-
Notifications
You must be signed in to change notification settings - Fork 210
/
Copy pathcis_apple_macOS_10.13.yml
406 lines (373 loc) · 29.4 KB
/
cis_apple_macOS_10.13.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
# Security Configuration Assessment
# CIS Checks for macOS 10.13
# Copyright (C) 2015-2020, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation
#
# Based on:
# Center for Internet Security Apple macOS 10.13 Benchmark v1.0.0 - 08-31-2018
policy:
id: "cis_apple_macos_10_13"
file: "cis_apple_macOS_10.13.yml"
name: "CIS Apple macOS 10.13 Benchmark"
description: "This document, CIS Apple macOS 10.13 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.13. This guide was tested against Apple macOS 10.13."
references:
- https://www.cisecurity.org/cis-benchmarks/
requirements:
title: "Check macOS version"
description: "Requirements for running the SCA scan against macOS 10.13 (High Sierra)."
condition: any
rules:
- 'c:sw_vers -> r:^ProductVersion:\t*\s*10\p13'
- 'c:system_profiler SPSoftwareDataType -> r:System Version:\.*10\p13'
- 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\t*\s*10\p13'
checks:
# 1.1 Verify all Apple provided software is current (Scored)
- id: 9500
title: "Verify all Apple provided software is current"
description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
compliance:
- cis: ["1.1"]
condition: all
rules:
- 'c:softwareupdate -l -> r:No new software available'
# 1.2 Enable Auto Update (Scored)
- id: 9501
title: "Enable Auto Update"
description: "Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur."
rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
compliance:
- cis: ["1.2"]
references:
- https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
- https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
condition: all
rules:
- 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> 1'
# 1.3 Enable app update installs (Scored)
- id: 9502
title: "Enable app update installs"
description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that."
compliance:
- cis: ["1.3"]
condition: all
rules:
- 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1'
# 1.4 Enable system data files and security update installs (Scored)
- id: 9503
title: "Enable system data files and security update installs"
description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
compliance:
- cis: ["1.4"]
references:
- https://www.thesafemac.com/tag/xprotect/
- https://support.apple.com/en-us/HT202491
condition: all
rules:
- 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -> 1'
- 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -> 1'
# 1.5 Enable macOS update installs (Scored)
- id: 9504
title: "Enable macOS update installs"
description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
compliance:
- cis: ["1.5"]
condition: all
rules:
- 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1'
# 2.2.1 Enable "Set time and date automatically" (Scored)
- id: 9505
title: "Enable \"Set time and date automatically\""
description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries."
rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver <timeserver> sudo systemsetup -setusingnetworktime on"
compliance:
- cis: ["2.2.1"]
condition: all
rules:
- 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
# 2.4.1 Disable Remote Apple Events (Scored)
- id: 9506
title: "Disable Remote Apple Events"
description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
compliance:
- cis: ["2.4.1"]
condition: all
rules:
- 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
# 2.4.4 Disable Printer Sharing (Scored)
- id: 9507
title: "Disable Printer Sharing"
description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing"
compliance:
- cis: ["2.4.4"]
condition: none
rules:
- 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
# 2.4.5 Disable Remote Login (Scored)
- id: 9508
title: "Disable Remote Login"
description: "Remote Login allows an interactive terminal connection to a computer."
rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers."
remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
compliance:
- cis: ["2.4.5"]
condition: all
rules:
- 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
# 2.4.8 Disable File Sharing (Scored)
- id: 9509
title: "Disable File Sharing"
description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
compliance:
- cis: ["2.4.8"]
condition: none
rules:
- 'c:launchctl list -> r:AppleFileServer'
- 'f:/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist -> r:\<array|\<Array|\<ARRAY'
# 2.5.1 Disable "Wake for network access" (Scored)
- id: 9510
title: "Disable \"Wake for network access\""
description: "This feature allows other users to be able to access your computer's shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals."
rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
remediation: "Run the following command in Terminal: sudo pmset -a womp 0"
compliance:
- cis: ["2.5.1"]
condition: none
rules:
- 'c:pmset -g -> r:womp && !r:\s0$'
# 2.6.1.1 Enable FileVault (Scored)
- id: 9511
title: "Enable FileVault"
description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it."
rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
remediation: "1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
compliance:
- cis: ["2.6.1.1"]
condition: all
rules:
- 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$'
# 2.6.2 Enable Gatekeeper (Scored)
- id: 9512
title: "Enable Gatekeeper"
description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
remediation: "Run the following command in Terminal: sudo spctl --master-enable"
compliance:
- cis: ["2.6.2"]
condition: all
rules:
- 'c:spctl --status -> r:^assessments\s*\t*enabled$'
# 2.6.3 Enable Firewall (Scored)
- id: 9513
title: "Enable Firewall"
description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall."
rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int <value> Where <value> is: - 1 = on for specific services - 2 = on for essential services "
compliance:
- cis: ["2.6.3"]
references:
- https://support.apple.com/en-us/HT201642
condition: all
rules:
- 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$'
# 2.6.4 Enable Firewall Stealth Mode (Scored)
- id: 9514
title: "Enable Firewall Stealth Mode"
description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
compliance:
- cis: ["2.6.4"]
references:
- https://support.apple.com/en-us/HT201642
condition: all
rules:
- 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:^Stealth mode enabled'
# 2.10 Enable Secure Keyboard Entry in terminal.app (Scored)
- id: 9515
title: "Enable Secure Keyboard Entry in terminal.app"
description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
compliance:
- cis: ["2.10"]
condition: all
rules:
- 'c:defaults read -app Terminal SecureKeyboardEntry -> 1'
# 2.11 Java 6 is not the default Java runtime (Scored)
- id: 9516
title: "Java 6 is not the default Java runtime"
description: "Apple had made Java part of the core Operating System for macOS. Apple is no longer providing Java updates for macOS and updated JREs and JDK are made available by Oracle. The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System"
rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path."
remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming macOS versions so any applications that still require Java 6 will likely soon be unavailable."
compliance:
- cis: ["2.11"]
condition: none
rules:
- 'c:/usr/libexec/java_home -> r:1.6.0'
# 2.13 Ensure EFI version is valid and being regularly checked (Scored)
- id: 9517
title: "Ensure EFI version is valid and being regularly checked"
description: "In order to mitigate firmware attacks Apple has created a automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days."
rationale: "If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either."
remediation: "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended."
compliance:
- cis: ["2.13"]
condition: all
rules:
- 'c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> r:Primary allowlist version match found. No changes detected in primary hashes'
- 'c:launchctl list -> r:^-\s*\t*0\s*\t*com.apple.driver.eficheck$'
# 3.1 Enable security auditing (Scored)
- id: 9518
title: "Enable security auditing"
description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
compliance:
- cis: ["3.1"]
condition: all
rules:
- 'c:launchctl list -> r:com.apple.auditd'
# 3.2 Configure Security Auditing Flags (Scored)
- id: 9519
title: "Configure Security Auditing Flags"
description: "Auditing is the capture and maintenance of information about security-related events."
rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file."
compliance:
- cis: ["3.2"]
condition: all
rules:
- 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
# 4.1 Disable Bonjour advertising service (Scored)
- id: 9520
title: "Disable Bonjour advertising service"
description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers."
remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
compliance:
- cis: ["4.1"]
condition: all
rules:
- 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1'
# 4.4 Ensure http server is not running (Scored)
- id: 9521
title: "Ensure http server is not running"
description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services."
rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop Ensure that the web server will not auto-start at boot sudo: defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true"
compliance:
- cis: ["4.4"]
condition: none
rules:
- 'p:httpd'
- 'p:/usr/sbin/httpd'
# 4.5 Ensure nfs server is not running (Scored)
- id: 9522
title: "Ensure nfs server is not running"
description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
remediation: "Ensure that the NFS Server is not running and is not set to start at boot Stop the NFS Server: sudo nfsd disable Remove the exported Directory listing: rm /etc/export"
compliance:
- cis: ["4.5"]
condition: none
rules:
- 'p:nfsd'
- 'p:/sbin/nfsd'
- 'f:/etc/exports'
# 5.11 Do not enable the "root" account (Scored)
- id: 9523
title: "Do not enable the \"root\" account"
description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions."
rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
compliance:
- cis: ["5.11"]
condition: all
rules:
- 'c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority'
# 5.12 Disable automatic login (Scored)
- id: 9524
title: "Disable automatic login"
description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
compliance:
- cis: ["5.12"]
condition: none
rules:
- 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser'
# 5.23 System Integrity Protection status (Scored)
- id: 9525
title: "System Integrity Protection status"
description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot."
compliance:
- cis: ["5.23"]
condition: all
rules:
- 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled'
# 6.1.3 Disable guest account login (Scored)
- id: 9526
title: "Disable guest account login"
description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO"
compliance:
- cis: ["6.1.3"]
condition: all
rules:
- 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0'
# 6.1.5 Remove Guest home folder (Scored)
- id: 9527
title: "Remove Guest home folder"
description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed."
rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output"
compliance:
- cis: ["6.1.5"]
condition: none
rules:
- 'd:/Users/Guest'
# 6.2 Turn on filename extensions (Scored)
- id: 9528
title: "Turn on filename extensions"
description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
compliance:
- cis: ["6.2"]
condition: all
rules:
- 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1'
# 6.3 Disable the automatic run of safe files in Safari (Scored)
- id: 9529
title: "Disable the automatic run of safe files in Safari"
description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
compliance:
- cis: ["6.3"]
condition: all
rules:
- 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0'