Add missing CIS checks #24787

Open: wants to merge 2 commits into base main
45 changes: 45 additions & 0 deletions ee/cis/macos-15/cis-policy-queries.yml
@@ -1890,6 +1890,7 @@ spec:
4. Verify that Share Mac Analytics is not enabled
5. Verify that Share with App Developers is not enabled
6. Verify that Improve Siri & Dictation is not enabled
7. Verify that Improve Assistive Voice Features is not enabled
query: |
SELECT 1 WHERE
EXISTS (
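Review bot: the new step 7 in the description names the Settings toggle, but the thing the policy will actually evaluate is a managed-policy key; make sure the resolution block for this policy (not part of this hunk) lists the corresponding `com.apple.Accessibility` payload key so an admin reading a failing policy knows which profile setting to deploy, rather than having to read the query.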
@@ -1906,6 +1907,13 @@ spec:
(value = 0 OR value = 'false') AND
username = ''
)
AND EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.Accessibility' AND
name='AXSAudioDonationSiriImprovementEnabled' AND
(value = 0 OR value = 'false') AND
username = ''
)
AND EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.applicationaccess' AND
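Review bot: the added EXISTS block mirrors the sibling checks (device-scoped via `username = ''`, value `0` or `'false'`), which is the right shape; the one thing to confirm before merging is that `name='AXSAudioDonationSiriImprovementEnabled'` is exactly the key the Accessibility payload writes, because a misspelled `name` here does not error, it simply makes the whole policy fail on every host since this EXISTS is ANDed with the others. Worth verifying once against a host that has the profile installed (for example by running the inner `SELECT ... FROM managed_policies WHERE domain='com.apple.Accessibility'` on its own) and noting that in the PR description.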
@@ -3464,3 +3472,40 @@ spec:
purpose: Informational
tags: compliance, CIS, CIS_Level1
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure Logging Is Enabled for Sudo (MDM Required)
platforms: macOS
platform: darwin
description: |
In order to properly monitor the use of the sudo command, logs events for any use of sudo should be captured in the unified log.
resolution: |
Ask your system administrator to deploy a script that will configure:
/usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers
Remove the line, or comment out with # before the line, 'Defaults !log_allowed'
query: |
SELECT 1
FROM file_lines
WHERE path = '/etc/sudoers'
AND (
-- No matching line
NOT EXISTS (
SELECT 1
FROM file_lines
WHERE path = '/etc/sudoers'
AND line LIKE '%!log_allowed%'
)
-- OR line exists but is commented
OR EXISTS (
SELECT 1
FROM file_lines
WHERE path = '/etc/sudoers'
AND line LIKE '%#%Defaults%!log_allowed%'
)
)
LIMIT 1;
purpose: Informational
tags: compliance, CIS, CIS_Level1
contributors: defensivedepth
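Review bot: the pass condition in the new sudo-logging query is too permissive: the second branch passes whenever any commented line matching `'%#%Defaults%!log_allowed%'` exists, even if an active, uncommented `Defaults !log_allowed` line is also present in `/etc/sudoers`, so a host that has both a commented-out copy and a live one (a common leftover after a partial remediation) is reported as compliant. The first branch has the mirror problem: `line LIKE '%!log_allowed%'` also matches commented lines, which is why the OR branch was needed. Collapsing both into a single negative test is simpler and correct, e.g. `NOT EXISTS (SELECT 1 FROM file_lines WHERE path = '/etc/sudoers' AND line LIKE '%!log_allowed%' AND TRIM(line) NOT LIKE '#%')`, which passes only when no active line disables allowed-command logging. Two smaller points: the default macOS sudoers includes `/private/etc/sudoers.d`, so a `Defaults !log_allowed` placed in a drop-in file is not caught by a check scoped to `path = '/etc/sudoers'` alone; and the policy name carries the `(MDM Required)` suffix while the query reads a local file and the resolution asks for a script, so either the suffix or the resolution should be reconciled with how the sibling policies use that label.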