fleetdm · defensivedepth · Dec 11, 2024 · sharon-fdm · Dec 12, 2024
diff --git a/ee/cis/macos-15/cis-policy-queries.yml b/ee/cis/macos-15/cis-policy-queries.yml
@@ -3464,3 +3464,28 @@ spec:
   purpose: Informational
   tags: compliance, CIS, CIS_Level1
   contributors: sharon-fdm
+---
+apiVersion: v1
+kind: policy
+spec:
+  name: CIS - Ensure Home Folders Are Secure
+  platforms: macOS
+  platform: darwin
+  description: |
+    By default, macOS allows all valid users into the top level of every other user's home folder and restricts access to the Apple default folders within. Another user on the same system can see you have a "Documents" folder but cannot see inside it. This configuration does work for personal file sharing but can expose user files to standard accounts on the system.
+  resolution: |
+    Terminal method:
+    For each user, run the following command to secure all home folders:
+    /usr/bin/sudo /bin/chmod -R og-rwx /Users/<username>
+  query: |
+    SELECT 1 FROM find_cmd 
+    WHERE directory = '/System/Volumes/Data/Users' 
+      AND type = 'd' 
+      AND mindepth = '1' 
+      AND maxdepth = '1' 
+      AND not_perm = '700' 
+      AND path NOT LIKE '%/Shared' 
+      AND path NOT LIKE '%/Guest';
+  purpose: Informational
+  tags: compliance, CIS, CIS_Level1
+  contributors: defensivedepth
@@ -36,6 +36,12 @@ func Columns() []table.ColumnDefinition {
 		table.TextColumn("type"),
 		// perm allows setting find's '-perm' argument.
 		table.TextColumn("perm"),
+		// not_perm allows setting find's '-not -perm' argument.
+		table.TextColumn("not_perm"),
+		// mindepth allows setting find's '-mindepth' argument.
+		table.TextColumn("mindepth"),
+		// maxdepth allows setting find's '-maxdepth' argument.
+		table.TextColumn("maxdepth"),
 		// path are the found directories.
 		table.TextColumn("path"),
 	}
@@ -84,13 +90,32 @@ func Generate(ctx context.Context, queryContext table.QueryContext) ([]map[strin
 		}
 	}
 
+	notPerm := getArgumentOpEqual("not_perm")
+	if notPerm != "" {
+		if !permRegexp.Match([]byte(notPerm)) {
+			return nil, fmt.Errorf("not_perm must be of the form: %s", permRegexp)
+		}
+	}
+
+	minDepth := getArgumentOpEqual("mindepth")
+	maxDepth := getArgumentOpEqual("maxdepth")
+
 	args := []string{directory}
 	if findType != "" {
 		args = append(args, "-type", findType)
 	}
 	if perm != "" {
 		args = append(args, "-perm", perm)
 	}
+	if notPerm != "" {
+		args = append(args, "-not", "-perm", notPerm)
+	}
+	if minDepth != "" {
+		args = append(args, "-mindepth", minDepth)
+	}
+	if maxDepth != "" {
+		args = append(args, "-maxdepth", maxDepth)
+	}
 
 	cmd := exec.Command("/usr/bin/find", args...)
 	stdoutPipe, err := cmd.StdoutPipe()
@@ -138,7 +163,10 @@ func Generate(ctx context.Context, queryContext table.QueryContext) ([]map[strin
 		rows = append(rows, map[string]string{
 			"directory": directory,
 			"perm":      perm,
+			"not_perm":  notPerm,
 			"type":      findType,
+			"mindepth":  minDepth,
+			"maxdepth":  maxDepth,
 			"path":      outDir,
 		})
 	}

@@ -185,4 +185,96 @@ func TestGenerate(t *testing.T) {
 	require.NoError(t, err)
 	require.Len(t, rows, 1)
 	require.Equal(t, rows[0]["path"], filepath.Join(testDir, "zoo"))
+
+	// Test with not_perm argument
+	rows, err = Generate(context.Background(), table.QueryContext{
+		Constraints: map[string]table.ConstraintList{
+			"directory": {
+				Affinity: table.ColumnTypeText,
+				Constraints: []table.Constraint{
+					{
+						Operator:   table.OperatorEquals,
+						Expression: testDir,
+					},
+				},
+			},
+			"not_perm": {
+				Affinity: table.ColumnTypeText,
+				Constraints: []table.Constraint{
+					{
+						Operator:   table.OperatorEquals,
+						Expression: "-2",
+					},
+				},
+			},
+		},
+	})
+	require.NoError(t, err)
+	require.Len(t, rows, 1)
+	require.Equal(t, rows[0]["path"], testDir)
+
+	// Test with invalid not_perm argument
+	_, err = Generate(context.Background(), table.QueryContext{
+		Constraints: map[string]table.ConstraintList{
+			"directory": {
+				Affinity: table.ColumnTypeText,
+				Constraints: []table.Constraint{
+					{
+						Operator:   table.OperatorEquals,
+						Expression: testDir,
+					},
+				},
+			},
+			"not_perm": {
+				Affinity: table.ColumnTypeText,
+				Constraints: []table.Constraint{
+					{
+						Operator:   table.OperatorEquals,
+						Expression: "invalid",
+					},
+				},
+			},
+		},
+	})
+	require.Error(t, err)
+
+	// Test with mindepth and maxdepth
+	err = os.MkdirAll(filepath.Join(testDir, "a/b/c"), os.ModePerm)
+	require.NoError(t, err)
+
+	rows, err = Generate(context.Background(), table.QueryContext{
+		Constraints: map[string]table.ConstraintList{
+			"directory": {
+				Affinity: table.ColumnTypeText,
+				Constraints: []table.Constraint{
+					{
+						Operator:   table.OperatorEquals,
+						Expression: testDir,
+					},
+				},
+			},
+			"mindepth": {
+				Affinity: table.ColumnTypeText,
+				Constraints: []table.Constraint{
+					{
+						Operator:   table.OperatorEquals,
+						Expression: "2",
+					},
+				},
+			},
+			"maxdepth": {
+				Affinity: table.ColumnTypeText,
+				Constraints: []table.Constraint{
+					{
+						Operator:   table.OperatorEquals,
+						Expression: "3",
+					},
+				},
+			},
+		},
+	})
+	require.NoError(t, err)
+	require.Len(t, rows, 2)
+	require.Equal(t, rows[0]["path"], filepath.Join(testDir, "a/b"))
+	require.Equal(t, rows[1]["path"], filepath.Join(testDir, "a/b/c"))
 }
@@ -18,6 +18,21 @@ columns:
     required: false
     description: |-
       Sets the value of the `-perm` flag.
+  - name: not_perm
+    type: text
+    required: false
+    description: |-
+      Sets the value of the `-not -perm` flag to find files that do NOT have the specified permissions.
+  - name: mindepth
+    type: text
+    required: false
+    description: |-
+      Sets the value of the `-mindepth` flag to specify the minimum directory depth.
+  - name: maxdepth
+    type: text
+    required: false
+    description: |-
+      Sets the value of the `-maxdepth` flag to specify the maximum directory depth.
   - name: path
     type: text
     required: false