a Custom Message for the Login Screen Is Enabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :red_circle: | :red_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018594/5.12-FAIL.zip)
5.13 | Ensure a Login Window Banner Exists (Automated) | :green_circle: | :green_circle: | :red_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018597/5.13.zip)
**6** | **User Accounts and Environment** | | | | |
**6.1** | **Accounts Preferences Action Items** | | | | |
6.1.1 | Ensure Login Window Displays as Name and Password Is Enabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018671/6.1.1.zip)
6.1.2 | Ensure Show Password Hints Is Disabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018678/6.1.2.zip)
6.1.3 | Ensure Guest Account Is Disabled (Automated) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018681/6.1.3.zip)
6.1.4 | Ensure Guest Access to Shared Folders Is Disabled (Automated) | :red_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018682/6.1.4.zip)
6.1.5 | Ensure the Guest Home Folder Does Not Exist (Automated) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018683/6.1.5.zip)
6.2 | Ensure Show All Filename Extensions Setting is Enabled (Automated) | :green_circle: | :red_circle: | :green_circle: | :red_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018685/6.2.zip)
6.3 | Ensure Automatic Opening of Safe Files in Safari Is Disabled (Automated) | :green_circle: | :red_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018686/6.3.zip)

Extra

Check ID | Description | ID/Title/Description/Rationale | Remediation | Compliance | Rules | Artifact
-- | -- | -- | -- | -- | -- | --
5.15 | Ensure Fast User Switching Is Disabled (Manual) | :red_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: - [Dashboard image](https://github.com/wazuh/wazuh-qa/files/9018602/5.15.zip)

juliamagan commented 2 years ago

1. Install Updates, Patches and Additional Security Software

1.1 Ensure All Apple-provided Software Is Current (Automated) :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

  **Expected remediation**:
  ```
  1. In Terminal, run the following command to verify what packages need to be installed:
  sudo softwareupdate -l
  2.1. In Terminal, run the following command to install all the packages that need to be updated:
  sudo software -i -a -R
  2.2. In Terminal, run the following for any packages that show up in step 1:
  sudo softwareupdate -i packagename
  ```
  **Current remediation**:
  ```
  1. In Terminal, run the following:
  softwareupdate -i -a
  2. In Terminal, run the following for any packages that show up in step 1:
  sudo softwareupdate -i packagename
  ```
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:
  ```
  sh-3.2# softwareupdate -l
  Software Update Tool

  Finding available software
  Software Update found the following new or updated software:
  * Label: Command Line Tools for Xcode-13.2
      Title: Command Line Tools for Xcode, Version: 13.2, Size: 577329K, Recommended: YES,
  * Label: Command Line Tools for Xcode-13.3
      Title: Command Line Tools for Xcode, Version: 13.3, Size: 718145K, Recommended: YES,
  * Label: Command Line Tools for Xcode-13.4
      Title: Command Line Tools for Xcode, Version: 13.4, Size: 705462K, Recommended: YES,
  ```
- Expected scan result: `FAIL`

1.2 Ensure Auto Update Is Enabled (Automated) :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

  **Expected title**:
  ```
  Ensure Auto Update Is Enabled
  ```
  **Current title** (extra space):
  ```
  Ensure Auto Update Is Enabled
  ```
- Compliance - :green_circle:
- Rules - :yellow_circle:

  We could add:
  ```
  sudo profiles -P -o stdout | grep AutomaticCheckEnabled
  ```
- Execution:
  ```
  sh-3.2# defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled
  0
  ```
- Expected scan result: `FAIL`

1.3 Ensure Download New Updates When Available is Enabled (Automated) :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

  **Expected description**:
  ```
  In the GUI both "Install macOS updates" and "Install app updates from the App Store" are dependent on whether "Download new updates when available" is selected.
  ```
  **Current description** (missing period):
  ```
  In the GUI both "Install macOS updates" and "Install app updates from the App Store" are dependent on whether "Download new updates when available" is selected.
  ```
- Compliance - :green_circle:
- Rules - :yellow_circle:

  We could add:
  ```
  sudo profiles -P -o stdout | grep AutomaticDownload
  ```
- Execution:
  ```
  sh-3.2# defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload
  0
  ```
- Expected scan result: `FAIL`

1.4 Ensure Installation of App Update Is Enabled (Automated) :yellow_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance -
- Rules - :yellow_circle:

  We could add:
  ```
  sudo profiles -P -o stdout | grep AutomaticallyInstallAppUpdates
  ```
- Execution:
  ```
  sh-3.2# defaults read /Library/Preferences/com.apple.commerce AutoUpdate
  0
  ```
- Expected scan result: `FAIL`

1.5 Ensure System Data Files and Security Updates Are Downloaded Automatically Is Enabled (Automated) :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

  **Expected description**:
  ```
  Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights.
  ```
  **Current description** (comma instead of period):
  ```
  Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights.
  ```
  **Expected rationale**:
  ```
  Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited.
  ```
  **Current rationale** (missing period):
  ```
  Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited
  ```
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:
  ```
  sh-3.2# defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall
  0
  sh-3.2# defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall
  0
  ```
- Expected scan result: `FAIL`

1.6 Ensure Install of macOS Updates Is Enabled :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

  We need to add `(Automated)` in the commented title.

  **Expected description**:
  ```
  Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable, repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off.
  ```
  **Current description** (missing comma):
  ```
  Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off.
  ```
  **Expected rationale**:
  ```
  Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited.
  ```
  **Current rationale** (missing period):
  ```
  Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited
  ```
  **Expected remediation**:
  ```
  Open a terminal session and enter the following command to enable automatic checking and installing of macOS updates:
  ```
  **Current remediation**:
  ```
  Open a terminal session and enter the following command to enable install system data files and security updates:
  ```
- Compliance - :green_circle:
- Rules - :yellow_circle:

  We could add:
  ```
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep AutomaticallyInstallMacOSUpdates
  ```
- Execution:
  ```
  sh-3.2# defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates
  0
  ```
- Expected scan result: `FAIL`
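The 1.x checks above all follow one pattern: `defaults read` on a key under `/Library/Preferences/com.apple.SoftwareUpdate` (or `com.apple.commerce`) must return `1`, and the review notes suggest also accepting a managed value from `profiles -P -o stdout`. The script below is an added example, not code from this issue or from the Wazuh SCA policy, that captures that decision so it can be exercised off a Mac: both command outputs are passed in as strings, and the `<KEY> = 1;` line format for the profiles dump is an assumption. It also handles the "domain/default pair ... does not exist" output that `defaults read` prints for an unset key, which must count as non-compliant rather than crash the evaluation.

```shell
#!/bin/sh
# Added example (not part of this issue or of the Wazuh SCA policy under test).
# Evaluates one Software Update preference the way the 1.x checks do:
#   PASS if `defaults read ... <KEY>` printed 1, or if a configuration profile
#   manages the key (`profiles -P -o stdout | grep <KEY>`), otherwise FAIL.
# Both outputs are supplied as strings so the logic runs on any host.
# Assumption: the profiles dump lists a managed key as "<KEY> = 1;".

# sca_key_compliant KEY DEFAULTS_OUTPUT PROFILES_OUTPUT
# Exit status 0 = PASS, 1 = FAIL. "0" or a "does not exist" error from
# `defaults read` both fall through to the managed-preference check.
sca_key_compliant() {
    key=$1
    defaults_out=$2
    profiles_out=$3

    # Locally enabled: the only output line is exactly "1".
    if [ "$defaults_out" = 1 ]; then
        return 0
    fi

    # Otherwise accept the key only if a profile forces it to 1.
    if printf '%s\n' "$profiles_out" | grep -q "$key = 1;"; then
        return 0
    fi
    return 1
}

# sca_result KEY DEFAULTS_OUTPUT PROFILES_OUTPUT -> prints PASS or FAIL
sca_result() {
    if sca_key_compliant "$@"; then echo PASS; else echo FAIL; fi
}

# Constructed sample outputs (not captured from the test VM).
UNSET_MSG='2022-01-01 00:00:00.000 defaults[1:1] The domain/default pair of (/Library/Preferences/com.apple.SoftwareUpdate, AutomaticCheckEnabled) does not exist'
MANAGED='            AutomaticCheckEnabled = 1;'

sca_result AutomaticCheckEnabled 0 ''                     # FAIL, as observed in 1.2
sca_result AutomaticCheckEnabled 1 ''                     # PASS
sca_result AutomaticCheckEnabled "$UNSET_MSG" ''          # FAIL: unset is not compliant
sca_result AutomaticCheckEnabled "$UNSET_MSG" "$MANAGED"  # PASS: enforced by a profile
```

In policy terms this "either source" logic is what pairing the existing `defaults read` rule with the suggested `profiles` rule under `condition: any` expresses; the distinction matters because a machine whose keys are MDM-managed can report `0` or nothing at all from `defaults read` while still being compliant.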
juliamagan commented 2 years ago

2. System Preferences

2.1 Bluetooth

2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired (Automated) :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

  **Expected remediation**:
  ```
  Open a terminal session and enter the following command to disable Bluetooth:
  sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 && sudo killall -HUP bluetoohd
  ```
  **Current remediation**:
  ```
  Open a terminal session and enter the following command to disable bluetooth:
  sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 && sudo killall -HUP blued
  ```
- Compliance - :green_circle:
- Rules - :red_circle:
- Execution:
  ```
  sh-3.2# defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState
  2022-06-23 15:40:09.092 defaults[2725:73556] The domain/default pair of (/Library/Preferences/com.apple.Bluetooth, ControllerPowerState) does not exist
  ```
  ```
  sh-3.2# system_profiler SPBluetoothDataType
  Bluetooth:

        Bluetooth Controller:
            Address: NULL
            State: Off
            Chipset: BCM_4350C2
            Discoverable: Off
            Firmware Version: v0 c0
            Product ID: 0x0001
            Supported services: 0x382039 < HFP AVRCP A2DP HID Braille AACP GATT Serial >
            Transport: UART
            Vendor ID: 0x004C (Apple)
  ```
  We should check `Connected: Yes`, not `Connectable: Yes`.
- Expected scan result: `FAIL`

2.1.2 Ensure Show Bluetooth Status in Menu Bar Is Enabled (Automated) :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

  **Expected rationale**:
  ```
  Enabling "Show Bluetooth status in menu bar" is a security awareness method that helps understand the current state of Bluetooth, including whether it is enabled, discoverable, what paired devices exist, and what paired devices are currently active.
  ```
  **Current rationale** (extra space and missing quotes):
  ```
  Enabling Show Bluetooth status in menu bar is a security awareness method that helps understand the current state of Bluetooth, including whether it is enabled, discoverable, what paired devices exist, and what paired devices are currently active.
  ```
- Compliance - :green_circle:
- Rules - :red_circle:

  Condition should be `all` or we could add:
  ```
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep 'Bluetooth = 18'
  ```
- Execution:
  ```
  sh-3.2# sudo -u root defaults -currentHost read com.apple.controlcenter.plist Bluetooth
  2022-06-23 15:52:40.616 defaults[2796:76467] The domain/default pair of (com.apple.controlcenter.plist, Bluetooth) does not exist
  sh-3.2# sudo -u vagrant defaults -currentHost read com.apple.controlcenter.plist Bluetooth
  2022-06-23 15:53:04.856 defaults[2800:76570] The domain/default pair of (com.apple.controlcenter.plist, Bluetooth) does not exist
  ```
- Expected scan result: `FAIL`

2.2 Date & Time

2.2.1 Ensure "Set time and date automatically" Is Enabled (Automated) :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

  **Expected rationale**:
  ```
  Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features.
  ```
  **Current description** (extra space):
  ```
  Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features.
  ```
  **Remediation**

  We could add:
  ```
  Run the following commands if you have not set, or need to set, a new time zone:
  sudo /usr/sbin/systemsetup -listtimezones
  sudo /usr/sbin/systemsetup -settimezone
  ```
- Compliance - :green_circle:
- Rules - :yellow_circle:

  We could add:
  ```
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep forceAutomaticDateAndTime
  ```
- Execution:
  ```
  sh-3.2# systemsetup -getusingnetworktime
  Network Time: On
  ```
- Expected scan result: `PASS`

2.2.2 Ensure time set is within appropriate limits (Automated) :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

  **Expected description**:
  ```
  Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Ensure that time on the computer is within acceptable limits. Truly accurate time is measured within milliseconds. For this audit, a drift under four and a half minutes passes the control check. Since Kerberos is one of the important features of macOS integration into Directory systems the guidance here is to warn you before there could be an impact to operations. From the perspective of accurate time, this check is not strict, so it may be too great for your organization. Your organization can adjust to a smaller offset value as needed. Note: ntpdate has been deprecated with 10.14. sntp replaces that command.
  ```
  **Current description**:
  ```
  Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Ensure that time on the computer is within acceptable limits. Truly accurate time is measured within milliseconds, for this audit a drift under four and a half minutes passes the control check. Since Kerberos is one of the important features of macOS integration into Directory systems the guidance here is to warn you before there could be an impact to operations. From the perspective of accurate time this check is not strict, it may be too great for your organization, adjust to a smaller offset value as needed. Note: ntpdate has been deprecated with 10.14. sntp replaces that command.
  ```
- Compliance - :green_circle:
- Rules - :red_circle:

  Incomplete:
  ```
  #- Pending check offset is in the 270.x seconds
  ```
- Expected scan result: `-`

2.3 Desktop & Screen Saver

2.3.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (Automated) :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

  **Expected remediation**:
  ```
  Run the following command to verify that the idle time of the screen saver is set to 20 minutes or less (≤1200):
  sudo defaults -currentHost write com.apple.screensaver idleTime -int 600
  ```
  **Current remediation**:
  ```
  Run the following command to verify that the idle time of the screen saver to 20 minutes or less (≤1200):
  sudo defaults -currentHost write com.apple.screensaver idleTime -int 600
  ```
- Compliance - :green_circle:
- Rules - :red_circle:

  We are not checking that the time is less than 20 minutes, but that the output is not:
  ```
  The domain/default pair of (com.apple.screensaver, idleTime) does not exist
  ```
  We could add:
  ```
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep idleTime
  ```
- Execution:
  ```
  2022-06-23 16:39:06.794 defaults[3054:87079] The domain/default pair of (com.apple.screensaver, idleTime) does not exist
  ```
- Expected scan result: `FAIL`

2.3.2 Ensure Screen Saver Corners Are Secure (Automated) :yellow_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :yellow_circle:

  We could add:
  ```
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-bl-corner
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-br-corner
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-tl-corner
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-tr-corner
  ```
  Won't fix as the document states:
  ```
  Verify that the output does not have 6 as a key value. Any other number, or an output that includes does not exist, is compliant.
  ```
- Execution:
  ```
  sh-3.2# defaults read com.apple.dock wvous-tl-corner
  2022-06-23 16:48:58.027 defaults[3109:89304] The domain/default pair of (com.apple.dock, wvous-tl-corner) does not exist
  sh-3.2# defaults read com.apple.dock wvous-bl-corner
  2022-06-23 16:49:07.152 defaults[3112:89385] The domain/default pair of (com.apple.dock, wvous-bl-corner) does not exist
  sh-3.2# defaults read com.apple.dock wvous-tr-corner
  2022-06-23 16:49:16.513 defaults[3113:89403] The domain/default pair of (com.apple.dock, wvous-tr-corner) does not exist
  sh-3.2# defaults read com.apple.dock wvous-br-corner
  2022-06-23 16:49:30.946 defaults[3116:89450] The domain/default pair of (com.apple.dock, wvous-br-corner) does not exist
  ```
- Expected scan result: `PASS`

2.4 Sharing

2.4.1 Ensure Remote Apple Events Is Disabled (Automated) :green_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:
  ```
  sh-3.2# systemsetup -getremoteappleevents
  Remote Apple Events: Off
  ```
- Expected scan result: `PASS`

2.4.2 Ensure Internet Sharing Is Disabled (Automated) :yellow_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :yellow_circle:
  We could add:
  ```
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep forceInternetSharingOff
  ```
- Execution:
  ```
  sh-3.2# defaults read /Library/Preferences/SystemConfiguration/com.apple.nat
  2022-06-23 17:18:00.653 defaults[996:5300] Domain /Library/Preferences/SystemConfiguration/com.apple.nat does not exist
  ```
- Expected scan result: `PASS`

2.4.3 Ensure Screen Sharing Is Disabled (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Expected description**:
  ```
  Screen Sharing allows a computer to connect to another computer on a network and display the computer’s screen. While sharing the computer’s screen, the user can control what happens on that computer, such as opening documents or applications, opening, moving, or closing windows, and even shutting down the computer.
  ```
  **Current description** (missing capital letter):
  ```
  Screen sharing allows a computer to connect to another computer on a network and display the computer's screen. While sharing the computer's screen, the user can control what happens on that computer, such as opening documents or applications, opening, moving, or closing windows, and even shutting down the computer.
  ```
  **Expected rationale**:
  ```
  Disabling Screen Sharing mitigates the risk of remote connections being made without the user of the console knowing that they are sharing the computer.
  ```
  **Current rationale** (missing capital letter):
  ```
  Disabling screen sharing mitigates the risk of remote connections being made without the user of the console knowing that they are sharing the computer.
  ```
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:
  ```
  sh-3.2# sh -c "launchctl print-disabled system | grep -c '\"com.apple.screensharing\" => true'"
  0
  ```
- Expected scan result: `FAIL`

2.4.4 Ensure Printer Sharing Is Disabled (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Expected description**:
  ```
  By enabling Printer Sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead.
  ```
  **Current description** (missing capital letter):
  ```
  By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead.
  ```
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:
  ```
  sh-3.2# sh -c "cupsctl | grep _share_printers | cut -d '=' -f2"
  0
  ```
- Expected scan result: `PASS`

2.4.5 Ensure Remote Login Is Disabled (Automated) - :green_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:
  ```
  sh-3.2# systemsetup -getremotelogin
  Remote Login: On
  ```
- Expected scan result: `FAIL`

2.4.6 Ensure DVD or CD Sharing Is Disabled (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Expected description**
  ```
  DVD or CD Sharing allows users to remotely access the system's optical drive. While Apple does not ship Macs with built-in optical drives any longer, external optical drives are still recognized when they are connected. In testing the sharing of an external optical drive persists when a drive is reconnected.
  ```
  **Current description**
  ```
  DVD or CD Sharing allows users to remotely access the system's optical drive.
  ```
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:
  ```
  sh-3.2# sh -c "launchctl print-disabled system | grep -c '\"com.apple.ODSAgent\" => true'"
  0
  ```
- Expected scan result: `FAIL`

2.4.7 Ensure Bluetooth Sharing Is Disabled (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Remediation**: In all the previous solutions we have specified the command method, and here we have specified the graphic method. We should put in all the same or put in all both.
- Compliance - :green_circle:
- Rules - :yellow_circle:
  We could add:
  ```
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep "PrefKeyServicesEnabled"
  ```
- Execution:
  ```
  sh-3.2# defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled
  2022-06-24 13:21:41.265 defaults[12749:288222] The domain/default pair of (com.apple.Bluetooth, PrefKeyServicesEnabled) does not exist
  ```
- Expected scan result: `FAIL`

2.4.8 Ensure File Sharing Is Disabled (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Expected description**
  ```
  Server Message Block (SMB), Common Internet File System (CIFS)
  When Windows (or possibly Linux) computers need to access file shared on a Mac, SMB/CIFS file sharing is commonly used. Apple warns that SMB sharing stores passwords is a less secure fashion than AFP sharing and anyone with system access can gain access to the password for that account. When sharing with SMB, each user that will access the Mac must have SMB enabled.
  ```
  **Current description**
  ```
  Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)
  ```
  **Expected remediation**
  ```
  sudo launchctl disable system/com.apple.smbd
  ```
  **Current remediation**
  ```
  sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist
  ```
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:
  ```
  sh-3.2# sh -c "launchctl print-disabled system | grep -c '\"com.apple.smbd\" => true'"
  0
  ```
- Expected scan result: `FAIL`

2.4.9 Ensure Remote Management Is Disabled (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Expected description**
  ```
  Remote Management is the client portion of Apple Remote Desktop (ARD). Remote Management can be used by remote administrators to view the current screen, install software, report on, and generally manage client Macs. The screen sharing options in Remote Management are identical to those in the Screen Sharing section. In fact, only one of the two can be configured. If Remote Management is used, refer to the Screen Sharing section above on issues regard screen sharing. Remote Management should only be enabled when a Directory is in place to manage the accounts with access. Computers will be available on port 5900 on a macOS System and could accept connections from untrusted hosts depending on the configuration, definitely a concern for mobile systems.
  ```
  **Current description** (extra capital letter)
  ```
  Remote Management is the client portion of Apple Remote Desktop (ARD). Remote Management can be used by remote administrators to view the current Screen, install software, report on, and generally manage client Macs. The screen sharing options in Remote Management are identical to those in the Screen Sharing section. In fact, only one of the two can be configured. If Remote Management is used, refer to the Screen Sharing section above on issues regard screen sharing. Remote Management should only be enabled when a Directory is in place to manage the accounts with access. Computers will be available on port 5900 on a macOS System and could accept connections from untrusted hosts depending on the configuration, definitely a concern for mobile systems.
  ```
  **Expected rationale**
  ```
  Remote Management should only be enabled on trusted networks with strong user controls present in a Directory system. Mobile devices without strict controls are vulnerable to exploit and monitoring.
  ```
  **Current rationale** (missing capital letter)
  ```
  Remote management should only be enabled on trusted networks with strong user controls present in a Directory system. Mobile devices without strict controls are vulnerable to exploit and monitoring.
  ```
  **Expected remediation**
  ```
  Run the following command to disable Remote Management:
  ```
  **Current remediation** (missing capital letter)
  ```
  Run the following command to disable remote management:
  ```
- Compliance - :green_circle:
- Rules - :red_circle:
- Execution:
  ```
  2022/06/24 13:51:52 sca[13003] wm_sca.c:1192 at wm_sca_do_scan(): DEBUG: Process not found.
  2022/06/24 13:51:52 sca[13003] wm_sca.c:1218 at wm_sca_do_scan(): DEBUG: Result for rule 'not p:ARDAgent': 1
  2022/06/24 13:51:52 sca[13003] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 29020 'Ensure Remote Management Is Disabled.' -> 1
  2022/06/24 13:51:52 sca[13003] wm_sca.c:479 at wm_sca_read_files(): DEBUG: Calculating hash for scanned results.
  2022/06/24 13:51:52 sca[13003] wm_sca.c:2802 at wm_sca_hash_integrity(): DEBUG: Concatenating check results:
  2022/06/24 13:51:52 sca[13003] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29020; Result: 'passed'
  ```
  ```
  sh-3.2# ps -ef | grep -e ARDAgent
    501   860     1   0  5:14PM ??         0:00.23 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
      0 13736 10342   0  1:52PM ttys001    0:00.00 grep -e ARDAgent
  ```
- Expected scan result: `FAIL`

2.4.10 Ensure Content Caching Is Disabled (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Expected description**
  ```
  Starting with 10.13 (macOS High Sierra) Apple introduced a service to make it easier to deploy data from Apple, including software updates, where there are bandwidth constraints to the Internet and fewer constraints and greater bandwidth on the local subnet. This capability can be very valuable for organizations that have throttled and possibly metered Internet connections. In heterogeneous enterprise networks with multiple subnets the effectiveness of this capability would be determined on how many Macs were on each subnet at the time new large updates were made available upstream. This capability requires the use of mac OS clients as P2P nodes for updated Apple content. Unless there is a business requirement to manage operational Internet connectivity bandwidth user endpoints should not store content and act as a cluster to provision data.
  ```
  **Current description**
  ```
  Starting with 10.13 (macOS High Sierra) Apple introduced a service to make it easier deploy data from Apple, including software updates, where there are bandwidth constraints to the Internet and fewer constraints and greater bandwidth on the local subnet. This capability can be very valuable for organizations that have throttled and possibly metered Internet connections. In heterogeneous enterprise networks with multiple subnets the effectiveness of this capability would be determined on how many Macs were on each subnet at the time new large updates were made available upstream. This capability requires the use of mac OS clients as P2P nodes for updated Apple content. Unless there is a business requirement to manage operational Internet connectivity bandwidth user endpoints should not store content and act as a cluster to provision data.
  ```
  **Expected remediation**
  ```
  Run the following command to disable Content Caching:
  ```
  **Current remediation**
  ```
  Run the following command in to disable content caching:
  ```
- Compliance - :green_circle:
- Rules - :yellow_circle:
  We could add:
  ```
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep allowContentCaching
  ```
- Execution:
  ```
  sh-3.2# defaults read /Library/Preferences/com.apple.AssetCache.plist Activated
  0
  ```
- Expected scan result: `PASS`

2.4.11 Ensure AirDrop Is Disabled (Automated) :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Current description**
  ```
  While there are positives to AirDrop, there are privacy concerns that could expose personal information. For that reason, AirDrop should be disabled, and should only be enabled when needed and disabled afterwards.
  ```
  **Expected description**
  ```
  AirDrop is Apple's built-in on demand ad hoc file exchange system that is compatible with both macOS and iOS. It uses Bluetooth LE for discovery that limits connectivity to Mac or iOS users that are in close proximity. Depending on the setting it allows everyone or only Contacts to share files when they are nearby to each other. In many ways this technology is far superior to the alternatives. The file transfer is done over a TLS encrypted session, does not require any open ports that are required for file sharing, does not leave file copies on email servers or within cloud storage, and allows for the service to be mitigated so that only people already trusted and added to contacts can interact with you. While there are positives to AirDrop, there are privacy concerns that could expose personal information. For that reason, AirDrop should be disabled, and should only be enabled when needed and disabled afterwards.
  ```
- Compliance - :green_circle:
- Rules - :yellow_circle:
  We could add:
  ```
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep DisableAirDrop
  ```
- Execution:
  ```
  sh-3.2# defaults read com.apple.NetworkBrowser DisableAirDrop
  2022-06-27 13:52:49.246 defaults[43492:1298831] The domain/default pair of (com.apple.NetworkBrowser, DisableAirDrop) does not exist
  ```
- Expected scan result: `FAIL`

2.4.12 Ensure Media Sharing Is Disabled (Automated) :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Current title**
  ```
  Disable Media Sharing.
  ```
  **Expected title**
  ```
  Ensure Media Sharing Is Disabled.
  ```
  **Current remediation**
  ```
  Run the following command in to disable content caching:
  sudo AssetCacheManagerUtil deactivate
  ```
  **Expected remediation**
  ```
  Run the following command to disable Media Sharing:
  sudo -u defaults write com.apple.amp.mediasharingd home-sharing-enabled -int 0
  ```
- Compliance - :green_circle:
- Rules - :yellow_circle:
  We could add:
  ```
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep homeSharingUIStatus
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep legacySharingUIStatus
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep mediaSharingUIStatus
  ```
- Execution:
  ```
  sh-3.2# defaults read com.apple.amp.mediasharingd home-sharing-enabled
  2022-06-27 13:53:24.736 defaults[43497:1299014] The domain/default pair of (com.apple.amp.mediasharingd, home-sharing-enabled) does not exist
  ```
- Expected scan result: `FAIL`

2.5 Security & Privacy

2.5.1 Encryption

2.5.1.1 Ensure FileVault Is Enabled (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Current description**
  ```
  FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it. Filevault may also be enabled using command line using the fdesetup command. To use this functionality, consult the Der Flounder blog for more details:
  ```
  **Expected description**
  ```
  FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it. FileVault may also be enabled using command line using the fdesetup command. To use this functionality, consult the Der Flounder blog for more details.
  ```
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:
  ```
  sh-3.2# fdesetup status
  FileVault is Off.
  ```
- Expected scan result: `FAIL`

2.5.2 Firewall

2.5.2.1 Ensure Gatekeeper is Enabled (Automated) - :yellow_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :yellow_circle:
  We could add:
  ```
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep AllowIdentifiedDevelopers
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep EnableAssessment
  ```
- Execution:
  ```
  sh-3.2# spctl --status
  assessments enabled
  ```
- Expected scan result: `PASS`

2.5.2.2 Ensure Firewall Is Enabled (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Current description**
  ```
  A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall.
  ```
  **Expected description** (extra space)
  ```
  A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall.
  ```
- Compliance - :green_circle:
- Rules - :yellow_circle:
  We could add:
  ```
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep EnableFirewall
  ```
- Execution:
  ```
  sh-3.2# defaults read /Library/Preferences/com.apple.alf globalstate
  0
  ```
- Expected scan result: `FAIL`

2.5.2.3 Ensure Firewall Stealth Mode Is Enabled (Automated) - :yellow_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :yellow_circle:
  We could add:
  ```
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep EnableStealthMode
  ```
- Execution:
  ```
  sh-3.2# /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
  Stealth mode disabled
  ```
- Expected scan result: `FAIL`

2.5.3 Ensure Location Services Is Enabled (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Current description**
  ```
  macOS uses location information gathered through local Wi-Fi networks to enable applications to supply relevant information to users. Users do not need to change the time or the time zone, the computer will do it for them. They do not need to specify their location for weather or travel times and even get alerts on travel times to meetings and appointment where location information is supplied. For the purpose of asset management and time and log management with mobile computers location services simplify some processes. There are some use cases where it is important that the computer not be able to report it's exact location. While the general use case is to enable Location Services, it should not be allowed if the physical location of the computer and the user should not be public knowledge.
  ```
  **Expected description**
  ```
  macOS uses location information gathered through local Wi-Fi networks to enable applications to supply relevant information to users. With the operating system verifying the location, users do not need to change the time or the time zone. The computer will change them based on the user's location. They do not need to specify their location for weather or travel times and even get alerts on travel times to meetings and appointment where location information is supplied. Location Services simplify some processes, for the purpose of asset management and time and log management, with mobile computers. There are some use cases where it is important that the computer not be able to report its exact location. While the general use case is to enable Location Services, it should not be allowed if the physical location of the computer and the user should not be public knowledge.
  ```
  **Current rationale**
  ```
  Location services are helpful in most use cases and can simplify log and time management where computers change time zones.
  ```
  **Expected rationale**
  ```
  Location Services are helpful in most use cases and can simplify log and time management where computers change time zones.
  ```
  **Current remediation**
  ```
  Run the following command to enable location services:
  ```
  **Expected remediation**
  ```
  Run the following command to enable Location Services:
  ```
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:
  ```
  sh-3.2# sh -c "launchctl list | grep -c com.apple.locationd"
  1
  ```
- Expected scan result: `PASS`

2.5.5 Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Current remediation**
  ```
  For each needed user, run the following command to enable limited ad tracking:
  sudo -u defaults -currentHost write /Users//Library/Preferences/com.apple.Adlib.plist allowApplePersonalizedAdvertising -bool false
  ```
  **Expected remediation**
  ```
  Run the following commands:
  sudo /usr/bin/defaults write /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit -bool false
  sudo /bin/chmod 644 /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist
  sudo /usr/sbin/chgrp admin /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist
  ```
- Compliance - :green_circle:
- Rules - :yellow_circle:
  We could add:
  ```
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep allowDiagnosticSubmission
  ```
- Execution:
  ```
  sh-3.2# defaults read /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit
  0
  ```
- Expected scan result: `PASS`

2.7 Time Machine

2.7.1 Ensure Backup Up Automatically is Enabled (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Current remediation**
  ```
  Run the following enable TimeMachine:
  sudo sudo tmutil setdestination -a /Volumes/ && sudo tmutil enable
  ```
  **Expected remediation**
  ```
  Run the following command to enable automatic backups if Time Machine is enabled:
  sudo /usr/bin/defaults write /Library/Preferences/com.apple.TimeMachine.plist AutoBackup -bool true
  ```
- Compliance - :green_circle:
- Rules - :yellow_circle:
  We could add:
  ```
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep "AutoBackup"
  ```
- Execution:
  ```
  sh-3.2# defaults read /Library/Preferences/com.apple.TimeMachine.plist AutoBackup
  2022-06-27 13:59:07.464 defaults[43534:1300236] The domain/default pair of (/Library/Preferences/com.apple.TimeMachine.plist, AutoBackup) does not exist
  ```
- Expected scan result: `FAIL`

2.8 Ensure Wake for Network Access Is Disabled (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Current description**
  ```
  This feature allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. Theie macOS feature is meant to allow the computer to resume activity as needed regardless of physical security controls. This feature allows other users to be able to access your computer's shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals.
  ```
  **Expected description** (typo)
  ```
  This feature allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. This macOS feature is meant to allow the computer to resume activity as needed regardless of physical security controls. This feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on any unmanaged network or where untrusted devices exist that could send wake signals.
  ```
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:
  ```
  sh-3.2# sh -c "pmset -g | grep -e womp"
  sh-3.2#
  ```
- Expected scan result: `FAIL`

2.9 Ensure Power Nap Is Disabled (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Current description**
  ```
  This features allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. This macOS features are meant to allow the computer to resume activity as needed regardless of physical security controls. Power Nap allows the system to stay in low power mode, especially while on battery power and periodically connect to previously named networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input.
  ```
  **Expected description** (typo)
  ```
  This feature allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. This macOS feature is meant to allow the computer to resume activity as needed regardless of physical security controls. Power Nap allows the system to stay in low power mode, especially while on battery power and periodically connect to previously named networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input. This control has been updated to check the status on both battery and AC Power. The presence of an electrical outlet does not completely correlate with logical and physical security of the device or available networks.
  ```
  **Current rationale**
  ```
  Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access.
  ```
  **Expected rationale**
  ```
  Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access. The use of Power Nap adds to the risk of compromised physical and logical security. The user should be able to decrypt FileVault and have the applications download what is required when the computer is actively used. The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs.
  ```
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:
  ```
  sh-3.2# sh -c "pmset -g everything | grep -e powernap"
  sh-3.2#
  ```
- Expected scan result: `FAIL`

2.10 Ensure Secure Keyboard Entry terminal.app is Enabled (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle:
  **Remediation**: Again we have specified the graphical method instead of the terminal method, we should have a standard and always use the same one or both.
- Compliance - :green_circle:
- Rules - :yellow_circle:
  We could add:
  ```
  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep SecureKeyboardEntry
  ```
- Execution:
  ```
  sh-3.2# defaults read -app Terminal SecureKeyboardEntry
  2022-06-27 13:52:12.870 defaults[43489:1298721] The domain/default pair of (com.apple.Terminal, SecureKeyboardEntry) does not exist
  ```
- Expected scan result: `FAIL`

2.11 Ensure EFI Version Is Valid and Checked Regularly (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Current description**
  ```
  In order to mitigate firmware attacks Apple has created a automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days.
  ```
  **Expected description**
  ```
  In order to mitigate firmware attacks Apple has created an automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days.
  ```
- Compliance - :green_circle:
- Rules - :red_circle:
  Missing:
  ```
  sudo /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check
  ```
- Execution:
  ```
  sh-3.2# sh -c "system_profiler SPiBridgeDataType | grep \"T2\""
  sh-3.2#
  ```
  ```
  sh-3.2# sh -c "launchctl list | grep com.apple.driver.eficheck"
  -	0	com.apple.driver.eficheck
  ```
- Expected scan result: `FAIL`
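One way to evaluate check 2.3.1 on the configured value rather than on the mere presence of the key, as an added shell example that is not part of this issue and not code from the Wazuh SCA policy. It takes the raw output of `defaults -currentHost read com.apple.screensaver idleTime` (stdout and stderr merged, so the "does not exist" message is seen) and reports PASS only for an integer between 1 and 1200. Treating 0, which disables the screen saver, as non-compliant is an assumption of this example, not something stated in the thread; the sample strings are constructed (the first one mirrors the message captured in the execution above), and the SCA rule form in the trailing comment is the numeric-comparison syntax as I understand it, not a rule taken from the policy.

```shell
#!/bin/sh
# Added example, not code from the wazuh-qa issue or from cis_apple_macOS_12.0.yml.
# Evaluates CIS 2.3.1 on the idleTime value (must be <= 1200 seconds) instead of
# only checking whether the key exists.

# idle_time_verdict RAW_OUTPUT
#   RAW_OUTPUT is what `defaults -currentHost read com.apple.screensaver idleTime 2>&1`
#   printed. Prints a one-line verdict and returns 0 for PASS, 1 for FAIL.
idle_time_verdict() {
    raw=$1

    # Key not set: macOS prints "... does not exist" on stderr. That is a FAIL,
    # because nothing proves the idle time is 20 minutes or less.
    case "$raw" in
        *"does not exist"*)
            echo "FAIL: idleTime is not set"
            return 1 ;;
    esac

    # Drop whitespace; anything that is not a plain non-negative integer is a FAIL.
    val=$(printf '%s' "$raw" | tr -d ' \t\r\n')
    case "$val" in
        ''|*[!0-9]*)
            echo "FAIL: unexpected output '$raw'"
            return 1 ;;
    esac

    # Assumption of this example: 0 means "never start the screen saver",
    # which does not satisfy "20 minutes or less".
    if [ "$val" -eq 0 ]; then
        echo "FAIL: idleTime=0 disables the screen saver"
        return 1
    fi

    if [ "$val" -le 1200 ]; then
        echo "PASS: idleTime=$val (<= 1200)"
        return 0
    fi
    echo "FAIL: idleTime=$val (> 1200)"
    return 1
}

# On a real Mac: merge stderr so the "does not exist" message reaches the check.
idle_time_check_host() {
    idle_time_verdict "$(defaults -currentHost read com.apple.screensaver idleTime 2>&1)"
}

# Constructed sample outputs for offline use. SAMPLE_MISSING mirrors the message
# captured in the issue; the other three are made up for this example.
SAMPLE_MISSING='2022-06-23 16:39:06.794 defaults[3054:87079] The domain/default pair of (com.apple.screensaver, idleTime) does not exist'
SAMPLE_OK='600'
SAMPLE_TOO_LONG='1800'
SAMPLE_ZERO='0'

# Equivalent SCA rule form (assumed syntax, not taken from the policy): a command
# rule with a numeric comparison on the captured group, so a missing key (nothing
# on stdout) and a value above 1200 both fail the check:
#   - 'c:defaults -currentHost read com.apple.screensaver idleTime -> n:^(\d+) compare <= 1200'

# Stand-alone demonstration over the constructed samples.
for s in "$SAMPLE_MISSING" "$SAMPLE_OK" "$SAMPLE_TOO_LONG" "$SAMPLE_ZERO"; do
    idle_time_verdict "$s" || :
done
```

Run it as `sh idle_time.sh` to see the four verdicts; on a Mac, call `idle_time_check_host` instead of the loop to grade the live setting. The same pattern (merge stderr, match the "does not exist" text explicitly, then compare the number) applies to the other `defaults` based checks in this thread where the policy currently only tests for key presence.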
juliamagan commented 2 years ago

Global checks

Installer use cis_apple_macOS_12.0.yml policy :green_circle:

```
sh-3.2# ls /Library/Ossec/ruleset/sca/
cis_apple_macOS_12.0.yml
```
```
sh-3.2# pkill modulesd; /Library/Ossec/bin/wazuh-modulesd -fdd 2>&1 | grep 'sca\['
2022/06/24 12:08:02 sca[10309] wm_sca.c:141 at wm_sca_main(): INFO: Module started.
2022/06/24 12:08:02 sca[10309] wm_sca.c:180 at wm_sca_main(): INFO: Loaded policy '/Library/Ossec/ruleset/sca/cis_apple_macOS_12.0.yml'
```

Checks IDs are consistent :green_circle:

Consistency means that checks are ordered from least to greatest by their ids. In this case we can easily check this using the following command:
```
sh-3.2# cat /Library/Ossec/ruleset/sca/cis_apple_macOS_12.0.yml | grep "\- id" | cut -d':' -f2 | tr -d ' ' > f1
sh-3.2# seq 29000 29064 > f2
sh-3.2# diff f1 f2
```
juliamagan commented 2 years ago

3. Logging and Auditing

3.1 Ensure Security Auditing Is Enabled (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :red_circle:
  Why did we check the whole line before, including the 0, and now we only check the name?
  **Note**: It is not necessary to check the whole line to find if the auditd is loaded.
- Execution:
  ```
  sh-3.2# sh -c "launchctl list | grep -i auditd"
  132	0	com.apple.auditd
  ```
- Expected scan result: `PASS`

3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size (Automated) - :red_circle:

Details
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
  **Expected description**:
  ```
  macOS writes information pertaining to system-related events to the file /var/log/install.log and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization. The default value has an "all_max" file limitation, no reference to a minimum retention and a less precise rotation argument. The all_max flag control will remove old log entries based only on the size of the log files. Log size can vary widely depending on how verbose installing applications are in their log entries. The decision here is to ensure that logs go back a year and depending on the applications a size restriction could compromise the ability to store a full year. While this Benchmark is not scoring for a rotation flag the default rotation is sequential rather than using a timestamp. Auditors may prefer timestamps in order to simply review specific dates where event information is desired. Please review the File Rotation section in the man page for more information.
  • The maximum file size limitation string should be removed "all_max="
  • An organization appropriate retention should be added "ttl="
  • The rotation should be set with timestamps "rotate=utc" or "rotate=local"
  ```
  **Current description**:
  ```
  macOS writes information pertaining to system-related events to the file /var/log/install.log and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization.
  ```
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:
  ```
  sh-3.2# grep -i ttl /etc/asl/com.apple.install
  sh-3.2#
  ```
  ```
  sh-3.2# grep -i all_max= /etc/asl/com.apple.install
  * file /var/log/install.log format='$((Time)(JZ)) $Host $(Sender)[$(PID)]: $Message' rotate=seq compress file_max=50M all_max=150M size_only
  ```
- Expected scan result: `FAIL`

3.5 Ensure Access to Audit Records Is Controlled (Automated) - :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected description**

```
The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. macOS ACLs should not be used for these files.
```

**Current description**

```
The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read only rights and no other access allowed. macOS ACLs should not be used for these files.
```

**Expected rationale**

```
Audit records should never be changed except by the system daemon posting events. Records may be viewed or extracts manipulated, but the authoritative files should be protected from unauthorized changes.
```

**Current description**:

```
KAudit records should never be changed except by the system daemon posting events. Records may be viewed or extracts manipulated but the authoritative files should be protected from unauthorized changes.
```

**Remediation**

Missing two commands:

```
sudo chmod -R o-rw /etc/security/audit_control
sudo chmod -R o-rw /var/audit/
```

- Compliance - :green_circle:
- Rules - :red_circle: We are not checking permissions, only the owner and group.
- Execution:

```
sh-3.2# ls -le /etc/security/audit_control
-r-------- 1 root wheel 358 18 oct 2021 /etc/security/audit_control
```

```
sh-3.2# ls -le /var/audit/
total 1064
-r--r----- 1 root wheel 240451 17 nov 2021 20211117094230.crash_recovery
-r--r----- 1 root wheel 112746 17 nov 2021 20211117104632.crash_recovery
-r--r----- 1 root wheel 10976 17 nov 2021 20211117150859.crash_recovery
-r--r----- 1 root wheel 10407 22 nov 2021 20211122112057.crash_recovery
-r--r----- 1 root wheel 11947 22 nov 2021 20211122155115.crash_recovery
-r--r----- 1 root wheel 18669 23 nov 2021 20211123081323.crash_recovery
-r--r----- 1 root wheel 12768 23 nov 2021 20211123085337.crash_recovery
-r--r----- 1 root wheel 11793 23 nov 2021 20211123092331.crash_recovery
-r--r----- 1 root wheel 8442 23 nov 2021 20211123093436.crash_recovery
-r--r----- 1 root wheel 13573 23 nov 2021 20211123093755.crash_recovery
-r--r----- 1 root wheel 10253 23 nov 2021 20211123094231.crash_recovery
-r--r----- 1 root wheel 17682 23 nov 2021 20211123115708.crash_recovery
-r--r----- 1 root wheel 39804 27 jun 17:21 20220623151227.not_terminated
lrwxr-xr-x 1 root wheel 40 23 jun 17:12 current -> /var/audit/20220623151227.not_terminated
```

- Expected scan result: `PASS`

3.6 Ensure Firewall Logging Is Enabled and Configured (Automated) - :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected description**

```
The socketfilter firewall is what is used when the firewall is turned on in the Security Preference Pane. In order to appropriately monitor what access is allowed and denied logging must be enabled. The logging level must be set to "detailed" to be useful in monitoring connection attempts that the firewall detects. Throttled login is not sufficient for examine firewall connection attempts.
```

**Current description**

```
The socketfilter firewall is what is used when the firewall is turned on in the Security PreferencePane. In order to appropriately monitor what access is allowed and denied logging must be enabled.
```

**Expected rationale**

```
In order to troubleshoot the successes and failures of a firewall, detailed logging should be enabled.
```

**Current rationale**

```
In order to troubleshoot the successes and failures of a firewall logging should be enabled.
```

**Remediation**

Missing command:

```
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
```

- Compliance - :green_circle:
- Rules - :yellow_circle: We could add:

```
sudo /usr/sbin/system_profiler SPFirewallDataType | /usr/bin/grep Logging
sudo /usr/bin/defaults read /Library/Preferences/com.apple.alf.plist loggingoption
```

- Execution:

```
sh-3.2# /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode
Log mode is on
```

- Expected scan result: `PASS`
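The two findings above that a rule based purely on string presence would miss (3.3: `all_max=` must be gone and `ttl=`/`rotate=` present; 3.5: mode bits and ACLs matter, not just owner and group) can be evaluated offline against sample output. This is an added example and is not code from the wazuh-qa issue or from the Wazuh SCA policy; the ASL rule lines and the `ls -le` listing are constructed (the default ASL rule mirrors the grep output quoted in the comment), and the `+` ACL marker on one listing line is assumed for illustration.

```python
"""Added example, not code from the wazuh-qa issue or from the Wazuh SCA policy.
Evaluates two of the CIS macOS 12 checks above against constructed input:

3.3  install.log retention: the /etc/asl/com.apple.install rule needs ttl=,
     no all_max=, and rotate=utc or rotate=local.
3.5  audit record access: /etc/security/audit_control and everything in
     /var/audit must be root:wheel with no 'other' access and no ACL, which
     a rule that only inspects owner and group cannot detect.
"""
import re
import shlex

# Constructed samples. ASL_DEFAULT mirrors the grep output in the comment;
# ASL_HARDENED is what the benchmark remediation produces.
ASL_DEFAULT = ("* file /var/log/install.log format='$((Time)(JZ)) $Host "
               "$(Sender)[$(PID)]: $Message' rotate=seq compress "
               "file_max=50M all_max=150M size_only")
ASL_HARDENED = ("* file /var/log/install.log format='$((Time)(JZ)) $Host "
                "$(Sender)[$(PID)]: $Message' rotate=utc compress "
                "file_max=50M ttl=365")


def parse_asl_options(line):
    """Split an asl.conf 'file' action line into its options.
    key=value tokens become entries; bare flags (compress, size_only) map to True."""
    opts = {}
    for tok in shlex.split(line):
        key, sep, val = tok.partition("=")
        opts[key] = val if sep else True
    return opts


def install_log_retention_ok(line, min_days=365):
    """CIS 3.3: return (ok, reasons) for one com.apple.install rule line."""
    opts = parse_asl_options(line)
    reasons = []
    ttl = opts.get("ttl")
    if not (isinstance(ttl, str) and ttl.isdigit() and int(ttl) >= min_days):
        reasons.append("ttl missing or below %d days" % min_days)
    if "all_max" in opts:
        reasons.append("all_max present: size-based pruning overrides retention")
    if opts.get("rotate") not in ("utc", "local"):
        reasons.append("rotate is not utc/local")
    return (not reasons, reasons)


# Constructed `ls -le` style listing; the '+' suffix marks an ACL on macOS.
AUDIT_LISTING = """\
-r-------- 1 root wheel 358 18 oct 2021 /etc/security/audit_control
total 1064
-r--r----- 1 root wheel 240451 17 nov 2021 20211117094230.crash_recovery
-r--r-----+ 1 root wheel 10976 17 nov 2021 20211117150859.crash_recovery
-r--r--r-- 1 root wheel 39804 27 jun 17:21 20220623151227.not_terminated
lrwxr-xr-x 1 root wheel 40 23 jun 17:12 current -> /var/audit/20220623151227.not_terminated
"""

LS_RE = re.compile(r"^([-dl])([rwx-]{9})([@+]?)\s+\d+\s+(\S+)\s+(\S+)\s+\d+"
                   r"\s+\S+\s+\S+\s+\S+\s+(.+)$")


def audit_access_violations(listing):
    """CIS 3.5: list (name, reason) for entries that are not root:wheel,
    grant any access to 'other', or carry an ACL. Symlinks are skipped
    because their mode bits are not meaningful."""
    bad = []
    for text in listing.splitlines():
        m = LS_RE.match(text)
        if not m:
            continue  # 'total N' and anything we cannot parse
        ftype, mode, acl, owner, group, name = m.groups()
        if ftype == "l":
            continue
        if (owner, group) != ("root", "wheel"):
            bad.append((name, "owner/group is %s:%s" % (owner, group)))
        if mode[6:] != "---":
            bad.append((name, "other has access (%s)" % mode[6:]))
        if acl == "+":
            bad.append((name, "ACL present"))
    return bad


if __name__ == "__main__":
    for label, rule in (("default", ASL_DEFAULT), ("hardened", ASL_HARDENED)):
        print("3.3 %-8s" % label, install_log_retention_ok(rule))
    print("3.5", audit_access_violations(AUDIT_LISTING))
```

On a real host the inputs would come from `grep -i install.log /etc/asl/com.apple.install` and `ls -le /etc/security/audit_control /var/audit`, both already shown in the execution output above.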
juliamagan commented 2 years ago

4. Network Configurations

4.1 Ensure Bonjour Advertising Services Is Disabled (Automated) - :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected rationale**

```
Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of "I'm here!" messages. Typical end-user endpoints should not have to advertise services to other computers. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices the pf or other firewall would be needed.
```

**Current rationale**

```
Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour''s multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of "I''m here!" messages. Typical end-user endpoints should not have to advertise services to other computers. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices the pf or other firewall would be needed.
```

- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
sh-3.2# defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements
2022-06-28 11:13:52.585 defaults[51666:1584250] The domain/default pair of (/Library/Preferences/com.apple.mDNSResponder.plist, NoMulticastAdvertisements) does not exist
```

```
sh-3.2# sh -c "profiles -P -o stdout | grep NoMulticastAdvertisements"
sh-3.2#
```

- Expected scan result: `FAIL`

4.4 Ensure HTTP Server Is Disabled (Automated) - :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :red_circle: Condition should be `all`. **NOTE**: The `any` condition will work as the `all` condition.
- Execution:

```
sh-3.2# sh -c "launchctl print-disabled system | grep -c '\"org.apache.httpd\" => true'"
0
```

- Expected scan result: `FAIL`

4.5 Ensure NFS Server Is Disabled (Automated) - :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :red_circle: Rule condition is none, but `1` in second rule is expected. **NOTE**: the expected `1` is the count of the lines from the `grep` command, it is not the answer from the `launch` command.
- Execution:

```
sh-3.2# cat /etc/exports
cat: /etc/exports: No such file or directory
```

```
sh-3.2# sh -c "launchctl print-disabled system | grep -c '\"com.apple.nfsd\" => true'"
0
```

- Expected scan result: `PASS`, when fixed: `FAIL`
juliamagan commented 2 years ago

5. System Access, Authentication and Authorization

5.1 File System Permissions and Access Controls

5.1.2 Ensure System Integrity Protection Status (SIPS) Is Enabled (Automated) - :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle: **Remediation**: missing step 5: reboot the computer
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
sh-3.2# csrutil status
System Integrity Protection status: enabled.
```

- Expected scan result: `PASS`

5.1.3 Ensure Apple Mobile File Integrity Is Enabled (Automated) - :green_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
sh-3.2# sh -c "nvram -p | grep -c \"amfi_get_out_of_my_way=1\""
0
```

- Expected scan result: `PASS`

5.1.4 Ensure Library Validation Is Enabled (Automated) - :green_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
sh-3.2# defaults read /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation
2022-06-28 12:15:50.102 defaults[52106:1598265] The domain/default pair of (/Library/Preferences/com.apple.security.libraryvalidation.plist, DisableLibraryValidation) does not exist
```

```
sh-3.2# sh -c "profiles -P -o stdout | grep DisableLibraryValidation"
sh-3.2#
```

- Expected scan result: `FAIL`

5.1.5 Ensure Sealed System Volume (SSV) Is Enabled (Automated) - :green_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
sh-3.2# csrutil authenticated-root status
Authenticated Root status: enabled
```

- Expected scan result: `PASS`

5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications (Automated) - :green_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
sh-3.2# find /Applications -iname "*.app" -type d -perm -2 -ls 2> /dev/null
sh-3.2# echo $?
0
```

- Expected scan result: `PASS`

5.1.7 Ensure No World Writable Files Exist in the System Folder (Automated) - :green_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
sh-3.2# find /System/Volumes/Data/System -type d -perm -2 -ls 2> /dev/null
sh-3.2# echo $?
0
```

- Expected scan result: `PASS`

5.1.8 Ensure No World Writable Files Exist in the Library Folder (Automated) - :green_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
sh-3.2# sh -c "find /System/Volumes/Data/Library -type d -perm -2 -ls 2> /dev/null | grep -v 'Caches|Audio'"
77277 0 drwxrwxrwx 2 _coreaudiod _coreaudiod 64 18 oct 2021 /System/Volumes/Data/Library/Preferences/Audio/Data
81585 0 drwxrwxrwt 6 root admin 192 17 nov 2021 /System/Volumes/Data/Library/Caches
```

- Expected scan result: `FAIL`

5.3 Ensure the Sudo Timeout Period Is Set to Zero (Automated) - :green_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
2022/06/28 15:03:36 sca[53178] wm_sca.c:1601 at wm_sca_check_file_list_for_contents(): DEBUG: Match not found in file '/etc/sudoers'. Continuing.
2022/06/28 15:03:36 sca[53178] wm_sca.c:1605 at wm_sca_check_file_list_for_contents(): DEBUG: Result for (r:^\s*\t*Defaults\s*\t*timestamp_timeout=0)(/etc/sudoers) -> 0
2022/06/28 15:03:36 sca[53178] wm_sca.c:1218 at wm_sca_do_scan(): DEBUG: Result for rule 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*timestamp_timeout=0': 0
2022/06/28 15:03:36 sca[53178] wm_sca.c:1225 at wm_sca_do_scan(): DEBUG: Breaking from rule aggregator 'all' with found = 0
2022/06/28 15:03:36 sca[53178] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 29049 'Ensure the Sudo Timeout Period Is Set to Zero.' -> 0
2022/06/28 15:03:36 sca[53178] wm_sca.c:479 at wm_sca_read_files(): DEBUG: Calculating hash for scanned results.
2022/06/28 15:03:36 sca[53178] wm_sca.c:2802 at wm_sca_hash_integrity(): DEBUG: Concatenating check results:
2022/06/28 15:03:36 sca[53178] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29049; Result: 'failed'hes
```

```
sh-3.2# grep -e "timestamp" /etc/sudoers
sh-3.2#
```

- Expected scan result: `FAIL`

5.4 Ensure a Separate Timestamp Is Enabled for Each User/tty Combo (Automated) - :green_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
2022/06/28 15:03:36 sca[53178] wm_sca.c:1601 at wm_sca_check_file_list_for_contents(): DEBUG: Match not found in file '/etc/sudoers'. Continuing.
2022/06/28 15:03:36 sca[53178] wm_sca.c:1605 at wm_sca_check_file_list_for_contents(): DEBUG: Result for (r:^\s*\t*Defaults\s*\t*timestamp_timeout=0)(/etc/sudoers) -> 0
2022/06/28 15:03:36 sca[53178] wm_sca.c:1218 at wm_sca_do_scan(): DEBUG: Result for rule 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*timestamp_timeout=0': 0
2022/06/28 15:03:36 sca[53178] wm_sca.c:1225 at wm_sca_do_scan(): DEBUG: Breaking from rule aggregator 'all' with found = 0
2022/06/28 15:03:36 sca[53178] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 29049 'Ensure the Sudo Timeout Period Is Set to Zero.' -> 0
2022/06/28 15:03:36 sca[53178] wm_sca.c:479 at wm_sca_read_files(): DEBUG: Calculating hash for scanned results.
2022/06/28 15:03:36 sca[53178] wm_sca.c:2802 at wm_sca_hash_integrity(): DEBUG: Concatenating check results:
2022/06/28 15:03:36 sca[53178] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29049; Result: 'failed'hes
```

```
sh-3.2# sudo /usr/bin/grep -E -s '!tty_tickets' /etc/sudoers /etc/sudoers.d/*
sh-3.2# sudo /usr/bin/grep -E -s 'timestamp_type' /etc/sudoers /etc/sudoers.d/*
sh-3.2#
```

- Expected scan result: `PASS`

5.6 Ensure the "root" Account Is Disabled (Automated) - :green_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
sh-3.2# dscl . -read /Users/root AuthenticationAuthority
No such key: AuthenticationAuthority
```

- Expected scan result: `PASS`

5.7 Ensure Automatic Login Is Disabled (Automated) - :green_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
sh-3.2# defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser
vagrant
```

```
sh-3.2# sh -c "profiles -P -o stdout | grep com.apple.login.mcx.DisableAutoLoginClient"
sh-3.2#
```

- Expected scan result: `FAIL`

5.10 Require an administrator password to access system-wide preferences (Automated) - :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :red_circle: Missing `2> /dev/null`. **NOTE**: it is not necessary, and we avoid errors that can create an undesired file if the command isn't correct.
- Execution:

```
sh-3.2# sh -c "security authorizationdb read system.preferences | grep -A1 shared | grep false"
YES (0)
```

- Expected scan result: `FAIL`

5.11 Ensure an administrator account cannot login to another user's active and locked session (Automated) - :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:

**Expected**

```
- cis: ["5.11"]
```

**Current**

```
- cis: ["5.12"]
```

Also, a link in `References` has an extra space.

- Rules - :green_circle:
- Execution:

```
sh-3.2# sh -c "security authorizationdb read system.login.screensaver 2>&1 | grep -c 'use-login-window-ui'"
1
```

- Expected scan result: `PASS`

5.12 Ensure a Custom Message for the Login Screen Is Enabled (Automated) - :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :red_circle: The condition should be `any`
- Execution:

```
sh-3.2# defaults read /Library/Preferences/com.apple.loginwindow.plist LoginwindowText
2022-06-28 16:48:02.113 defaults[53858:1658858] The domain/default pair of (/Library/Preferences/com.apple.loginwindow.plist, LoginwindowText) does not exist
```

```
sh-3.2# sh -c "profiles -P -o stdout | grep LoginwindowText"
sh-3.2#
```

- Expected scan result: `FAIL`

5.13 Ensure a Login Window Banner Exists (Automated) - :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:

**Expected**

```
- cis_level: ["2"]
```

**Current**

```
- cis_level: ["1"]
```

- Rules - :green_circle:
- Execution:

```
2022/06/28 16:56:18 sca[53920] wm_sca.c:1177 at wm_sca_do_scan(): DEBUG: Check directory rule result: 0
2022/06/28 16:56:18 sca[53920] wm_sca.c:1218 at wm_sca_do_scan(): DEBUG: Result for rule 'd:/Library/Security -> r:^PolicyBanner': 0
2022/06/28 16:56:18 sca[53920] wm_sca.c:1225 at wm_sca_do_scan(): DEBUG: Breaking from rule aggregator 'all' with found = 0
2022/06/28 16:56:18 sca[53920] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 29056 'Ensure a Login Window Banner Exists.' -> 0
2022/06/28 16:56:18 sca[53920] wm_sca.c:479 at wm_sca_read_files(): DEBUG: Calculating hash for scanned results.
2022/06/28 16:56:18 sca[53920] wm_sca.c:2802 at wm_sca_hash_integrity(): DEBUG: Concatenating check results:
2022/06/28 16:56:18 sca[53920] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29056; Result: 'failed'
```

```
sh-3.2# sudo /bin/cat /Library/Security/PolicyBanner.*
cat: /Library/Security/PolicyBanner.*: No such file or directory
```

- Expected scan result: `FAIL`

5.15 Ensure Fast User Switching Is Disabled (Manual) - :red_circle:

It is not supposed to be implemented but it is.

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected title**

```
Ensure Fast User Switching Is Disabled.
```

**Current title**

```
Disable Fast User Switching.
```

- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
sh-3.2# defaults read /Library/Preferences/.GlobalPreferences.plist MultipleSessionEnabled
1
```

```
sh-3.2# sh -c "profiles -P -o stdout | grep MultipleSessionEnabled"
sh-3.2#
```

- Expected scan result: `FAIL`
juliamagan commented 2 years ago

6. User Accounts and Environment

6.1 Accounts Preferences Action Items

6.1.1 Ensure Login Window Displays as Name and Password Is Enabled (Automated) - :green_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
sh-3.2# defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME
0
```

```
sh-3.2# sh -c "profiles -P -o stdout | grep SHOWFULLNAME"
sh-3.2#
```

- Expected scan result: `FAIL`

6.1.2 Ensure Show Password Hints Is Disabled (Automated) - :green_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
sh-3.2# defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint
3
```

```
sh-3.2# sh -c "profiles -P -o stdout | grep RetriesUntilHint"
sh-3.2#
```

- Expected scan result: `FAIL`

6.1.3 Ensure Guest Account Is Disabled (Automated) - :green_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
sh-3.2# defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled
0
```

```
sh-3.2# sh -c "profiles -P -o stdout | grep DisableGuestAccount"
sh-3.2# sh -c "profiles -P -o stdout | grep EnableGuestAccount"
sh-3.2#
```

- Expected scan result: `PASS`

6.1.4 Ensure Guest Access to Shared Folders Is Disabled (Automated) - :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle: Missing period in title
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
sh-3.2# defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess
2022-06-28 17:33:04.928 defaults[54204:1669390] The domain/default pair of (/Library/Preferences/SystemConfiguration/com.apple.smb.server, AllowGuestAccess) does not exist
```

```
sh-3.2# sh -c "profiles -P -o stdout | grep AllowGuestAccess"
sh-3.2#
```

- Expected scan result: `PASS`

6.1.5 Ensure the Guest Home Folder Does Not Exist (Automated) - :green_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
2022/06/28 17:38:21 sca[54245] wm_sca.c:796 at wm_sca_resolve_symlink(): DEBUG: Path '/Users/Guest' does not exists, or points to an unexistent path -> RETURN_NOT_FOUND: No such file or directory
2022/06/28 17:38:21 sca[54245] wm_sca.c:1177 at wm_sca_do_scan(): DEBUG: Check directory rule result: 0
2022/06/28 17:38:21 sca[54245] wm_sca.c:1218 at wm_sca_do_scan(): DEBUG: Result for rule 'd:/Users/Guest': 0
2022/06/28 17:38:21 sca[54245] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 29062 'Ensure the Guest Home Folder Does Not Exist.' -> 1
2022/06/28 17:38:21 sca[54245] wm_sca.c:479 at wm_sca_read_files(): DEBUG: Calculating hash for scanned results.
2022/06/28 17:38:21 sca[54245] wm_sca.c:2802 at wm_sca_hash_integrity(): DEBUG: Concatenating check results:
2022/06/28 17:38:21 sca[54245] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29062; Result: 'passed'
```

```
sh-3.2# sudo /bin/ls /Users/ | /usr/bin/grep Guest
sh-3.2#
```

- Expected scan result: `PASS`

6.2 Ensure Show All Filename Extensions Setting is Enabled (Automated) - :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected remediation**

```
sudo -u /usr/bin/defaults write /Users//Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -bool true
```

**Current remediation**

```
defaults write NSGlobalDomain AppleShowAllExtensions -bool true
```

- Compliance - :green_circle:
- Rules - :red_circle:

**Expected command**

```
sudo -u /usr/bin/defaults read /Users//Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions
```

**Current command**

```
defaults read NSGlobalDomain AppleShowAllExtensions
```

**NOTE**: The current SCA implementation doesn't allow the use of loops or user name definitions in an array. The current output will be:

```
❯ defaults read NSGlobalDomain AppleShowAllExtensions
1
❯ sudo defaults read NSGlobalDomain AppleShowAllExtensions
Password:
2022-07-02 11:21:37.103 defaults[4641:148515] The domain/default pair of (kCFPreferencesAnyApplication, AppleShowAllExtensions) does not exist
```

- Execution:

```
sh-3.2# defaults read NSGlobalDomain AppleShowAllExtensions
2022-06-28 17:43:43.908 defaults[54282:1671746] The domain/default pair of (kCFPreferencesAnyApplication, AppleShowAllExtensions) does not exist
```

- Expected scan result: `FAIL`

6.3 Ensure Automatic Opening of Safe Files in Safari Is Disabled (Automated) - :red_circle:

Details

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle: Extra space in remediation command:

```
"Run the following command to disable safe files from not opening in Safari: sudo -u /usr/bin/defaults write /Users//Library/Containers/com.apple.Safari/Data/Library/Preference s/com.apple.Safari AutoOpenSafeDownloads -bool false"
```

- Compliance - :green_circle:
- Rules - :green_circle:
- Execution:

```
sh-3.2# defaults read com.apple.Safari AutoOpenSafeDownloads
2022-06-28 17:49:07.604 defaults[54312:1672888] The domain/default pair of (com.apple.Safari, AutoOpenSafeDownloads) does not exist
```

```
sh-3.2# sh -c "profiles -P -o stdout | grep AutoOpenSafeDownloads"
sh-3.2#
```

- Expected scan result: `FAIL`
juliamagan commented 2 years ago

Dashboard checks

image

cis_apple_macos_12.x.csv