Product:
BigFix Compliance
Title:
Updated CIS Checklist for Mac OS X 10.15 to support more recent version of benchmark
Security Benchmark:
CIS Apple OSX 10.15 Benchmark, Version 1.4.0
Published Sites:
CIS Checklist for Mac OS X 10.15, site version 4
(The site version is provided for air-gap customers.)
Details:
Release notes:
-
Removed checks:
-
CIS-2.6.4
-
CIS-2.6.5
-
CIS-5.6
-
CIS-2.12 split into two new checks, CIS-2.8 and CIS-2.9.
-
Old CIS-2.8 was removed.
-
Old CIS-2.9 was renamed to CIS-2.10, now checks each user and also added remediation.
-
Old CIS-5.5 was removed, CIS-4.5 was renamed to CIS-5.5, now also checks /etc/sudoers.d/*, checks timestamp_type, and added remediation.
-
-
Added checks:
-
CIS-2.4.11
-
CIS-2.4.12
-
CIS-2.5.5
-
CIS-2.5.6
-
CIS-5.15
-
CIS-2.5.3 is new, the old CIS-2.5.3 was renamed to CIS-2.5.2.2.
-
CIS-5.19 is new, old CIS-5.19 was renamed to CIS-5.18
-
CIS-5.5 was removed and CIS-4.5 was renamed to CIS-5.5
-
CIS-2.5.4 renamed to CIS-2.5.2.3
-
CIS-2.5.2 renamed to CIS-2.5.2.1
-
CIS-2.1.3 renamed to CIS-2.1.2 now gives full path to the plist file and also added remediation.
-
CIS-3.5 renamed to CIS-3.3, now also checks that all_max is not set.
-
CIS-3.4 renamed to CIS-3.5, allowed groups are now root and wheel, also allowed permissions are now 440 for /etc/security/audit_control.
-
CIS-3.3 renamed to CIS-3.4
-
-
Modified checks:
-
CIS-5.1.4 now looks in /System/Volumes/Data/Library.
-
CIS-2.1.1 added remediation.
-
CIS-2.3.2 added remediation.
-
CIS-2.4.2 added remediation.
-
CIS-2.4.3 added remediation.
-
CIS-2.4.4 now uses cupsctl to check for shared printers, also added remediation.
-
CIS-2.4.6 added remediation.
-
CIS-2.4.9 added remediation.
-
CIS-2.7.2 now uses tmutil and diskutil commands to determine encryption.
-
CIS-5.10 also checks hibernatemode.
-
CIS-5.11 added remediation.
-
CIS-5.14 now checks both of /Library/Security/PolicyBanner.txt and /Library/Security/PolicyBanner.rtf.
-
CIS-5.2.1 added remediation.
-
CIS-5.2.2 added remediation.
-
CIS-5.2.7 now checks policyAttributeDaysUntilExpiration, and added remediation.
-
CIS-5.2.8 added remediation.
-
CIS-6.2 added remediation.
-
-
Also there are various minor changes to documentation.
-
Modified the site relevance to target only native (BigFix Agent) based computers to avoid execution on an endpoint without an agent.
Actions to take:
-
To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product and you must be using BigFix version 9.2 and later.
-
If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see https://help.hcltechsw.com/bigfix/9.5/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html
More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:
-
BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance -
BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/SCM%20Checklists
We hope you find this latest release of SCM content useful and effective. Thank you!
– The BigFix Compliance team