Wazuh 4.3 - SCA policies manual tests - SCA Policy for CIS Apple macOS 12.0 Monterey Benchmark v1.0.0 / @mauromalara

Related Issue
https://github.com/wazuh/wazuh/issues/12883

Description

macOS 12.0 Monterey SCA policies have been updated https://github.com/wazuh/wazuh/issues/12883. On this account, It is necessary to ensure that these policies fit with the CIS Apple macOS 12.0 Monterey Benchmark v1.0.0. Also, manual testing for the used SCA rules is required, ensuring the proposed rules work as expected.

OS: macOS 12.0 Monterey
SCA policy file: cis_apple_macOS_12.0.yml
Tests

For each check in the SCA policy checks:

The title, description, rationale, remediation, and compliance must correspond to the ones in the check of the corresponding CIS benchmark file found in https://downloads.cisecurity.org/#/.
The check command found in the CIS benchmark file should work as expected and must match the rule specified in the check of the yml file.

The installers must also be tested:

Check the scan is executed automatically when installing.
Check the scan result.

Checks

Checks design

Check ID	Check Category	Description	ID/Title/Description/Rationale	Remediation	Compliance	Rules	Artifact
id	Category	Description	:black_circle:	:black_circle:	:black_circle:	:black_circle:	Artifact

All test results must have one of the following statuses:
:green_circle:	All checks passed.
:red_circle:	There is at least one failed result.
:yellow_circle:	There is at least one expected failure or skipped test and no failures.
:black_circle:	Not done yet

Any failing test must be properly addressed with a new issue, detailing the error and the possible cause.

An extended report of the test results can be attached as a ZIP or TXT file. Please attach any documents, screenshots, or tables to the issue update with the results. This report can be used by the auditors to dig deeper into any possible failures and details.

Checks lists

Checks summary

Conclusions

WIP

Task: Global checks 🟢

Package S3 path	Package reference
warehouse-pullrequests > 4.3 > macos	0.commit52994d4

Installer use `cis_apple_macOS_12.0.yml` policy 🟢

```bash # ls /Library/Ossec/ruleset/sca/ cis_apple_macOS_12.0.yml ``` ```bash # pkill modulesd; /Library/Ossec/bin/wazuh-modulesd -fdd 2>&1 | grep 'sca\[' 2022/06/29 23:53:01 sca[4305] wm_sca.c:141 at wm_sca_main(): INFO: Module started. 2022/06/29 23:53:01 sca[4305] wm_sca.c:180 at wm_sca_main(): INFO: Loaded policy '/Library/Ossec/ruleset/sca/cis_apple_macOS_12.0.yml' ```

Check IDs are consistent 🟢

* I create the following script in Python to check it: ```Python import yaml import numpy def check_consecutive(check_ids): n = len(check_ids) - 1 return (sum(numpy.diff(sorted(check_ids)) == 1) >= n) with open('./cis_apple_macOS_12.0.yml', 'r') as policy_yaml: check_ids = [check['id'] for check in yaml.safe_load(policy_yaml)['checks']] print(check_consecutive(check_ids)) ```

Task: Checks summary :red_circle:

Summary table

SCA Scan results

![SCA_scan_results](https://user-images.githubusercontent.com/39094716/177216559-d0a620ff-6ed3-4c37-a090-39991387c29f.png)

CSV with the scan results

[cis_apple_macos_12.x.csv](https://github.com/wazuh/wazuh-qa/files/9042035/cis_apple_macos_12.x.csv)

1 Install Updates, Patches and Additional Security Software

1.1 Ensure All Apple-provided Software Is Current. :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

``` sh-3.2# softwareupdate -l Software Update Tool Finding available software Software Update found the following new or updated software: * Label: Command Line Tools for Xcode-13.2 Title: Command Line Tools for Xcode, Version: 13.2, Size: 577329K, Recommended: YES, * Label: Command Line Tools for Xcode-13.3 Title: Command Line Tools for Xcode, Version: 13.3, Size: 718145K, Recommended: YES, * Label: Command Line Tools for Xcode-13.4 Title: Command Line Tools for Xcode, Version: 13.4, Size: 705462K, Recommended: YES, * Label: macOS Monterey 12.4-21F79 Title: macOS Monterey 12.4, Version: 12.4, Size: 4431197K, Recommended: YES, Action: restart, ```

