wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

macOS Ventura SCA policy - check 2.3.4 to 2.14.1 #3852

Closed 72nomada closed 1 year ago

72nomada commented 1 year ago
| Target version | Related issue | Related PR |
|---|---|---|
| 4.4.x | #3850 | https://github.com/wazuh/wazuh/pull/16027 |
| Check Id and Name | Status | Extra |
|---|---|---|
| 2.3.4 Time Machine | | |
| 2.3.4.1 Ensure Backup Automatically is Enabled If Time Machine Is Enabled (Automated) | | |
| 2.3.4.2 Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled (Automated) | | |
| 2.4 Control Center | | |
| 2.4.1 Ensure Show Wi-Fi status in Menu Bar Is Enabled (Automated) | | |
| 2.4.2 Ensure Show Bluetooth Status in Menu Bar Is Enabled (Automated) | | |
| 2.5 Siri & Spotlight | | |
| 2.5.1 Audit Siri Settings (Manual) | | |
| 2.6 Privacy & Security | | |
| 2.6.1 Location Services | | |
| 2.6.1.1 Ensure Location Services Is Enabled (Automated) | | |
| 2.6.1.2 Ensure Location Services Is in the Menu Bar (Automated) | | |
| 2.6.1.3 Audit Location Services Access (Manual) | | |
| 2.6.2 Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (Automated) | | |
| 2.6.3 Ensure Limit Ad Tracking Is Enabled (Automated) | | |
| 2.6.4 Ensure Gatekeeper Is Enabled (Automated) | | |
| 2.6.5 Ensure FileVault Is Enabled (Automated) | | |
| 2.6.6 Audit Lockdown Mode (Manual) | | |
| 2.6.7 Ensure an Administrator Password Is Required to Access System-Wide Preferences (Manual) | | |
| 2.7 Desktop & Dock | | |
| 2.7.1 Ensure Screen Saver Corners Are Secure (Automated) | | |
| 2.8 Displays | | |
| 2.8.1 Audit Universal Control Settings (Manual) | | |
| 2.9 Battery (Energy Saver) | | |
| 2.9.1 Ensure Power Nap Is Disabled for Intel Macs (Automated) | | |
| 2.9.2 Ensure Wake for Network Access Is Disabled (Automated) | | |
| 2.9.3 Ensure the OS is not Activate When Resuming from Sleep (Automated) | | |
| 2.10 Lock Screen | | |
| 2.10.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (Automated) | | |
| 2.10.2 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled (Automated) | | |
| 2.10.3 Ensure a Custom Message for the Login Screen Is Enabled (Automated) | | |
| 2.10.4 Ensure Login Window Displays as Name and Password Is Enabled (Automated) | | |
| 2.10.5 Ensure Show Password Hints Is Disabled (Automated) | | |
| 2.11 Touch ID & Password (Login Password) | | |
| 2.11.1 Ensure Users' Accounts Do Not Have a Password Hint (Automated) | | |
| 2.11.2 Audit Touch ID and Wallet & Apple Pay Settings (Manual) | | |
| 2.12 Users & Groups | | |
| 2.12.1 Ensure Guest Account Is Disabled (Automated) | | |
| 2.12.2 Ensure Guest Access to Shared Folders Is Disabled (Automated) | | |
| 2.12.3 Ensure Automatic Login Is Disabled (Automated) | | |
| 2.13 Passwords | | |
| 2.13.1 Audit Passwords System Preference Setting (Manual) | | |
| 2.14 Notifications | | |
| 2.14.1 Audit Notification & Focus Settings (Manual) | | |
Rebits commented 1 year ago

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| macOS | Ventura | Local | | |
| ubuntu | 20 | Vagrant | - | |

Tested packages

| wazuh-manager | wazuh-agent |
|---|---|
| 4.4.1 | 4.4.1 |

Note: the macOS Ventura SCA policy will be included manually in the agent. The development package will be used for the final validation.

Status

Conclusion :yellow_circle:

The macOS policy correctly fulfills the CIS benchmark. However, some unexpected behavior was detected in macOS Ventura command output gathering, in which some lines are ignored. Check https://github.com/wazuh/wazuh/issues/16760 for more information.

Some of the changes implemented in this review:

Rebits commented 1 year ago

Testing results :red_circle:

| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16027/commits/eaaa5b84aaa125a7ed6ffe873cc1425ad921c564 |

Automatic testing

The description, impact, rationale, and remediation fields will be checked manually in case of a false positive in the automatic report. However, compliance will be checked automatically.

Compliance :red_circle: The SCA policy comparing tool, run against the automatically parsed policy, has detected some unexpected compliance values. Along with errors, there are some nonexistent compliance values or wrong mappings according to the CSC. It is required to check the following failed checks:

```
=========================== short test summary info ============================
FAILED test_compare_policy.py::test_policy[2.2.1-compliance] - AssertionError...
FAILED test_compare_policy.py::test_policy[2.2.2-compliance] - AssertionError...
FAILED test_compare_policy.py::test_policy[2.3.2.1-compliance] - AssertionErr...
FAILED test_compare_policy.py::test_policy[2.3.2.2-compliance] - AssertionErr...
FAILED test_compare_policy.py::test_policy[2.3.3.1-compliance] - AssertionErr...
FAILED test_compare_policy.py::test_policy[2.3.3.2-compliance] - AssertionErr...
FAILED test_compare_policy.py::test_policy[2.3.3.3-compliance] - AssertionErr...
FAILED test_compare_policy.py::test_policy[2.3.3.4-compliance] - AssertionErr...
FAILED test_compare_policy.py::test_policy[2.3.3.5-compliance] - AssertionErr...
FAILED test_compare_policy.py::test_policy[2.3.3.6-compliance] - AssertionErr...
FAILED test_compare_policy.py::test_policy[2.3.3.7-compliance] - AssertionErr...
FAILED test_compare_policy.py::test_policy[2.3.3.8-compliance] - AssertionErr...
FAILED test_compare_policy.py::test_policy[2.3.3.9-compliance] - AssertionErr...
FAILED test_compare_policy.py::test_policy[2.3.4.1-compliance] - AssertionErr...
FAILED test_compare_policy.py::test_policy[2.3.4.2-compliance] - AssertionErr...
FAILED test_compare_policy.py::test_policy[2.6.1.1-compliance] - AssertionErr...
FAILED test_compare_policy.py::test_policy[2.6.1.2-compliance] - AssertionErr...
FAILED test_compare_policy.py::test_policy[2.6.4-compliance] - AssertionError...
FAILED test_compare_policy.py::test_policy[2.6.5-compliance] - AssertionError...
FAILED test_compare_policy.py::test_policy[2.9.1-compliance] - AssertionError...
FAILED test_compare_policy.py::test_policy[2.9.2-compliance] - AssertionError...
FAILED test_compare_policy.py::test_policy[2.10.3-compliance] - AssertionErro...
FAILED test_compare_policy.py::test_policy[2.10.4-compliance] - AssertionErro...
FAILED test_compare_policy.py::test_policy[2.10.5-compliance] - AssertionErro...
FAILED test_compare_policy.py::test_policy[2.12.1-compliance] - AssertionErro...
FAILED test_compare_policy.py::test_policy[2.12.2-compliance] - AssertionErro...
FAILED test_compare_policy.py::test_policy[2.12.3-compliance] - AssertionErro...
FAILED test_compare_policy.py::test_policy[3.2-compliance] - AssertionError: ...
FAILED test_compare_policy.py::test_policy[4.1-compliance] - AssertionError: ...
FAILED test_compare_policy.py::test_policy[4.2-compliance] - AssertionError: ...
FAILED test_compare_policy.py::test_policy[4.3-compliance] - AssertionError: ...
FAILED test_compare_policy.py::test_policy[5.2.7-compliance] - AssertionError...
FAILED test_compare_policy.py::test_policy[5.4-compliance] - AssertionError: ...
FAILED test_compare_policy.py::test_policy[5.5-compliance] - AssertionError: ...
FAILED test_compare_policy.py::test_policy[5.7-compliance] - AssertionError: ...
================ 35 failed, 69 passed, 624 deselected in 0.50s =================
```

The detailed report can be checked here: [compliance_results.txt](https://github.com/wazuh/wazuh-qa/files/11210903/compliance_results.txt)

Manual testing

2.3.4.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Missing `>` at the end of the section.
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
sh-3.2# osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName('com.apple.TimeMachine').objectForKey('AutoBackup')"
sh-3.2# osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName('com.apple.TimeMachine').objectForKey('LastDestinationID')"
```

Alert
```
2023/04/13 11:12:15 sca[3480] wm_sca.c:986 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 30020 'Ensure Backup Automatically is Enabled If Time Machine Is Enabled.'
2023/04/13 11:12:15 sca[3480] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 30020 'Ensure Backup Automatically is Enabled If Time Machine Is Enabled.' -> 1
2023/04/13 11:12:16 sca[3480] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 30020; Result: 'passed'
```
2.3.4.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
sh-3.2# sh -c "defaults read /Library/Preferences/com.apple.TimeMachine.plist | grep -c NotEncrypted"
```

Alert
```
2023/04/13 11:16:11 sca[3607] wm_sca.c:986 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 30021 'Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled.'
2023/04/13 11:16:11 sca[3607] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 30021 'Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled.' -> 1
2023/04/13 11:16:11 sca[3607] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 30021; Result: 'passed'
```
2.4.1 :black_circle: Not implemented. Expected due to SCA limitations
2.4.2 :black_circle: Not implemented. Expected due to SCA limitations
2.5.1 :black_circle: Not implemented. Expected due to SCA limitations
2.6.1.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
sh-3.2# sh -c "launchctl list | grep -c com.apple.locationd"
1
sh-3.2# sudo -u _locationd /usr/bin/osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName('com.apple.locationd').objectForKey('LocationServicesEnabled')"
1
```

Alert
```
sh-3.2# pkill modulesd; /Library/Ossec/bin/wazuh-modulesd -fdd 2>&1 | grep 'sca\[' | grep 30022
2023/04/13 11:22:18 sca[3782] wm_sca.c:986 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 30022 'Ensure Location Services Is Enabled.'
2023/04/13 11:22:18 sca[3782] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 30022 'Ensure Location Services Is Enabled.' -> 1
2023/04/13 11:22:18 sca[3782] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 30022; Result: 'passed'
```
2.6.1.2 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :yellow_circle: Regarding the audit of this check:
  ```
  The output will be either true, the icon is in the menu bar, or fales, the icon is not in the menu bar
  ```
  In our check, we assert it is enabled, but this value could be false depending on the organization parameters.

Rules details

Command output
```
sh-3.2# defaults read /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices
2023-04-13 11:37:51.898 defaults[4151:40826] The domain/default pair of (/Library/Preferences/com.apple.locationmenu.plist, ShowSystemServices) does not exist
sh-3.2#
```

Alert
```
2023/04/13 11:43:42 sca[4287] wm_sca.c:986 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 30023 'Ensure Location Services Is in the Menu Bar.'
2023/04/13 11:43:42 sca[4287] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 30023 'Ensure Location Services Is in the Menu Bar.' -> 0
2023/04/13 11:43:43 sca[4287] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 30023; Result: 'failed'
```
2.6.1.3 :black_circle: Not implemented. Expected. Manual check
2.6.2 :black_circle: Not implemented. Expected due to SCA limitations
2.6.3 :black_circle: Not implemented. Expected due to SCA limitations
2.6.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
sh-3.2# /usr/bin/sudo /usr/sbin/spctl --status
assessments enabled
```

Alert
```
2023/04/13 11:48:01 sca[4420] wm_sca.c:986 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 30024 'Ensure Gatekeeper Is Enabled.'
2023/04/13 11:48:01 sca[4420] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 30024 'Ensure Gatekeeper Is Enabled.' -> 1
2023/04/13 11:48:01 sca[4420] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 30024; Result: 'passed'
```
2.6.5 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Condition should be `all` instead of `any`.
  > Default value is false, so the second rule works as expected

Rules details

Command output
```
sh-3.2# fdesetup status
FileVault is Off.
sh-3.2# osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX').objectForKey('dontAllowFDEDisable') "
```

Alert
```
2023/04/13 11:52:43 sca[4566] wm_sca.c:986 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 30025 'Ensure FileVault Is Enabled.'
2023/04/13 11:52:43 sca[4566] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 30025 'Ensure FileVault Is Enabled.' -> 0
2023/04/13 11:52:43 sca[4566] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 30025; Result: 'failed'
```
2.6.6 :black_circle: Not implemented. Manual check
2.6.7 :red_circle: Can we implement this check?
```
sh-3.2# /usr/bin/sudo /usr/bin/security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep false
```
2.7.1 :black_circle: Not implemented. Expected due to SCA limitations
2.8.1 :black_circle: Not implemented. Expected due to SCA limitations
2.9.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Unexpected passed:
  ```
  2023/04/13 12:08:23 sca[5076] wm_sca.c:1128 at wm_sca_do_scan(): DEBUG: Running command: 'sh -c "pmset -g custom | grep powernap | grep -c 1"'
  2023/04/13 12:08:23 sca[5076] wm_sca.c:1623 at wm_sca_read_command(): DEBUG: Executing command 'sh -c "pmset -g custom | grep powernap | grep -c 1"', and testing output with pattern 'r:^0$'
  2023/04/13 12:08:23 sca[5076] wm_sca.c:1629 at wm_sca_read_command(): DEBUG: Command 'sh -c "pmset -g custom | grep powernap | grep -c 1"' returned code 1
  2023/04/13 12:08:23 sca[5076] wm_sca.c:1895 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:^0$)(0) -> 1
  ```
  Pending @72nomada feedback

Rules details

Command output
```
sh-3.2# sh -c "pmset -g custom | grep powernap | grep -c 1"
2
```

Alert
```
sh-3.2# pkill modulesd; /Library/Ossec/bin/wazuh-modulesd -fdd 2>&1 | grep 'sca\[' | grep 30026
2023/04/13 11:59:25 sca[4767] wm_sca.c:986 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 30026 'Ensure Power Nap Is Disabled for Intel Macs.'
2023/04/13 11:59:25 sca[4767] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 30026 'Ensure Power Nap Is Disabled for Intel Macs.' -> 1
2023/04/13 11:59:26 sca[4767] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 30026; Result: 'passed'
```
2.9.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
sh-3.2# sh -c "pmset -g | grep -e womp"
 womp 0
sh-3.2# sh -c "profiles -P -o stdout | grep 'Wake On LAN'"
sh-3.2# sh -c "profiles -P -o stdout | grep 'Wake On Modem Ring'"
```

Alert
```
2023/04/13 13:08:35 sca[6664] wm_sca.c:986 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 30027 'Ensure Wake for Network Access Is Disabled.'
2023/04/13 13:08:35 sca[6664] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 30027 'Ensure Wake for Network Access Is Disabled.' -> 1
2023/04/13 13:08:35 sca[6664] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 30027; Result: 'passed'
```
2.9.3 :black_circle: Not implemented. Expected due to SCA limitations
2.10.1 :red_circle: Why can this check not be implemented?
2.10.2 :red_circle: Why can this check not be implemented?
2.10.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
sh-3.2# osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow').objectForKey('LoginwindowText')"
sh-3.2#
```

Alert
```
2023/04/13 13:12:57 sca[6800] wm_sca.c:986 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 30028 'Ensure a Custom Message for the Login Screen Is Enabled.'
2023/04/13 13:12:57 sca[6800] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 30028 'Ensure a Custom Message for the Login Screen Is Enabled.' -> 0
2023/04/13 13:12:57 sca[6800] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 30028; Result: 'failed'
```
2.10.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
  > Default value is false, so the rule works as expected in this case

Rules details

Command output
```
sh-3.2# osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow').objectForKey('SHOWFULLNAME')"
```

Alert
```
sh-3.2# pkill modulesd; /Library/Ossec/bin/wazuh-modulesd -fdd 2>&1 | grep 'sca\[' | grep 30029
2023/04/13 13:30:45 sca[7285] wm_sca.c:986 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 30029 'Ensure Login Window Displays as Name and Password Is Enabled.'
2023/04/13 13:30:45 sca[7285] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 30029 'Ensure Login Window Displays as Name and Password Is Enabled.' -> 0
2023/04/13 13:30:46 sca[7285] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 30029; Result: 'failed'
```
2.10.5 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle: RetriesUntilHint in the environment is set as disabled by default, making the check fail. However, the documentation does not make reference to this value: https://developer.apple.com/documentation/devicemanagement/loginwindow. In this case I would suggest marking this check as passed and following the CIS benchmark strictly, although developer feedback is required.

Rules details

Command output
```
sh-3.2# osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow').objectForKey('RetriesUntilHint')"
```

Alert
```
sh-3.2# pkill modulesd; /Library/Ossec/bin/wazuh-modulesd -fdd 2>&1 | grep 'sca\[' | grep 30030
2023/04/13 13:32:01 sca[7411] wm_sca.c:986 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 30030 'Ensure Show Password Hints Is Disabled.'
2023/04/13 13:32:01 sca[7411] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 30030 'Ensure Show Password Hints Is Disabled.' -> 0
2023/04/13 13:32:01 sca[7411] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 30030; Result: 'failed'
2023/04/13 13:32:06 sca[7411] wm_sca.c:256 at wm_sca_send_alert(): DEBUG: Sending event: {"type":"check","id":2124972720,"policy":"SCA policy for Apple macOS 13.x Ventura based on CIS benchmark for Apple macOS 13.x Ventura. 11-14-2022","policy_id":"cis_macOS_13","check":{"id":30030,"title":"Ensure Show Password Hints Is Disabled.","description":"Password hints are user-created text displayed when an incorrect password is used for an account.","rationale":"Password hints make it easier for unauthorized persons to gain access to systems by displaying information provided by the user to assist in remembering the password. This info could include the password itself or other information that might be readily discerned with basic knowledge of the end user.","remediation":"Graphical Method: Perform the following steps to disable password hints from being shown: 1. Open System Settings 2. Select Lock Screen 3. Set 'Show password hints' to disabled Terminal Method: Run the following command to disable password hints: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0 ; Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.loginwindow 2. The key to include is RetriesUntilHint 3. The key must be set to 0.","compliance":{"cis":"2.10.5","cis_csc_v8":"4.1","cis_csc_v7":"5.1","cmmc_v2.0":"AC.1.002,CM.2.061,SC.3.180","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,CM.L2-3.4.1,CM.L2-3.4.6,CM.L2-3.4.2,CM.L2-3.4.7","pci_dss_3.2.1":"2.2,11.5","pci_dss_4.0":"1.1.1,1.2.1,1.2.6,1.5.1,1.2.7,2.1.1,2.2.1","iso_27001-2013":"A.8.1.3,A.14.2.5","mitre_techniques":"T1110,T1003,T1081,T1097,T1178,T1072,T1067,T1495,T1019,T1177,T1485,T1486,T1491,T1488,T1487,T1490,T1146,T1148,T1015,T1133,T1200,T1076,T1051,T1176,T1501,T1087,T1098,T1139,T1197,T1092,T1136,T1011,T1147,T1130,T1174,T1053,T1166,T1206,T1503,T1214,T1187,T1208,T1142,T1075,T1201,T1145,T1184,T1537,T1078,T1077,T1134,T1017,T1088,T1175,T1190,T1210,T1525,T1215,T1086,T1055,T1505,T1035,T1218,T1169,T1100,T1047,T1084,T1028,T1156,T1196,T1530,T1089,T1073,T1157,T1054,T1070,T1037,T1036,T1096,T1034,T1150,T1504,T1494,T1489,T1198,T1165,T1492,T1080,T1209,T1112,T1058,T1173,T1137,T1539,T1535,T1506,T1138,T1044,T1199","nist_sp_800-53":"AU-2,CM-1,CM-2,CM-6,CM-7,IA-5,IA-6,SC-20,SC-21,CM-7(1),CM-9,SA-10","soc_2":"CC7.1,CC8.1"},"rules":["c:osascript -l JavaScript -e \"$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow').objectForKey('RetriesUntilHint')\" -> r:^0$"],"condition":"any","command":"osascript -l JavaScript -e \"$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow').objectForKey('RetriesUntilHint')\"","result":"failed"}}
```
2.11.1 :red_circle: Why is this check not implemented?
2.11.2 :black_circle: Not implemented. Expected due to SCA limitations.
2.12.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
sh-3.2# osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX').objectForKey('DisableGuestAccount')
> "
sh-3.2# osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow').objectForKey('GuestEnabled')
> "
0
sh-3.2#
```

Alert
```
2023/04/13 13:43:18 sca[7793] wm_sca.c:986 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 30031 'Ensure Guest Account Is Disabled.'
2023/04/13 13:43:18 sca[7793] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 30031 'Ensure Guest Account Is Disabled.' -> 1
```
2.12.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
sh-3.2# sysadminctl -smbGuestAccess status
2023-04-13 13:45:26.102 sysadminctl[7891:93741] SMB guest access disabled.
```

Alert
```
2023/04/13 13:45:54 sca[7903] wm_sca.c:986 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 30032 'Ensure Guest Access to Shared Folders Is Disabled.'
2023/04/13 13:45:54 sca[7903] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 30032 'Ensure Guest Access to Shared Folders Is Disabled.' -> 1
```
2.12.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
sh-3.2# osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow').objectForKey('com.apple.login.mcx.DisableAutoLoginClient')"
sh-3.2# osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow').objectForKey('autoLoginUser')"
```

Alert
```
2023/04/13 13:59:34 sca[8242] wm_sca.c:986 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 30033 'Ensure Automatic Login Is Disabled.'
2023/04/13 13:59:34 sca[8242] wm_sca.c:1241 at wm_sca_do_scan(): DEBUG: Result for check id: 30033 'Ensure Automatic Login Is Disabled.' -> 1
```
2.13.1 :black_circle: Not implemented. Expected due to SCA limitations
2.14.1 :black_circle: Not implemented. Expected due to SCA limitations
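The review above turns on two details of how the SCA module evaluates a check: the check-level `condition` (`all` versus `any` for 2.6.5) and the per-line pattern test that decides each rule (the `r:^0$` minterm behind the 2.9.1 result). The following Python model replays captured command output through that rule grammar (`c:<command> -> r:<regex>`, optional `not` prefix, `condition: any|all|none`). It is an added example, not Wazuh's code or the policy file: the rule strings are written after the commands shown in the review rather than copied from the policy, the `pmset -g` output is a constructed fixture, and Python's `re` stands in for Wazuh's OSRegex.

```python
"""Model of how Wazuh SCA aggregates the rules of one check.

Constructed illustration, not Wazuh's own code: captured command output is
replayed through the rule grammar used in the macOS policy
(``c:<command> -> r:<regex>``, optional ``not`` prefix, check-level
``condition: any|all|none``) so that the effect of ``any`` versus ``all`` on
check 2.6.5 and the per-line pattern test behind 2.9.1 can be seen offline.
Python's ``re`` stands in for Wazuh's OSRegex; that is an approximation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

Outputs = Dict[str, str]  # command string -> captured stdout (test fixture)


@dataclass(frozen=True)
class Rule:
    negated: bool
    command: str
    regex: str


_RULE = re.compile(r"^(not\s+)?c:(.+?)\s+->\s+r:(.+)$")


def parse_rule(text: str) -> Rule:
    """Parse 'c:<cmd> -> r:<regex>', with an optional leading 'not'.

    Only regex (r:) patterns are modelled, which is all this policy uses.
    """
    m = _RULE.match(text)
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    return Rule(negated=bool(m.group(1)), command=m.group(2), regex=m.group(3))


def eval_rule(rule: Rule, outputs: Outputs) -> int:
    """Return 1 if any output line matches the regex, else 0.

    Each line is a 'minterm' as in the agent log; a negated rule inverts the
    outcome ('Rule is negated'). A command with no captured output matches
    nothing, which is what the empty osascript results in the review produce.
    """
    lines = outputs.get(rule.command, "").splitlines()
    matched = any(re.search(rule.regex, line) for line in lines)
    return int(matched != rule.negated)


def eval_check(rules: List[str], condition: str, outputs: Outputs) -> str:
    """Aggregate rule results with the check's condition, as wm_sca_do_scan does."""
    results = [eval_rule(parse_rule(r), outputs) for r in rules]
    if condition == "any":
        found = any(results)
    elif condition == "all":
        found = all(results)
    elif condition == "none":
        found = not any(results)
    else:
        raise ValueError(f"unknown condition: {condition!r}")
    return "passed" if found else "failed"


# --- 2.6.5 Ensure FileVault Is Enabled --------------------------------------
# Rule strings are written after the commands shown in the review; the exact
# regexes of the policy file are an assumption.
MCX_CMD = ("osascript -l JavaScript -e \"$.NSUserDefaults.alloc."
           "initWithSuiteName('com.apple.MCX').objectForKey('dontAllowFDEDisable')\"")
FILEVAULT_RULES = ["c:fdesetup status -> r:FileVault is On", f"c:{MCX_CMD} -> r:^1$"]
# As captured on the test host: FileVault off, MCX key unset (prints nothing).
FILEVAULT_OFF: Outputs = {"fdesetup status": "FileVault is Off.\n", MCX_CMD: ""}
# Constructed variant: FileVault on, but nothing prevents a user disabling it.
FILEVAULT_ON_UNPINNED: Outputs = {"fdesetup status": "FileVault is On.\n", MCX_CMD: ""}

# --- 2.9.1 Ensure Power Nap Is Disabled for Intel Macs -----------------------
ORIGINAL_POWERNAP_RULE = 'c:sh -c "pmset -g custom | grep powernap | grep -c 1" -> r:^0$'
# The review shows this pipeline printing 2 (powernap is 1 on battery and AC).
POWERNAP_COUNT: Outputs = {'sh -c "pmset -g custom | grep powernap | grep -c 1"': "2\n"}
NEGATED_POWERNAP_RULE = r"not c:pmset -g -> r:powernap\s*\t*1"
# Constructed 'pmset -g' output in the shape the agent log shows line by line.
PMSET_POWERNAP_ON = ("System-wide power settings:\nCurrently in use:\n"
                     " Sleep On Power Button 1\n powernap             1\n womp 0\n")
PMSET_POWERNAP_OFF = PMSET_POWERNAP_ON.replace("powernap             1",
                                               "powernap             0")


def demo() -> Dict[str, str]:
    """Run the scenarios above; keys describe the scenario, values are SCA results."""
    return {
        "2.6.5 any, FileVault off": eval_check(FILEVAULT_RULES, "any", FILEVAULT_OFF),
        "2.6.5 any, FileVault on, key unset":
            eval_check(FILEVAULT_RULES, "any", FILEVAULT_ON_UNPINNED),
        "2.6.5 all, FileVault on, key unset":
            eval_check(FILEVAULT_RULES, "all", FILEVAULT_ON_UNPINNED),
        "2.9.1 original rule, grep count 2":
            eval_check([ORIGINAL_POWERNAP_RULE], "all", POWERNAP_COUNT),
        "2.9.1 negated rule, powernap 1":
            eval_check([NEGATED_POWERNAP_RULE], "all", {"pmset -g": PMSET_POWERNAP_ON}),
        "2.9.1 negated rule, powernap 0":
            eval_check([NEGATED_POWERNAP_RULE], "all", {"pmset -g": PMSET_POWERNAP_OFF}),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

With `any`, FileVault being on is enough to pass 2.6.5 even when nothing pins it, which is the gap the `all` condition closes; the 2.9.1 scenarios show the expected `failed` for a count of 2 and for a `powernap 1` line, so a `passed` on the test host points at the output-gathering problem rather than at the rule.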
jk-olaoluwa commented 1 year ago

https://github.com/wazuh/wazuh-qa/issues/3852#issuecomment-1506527955

2.6.1.2 :red_circle: - The rule is fine, won't change
2.6.5 :red_circle: - Solved
2.6.7 :red_circle: - Solved
2.9.1 :red_circle: - Solved
2.10.1 :red_circle: - we are not implementing this because the check requires user profiles
2.10.2 :red_circle: - Solved
2.10.5 :red_circle: - Solved
2.11.1 :red_circle: - Solved

https://github.com/wazuh/wazuh/pull/16027/commits/95067663050c453c7a813d005158f02fc29a854c

Rebits commented 1 year ago

Testing results :red_circle:

| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16027/commits/03564c1b7a9b6c26ea96732b5ba58c3154623d18 |

2.6.1.2 :green_circle: **Rules**: :green_circle: - Rule is correct
2.6.5 :green_circle: **Rules**: :green_circle:
2.6.7 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Using grep is not required.

Rules details

Command output
```
sh-3.2# sh-3.2# security authorizationdb read system.preferences | grep -A1 shared
 shared
 YES (0)
sh-3.2#
```

Alert
```
2023/04/18 15:03:27 sca[21116] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent)(grep 31042) -> 0
2023/04/18 15:03:27 sca[21116] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent)(grep 31042) -> 0
2023/04/18 15:03:27 sca[21116] wm_sca.c:1000 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 31042 'Ensure an Administrator Password Is Required to Access System-Wide Preferences.'
2023/04/18 15:03:27 sca[21116] wm_sca.c:1255 at wm_sca_do_scan(): DEBUG: Result for check id: 31042 'Ensure an Administrator Password Is Required to Access System-Wide Preferences.' -> 0
```
2.9.1 :yellow_circle: SCA ignores some lines in macOS Ventura. This produces false positives. Further research is required
- **Rules**: :yellow_circle:
```
sh-3.2# sh -c "pmset -g custom"
Battery Power:
 Sleep On Power Button 1
 lowpowermode 0
 standby 1
 ttyskeepawake 1
 hibernatemode 3
 powernap 1
 hibernatefile /var/vm/sleepimage
 displaysleep 2
 womp 0
 networkoversleep 0
 sleep 1
 lessbright 1
 tcpkeepalive 1
 disksleep 10
AC Power:
 Sleep On Power Button 1
 lowpowermode 0
 standby 1
 ttyskeepawake 1
 hibernatemode 3
 powernap 1
 hibernatefile /var/vm/sleepimage
 displaysleep 10
 womp 1
 networkoversleep 0
 sleep 1
 tcpkeepalive 1
 disksleep 10
sh-3.2#
```
***
```
2023/04/18 14:49:20 sca[21072] wm_sca.c:151 at wm_sca_main(): INFO: Module started.
2023/04/18 14:49:20 sca[21072] wm_sca.c:190 at wm_sca_main(): INFO: Loaded policy '/Library/Ossec/ruleset/sca/macos.yml'
2023/04/18 14:49:20 sca[21072] wm_sca.c:328 at wm_sca_start(): INFO: Starting Security Configuration Assessment scan.
2023/04/18 14:49:20 sca[21072] wm_sca.c:443 at wm_sca_read_files(): DEBUG: Calculating hash for policy file '/Library/Ossec/ruleset/sca/macos.yml'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1000 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check Requirements check 'Check Apple macOS version.'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1001 at wm_sca_do_scan(): DEBUG: Rule aggregation strategy for this check is 'any'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1002 at wm_sca_do_scan(): DEBUG: Initial rule-aggregator value por this type of rule is '0'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1003 at wm_sca_do_scan(): DEBUG: Beginning rules evaluation.
2023/04/18 14:49:20 sca[21072] wm_sca.c:1028 at wm_sca_do_scan(): DEBUG: Considering rule: 'c:sw_vers -> r:^ProductVersion:\t*\s*13\p'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1142 at wm_sca_do_scan(): DEBUG: Running command: 'sw_vers'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1637 at wm_sca_read_command(): DEBUG: Executing command 'sw_vers', and testing output with pattern 'r:^ProductVersion:\t*\s*13\p'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1643 at wm_sca_read_command(): DEBUG: Command 'sw_vers' returned code 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:^ProductVersion:\t*\s*13\p)(ProductName: macOS) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:^ProductVersion:\t*\s*13\p)(ProductName: macOS) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:^ProductVersion:\t*\s*13\p)(ProductVersion: 13.1) -> 1
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:^ProductVersion:\t*\s*13\p)(ProductVersion: 13.1) -> 1
2023/04/18 14:49:20 sca[21072] wm_sca.c:1699 at wm_sca_read_command(): DEBUG: Result for (r:^ProductVersion:\t*\s*13\p)(sw_vers) -> 1
2023/04/18 14:49:20 sca[21072] wm_sca.c:1145 at wm_sca_do_scan(): DEBUG: Command output matched.
2023/04/18 14:49:20 sca[21072] wm_sca.c:1232 at wm_sca_do_scan(): DEBUG: Result for rule 'c:sw_vers -> r:^ProductVersion:\t*\s*13\p': 1
2023/04/18 14:49:20 sca[21072] wm_sca.c:1239 at wm_sca_do_scan(): DEBUG: Breaking from rule aggregator 'any' with found = 1
2023/04/18 14:49:20 sca[21072] wm_sca.c:1255 at wm_sca_do_scan(): DEBUG: Result for check Requirements check 'Check Apple macOS version.' -> 1
2023/04/18 14:49:20 sca[21072] wm_sca.c:488 at wm_sca_read_files(): INFO: Starting evaluation of policy: '/Library/Ossec/ruleset/sca/macos.yml'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1000 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 31045 'Ensure Power Nap Is Disabled for Intel Macs.'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1001 at wm_sca_do_scan(): DEBUG: Rule aggregation strategy for this check is 'all'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1002 at wm_sca_do_scan(): DEBUG: Initial rule-aggregator value por this type of rule is '1'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1003 at wm_sca_do_scan(): DEBUG: Beginning rules evaluation.
2023/04/18 14:49:20 sca[21072] wm_sca.c:1028 at wm_sca_do_scan(): DEBUG: Considering rule: 'not c:pmset -g -> r:powernap\s*\t*1'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1047 at wm_sca_do_scan(): DEBUG: Rule is negated.
2023/04/18 14:49:20 sca[21072] wm_sca.c:1142 at wm_sca_do_scan(): DEBUG: Running command: 'pmset -g'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1637 at wm_sca_read_command(): DEBUG: Executing command 'pmset -g', and testing output with pattern 'r:powernap\s*\t*1'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1643 at wm_sca_read_command(): DEBUG: Command 'pmset -g' returned code 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)(System-wide power settings:) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)(System-wide power settings:) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)(Currently in use:) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)(Currently in use:) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( Sleep On Power Button 1) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( Sleep On Power Button 1) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( hibernatefile /var/vm/sleepimage) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( hibernatefile /var/vm/sleepimage) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( networkoversleep 0) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( networkoversleep 0) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( disksleep 10) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( disksleep 10) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( sleep 1 (sleep prevented by TeamViewer, powerd, coreaudiod)) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( sleep 1 (sleep prevented by TeamViewer, powerd, coreaudiod)) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( hibernatemode 3) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( hibernatemode 3) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( ttyskeepawake 1) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( ttyskeepawake 1) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( displaysleep 2 (display sleep prevented by TeamViewer)) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( displaysleep 2 (display sleep prevented by TeamViewer)) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( lowpowermode 0) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( lowpowermode 0) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( womp 0) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( womp 0) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)(EMPTY_LINE) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)(EMPTY_LINE) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1699 at wm_sca_read_command(): DEBUG: Result for (r:powernap\s*\t*1)(pmset -g) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1232 at wm_sca_do_scan(): DEBUG: Result for rule 'not c:pmset -g -> r:powernap\s*\t*1': 1
2023/04/18 14:49:20 sca[21072] wm_sca.c:1255 at wm_sca_do_scan(): DEBUG: Result for check id: 31045 'Ensure Power Nap Is Disabled for Intel Macs.' -> 1
2023/04/18 14:49:20 sca[21072] wm_sca.c:493 at wm_sca_read_files(): DEBUG: Calculating hash for scanned results.
2023/04/18 14:49:20 sca[21072] wm_sca.c:2817 at wm_sca_hash_integrity(): DEBUG: Concatenating check results:
2023/04/18 14:49:20 sca[21072] wm_sca.c:2820 at wm_sca_hash_integrity(): DEBUG: ID: 31045; Result: 'passed'
2023/04/18 14:49:23 sca[21072] wm_sca.c:2450 at wm_sca_send_summary(): DEBUG: Sending summary event for file: 'cis_apple_macOS_13.x.yml'
2023/04/18 14:49:23 sca[21072] wm_sca.c:270 at wm_sca_send_alert(): DEBUG: Sending event: {"type":"summary","scan_id":576335861,"name":"SCA policy for Apple macOS 13.x Ventura based on CIS benchmark for Apple macOS 13.x Ventura. 11-14-2022","policy_id":"cis_macOS_13","file":"cis_apple_macOS_13.x.yml","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 13.x. This guide was tested against Apple macOS 13.x.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":1,"failed":0,"invalid":0,"total_checks":1,"score":100,"start_time":1681822160,"end_time":1681822160,"hash":"284d1e8c4918248233df17642bbb940c001e1fa856c18aab86ba6dbe7813eb13","hash_file":"265f893a14e54afcb72f68bc8478846c337d0ca66d7f9bed679e0f45c4fe7887","first_scan":1}
2023/04/18 14:49:23 sca[21072] wm_sca.c:507 at wm_sca_read_files(): INFO: Evaluation finished for policy '/Library/Ossec/ruleset/sca/macos.yml'
2023/04/18 14:49:23 sca[21072] wm_sca.c:308 at wm_sca_send_policies_scanned(): DEBUG: Sending scanned policies.
2023/04/18 14:49:23 sca[21072] wm_sca.c:270 at wm_sca_send_alert(): DEBUG: Sending event: {"type":"policies","policies":["cis_macOS_13"]}
2023/04/18 14:49:23 sca[21072] wm_sca.c:338 at wm_sca_start(): INFO: Security Configuration Assessment scan finished. Duration: 3 seconds.
2023/04/18 14:49:23 sca[21072] wm_sca.c:324 at wm_sca_start(): DEBUG: Sleeping until: 2023/04/19 02:49:20
2023/04/18 14:49:25 sca[21072] wm_sca.c:2889 at wm_sca_dump_db_thread(): DEBUG: Sending first scan results for policy '/Library/Ossec/ruleset/sca/macos.yml'
2023/04/18 14:49:25 sca[21072] wm_sca.c:2897 at wm_sca_dump_db_thread(): DEBUG: Dumping results to SCA DB for policy '/Library/Ossec/ruleset/sca/macos.yml' (Policy index: 0)
2023/04/18 14:49:25 sca[21072] wm_sca.c:270 at wm_sca_send_alert(): DEBUG: Sending event: {"type":"check","id":576335861,"policy":"SCA policy for Apple macOS 13.x Ventura based on CIS benchmark for Apple macOS 13.x Ventura. 11-14-2022","policy_id":"cis_macOS_13","check":{"id":31045,"title":"Ensure Power Nap Is Disabled for Intel Macs.","description":"Power Nap allows the system to stay in low power mode, especially while on battery power, and periodically connect to previously known networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input. This control has been updated to check the status on both battery and AC Power. The presence of an electrical outlet does not completely correlate with logical and physical security of the device or available networks.","rationale":"Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access. The use of Power Nap adds to the risk of compromised physical and logical security. The user should be able to decrypt FileVault and have the applications download what is required when the computer is actively used. The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs.","remediation":"Graphical Method: Perform the following steps to disable Power Nap: Desktop Instructions: 1. Open System Settings 2. Select Energy Saver 3. Set Power Nap to disabled 4. Select UPS (if applicable) 5. Set Power Nap to disabled Laptop Instructions: 1. Open System Settings 2. Select Battery 3. Select Power Adapter (for laptops only) 4. Set Power Nap to disabled 5. Select Battery 6. Set Power Nap to disabled 7. Select UPS (if applicable) 8. Set Power Nap to disabled Terminal Method: Run the following command to disable Power Nap: $ /usr/bin/sudo /usr/bin/pmset -a powernap 0.","compliance":{"cis":"2.9.1","cis_csc_v8":"4.1,4.8","cis_csc_v7":"5.1,9.2","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,CM.L2-3.4.1,CM.L2-3.4.2,CM.L2-3.4.6,CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","iso_27001-2013":"A.13.1.3,A.14.2.5,A.8.1.3","mitre_techniques":"T1003,T1011,T1015,T1017,T1019,T1028,T1034,T1035,T1036,T1037,T1044,T1047,T1051,T1053,T1054,T1055,T1058,T1067,T1070,T1072,T1073,T1075,T1076,T1077,T1078,T1080,T1081,T1084,T1086,T1087,T1088,T1089,T1092,T1096,T1097,T1098,T1100,T1110,T1112,T1130,T1133,T1134,T1136,T1137,T1138,T1139,T1142,T1145,T1146,T1147,T1148,T1150,T1156,T1157,T1165,T1166,T1169,T1173,T1174,T1175,T1176,T1177,T1178,T1184,T1187,T1190,T1196,T1197,T1198,T1199,T1200,T1201,T1206,T1208,T1209,T1210,T1214,T1215,T1218,T1485,T1486,T1487,T1488,T1489,T1490,T1491,T1492,T1494,T1495,T1501,T1503,T1504,T1505,T1506,T1525,T1530,T1535,T1537,T1539","nist_sp_800-53":"CM-7(1),CM-9,SA-10","pci_dss_3.2.1":"1.1.6,1.2.1,11.5,2.2,2.2.2,2.2.5","pci_dss_4.0":"1.1.1,1.2.1,1.2.5,1.2.6,1.2.7,1.5.1,2.1.1,2.2.1,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6,CC7.1,CC8.1"},"rules":["not c:pmset -g -> r:powernap\\s*\\t*1"],"condition":"all","command":"pmset -g","result":"passed"}}
2023/04/18 14:49:30 sca[21072] wm_sca.c:2926 at wm_sca_dump_db_thread(): DEBUG: Sending end of dump control event.
2023/04/18 14:49:30 sca[21072] wm_sca.c:270 at wm_sca_send_alert(): DEBUG: Sending event: {"type":"dump_end","policy_id":"cis_macOS_13","elements_sent":1,"scan_id":576335861}
2023/04/18 14:49:32 sca[21072] wm_sca.c:270 at wm_sca_send_alert(): DEBUG: Sending event: {"type":"summary","scan_id":576335861,"name":"SCA policy for Apple macOS 13.x Ventura based on CIS benchmark for Apple macOS 13.x Ventura. 11-14-2022","policy_id":"cis_macOS_13","file":"cis_apple_macOS_13.x.yml","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 13.x. This guide was tested against Apple macOS 13.x.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":1,"failed":0,"invalid":0,"total_checks":1,"score":100,"start_time":1681822160,"end_time":1681822160,"hash":"284d1e8c4918248233df17642bbb940c001e1fa856c18aab86ba6dbe7813eb13","hash_file":"265f893a14e54afcb72f68bc8478846c337d0ca66d7f9bed679e0f45c4fe7887","force_alert":"1"}
2023/04/18 14:49:32 sca[21072] wm_sca.c:2945 at wm_sca_dump_db_thread(): DEBUG: Finished dumping scan results to SCA DB for policy 'cis_macOS_13' (0) (1)
2023/04/18 14:49:35 sca[21072] wm_sca.c:2889 at wm_sca_dump_db_thread(): DEBUG: Sending first scan results for policy '/Library/Ossec/ruleset/sca/macos.yml'
2023/04/18 14:49:35 sca[21072] wm_sca.c:2897 at wm_sca_dump_db_thread(): DEBUG: Dumping results to SCA DB for policy '/Library/Ossec/ruleset/sca/macos.yml' (Policy index: 0)
2023/04/18 14:49:35 sca[21072] wm_sca.c:270 at wm_sca_send_alert(): DEBUG: Sending event: {"type":"check","id":576335861,"policy":"SCA policy for Apple macOS 13.x Ventura based on CIS benchmark for Apple macOS 13.x Ventura. 11-14-2022","policy_id":"cis_macOS_13","check":{"id":31045,"title":"Ensure Power Nap Is Disabled for Intel Macs.","description":"Power Nap allows the system to stay in low power mode, especially while on battery power, and periodically connect to previously known networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input. This control has been updated to check the status on both battery and AC Power. The presence of an electrical outlet does not completely correlate with logical and physical security of the device or available networks.","rationale":"Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access. The use of Power Nap adds to the risk of compromised physical and logical security. The user should be able to decrypt FileVault and have the applications download what is required when the computer is actively used. The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs.","remediation":"Graphical Method: Perform the following steps to disable Power Nap: Desktop Instructions: 1. Open System Settings 2. Select Energy Saver 3. Set Power Nap to disabled 4. Select UPS (if applicable) 5. Set Power Nap to disabled Laptop Instructions: 1. Open System Settings 2. Select Battery 3. Select Power Adapter (for laptops only) 4. Set Power Nap to disabled 5. Select Battery 6. Set Power Nap to disabled 7. Select UPS (if applicable) 8. Set Power Nap to disabled Terminal Method: Run the following command to disable Power Nap: $ /usr/bin/sudo /usr/bin/pmset -a powernap 0.","compliance":{"cis":"2.9.1","cis_csc_v8":"4.1,4.8","cis_csc_v7":"5.1,9.2","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,CM.L2-3.4.1,CM.L2-3.4.2,CM.L2-3.4.6,CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","iso_27001-2013":"A.13.1.3,A.14.2.5,A.8.1.3","mitre_techniques":"T1003,T1011,T1015,T1017,T1019,T1028,T1034,T1035,T1036,T1037,T1044,T1047,T1051,T1053,T1054,T1055,T1058,T1067,T1070,T1072,T1073,T1075,T1076,T1077,T1078,T1080,T1081,T1084,T1086,T1087,T1088,T1089,T1092,T1096,T1097,T1098,T1100,T1110,T1112,T1130,T1133,T1134,T1136,T1137,T1138,T1139,T1142,T1145,T1146,T1147,T1148,T1150,T1156,T1157,T1165,T1166,T1169,T1173,T1174,T1175,T1176,T1177,T1178,T1184,T1187,T1190,T1196,T1197,T1198,T1199,T1200,T1201,T1206,T1208,T1209,T1210,T1214,T1215,T1218,T1485,T1486,T1487,T1488,T1489,T1490,T1491,T1492,T1494,T1495,T1501,T1503,T1504,T1505,T1506,T1525,T1530,T1535,T1537,T1539","nist_sp_800-53":"CM-7(1),CM-9,SA-10","pci_dss_3.2.1":"1.1.6,1.2.1,11.5,2.2,2.2.2,2.2.5","pci_dss_4.0":"1.1.1,1.2.1,1.2.5,1.2.6,1.2.7,1.5.1,2.1.1,2.2.1,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6,CC7.1,CC8.1"},"rules":["not c:pmset -g -> r:powernap\\s*\\t*1"],"condition":"all","command":"pmset -g","result":"passed"}}
```
2.10.1 :black_circle: Not implemented. Expected due to SCA limitations
2.10.2 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :red_circle:
  - Wrong references
- **Rules**: :green_circle:
Rules details
Command output
```
sh-3.2# osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver').objectForKey('askForPassword')"
sh-3.2# osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver').objectForKey('askForPasswordDelay')"
```
Alert
```
2023/04/18 14:31:00 sca[18131] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent)(grep 31049) -> 0
2023/04/18 14:31:00 sca[18131] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent)(grep 31049) -> 0
2023/04/18 14:31:00 sca[18131] wm_sca.c:1000 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 31049 'Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled.'
2023/04/18 14:31:00 sca[18131] wm_sca.c:1255 at wm_sca_do_scan(): DEBUG: Result for check id: 31049 'Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled.' -> 0
2023/04/18 14:31:01 sca[18131] wm_sca.c:2820 at wm_sca_hash_integrity(): DEBUG: ID: 31049; Result: 'failed'
```
2.10.5 :green_circle:
- **Rules**: :green_circle:
```
sh-3.2# osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow').objectForKey('RetriesUntilHint')"
sh-3.2#
```
```
2023/04/18 14:26:39 sca[17167] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent)(grep 31052) -> 0
2023/04/18 14:26:39 sca[17167] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent)(grep 31052) -> 0
2023/04/18 14:26:40 sca[17167] wm_sca.c:1000 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 31052 'Ensure Show Password Hints Is Disabled.'
2023/04/18 14:26:40 sca[17167] wm_sca.c:1255 at wm_sca_do_scan(): DEBUG: Result for check id: 31052 'Ensure Show Password Hints Is Disabled.' -> 1
```
2.11.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
Rules details
Command output
```
sh-3.2# dscl . -list /Users hint
sh-3.2#
```
Alert
```
2023/04/18 14:24:06 sca[16212] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent)(grep 31053) -> 0
2023/04/18 14:24:06 sca[16212] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent)(grep 31053) -> 0
2023/04/18 14:24:07 sca[16212] wm_sca.c:1000 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 31053 'Ensure Users' Accounts Do Not Have a Password Hint.'
2023/04/18 14:24:07 sca[16212] wm_sca.c:1255 at wm_sca_do_scan(): DEBUG: Result for check id: 31053 'Ensure Users' Accounts Do Not Have a Password Hint.' -> 1
```
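The rule semantics visible in the 2.9.1 debug log (a negated `c:` command rule, each output line tested against an `r:` pattern, `all`/`any` aggregation) as a small Python emulation. This is an added example written for this page, not Wazuh's `wm_sca.c` code: it approximates only the OSSec regex escapes these rules use (`\s`, `\t`, `\p`, `\.`), and instead of running `pmset` it is fed constructed copies of the output captured in the thread. It reproduces the outcome the tester flagged: over the complete `pmset -g custom` capture (used here in place of `pmset -g`) the negated rule fails check 31045 because `powernap 1` is present, while over only the lines the SCA log shows it actually tested, where no `powernap` line appears, the same rule passes the check.

```python
"""Added emulation of the Wazuh SCA rule evaluation seen in the debug logs above.
Not the wm_sca.c engine: it handles only 'c:' command rules with an optional 'not'
and an 'r:' OSSec-style regex test, plus the OSSec escapes those rules use."""
import re

# OSSec regex escapes used by the macOS policy, mapped to Python regex.
_OSSEC_ESCAPES = {
    "s": " ",                                   # \s is a single space
    "t": "\t",                                  # \t is a tab
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",   # \p is one punctuation character
    ".": ".",                                   # \. is the any-character wildcard
}


def ossec_to_python(pattern: str) -> re.Pattern:
    """Translate the subset of OSSec regex syntax used by these SCA rules."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in _OSSEC_ESCAPES:
            out.append(_OSSEC_ESCAPES[pattern[i + 1]])
            i += 2
            continue
        out.append(r"\." if ch == "." else ch)  # a bare '.' is literal in OSSec regex
        i += 1
    return re.compile("".join(out))


def parse_rule(rule: str):
    """Split 'not c:<cmd> -> r:<regex>' into (negated, command, compiled regex)."""
    negated = rule.startswith("not ")
    body = rule[4:] if negated else rule
    command, _, test = body[2:].partition(" -> ")
    if not (body.startswith("c:") and test.startswith("r:")):
        raise ValueError("only 'c:<cmd> -> r:<regex>' rules are emulated")
    return negated, command.strip(), ossec_to_python(test[2:])


def evaluate_rule(rule: str, command_output: str) -> bool:
    """Like wm_sca_read_command: every output line is tested, the command result
    is true when any line matches, and 'not' inverts it ('Rule is negated')."""
    negated, _, regex = parse_rule(rule)
    matched = any(regex.search(line) for line in command_output.splitlines())
    return (not matched) if negated else matched


def evaluate_check(rules, condition: str, outputs: dict) -> str:
    """Aggregate like wm_sca_do_scan: 'all' ANDs from an initial 1, 'any' ORs from
    an initial 0. `outputs` maps each rule's command to its captured text."""
    if condition not in ("all", "any"):
        raise ValueError(f"unsupported condition {condition!r}")
    results = [evaluate_rule(r, outputs[parse_rule(r)[1]]) for r in rules]
    return "passed" if {"all": all, "any": any}[condition](results) else "failed"


# Constructed, abridged copy of the `pmset -g custom` capture in the 2.9.1 entry
# (standing in for `pmset -g` here); both power sources report powernap 1.
PMSET_FULL_OUTPUT = """\
Battery Power:
 Sleep On Power Button 1
 powernap 1
 womp 0
 sleep 1
AC Power:
 Sleep On Power Button 1
 powernap 1
 womp 1
 sleep 1
"""

# Only the `pmset -g` lines the SCA debug log shows it actually tested for check
# 31045; no powernap line is among them, which is what the tester flagged.
PMSET_LINES_SCA_TESTED = """\
System-wide power settings:
Currently in use:
 Sleep On Power Button 1
 hibernatefile /var/vm/sleepimage
 networkoversleep 0
 disksleep 10
 sleep 1 (sleep prevented by TeamViewer, powerd, coreaudiod)
 hibernatemode 3
 ttyskeepawake 1
 displaysleep 2 (display sleep prevented by TeamViewer)
 lowpowermode 0
 womp 0
"""

POWERNAP_RULE = r"not c:pmset -g -> r:powernap\s*\t*1"


def compare_scenarios() -> dict:
    """Check 31045 over both captures: the complete output fails it (powernap 1 is
    present) while the line set SCA tested passes it, as in the log above."""
    return {
        "full_output": evaluate_check([POWERNAP_RULE], "all", {"pmset -g": PMSET_FULL_OUTPUT}),
        "lines_sca_tested": evaluate_check([POWERNAP_RULE], "all", {"pmset -g": PMSET_LINES_SCA_TESTED}),
    }
```

`compare_scenarios()` returns `{"full_output": "failed", "lines_sca_tested": "passed"}`. The same `evaluate_check` reproduces the policy's requirements check (`c:sw_vers -> r:^ProductVersion:\t*\s*13\p` with condition `any`), which is why the `\p` punctuation escape is in the translation table: it is what lets `13\p` match `13.1` but not `12.6`.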
jk-olaoluwa commented 1 year ago

https://github.com/wazuh/wazuh-qa/issues/3852#issuecomment-1513102044

2.6.7 :red_circle: - won't change
2.10.2 :red_circle: - Solved

https://github.com/wazuh/wazuh/pull/16027/commits/0933eabc74fe89a053b188f1c5cd3eefd2c63ec7

Rebits commented 1 year ago

Testing results :yellow_circle:

| Tester | PR commit |
| --- | --- |
| @Rebits | https://github.com/wazuh/wazuh/commit/0933eabc74fe89a053b188f1c5cd3eefd2c63ec7 |

2.10.2 :green_circle:
- **References**: :green_circle:
2.9.1 :yellow_circle: SCA ignores some lines in macOS Ventura. This produces false positives. Further research is required
- **Rules**: :yellow_circle:
```
sh-3.2# sh -c "pmset -g custom"
Battery Power:
 Sleep On Power Button 1
 lowpowermode 0
 standby 1
 ttyskeepawake 1
 hibernatemode 3
 powernap 1
 hibernatefile /var/vm/sleepimage
 displaysleep 2
 womp 0
 networkoversleep 0
 sleep 1
 lessbright 1
 tcpkeepalive 1
 disksleep 10
AC Power:
 Sleep On Power Button 1
 lowpowermode 0
 standby 1
 ttyskeepawake 1
 hibernatemode 3
 powernap 1
 hibernatefile /var/vm/sleepimage
 displaysleep 10
 womp 1
 networkoversleep 0
 sleep 1
 tcpkeepalive 1
 disksleep 10
sh-3.2#
```
***
```
2023/04/18 14:49:20 sca[21072] wm_sca.c:151 at wm_sca_main(): INFO: Module started.
2023/04/18 14:49:20 sca[21072] wm_sca.c:190 at wm_sca_main(): INFO: Loaded policy '/Library/Ossec/ruleset/sca/macos.yml'
2023/04/18 14:49:20 sca[21072] wm_sca.c:328 at wm_sca_start(): INFO: Starting Security Configuration Assessment scan.
2023/04/18 14:49:20 sca[21072] wm_sca.c:443 at wm_sca_read_files(): DEBUG: Calculating hash for policy file '/Library/Ossec/ruleset/sca/macos.yml'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1000 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check Requirements check 'Check Apple macOS version.'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1001 at wm_sca_do_scan(): DEBUG: Rule aggregation strategy for this check is 'any'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1002 at wm_sca_do_scan(): DEBUG: Initial rule-aggregator value por this type of rule is '0'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1003 at wm_sca_do_scan(): DEBUG: Beginning rules evaluation.
2023/04/18 14:49:20 sca[21072] wm_sca.c:1028 at wm_sca_do_scan(): DEBUG: Considering rule: 'c:sw_vers -> r:^ProductVersion:\t*\s*13\p'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1142 at wm_sca_do_scan(): DEBUG: Running command: 'sw_vers'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1637 at wm_sca_read_command(): DEBUG: Executing command 'sw_vers', and testing output with pattern 'r:^ProductVersion:\t*\s*13\p'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1643 at wm_sca_read_command(): DEBUG: Command 'sw_vers' returned code 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:^ProductVersion:\t*\s*13\p)(ProductName: macOS) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:^ProductVersion:\t*\s*13\p)(ProductName: macOS) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:^ProductVersion:\t*\s*13\p)(ProductVersion: 13.1) -> 1
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:^ProductVersion:\t*\s*13\p)(ProductVersion: 13.1) -> 1
2023/04/18 14:49:20 sca[21072] wm_sca.c:1699 at wm_sca_read_command(): DEBUG: Result for (r:^ProductVersion:\t*\s*13\p)(sw_vers) -> 1
2023/04/18 14:49:20 sca[21072] wm_sca.c:1145 at wm_sca_do_scan(): DEBUG: Command output matched.
2023/04/18 14:49:20 sca[21072] wm_sca.c:1232 at wm_sca_do_scan(): DEBUG: Result for rule 'c:sw_vers -> r:^ProductVersion:\t*\s*13\p': 1
2023/04/18 14:49:20 sca[21072] wm_sca.c:1239 at wm_sca_do_scan(): DEBUG: Breaking from rule aggregator 'any' with found = 1
2023/04/18 14:49:20 sca[21072] wm_sca.c:1255 at wm_sca_do_scan(): DEBUG: Result for check Requirements check 'Check Apple macOS version.' -> 1
2023/04/18 14:49:20 sca[21072] wm_sca.c:488 at wm_sca_read_files(): INFO: Starting evaluation of policy: '/Library/Ossec/ruleset/sca/macos.yml'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1000 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 31045 'Ensure Power Nap Is Disabled for Intel Macs.'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1001 at wm_sca_do_scan(): DEBUG: Rule aggregation strategy for this check is 'all'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1002 at wm_sca_do_scan(): DEBUG: Initial rule-aggregator value por this type of rule is '1'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1003 at wm_sca_do_scan(): DEBUG: Beginning rules evaluation.
2023/04/18 14:49:20 sca[21072] wm_sca.c:1028 at wm_sca_do_scan(): DEBUG: Considering rule: 'not c:pmset -g -> r:powernap\s*\t*1'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1047 at wm_sca_do_scan(): DEBUG: Rule is negated.
2023/04/18 14:49:20 sca[21072] wm_sca.c:1142 at wm_sca_do_scan(): DEBUG: Running command: 'pmset -g'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1637 at wm_sca_read_command(): DEBUG: Executing command 'pmset -g', and testing output with pattern 'r:powernap\s*\t*1'
2023/04/18 14:49:20 sca[21072] wm_sca.c:1643 at wm_sca_read_command(): DEBUG: Command 'pmset -g' returned code 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)(System-wide power settings:) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)(System-wide power settings:) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)(Currently in use:) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)(Currently in use:) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( Sleep On Power Button 1) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( Sleep On Power Button 1) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( hibernatefile /var/vm/sleepimage) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( hibernatefile /var/vm/sleepimage) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( networkoversleep 0) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( networkoversleep 0) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( disksleep 10) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( disksleep 10) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( sleep 1 (sleep prevented by TeamViewer, powerd, coreaudiod)) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( sleep 1 (sleep prevented by TeamViewer, powerd, coreaudiod)) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( hibernatemode 3) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( hibernatemode 3) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( ttyskeepawake 1) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( ttyskeepawake 1) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( displaysleep 2 (display sleep prevented by TeamViewer)) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( displaysleep 2 (display sleep prevented by TeamViewer)) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( lowpowermode 0) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( lowpowermode 0) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)( womp 0) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)( womp 0) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1909 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:powernap\s*\t*1)(EMPTY_LINE) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1912 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:powernap\s*\t*1)(EMPTY_LINE) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1699 at wm_sca_read_command(): DEBUG: Result for (r:powernap\s*\t*1)(pmset -g) -> 0
2023/04/18 14:49:20 sca[21072] wm_sca.c:1232 at wm_sca_do_scan(): DEBUG: Result for rule 'not c:pmset -g -> r:powernap\s*\t*1': 1
2023/04/18 14:49:20 sca[21072] wm_sca.c:1255 at wm_sca_do_scan(): DEBUG: Result for check id: 31045 'Ensure Power Nap Is Disabled for Intel Macs.' -> 1
2023/04/18 14:49:20 sca[21072] wm_sca.c:493 at wm_sca_read_files(): DEBUG: Calculating hash for scanned results.
2023/04/18 14:49:20 sca[21072] wm_sca.c:2817 at wm_sca_hash_integrity(): DEBUG: Concatenating check results:
2023/04/18 14:49:20 sca[21072] wm_sca.c:2820 at wm_sca_hash_integrity(): DEBUG: ID: 31045; Result: 'passed'
2023/04/18 14:49:23 sca[21072] wm_sca.c:2450 at wm_sca_send_summary(): DEBUG: Sending summary event for file: 'cis_apple_macOS_13.x.yml'
2023/04/18 14:49:23 sca[21072] wm_sca.c:270 at wm_sca_send_alert(): DEBUG: Sending event: {"type":"summary","scan_id":576335861,"name":"SCA policy for Apple macOS 13.x Ventura based on CIS benchmark for Apple macOS 13.x Ventura. 11-14-2022","policy_id":"cis_macOS_13","file":"cis_apple_macOS_13.x.yml","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 13.x. This guide was tested against Apple macOS 13.x.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":1,"failed":0,"invalid":0,"total_checks":1,"score":100,"start_time":1681822160,"end_time":1681822160,"hash":"284d1e8c4918248233df17642bbb940c001e1fa856c18aab86ba6dbe7813eb13","hash_file":"265f893a14e54afcb72f68bc8478846c337d0ca66d7f9bed679e0f45c4fe7887","first_scan":1}
2023/04/18 14:49:23 sca[21072] wm_sca.c:507 at wm_sca_read_files(): INFO: Evaluation finished for policy '/Library/Ossec/ruleset/sca/macos.yml'
2023/04/18 14:49:23 sca[21072] wm_sca.c:308 at wm_sca_send_policies_scanned(): DEBUG: Sending scanned policies.
2023/04/18 14:49:23 sca[21072] wm_sca.c:270 at wm_sca_send_alert(): DEBUG: Sending event: {"type":"policies","policies":["cis_macOS_13"]}
2023/04/18 14:49:23 sca[21072] wm_sca.c:338 at wm_sca_start(): INFO: Security Configuration Assessment scan finished. Duration: 3 seconds.
2023/04/18 14:49:23 sca[21072] wm_sca.c:324 at wm_sca_start(): DEBUG: Sleeping until: 2023/04/19 02:49:20
2023/04/18 14:49:25 sca[21072] wm_sca.c:2889 at wm_sca_dump_db_thread(): DEBUG: Sending first scan results for policy '/Library/Ossec/ruleset/sca/macos.yml'
2023/04/18 14:49:25 sca[21072] wm_sca.c:2897 at wm_sca_dump_db_thread(): DEBUG: Dumping results to SCA DB for policy '/Library/Ossec/ruleset/sca/macos.yml' (Policy index: 0)
2023/04/18 14:49:25 sca[21072] wm_sca.c:270 at wm_sca_send_alert(): DEBUG: Sending event: {"type":"check","id":576335861,"policy":"SCA policy for Apple macOS 13.x Ventura based on CIS benchmark for Apple macOS 13.x Ventura. 11-14-2022","policy_id":"cis_macOS_13","check":{"id":31045,"title":"Ensure Power Nap Is Disabled for Intel Macs.","description":"Power Nap allows the system to stay in low power mode, especially while on battery power, and periodically connect to previously known networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input. This control has been updated to check the status on both battery and AC Power. The presence of an electrical outlet does not completely correlate with logical and physical security of the device or available networks.","rationale":"Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access. The use of Power Nap adds to the risk of compromised physical and logical security. The user should be able to decrypt FileVault and have the applications download what is required when the computer is actively used. The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs.","remediation":"Graphical Method: Perform the following steps to disable Power Nap: Desktop Instructions: 1. Open System Settings 2. Select Energy Saver 3. Set Power Nap to disabled 4. Select UPS (if applicable) 5. Set Power Nap to disabled Laptop Instructions: 1. Open System Settings 2. Select Battery 3. Select Power Adapter (for laptops only) 4. Set Power Nap to disabled 5. Select Battery 6. Set Power Nap to disabled 7. Select UPS (if applicable) 8. Set Power Nap to disabled Terminal Method: Run the following command to disable Power Nap: $ /usr/bin/sudo /usr/bin/pmset -a powernap 0.","compliance":{"cis":"2.9.1","cis_csc_v8":"4.1,4.8","cis_csc_v7":"5.1,9.2","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,CM.L2-3.4.1,CM.L2-3.4.2,CM.L2-3.4.6,CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","iso_27001-2013":"A.13.1.3,A.14.2.5,A.8.1.3","mitre_techniques":"T1003,T1011,T1015,T1017,T1019,T1028,T1034,T1035,T1036,T1037,T1044,T1047,T1051,T1053,T1054,T1055,T1058,T1067,T1070,T1072,T1073,T1075,T1076,T1077,T1078,T1080,T1081,T1084,T1086,T1087,T1088,T1089,T1092,T1096,T1097,T1098,T1100,T1110,T1112,T1130,T1133,T1134,T1136,T1137,T1138,T1139,T1142,T1145,T1146,T1147,T1148,T1150,T1156,T1157,T1165,T1166,T1169,T1173,T1174,T1175,T1176,T1177,T1178,T1184,T1187,T1190,T1196,T1197,T1198,T1199,T1200,T1201,T1206,T1208,T1209,T1210,T1214,T1215,T1218,T1485,T1486,T1487,T1488,T1489,T1490,T1491,T1492,T1494,T1495,T1501,T1503,T1504,T1505,T1506,T1525,T1530,T1535,T1537,T1539","nist_sp_800-53":"CM-7(1),CM-9,SA-10","pci_dss_3.2.1":"1.1.6,1.2.1,11.5,2.2,2.2.2,2.2.5","pci_dss_4.0":"1.1.1,1.2.1,1.2.5,1.2.6,1.2.7,1.5.1,2.1.1,2.2.1,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6,CC7.1,CC8.1"},"rules":["not c:pmset -g -> r:powernap\\s*\\t*1"],"condition":"all","command":"pmset -g","result":"passed"}}
2023/04/18 14:49:30 sca[21072] wm_sca.c:2926 at wm_sca_dump_db_thread(): DEBUG: Sending end of dump control event.
2023/04/18 14:49:30 sca[21072] wm_sca.c:270 at wm_sca_send_alert(): DEBUG: Sending event: {"type":"dump_end","policy_id":"cis_macOS_13","elements_sent":1,"scan_id":576335861} 2023/04/18 14:49:32 sca[21072] wm_sca.c:270 at wm_sca_send_alert(): DEBUG: Sending event: {"type":"summary","scan_id":576335861,"name":"SCA policy for Apple macOS 13.x Ventura based on CIS benchmark for Apple macOS 13.x Ventura. 11-14-2022","policy_id":"cis_macOS_13","file":"cis_apple_macOS_13.x.yml","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 13.x. This guide was tested against Apple macOS 13.x.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":1,"failed":0,"invalid":0,"total_checks":1,"score":100,"start_time":1681822160,"end_time":1681822160,"hash":"284d1e8c4918248233df17642bbb940c001e1fa856c18aab86ba6dbe7813eb13","hash_file":"265f893a14e54afcb72f68bc8478846c337d0ca66d7f9bed679e0f45c4fe7887","force_alert":"1"} 2023/04/18 14:49:32 sca[21072] wm_sca.c:2945 at wm_sca_dump_db_thread(): DEBUG: Finished dumping scan results to SCA DB for policy 'cis_macOS_13' (0) (1) 2023/04/18 14:49:35 sca[21072] wm_sca.c:2889 at wm_sca_dump_db_thread(): DEBUG: Sending first scan results for policy '/Library/Ossec/ruleset/sca/macos.yml' 2023/04/18 14:49:35 sca[21072] wm_sca.c:2897 at wm_sca_dump_db_thread(): DEBUG: Dumping results to SCA DB for policy '/Library/Ossec/ruleset/sca/macos.yml' (Policy index: 0) 2023/04/18 14:49:35 sca[21072] wm_sca.c:270 at wm_sca_send_alert(): DEBUG: Sending event: {"type":"check","id":576335861,"policy":"SCA policy for Apple macOS 13.x Ventura based on CIS benchmark for Apple macOS 13.x Ventura. 
11-14-2022","policy_id":"cis_macOS_13","check":{"id":31045,"title":"Ensure Power Nap Is Disabled for Intel Macs.","description":"Power Nap allows the system to stay in low power mode, especially while on battery power, and periodically connect to previously known networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input. This control has been updated to check the status on both battery and AC Power. The presence of an electrical outlet does not completely correlate with logical and physical security of the device or available networks.","rationale":"Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access. The use of Power Nap adds to the risk of compromised physical and logical security. The user should be able to decrypt FileVault and have the applications download what is required when the computer is actively used. The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs.","remediation":"Graphical Method: Perform the following steps to disable Power Nap: Desktop Instructions: 1. Open System Settings 2. Select Energy Saver 3. Set Power Nap to disabled 4. Select UPS (if applicable) 5. Set Power Nap to disabled Laptop Instructions: 1. Open System Settings 2. Select Battery 3. Select Power Adapter (for laptops only) 4. Set Power Nap to disabled 5. Select Battery 6. Set Power Nap to disabled 7. Select UPS (if applicable) 8. 
Set Power Nap to disabled Terminal Method: Run the following command to disable Power Nap: $ /usr/bin/sudo /usr/bin/pmset -a powernap 0.","compliance":{"cis":"2.9.1","cis_csc_v8":"4.1,4.8","cis_csc_v7":"5.1,9.2","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,CM.L2-3.4.1,CM.L2-3.4.2,CM.L2-3.4.6,CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","iso_27001-2013":"A.13.1.3,A.14.2.5,A.8.1.3","mitre_techniques":"T1003,T1011,T1015,T1017,T1019,T1028,T1034,T1035,T1036,T1037,T1044,T1047,T1051,T1053,T1054,T1055,T1058,T1067,T1070,T1072,T1073,T1075,T1076,T1077,T1078,T1080,T1081,T1084,T1086,T1087,T1088,T1089,T1092,T1096,T1097,T1098,T1100,T1110,T1112,T1130,T1133,T1134,T1136,T1137,T1138,T1139,T1142,T1145,T1146,T1147,T1148,T1150,T1156,T1157,T1165,T1166,T1169,T1173,T1174,T1175,T1176,T1177,T1178,T1184,T1187,T1190,T1196,T1197,T1198,T1199,T1200,T1201,T1206,T1208,T1209,T1210,T1214,T1215,T1218,T1485,T1486,T1487,T1488,T1489,T1490,T1491,T1492,T1494,T1495,T1501,T1503,T1504,T1505,T1506,T1525,T1530,T1535,T1537,T1539","nist_sp_800-53":"CM-7(1),CM-9,SA-10","pci_dss_3.2.1":"1.1.6,1.2.1,11.5,2.2,2.2.2,2.2.5","pci_dss_4.0":"1.1.1,1.2.1,1.2.5,1.2.6,1.2.7,1.5.1,2.1.1,2.2.1,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6,CC7.1,CC8.1"},"rules":["not c:pmset -g -> r:powernap\\s*\\t*1"],"condition":"all","command":"pmset -g","result":"passed"}} ```
2.6.7 :green_circle: After a meeting with @72nomada this check will not be refactored. It is impossible to determine if the desired string is immediately after the expected text without using grep.
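The rule evaluation the debug log above walks through (one "minterm" test per output line, then the `not` inversion giving `Result for rule ... : 1`) and the 2.6.7 limitation, as an added Python illustration that is not Wazuh's code: it assumes Python `re` semantics in place of Wazuh's own regex engine, and the `pmset -g` lines are constructed from the ones seen in the log.

```python
import re

# Constructed sample of `pmset -g` output, based on the lines seen in the
# SCA debug log above (values are illustrative, not from a real host).
PMSET_OUTPUT_COMPLIANT = [
    " displaysleep 2 (display sleep prevented by TeamViewer)",
    " lowpowermode 0",
    " womp 0",
    " powernap 0",
    "",  # the EMPTY_LINE minterm in the log
]
PMSET_OUTPUT_NONCOMPLIANT = PMSET_OUTPUT_COMPLIANT[:3] + [" powernap 1", ""]

# Rule exactly as it appears in the check event above.
RULE_2_9_1 = r"not c:pmset -g -> r:powernap\s*\t*1"


def parse_rule(rule: str):
    """Split a 'c:<command> -> r:<regex>' rule into (negated, command, regex).

    Only the command/regex form used by this check is handled (assumption).
    """
    negated = rule.startswith("not ")
    body = rule[4:] if negated else rule
    if not body.startswith("c:"):
        raise ValueError(f"unsupported rule type: {rule}")
    command, _, pattern = body[2:].partition(" -> ")
    if not pattern.startswith("r:"):
        raise ValueError(f"unsupported pattern type: {pattern}")
    return negated, command.strip(), pattern[2:]


def evaluate_rule(rule: str, output_lines) -> int:
    """Return 1 if the rule is satisfied, else 0, testing the regex per line.

    Mirrors the log: every line is its own minterm, the command result is 1
    if any line matched, and a leading 'not' flips that result. Because each
    line is matched on its own, a pattern can never see the *next* line,
    which is the 2.6.7 limitation noted above.
    """
    negated, _command, pattern = parse_rule(rule)
    regex = re.compile(pattern)  # Python re, not Wazuh's OSRegex (assumption)
    minterms = [1 if regex.search(line) else 0 for line in output_lines]
    command_result = 1 if any(minterms) else 0
    return (1 - command_result) if negated else command_result


def check_status(rule: str, output_lines) -> str:
    """Map the rule result to the 'result' field seen in the check event."""
    return "passed" if evaluate_rule(rule, output_lines) == 1 else "failed"
```

With `powernap 0` the rule yields 1 ("passed"), with `powernap 1` it yields 0 ("failed"), and a pattern spanning two consecutive lines can never match.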
juliamagan commented 1 year ago

Closing conclusion 👍🏼

The macOS policy correctly fulfills the CIS benchmark. However, some unexpected behavior was detected in macOS Ventura command output gathering, in which some lines are ignored. Check https://github.com/wazuh/wazuh/issues/16760 for more information.