Wazuh 4.3 - SCA policies manual tests - SCA Policy for CIS Apple macOS 12.0 Monterey Benchmark v1.0.0 / @mauromalara #3043
Task: Global checks 🟢
Installer uses `cis_apple_macOS_12.0.yml` policy 🟢

```
# ls /Library/Ossec/ruleset/sca/
cis_apple_macOS_12.0.yml
# pkill modulesd; /Library/Ossec/bin/wazuh-modulesd -fdd 2>&1 | grep 'sca\['
2022/06/29 23:53:01 sca[4305] wm_sca.c:141 at wm_sca_main(): INFO: Module started.
2022/06/29 23:53:01 sca[4305] wm_sca.c:180 at wm_sca_main(): INFO: Loaded policy '/Library/Ossec/ruleset/sca/cis_apple_macOS_12.0.yml'
```

Check IDs are consistent 🟢
```python
import yaml
import numpy


def check_consecutive(check_ids):
    # True only when the sorted ids form a run with step 1:
    # a gap or a duplicated id produces a diff != 1 and drops the count below n
    n = len(check_ids) - 1
    return (sum(numpy.diff(sorted(check_ids)) == 1) >= n)


with open('./cis_apple_macOS_12.0.yml', 'r') as policy_yaml:
    check_ids = [check['id'] for check in yaml.safe_load(policy_yaml)['checks']]

print(check_consecutive(check_ids))
```
Task: Checks summary 🔴

Summary table: CSV with the scan results

1 Install Updates, Patches and Additional Security Software
1.1 Ensure All Apple-provided Software Is Current 🟢
Execution 🟢
Check event (expected result:

2 System Preferences
2.1 Bluetooth
2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired 🔴
Execution 🟢

```
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState
2022-07-01 19:30:29.862 defaults[27405:718269]
The domain/default pair of (/Library/Preferences/com.apple.Bluetooth, ControllerPowerState) does not exist
sh-3.2# sudo /usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | grep -m1 'Connected: Yes'
```

Check event (expected result:

3 Logging and Auditing
3.1 Ensure Security Auditing Is Enabled 🟢
Execution 🟢

```
sh-3.2# sudo launchctl list | grep -i auditd
132	0	com.apple.auditd
```

Check event (expected result:

4 Network Configurations
4.1 Ensure Bonjour Advertising Services Is Disabled 🔴
Execution 🟢

```
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements
2022-07-02 00:08:29.241 defaults[30547:784310]
The domain/default pair of (/Library/Preferences/com.apple.mDNSResponder.plist, NoMulticastAdvertisements) does not exist
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep "NoMulticastAdvertisements"
```

Check event (expected result:

5 System Access, Authentication and Authorization
5.1 File System Permissions and Access Controls
5.1.2 Ensure System Integrity Protection Status (SIPS) Is Enabled 🔴
Execution 🟢

```
sh-3.2# sudo /usr/bin/csrutil status
System Integrity Protection status: enabled.
```

Check event (expected result:

6 User Accounts and Environment
6.1 Accounts Preferences Action Items
6.1.1 Ensure Login Window Displays as Name and Password Is Enabled 🟢
Execution 🟢

```
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME
0
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep 'SHOWFULLNAME'
```

Check event (expected result:
1.1 Ensure All Apple-provided Software Is Current: Dashboard screenshot 🟡

Initially, the result was:
Update: 13/07/2022

Checks review (Conclusion: All changes were applied correctly. 🟢)

All changes were reviewed with @72nomada.

- 1.1 Ensure All Apple-provided Software Is Current (Automated)
- 1.4 Ensure Installation of App Update Is Enabled (Automated)
- 2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired (Automated)
- 2.2.2 Ensure time set is within appropriate limits (Automated)
- 2.3.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (Automated)
- 2.3.2 Ensure Screen Saver Corners Are Secure (Automated)
- 2.4.6 Ensure DVD or CD Sharing Is Disabled (Automated)
- 2.4.8 Ensure File Sharing Is Disabled (Automated)
- 2.4.9 Ensure Remote Management Is Disabled (Automated)
- 2.4.10 Ensure Remote Management Is Disabled (Automated)
- 2.4.12 Ensure Media Sharing Is Disabled (Automated)
- 2.5.2.3 Ensure Firewall Stealth Mode Is Enabled (Automated)
- 3.6 Ensure Firewall Logging Is Enabled and Configured (Automated)
- 4.1 Ensure Bonjour Advertising Services Is Disabled (Automated)
- 4.5 Ensure NFS Server Is Disabled (Automated)
- 5.1.2 Ensure System Integrity Protection Status (SIPS) Is Enabled (Automated)
- 5.1.5 Ensure Sealed System Volume (SSV) Is Enabled (Automated)
- 5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications (Automated)
- 5.1.7 Ensure No World Writable Files Exist in the System Folder (Automated)
- 5.6 Ensure the "root" Account Is Disabled (Automated)
- 5.10 Require an administrator password to access system-wide preferences (Automated)
- 5.11 Ensure an administrator account cannot login to another user's active and locked session (Automated)
- 5.13 Ensure a Login Window Banner Exists (Automated)
- 5.15 Ensure Fast User Switching Is Disabled (Manual)
- 6.2 Ensure Show All Filename Extensions Setting is Enabled (Automated)
- 6.3 Ensure Automatic Opening of Safe Files in Safari Is Disabled (Automated)
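To make the pass/fail logic behind the checks above concrete, here is an added example (not code from the Wazuh project or from this issue) of a small evaluator for SCA-style check rules, written in Python. It models the `c:<command> -> r:<regex>` rule form with the `all`/`any`/`none` conditions, `not` to negate a rule and `!r:` to negate a regex. The check ids, the rule strings and the dictionary of captured command outputs are constructed for the example: the outputs copy what the session above shows, plus the assumption that `system_profiler ... | grep -m1 'Connected: Yes'` prints nothing when no device is connected. The real rules in `cis_apple_macOS_12.0.yml` are not reproduced on this page and may differ.

```python
import re

# Captured command outputs for the example. The strings are copied from the
# session above except the system_profiler one, which assumes no device is
# reported as connected; a real evaluator would run each command with
# subprocess instead of looking it up here.
CAPTURED = {
    "/usr/bin/csrutil status":
        "System Integrity Protection status: enabled.\n",
    "/usr/bin/defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState":
        "2022-07-01 19:30:29.862 defaults[27405:718269]\n"
        "The domain/default pair of (/Library/Preferences/com.apple.Bluetooth, "
        "ControllerPowerState) does not exist\n",
    "/usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | grep -m1 'Connected: Yes'":
        "",
    "launchctl list | grep -i auditd":
        "132\t0\tcom.apple.auditd\n",
    "/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME":
        "0\n",
}

# Hypothetical checks in the shape of an SCA policy 'checks:' entry. The ids
# and rule strings are assumptions for this example, not the policy's own.
CHECKS = [
    {"id": 1, "title": "2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired",
     "condition": "any",
     "rules": [
         "c:/usr/bin/defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState -> r:^0$",
         "c:/usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | grep -m1 'Connected: Yes' -> r:Connected: Yes",
     ]},
    {"id": 2, "title": "3.1 Ensure Security Auditing Is Enabled",
     "condition": "all",
     "rules": ["c:launchctl list | grep -i auditd -> r:com\\.apple\\.auditd"]},
    {"id": 3, "title": "5.1.2 Ensure System Integrity Protection Status (SIPS) Is Enabled",
     "condition": "all",
     "rules": ["c:/usr/bin/csrutil status -> r:status: enabled"]},
    {"id": 4, "title": "6.1.1 Ensure Login Window Displays as Name and Password Is Enabled",
     "condition": "all",
     "rules": ["c:/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -> r:^0$"]},
]

# 'not' negates the whole rule, '!r:' negates only the regex match.
RULE_RE = re.compile(r"^(?P<neg>not )?c:(?P<cmd>.+?) -> (?P<rneg>!)?r:(?P<pat>.+)$")


def parse_rule(rule):
    """Split a 'c:' rule into (negate_rule, command, negate_regex, pattern)."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    return (m.group("neg") is not None, m.group("cmd"),
            m.group("rneg") is not None, m.group("pat"))


def rule_passes(rule, captured):
    """An 'r:' rule passes when any output line matches; '!r:' when none does."""
    negate_rule, cmd, negate_regex, pattern = parse_rule(rule)
    lines = captured.get(cmd, "").splitlines()
    matched = any(re.search(pattern, line) for line in lines)
    result = not matched if negate_regex else matched
    return not result if negate_rule else result


def evaluate_check(check, captured):
    """Combine the per-rule results under the check's condition."""
    results = [rule_passes(r, captured) for r in check["rules"]]
    cond = check["condition"]
    if cond == "all":
        ok = all(results)
    elif cond == "any":
        ok = any(results)
    elif cond == "none":
        ok = not any(results)
    else:
        raise ValueError(f"unknown condition {cond!r}")
    return "passed" if ok else "failed"


def run_policy(checks, captured):
    """Return {check id: 'passed' | 'failed'} for every check in the policy."""
    return {c["id"]: evaluate_check(c, captured) for c in checks}


if __name__ == "__main__":
    results = run_policy(CHECKS, CAPTURED)
    for c in CHECKS:
        print(f"{results[c['id']]:7s} {c['title']}")
```

Run it as a script to print one line per check. The 2.1.1 case reproduces the failure mode visible in the session above: when a preference key has never been written, `defaults read` prints "does not exist" instead of a value, so a rule that expects a literal `0` cannot match, and with no connected device the second rule does not match either; under `any` the check is reported as failed even though nothing on the host says Bluetooth is on. A rule set meant to pass on an untouched default needs to account for the absent-key output, not only the set value.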
Description
The macOS 12.0 Monterey SCA policies have been updated in wazuh/wazuh#12883. On this account, it is necessary to ensure that these policies fit the CIS Apple macOS 12.0 Monterey Benchmark v1.0.0. Manual testing of the SCA rules used is also required, ensuring the proposed rules work as expected.
Tests
For each check in the SCA policy checks:

`yml` file.

The installers must also be tested:
Checks
Checks design
All test results must have one of the following statuses:
Any failing test must be properly addressed with a new issue, detailing the error and the possible cause.
An extended report of the test results can be attached as a ZIP or TXT file. Please attach any documents, screenshots, or tables to the issue update with the results. This report can be used by the auditors to dig deeper into any possible failures and details.
Checks lists
Conclusions
WIP