Reduce CIS benchmark documentation page contents (#17108)

rachaelshaw · noahtalerman · web-flow · commit 44c3ba83e5c7 · 2024-03-21T15:03:14.000-05:00
+ Move specific CIS benchmark details into READMEs
+ Reduce content in Using Fleet &gt; CIS Benchmarks

---------

Co-authored-by: Noah Talerman &lt;47070608+noahtalerman@users.noreply.github.com&gt;
diff --git a/docs/Using Fleet/CIS-Benchmarks.md b/docs/Using Fleet/CIS-Benchmarks.md
@@ -1,19 +1,21 @@
 # CIS Benchmarks
 
-> Available in Fleet Premium
+_Available in Fleet Premium_.
 
 ## Overview
+
 CIS Benchmarks represent the consensus-based effort of cybersecurity experts globally to help you protect your systems against threats more confidently.
 For more information about CIS Benchmarks check out [Center for Internet Security](https://www.cisecurity.org/cis-benchmarks)'s website.
 
 Fleet has implemented native support for CIS Benchmarks for the following platforms:
-- macOS 13.0 Ventura (96 checks)
-- Windows 10 Enterprise (496 checks)
-- Windows 11 Enterprise (521 checks)
+- macOS 13.0 Ventura
+- macOS 14.0 Sonoma
+- Windows 10 Enterprise
+- Windows 11 Enterprise
 
 [Where possible](#limitations), each CIS Benchmark is implemented with a [policy query](./REST-API.md#policies) in Fleet. 
 
-These benchmarks are intended to gauge your organization's security posture, rather than the current state of a given host. A host may fail a CIS Benchmark policy despite having the correct settings enabled if there is not a specific policy in place to enforce that setting. For example, this is the query for  **CIS - Ensure FileVault Is Enabled (MDM Required)**:
+These benchmarks are intended to gauge your organization's security posture, rather than the current state of a given host. A host may fail a CIS Benchmark policy despite having the correct settings enabled if there is no configuration profile or Group Policy Object (GPO) in place to enforce the setting. For example, this is the query for  **CIS - Ensure FileVault Is Enabled (MDM Required)**:
 
 ```sql
 SELECT 1 WHERE 
@@ -88,14 +90,13 @@ fleetctl apply --policies-team "Workstations" -f cis-policy-queries.yml
 ```
 
 ## Limitations
-Fleet's current set of benchmarks only implements benchmark *auditing* steps that can be *automated*.
 
-In practice, Fleet is able to cover a large majority of benchmarks:
-* macOS 13 Ventura - 96 of 104
-* Windows 10 Enterprise - All CIS items (496)
-* Windows 11 Enterprise - All CIS items (521) 
+Certain benchmarks require human action to audit, and cannot be automated by a policy in Fleet. For a list of specific benchmarks which are not covered, please visit the README for each benchmark:
 
-For a list of specific checks which are not covered by Fleet, please visit the section devoted to each benchmark.
+- [macOS 13.0 Ventura](https://github.com/fleetdm/fleet/blob/main/ee/cis/macos-13/README.md)
+- [macOS 14.0 Sonoma](https://github.com/fleetdm/fleet/blob/main/ee/cis/macos-14/README.md)
+- [Windows 10 Enterprise](https://github.com/fleetdm/fleet/blob/main/ee/cis/win-10/README.md)
+- [Windows 11 Enterprise](https://github.com/fleetdm/fleet/blob/main/ee/cis/win-11/README.md)
 
 ### Audit vs. remediation
 Each benchmark has two elements:
@@ -106,18 +107,6 @@ Since Fleetd is currently read-only without the ability to execute actions on th
 
 To implement automated remediation, you can install a separate agent such as Munki, Chef, Puppet, etc. which has write functionality.
 
