BigFix Compliance: Updated CIS Checklist for Mac OS X 10.14, published 2021-10-04

Suprithkn · October 4, 2021, 9:08pm

Product:
BigFix Compliance

Title:
Updated CIS Checklist for Mac OS X 10.14 to support more recent version of benchmark

Security Benchmark:
CIS Apple macOS 10.14 Benchmark , v1.4.0

Published Sites:
CIS Checklist for Mac OS X 10.14, site version 5
(The site version is provided for air-gap customers.)

Details:
Release notes:

Removed:
- CIS-2.6.4
- CIS-2.6.5
- CIS-5.6
- CIS-2.5.8
- CIS-5.9
CIS-2.12 was removed and split into two new checks, CIS-2.8 and CIS-2.9.
Old CIS-2.8 was removed.
Old CIS-2.9 was renamed to CIS-2.10, now checks each user and also added remediation.
Old CIS-5.5 was removed, CIS-5.4 was renamed to CIS-5.5, now also checks /etc/sudoers.d/*, checks timestamp_type, and added remediation.
Added:
- CIS-2.4.11
- CIS-2.5.5
- CIS-2.5.6
- CIS-5.15
- CIS-2.5.3 is new, the old CIS-2.5.3 was renamed to CIS-2.5.2.2.
- CIS-5.19 is new, old CIS-5.19 was renamed to CIS-5.18
- CIS-2.4.10
- CIS-6.3
Renamed:
- CIS-2.5.4 renamed to CIS-2.5.2.3
- CIS-2.5.2 renamed to CIS-2.5.2.1
- CIS-2.1.3 renamed to CIS-2.1.2 now gives full path to the plist file and also added remediation.
- CIS-3.5 renamed to CIS-3.3, now also checks that all_max is not set.
- CIS-3.4 renamed to CIS-3.5, allowed groups are now root and wheel, also allowed permissions are now 440 for /etc/security/audit_control.
- CIS-3.3 renamed to CIS-3.4
Modified:
- CIS-5.1.4 (different from 10.15 also)
- CIS-2.1.1 added remediation.
- CIS-2.3.2 added remediation.
- CIS-2.4.2 added remediation.
- CIS-2.4.3 added remediation.
- CIS-2.4.4 now uses cupsctl to check for shared printers, also added remediation.
- CIS-2.4.6 added remediation.
- CIS-2.4.6 now checks each user for BT sharing, also added remediation.
- CIS-2.4.8 slight change in how it checks whether printers are disabled.
- CIS-2.4.9 added remediation.
- CIS-2.7.2 now uses tmutil and diskutil commands to determine encryption.
- CIS-4.4 now uses launchctl to check for apache.
- CIS-4.5 now uses launchctl to check for nfsd.
- CIS-5.10 also checks hibernatemode.
- CIS-5.11 added remediation.
- CIS-5.14 now checks both of /Library/Security/PolicyBanner.txt and /Library/Security/PolicyBanner.rtf.
- CIS-5.2.1 added remediation.
- CIS-5.2.2 added remediation.
- CIS-5.2.7 now checks policyAttributeDaysUntilExpiration, and added remediation.
- CIS-5.2.8 added remediation.
- CIS-6.2 added remediation.
Also there are various minor changes to documentation.

Actions to take:

To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product and you must be using BigFix version 9.2 and later.
If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see https://help.hcltechsw.com/bigfix/10.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html

More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:

BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/SCM%20Checklists

We hope you find this latest release of SCM content useful and effective. Thank you!
– The BigFix Compliance team