Enable macOS Compliance Modules FIM, CIS benchmarks, rootkit detection.

[GOLASOOO]

Description

Enable and validate macOS compliance monitoring capabilities in the Wazuh deployment, specifically focusing on File Integrity Monitoring (FIM), CIS benchmark assessment, and rootkit detection. This task ensures improved visibility, detection, and compliance alignment with ISO 27001 and ENS (Medium) requirements by enforcing host-based security controls on macOS endpoints.

The implementation will leverage native Wazuh modules (syscheck, sca, and rootcheck) to monitor critical system files, evaluate compliance against CIS benchmarks for macOS, and detect potential rootkits or anomalous system behavior. This contributes directly to controls related to system integrity, continuous monitoring, and hardening validation

Scope

• Enable and configure:

  • File Integrity Monitoring (FIM) via syscheck
  • CIS benchmark compliance via sca policies for macOS
  • Rootkit detection via rootcheck

• Apply configurations to all managed macOS agents

• Tune monitoring paths, frequency, and exclusions for macOS environments

• Validate event generation and ingestion in Wazuh dashboard

• Document configuration and operational considerations

Acceptance Criteria

• syscheck (FIM) module is enabled on all macOS agents
• Critical system paths (e.g., /System, /usr, /bin, /etc) are monitored with appropriate recursion and frequency
• Noise reduction implemented via exclusions (e.g., cache, logs, temp files)
• Real-time monitoring is enabled where supported on macOS
• File change events are successfully reported to Wazuh manager
• sca module is enabled with CIS macOS benchmark policy applied
• CIS compliance scan runs successfully on macOS agents
• Compliance results are visible and queryable in Wazuh dashboard
• Failed controls are clearly identified with actionable output
• rootcheck module is enabled and scheduled appropriately
• Rootkit scan results are generated and ingested into Wazuh
• No critical performance degradation observed on endpoints
• Required macOS permissions (e.g., Full Disk Access) are validated
• Configuration is centrally managed and reproducible (e.g., via agent config or group)
• Logging and alerting thresholds are aligned with operational needs
• Validation performed on at least one test macOS endpoint before rollout
• Documentation created for:
  • Configuration details
  • Known limitations
  • Tuning guidelines
• Alignment verified with ISO 27001 (Annex A controls) and ENS Medium requirements

Additional Notes

• macOS requires explicit Full Disk Access for Wazuh agent to properly monitor certain directories; this should be enforced via MDM (e.g., Mosyle).
• CIS benchmark policies may need adaptation depending on macOS version (e.g., Ventura, Sonoma).
• Consider staging rollout to avoid alert flooding.
• Default Wazuh policies may be overly verbose; tuning will be necessary for production readiness.
• Monitor agent CPU and I/O usage after enabling FIM with real-time scanning.
• Future improvement: integrate alerting with Slack/Email for compliance drift visibility.