-### Manual vs. automated
-
-For both the audit and remediation elements of a CIS Benchmark, there are two types:
-1. Automated - the element can be audited or remediated without human intervention
-2. Manual - the element requires human intervention to be audited or remediated
-
-Fleet only implements automated audit checks. Manual checks require administrators to implement other processes to conduct the check.
-
-* macOS 13 Ventura - 96 of 104 are automated
-* Windows 10 Enterprise - All CIS items (496) are automated
-* Windows 11 Enterprise - All CIS items (521) are automated 
-
 
 ## Levels 1 and 2
 CIS designates various benchmarks as Level 1 or Level 2 to describe the level of thoroughness and burden that each benchmark represents.
@@ -137,50 +126,6 @@ This profile extends the "Level 1" profile. Items in this profile exhibit one or
 - are intended for environments or use cases where security is paramount or acts as defense in depth measure
 - may negatively inhibit the utility or performance of the technology.
 
-## macOS 13.0 Ventura benchmark
-
-Fleet's policies have been written against v1.0 of the benchmark. Please refer to the "CIS Apple macOS 13.0 Ventura Benchmark v1.0.0 - 11-14-2022" PDF from the CIS website for full details.
-
-### Checks that require customer decision
-
-CIS has left the parameters of the following checks up to the benchmark implementer. CIS recommends that an organization make a conscious decision for these benchmarks, but does not make a specific recommendation.
-
-Fleet has provided both an "enabled" and "disabled" version of these benchmarks. When both policies are added, at least one will fail. Once your organization has made a decision, you can delete one or the other policy query.
-The policy will be appended with a `-enabled` or `-disabled` label, such as `2.1.1.1-enabled`.
-
-- 2.1.1.1 Audit iCloud Keychain
-- 2.1.1.2 Audit iCloud Drive
-- 2.5.1 Audit Siri
-- 2.8.1 Audit Universal Control
-
-Furthermore, CIS has decided to not require the following password complexity settings:
-- 5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured
-- 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured
-- 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured
-- 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured
-
-However, Fleet has provided these as policies. If your organization declines to implement these, simply delete the corresponding policy.
-
-### macOS 13.0 Ventura manual checks
-
-The following CIS benchmark checks cannot be automated and must be addressed manually:
-- 2.1.2 Audit App Store Password Settings
-- 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information
-- 2.6.6 Audit Lockdown Mode
-- 2.11.2 Audit Touch ID and Wallet & Apple Pay Settings
-- 2.13.1 Audit Passwords System Preference Setting
-- 2.14.1 Audit Notification & Focus Settings
-- 3.7 Audit Software Inventory
-- 6.2.1 Ensure Protect Mail Activity in Mail Is Enabled
-
-## Windows 10 & 11 Enterprise benchmarks
-
-Fleet's policies have been written against v2.0.0 of the benchmarks. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version.
-
-### Checks that require a Group Policy template
-
-Several items require Group Policy templates in place in order to audit them.
-These items are tagged with the label `CIS_group_policy_template_required` in the YAML file, and details about the required Group Policy templates can be found in each item's `resolution`.
 