Check event (expected result: FAIL) :green_circle:

``` {"type":"check","id":333955627,"policy":"CIS Apple macOS 12.0 Monterey Benchmark","policy_id":"cis_apple_macos_12.x","check":{"id":29000,"title":"Ensure All Apple-provided Software Is Current.","description":"Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update.","rationale":"It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities.","remediation":"1. In Terminal, run the following command to verify what packages need to be installed: sudo softwareupdate -l. 2.1. In Terminal, run the following command to install all the packages that need to be updated: sudo software -i -a -R. 2.2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename'","compliance":{"cis":"1.1","cis_level":"1"},"rules":["c:softwareupdate -l -> r:No new software available"],"condition":"all","command":"softwareupdate -l","result":"failed"}} ```

1.2 Ensure Auto Update Is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 0 ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 18:35:43 sca[26892] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29001; Result: 'failed' ```

1.3 Ensure Download New Updates When Available is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload 0 sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep AutomaticDownload ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 18:49:05 sca[26990] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29002; Result: 'failed' ```

1.4 Ensure Installation of App Update Is Enabled :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation: :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L84) typing mistake: '-' separated from 'bool') - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.commerce AutoUpdate 0 sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep AutomaticallyInstallAppUpdates ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:16:01 sca[27200] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29003; Result: 'failed' ```

1.5 Ensure System Data Files and Security Updates Are Downloaded Automatically Is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall 0 sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall 0 ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:24:29 sca[27313] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29004; Result: 'failed' ```

1.6 Ensure Install of macOS Updates Is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates 0 sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep AutomaticallyInstallMacOSUpdates ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:27:09 sca[27357] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29005; Result: 'failed' ```

2 System Preferences

2.1 Bluetooth

2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation: :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L137) the command is different from the one proposed in the benchmark) - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState 2022-07-01 19:30:29.862 defaults[27405:718269] The domain/default pair of (/Library/Preferences/com.apple.Bluetooth, ControllerPowerState) does not exist sh-3.2# sudo /usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | grep -m1 'Connected: Yes' ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:33:44 sca[27454] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29006; Result: 'failed' ```

2.1.2 Ensure Show Bluetooth Status in Menu Bar Is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo -u vagrant defaults -currentHost read com.apple.controlcenter.plist Bluetooth 2022-07-01 19:35:57.668 defaults[27494:719851] The domain/default pair of (com.apple.controlcenter.plist, Bluetooth) does not exist sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep 'Bluetooth = 18' ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:37:26 sca[27515] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29007; Result: 'failed' ```

2.2 Date & Time

2.2.1 Ensure "Set time and date automatically" Is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/sbin/systemsetup -getusingnetworktime Network Time: On sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep forceAutomaticDateAndTime ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:40:28 sca[27557] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29008; Result: 'passed' ```

2.2.2 Ensure time set is within appropriate limits :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo systemsetup -getnetworktimeserver Network Time Server: time.euro.apple.com sh-3.2# sudo sntp time.euro.apple.com | grep +/- +0.083240 +/- 0.040415 time.euro.apple.com 17.253.108.253 ```

**reason**: Apparently the check fails because it used a fixed time server (c:sh -c "sntp time.apple.com < [here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L189))

Check event (expected result: PASSED) :red_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29009; Result: 'failed' ```

2.3 Desktop & Screen Saver

2.3.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L200) the remediation is incomplete and there is a typing mistake: '.. of the screen saver to...', it should be: '.. of the screen saver is set to...') - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

**Note**: The script `2.3.1.sh` has the same content as the one proposed in CIS benchmark. ```Bash sh-3.2# bash 2.3.1.sh Checking User: '/Users/vagrant': 2022-07-01 20:15:50.813 defaults[28765:731214] The domain/default pair of (/Users/vagrant/Library/Preferences/ByHost/com.apple.screensaver.54F743D0-8842-8F48-A6E5-EC6BFA292CEA.plist, idleTime) does not exist sh-3.2# sudo /usr/bin/defaults -currentHost read com.apple.screensaver idleTime 2022-07-01 20:32:59.214 defaults[28887:735145] The domain/default pair of (com.apple.screensaver, idleTime) does not exist sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep idleTime ```

**reason**: The expected output of the rule should not be 'does not exist' ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L206)), this causes (apparently) the rule to passes and, as the condition is 'any', also the check to passes successfully. **The CIS benchmark says**: "Note: If the output of the script includes The domain/default pair of (com.apple.screensaver, idleTime) does not exist for any user, then the setting has not been changed from the default. Follow the remediation instructions to set the idle time to match your organization's policy."

Check event (expected result: FAILED) :red_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29010; Result: 'passed' ```

