Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor for table changes #24781

Open
wants to merge 1 commit into
base: feature-cis511
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 9 additions & 34 deletions ee/cis/macos-15/cis-policy-queries.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2521,15 +2521,15 @@ spec:
/usr/bin/sudo /bin/chmod -R og-rwx /Users/<username>
Or like this if there is a need for excutable access:
/usr/bin/sudo /bin/chmod -R og-rw /Users/<username>
query: SELECT 1 WHERE NOT EXISTS (
SELECT 1 FROM file WHERE (
path LIKE '/Users/%'
AND path != '/Users/Shared/'
AND mode != "0700"
AND mode !="0701"
AND mode !="0710"
AND mode !="0711"
));
query: |
SELECT 1 FROM find_cmd
WHERE directory = '/System/Volumes/Data/Users'
AND type = 'd'
AND mindepth = '1'
AND maxdepth = '1'
AND not_perm = '700'
AND path NOT LIKE '%/Shared'
AND path NOT LIKE '%/Guest';
purpose: Informational
tags: compliance, CIS, CIS_Level1
contributors: sharon-fdm
Expand Down Expand Up @@ -3464,28 +3464,3 @@ spec:
purpose: Informational
tags: compliance, CIS, CIS_Level1
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Home Folders Are Secure
platforms: macOS
platform: darwin
description: |
By default, macOS allows all valid users into the top level of every other user's home folder and restricts access to the Apple default folders within. Another user on the same system can see you have a "Documents" folder but cannot see inside it. This configuration does work for personal file sharing but can expose user files to standard accounts on the system.
resolution: |
Terminal method:
For each user, run the following command to secure all home folders:
/usr/bin/sudo /bin/chmod -R og-rwx /Users/<username>
query: |
SELECT 1 FROM find_cmd
WHERE directory = '/System/Volumes/Data/Users'
AND type = 'd'
AND mindepth = '1'
AND maxdepth = '1'
AND not_perm = '700'
AND path NOT LIKE '%/Shared'
AND path NOT LIKE '%/Guest';
purpose: Informational
tags: compliance, CIS, CIS_Level1
contributors: defensivedepth
Loading