
Wazuh 4.3 - SCA policies manual tests - SCA Policy for CIS Apple macOS 12.0 Monterey Benchmark v1.0.0 / @mauromalara #3043

Closed
mauromalara opened this issue Jun 29, 2022 · 10 comments

mauromalara commented Jun 29, 2022

Related Issue
wazuh/wazuh#12883

Description

macOS 12.0 Monterey SCA policies have been updated wazuh/wazuh#12883. On this account, It is necessary to ensure that these policies fit with the CIS Apple macOS 12.0 Monterey Benchmark v1.0.0. Also, manual testing for the used SCA rules is required, ensuring the proposed rules work as expected.

Tests

For each check in the SCA policy checks:

  • The title, description, rationale, remediation, and compliance must correspond to the ones in the check of the corresponding CIS benchmark file found in https://downloads.cisecurity.org/#/.
  • The check command found in the CIS benchmark file should work as expected and must match the rule specified in the check of the yml file.

The installers must also be tested:

  • Check the scan is executed automatically when installing.
  • Check the scan result.

Checks

Checks design

Check ID Check Category Description ID/Title/Description/Rationale Remediation Compliance Rules Artifact
id Category Description Artifact

All test results must have one of the following statuses:

🟢 All checks passed.
🔴 There is at least one failed result.
🟡 There is at least one expected failure or skipped test and no failures.
Not done yet

Any failing test must be properly addressed with a new issue, detailing the error and the possible cause.

An extended report of the test results can be attached as a ZIP or TXT file. Please attach any documents, screenshots, or tables to the issue update with the results. This report can be used by the auditors to dig deeper into any possible failures and details.

Checks lists

Conclusions

WIP

mauromalara commented Jun 29, 2022

Task: Global checks 🟢

Package S3 path: warehouse-pullrequests > 4.3 > macos
Package reference: 0.commit52994d4
Installer use `cis_apple_macOS_12.0.yml` policy 🟢
# ls /Library/Ossec/ruleset/sca/
cis_apple_macOS_12.0.yml
# pkill modulesd; /Library/Ossec/bin/wazuh-modulesd -fdd 2>&1 | grep 'sca\['
2022/06/29 23:53:01 sca[4305] wm_sca.c:141 at wm_sca_main(): INFO: Module started.
2022/06/29 23:53:01 sca[4305] wm_sca.c:180 at wm_sca_main(): INFO: Loaded policy '/Library/Ossec/ruleset/sca/cis_apple_macOS_12.0.yml'
Check IDs are consistent 🟢
  • I created the following script in Python to check it:
import yaml
import numpy

def check_consecutive(check_ids):
    # For n IDs there are n-1 gaps between sorted neighbours; every gap must be
    # exactly 1, so any hole or duplicate ID makes the count fall short of n-1.
    n = len(check_ids) - 1
    return (sum(numpy.diff(sorted(check_ids)) == 1) >= n)

# Load the policy file and collect the numeric 'id' of every check in it.
with open('./cis_apple_macOS_12.0.yml', 'r') as policy_yaml:
    check_ids = [check['id'] for check in yaml.safe_load(policy_yaml)['checks']]
    print(check_consecutive(check_ids))

mauromalara commented Jun 29, 2022

Task: Checks summary 🔴

Summary table
Check ID Description ID/Title/Description/Rationale Remediation Compliance Rules Artifact
1 Install Updates, Patches and Additional Security Software
1.1 Ensure All Apple-provided Software Is Current (Automated) 🟢 🟢 🟢 🟢 🟡 - Dashboard screenshot
1.2 Ensure Auto Update Is Enabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
1.3 Ensure Download New Updates When Available is Enabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
1.4 Ensure Installation of App Update Is Enabled (Automated) 🟢 🔴 🟢 🟢 🟢 Dashboard screenshot
1.5 Ensure System Data Files and Security Updates Are Downloaded Automatically Is Enabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
1.6 Ensure Install of macOS Updates Is Enabled 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2 System Preferences
2.1 Bluetooth
2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired (Automated) 🟢 🔴 🟢 🟢 🟢 Dashboard screenshot
2.1.2 Ensure Show Bluetooth Status in Menu Bar Is Enabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.2 Date & Time
2.2.1 Ensure "Set time and date automatically" Is Enabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.2.2 Ensure time set is within appropriate limits (Automated) 🟢 🟢 🟢 🔴 🟢 Dashboard screenshot
2.3 Desktop & Screen Saver
2.3.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (Automated) 🟢 🔴 🟢 🔴 🟢 Dashboard screenshot
2.3.2 Ensure Screen Saver Corners Are Secure (Automated) 🟢 🟢 🟢 🟡 🟢 Dashboard screenshot
2.4 Sharing
2.4.1 Ensure Remote Apple Events Is Disabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.4.2 Ensure Internet Sharing Is Disabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.4.3 Ensure Screen Sharing Is Disabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.4.4 Ensure Printer Sharing Is Disabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.4.5 Ensure Remote Login Is Disabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.4.6 Ensure DVD or CD Sharing Is Disabled (Automated) 🔴 🟢 🟢 🟢 🟢 Dashboard screenshot
2.4.7 Ensure Bluetooth Sharing Is Disabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.4.8 Ensure File Sharing Is Disabled (Automated) 🟢 🟢 🟢 🔴 🟢 Dashboard screenshot
2.4.9 Ensure Remote Management Is Disabled (Automated) 🟢 🔴 🟢 🟢 🟢 Dashboard screenshot
2.4.10 Ensure Content Caching Is Disabled (Automated) 🟢 🔴 🟢 🟢 🟢 Dashboard screenshot
2.4.11 Ensure AirDrop Is Disabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.4.12 Ensure Media Sharing Is Disabled (Automated) 🔴 🔴 🟢 🟢 🟢 Dashboard screenshot
2.5 Security & Privacy
2.5.1 Encryption
2.5.1.1 Ensure FileVault Is Enabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.5.2 Firewall
2.5.2.1 Ensure Gatekeeper is Enabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.5.2.2 Ensure Firewall Is Enabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.5.2.3 Ensure Firewall Stealth Mode Is Enabled (Automated) 🟢 🔴 🟢 🟢 🟢 Dashboard screenshot
2.5.3 Ensure Location Services Is Enabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.5.5 Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.7 Time Machine
2.7.1 Ensure Backup Up Automatically is Enabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.8 Ensure Wake for Network Access Is Disabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.9 Ensure Power Nap Is Disabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.10 Ensure Secure Keyboard Entry terminal.app is Enabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
2.11 Ensure EFI Version Is Valid and Checked Regularly (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
3 Logging and Auditing
3.1 Ensure Security Auditing Is Enabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
3.5 Ensure Access to Audit Records Is Controlled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
3.6 Ensure Firewall Logging Is Enabled and Configured (Automated) 🟢 🔴 🟢 🟢 🟢 Dashboard screenshot
4 Network Configurations
4.1 Ensure Bonjour Advertising Services Is Disabled (Automated) 🔴 🟢 🟢 🟢 🟢 Dashboard screenshot
4.4 Ensure HTTP Server Is Disabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
4.5 Ensure NFS Server Is Disabled (Automated) 🟢 🟢 🟢 🔴 🟢 Dashboard screenshot
5 System Access, Authentication and Authorization
5.1 File System Permissions and Access Controls
5.1.2 Ensure System Integrity Protection Status (SIPS) Is Enabled (Automated) 🟢 🔴 🟢 🟢 🟢 Dashboard screenshot
5.1.3 Ensure Apple Mobile File Integrity Is Enabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
5.1.4 Ensure Library Validation Is Enabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
5.1.5 Ensure Sealed System Volume (SSV) Is Enabled (Automated) 🟢 🔴 🟢 🟢 🟢 Dashboard screenshot
5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications (Automated) 🔴 🟢 🟢 🟢 🟢 Dashboard screenshot
5.1.7 Ensure No World Writable Files Exist in the System Folder (Automated) 🔴 🟢 🟢 🟢 🟢 Dashboard screenshot
5.1.8 Ensure No World Writable Files Exist in the Library Folder (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
5.3 Ensure the Sudo Timeout Period Is Set to Zero (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
5.4 Ensure a Separate Timestamp Is Enabled for Each User/tty Combo (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
5.6 Ensure the "root" Account Is Disabled (Automated) 🟢 🔴 🟢 🟢 🟢 Dashboard screenshot
5.7 Ensure Automatic Login Is Disabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
5.10 Require an administrator password to access system-wide preferences (Automated) 🟢 🔴 🟢 🟢 🟢 Dashboard screenshot
5.11 Ensure an administrator account cannot login to another user's active and locked session (Automated) 🟢 🟢 🔴 🟢 🟢 Dashboard screenshot
5.12 Ensure a Custom Message for the Login Screen Is Enabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
5.13 Ensure a Login Window Banner Exists (Automated) 🟢 🟢 🔴 🟢 🟢 Dashboard screenshot
5.15 Ensure Fast User Switching Is Disabled (Manual) 🔴 🟢 🟢 🟢 🟢 Dashboard screenshot
6 User Accounts and Environment
6.1 Accounts Preferences Action Items
6.1.1 Ensure Login Window Displays as Name and Password Is Enabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
6.1.2 Ensure Show Password Hints Is Disabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
6.1.3 Ensure Guest Account Is Disabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
6.1.4 Ensure Guest Access to Shared Folders Is Disabled (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
6.1.5 Ensure the Guest Home Folder Does Not Exist (Automated) 🟢 🟢 🟢 🟢 🟢 Dashboard screenshot
6.2 Ensure Show All Filename Extensions Setting is Enabled (Automated) 🟢 🔴 🟢 🟢 🟢 Dashboard screenshot
6.3 Ensure Automatic Opening of Safe Files in Safari Is Disabled (Automated) 🟢 🔴 🟢 🟢 🟢 Dashboard screenshot
SCA Scan results

SCA_scan_results

CSV with the scan results

cis_apple_macos_12.x.csv

mauromalara commented Jun 30, 2022

1 Install Updates, Patches and Additional Security Software

1.1 Ensure All Apple-provided Software Is Current. 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# softwareupdate -l
Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: Command Line Tools for Xcode-13.2
        Title: Command Line Tools for Xcode, Version: 13.2, Size: 577329K, Recommended: YES,
* Label: Command Line Tools for Xcode-13.3
        Title: Command Line Tools for Xcode, Version: 13.3, Size: 718145K, Recommended: YES,
* Label: Command Line Tools for Xcode-13.4
        Title: Command Line Tools for Xcode, Version: 13.4, Size: 705462K, Recommended: YES,
* Label: macOS Monterey 12.4-21F79
        Title: macOS Monterey 12.4, Version: 12.4, Size: 4431197K, Recommended: YES, Action: restart,
Check event (expected result: FAIL) 🟢
{"type":"check","id":333955627,"policy":"CIS Apple macOS 12.0 Monterey Benchmark","policy_id":"cis_apple_macos_12.x","check":{"id":29000,"title":"Ensure All Apple-provided Software Is Current.","description":"Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update.","rationale":"It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities.","remediation":"1. In Terminal, run the following command to verify what packages need to be installed: sudo softwareupdate -l. 2.1. In Terminal, run the following command to install all the packages that need to be updated: sudo software -i -a -R. 2.2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename'","compliance":{"cis":"1.1","cis_level":"1"},"rules":["c:softwareupdate -l -> r:No new software available"],"condition":"all","command":"softwareupdate -l","result":"failed"}}
1.2 Ensure Auto Update Is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled
0
Check event (expected result: FAILED) 🟢
2022/07/01 18:35:43 sca[26892] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29001; Result: 'failed'
1.3 Ensure Download New Updates When Available is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload
0

sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep AutomaticDownload
Check event (expected result: FAILED) 🟢
2022/07/01 18:49:05 sca[26990] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29002; Result: 'failed'
1.4 Ensure Installation of App Update Is Enabled 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation: 🔴 (here there is a typing mistake: '-' is separated from 'bool')
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.commerce AutoUpdate
0
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep AutomaticallyInstallAppUpdates
Check event (expected result: FAILED) 🟢
2022/07/01 19:16:01 sca[27200] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29003; Result: 'failed'
1.5 Ensure System Data Files and Security Updates Are Downloaded Automatically Is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall
0
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall
0
Check event (expected result: FAILED) 🟢
2022/07/01 19:24:29 sca[27313] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29004; Result: 'failed'
1.6 Ensure Install of macOS Updates Is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates
0
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep AutomaticallyInstallMacOSUpdates
Check event (expected result: FAILED) 🟢
2022/07/01 19:27:09 sca[27357] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29005; Result: 'failed'

@mauromalara

2 System Preferences

2.1 Bluetooth

2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation: 🔴 (here the command is different from the one proposed in the benchmark)
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState
2022-07-01 19:30:29.862 defaults[27405:718269]
The domain/default pair of (/Library/Preferences/com.apple.Bluetooth, ControllerPowerState) does not exist
sh-3.2# sudo /usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | grep -m1 'Connected: Yes'
Check event (expected result: FAILED) 🟢
2022/07/01 19:33:44 sca[27454] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29006; Result: 'failed'
2.1.2 Ensure Show Bluetooth Status in Menu Bar Is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo -u vagrant defaults -currentHost read com.apple.controlcenter.plist Bluetooth
2022-07-01 19:35:57.668 defaults[27494:719851]
The domain/default pair of (com.apple.controlcenter.plist, Bluetooth) does not exist
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep 'Bluetooth = 18'
Check event (expected result: FAILED) 🟢
2022/07/01 19:37:26 sca[27515] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29007; Result: 'failed'

2.2 Date & Time

2.2.1 Ensure "Set time and date automatically" Is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/sbin/systemsetup -getusingnetworktime
Network Time: On
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep forceAutomaticDateAndTime
Check event (expected result: PASSED) 🟢
2022/07/01 19:40:28 sca[27557] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29008; Result: 'passed'
2.2.2 Ensure time set is within appropriate limits 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo systemsetup -getnetworktimeserver
Network Time Server: time.euro.apple.com
sh-3.2# sudo sntp time.euro.apple.com | grep +/-
+0.083240 +/- 0.040415 time.euro.apple.com 17.253.108.253

reason: Apparently the check fails because it used a fixed time server (c:sh -c "sntp time.apple.com < here)

Check event (expected result: PASSED) 🔴
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29009; Result: 'failed'

2.3 Desktop & Screen Saver

2.3.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🔴 (here the remediation is incomplete and there is a typing mistake: '.. of the screen saver to...', it should be: '.. of the screen saver is set to...')
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢

Note: The script 2.3.1.sh has the same content as the one proposed in CIS benchmark.

sh-3.2# bash 2.3.1.sh
Checking User: '/Users/vagrant': 2022-07-01 20:15:50.813 defaults[28765:731214]
The domain/default pair of (/Users/vagrant/Library/Preferences/ByHost/com.apple.screensaver.54F743D0-8842-8F48-A6E5-EC6BFA292CEA.plist, idleTime) does not exist
sh-3.2# sudo /usr/bin/defaults -currentHost read com.apple.screensaver idleTime
2022-07-01 20:32:59.214 defaults[28887:735145]
The domain/default pair of (com.apple.screensaver, idleTime) does not exist
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep idleTime

reason: The expected output of the rule should not be 'does not exist' (here); this (apparently) causes the rule to pass and, as the condition is 'any', the check to pass as well. The CIS benchmark says: "Note: If the output of the script includes The domain/default pair of (com.apple.screensaver, idleTime) does not exist for any user, then the setting has not been changed from the default. Follow the remediation instructions to set the idle time to match your organization's policy."

Check event (expected result: FAILED) 🔴
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29010; Result: 'passed'
2.3.2 Ensure Screen Saver Corners Are Secure 🟡
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo -u vagrant /usr/bin/defaults read com.apple.dock wvous-tl-corner
2022-07-01 20:34:54.480 defaults[28910:735568]
The domain/default pair of (com.apple.dock, wvous-tl-corner) does not exist
sh-3.2# sudo -u vagrant /usr/bin/defaults read com.apple.dock wvous-bl-corner
2022-07-01 20:35:59.848 defaults[28917:735811]
The domain/default pair of (com.apple.dock, wvous-bl-corner) does not exist
sh-3.2# sudo -u vagrant /usr/bin/defaults read com.apple.dock wvous-tr-corner
2022-07-01 20:36:08.139 defaults[28922:735896]
The domain/default pair of (com.apple.dock, wvous-tr-corner) does not exist
sh-3.2# sudo -u vagrant /usr/bin/defaults read com.apple.dock wvous-br-corner
14

sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-bl-corner
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-br-corner
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-tl-corner
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-tr-corner
Check event (expected result: PASSED) 🟡
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29011; Result: 'passed'

WARNING Reason: some rules are absent:

$ sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-bl-corner
$ sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-br-corner
$ sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-tl-corner
$ sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep wvous-tr-corner

2.4 Sharing

2.4.1 Ensure Remote Apple Events Is Disabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/sbin/systemsetup -getremoteappleevents
Remote Apple Events: Off
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29012; Result: 'passed'
2.4.2 Ensure Internet Sharing Is Disabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo defaults read /Library/Preferences/SystemConfiguration/com.apple.nat | grep -i Enabled
2022-07-01 20:47:27.243 defaults[29013:738401]
Domain /Library/Preferences/SystemConfiguration/com.apple.nat does not exist

sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep forceInternetSharingOff
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29013; Result: 'passed'
2.4.3 Ensure Screen Sharing Is Disabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo launchctl print-disabled system | grep -c '"com.apple.screensharing" => true'
0
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29014; Result: 'failed'
2.4.4 Ensure Printer Sharing Is Disabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo cupsctl | grep _share_printers | cut -d'=' -f2
0
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29015; Result: 'passed'
2.4.5 Ensure Remote Login Is Disabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo systemsetup -getremotelogin
Remote Login: On
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29016; Result: 'failed'
2.4.6 Ensure DVD or CD Sharing Is Disabled 🔴
  • title 🟢
  • description 🟢
  • rationale 🔴 (here rationale is not the same as the benchmark)
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo launchctl print-disabled system | grep -c '"com.apple.ODSAgent" => true'
0
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29017; Result: 'failed'
2.4.7 Ensure Bluetooth Sharing Is Disabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo -u vagrant /usr/bin/defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled
2022-07-01 21:22:10.910 defaults[29263:746136]
The domain/default pair of (com.apple.Bluetooth, PrefKeyServicesEnabled) does not exist

sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep "PrefKeyServicesEnabled"
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29018; Result: 'failed'
2.4.8 Ensure File Sharing Is Disabled 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo launchctl print-disabled system | grep -c '"com.apple.smbd" => true'
0
Check event (expected result: FAILED) 🔴
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29019; Result: 'passed'

reason: The check was supposed to fail, but the result was "passed". When you enable File Sharing the result is 0 (I mean 0 = enabled, 1 = disabled):

sh-3.2# sudo launchctl enable system/com.apple.smbd
sh-3.2# sudo launchctl print-disabled system | grep -c '"com.apple.smbd" => true'
0
2.4.9 Ensure Remote Management Is Disabled 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🔴 (here there is an extra space before '/kickstart')
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo ps -ef | grep -e ARDAgent
  501 16092     1   0 11:00PM ??         0:00.23 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
    0 29359 24454   0  9:36PM ttys000    0:00.01 grep -e ARDAgent
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29020; Result: 'failed'
2.4.10 Ensure Content Caching Is Disabled 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🔴 (here there is a typing mistake: '...command in to...' should be: '...command in Terminal...')
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.AssetCache.plist Activated
0
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep allowContentCaching
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29021; Result: 'failed'
2.4.11 Ensure AirDrop Is Disabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo -u vagrant /usr/bin/defaults read com.apple.NetworkBrowser DisableAirDrop
2022-07-01 21:52:42.032 defaults[29472:752801]
The domain/default pair of (com.apple.NetworkBrowser, DisableAirDrop) does not exist
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep DisableAirDrop
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29022; Result: 'failed'
2.4.12 Ensure Media Sharing Is Disabled 🔴
  • title 🔴 (here the title is incorrect)
  • description 🟢
  • rationale 🟢
  • remediation 🔴 (here there is an extra '- ' before 'enabled' in the command)
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo -u vagrant defaults read com.apple.amp.mediasharingd home-sharing-enabled
0
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep homeSharingUIStatus
sh-3.2#  sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep legacySharingUIStatus
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep mediaSharingUIStatus
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29023; Result: 'passed'

2.5 Security & Privacy

2.5.1 Encryption

2.5.1.1 Ensure FileVault Is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo fdesetup status
FileVault is Off.
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29024; Result: 'failed'

2.5.2 Firewall

2.5.2.1 Ensure Gatekeeper is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/sbin/spctl --status
assessments enabled
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep AllowIdentifiedDevelopers
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep EnableAssessment
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29025; Result: 'passed'
2.5.2.2 Ensure Firewall Is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate
0
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep EnableFirewall
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29026; Result: 'failed'
2.5.2.3 Ensure Firewall Stealth Mode Is Enabled 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🔴 (here there is an extra ':' before sudo)
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/sbin/system_profiler SPFirewallDataType | /usr/bin/grep "Stealth Mode: Yes" | /usr/bin/awk -F ": " '{print $2}' | /usr/bin/xargs
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep EnableStealthMode
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29027; Result: 'failed'
2.5.3 Ensure Location Services Is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo launchctl list | grep -c com.apple.locationd
1
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29028; Result: 'passed'
2.5.5 Ensure Sending Diagnostic and Usage Data to Apple Is Disabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit
0
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep allowDiagnosticSubmission
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29029; Result: 'passed'

2.7 Time Machine

2.7.1 Ensure Backup Up Automatically is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.TimeMachine.plist AutoBackup
2022-07-01 22:35:41.949 defaults[29879:763436]
The domain/default pair of (/Library/Preferences/com.apple.TimeMachine.plist, AutoBackup) does not exist
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep "AutoBackup"
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29030; Result: 'failed'
2.8 Ensure Wake for Network Access Is Disabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo pmset -g | grep -e womp
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29031; Result: 'failed'
2.9 Ensure Power Nap Is Disabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo pmset -g everything | grep -c 'powernap 1'
0
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29032; Result: 'passed'
2.10 Ensure Secure Keyboard Entry terminal.app is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo -u vagrant /usr/bin/defaults read -app Terminal SecureKeyboardEntry
0
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep SecureKeyboardEntry
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29033; Result: 'failed'
2.11 Ensure EFI Version Is Valid and Checked Regularly 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check
ReadBinaryFromKernel: No matching services found. Either this system is not supported by eficheck, or you need to re-load the kext
IntegrityCheck: couldn't get EFI contents from kext
sh-3.2# sudo system_profiler SPiBridgeDataType | grep "T2"
sh-3.2# sudo launchctl list | grep com.apple.driver.eficheck
-       0       com.apple.driver.eficheck
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29034; Result: 'passed'

@mauromalara

3 Logging and Auditing

3.1 Ensure Security Auditing Is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo launchctl list | grep -i auditd
132     0       com.apple.auditd
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29035; Result: 'passed'
3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo grep -i ttl /etc/asl/com.apple.install
sh-3.2# sudo grep -i all_max= /etc/asl/com.apple.install
* file /var/log/install.log format='$((Time)(JZ)) $Host $(Sender)[$(PID)]: $Message' rotate=seq compress file_max=50M all_max=150M size_only
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29036; Result: 'failed'
3.5 Ensure Access to Audit Records Is Controlled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo ls -le /etc/security/audit_control
-r--  1 root  wheel  358 Oct 18  2021 /etc/security/audit_control
sh-3.2# sudo ls -le /var/audit/
total 1072
-r--r--  1 root  wheel  240451 Nov 17  2021 20211117094230.crash_recovery
-r--r--  1 root  wheel  112746 Nov 17  2021 20211117104632.crash_recovery
-r--r--  1 root  wheel   10976 Nov 17  2021 20211117150859.crash_recovery
-r--r--  1 root  wheel   10407 Nov 22  2021 20211122112057.crash_recovery
-r--r--  1 root  wheel   11947 Nov 22  2021 20211122155115.crash_recovery
-r--r--  1 root  wheel   18669 Nov 23  2021 20211123081323.crash_recovery
-r--r--  1 root  wheel   12768 Nov 23  2021 20211123085337.crash_recovery
-r--r--  1 root  wheel   11793 Nov 23  2021 20211123092331.crash_recovery
-r--r--  1 root  wheel    8442 Nov 23  2021 20211123093436.crash_recovery
-r--r--  1 root  wheel   13573 Nov 23  2021 20211123093755.crash_recovery
-r--r--  1 root  wheel   10253 Nov 23  2021 20211123094231.crash_recovery
-r--r--  1 root  wheel   17682 Nov 23  2021 20211123115708.crash_recovery
-r--r--  1 root  wheel   42738 Jul  1 23:45 20220629151156.not_terminated
lrwxr-xr-x  1 root  wheel      40 Jun 29 17:11 current -> /var/audit/20220629151156.not_terminated
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29037; Result: 'passed'
3.6 Ensure Firewall Logging Is Enabled and Configured 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🔴 (here the last command has an invalid parameter, it is the output of the command itself)
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/sbin/system_profiler SPFirewallDataType | /usr/bin/grep Logging
      Firewall Logging: Yes
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.alf.plist loggingoption
0
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep EnableLogging
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep LoggingOption
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29038; Result: 'failed'

@mauromalara

4 Network Configurations

4.1 Ensure Bonjour Advertising Services Is Disabled 🔴
  • title 🔴 (here the title is not the same as the one in the benchmark)
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements
2022-07-02 00:08:29.241 defaults[30547:784310]
The domain/default pair of (/Library/Preferences/com.apple.mDNSResponder.plist, NoMulticastAdvertisements) does not exist
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep "NoMulticastAdvertisements"
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29039; Result: 'failed'
4.4 Ensure HTTP Server Is Disabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true'
0
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29040; Result: 'failed'
4.5 Ensure NFS Server Is Disabled 🔴
  • title 🟢
  • description 🔴 (here there is a typing mistake: 'end- user' should be 'end-user')
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo launchctl print-disabled system | grep -c '"com.apple.nfsd" => true'
0
sh-3.2# sudo cat /etc/exports
cat: /etc/exports: No such file or directory

reason: Seems that the condition is not set correctly (maybe it should be all not none -- here)

Check event (expected result: FAILED) 🔴
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29041; Result: 'passed'

@mauromalara

5 System Access, Authentication and Authorization

5.1 File System Permissions and Access Controls

5.1.2 Ensure System Integrity Protection Status (SIPS) Is Enabled 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🔴 (here 'Successfully enabled System Integrity Protection....' is the output of the command; the last step does not appear, which is '5. Reboot the computer' regarding the CIS benchmark)
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/csrutil status
System Integrity Protection status: enabled.
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29042; Result: 'passed'
5.1.3 Ensure Apple Mobile File Integrity Is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1"
0
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29043; Result: 'passed'
5.1.4 Ensure Library Validation Is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation
2022-07-02 00:23:11.696 defaults[30697:787862]
The domain/default pair of (/Library/Preferences/com.apple.security.libraryvalidation.plist, DisableLibraryValidation) does not exist
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep DisableLibraryValidation
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29044; Result: 'failed'
5.1.5 Ensure Sealed System Volume (SSV) Is Enabled 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🔴 (here 'Successfully enabled System authenticated root. Restart the machine for the changes to take effect.' is the output of the command)
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/csrutil authenticated-root status
Authenticated Root status: enabled
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29045; Result: 'passed'
5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications 🔴
  • title 🟢
  • description 🔴 (here there is a typing mistake: 'world- writable' should be 'world-writable'; there is an extra space)
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2#  sudo /usr/bin/find /Applications -iname "*.app" -type d -perm -2 -ls
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29046; Result: 'passed'
5.1.7 Ensure No World Writable Files Exist in the System Folder 🔴
  • title 🟢
  • description 🔴 (here there is an extra space in '/System/Volumes/Data/System Directory')
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29047; Result: 'passed'
5.1.8 Ensure No World Writable Files Exist in the Library Folder 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sh -c "find /System/Volumes/Data/Library -type d -perm -2 -ls  2> /dev/null | grep -v 'Caches|Audio'"
 77277        0 drwxrwxrwx    2 _coreaudiod      _coreaudiod            64 Oct 18  2021 /System/Volumes/Data/Library/Preferences/Audio/Data
 81585        0 drwxrwxrwt    6 root             admin                 192 Nov 17  2021 /System/Volumes/Data/Library/Caches
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29048; Result: 'failed'
5.3 Ensure the Sudo Timeout Period Is Set to Zero 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2#  sudo /usr/bin/grep -e "timestamp" /etc/sudoers
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29049; Result: 'failed'
5.4 Ensure a Separate Timestamp Is Enabled for Each User/tty Combo 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/grep -E -s '!tty_tickets' /etc/sudoers /etc/sudoers.d/*
sh-3.2# sudo /usr/bin/grep -E -s 'timestamp_type' /etc/sudoers /etc/sudoers.d/*
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29050; Result: 'passed'
5.6 Ensure the "root" Account Is Disabled 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🔴 (here 'username = root user password: ' is part of the output of the command)
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/dscl . -read /Users/root AuthenticationAuthority
No such key: AuthenticationAuthority
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29051; Result: 'passed'
5.7 Ensure Automatic Login Is Disabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser
vagrant
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep "com.apple.login.mcx.DisableAutoLoginClient"
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29052; Result: 'failed'
5.10 Require an administrator password to access system-wide preferences 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🔴 (here 'YES (0)' is part of the output of the command, but not part of the command itself)
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep false
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29053; Result: 'failed'
5.11 Ensure an administrator account cannot login to another user's active and locked session 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis 🔴 (here the number must be 5.11)
  • cis_level 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c 'use-login-window-ui'
1
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29054; Result: 'passed'
5.12 Ensure a Custom Message for the Login Screen Is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow.plist LoginwindowText
2022-07-02 00:47:01.407 defaults[30947:793716]
The domain/default pair of (/Library/Preferences/com.apple.loginwindow.plist, LoginwindowText) does not exist
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep "LoginwindowText"
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29055; Result: 'failed'
5.13 Ensure a Login Window Banner Exists 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis 🟢
  • cis_level 🔴 (here the level is incorrect)
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /bin/cat /Library/Security/PolicyBanner.*
cat: /Library/Security/PolicyBanner.*: No such file or directory
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29056; Result: 'failed'
5.15 Ensure Fast User Switching Is Disabled 🔴
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • title 🔴 (here the title is not the same as the one in CIS benchmark)
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/.GlobalPreferences.plist MultipleSessionEnabled
1
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep MultipleSessionEnabled
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29057; Result: 'failed'

@mauromalara

6 User Accounts and Environment

6.1 Accounts Preferences Action Items

6.1.1 Ensure Login Window Displays as Name and Password Is Enabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME
0
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep 'SHOWFULLNAME'
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29058; Result: 'failed'
6.1.2 Ensure Show Password Hints Is Disabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint
3
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep 'RetriesUntilHint'
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29059; Result: 'failed'
6.1.3 Ensure Guest Account Is Disabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled
0
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep 'DisableGuestAccount'
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep 'DisableGuestAccount'
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29060; Result: 'passed'
6.1.4 Ensure Guest Access to Shared Folders Is Disabled 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess
2022-07-04 16:45:10.028 defaults[2519:16290]
The domain/default pair of (/Library/Preferences/SystemConfiguration/com.apple.smb.server, AllowGuestAccess) does not exist
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep AllowGuestAccess
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29061; Result: 'passed'
6.1.5 Ensure the Guest Home Folder Does Not Exist 🟢
  • title 🟢
  • description 🟢
  • rationale 🟢
  • remediation 🟢
  • cis_level 🟢
  • cis 🟢
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo /bin/ls /Users/ | /usr/bin/grep Guest
Check event (expected result: PASSED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29062; Result: 'passed'
6.2 Ensure Show All Filename Extensions Setting is Enabled 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • cis_level 🟢
  • cis 🟢
  • remediation 🔴 (here the command is different from the one in the benchmark)
  • rule: ⬇️
Execution 🟢
sh-3.2# sudo -u vagrant /usr/bin/defaults read /Users/vagrant/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions
2022-07-04 16:49:28.073 defaults[2640:17521]
The domain/default pair of (/Users/vagrant/Library/Preferences/.GlobalPreferences.plist, AppleShowAllExtensions) does not exist
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29063; Result: 'failed'
6.3 Ensure Automatic Opening of Safe Files in Safari Is Disabled 🔴
  • title 🟢
  • description 🟢
  • rationale 🟢
  • cis_level 🟢
  • cis 🟢
  • remediation 🔴 (here there is an extra space in the command ‘…Library/Preference s…’)
  • rule: ⬇️
Execution 🟢
sh-3.2#  sudo -u vagrant /usr/bin/defaults read /Users/vagrant/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads
2022-07-04 16:52:52.440 defaults[2736:18441]
The domain/default pair of (/Users/vagrant/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari, AutoOpenSafeDownloads) does not exist
sh-3.2# sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep AutoOpenSafeDownloads
Check event (expected result: FAILED) 🟢
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29064; Result: 'failed'

@mauromalara

mauromalara commented Jul 4, 2022

1.1 Ensure All Apple-provided Software Is Current: Dashboard screenshot 🟡

Screenshot (image attachment: dashboard result for check 1.1)

Initially, the result was Failed (as you can see in this comment), but after connecting the agent with another manager the result was Not Applicable. So, I have attached the SCA output in debug mode: sca_output.txt

The first result was:

{"type":"check","id":333955627,"policy":"CIS Apple macOS 12.0 Monterey Benchmark","policy_id":"cis_apple_macos_12.x","check":{"id":29000,"title":"Ensure All Apple-provided Software Is Current.","description":"Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update.","rationale":"It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities.","remediation":"1. In Terminal, run the following command to verify what packages need to be installed: sudo softwareupdate -l. 2.1. In Terminal, run the following command to install all the packages that need to be updated: sudo software -i -a -R. 2.2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename'","compliance":{"cis":"1.1","cis_level":"1"},"rules":["c:softwareupdate -l -> r:No new software available"],"condition":"all","command":"softwareupdate -l","result":"failed"}}
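Added example (not part of this issue or of the Wazuh code base): a Python script that cross-checks the `Result:` values in the wm_sca debug lines quoted in this report against the results expected from the manual CIS command runs, and simulates how a check's `condition` (all / any / none) combines `c:<command> -> r:<regex>` rule matches against canned command output. The log excerpt and expected-result table are constructed from entries above; the rule semantics are my simplified reading of the SCA rule syntax, and the NFS rule is hypothetical, since the policy's real 4.5 rule is not on this page.

```python
import re

# Constructed excerpt of the wm_sca debug output quoted in this report.
SCA_DEBUG_LOG = """\
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29040; Result: 'failed'
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29041; Result: 'passed'
2022/07/01 19:42:31 sca[27579] wm_sca.c:2805 at wm_sca_hash_integrity(): DEBUG: ID: 29042; Result: 'passed'
"""

# Expected results recorded while running the CIS audit commands by hand
# (constructed from the 4.4, 4.5 and 5.1.2 entries of this report).
EXPECTED_RESULTS = {29040: "failed", 29041: "failed", 29042: "passed"}

LOG_RE = re.compile(r"DEBUG: ID: (\d+); Result: '(passed|failed|not applicable)'")
RULE_RE = re.compile(r"^(not )?c:(.+?) -> r:(.+)$")


def parse_sca_results(log_text):
    """Map check ID -> result from wm_sca debug lines; other lines are ignored."""
    results = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            results[int(m.group(1))] = m.group(2)
    return results


def find_mismatches(expected, actual):
    """Return {check_id: (expected, actual)} for every disagreement."""
    return {cid: (exp, actual.get(cid))
            for cid, exp in expected.items() if actual.get(cid) != exp}


def rule_matches(rule, command_outputs):
    """Evaluate one 'c:<command> -> r:<regex>' rule against canned output.

    Assumed semantics (simplified from the Wazuh SCA docs): the rule matches
    when any output line matches the regex; a leading 'not ' inverts that.
    """
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    negated, command, pattern = bool(m.group(1)), m.group(2), m.group(3)
    lines = command_outputs.get(command, "").splitlines()
    found = any(re.search(pattern, line) for line in lines)
    return found != negated


def evaluate_check(rules, condition, command_outputs):
    """Combine rule matches under the check's condition (all / any / none)."""
    hits = [rule_matches(r, command_outputs) for r in rules]
    if condition == "all":
        ok = all(hits)
    elif condition == "any":
        ok = any(hits)
    elif condition == "none":
        ok = not any(hits)
    else:
        raise ValueError(f"unknown condition: {condition}")
    return "passed" if ok else "failed"


# Check 1.1 exactly as quoted in the JSON event above.
SOFTWARE_UPDATE_RULES = ["c:softwareupdate -l -> r:No new software available"]

# Hypothetical NFS rule (the policy's real rule is not on this page). The
# command printed 0 on the test host, so the expected outcome is 'failed'.
NFS_CMD = "launchctl print-disabled system | grep -c '\"com.apple.nfsd\" => true'"
NFS_RULES = [f"c:{NFS_CMD} -> r:^1$"]


if __name__ == "__main__":
    actual = parse_sca_results(SCA_DEBUG_LOG)
    print("mismatches:", find_mismatches(EXPECTED_RESULTS, actual))
    print("1.1 up to date:", evaluate_check(
        SOFTWARE_UPDATE_RULES, "all", {"softwareupdate -l": "No new software available."}))
    # Same rule, same output: 'none' flips the verdict, which is the 4.5 symptom.
    for cond in ("all", "none"):
        print(f"4.5 with condition={cond}:",
              evaluate_check(NFS_RULES, cond, {NFS_CMD: "0"}))
```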

@mauromalara

mauromalara commented Jul 13, 2022

Update: 13/07/2022

Checks review (Conclusion: All changes were applied correctly. 🟢)

All changes were reviewed with @72nomada.

1.1 Ensure All Apple-provided Software Is Current (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

1.4 Ensure Installation of App Update Is Enabled (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

2.2.2 Ensure time set is within appropriate limits (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

2.3.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

2.3.2 Ensure Screen Saver Corners Are Secure (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

2.4.6 Ensure DVD or CD Sharing Is Disabled (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

2.4.8 Ensure File Sharing Is Disabled (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

2.4.9 Ensure Remote Management Is Disabled (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

2.4.10 Ensure Remote Management Is Disabled (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

2.4.12 Ensure Media Sharing Is Disabled (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

2.5.2.3 Ensure Firewall Stealth Mode Is Enabled (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

3.6 Ensure Firewall Logging Is Enabled and Configured (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

4.1 Ensure Bonjour Advertising Services Is Disabled (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

4.5 Ensure NFS Server Is Disabled (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

5.1.2 Ensure System Integrity Protection Status (SIPS) Is Enabled (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

5.1.5 Ensure Sealed System Volume (SSV) Is Enabled (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

5.1.7 Ensure No World Writable Files Exist in the System Folder (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

5.6 Ensure the "root" Account Is Disabled (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

5.10 Require an administrator password to access system-wide preferences (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

5.11 Ensure an administrator account cannot login to another user's active and locked session (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

5.13 Ensure a Login Window Banner Exists (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

5.15 Ensure Fast User Switching Is Disabled (Manual)

  • Fixed
  • Won't be fixed
  • Misinformed

6.2 Ensure Show All Filename Extensions Setting is Enabled (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed

6.3 Ensure Automatic Opening of Safe Files in Safari Is Disabled (Automated)

  • Fixed
  • Won't be fixed
  • Misinformed