2.3.2 Ensure Screen Saver Corners Are Secure 🟡

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo -u vagrant /usr/bin/defaults read com.apple.dock wvous-tl-corner 2022-07-01 20:34:54.480 defaults[28910:735568] The domain/default pair of (com.apple.dock, wvous-tl-corner) does not exist sh-3.2# sudo -u vagrant /usr/bin/defaults read com.apple.dock wvous-bl-corner 2022-07-01 20:35:59.848 defaults[28917:735811] The domain/default pair of (com.apple.dock, wvous-bl-corner) does not exist sh-3.2# sudo -u vagrant /usr/bin/defaults read com.apple.dock wvous-tr-corner 2022-07-01 20:36:08.139 defaults[28922:735896] The domain/default pair of (com.apple.dock, wvous-tr-corner) does not exist sh-3.2# sudo -u vagrant /usr/bin/defaults read com.apple.dock wvous-br-corner 14 sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-bl-corner sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-br-corner sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-tl-corner sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-tr-corner ```

Check event (expected result: PASSED) :yellow_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29011; Result: 'passed' ```

**WARNING Reason**: some rules are absent: ``` $ sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-bl-corner $ sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-br-corner $ sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-tl-corner $ sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-tr-corner ```

2.4 Sharing

2.4.1 Ensure Remote Apple Events Is Disabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/sbin/systemsetup -getremoteappleevents Remote Apple Events: Off ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29012; Result: 'passed' ```

2.4.2 Ensure Internet Sharing Is Disabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo defaults read /Library/Preferences/SystemConfiguration/com.apple.nat | grep -i Enabled 2022-07-01 20:47:27.243 defaults[29013:738401] Domain /Library/Preferences/SystemConfiguration/com.apple.nat does not exist sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep forceInternetSharingOff ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29013; Result: 'passed' ```

2.4.3 Ensure Screen Sharing Is Disabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo launchctl print-disabled system | grep -c '"com.apple.screensharing" => true' 0 ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29014; Result: 'failed' ```

2.4.4 Ensure Printer Sharing Is Disabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo cupsctl | grep _share_printers | cut -d'=' -f2 0 ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29015; Result: 'passed' ```

2.4.5 Ensure Remote Login Is Disabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo systemsetup -getremotelogin Remote Login: On ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29016; Result: 'failed' ```

2.4.6 Ensure DVD or CD Sharing Is Disabled :red_circle:

- title :green_circle: - description :green_circle: - rationale :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L303) rationale is not the same as the benchmark) - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo launchctl print-disabled system | grep -c '"com.apple.ODSAgent" => true' 0 ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29017; Result: 'failed' ```

2.4.7 Ensure Bluetooth Sharing Is Disabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo -u vagrant /usr/bin/defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled 2022-07-01 21:22:10.910 defaults[29263:746136] The domain/default pair of (com.apple.Bluetooth, PrefKeyServicesEnabled) does not exist sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep "PrefKeyServicesEnabled" ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29018; Result: 'failed' ```

2.4.8 Ensure File Sharing Is Disabled :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo launchctl print-disabled system | grep -c '"com.apple.smbd" => true' 0 ```

Check event (expected result: FAILED) :red_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29019; Result: 'passed' ```

**reason**: The check was supposed to fail, but the result was "passed". When you enable File Sharing the result is 0 (I mean 0 = enabled, 1 = disabled): ```Bash sh-3.2# sudo launchctl enable system/com.apple.smbd sh-3.2# sudo launchctl print-disabled system | grep -c '"com.apple.smbd" => true' 0 ```

2.4.9 Ensure Remote Management Is Disabled :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L344) there is an extra space before '/kickstart') - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo ps -ef | grep -e ARDAgent 501 16092 1 0 11:00PM ?? 0:00.23 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent 0 29359 24454 0 9:36PM ttys000 0:00.01 grep -e ARDAgent ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29020; Result: 'failed' ```

2.4.10 Ensure Content Caching Is Disabled :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L357) there is a typing mistake: '...command in to...' should be: '...command in Terminal...') - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.AssetCache.plist Activated 0 sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep allowContentCaching ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29021; Result: 'failed' ```

