CIS missing some profiles?

[RVRX]

Is there a reason https://github.com/usnistgov/macos_security/blob/sonoma/rules/icloud/icloud_keychain_disable.yaml is not in the CIS lvl 2 benchmark in this repo? It comes out as part of Chapter 9.1 "CIS Manual Recommendations" section when generating a guidance documentation, but not in any of the tooling (No profiles are created for it?).

I see it in the CIS Sonoma v1.0.0 benchmark/baseline in section 2.1.1.1, along with how to make a configuration profile for it:

It is marked as 'manual', but this defined as just things that need to be manually checked, not manually implemented (?):

Manual
Represents recommendations for which assessment of a technical control cannot be
fully automated and requires all or some manual steps to validate that the configured
state is set as expected.

Any help on why this is so, or if I ran a command wrong would be appreciated.

$ ./scripts/generate_guidance.py baselines/cis_lvl2.yaml --profiles --script --xls
$ grep -r 'allowCloudKeychainSync' .
./rules/icloud/icloud_keychain_disable.yaml:  .objectForKey('allowCloudKeychainSync').js
./rules/icloud/icloud_keychain_disable.yaml:    allowCloudKeychainSync: false

^ I'd expect that grep to return more than just the .yaml definition if a profile with this key was created

[robertgendler]

CIS views it as a manual that should be audited, not one that needs to be automated. So that's why.
This is a required setting to meet AC-20 in the NIST 800-53, as iCloud is not authorized for federal usage.

CIS manual != mscp manual. These are not the same.

[RVRX]

Thank you. I am new to CIS baselines and this repo, so pardon my ignorance, but I'm still looking for a little more clarification as I am still confused (maybe that is CIS fault, not yours);

Interesting, I guess I can see now that you are just following the CIS path of 'it doesn't need to be automated', but if they (and other benchmarks) include the way to automate it, why do they suggest such? Is there any downside to automating these 'Manual' tasks? If they are expected to be implemented anyways, I am not sure why I wouldn't just want to fully automate that process...

It seems to put some extra burden on the user to have to customize a baseline and poke around to identify and include these manual recommendations. As such, would you be open to potentially having a feature in the future that allows you to opt-in to generating these a cis baseline that includes these tasks, or does something similar already exist?

[brodjieski]

Establishing and implementing security baselines require admins to review and evaluate any control they are applying to their system, even if they are just meant to follow CIS. While the project attempts to make this process a bit easier for admins, there still needs to be review and understanding of the settings being deployed in an environment. While this burden does fall to the system admin implementing the baseline, once the final baseline is established, it's not something done on a regular basis.

This specific setting is an interesting one, in that, CIS only provides guidance to audit the value of the setting to make sure it meets the organization's requirements. They don't specify which value to have, so you can't automate the compliance against this benchmark, as there are multiple values possible. This is why it remains "manual".

You may be interested in some of the presentations and trainings related to the MSCP, which can help you create and modify existing baselines to meet your needs. https://github.com/usnistgov/macos_security/wiki/Resources

We have built tools that help you tailor the baselines to include/exclude rules you choose. There is also a tool built by Jamf that puts a nice GUI on the process. You can start with CIS Level 2, then add other rules (like this icloud keychain rule) that you see fit to create your unique baseline which can then generate the profiles/scripts/etc that match what you decided to include.

[RVRX]

Alright, that clears up their use of the word manual, Thanks!

Lastly is there tooling here that will allow me to customize a baseline to add these rules it they are not there? I know I can use --tailor to remove rules in a baseline, but I am not sure how to add rules to a baseline in an automated process, or would I manually have to edit the baseline yaml?

I considered just tailoring the all_rules baseline, but that seems to fail to build on the sonoma branch.

[brodjieski]

Typically, you should be able to use the all_rules baseline, but if it's failing for you, i'll have to look into why that is (we may have missed something in recent commits). I see that generate_guidance.py against the all_rules is failing... but that's ok, you want to start from your own, not the all_rules.yaml provided. I'll see about fixing that.

You can run generate_baseline.py -k all_rules -t to create a new tailored baseline from all of the rules.

If it's just this one rule you want to add, it might be easiest to just add the - icloud_keychain_disable line to your baseline.yaml file (which can just be a copy of the cis_lvl2.yaml file).

The Jamf Compliance Editor makes this a bit easier, as you can start with the CIS LVL 2 benchmark, and easily check/uncheck additional rules.

[RVRX]

Thanks to you both.
Good suggestion on the Jamf Compliance editor, looks like a nice tool

[RVRX]

you should be able to use the all_rules baseline

created issue
#383