diff --git a/baselines/nlmapgov_base.yaml b/baselines/nlmapgov_base.yaml
new file mode 100644
index 00000000..aa6bfcf8
--- /dev/null
+++ b/baselines/nlmapgov_base.yaml
@@ -0,0 +1,24 @@
+title: "iOS/iPadOS 26.0: Security Configuration - NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (base)"
+description: |
+ This guide describes the actions to take when securing a iOS/iPadOS 26.0 system against the NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (base) security baseline.
+
+ Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
+authors: |
+ *macOS Security Compliance Project*
+
+ |===
+ |Jordy Witteman|Root3
+ |Aron van den Herik|Root3
+ |===
+parent_values: "nlmapgov_base"
+profile:
+ - section: "ios"
+ rules:
+ - os_background_security_improvement_install_enable
+ - os_force_date_and_time_enable
+ - os_software_update_download_enforce
+ - os_software_update_install_enforce
+ - os_supervised_mdm_require
+ - section: "passwordpolicy"
+ rules:
+ - pwpolicy_force_pin_enable
diff --git a/baselines/nlmapgov_plus.yaml b/baselines/nlmapgov_plus.yaml
new file mode 100644
index 00000000..340e329a
--- /dev/null
+++ b/baselines/nlmapgov_plus.yaml
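Review bot: Three of the six rules in this base profile (`os_background_security_improvement_install_enable`, `os_software_update_download_enforce`, `os_software_update_install_enforce`) are DDM-only — their rule files in this same diff carry `mobileconfig: false` and an empty `check: " "` — so a fleet whose MDM does not deliver `com.apple.configuration.softwareupdate.settings` gets neither enforcement nor an audit signal for half the baseline, and nothing in the description says so. I would add a sentence to the description such as `Software update and Background Security Improvement settings in this baseline are applied only through Declarative Device Management (DDM); an MDM without DDM support will not enforce them.` Also, "securing a iOS/iPadOS" should read "securing an iOS/iPadOS" (the same wording is repeated in nlmapgov_plus.yaml).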
@@ -0,0 +1,57 @@
+title: "iOS/iPadOS 26.0: Security Configuration - NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (plus)"
+description: |
+ This guide describes the actions to take when securing a iOS/iPadOS 26.0 system against the NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (plus) security baseline.
+
+ Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
+authors: |
+ *macOS Security Compliance Project*
+
+ |===
+ |Jordy Witteman|Root3
+ |Aron van den Herik|Root3
+ |===
+parent_values: "nlmapgov_plus"
+profile:
+ - section: "icloud"
+ rules:
+ - icloud_keychain_disable
+ - icloud_managed_apps_store_data_disabled
+ - section: "ios"
+ rules:
+ - os_airdrop_unmanaged_destination_enable
+ - os_allow_documents_managed_sources_unmanaged_destinations_disable
+ - os_apple_watch_wrist_detection_enable
+ - os_authentication_password_autofill_enable
+ - os_background_security_improvement_install_enable
+ - os_background_security_improvement_removal_disable
+ - os_diagnostics_reports_disable
+ - os_disallow_enterprise_app_trust
+ - os_external_intelligence_integration_sign_in_disable
+ - os_force_date_and_time_enable
+ - os_force_encrypted_backups_enable
+ - os_install_configuration_profile_disable
+ - os_install_vpn_configuration_disable
+ - os_iphone_mirroring_disable
+ - os_limit_ad_tracking_enable
+ - os_mail_maildrop_disable
+ - os_mail_move_messages_disable
+ - os_marketplace_prevent
+ - os_on_device_dictation_enforce
+ - os_on_device_translation_enforce
+ - os_personalized_advertising_disable
+ - os_require_managed_pasteboard_enforce
+ - os_safari_cookies_set
+ - os_safari_force_fraud_warning_enable
+ - os_software_update_download_enforce
+ - os_software_update_install_enforce
+ - os_ssl_for_exchange_activesync_enable
+ - os_supervised_mdm_require
+ - os_unpaired_boot_disable
+ - os_untrusted_tls_disable
+ - os_usb_accessories_when_locked_disable
+ - os_web_distribution_app_installation_disable
+ - section: "passwordpolicy"
+ rules:
+ - pwpolicy_force_pin_enable
+ - pwpolicy_minimum_length_enforce
+ - pwpolicy_simple_sequence_disable
diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml
index 15f4e43d..b8588889 100644
--- a/includes/mscp-data.yaml
+++ b/includes/mscp-data.yaml
@@ -104,7 +104,15 @@ authors:
 names:
 - Henry Stamerjohann|Declarative IT GmbH
 - Allen Golbig|Jamf
- - Bob Gendler|National Institute of Standards and Technology
+ - Bob Gendler|National Institute of Standards and Technology
+ nlmapgov_base:
+ names:
+ - Jordy Witteman|Root3
+ - Aron van den Herik|Root3
+ nlmapgov_plus:
+ names:
+ - Jordy Witteman|Root3
+ - Aron van den Herik|Root3
 titles:
 all_rules: All Rules
 800-53r5_high: NIST SP 800-53 Rev 5 High Impact
@@ -118,6 +126,9 @@ titles:
 ios_stig: Apple iOS/iPadOS 26 STIG - Ver 1, Rel 1
 indigo_base: BSI indigo iOS 26.x Base Configuration
 indigo_high: BSI indigo iOS 26.x High Configuration
+ nlmapgov_base: NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (base)
+ nlmapgov_plus: NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (plus)
 ddm:
- supported_types: []
+ supported_types:
+ - com.apple.configuration.softwareupdate.settings
 services: []
\ No newline at end of file
diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml
index 9bd800e4..4952a2cb 100644
--- a/rules/icloud/icloud_keychain_disable.yaml
+++ b/rules/icloud/icloud_keychain_disable.yaml
@@ -32,6 +32,8 @@ references:
 - 4.1
 - 4.8
 - 15.3
+ bio:
+ - 8.12
 iOS:
 - '26.0'
 tags:
@@ -48,6 +50,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true
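Review bot: The new `bio:` entries are plain scalars (`- 8.12` here, `- 8.08` and `- 8.09` in other rules of this diff), which YAML loads as floats rather than control identifiers; the value survives `str()` in generate_xls only as long as it has no trailing zero, so a future control numbered 8.10 or 8.20 would silently render as `8.1`/`8.2`, and `8.12.01` in the external-intelligence rule already loads as a string, leaving the same reference list with mixed types. Quoting them, `- '8.12'`, matches how `iOS: - '26.0'` is written in the same file and removes the ambiguity. The same applies to every `bio:` block added in this diff.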
diff --git a/rules/icloud/icloud_managed_apps_store_data_disabled.yaml b/rules/icloud/icloud_managed_apps_store_data_disabled.yaml
index e9f0db1a..6e0dfa82 100644
--- a/rules/icloud/icloud_managed_apps_store_data_disabled.yaml
+++ b/rules/icloud/icloud_managed_apps_store_data_disabled.yaml
@@ -31,6 +31,8 @@ references:
 - 3.2.1.7 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 2.3
+ bio:
+ - 8.12
 iOS:
 - '26.0'
 tags:
@@ -49,6 +51,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true
diff --git a/rules/os/os_airdrop_unmanaged_destination_enable.yaml b/rules/os/os_airdrop_unmanaged_destination_enable.yaml
index f5625cb8..0fdb37d3 100644
--- a/rules/os/os_airdrop_unmanaged_destination_enable.yaml
+++ b/rules/os/os_airdrop_unmanaged_destination_enable.yaml
@@ -31,6 +31,8 @@ references:
 - 3.2.1.23 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 3.3
+ bio:
+ - 8.12
 iOS:
 - '26.0'
 tags:
@@ -49,6 +51,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true
diff --git a/rules/os/os_allow_documents_managed_sources_unmanaged_destinations_disable.yaml b/rules/os/os_allow_documents_managed_sources_unmanaged_destinations_disable.yaml
index f212a61d..489563bd 100644
--- a/rules/os/os_allow_documents_managed_sources_unmanaged_destinations_disable.yaml
+++ b/rules/os/os_allow_documents_managed_sources_unmanaged_destinations_disable.yaml
@@ -30,6 +30,8 @@ references:
 - 3.2.1.21 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 3.3
+ bio:
+ - 8.12
 iOS:
 - '26.0'
 tags:
@@ -48,6 +50,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true
diff --git a/rules/os/os_apple_watch_wrist_detection_enable.yaml b/rules/os/os_apple_watch_wrist_detection_enable.yaml
index 5010b609..791c419f 100644
--- a/rules/os/os_apple_watch_wrist_detection_enable.yaml
+++ b/rules/os/os_apple_watch_wrist_detection_enable.yaml
@@ -24,6 +24,8 @@ references:
 - 3.2.1.27 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 3.3
+ bio:
+ - 8.12
 iOS:
 - '26.0'
 tags:
@@ -40,6 +42,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: low
 supervised: false
 mobileconfig: true
diff --git a/rules/os/os_authentication_password_autofill_enable.yaml b/rules/os/os_authentication_password_autofill_enable.yaml
index 593193b0..1fa27de7 100644
--- a/rules/os/os_authentication_password_autofill_enable.yaml
+++ b/rules/os/os_authentication_password_autofill_enable.yaml
@@ -24,6 +24,8 @@ references:
 - 3.2.1.26 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 3.3
+ bio:
+ - 8.27
 iOS:
 - "26.0"
 tags:
@@ -38,6 +40,7 @@ tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
 - cnssi-1253_high
+- nlmapgov_plus
 supervised: true
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_background_security_improvement_install_enable.yaml b/rules/os/os_background_security_improvement_install_enable.yaml
new file mode 100644
index 00000000..bcb18a6f
--- /dev/null
+++ b/rules/os/os_background_security_improvement_install_enable.yaml
@@ -0,0 +1,24 @@
+id: os_background_security_improvement_install_enable
+title: Enforce Background Security Improvements are Automatically Installed using DDM.
+discussion: |
+ Background Security Improments _MUST_ be configured to enforce automatic installation and that the user cannot modify the setting within Settings.
+check: " "
+fix: |
+ This is implemented by Declarative Device Management (DDM).
+references:
+ bio:
+ - 8.08
+iOS:
+ - "26.0"
+tags:
+ - ios
+ - nlmapgov_base
+ - nlmapgov_plus
+supervised: true
+mobileconfig: false
+mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.softwareupdate.settings
+ ddm_key: RapidSecurityResponse
+ ddm_value:
+ Enable: true
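Review bot: `check: " "` leaves this rule with no verification step, so the generated compliance output cannot tell an administrator whether the declaration was actually applied, and the fix text only says that DDM implements it. I would replace the whitespace-only value with a statement of how the rule is verified, e.g. `check: |` followed by `There is no on-device check for this rule; confirm through the MDM's DDM status reporting that the softwareupdate.settings declaration is active on the device.` — I cannot see how the generator treats a single-space check, so please confirm it does not emit an empty shell function. Separately, `Improments` in the discussion should be `Improvements`, and the bare `mobileconfig_info:` loads as null, whereas `os_supervised_mdm_require` in this same diff writes `mobileconfig_info: null` explicitly; the explicit form is clearer. The same three points apply to the other new DDM rule files in this diff.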
diff --git a/rules/os/os_background_security_improvement_removal_disable.yaml b/rules/os/os_background_security_improvement_removal_disable.yaml
new file mode 100644
index 00000000..ec02be05
--- /dev/null
+++ b/rules/os/os_background_security_improvement_removal_disable.yaml
@@ -0,0 +1,23 @@
+id: os_background_security_improvement_removal_disable
+title: Disable rollback of Background Security Improvements using DDM.
+discussion: |
+ The ability for the user to roll back Background Security Improvements _MUST_ be disabled.
+check: " "
+fix: |
+ This is implemented by Declarative Device Management (DDM).
+references:
+ bio:
+ - 8.08
+iOS:
+ - "26.0"
+tags:
+ - ios
+ - nlmapgov_plus
+supervised: true
+mobileconfig: false
+mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.softwareupdate.settings
+ ddm_key: RapidSecurityResponse
+ ddm_value:
+ EnableRollback: false
diff --git a/rules/os/os_diagnostics_reports_disable.yaml b/rules/os/os_diagnostics_reports_disable.yaml
index 126eb9bd..af21f2de 100644
--- a/rules/os/os_diagnostics_reports_disable.yaml
+++ b/rules/os/os_diagnostics_reports_disable.yaml
@@ -28,6 +28,8 @@ references:
 - 3.2.1.25 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 4.8
+ bio:
+ - 8.12
 iOS:
 - '26.0'
 tags:
@@ -46,6 +48,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true
diff --git a/rules/os/os_disallow_enterprise_app_trust.yaml b/rules/os/os_disallow_enterprise_app_trust.yaml
index 9b326af3..11816be8 100644
--- a/rules/os/os_disallow_enterprise_app_trust.yaml
+++ b/rules/os/os_disallow_enterprise_app_trust.yaml
@@ -22,6 +22,8 @@ references:
 - N/A
 controls v8:
 - N/A
+ bio:
+ - 8.27
 iOS:
 - '26.0'
 tags:
@@ -35,6 +37,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: low
 supervised: false
 mobileconfig: true
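Review bot: This rule and `os_background_security_improvement_install_enable` both target `declarationtype: com.apple.configuration.softwareupdate.settings` with the same `ddm_key: RapidSecurityResponse` but different sub-keys (`Enable` vs `EnableRollback`), and the two software-update rules do the same under `AutomaticActions`; if the generator emits one declaration per rule instead of deep-merging the `ddm_value` dictionaries into a single declaration of that type, the device receives overlapping declarations and one of the settings may be dropped or overridden. The DDM generation code is not part of this diff, so I cannot confirm which it does; please verify, and either way record the dependency for the next maintainer with a comment on `ddm_info:` such as `# shares a declaration with the other softwareupdate.settings rules — values are merged, not emitted separately`.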
diff --git a/rules/os/os_external_intelligence_integration_sign_in_disable.yaml b/rules/os/os_external_intelligence_integration_sign_in_disable.yaml
index b6ec4fd8..3163ed30 100644
--- a/rules/os/os_external_intelligence_integration_sign_in_disable.yaml
+++ b/rules/os/os_external_intelligence_integration_sign_in_disable.yaml
@@ -30,6 +30,9 @@ references:
 - 15.3
 indigo:
 - ANNEX K
+ bio:
+ - 8.12
+ - 8.12.01
 iOS:
 - '26.0'
 tags:
@@ -45,6 +48,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: true
 mobileconfig: true
diff --git a/rules/os/os_force_date_and_time_enable.yaml b/rules/os/os_force_date_and_time_enable.yaml
index 2ab51dd9..53a661a7 100644
--- a/rules/os/os_force_date_and_time_enable.yaml
+++ b/rules/os/os_force_date_and_time_enable.yaml
@@ -25,6 +25,8 @@ references:
 - 3.2.1.17 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 8.4
+ bio:
+ - 8.17
 iOS:
 - "26.0"
 tags:
@@ -42,6 +44,8 @@ tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
 - cnssi-1253_high
+- nlmapgov_base
+- nlmapgov_plus
 supervised: false
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_force_encrypted_backups_enable.yaml b/rules/os/os_force_encrypted_backups_enable.yaml
index cba3a0b3..4092e56d 100644
--- a/rules/os/os_force_encrypted_backups_enable.yaml
+++ b/rules/os/os_force_encrypted_backups_enable.yaml
@@ -30,6 +30,8 @@ references:
 - 3.2.1.10 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 11.3
+ bio:
+ - 8.12
 iOS:
 - '26.0'
 tags:
@@ -48,6 +50,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true
diff --git a/rules/os/os_install_configuration_profile_disable.yaml b/rules/os/os_install_configuration_profile_disable.yaml
index 29154be7..6ab550ce 100644
--- a/rules/os/os_install_configuration_profile_disable.yaml
+++ b/rules/os/os_install_configuration_profile_disable.yaml
@@ -27,6 +27,8 @@ references:
 - 3.2.1.15 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 4.1
+ bio:
+ - 8.27
 iOS:
 - '26.0'
 tags:
@@ -40,6 +42,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: true
 mobileconfig: true
diff --git a/rules/os/os_install_vpn_configuration_disable.yaml b/rules/os/os_install_vpn_configuration_disable.yaml
index c099c523..23febaeb 100644
--- a/rules/os/os_install_vpn_configuration_disable.yaml
+++ b/rules/os/os_install_vpn_configuration_disable.yaml
@@ -29,6 +29,8 @@ references:
 - 3.2.1.16 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 12.7
+ bio:
+ - 8.12
 iOS:
 - '26.0'
 tags:
@@ -45,6 +47,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: low
 supervised: true
 mobileconfig: true
diff --git a/rules/os/os_iphone_mirroring_disable.yaml b/rules/os/os_iphone_mirroring_disable.yaml
index 22b7e03d..bf0128d7 100644
--- a/rules/os/os_iphone_mirroring_disable.yaml
+++ b/rules/os/os_iphone_mirroring_disable.yaml
@@ -21,6 +21,8 @@ references:
 - ANNEX K
 disa_stig:
 - AIOS-26-015800
+ bio:
+ - 8.12
 iOS:
 - "26.0"
 tags:
@@ -31,6 +33,7 @@ tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
 - cnssi-1253_high
+ - nlmapgov_plus
 supervised: false
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_limit_ad_tracking_enable.yaml b/rules/os/os_limit_ad_tracking_enable.yaml
index 6faf54ce..7706c0cf 100644
--- a/rules/os/os_limit_ad_tracking_enable.yaml
+++ b/rules/os/os_limit_ad_tracking_enable.yaml
@@ -30,6 +30,8 @@ references:
 - N/A
 controls v8:
 - 4.8
+ bio:
+ - 8.12
 iOS:
 - '26.0'
 tags:
@@ -43,6 +45,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: low
 supervised: false
 mobileconfig: true
diff --git a/rules/os/os_mail_maildrop_disable.yaml b/rules/os/os_mail_maildrop_disable.yaml
index b31c1fbf..bd66ebb4 100644
--- a/rules/os/os_mail_maildrop_disable.yaml
+++ b/rules/os/os_mail_maildrop_disable.yaml
@@ -30,6 +30,8 @@ references:
 - 3.7.2 (level 2 - Institutionally-Owned Devices)
 controls v8:
 - 3.3
+ bio:
+ - 8.12
 iOS:
 - '26.0'
 tags:
@@ -46,6 +48,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true
diff --git a/rules/os/os_mail_move_messages_disable.yaml b/rules/os/os_mail_move_messages_disable.yaml
index c64052c1..5da2823c 100644
--- a/rules/os/os_mail_move_messages_disable.yaml
+++ b/rules/os/os_mail_move_messages_disable.yaml
@@ -30,6 +30,8 @@ references:
 - 3.7.1 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 3.3
+ bio:
+ - 8.12
 iOS:
 - '26.0'
 tags:
@@ -48,6 +50,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true
diff --git a/rules/os/os_marketplace_prevent.yaml b/rules/os/os_marketplace_prevent.yaml
index c566d008..866711eb 100644
--- a/rules/os/os_marketplace_prevent.yaml
+++ b/rules/os/os_marketplace_prevent.yaml
@@ -18,6 +18,8 @@ references:
 - AIOS-26-014900
 indigo:
 - ANNEX K
+ bio:
+ - 8.27
 iOS:
 - '26.0'
 tags:
@@ -31,6 +33,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: true
 mobileconfig: true
diff --git a/rules/os/os_on_device_dictation_enforce.yaml b/rules/os/os_on_device_dictation_enforce.yaml
index 562ee823..ac69e8f8 100644
--- a/rules/os/os_on_device_dictation_enforce.yaml
+++ b/rules/os/os_on_device_dictation_enforce.yaml
@@ -29,6 +29,8 @@ references:
 - N/A
 controls v8:
 - N/A
+ bio:
+ - 8.12
 iOS:
 - '26.0'
 tags:
@@ -42,6 +44,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true
diff --git a/rules/os/os_on_device_translation_enforce.yaml b/rules/os/os_on_device_translation_enforce.yaml
index e4bbd03b..b463688b 100644
--- a/rules/os/os_on_device_translation_enforce.yaml
+++ b/rules/os/os_on_device_translation_enforce.yaml
@@ -29,6 +29,8 @@ references:
 - N/A
 controls v8:
 - N/A
+ bio:
+ - 8.12
 iOS:
 - '26.0'
 tags:
@@ -42,6 +44,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true
diff --git a/rules/os/os_personalized_advertising_disable.yaml b/rules/os/os_personalized_advertising_disable.yaml
index 6b0e3b6a..2384e0af 100644
--- a/rules/os/os_personalized_advertising_disable.yaml
+++ b/rules/os/os_personalized_advertising_disable.yaml
@@ -28,6 +28,8 @@ references:
 - 3.2.1.11 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 4.8
+ bio:
+ - 8.12
 iOS:
 - "26.0"
 tags:
@@ -44,6 +46,7 @@ tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
 - cnssi-1253_high
+- nlmapgov_plus
 supervised: false
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_require_managed_pasteboard_enforce.yaml b/rules/os/os_require_managed_pasteboard_enforce.yaml
index 77022050..a908d8fa 100644
--- a/rules/os/os_require_managed_pasteboard_enforce.yaml
+++ b/rules/os/os_require_managed_pasteboard_enforce.yaml
@@ -28,6 +28,8 @@ references:
 - N/A
 controls v8:
 - N/A
+ bio:
+ - 8.12
 iOS:
 - '26.0'
 tags:
@@ -38,6 +40,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true
diff --git a/rules/os/os_safari_cookies_set.yaml b/rules/os/os_safari_cookies_set.yaml
index ed123cda..4b0da855 100644
--- a/rules/os/os_safari_cookies_set.yaml
+++ b/rules/os/os_safari_cookies_set.yaml
@@ -24,6 +24,8 @@ references:
 - 3.2.2.2 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 9.4
+ bio:
+ - 8.27
 iOS:
 - "26.0"
 tags:
@@ -34,6 +36,7 @@ tags:
 - cis_lvl2_enterprise
 - cisv8
 - indigo_high
+ - nlmapgov_plus
 supervised: false
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_safari_force_fraud_warning_enable.yaml b/rules/os/os_safari_force_fraud_warning_enable.yaml
index 40fa9c9c..ce3b00bf 100644
--- a/rules/os/os_safari_force_fraud_warning_enable.yaml
+++ b/rules/os/os_safari_force_fraud_warning_enable.yaml
@@ -24,6 +24,8 @@ references:
 - 3.2.2.1 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 9.4
+ bio:
+ - 8.27
 iOS:
 - "26.0"
 tags:
@@ -34,6 +36,7 @@ tags:
 - cis_lvl2_enterprise
 - cisv8
 - indigo_high
+ - nlmapgov_plus
 supervised: false
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_software_update_download_enforce.yaml b/rules/os/os_software_update_download_enforce.yaml
new file mode 100644
index 00000000..1c031217
--- /dev/null
+++ b/rules/os/os_software_update_download_enforce.yaml
@@ -0,0 +1,24 @@
+id: os_software_update_download_enforce
+title: Enforce Software Update Downloads Automatically using DDM.
+discussion: |
+ Software Update _MUST_ be configured to enforce automatic downloads of updates from Apple and that the user cannot modify the setting within Settings.
+check: " "
+fix: |
+ This is implemented by Declarative Device Management (DDM).
+references:
+ bio:
+ - 8.08
+iOS:
+ - "26.0"
+tags:
+ - ios
+ - nlmapgov_base
+ - nlmapgov_plus
+supervised: true
+mobileconfig: false
+mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.softwareupdate.settings
+ ddm_key: AutomaticActions
+ ddm_value:
+ Download: AlwaysOn
diff --git a/rules/os/os_software_update_install_enforce.yaml b/rules/os/os_software_update_install_enforce.yaml
new file mode 100644
index 00000000..c4733a06
--- /dev/null
+++ b/rules/os/os_software_update_install_enforce.yaml
@@ -0,0 +1,24 @@
+id: os_software_update_install_enforce
+title: Enforce iOS/iPadOS Updates are Automatically Installed using DDM.
+discussion: |
+ Software Update _MUST_ be configured to enforce automatic installation of iOS/iPadOS updates and that the user cannot modify the setting within Settings.
+check: " "
+fix: |
+ This is implemented by Declarative Device Management (DDM).
+references:
+ bio:
+ - 8.08
+iOS:
+ - "26.0"
+tags:
+ - ios
+ - nlmapgov_base
+ - nlmapgov_plus
+supervised: true
+mobileconfig: false
+mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.softwareupdate.settings
+ ddm_key: AutomaticActions
+ ddm_value:
+ InstallOSUpdates: AlwaysOn
diff --git a/rules/os/os_ssl_for_exchange_activesync_enable.yaml b/rules/os/os_ssl_for_exchange_activesync_enable.yaml
index 40e8d4db..6c8942c0 100644
--- a/rules/os/os_ssl_for_exchange_activesync_enable.yaml
+++ b/rules/os/os_ssl_for_exchange_activesync_enable.yaml
@@ -23,6 +23,8 @@ references:
 - N/A
 controls v8:
 - N/A
+ bio:
+ - 8.12
 iOS:
 - '26.0'
 tags:
@@ -30,6 +32,7 @@ tags:
 - indigo_base
 - indigo_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true
diff --git a/rules/os/os_supervised_mdm_require.yaml b/rules/os/os_supervised_mdm_require.yaml
index f04f0610..f87ade0e 100644
--- a/rules/os/os_supervised_mdm_require.yaml
+++ b/rules/os/os_supervised_mdm_require.yaml
@@ -24,6 +24,9 @@ references:
 - N/A
 controls v8:
 - N/A
+ bio:
+ - 8.09
+ - 8.18
 iOS:
 - '26.0'
 tags:
@@ -36,6 +39,8 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_base
+ - nlmapgov_plus
 severity: medium
 mobileconfig: false
 mobileconfig_info: null
diff --git a/rules/os/os_unpaired_boot_disable.yaml b/rules/os/os_unpaired_boot_disable.yaml
index 617e46fe..fd22372f 100644
--- a/rules/os/os_unpaired_boot_disable.yaml
+++ b/rules/os/os_unpaired_boot_disable.yaml
@@ -12,12 +12,15 @@ references:
 - N/A
 indigo:
 - ANNEX K
+ bio:
+ - 8.27
 iOS:
 - "26.0"
 tags:
 - ios
 - indigo_base
 - indigo_high
+ - nlmapgov_plus
 supervised: true
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_untrusted_tls_disable.yaml b/rules/os/os_untrusted_tls_disable.yaml
index 90cd229c..bf1b8b93 100644
--- a/rules/os/os_untrusted_tls_disable.yaml
+++ b/rules/os/os_untrusted_tls_disable.yaml
@@ -24,6 +24,8 @@ references:
 - 3.2.1.13 (level 2 - Institutionally-Owned Devices)
 controls v8:
 - 4.1
+ bio:
+ - 8.27
 iOS:
 - "26.0"
 tags:
@@ -32,6 +34,7 @@ tags:
 - cis_lvl2_enterprise
 - cisv8
 - indigo_high
+ - nlmapgov_plus
 supervised: false
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_usb_accessories_when_locked_disable.yaml b/rules/os/os_usb_accessories_when_locked_disable.yaml
index e8a56de5..67361605 100644
--- a/rules/os/os_usb_accessories_when_locked_disable.yaml
+++ b/rules/os/os_usb_accessories_when_locked_disable.yaml
@@ -28,6 +28,8 @@ references:
 - 3.2.1.19 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 1.2
+ bio:
+ - 8.27
 iOS:
 - '26.0'
 tags:
@@ -44,6 +46,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: true
 mobileconfig: true
diff --git a/rules/os/os_web_distribution_app_installation_disable.yaml b/rules/os/os_web_distribution_app_installation_disable.yaml
index 098d7130..dcccbb87 100644
--- a/rules/os/os_web_distribution_app_installation_disable.yaml
+++ b/rules/os/os_web_distribution_app_installation_disable.yaml
@@ -18,6 +18,8 @@ references:
 - 'FMT_SMF_EXT.1.1 #3'
 disa_stig:
 - AIOS-26-015000
+ bio:
+ - 8.27
 iOS:
 - '26.0'
 tags:
@@ -31,6 +33,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true
diff --git a/rules/pwpolicy/pwpolicy_force_pin_enable.yaml b/rules/pwpolicy/pwpolicy_force_pin_enable.yaml
index 62ae6a53..c19806a8 100644
--- a/rules/pwpolicy/pwpolicy_force_pin_enable.yaml
+++ b/rules/pwpolicy/pwpolicy_force_pin_enable.yaml
@@ -25,6 +25,8 @@ references:
 - N/A
 controls v8:
 - N/A
+ bio:
+ - 8.24
 iOS:
 - '26.0'
 tags:
@@ -35,6 +37,8 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_base
+ - nlmapgov_plus
 severity: high
 mobileconfig: 'true'
 mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
index f9d63db2..7df0c75a 100644
--- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
@@ -27,6 +27,8 @@ references:
 - 3.4.3 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 5.2
+ bio:
+ - 5.17
 iOS:
 - '26.0'
 odv:
@@ -40,6 +42,7 @@ odv:
 ios_stig_byoad: 6
 indigo_base: 8
 indigo_high: 8
+ nlmapgov_plus: 6
 tags:
 - ios
 - 800-53r5_low
@@ -56,6 +59,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true
diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
index e7f917b7..f5e646e1 100644
--- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
@@ -27,6 +27,8 @@ references:
 - 3.4.1 (level 1 - Institutionally-Owned Devices)
 controls v8:
 - 5.2
+ bio:
+ - 5.17
 iOS:
 - '26.0'
 tags:
@@ -45,6 +47,7 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - ios_stig
+ - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true
diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py
index c7107238..892e70a9 100755
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
@@ -42,6 +42,7 @@ class MacSecurityRule:
 cis,
 cmmc,
 indigo,
+ bio,
 custom_refs,
 odv,
 tags,
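Review bot: `bio` is inserted positionally between `indigo` and `custom_refs` in the `MacSecurityRule` constructor, so any caller that builds the object with positional arguments and is not updated in this commit would silently pass its `custom_refs` as `bio` and shift every later argument by one, with no error until some later attribute access; the one call site I can see (`create_rules`) is updated in step. Appending the new parameter after the existing ones, or passing `bio=...` by keyword at the call site, would make such a slip fail loudly. The constructor signature starts before this hunk and the class body continues outside it.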
@@ -66,6 +67,7 @@ class MacSecurityRule:
 self.rule_cis = cis
 self.rule_cmmc = cmmc
 self.rule_indigo = indigo
+ self.rule_bio = bio
 self.rule_custom_refs = custom_refs
 self.rule_odv = odv
 self.rule_result_value = result_value
@@ -90,6 +92,7 @@ class MacSecurityRule:
 rule_cis=self.rule_cis,
 rule_cmmc=self.rule_cmmc,
 rule_indigo=self.rule_indigo,
+ rule_bio=self.rule_bio,
 rule_srg=self.rule_srg,
 rule_result=self.rule_result_value,
 )
@@ -1771,9 +1774,10 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
 sheet1.write(0, 14, "CIS v8", headers)
 sheet1.write(0, 15, "CMMC", headers)
 sheet1.write(0, 16, "indigo", headers)
- sheet1.write(0, 17, "CCI", headers)
- sheet1.write(0, 18, "Severity", headers)
- sheet1.write(0, 19, "Modified Rule", headers)
+ sheet1.write(0, 17, "BIO", headers)
+ sheet1.write(0, 18, "CCI", headers)
+ sheet1.write(0, 19, "Severity", headers)
+ sheet1.write(0, 20, "Modified Rule", headers)
 sheet1.set_panes_frozen(True)
 sheet1.set_horz_split_pos(1)
 sheet1.set_vert_split_pos(2)
@@ -1883,11 +1887,17 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
 sheet1.write(counter, 16, indigo_refs, topWrap)
 sheet1.col(16).width = 500 * 15
+ bio_refs = (str(rule.rule_bio)).strip("[]'")
+ bio_refs = bio_refs.replace(", ", "\n").replace("'", "")
+
+ sheet1.write(counter, 17, bio_refs, topWrap)
+ sheet1.col(17).width = 500 * 15
+
 cci = (str(rule.rule_cci)).strip("[]'")
 cci = cci.replace(", ", "\n").replace("'", "")
- sheet1.write(counter, 17, cci, topWrap)
- sheet1.col(17).width = 400 * 15
+ sheet1.write(counter, 18, cci, topWrap)
+ sheet1.col(18).width = 400 * 15
 # determine severity
 # uses 'parent_values' from baseline.yaml file to determine which/if any severity to use
@@ -1901,14 +1911,14 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
 elif isinstance(rule.rule_severity, str):
 severity = f"{rule.rule_severity}"
- sheet1.write(counter, 18, severity, topWrap)
- sheet1.col(18).width = 400 * 15
+ sheet1.write(counter, 19, severity, topWrap)
+ sheet1.col(19).width = 400 * 15
 customized = (str(rule.rule_customized)).strip("[]'")
 customized = customized.replace(", ", "\n").replace("'", "")
- sheet1.write(counter, 19, customized, topWrap)
- sheet1.col(19).width = 400 * 15
+ sheet1.write(counter, 20, customized, topWrap)
+ sheet1.col(20).width = 400 * 15
 if rule.rule_custom_refs != ["None"]:
 for title, ref in rule.rule_custom_refs.items():
@@ -1958,6 +1968,7 @@ def create_rules(baseline_yaml):
 "cis",
 "cmmc",
 "indigo",
+ "bio",
 "srg",
 "sfr",
 "custom",
@@ -2011,6 +2022,7 @@ def create_rules(baseline_yaml):
 rule_yaml["references"]["cis"],
 rule_yaml["references"]["cmmc"],
 rule_yaml["references"]["indigo"],
+ rule_yaml["references"]["bio"],
 rule_yaml["references"]["custom"],
 rule_yaml["odv"],
 rule_yaml["tags"],
@@ -2360,6 +2372,11 @@ def main():
 else:
 adoc_171_show = ":show_171!:"
+ if "NLMAPGOV" in baseline_yaml["title"].upper():
+ adoc_BIO_show = ":show_BIO:"
+ else:
+ adoc_BIO_show = ":show_BIO!:"
+
 if args.gary:
 adoc_tag_show = ":show_tags:"
 adoc_STIG_show = ":show_STIG:"
@@ -2367,6 +2384,7 @@ def main():
 adoc_cmmc_show = ":show_CMMC:"
 adoc_indigo_show = ":show_indigo:"
 adoc_171_show = ":show_171:"
+ adoc_BIO_show = ":show_BIO:"
 else:
 adoc_tag_show = ":show_tags!:"
@@ -2395,6 +2413,7 @@ def main():
 cis_attribute=adoc_cis_show,
 cmmc_attribute=adoc_cmmc_show,
 indigo_attribute=adoc_indigo_show,
+ bio_attribute=adoc_BIO_show,
 version=version_yaml["version"],
 os_version=version_yaml["os"],
 release_date=version_yaml["date"],
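Review bot: The header row now puts "Modified Rule" in column 20, but the custom-reference columns written by the loop that begins at `for title, ref in rule.rule_custom_refs.items():` lie outside this hunk; if that loop, or the header code that pairs with it, starts from a hard-coded column 20 (the old first free column), it will now overwrite the "Modified Rule" cell for every rule with custom references. Please check and bump it to 21, or better, derive both the header and the row position from one variable so the next framework column does not require the same manual renumbering, e.g. `custom_col = 21` defined next to the other header writes and used in both places. The body of `generate_xls` continues past the end of this hunk.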
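Review bot: Enabling the BIO column by substring-matching `"NLMAPGOV"` against the baseline's human-readable `title` is fragile: renaming the title, or any other baseline whose title happens to mention NLMAPGOV, flips the column, while the baseline already carries a stable machine key in `parent_values` (`"nlmapgov_base"` / `"nlmapgov_plus"` in this same diff). `if str(baseline_yaml.get("parent_values", "")).startswith("nlmapgov"):` keys the decision off that field. If the other frameworks in this function are matched on the title the same way, keeping the pattern is defensible for consistency, but the `parent_values` check is the one I would reach for, and a comment stating which field drives the decision would help either way.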
@@ -2531,6 +2550,13 @@ def main():
 else:
 indigo = ulify(rule_yaml["references"]["indigo"])
+ try:
+ rule_yaml["references"]["bio"]
+ except KeyError:
+ bio = ""
+ else:
+ bio = ulify(rule_yaml["references"]["bio"])
+
 try:
 rule_yaml["references"]["srg"]
 except KeyError:
@@ -2644,6 +2670,7 @@ def main():
 rule_cis=cis,
 rule_cmmc=cmmc,
 rule_indigo=indigo,
+ rule_bio=bio,
 rule_cce=cce,
 rule_custom_refs=custom_refs,
 rule_tags=tags,
@@ -2665,6 +2692,7 @@ def main():
 rule_cis=cis,
 rule_cmmc=cmmc,
 rule_indigo=indigo,
+ rule_bio=bio,
 rule_cce=cce,
 rule_tags=tags,
 rule_srg=srg,
@@ -2688,6 +2716,7 @@ def main():
 rule_cis=cis,
 rule_cmmc=cmmc,
 rule_indigo=indigo,
+ rule_bio=bio,
 rule_cce=cce,
 rule_tags=tags,
 rule_srg=srg,
@@ -2709,6 +2738,7 @@ def main():
 rule_cis=cis,
 rule_cmmc=cmmc,
 rule_indigo=indigo,
+ rule_bio=bio,
 rule_cce=cce,
 rule_tags=tags,
 rule_srg=srg,
diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc
index 12533ff5..a419b2a3 100644
--- a/templates/adoc_additional_docs.adoc
+++ b/templates/adoc_additional_docs.adoc
@@ -57,6 +57,15 @@ ASSOCIATED DOCUMENTS
 |link:https://www.bsi.bund.de/EN/Themen/Oeffentliche-Verwaltung/Zulassung/mobile_Kommunikation/mobileKommunikation_node.html#doc919528bodyText2[indigo]|_indigo iOS 26.0.1 and iPadOS 26.0.1 Version 1.4_
 |===
+[%header, cols=2*a]
+.Baseline Informatiebeveiliging Overheid (BIO)
+|===
+|Document Number or Descriptor
+|Document Title
+|link:https://www.bio-overheid.nl/category/producten/bio[BIO]|_Baseline Informatiebeveiliging Overheid (BIO)_
+|link:https://github.com/MinBZK/Baseline-Informatiebeveiliging-Overheid[BIO2 GitHub Repository]|_BIO2 GitHub Repository_
+|===
+
 === Non-Government Documents
 [%header, cols=2*a]
 .Apple
diff --git a/templates/adoc_header.adoc b/templates/adoc_header.adoc
index b7491687..b9e75278 100644
--- a/templates/adoc_header.adoc
+++ b/templates/adoc_header.adoc
@@ -22,6 +22,7 @@ $stig_attribute
 $cis_attribute
 $cmmc_attribute
 $indigo_attribute
+$bio_attribute
 :version: $version ($release_date)
 :os: $os_version
 :proj-title: $html_header_title
diff --git a/templates/adoc_rule.adoc b/templates/adoc_rule.adoc
index 7cbf6bce..da887c21 100644
--- a/templates/adoc_rule.adoc
+++ b/templates/adoc_rule.adoc
@@ -59,6 +59,10 @@ ifdef::show_indigo[]
 !$rule_indigo
 endif::[]
+ifdef::show_BIO[]
+!BIO
+!$rule_bio
+endif::[]
 !CCE
 !$rule_cce