2.4.11 Ensure AirDrop Is Disabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo -u vagrant /usr/bin/defaults read com.apple.Network Browser DisableAirDrop 2022-07-01 21:52:42.032 defaults[29472:752801] The domain/default pair of (com.apple.NetworkBrowser, DisableAirDrop) does not exist sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep DisableAirDrop ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29022; Result: 'failed' ```

2.4.12 Ensure Media Sharing Is Disabled :red_circle:

- title :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L386) the title is incorrect) - description :green_circle: - rationale :green_circle: - remediation :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L389) there is an extra '- ' before 'enabled' in the command) - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo -u vagrant defaults read com.apple.amp.mediasharing d home-sharing-enabled 0 sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep homeSharingUIStatus sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep legacySharingUIStatus sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep mediaSharingUIStatus ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29023; Result: 'passed' ```

2.5 Security & Privacy

2.5.1 Encryption

2.5.1.1 Ensure FileVault Is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo fdesetup status FileVault is Off. ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29024; Result: 'failed' ```

2.5.2 Firewall

2.5.2.1 Ensure Gatekeeper is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/sbin/spctl --status assessments enabled sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep AllowIdentifiedDevelopers sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep EnableAssessment ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29025; Result: 'passed' ```

2.5.2.2 Ensure Firewall Is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate 0 sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep EnableFirewall ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29026; Result: 'failed' ```

2.5.2.3 Ensure Firewall Stealth Mode Is Enabled :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L468) there is an extra ':' before sudo) - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/sbin/system_profiler SPFirewallDataType | /usr/bin/grep "Stealth Mode: Yes" | /usr/bin/awk -F ": " '{print $2}' | /usr/bin/xargs sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep EnableStealthMode ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29027; Result: 'failed' ```

2.5.3 Ensure Location Services Is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo launchctl list | grep -c com.apple.locationd 1 ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29028; Result: 'passed' ```

2.5.5 Ensure Sending Diagnostic and Usage Data to Apple Is Disabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit 0 sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep allo wDiagnosticSubmission ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29029; Result: 'passed' ```

2.7 Time Machine

2.7.1 Ensure Backup Up Automatically is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.TimeMachine.plist AutoBackup 2022-07-01 22:35:41.949 defaults[29879:763436] The domain/default pair of (/Library/Preferences/com.apple.TimeMachine.plist, AutoBackup) does not exist sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep "AutoBackup" ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29030; Result: 'failed' ```

2.8 Ensure Wake for Network Access Is Disabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo pmset -g | grep -e womp ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29031; Result: 'failed' ```

2.9 Ensure Power Nap Is Disabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo pmset -g everything | grep -c 'powernap 1' 0 ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29032; Result: 'passed' ```

2.10 Ensure Secure Keyboard Entry terminal.app is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo -u vagrant /usr/bin/defaults read -app Terminal Sec ureKeyboardEntry 0 sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep SecureKeyboardEntry ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29033; Result: 'failed' ```

2.11 Ensure EFI Version Is Valid and Checked Regularly :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check ReadBinaryFromKernel: No matching services found. Either this system is not supported by eficheck, or you need to re-load the kext IntegrityCheck: couldn't get EFI contents from kext sh-3.2# sudo system_profiler SPiBridgeDataType | grep "T2" sh-3.2# sudo launchctl list | grep com.apple.driver.eficheck - 0 com.apple.driver.eficheck ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29034; Result: 'passed' ```

3 Logging and Auditing

3.1 Ensure Security Auditing Is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo launchctl list | grep -i auditd 132 0 com.apple.auditd ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29035; Result: 'passed' ```

3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo grep -i ttl /etc/asl/com.apple.install sh-3.2# sudo grep -i all_max= /etc/asl/com.apple.install * file /var/log/install.log format='$((Time)(JZ)) $Host $(Sender)[$(PID)]: $Message' rotate=seq compress file_max=50M all_max=150M size_only ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29036; Result: 'failed' ```

3.5 Ensure Access to Audit Records Is Controlled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo ls -le /etc/security/audit_control -r-- 1 root wheel 358 Oct 18 2021 /etc/security/audit_control sh-3.2# sudo ls -le /var/audit/ total 1072 -r--r-- 1 root wheel 240451 Nov 17 2021 20211117094230.crash_recovery -r--r-- 1 root wheel 112746 Nov 17 2021 20211117104632.crash_recovery -r--r-- 1 root wheel 10976 Nov 17 2021 20211117150859.crash_recovery -r--r-- 1 root wheel 10407 Nov 22 2021 20211122112057.crash_recovery -r--r-- 1 root wheel 11947 Nov 22 2021 20211122155115.crash_recovery -r--r-- 1 root wheel 18669 Nov 23 2021 20211123081323.crash_recovery -r--r-- 1 root wheel 12768 Nov 23 2021 20211123085337.crash_recovery -r--r-- 1 root wheel 11793 Nov 23 2021 20211123092331.crash_recovery -r--r-- 1 root wheel 8442 Nov 23 2021 20211123093436.crash_recovery -r--r-- 1 root wheel 13573 Nov 23 2021 20211123093755.crash_recovery -r--r-- 1 root wheel 10253 Nov 23 2021 20211123094231.crash_recovery -r--r-- 1 root wheel 17682 Nov 23 2021 20211123115708.crash_recovery -r--r-- 1 root wheel 42738 Jul 1 23:45 20220629151156.not_terminated lrwxr-xr-x 1 root wheel 40 Jun 29 17:11 current -> /var/audit/20220629151156.not_terminated ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29037; Result: 'passed' ```

