Big Sur Changes

This commit is contained in:
Allen Golbig
2020-10-08 14:43:55 -04:00
parent 9166dd9681
commit 112e9bf210
10 changed files with 132 additions and 12 deletions


@@ -60,6 +60,7 @@ profile:
- os_httpd_disable
- os_gatekeeper_enable
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
- os_guest_access_smb_disable
- os_policy_banner_ssh_configure
@@ -109,7 +110,7 @@ profile:
rules:
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_ad_tracking_disable
- sysprefs_personalized_advertising_disable
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_ssh_enable
@@ -142,6 +143,7 @@ profile:
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_enforce_auto_logout
- sysprefs_airdrop_share_extension_disable
- section: "Inherent"
rules:
- os_prevent_priv_functions
@@ -157,6 +159,7 @@ profile:
- sysprefs_wifi_disable
- section: "Supplemental"
rules:
- supplemental_encrypted_dns
- supplemental_firewall_pf
- supplemental_filevault
- supplemental_password_policy
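Review bot: The new `supplemental_encrypted_dns` entry in the Supplemental section references a rule whose `discussion`, `check` and `fix` fields are all empty in this same commit, so a baseline generated from this profile will render a blank "Encrypted DNS Supplemental" section. Either hold the baseline wiring until the rule has content, or mark the entry so nobody mistakes it for a finished control, e.g. `- supplemental_encrypted_dns  # TODO: rule body still empty`. The profile's file path is not shown on this page, and the same entry appears to be added to every other baseline in the commit.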


@@ -66,6 +66,7 @@ profile:
- os_httpd_disable
- os_gatekeeper_enable
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
- os_guest_access_smb_disable
- os_policy_banner_ssh_configure
@@ -116,7 +117,7 @@ profile:
rules:
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_ad_tracking_disable
- sysprefs_personalized_advertising_disable
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_ssh_enable
@@ -148,6 +149,7 @@ profile:
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_enforce_auto_logout
- sysprefs_airdrop_share_extension_disable
- section: "Inherent"
rules:
- os_enforce_access_restrictions
@@ -185,6 +187,7 @@ profile:
- os_identify_non-org_users
- section: "Supplemental"
rules:
- supplemental_encrypted_dns
- supplemental_firewall_pf
- supplemental_filevault
- supplemental_password_policy


@@ -51,6 +51,7 @@ profile:
- os_nfsd_disable
- os_httpd_disable
- os_sip_enable
- os_authenticated_root_enable
- os_guest_access_smb_disable
- os_policy_banner_ssh_configure
- os_unlock_active_user_session_disable
@@ -96,7 +97,7 @@ profile:
rules:
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_ad_tracking_disable
- sysprefs_personalized_advertising_disable
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_firewall_enable
@@ -113,6 +114,7 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_airdrop_share_extension_disable
- section: "Inherent"
rules:
- os_logical_access
@@ -131,6 +133,7 @@ profile:
- os_identify_non-org_users
- section: "Supplemental"
rules:
- supplemental_encrypted_dns
- supplemental_firewall_pf
- supplemental_filevault
- supplemental_password_policy


@@ -62,6 +62,7 @@ profile:
- os_httpd_disable
- os_gatekeeper_enable
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
- os_guest_access_smb_disable
- os_policy_banner_ssh_configure
@@ -112,7 +113,7 @@ profile:
rules:
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_ad_tracking_disable
- sysprefs_personalized_advertising_disable
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_ssh_enable
@@ -144,6 +145,7 @@ profile:
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_enforce_auto_logout
- sysprefs_airdrop_share_extension_disable
- section: "Inherent"
rules:
- os_prevent_priv_functions
@@ -176,6 +178,7 @@ profile:
- os_identify_non-org_users
- section: "Supplemental"
rules:
- supplemental_encrypted_dns
- supplemental_firewall_pf
- supplemental_filevault
- supplemental_password_policy


@@ -70,6 +70,7 @@ profile:
- os_httpd_disable
- os_gatekeeper_enable
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
- os_guest_access_smb_disable
- os_policy_banner_ssh_configure
@@ -122,7 +123,7 @@ profile:
rules:
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_ad_tracking_disable
- sysprefs_personalized_advertising_disable
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_ssh_enable
@@ -155,6 +156,7 @@ profile:
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_enforce_auto_logout
- sysprefs_airdrop_share_extension_disable
- section: "Inherent"
rules:
- os_enforce_access_restrictions
@@ -224,6 +226,7 @@ profile:
- os_anti_virus_installed
- section: "Supplemental"
rules:
- supplemental_encrypted_dns
- supplemental_firewall_pf
- supplemental_filevault
- supplemental_password_policy


@@ -62,6 +62,7 @@ profile:
- os_httpd_disable
- os_gatekeeper_enable
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
- os_guest_access_smb_disable
- os_policy_banner_ssh_configure
@@ -112,7 +113,7 @@ profile:
rules:
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_ad_tracking_disable
- sysprefs_personalized_advertising_disable
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_ssh_enable
@@ -144,6 +145,7 @@ profile:
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_enforce_auto_logout
- sysprefs_airdrop_share_extension_disable
- section: "Inherent"
rules:
- os_prevent_priv_functions
@@ -177,6 +179,7 @@ profile:
- os_identify_non-org_users
- section: "Supplemental"
rules:
- supplemental_encrypted_dns
- supplemental_firewall_pf
- supplemental_filevault
- supplemental_password_policy


@@ -0,0 +1,38 @@
id: os_authenticated_root_enable
title: "Enable Authenticated Root"
discussion:
Authenticated Root _MUST_ be enabled.
check: |
/usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled'
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/csrutil authenticated-root enable
----
NOTE: To re-enable "Authenticated Root", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
references:
cce:
- CCE-33333-3
cci:
-
800-53r4:
-
srg:
-
disa_stig:
-
800-171r2:
-
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
mobileconfig: false
mobileconfig_info:
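Review bot: The `discussion` field is a bare plain scalar (`discussion:` with no `|`) while every other rule in this commit uses a block scalar, and its single sentence gives a reader no idea what the control protects against; I would write it as `discussion: |` followed by `Authenticated Root _MUST_ be enabled.` and a second line such as `Authenticated Root verifies the cryptographic seal of the system volume snapshot at boot so that tampering with system files is detected; like SIP it is controlled through csrutil and can only be changed from Recovery.` (the mechanism description is from general Big Sur knowledge, not from this page, so adjust if the project documents it differently). The `cce` value `CCE-33333-3` is plainly a placeholder, and the `800-53r4`, `cci`, `srg`, `disa_stig` and `800-171r2` lists are empty dashes even though the tags claim membership in `800-53r4_low/moderate/high`, `800-171` and `STIG`; either fill the references or drop the tags until they are justified. The `check` greps `csrutil authenticated-root` output for `enabled`, which reads correctly as written.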


@@ -0,0 +1,20 @@
id: supplemental_encrypted_dns
title: "Encrypted DNS Supplemental"
discussion: |
check: |
fix: |
references:
cci:
- N/A
800-53r4:
- N/A
srg:
- N/A
disa_stig:
- N/A
macOS:
- "11.0"
tags:
- supplemental
mobileconfig: false
mobileconfig_info:
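Review bot: This rule file is a stub — `discussion`, `check` and `fix` are all empty block scalars — yet it is already referenced from the baselines in this commit, so it ships as a control with no guidance and no verification. It also lacks the `cce:` and `800-171r2:` keys that the other new rule files carry, which the generator may treat as a schema mismatch. At minimum put a one-line intent in `discussion`, e.g. `Encrypted DNS (DNS over HTTPS or DNS over TLS) _SHOULD_ be configured so that resolver traffic is not observable or alterable on the local network; configuration details are deployment specific.`, so the rendered section tells the reader what to do. The `macOS: "11.0"` entry is consistent with encrypted DNS being a Big Sur feature, but that is inferred, not shown here.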


@@ -0,0 +1,44 @@
id: sysprefs_airdrop_share_extension_disable
title: "Disable AirDrop Share Extension"
discussion: |
AirDrop share extension _MUST_ be disabled.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/awk '/DeniedExtensions/,/com.apple.NSExtension/' | /usr/bin/grep -c 'com.apple.share.AirDrop.send'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-11111-1
cci:
- CCI-000381
800-53r4:
- CM-7
- AC-3
- AC-18
- AC-20
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- AOSX-15-002009
800-171r2:
- 3.1.1
- 3.1.2
- 3.1.16
- 3.1.20
- 3.4.6
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
mobileconfig: true
mobileconfig_info:
com.apple.NSExtension:
DeniedExtensions:
- com.apple.share.AirDrop.send
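Review bot: The `check` counts matching lines with `grep -c` and the `result` demands exactly `1`, so a host where more than one installed profile denies `com.apple.share.AirDrop.send` (or where `profiles -P -o stdout` prints the array entry twice) will report non-compliant even though the extension is blocked; if identical output lines are the likely cause, `... | /usr/bin/sort -u | /usr/bin/grep -c 'com.apple.share.AirDrop.send'` would make the count stable, but verify the actual output shape before relying on that. The `awk '/DeniedExtensions/,/com.apple.NSExtension/'` range also assumes the `PayloadType` line follows the array in every profile dump, which is worth a comment in the check. `CCE-11111-1` is a placeholder identifier and should not be committed as a reference.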


@@ -1,18 +1,18 @@
id: sysprefs_ad_tracking_disable
title: "Disable Ad Tracking"
id: sysprefs_personalized_advertising_disable
title: "Disable Personalized Advertising"
discussion: |
Ad tracking and targeted ads _MUST_ be disabled.
The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users interests and deliver targeted advertisements.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'forceLimitAdTracking = 1;'
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowApplePersonalizedAdvertising = 1;'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-84822-6
- CCE-22222-2
cci:
- N/A
800-53r4:
@@ -26,7 +26,7 @@ references:
- 3.1.20
- 3.4.6
macOS:
- "10.15"
- "11.0"
tags:
- 800-171
- cnssi-1253
@@ -37,4 +37,4 @@ tags:
mobileconfig: true
mobileconfig_info:
com.apple.AdLib:
forceLimitAdTracking: true
allowApplePersonalizedAdvertising: false
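Review bot: The new `check` is inverted relative to the new `mobileconfig_info`: the profile sets `allowApplePersonalizedAdvertising: false`, which `profiles -P -o stdout` renders as `allowApplePersonalizedAdvertising = 0;`, but the check greps for `allowApplePersonalizedAdvertising = 1;` with an expected count of `1`, so a correctly configured machine fails and a machine that explicitly allows personalized ads passes. The old check matched `forceLimitAdTracking = 1;` against `forceLimitAdTracking: true`, which was consistent; the replacement should be `/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowApplePersonalizedAdvertising = 0;'`. Separately, the `discussion` still talks about "ad tracking" while the id and title were renamed to personalized advertising, and the real-looking `CCE-84822-6` was replaced by the placeholder `CCE-22222-2`.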