Compliance Editor - CIS Level 1 benchmark with one false positive

WEN2024
New Contributor

Good afternoon,

We are currently testing the Compliance Editor and have deployed the CIS Level 1 benchmark to three test devices via Jamf Pro. The benchmark appears to be fully implemented on these devices. However, the 'Sonoma CIS Benchmark Level 1 Audit' in Jamf is showing that the devices are non-compliant because Siri Listen was not disabled (system_settings_siri_listen_disable). I checked the devices, and Siri Listen was already disabled (screenshot below) before the CIS benchmark was applied. Does anyone know how I can resolve this false positive?

 

[Image: Screenshot 2024-08-14 at 16.22.09.png]


Thank you.

2 ACCEPTED SOLUTIONS

boberito
Valued Contributor

Have you pushed the profile to disable it? The check is checking to see if the profile is in place. Right now (most likely) there actually is no value set for the preference it's checking.


jmahlman
Valued Contributor

Beat me to it, @boberito

I replied to this in Slack, but the one thing to remember about the MSCP checks is that it is not checking if Listen for is enabled…it’s checking if you have the control to explicitly disable it. A similar conversation was had on the project board: https://github.com/usnistgov/macos_security/discussions/410


WEN2024
New Contributor

Thank you. The 'explicitly disabled' explanation clarifies things. I initially thought the remediation script would enforce the control, but it did not. Is there a profile I can upload instead which disables system_settings_siri_listen?