3.6 Ensure Firewall Logging Is Enabled and Configured :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L664) the last command has an invalid parameter, it is the output of the command itself) - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/sbin/system_profiler SPFirewallDataType | /usr/bin/grep Logging Firewall Logging: Yes sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.alf.plist loggingoption 0 sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep EnableLogging sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep Logg ingOption ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29038; Result: 'failed' ```

4 Network Configurations

4.1 Ensure Bonjour Advertising Services Is Disabled :red_circle:

- title :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L682) The title is not the same as the one in the benchmark) - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements 2022-07-02 00:08:29.241 defaults[30547:784310] The domain/default pair of (/Library/Preferences/com.apple.mDNSResponder.plist, NoMulticastAdvertisements) does not exist sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep "NoMulticastAdvertisements" ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29039; Result: 'failed' ```

4.4 Ensure HTTP Server Is Disabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true' 0 ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29040; Result: 'failed' ```

4.5 Ensure NFS Server Is Disabled :red_circle:

- title :green_circle: - description :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L713) there is a typing mistake: 'end- user' should be 'end-user') - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo launchctl print-disabled system | grep -c '"com.apple.nfsd" => true' 0 sh-3.2# sudo cat /etc/exports cat: /etc/exports: No such file or directory ```

**reason**: Seems that the `condition` is not set correctly (maybe it should be `all` not `none` -- [here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L719))

Check event (expected result: FAILED) :red_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29041; Result: 'passed' ```

5 System Access, Authentication and Authorization

5.1 File System Permissions and Access Controls

5.1.2 Ensure System Integrity Protection Status (SIPS) Is Enabled :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L738) 'Successfully enabled System Integrity Protection....' is the output of the command; the last step does not appear, which is '5. Reboot the computer' regarding the CIS benchmark) - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/csrutil status System Integrity Protection status: enabled. ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29042; Result: 'passed' ```

5.1.3 Ensure Apple Mobile File Integrity Is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1" 0 ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29043; Result: 'passed' ```

5.1.4 Ensure Library Validation Is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation 2022-07-02 00:23:11.696 defaults[30697:787862] The domain/default pair of (/Library/Preferences/com.apple.security.libraryvalidation.plist, DisableLibraryValidation) does not exist sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep DisableLibraryValidation ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29044; Result: 'failed' ```

5.1.5 Ensure Sealed System Volume (SSV) Is Enabled :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L787) 'Successfully enabled System authenticated root. Restart the machine for the changes to take effect.' is the output of the command) - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/csrutil authenticated-root status Authenticated Root status: enabled ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29045; Result: 'passed' ```

5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications :red_circle:

- title :green_circle: - description :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L802) There is a typing mistake: 'world- writable' should be 'world-writable' ... there is an extra space) - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/find /Applications -iname "*.app" -type d -perm -2 -ls ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29046; Result: 'passed' ```

5.1.7 Ensure No World Writable Files Exist in the System Folder :red_circle:

- title :green_circle: - description :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L815) There is an extra space in '/System/Volumes/Data/System Directory') - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/find /System/Volumes/Data/System -type d - perm -2 -ls ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29047; Result: 'passed' ```

5.1.8 Ensure No World Writable Files Exist in the Library Folder :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sh -c "find /System/Volumes/Data/Library -type d -perm -2 -ls 2> /dev/null | grep -v 'Caches|Audio'" 77277 0 drwxrwxrwx 2 _coreaudiod _coreaudiod 64 Oct 18 2021 /System/Volumes/Data/Library/Preferences/Audio/Data 81585 0 drwxrwxrwt 6 root admin 192 Nov 17 2021 /System/Volumes/Data/Library/Caches ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29048; Result: 'failed' ```

5.3 Ensure the Sudo Timeout Period Is Set to Zero :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/grep -e "timestamp" /etc/sudoers ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29049; Result: 'failed' ```