 ## Performance testing
 In August 2023, we completed scale testing on 10k Windows hosts and 70k macOS hosts. Ultimately, we validated both server and host performance at that scale.
diff --git a/ee/cis/macos-13/README.md b/ee/cis/macos-13/README.md
@@ -0,0 +1,37 @@
+# macOS 13.0 Ventura benchmark
+
+Fleet's policies have been written against v1.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version.
+
+For requirements and usage details, see the [CIS Benchmarks](https://fleetdm.com/docs/using-fleet/cis-benchmarks) documentation.
+
+### Limitations
+
+The following CIS benchmarks cannot be checked with a policy in Fleet:
+1. 2.1.2 Audit App Store Password Settings
+2. 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information
+3. 2.6.6 Audit Lockdown Mode
+4. 2.11.2 Audit Touch ID and Wallet & Apple Pay Settings
+5. 2.13.1 Audit Passwords System Preference Setting
+6. 2.14.1 Audit Notification & Focus Settings
+7. 3.7 Audit Software Inventory
+8. 6.2.1 Ensure Protect Mail Activity in Mail Is Enabled
+
+### Checks that require decision
+
+CIS has left the parameters of the following checks up to the benchmark implementer. CIS recommends that an organization make a conscious decision for these benchmarks, but does not make a specific recommendation.
+
+Fleet has provided both an "enabled" and "disabled" version of these benchmarks. When both policies are added, at least one will fail. Once your organization has made a decision, you can delete one or the other policy query.
+The policy will be appended with a `-enabled` or `-disabled` label, such as `2.1.1.1-enabled`.
+
+- 2.1.1.1 Audit iCloud Keychain
+- 2.1.1.2 Audit iCloud Drive
+- 2.5.1 Audit Siri
+- 2.8.1 Audit Universal Control
+
+Furthermore, CIS has decided to not require the following password complexity settings:
+- 5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured
+- 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured
+- 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured
+- 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured
+
+However, Fleet has provided these as policies. If your organization declines to implement these, simply delete the corresponding policies.
diff --git a/ee/cis/macos-14/README.md b/ee/cis/macos-14/README.md
@@ -0,0 +1,37 @@
+# macOS 14.0 Sonoma benchmark
+
+Fleet's policies have been written against v1.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version.
+
+For requirements and usage details, see the [CIS Benchmarks](https://fleetdm.com/docs/using-fleet/cis-benchmarks) documentation.
+
+### Limitations
+
+The following CIS benchmarks cannot be checked with a policy in Fleet:
+1. 2.1.2 Audit App Store Password Settings
+2. 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information
+3. 2.6.6 Audit Lockdown Mode
+4. 2.11.2 Audit Touch ID and Wallet & Apple Pay Settings
+5. 2.13.1 Audit Passwords System Preference Setting
+6. 2.14.1 Audit Notification & Focus Settings
+7. 3.7 Audit Software Inventory
+8. 6.2.1 Ensure Protect Mail Activity in Mail Is Enabled
+
+### Checks that require decision
+
+CIS has left the parameters of the following checks up to the benchmark implementer. CIS recommends that an organization make a conscious decision for these benchmarks, but does not make a specific recommendation.
+
+Fleet has provided both an "enabled" and "disabled" version of these benchmarks. When both policies are added, at least one will fail. Once your organization has made a decision, you can delete one or the other policy query.
+The policy will be appended with a `-enabled` or `-disabled` label, such as `2.1.1.1-enabled`.
+
+- 2.1.1.1 Audit iCloud Keychain
+- 2.1.1.2 Audit iCloud Drive
+- 2.5.1 Audit Siri
+- 2.8.1 Audit Universal Control
+
+Furthermore, CIS has decided to not require the following password complexity settings:
+- 5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured
+- 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured
+- 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured
+- 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured
+
+However, Fleet has provided these as policies. If your organization declines to implement these, simply delete the corresponding policies.
diff --git a/ee/cis/win-10/README.md b/ee/cis/win-10/README.md
@@ -0,0 +1,15 @@
+# Windows 10 Enterprise benchmarks
+
+Fleet's policies have been written against v2.0.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version.
+
+For requirements and usage details, see the [CIS Benchmarks](https://fleetdm.com/docs/using-fleet/cis-benchmarks) documentation.
+
+### Limitations
+
+> None. All items in this version of the benchmark are able to be automated.
+
+
+### Checks that require a Group Policy template
+
+Several items require Group Policy templates in place in order to audit them.
+These items are tagged with the label `CIS_group_policy_template_required` in the YAML file, and details about the required Group Policy templates can be found in each item's `resolution`.
diff --git a/ee/cis/win-11/README.md b/ee/cis/win-11/README.md
@@ -0,0 +1,15 @@
+# Windows 11 Enterprise benchmarks
+
+Fleet's policies have been written against v2.0.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version.
+
+For requirements and usage details, see the [CIS Benchmarks](https://fleetdm.com/docs/using-fleet/cis-benchmarks) documentation.
+
+### Limitations
+
+> None. All items in this version of the benchmark are able to be automated.
+
+
+### Checks that require a Group Policy template
+
+Several items require Group Policy templates in place in order to audit them.
+These items are tagged with the label `CIS_group_policy_template_required` in the YAML file, and details about the required Group Policy templates can be found in each item's `resolution`.
