CIS Benchmarks: Add macOS 15 and update macOS 13 & 14 #23611

Closed
16 of 19 tasks
noahtalerman opened this issue Nov 7, 2024 · 8 comments

@noahtalerman
Member

noahtalerman commented Nov 7, 2024

Goal

User story
As an endpoint engineer,
I want Fleet to support the latest macOS CIS Benchmarks
so that I can be sure I'm using the latest version of the benchmarks to meet compliance needs.

Objective

None. Fleet is committed to maintaining CIS Benchmarks for Windows and Mac workstations.

Original requests

Context

Changes

Product

  • CIS policies changes: Add policies for macOS 15 to cover v1.0.0. Update the macOS 13 CIS policies to cover v3.0.0. Update macOS 14 to cover v2.0.0.
  • Feature guide changes: Add mention of macOS 15 to the CIS Benchmarks guide here.
  • Other reference documentation changes:
    • Update the macOS 13 and macOS 14 READMEs to call out that Fleet's policies are written using v3.0.0 and v2.0.0 respectively.
    • Add a macOS 15 README
  • UI changes: No changes
  • CLI (fleetctl) usage changes: No changes
  • YAML changes: No changes
  • REST API changes: No changes
  • Fleet's agent (fleetd) changes: No changes
  • Activity changes: No changes
  • Permissions changes: No changes
  • Changes to paid features or tiers: No changes
  • Once shipped, requester has been notified

Engineering

  • Database schema migrations: not needed
  • Load testing: not needed
  • Compare and diff the new document/s and change our CIS policies accordingly. (Add/Modify/Delete)

Links to CIS documents:
macOS 15.0 v1.0.0 Sequoia
macOS 14.0 v2.0.0 Sonoma
macOS 13.0 v3.0.0 Ventura

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. QA (@____): Added comment to user story confirming successful completion of QA.
@noahtalerman noahtalerman added story A user story defining an entire feature :product Product Design department (shows up on 🦢 Drafting board) #g-endpoint-ops Endpoint ops product group labels Nov 7, 2024
@sharon-fdm
Collaborator

Estimated with @defensivedepth to be done by the end of November.

@sharon-fdm sharon-fdm added :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. and removed :product Product Design department (shows up on 🦢 Drafting board) labels Nov 12, 2024
@sharon-fdm sharon-fdm added :product Product Design department (shows up on 🦢 Drafting board) and removed :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. labels Dec 6, 2024
@noahtalerman
Member Author

The following controls were not added; further research on how to check them with osquery is required:

  • 2.6.3.1 - 2.6.3.5 and 2.7.2: I am not sure how we can accomplish this.
  • "5.11 - Ensure Logging Is Enabled For Sudo": I believe this one can be accomplished through the file_lines table.

Hey @defensivedepth, I'm looking at your comment from your PR here (also above).

This means we should add these to the "Limitations" section in the macOS 15 README right?

cc @sharon-fdm

@sharon-fdm
Collaborator

@noahtalerman, yes. It's mentioned here.

@defensivedepth is still working on them to be added next sprint.

@noahtalerman
Member Author

@noahtalerman, yes. It's mentioned here.

@sharon-fdm I think the list you linked to is missing 2.6.3.5 and 2.7.2:

Screenshot 2024-12-10 at 10 01 51 AM

(the above screenshot from Josh's PR description here)

We should add those to the "Missing items" list too, right?

@sharon-fdm
Collaborator

@noahtalerman, yes, thanks! I'll check.

noahtalerman added a commit that referenced this issue Dec 10, 2024
CIS Benchmarks for macOS 15 were added in this user story: #23611
@noahtalerman
Member Author

@sharon-fdm I think the list you linked to is missing 2.6.3.5 and 2.7.2:

Screenshot 2024-12-10 at 10 01 51 AM

(the above screenshot from Josh's PR description here)

We should add those to the "Missing items" list too, right?

@sharon-fdm I opened a PR to add the missing items here: #24645

I also opened a user story so that we can track the work Josh is doing to add support for those missing items: #24647

Sharon, I assigned that story to you and moved it to "Ready to spec"

FYI @defensivedepth

@noahtalerman
Member Author

Hey @sharon-fdm, just giving you another ping! Can you please review my PR when you get the chance? #24645

@fleet-release
Contributor

Updated benchmarks shine,
Mac compliance needs aligned,
Fleet's support refined.