5.4 Ensure a Separate Timestamp Is Enabled for Each User/tty Combo :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/grep -E -s '!tty_tickets' /etc/sudoers /etc/sudoers.d/* sh-3.2# sudo /usr/bin/grep -E -s 'timestamp_type' /etc/sudoers /etc/sudoers.d/* ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29050; Result: 'passed' ```

5.6 Ensure the "root" Account Is Disabled :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L888) 'username = root user password: ' is part of the output of the command) - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/dscl . -read /Users/root AuthenticationAuthority No such key: AuthenticationAuthority ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29051; Result: 'passed' ```

5.7 Ensure Automatic Login Is Disabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.app le.loginwindow autoLoginUser vagrant sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep "com.apple.login.mcx.DisableAutoLoginClient" ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29052; Result: 'failed' ```

5.10 Require an administrator password to access system-wide preferences :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L919) 'YES (0)' is part of the output of the command, but not part of the command itself) - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep false ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29053; Result: 'failed' ```

5.11 Ensure an administrator account cannot login to another user's active and locked session :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L934) the number must be 5.11) - cis_level :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c 'use-login-window-ui' 1 ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29054; Result: 'passed' ```

5.12 Ensure a Custom Message for the Login Screen Is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow.plist LoginwindowText 2022-07-02 00:47:01.407 defaults[30947:793716] The domain/default pair of (/Library/Preferences/com.apple.loginwindow.plist, LoginwindowText) does not exist sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep "LoginwindowText" ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29055; Result: 'failed' ```

5.13 Ensure a Login Window Banner Exists :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis :green_circle: - cis_level :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L965) the level is incorrect) - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /bin/cat /Library/Security/PolicyBanner.* cat: /Library/Security/PolicyBanner.*: No such file or directory ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29056; Result: 'failed' ```

5.15 Ensure Fast User Switching Is Disabled :red_circle:

- description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - title :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L974) the title is not the same as the one in CIS benchmark) - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/.GlobalPreferences.plist MultipleSessionEnabled 1 sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep MultipleSessionEnabled ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29057; Result: 'failed' ```

6 User Accounts and Environment

6.1 Accounts Preferences Action Items

6.1.1 Ensure Login Window Displays as Name and Password Is Enabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME 0 sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep 'SHOWFULLNAME' ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29058; Result: 'failed' ```

6.1.2 Ensure Show Password Hints Is Disabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint 3 sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep 'RetriesUntilHint' ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29059; Result: 'failed' ```

6.1.3 Ensure Guest Account Is Disabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled 0 sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep 'DisableGuestAccount' sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep 'DisableGuestAccount' ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29060; Result: 'passed' ```

6.1.4 Ensure Guest Access to Shared Folders Is Disabled :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess 2022-07-04 16:45:10.028 defaults[2519:16290] The domain/default pair of (/Library/Preferences/SystemConfiguration/com.apple.smb.server, AllowGuestAccess) does not exist sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep AllowGuestAccess ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29061; Result: 'passed' ```

6.1.5 Ensure the Guest Home Folder Does Not Exist :green_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - remediation :green_circle: - cis_level :green_circle: - cis :green_circle: - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo /bin/ls /Users/ | /usr/bin/grep Guest ```

Check event (expected result: PASSED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29062; Result: 'passed' ```

6.2 Ensure Show All Filename Extensions Setting is Enabled :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - cis_level :green_circle: - cis :green_circle: - remediation :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L1066) the command is different from the one in the benchmark) - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo -u vagrant /usr/bin/defaults read /Users/vagrant/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions 2022-07-04 16:49:28.073 defaults[2640:17521] The domain/default pair of (/Users/vagrant/Library/Preferences/.GlobalPreferences.plist, AppleShowAllExtensions) does not exist ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29063; Result: 'failed' ```

6.3 Ensure Automatic Opening of Safe Files in Safari Is Disabled :red_circle:

- title :green_circle: - description :green_circle: - rationale :green_circle: - cis_level :green_circle: - cis :green_circle: - remediation :red_circle: ([here](https://github.com/wazuh/wazuh/blob/52994d41cb47e02103c2846d438f3ec763783939/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml#L1079) there is an extra space in the command ‘…Library/Preference s…’) - rule: ⬇️

Execution :green_circle:

