CIS Update: Q4 2024 (#24224)

All edited YAML files were ran through a YAML syntax check before before
committed.

**macOS-13**

- UPDATED: "3.5 - Ensure Access to Audit Records Is Controlled"
Description and Resolution. Query did not change.

- ADDED: "5.10 - Ensure XProtect Is Running and Updated" Checking for
updated is actually handled via a different query.

**macOS-14**

- UPDATED: "3.5 - Ensure Access to Audit Records Is Controlled"
Description and Resolution. Query did not change.

- ADDED: "5.10 - Ensure XProtect Is Running and Updated" Checking for
updated is actually handled via a different query.

 
**macOS-15**

Initial version duplicated from macOS-14 queries, then the following
changes were applied:

- REMOVED:  "3.6 - Ensure Firewall Logging Is Enabled and Configured"

The following controls were not added, further research on how to check
them with osquery is required:
- 2.6.3.1 - 2.6.3.5 and 2.7.2: I am not sure how we can accomplish this.
- "5.11 - Ensure Logging Is Enabled For Sudo" I believe this one can be
accomplished through the file_lines table

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Co-authored-by: Sharon Katz <sharon@fleetdm.com>

changes/23611-Update-CIS

@@ -0,0 +1 @@
+ * Updated macos 13, 14 per latest CIS documents. Added macos 15 support.

ee/cis/macos-13/README.md

@@ -1,6 +1,6 @@
 # macOS 13.0 Ventura benchmark
 
-Fleet's policies have been written against v2.1.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version.
+Fleet's policies have been written against v3.0.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version.
 
 For requirements and usage details, see the [CIS Benchmarks](https://fleetdm.com/docs/using-fleet/cis-benchmarks) documentation.
 

ee/cis/macos-13/cis-policy-queries.yml

@@ -1,5 +1,5 @@
 ---
-# The latest version of CIS Benchmarks for macOS as of August 2024 was used which was benchmark 2.1.0 for macOS 13
+# The latest version of CIS Benchmarks for macOS as of November 2024 was used which was benchmark 3.0.0 for macOS 13
 apiVersion: v1
 kind: policy
 spec:
@@ -131,6 +131,32 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+  name: CIS - Ensure XProtect Is Running and Updated
+  platforms: macOS
+  platform: darwin
+  description: |
+    XProtect is Apple's native signature-based antivirus technology. XProtect both finds and blocks the execution of known malware. There are many AV and Endpoint Threat Detection and Response (ETDR) tools available for Mac OS. The native Apple provisioned tool looks for specific known malware and is completely integrated into the OS. No matter what other tools are being used, XProtect should have the latest signatures available.
+  resolution: |
+        Ask your system administrator to deploy a script that will configure:
+        /usr/bin/sudo /bin/launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.XProtect.daemon.scan.plist
+        /usr/bin/sudo /bin/launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.XprotectFramework.PluginService.plist
+  query: |
+      SELECT 1
+      WHERE (
+          SELECT COUNT(*)
+          FROM launchd
+          WHERE path IN (
+              '/Library/Apple/System/Library/LaunchDaemons/com.apple.XprotectFramework.PluginService.plist',
+              '/Library/Apple/System/Library/LaunchDaemons/com.apple.XProtect.daemon.scan.plist'
+          )
+      ) = 2;
+  purpose: Informational
+  tags: compliance, CIS, CIS_Level1
+  contributors: defensivedepth
+---
+apiVersion: v1
+kind: policy
 spec:
   name: CIS - Ensure Install Security Responses and System Files Is Enabled (MDM Required)
   platforms: macOS
@@ -2345,14 +2371,16 @@ spec:
   platforms: macOS
   platform: darwin
   description: |
-    The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. macOS ACLs should not be used for these files.
+    The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth, the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. macOS ACLs should not be used for these files.
+    
+    The default folder for storing logs is /var/audit, but it can be changed. This recommendation will ensure that any target directory has appropriate access control in place even if the target directory is not the default of /var/audit.
   resolution: |
     Automated method:
     Ask your system administrator to deploy the following script which will Ensure Access to Audit Records Is Controlled:
       /usr/bin/sudo /usr/sbin/chown -R root:wheel /etc/security/audit_control
-      /usr/bin/sudo /bin/chmod -R o-rw /etc/security/audit_control
-      /usr/bin/sudo /usr/sbin/chown -R root:wheel /var/audit/
-      /usr/bin/sudo /bin/chmod -R o-rw /var/audit/
+      /usr/bin/sudo /bin/chmod -R og-rw /etc/security/audit_control
+      /usr/bin/sudo /usr/sbin/chown -R root:wheel $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
+      /usr/bin/sudo /bin/chmod -R og-rw $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
   query: |
     SELECT 1 WHERE 
       -- For all files in /var/audit:

ee/cis/macos-14/README.md

@@ -1,6 +1,6 @@
 # macOS 14 Sonoma benchmark
 
-Fleet's policies have been written against v1.1.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version.
+Fleet's policies have been written against v2.0.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version.
 
