From 03347920e315e66b26237893f235b520562efd3b Mon Sep 17 00:00:00 2001 From: Tony Young Date: Thu, 21 May 2026 21:25:09 +0000 Subject: [PATCH 1/3] Align CIS baseline with CIS macOS 26 Tahoe v1.1.0 (draft) - system_settings_hot_corners_secure: CIS 2.7.1 moved Level 2 -> Level 1; update benchmark ref and add cis_lvl1 tag; add rule to cis_lvl1 baseline - audit_retention_configure: CIS 3.4 lower retention ODV from '60d OR 5G' to '30d' - supplemental_cis_manual: track 5.3.1, 5.3.2, 5.3.3 as manual (CIS marks them Automated but provides no automatable remediation) - system_settings_guest_access_smb_disable: CIS 2.13.2 update check to 'sysadminctl -smbGuestAccess status' matching 'SMB guest access disabled'; fix unchanged - mscp-data: bump cis_lvl1/cis_lvl2 titles from v1.0.0 to v1.1.0 --- baselines/cis_lvl1.yaml | 1 + includes/mscp-data.yaml | 4 ++-- rules/audit/audit_retention_configure.yaml | 4 ++-- rules/supplemental/supplemental_cis_manual.yaml | 5 +++-- .../system_settings_guest_access_smb_disable.yaml | 4 ++-- .../system_settings/system_settings_hot_corners_secure.yaml | 3 ++- 6 files changed, 12 insertions(+), 9 deletions(-) diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml index aee5e1378..4ee65dbdb 100644 --- a/baselines/cis_lvl1.yaml +++ b/baselines/cis_lvl1.yaml @@ -87,6 +87,7 @@ profile: - system_settings_firewall_stealth_mode_enable - system_settings_guest_access_smb_disable - system_settings_guest_account_disable + - system_settings_hot_corners_secure - system_settings_improve_assistive_voice_disable - system_settings_improve_search_disable - system_settings_improve_siri_dictation_disable diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml index 53686bdae..9f098c9b3 100644 --- a/includes/mscp-data.yaml +++ b/includes/mscp-data.yaml 
@@ -97,8 +97,8 @@ titles: 800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact 800-53r5_low: NIST SP 800-53 Rev 5 Low Impact 800-171: NIST 800-171 Rev 3 - cis_lvl1: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1) - cis_lvl2: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2) + cis_lvl1: CIS Apple macOS 26.0 Tahoe v1.1.0 Benchmark (Level 1) + cis_lvl2: CIS Apple macOS 26.0 Tahoe v1.1.0 Benchmark (Level 2) cmmc_lvl1: US CMMC 2.0 Level 1 cmmc_lvl2: US CMMC 2.0 Level 2 cisv8: CIS Controls Version 8 diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index d23829d89..a148adaa1 100644 --- a/rules/audit/audit_retention_configure.yaml +++ b/rules/audit/audit_retention_configure.yaml @@ -45,8 +45,8 @@ macOS: odv: hint: See man audit_control for possible values. recommended: 7d - cis_lvl1: 60d OR 5G - cis_lvl2: 60d OR 5G + cis_lvl1: 30d + cis_lvl2: 30d stig: 7d nlmapgov_base: 180d nlmapgov_plus: 180d diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index a008640b3..87ea127ce 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml @@ -60,8 +60,9 @@ discussion: | 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured + 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured + 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured + - 5.3.1 Ensure All User Storage APFS Volumes are Encrypted + - 5.3.2 Ensure All User Storage CoreStorage Volumes are Encrypted + + 5.3.1 Ensure All Internal User storage APFS Volumes Are Encrypted + + 5.3.2 Ensure All APFS And HFS+ External User Storage Volumes Are Encrypted + + 5.3.3 Ensure No FAT32 And ExFAT Drives Are Connected |=== [cols="15%h, 85%a"] 
diff --git a/rules/system_settings/system_settings_guest_access_smb_disable.yaml b/rules/system_settings/system_settings_guest_access_smb_disable.yaml index 37b722a7f..ca4fc05be 100644 --- a/rules/system_settings/system_settings_guest_access_smb_disable.yaml +++ b/rules/system_settings/system_settings_guest_access_smb_disable.yaml @@ -5,9 +5,9 @@ discussion: | Turning off guest access prevents anonymous users from accessing files shared via SMB. check: | - /usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess + /usr/sbin/sysadminctl -smbGuestAccess status 2>&1 | /usr/bin/grep -c "SMB guest access disabled" result: - boolean: 0 + integer: 1 fix: | [source,bash] ---- diff --git a/rules/system_settings/system_settings_hot_corners_secure.yaml b/rules/system_settings/system_settings_hot_corners_secure.yaml index c8f55b168..a50824517 100644 --- a/rules/system_settings/system_settings_hot_corners_secure.yaml +++ b/rules/system_settings/system_settings_hot_corners_secure.yaml @@ -49,7 +49,7 @@ references: - 03.01.10 cis: benchmark: - - 2.7.1 (level 2) + - 2.7.1 (level 1) controls v8: - 4.3 cmmc: @@ -57,6 +57,7 @@ references: macOS: - '26.0' tags: + - cis_lvl1 - cis_lvl2 - cisv8 - cnssi-1253_low From 425f5a86677cf77c621e6f3eaa587151ddb62a22 Mon Sep 17 00:00:00 2001 
From: Tony Young Date: Tue, 26 May 2026 10:50:18 -0400 Subject: [PATCH 2/3] Add APFS/HFS encryption and FAT/ExFAT rules Introduce three new OS rules to enforce disk encryption and block insecure filesystems: os_internal_apfs_volumes_encrypted, os_external_apfs_hfs_volumes_encrypted, and os_fat_exfat_volumes_prohibit. Update CIS baselines (cis_lvl1, cis_lvl2, cisv8) to include the new checks where appropriate. Clean up the supplemental CIS manual entries to remove the now-redundant manual checklist lines. New rules include checks, fixes, CIS mappings, macOS 26.0 target, and medium severity metadata. --- baselines/cis_lvl1.yaml | 2 + baselines/cis_lvl2.yaml | 3 ++ baselines/cisv8.yaml | 3 ++ ...s_external_apfs_hfs_volumes_encrypted.yaml | 46 ++++++++++++++++++ rules/os/os_fat_exfat_volumes_prohibit.yaml | 43 +++++++++++++++++ .../os_internal_apfs_volumes_encrypted.yaml | 47 +++++++++++++++++++ .../supplemental/supplemental_cis_manual.yaml | 5 +- 7 files changed, 145 insertions(+), 4 deletions(-) create mode 100644 rules/os/os_external_apfs_hfs_volumes_encrypted.yaml create mode 100644 rules/os/os_fat_exfat_volumes_prohibit.yaml create mode 100644 rules/os/os_internal_apfs_volumes_encrypted.yaml diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml index 4ee65dbdb..372e6b9b3 100644 --- a/baselines/cis_lvl1.yaml +++ b/baselines/cis_lvl1.yaml @@ -34,11 +34,13 @@ profile: - os_anti_virus_installed - os_authenticated_root_enable - os_config_data_install_enforce + - os_external_apfs_hfs_volumes_encrypted - os_gatekeeper_enable - os_guest_folder_removed - os_home_folders_secure - os_httpd_disable - os_install_log_retention_configure + - os_internal_apfs_volumes_encrypted - os_mail_summary_disable - os_mobile_file_integrity_enable - os_nfsd_disable diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml index fd167b2d0..cb7b95fb8 100644 --- a/baselines/cis_lvl2.yaml +++ b/baselines/cis_lvl2.yaml 
@@ -45,11 +45,14 @@ profile: - os_authenticated_root_enable - os_bonjour_disable - os_config_data_install_enforce + - os_external_apfs_hfs_volumes_encrypted + - os_fat_exfat_volumes_prohibit - os_gatekeeper_enable - os_guest_folder_removed - os_home_folders_secure - os_httpd_disable - os_install_log_retention_configure + - os_internal_apfs_volumes_encrypted - os_mail_summary_disable - os_mobile_file_integrity_enable - os_nfsd_disable diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml index 62b3fa977..146acf5be 100644 --- a/baselines/cisv8.yaml +++ b/baselines/cisv8.yaml @@ -74,6 +74,8 @@ profile: - os_dictation_disable - os_directory_services_configured - os_ess_installed + - os_external_apfs_hfs_volumes_encrypted + - os_fat_exfat_volumes_prohibit - os_filevault_autologin_disable - os_gatekeeper_enable - os_handoff_disable @@ -81,6 +83,7 @@ profile: - os_httpd_disable - os_icloud_storage_prompt_disable - os_install_log_retention_configure + - os_internal_apfs_volumes_encrypted - os_iphone_mirroring_disable - os_ir_support_disable - os_library_validation_enabled diff --git a/rules/os/os_external_apfs_hfs_volumes_encrypted.yaml b/rules/os/os_external_apfs_hfs_volumes_encrypted.yaml new file mode 100644 index 000000000..bf8737286 --- /dev/null +++ b/rules/os/os_external_apfs_hfs_volumes_encrypted.yaml 
@@ -0,0 +1,46 @@ +id: os_external_apfs_hfs_volumes_encrypted +title: Ensure All APFS and HFS+ External User Storage Volumes Are Encrypted +discussion: | + All APFS and HFS+ external user storage volumes _MUST_ be encrypted. + + While FileVault protects the boot volume, data may be copied to attached external storage and reduce the protection afforded by FileVault. All external user data volumes (APFS or HFS+) _MUST_ be encrypted to protect user data from loss or tampering. CoreStorage has been deprecated and replaced with APFS for volume encryption. +check: | + /usr/sbin/diskutil list external | /usr/bin/grep -E "APFS Volume|Apple_HFS|Logical Volume" | /usr/bin/awk '{print $NF}' | /usr/bin/xargs -n1 /usr/sbin/diskutil info 2>/dev/null | /usr/bin/awk ' + /FileVault:/{ if ($2=="No") c++ } + END{print c+0}' +result: + integer: 0 +fix: | + Use Disk Utility to erase a user disk and format as APFS (Encrypted). + + NOTE: It is recommended using APFS over HFS+ where possible. If you do need to use an HFS+/CoreStorage external drive for compatibility reasons, you need to format the drive to MacOS Extended (Journaled) (or MacOS Extended (Case-Sensitive, Journaled) if Case-Sensitive is required). +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + cis: + benchmark: + - 5.3.2 (level 1) + controls v8: + - 3.6 + - 3.11 + - 13.6 + - 14.8 +macOS: + - '26.0' +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +severity: medium +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_fat_exfat_volumes_prohibit.yaml b/rules/os/os_fat_exfat_volumes_prohibit.yaml new file mode 100644 index 000000000..f53049a57 --- /dev/null +++ b/rules/os/os_fat_exfat_volumes_prohibit.yaml 
@@ -0,0 +1,43 @@ +id: os_fat_exfat_volumes_prohibit +title: Ensure No FAT32 and ExFAT Drives Are Connected +discussion: | + FAT32 and ExFAT formatted drives _MUST NOT_ be connected to the system. + + FAT32 and ExFAT file systems do not support native volume encryption, so data written to them is not protected at rest. Removable storage is generally formatted as FAT32 or ExFAT for cross-platform use. If the organization has a use for such devices, removable storage _MUST_ only be connected when exporting data and then immediately removed. +check: | + /usr/sbin/diskutil list external | /usr/bin/grep -Ec "DOS_FAT_32|Microsoft Basic Data" +result: + integer: 0 +fix: | + Any FAT32 or ExFAT volumes should not be connected and be removed. + + NOTE: Removable storage is generally formatted in FAT32 or ExFAT that are used by additional devices. If your organization has a use for those devices, removable storage should only be connected when exporting data from them then immediately removed. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + cis: + benchmark: + - 5.3.3 (level 2) + controls v8: + - 3.6 + - 3.11 + - 13.6 + - 14.8 +macOS: + - '26.0' +tags: + - cis_lvl2 + - cisv8 +severity: medium +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_internal_apfs_volumes_encrypted.yaml b/rules/os/os_internal_apfs_volumes_encrypted.yaml new file mode 100644 index 000000000..1151ede43 --- /dev/null +++ b/rules/os/os_internal_apfs_volumes_encrypted.yaml 
@@ -0,0 +1,47 @@ +id: os_internal_apfs_volumes_encrypted +title: Ensure All Internal User Storage APFS Volumes Are Encrypted +discussion: | + All internal user storage APFS volumes _MUST_ be encrypted. + + While FileVault protects the boot volume, data may be copied to other attached internal storage and reduce the protection afforded by FileVault. All internal APFS volumes that carry user data and do not have a specific role (Preboot, Recovery, VM) _MUST_ be encrypted to protect user data from loss or tampering. +check: | + /usr/sbin/diskutil list internal | /usr/bin/grep "APFS Volume" | /usr/bin/awk '{print $NF}' | /usr/bin/xargs -n1 /usr/sbin/diskutil info 2>/dev/null | /usr/bin/awk ' + /Volume Name:/{name=$0} + /FileVault:/{ if ($2=="No" && name !~ /Preboot|Recovery|VM/) c++ } + END{print c+0}' +result: + integer: 0 +fix: | + Use Disk Utility to erase a user disk and format as APFS (Encrypted). + + NOTE: APFS Encrypted disks will be described as "FileVault" whether they are the boot volume or not. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + cis: + benchmark: + - 5.3.1 (level 1) + controls v8: + - 3.6 + - 3.11 + - 13.6 + - 14.8 +macOS: + - '26.0' +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +severity: medium +mobileconfig: false +mobileconfig_info: diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index 87ea127ce..935a7c774 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml 
@@ -59,10 +59,7 @@ discussion: | |5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured + 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured + 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured + - 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured + - 5.3.1 Ensure All Internal User storage APFS Volumes Are Encrypted + - 5.3.2 Ensure All APFS And HFS+ External User Storage Volumes Are Encrypted + - 5.3.3 Ensure No FAT32 And ExFAT Drives Are Connected + 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured |=== [cols="15%h, 85%a"] From 61c5478947c36a08f430d588d328f9869d109d4a Mon Sep 17 00:00:00 2001 From: Tony Young Date: Thu, 4 Jun 2026 13:57:54 -0400 Subject: [PATCH 3/3] Refactor volume encryption checks; remove FAT rule based on Published CIS macOS Tahoe 26 Benchmark 1.1 Make external/internal APFS encryption checks more informative by listing unencrypted volume names and returning a string result ("Yes" when compliant) instead of an integer. Remove the deprecated os_fat_exfat_volumes_prohibit rule and drop it from cis_lvl2 and cisv8 baselines. Exclude /Library/AppStore from the world-writable library folder check to avoid false positives. Update supplemental documentation to note auditing of connected FAT32/ExFAT drives. --- baselines/cis_lvl2.yaml | 1 - baselines/cisv8.yaml | 1 - ...s_external_apfs_hfs_volumes_encrypted.yaml | 18 ++++++-- rules/os/os_fat_exfat_volumes_prohibit.yaml | 43 ------------------- .../os_internal_apfs_volumes_encrypted.yaml | 19 +++++--- ...rld_writable_library_folder_configure.yaml | 2 +- .../supplemental/supplemental_cis_manual.yaml | 3 +- 7 files changed, 31 insertions(+), 56 deletions(-) delete mode 100644 rules/os/os_fat_exfat_volumes_prohibit.yaml diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml index cb7b95fb8..1546d518e 100644 --- a/baselines/cis_lvl2.yaml 
+++ b/baselines/cis_lvl2.yaml @@ -46,7 +46,6 @@ profile: - os_bonjour_disable - os_config_data_install_enforce - os_external_apfs_hfs_volumes_encrypted - - os_fat_exfat_volumes_prohibit - os_gatekeeper_enable - os_guest_folder_removed - os_home_folders_secure diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml index 146acf5be..01924f552 100644 --- a/baselines/cisv8.yaml +++ b/baselines/cisv8.yaml @@ -75,7 +75,6 @@ profile: - os_directory_services_configured - os_ess_installed - os_external_apfs_hfs_volumes_encrypted - - os_fat_exfat_volumes_prohibit - os_filevault_autologin_disable - os_gatekeeper_enable - os_handoff_disable diff --git a/rules/os/os_external_apfs_hfs_volumes_encrypted.yaml b/rules/os/os_external_apfs_hfs_volumes_encrypted.yaml index bf8737286..e1ca14943 100644 --- a/rules/os/os_external_apfs_hfs_volumes_encrypted.yaml +++ b/rules/os/os_external_apfs_hfs_volumes_encrypted.yaml 
@@ -5,11 +5,21 @@ discussion: | While FileVault protects the boot volume, data may be copied to attached external storage and reduce the protection afforded by FileVault. All external user data volumes (APFS or HFS+) _MUST_ be encrypted to protect user data from loss or tampering. CoreStorage has been deprecated and replaced with APFS for volume encryption. check: | - /usr/sbin/diskutil list external | /usr/bin/grep -E "APFS Volume|Apple_HFS|Logical Volume" | /usr/bin/awk '{print $NF}' | /usr/bin/xargs -n1 /usr/sbin/diskutil info 2>/dev/null | /usr/bin/awk ' - /FileVault:/{ if ($2=="No") c++ } - END{print c+0}' + fail=$(/usr/sbin/diskutil list external | /usr/bin/grep -E "APFS Volume|Apple_HFS|Logical Volume" | /usr/bin/awk '{print $NF}' | /usr/bin/xargs -n1 /usr/sbin/diskutil info 2>/dev/null | /usr/bin/awk ' + /Volume Name:/{name=$0; sub(/^[ \t]*Volume Name:[ \t]*/,"",name)} + /FileVault:/{ + if ($2=="No") { + if (list=="") list=name; else list=list ", " name + } + } + END{print list}') + if [ -z "$fail" ]; then + /bin/echo "Yes" + else + /bin/echo "Unencrypted external volumes: $fail" + fi result: - integer: 0 + string: "Yes" fix: | Use Disk Utility to erase a user disk and format as APFS (Encrypted). diff --git a/rules/os/os_fat_exfat_volumes_prohibit.yaml b/rules/os/os_fat_exfat_volumes_prohibit.yaml deleted file mode 100644 index f53049a57..000000000 --- a/rules/os/os_fat_exfat_volumes_prohibit.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -id: os_fat_exfat_volumes_prohibit -title: Ensure No FAT32 and ExFAT Drives Are Connected -discussion: | - FAT32 and ExFAT formatted drives _MUST NOT_ be connected to the system. - - FAT32 and ExFAT file systems do not support native volume encryption, so data written to them is not protected at rest. Removable storage is generally formatted as FAT32 or ExFAT for cross-platform use. If the organization has a use for such devices, removable storage _MUST_ only be connected when exporting data and then immediately removed. -check: | - /usr/sbin/diskutil list external | /usr/bin/grep -Ec "DOS_FAT_32|Microsoft Basic Data" -result: - integer: 0 -fix: | - Any FAT32 or ExFAT volumes should not be connected and be removed. - - NOTE: Removable storage is generally formatted in FAT32 or ExFAT that are used by additional devices. If your organization has a use for those devices, removable storage should only be connected when exporting data from them then immediately removed. -references: - cce: - - N/A - cci: - - N/A - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - N/A - disa_stig: - - N/A - cis: - benchmark: - - 5.3.3 (level 2) - controls v8: - - 3.6 - - 3.11 - - 13.6 - - 14.8 -macOS: - - '26.0' -tags: - - cis_lvl2 - - cisv8 -severity: medium -mobileconfig: false -mobileconfig_info: diff --git a/rules/os/os_internal_apfs_volumes_encrypted.yaml b/rules/os/os_internal_apfs_volumes_encrypted.yaml index 1151ede43..3f767075d 100644 --- a/rules/os/os_internal_apfs_volumes_encrypted.yaml +++ b/rules/os/os_internal_apfs_volumes_encrypted.yaml 
@@ -5,12 +5,21 @@ discussion: | While FileVault protects the boot volume, data may be copied to other attached internal storage and reduce the protection afforded by FileVault. All internal APFS volumes that carry user data and do not have a specific role (Preboot, Recovery, VM) _MUST_ be encrypted to protect user data from loss or tampering. check: | - /usr/sbin/diskutil list internal | /usr/bin/grep "APFS Volume" | /usr/bin/awk '{print $NF}' | /usr/bin/xargs -n1 /usr/sbin/diskutil info 2>/dev/null | /usr/bin/awk ' - /Volume Name:/{name=$0} - /FileVault:/{ if ($2=="No" && name !~ /Preboot|Recovery|VM/) c++ } - END{print c+0}' + fail=$(/usr/sbin/diskutil list internal | /usr/bin/grep "APFS Volume" | /usr/bin/awk '{print $NF}' | /usr/bin/xargs -n1 /usr/sbin/diskutil info 2>/dev/null | /usr/bin/awk ' + /Volume Name:/{name=$0; sub(/^[ \t]*Volume Name:[ \t]*/,"",name)} + /FileVault:/{ + if ($2=="No" && name !~ /^(Preboot|Recovery|VM)$/) { + if (list=="") list=name; else list=list ", " name + } + } + END{print list}') + if [ -z "$fail" ]; then + /bin/echo "Yes" + else + /bin/echo "Unencrypted internal user APFS volumes: $fail" + fi result: - integer: 0 + string: "Yes" fix: | Use Disk Utility to erase a user disk and format as APFS (Encrypted). diff --git a/rules/os/os_world_writable_library_folder_configure.yaml b/rules/os/os_world_writable_library_folder_configure.yaml index 9e6975a61..dc6a823f3 100644 --- a/rules/os/os_world_writable_library_folder_configure.yaml +++ b/rules/os/os_world_writable_library_folder_configure.yaml 
@@ -5,7 +5,7 @@ discussion: | NOTE: Some vendors are known to create world-writable folders to the System Library folder. You may need to add more exclusions to this check and fix to match your environment. check: | - /usr/bin/find /Library -type d -perm -002 ! -perm -1000 ! -xattrname com.apple.rootless 2>/dev/null | /usr/bin/wc -l | /usr/bin/xargs + /usr/bin/find /Library -type d -perm -002 ! -perm -1000 ! -xattrname com.apple.rootless 2>/dev/null | /usr/bin/grep -vE "/Library/AppStore" | /usr/bin/wc -l | /usr/bin/xargs result: integer: 0 fix: | diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index 935a7c774..e8b1d02cd 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml @@ -59,7 +59,8 @@ discussion: | |5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured + 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured + 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured + - 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured + 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured + + 5.3.3 Audit Connected FAT32 and ExFAT Drives |=== [cols="15%h, 85%a"]
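
Review bot: In PATCH 1/3, rules/system_settings/system_settings_guest_access_smb_disable.yaml, the new check passes only when `grep -c` prints exactly 1, so it depends on sysadminctl emitting the literal phrase "SMB guest access disabled" on exactly one line. If that wording changes, or the phrase appears on a second line of the merged stdout/stderr stream, a correctly configured host is reported as non-compliant. Consider `grep -q` followed by an explicit echo of 1 or 0 so the result does not depend on the line count, and add a sentence to the discussion recording that the check matches sysadminctl's status text rather than the AllowGuestAccess preference key.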
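
Review bot: In PATCH 2/3, rules/os/os_external_apfs_hfs_volumes_encrypted.yaml, the NOTE in the fix text contradicts the rule: it tells users who need HFS+ to format the drive as "MacOS Extended (Journaled)" or "MacOS Extended (Case-Sensitive, Journaled)", neither of which is an encrypted format, while the title and discussion require every external APFS or HFS+ volume to be encrypted. A drive formatted as the NOTE describes would fail this rule's own check. Name the encrypted format options there instead, and reword "It is recommended using APFS" to "APFS is recommended".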
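
Review bot: In PATCH 2/3, rules/os/os_fat_exfat_volumes_prohibit.yaml is created and wired into baselines/cis_lvl2.yaml and baselines/cisv8.yaml, and PATCH 3/3 then deletes the file and both baseline entries, so the series adds 43 lines only to remove them again. Drop the rule from 2/3 and go straight to the "5.3.3 Audit Connected FAT32 and ExFAT Drives" entry in supplemental_cis_manual.yaml; that keeps history bisectable and avoids an intermediate commit that ships a rule the published benchmark does not have. If the rule is kept in any form, note that its check greps `diskutil list` for the partition-type labels "DOS_FAT_32" and "Microsoft Basic Data", not for the file system actually on the volume.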
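
Review bot: In PATCH 3/3, rules/os/os_external_apfs_hfs_volumes_encrypted.yaml, the rewritten check still fails open: `fail` is built only from `diskutil info` output that contains a "FileVault:" line with "No" in the second field, and stderr is discarded with `2>/dev/null`. A volume for which `diskutil info` errors, or whose output carries no "FileVault:" line, contributes nothing to `list`, so `fail` is empty and the check prints "Yes". Count the identifiers passed to xargs and the "FileVault:" lines seen, and report a failure when they differ, so that an uninspectable volume is not treated as encrypted.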
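
Review bot: In PATCH 3/3, rules/os/os_internal_apfs_volumes_encrypted.yaml, the exemption `name !~ /^(Preboot|Recovery|VM)$/` is keyed on the Volume Name, while the discussion exempts volumes that have a specific role. Anchoring the pattern is an improvement over 2/3, but an unencrypted user data volume that is simply named "VM" or "Recovery" is still skipped, and any other system volume that reports "FileVault: No" is listed as a failure. Key the exemption on the APFS role (for example as shown by `diskutil apfs list`) instead of the name, or state in the discussion that the match is by name and what that implies.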
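
Review bot: In PATCH 3/3, rules/os/os_world_writable_library_folder_configure.yaml, the added filter `grep -vE "/Library/AppStore"` is unanchored, so it drops every path that contains that substring (for example a directory named /Library/AppStoreCache or one nested under another folder's Library/AppStore), not only /Library/AppStore itself. Anchor it, for instance `grep -vE "^/Library/AppStore(/|$)"`, or exclude the directory inside the find expression. The hunk also changes only the check, while the rule's own NOTE says exclusions need to be added to "this check and fix"; the fix should receive the same exclusion so remediation and audit agree.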