```Bash sh-3.2# sudo -u vagrant /usr/bin/defaults read /Users/vagrant/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads 2022-07-04 16:52:52.440 defaults[2736:18441] The domain/default pair of (/Users/vagrant/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari, AutoOpenSafeDownloads) does not exist sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep AutoOpenSafeDownloads ```

Check event (expected result: FAILED) :green_circle:

```Bash 2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29064; Result: 'failed' ```

1.1 Ensure All Apple-provided Software Is Current: Dashboard screenshot 🟡

Screenshot

![image](https://user-images.githubusercontent.com/39094716/177211263-f481b443-7db5-4c92-915b-a32600809a7d.png)

Initially, the result was Failed (as you can see in this comment), but after connecting the agent with another manager the result was Not Applicable. So, I have attached the SCA output in debug mode: sca_output.txt

The first result was:

{"type":"check","id":333955627,"policy":"CIS Apple macOS 12.0 Monterey Benchmark","policy_id":"cis_apple_macos_12.x","check":{"id":29000,"title":"Ensure All Apple-provided Software Is Current.","description":"Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update.","rationale":"It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities.","remediation":"1. In Terminal, run the following command to verify what packages need to be installed: sudo softwareupdate -l. 2.1. In Terminal, run the following command to install all the packages that need to be updated: sudo software -i -a -R. 2.2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename'","compliance":{"cis":"1.1","cis_level":"1"},"rules":["c:softwareupdate -l -> r:No new software available"],"condition":"all","command":"softwareupdate -l","result":"failed"}}

Update: 13/07/2022

Checks review (Conclusion: All changes were applied correctly. 🟢)

All changes were reviewed with @72nomada.

#### 1.1 Ensure All Apple-provided Software Is Current (Automated) - [ ] Fixed - [ ] Won't be fixed - [x] Misinformed #### 1.4 Ensure Installation of App Update Is Enabled (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 2.2.2 Ensure time set is within appropriate limits (Automated) - [ ] Fixed - [x] Won't be fixed - [ ] Misinformed #### 2.3.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 2.3.2 Ensure Screen Saver Corners Are Secure (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 2.4.6 Ensure DVD or CD Sharing Is Disabled (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 2.4.8 Ensure File Sharing Is Disabled (Automated) - [ ] Fixed - [ ] Won't be fixed - [x] Misinformed #### 2.4.9 Ensure Remote Management Is Disabled (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 2.4.10 Ensure Remote Management Is Disabled (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 2.4.12 Ensure Media Sharing Is Disabled (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 2.5.2.3 Ensure Firewall Stealth Mode Is Enabled (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 3.6 Ensure Firewall Logging Is Enabled and Configured (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 4.1 Ensure Bonjour Advertising Services Is Disabled (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 4.5 Ensure NFS Server Is Disabled (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 5.1.2 Ensure System Integrity Protection Status (SIPS) Is Enabled (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 5.1.5 Ensure Sealed System Volume (SSV) Is Enabled (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 5.1.7 Ensure No World Writable Files Exist in the System Folder (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 5.6 Ensure the "root" Account Is Disabled (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 5.10 Require an administrator password to access system-wide preferences (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 5.11 Ensure an administrator account cannot login to another user's active and locked session (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 5.13 Ensure a Login Window Banner Exists (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 5.15 Ensure Fast User Switching Is Disabled (Manual) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 6.2 Ensure Show All Filename Extensions Setting is Enabled (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed #### 6.3 Ensure Automatic Opening of Safe Files in Safari Is Disabled (Automated) - [x] Fixed - [ ] Won't be fixed - [ ] Misinformed

wazuh / wazuh-qa