 For requirements and usage details, see the [CIS Benchmarks](https://fleetdm.com/docs/using-fleet/cis-benchmarks) documentation.
 

ee/cis/macos-14/cis-policy-queries.yml

@@ -1,5 +1,5 @@
 ---
-# The latest version of CIS Benchmarks for macOS as of August 2024 for macOS 14.
+# The latest version of CIS Benchmarks for macOS as of November 2024 for macOS 14.
 apiVersion: v1
 kind: policy
 spec:
@@ -131,6 +131,32 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+  name: CIS - Ensure XProtect Is Running and Updated
+  platforms: macOS
+  platform: darwin
+  description: |
+    XProtect is Apple's native signature-based antivirus technology. XProtect both finds and blocks the execution of known malware. There are many AV and Endpoint Threat Detection and Response (ETDR) tools available for Mac OS. The native Apple provisioned tool looks for specific known malware and is completely integrated into the OS. No matter what other tools are being used, XProtect should have the latest signatures available.
+  resolution: |
+        Ask your system administrator to deploy a script that will configure:
+        /usr/bin/sudo /bin/launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.XProtect.daemon.scan.plist
+        /usr/bin/sudo /bin/launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.XprotectFramework.PluginService.plist
+  query: |
+      SELECT 1
+      WHERE (
+          SELECT COUNT(*)
+          FROM launchd
+          WHERE path IN (
+              '/Library/Apple/System/Library/LaunchDaemons/com.apple.XprotectFramework.PluginService.plist',
+              '/Library/Apple/System/Library/LaunchDaemons/com.apple.XProtect.daemon.scan.plist'
+          )
+      ) = 2;
+  purpose: Informational
+  tags: compliance, CIS, CIS_Level1
+  contributors: defensivedepth
+---
+apiVersion: v1
+kind: policy
 spec:
   name: CIS - Ensure Install Security Responses and System Files Is Enabled (MDM Required)
   platforms: macOS
@@ -2360,14 +2386,16 @@ spec:
   platforms: macOS
   platform: darwin
   description: |
-    The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. macOS ACLs should not be used for these files.
+    The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth, the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. macOS ACLs should not be used for these files.
+
+    The default folder for storing logs is /var/audit, but it can be changed. This recommendation will ensure that any target directory has appropriate access control in place even if the target directory is not the default of /var/audit.
   resolution: |
     Automated method:
     Ask your system administrator to deploy the following script which will Ensure Access to Audit Records Is Controlled:
       /usr/bin/sudo /usr/sbin/chown -R root:wheel /etc/security/audit_control
-      /usr/bin/sudo /bin/chmod -R o-rw /etc/security/audit_control
-      /usr/bin/sudo /usr/sbin/chown -R root:wheel /var/audit/
-      /usr/bin/sudo /bin/chmod -R o-rw /var/audit/
+      /usr/bin/sudo /bin/chmod -R og-rw /etc/security/audit_control
+      /usr/bin/sudo /usr/sbin/chown -R root:wheel $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
+      /usr/bin/sudo /bin/chmod -R og-rw $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
   query: |
     SELECT 1 WHERE 
       -- For all files in /var/audit:

ee/cis/macos-15/README.md

@@ -0,0 +1,43 @@
+# macOS 15 Sequoia benchmark
+
+Fleet's policies have been written against v1.0.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version.
+
+For requirements and usage details, see the [CIS Benchmarks](https://fleetdm.com/docs/using-fleet/cis-benchmarks) documentation.
+
+### Limitations
+
+The following CIS benchmarks cannot be checked with a policy in Fleet:
+1. 2.1.2 Audit App Store Password Settings
+2. 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information
+3. 2.6.6 Audit Lockdown Mode
+4. 2.11.2 Audit Touch ID and Wallet & Apple Pay Settings
+5. 2.13.1 Audit Passwords System Preference Setting
+6. 2.14.1 Audit Notification & Focus Settings
+7. 3.7 Audit Software Inventory
+8. 6.2.1 Ensure Protect Mail Activity in Mail Is Enabled
+
+Missing items:
+1. 2.6.3.1 Ensure Share Mac Analytics Is Disabled
+2. 2.6.3.3 Ensure Improve Assistive Voice Features Is Disabled
+3. 2.6.3.4 Ensure 'Share with app developers' Is Disabled
+4. 5.11 Ensure Logging Is Enabled for Sudo
+
+### Checks that require decision
+
+CIS has left the parameters of the following checks up to the benchmark implementer. CIS recommends that an organization make a conscious decision for these benchmarks, but does not make a specific recommendation.
+
+Fleet has provided both an "enabled" and "disabled" version of these benchmarks. When both policies are added, at least one will fail. Once your organization has made a decision, you can delete one or the other policy query.
+The policy will be appended with a `-enabled` or `-disabled` label, such as `2.1.1.1-enabled`.
+
+- 2.1.1.1 Audit iCloud Keychain
+- 2.1.1.2 Audit iCloud Drive
+- 2.5.1 Audit Siri
+- 2.8.1 Audit Universal Control
+
+Furthermore, CIS has decided to not require the following password complexity settings:
+- 5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured
+- 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured
+- 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured
+- 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured
+
+However, Fleet has provided these as policies. If your organization declines to implement these, simply delete the corresponding policies.