From c54a781428ef29c0a71038a3cabaed2ed941d17b Mon Sep 17 00:00:00 2001
From: Juan Ferriz
Date: Tue, 2 Apr 2019 12:31:10 +0200
Subject: [PATCH] Add MacOS 10.12 CIS policy yml file (#331)

---
 sca/macos/cis_apple_macOS_10.12.yml | 380 ++++++++++++++++++++++++++++
 1 file changed, 380 insertions(+)
 create mode 100644 sca/macos/cis_apple_macOS_10.12.yml

diff --git a/sca/macos/cis_apple_macOS_10.12.yml b/sca/macos/cis_apple_macOS_10.12.yml
new file mode 100644
index 000000000..4704d6122
--- /dev/null
+++ b/sca/macos/cis_apple_macOS_10.12.yml
@@ -0,0 +1,380 @@
+# Security Configuration assessment
+# CIS Checks for MacOS 10.12
+# Copyright (C) 2015-2019, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Apple macOS 10.12 Benchmark v1.1.0 - 09-06-2018
+
+policy:
+ id: "cis_apple_macos_10_12"
+ file: "cis_apple_macOS_10.12.yml"
+ name: "CIS Apple macOS 10.12 Benchmark"
+ description: "This document, CIS Apple macOS 10.12 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.12. This guide was tested against Apple macOS 10.12. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at feedback@cisecurity.org."
+ references:
+ - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+ title: "Check MacOS version"
+ description: "Requirements for running the SCA scan against MacOS 10.12 (Sierra)."
+ condition: "any required"
+ rules:
+ - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\.12;'
+ - 'c:sw_vers -> r:^ProductVersion:\s*10\.12;'
+ - 'c:system_profiler SPSoftwareDataType -> r:^\s*System Version:.*10\.12;'
+
+checks:
+# 1.1 Verify all Apple provided software is current (Scored)
+ - id: 10500
+ title: "Verify all Apple provided software is current (Scored)"
+ description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
+ rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
+ remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i "
+ compliance:
+ - cis: "1.1"
+ condition: any
+ rules:
+ - 'c:softwareupdate -l -> !r:^\s*Now new software available;'
+# 1.2 Enable Auto Update (Scored)
+ - id: 10501
+ title: "Enable Auto Update (Scored)"
+ description: "Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur."
+ rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
+ remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
+ compliance:
+ - cis: "1.2"
+ references:
+ - http://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
+ - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
+ condition: any
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> !r:^\s*1;'
+# 1.3 Enable app update installs (Scored)
+ - id: 10502
+ title: "Enable app update installs (Scored)"
+ description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
+ rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+ remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that."
+ compliance:
+ - cis: "1.3"
+ condition: any
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> !r:^\s*1;'
+# 1.4 Enable system data files and security update installs (Scored)
+ - id: 10503
+ title: "Enable system data files and security update installs (Scored)"
+ description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
+ rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+ remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
+ compliance:
+ - cis: "1.4"
+ references:
+ - http://www.thesafemac.com/tag/xprotect/
+ - https://support.apple.com/en-us/HT202491
+ condition: any
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:^\s*ConfigDataInstall\s*= && !r\s*1;;'
+ - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:^\s*CriticalUpdateInstall\s*= && !r\s*1;;'
+# 1.5 Enable macOS update installs (Scored)
+ - id: 10504
+ title: "Enable macOS update installs (Scored)"
+ description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
+ rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+ remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
+ compliance:
+ - cis: "1.5"
+ condition: any
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> !r:^\s*1;'
+# 2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices (Scored)
+ - id: 10505
+ title: "Turn off Bluetooth \"Discoverable\" mode when not pairing devices (Scored)"
+ description: "When Bluetooth is set to discoverable mode, the Mac sends a signal indicating that it's available to pair with another Bluetooth device. When a device is \"discoverable\" it broadcasts information about itself and its location. Starting with OS X 10.9 Discoverable mode is enabled while the Bluetooth System Preference is open and turned off once closed. Systems that have the Bluetooth System Preference open at the time of audit will show as Discoverable"
+ rationale: "When in the discoverable state an unauthorized user could gain access to the system by pairing it with a remote device."
+ remediation: "Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. To ensure that the computer is not Discoverable do not leave that preference open."
+ compliance:
+ - cis: "2.1.2"
+ condition: any
+ rules:
+ - 'c:/usr/sbin/system_profiler SPBluetoothDataType -> !r:^\s*[Dd]iscoverable:\s*Off;'
+# 2.2.1 Enable "Set time and date automatically" (Scored)
+ - id: 10506
+ title: "Enable \"Set time and date automatically\" (Scored)"
+ description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Note: If your organization has internal time servers, enter them here. 
Enterprise mobile devices may need to use a mix of internal and external time servers. If multiple servers are required use the Date & Time System Preference with each server separated by a space."
+ rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
+ remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup –setusingnetworktime on"
+ compliance:
+ - cis: "2.2.1"
+ condition: any
+ rules:
+ - 'c:systemsetup -getusingnetworktime -> !r:^\s*Network Time:\s*On;'
+# 2.4.1 Disable Remote Apple Events (Scored)
+ - id: 10507
+ title: "Disable Remote Apple Events (Scored)"
+ description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
+ rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
+ remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
+ compliance:
+ - cis: "2.4.1"
+ condition: any
+ rules:
+ - 'c:systemsetup -getremoteappleevents -> !r:^Remote Apple Events:\s*Off;'
+# 2.4.4 Disable Printer Sharing (Scored)
+ - id: 10508
+ title: "Disable Printer Sharing (Scored)"
+ description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
+ rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
+ remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. 
Uncheck Printer Sharing"
+ compliance:
+ - cis: "2.4.4"
+ condition: any
+ rules:
+ - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*Yes;'
+# 2.4.5 Disable Remote Login (Scored)
+ - id: 10509
+ title: "Disable Remote Login (Scored)"
+ description: "Remote Login allows an interactive terminal connection to a computer."
+ rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers."
+ remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
+ compliance:
+ - cis: "2.4.5"
+ condition: any
+ rules:
+ - 'c:systemsetup -getremotelogin -> !r:^Remote Login:\s*Off;'
+# 2.4.8 Disable File Sharing (Scored)
+ - id: 10510
+ title: "Disable File Sharing (Scored)"
+ description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
+ rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
+ remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist  Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
+ compliance:
+ - cis: "2.4.8"
+ condition: any
+ rules:
+ - 'c:launchctl list -> r:AppleFileServer;'
+ - 'f:/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist -> r:[Aa][Rr][Rr][Aa][Yy];'
+# 2.5.1 Disable "Wake for network access" (Scored)
+ - id: 10511
+ title: "Disable \"Wake for network access\" (Scored)"
+ description: "his feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. 
In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals."
+ rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
+ remediation: "Run the following command in Terminal: sudo pmset -a womp 0"
+ compliance:
+ - cis: "2.5.1"
+ condition: any
+ rules:
+ - 'c:pmset -g -> !r:^\s*womp\s+0;'
+# 2.6.1.1 Enable FileVault (Scored)
+ - id: 10512
+ title: "Enable FileVault (Scored)"
+ description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it."
+ rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
+ remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
+ compliance:
+ - cis: "2.6.1.1"
+ condition: any
+ rules:
+ - 'c:fdesetup status -> !r:^FileVault is\s*On\.;'
+# 2.6.2 Enable Gatekeeper (Scored)
+ - id: 10513
+ title: "Enable Gatekeeper (Scored)"
+ description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
+ rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
+ remediation: "Run the following command in Terminal: sudo spctl --master-enable"
+ compliance:
+ - cis: "2.6.2"
+ condition: any
+ rules:
+ - 'c:spctl --status -> !r:^assessments enabled;'
+# 2.6.3 Enable Firewall (Scored)
+ - id: 10514
+ title: "Enable Firewall (Scored)"
+ description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall."
+ rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
+ remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is:  1 = on for specific services  2 = on for essential services"
+ compliance:
+ - cis: "2.6.3"
+ references:
+ - https://support.apple.com/en-us/HT201642
+ condition: all
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> !r:^\s*1;'
+ - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> !r:^\s*2;'
+# 2.6.4 Enable Firewall Stealth Mode (Scored)
+ - id: 10515
+ title: "Enable Firewall Stealth Mode (Scored)"
+ description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
+ rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
+ remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
+ compliance:
+ - cis: "2.6.4"
+ references:
+ - https://support.apple.com/en-us/HT201642
+ condition: any
+ rules:
+ - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> !r:^\s*Stealth mode enabled;'
+# 2.11 Java 6 is not the default Java runtime (Scored)
+ - id: 10516
+ title: "Java 6 is not the default Java runtime (Scored)"
+ description: "Apple had made Java part of the core Operating System for macOS. Apple is no longer providing Java updates for macOS and updated JREs and JDK are made available by Oracle. The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System"
+ rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path."
+ remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming macOS versions so any applications that still require Java 6 will likely soon be unavailable."
+ compliance:
+ - cis: "2.11"
+ condition: any
+ rules:
+ - 'c:java -version -> r:version.*1.6.0;'
+ - 'c:java -version -> r:Runtime Environment.*build.*1.6.0;'
+# 3.1 Enable security auditing (Scored)
+ - id: 10517
+ title: "Enable security auditing (Scored)"
+ description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. 
These notifications are captured and written to an audit log."
+ rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
+ remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
+ compliance:
+ - cis: "3.1"
+ condition: any
+ rules:
+ - 'c:launchctl list -> !r:com\.apple\.auditd;'
+# 3.2 Configure Security Auditing Flags (Scored)
+ - id: 10518
+ title: "Configure Security Auditing Flags (Scored)"
+ description: "Auditing is the capture and maintenance of information about security-related events."
+ rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
+ remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file."
+ compliance:
+ - cis: "3.2"
+ condition: any
+ rules:
+ - 'f:/etc/security/audit_control -> r:^flags && !r:lo;'
+ - 'f:/etc/security/audit_control -> r:^flags && !r:ad;'
+ - 'f:/etc/security/audit_control -> r:^flags && !r:fd;'
+ - 'f:/etc/security/audit_control -> r:^flags && !r:fm;'
+ - 'f:/etc/security/audit_control -> r:^flags && !r:-all;'
+# 4.1 Disable Bonjour advertising service (Scored)
+ - id: 10519
+ title: "Disable Bonjour advertising service (Scored)"
+ description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
+ rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers."
+ remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
+ compliance:
+ - cis: "4.1"
+ condition: any
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> !r:^\s*1;'
+# 4.4 Ensure http server is not running (Scored)
+ - id: 10520
+ title: "Ensure http server is not running (Scored)"
+ description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services."
+ rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+ remediation: "Stop the Web Server sudo apachectl stop Ensure that the web server will not auto-start at boot sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true"
+ compliance:
+ - cis: "4.4"
+ condition: any
+ rules:
+ - 'p:httpd;'
+# 4.5 Ensure FTP server is not running (Scored)
+ - id: 10521
+ title: "Ensure FTP server is not running (Scored)"
+ description: "macOS used to have a graphical front-end to the embedded FTP server in the Operating System. FTP sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Running an FTP server from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. The FTP server however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. FTP servers meet a specialized need to distribute files without strong authentication and should only be done through hardened servers. Cloud services or other distribution methods should be considered"
+ rationale: "FTP servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+ remediation: "Stop the ftp Server sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist"
+ compliance:
+ - cis: "4.5"
+ condition: any
+ rules:
+ - 'c:launchctl list -> r:ftp;'
+# 4.6 Ensure nfs server is not running (Scored)
+ - id: 10522
+ title: "Ensure nfs server is not running (Scored)"
+ description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. 
NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
+ rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
+ remediation: "Stop the NFS Server sudo nfsd disable Remove the exported Directory listing rm /etc/export"
+ compliance:
+ - cis: "4.6"
+ condition: any
+ rules:
+ - 'p:nfsd;'
+ - 'c:cat /etc/exports -> !r:No such file or directory;'
+# 5.8 Do not enable the "root" account (Scored)
+ - id: 10523
+ title: "Do not enable the \"root\" account (Scored)"
+ description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions."
+ rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
+ remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
+ compliance:
+ - cis: "5.8"
+ condition: any
+ rules:
+ - 'c:dscl . 
-read /Users/root AuthenticationAuthority -> !r:^No such key: AuthenticationAuthority;'
+# 5.9 Disable automatic login (Scored)
+ - id: 10524
+ title: "Disable automatic login (Scored)"
+ description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
+ rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
+ remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
+ compliance:
+ - cis: "5.9"
+ condition: any
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser;'
+# 5.20 System Integrity Protection status (Scored)
+ - id: 10525
+ title: "System Integrity Protection status (Scored)"
+ description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
+ rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
+ remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot."
+ compliance:
+ - cis: "5.20"
+ condition: any
+ rules:
+ - 'c:/usr/bin/csrutil status -> !r:^\s*System Integrity Protection status: enabled;'
+# 6.1.3 Disable guest account login (Scored)
+ - id: 10526
+ title: "Disable guest account login (Scored)"
+ description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
+ rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
+ remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO"
+ compliance:
+ - cis: "6.1.3"
+ condition: any
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> !r:^\s*0;'
+# 6.1.5 Remove Guest home folder (Scored)
+ - id: 10527
+ title: "Remove Guest home folder (Scored)"
+ description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed."
+ rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
+ remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. 
Make sure there is no output"
+ compliance:
+ - cis: "6.1.5"
+ condition: any
+ rules:
+ - 'd:/Users/Guest;'
+# 6.2 Turn on filename extensions (Scored)
+ - id: 10528
+ title: "Turn on filename extensions (Scored)"
+ description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
+ rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
+ remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
+ compliance:
+ - cis: "6.2"
+ condition: any
+ rules:
+ - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> !r:^\s*1;'
+# 6.3 Disable the automatic run of safe files in Safari (Scored)
+ - id: 10529
+ title: "Disable the automatic run of safe files in Safari (Scored)"
+ description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
+ rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
+ remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. 
Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
+ compliance:
+ - cis: "6.3"
+ condition: any
+ rules:
+ - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> !r:^0;'
+
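Review bot: The two rules of check 10503 (CIS 1.4) are malformed — the negated clause is written `!r\s*1;;`, with no colon after `r` and a doubled terminator, so it is not an `r:` regex and the value after `=` is never actually compared (if the parser takes it as a literal, the negated clause is always satisfied and the rule fires whenever the key is present); each should end `&& !r:\s*1;'`, e.g. `- 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:^\s*ConfigDataInstall\s*= && !r:\s*1;'`. Check 10500 (CIS 1.1) fails on a fully patched host for a different reason: `softwareupdate -l` prints `No new software available.`, so `!r:^\s*Now new software available` never matches the real output; use `- 'c:softwareupdate -l -> !r:^\s*No new software available;'`. Several remediation strings also reproduce the benchmark text with the command argument lost or mangled — `softwareupdate -i ` (1.1), `-setnetworktimeserver ` and the en dash in `–setusingnetworktime` (2.2.1), `globalstate - int` (2.6.3), `NoMulticastAdvertisements` with no `-bool true` (4.1), `- bool` in 4.4 and 6.1.3 — so an operator pasting them as written gets an incomplete or failing command; these look like stripped `<value>` placeholders and PDF line breaks and are worth restoring before release. Check 10522 (CIS 4.6) relies on `cat /etc/exports` emitting `No such file or directory`, which goes to stderr; unless the SCA runner merges stderr into the captured output this clause cannot match, and an existence test `- 'f:/etc/exports;'` would be the more direct check.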