From 112e9bf2106c829e4d95f0ab59f692d33955802c Mon Sep 17 00:00:00 2001
From: Allen Golbig
Date: Thu, 8 Oct 2020 14:43:55 -0400
Subject: [PATCH] Big Sur Changes
---
 baselines/800-171.yaml | 5 ++-
 baselines/800-53_high.yaml | 5 ++-
 baselines/800-53_low.yaml | 5 ++-
 baselines/800-53_moderate.yaml | 5 ++-
 baselines/all_rules.yaml | 5 ++-
 baselines/cnssi-1253.yaml | 5 ++-
 rules/os/os_authenticated_root_enable.yaml | 38 ++++++++++++++++
 .../supplemental_encrypted_dns.yaml | 20 +++++++++
 ...prefs_airdrop_share_extension_disable.yaml | 44 +++++++++++++++++++
 ...efs_personalized_advertising_disable.yaml} | 12 ++---
 10 files changed, 132 insertions(+), 12 deletions(-)
 create mode 100644 rules/os/os_authenticated_root_enable.yaml
 create mode 100644 rules/supplemental/supplemental_encrypted_dns.yaml
 create mode 100644 rules/sysprefs/sysprefs_airdrop_share_extension_disable.yaml
 rename rules/sysprefs/{sysprefs_ad_tracking_disable.yaml => sysprefs_personalized_advertising_disable.yaml} (73%)
diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml
index a186e3fc..a17a2cfd 100644
--- a/baselines/800-171.yaml
+++ b/baselines/800-171.yaml
@@ -60,6 +60,7 @@ profile:
 - os_httpd_disable
 - os_gatekeeper_enable
 - os_sip_enable
+ - os_authenticated_root_enable
 - os_removable_media_disable
 - os_guest_access_smb_disable
 - os_policy_banner_ssh_configure
@@ -109,7 +110,7 @@ profile:
 rules:
 - sysprefs_smbd_disable
 - sysprefs_firewall_stealth_mode_enable
- - sysprefs_ad_tracking_disable
+ - sysprefs_personalized_advertising_disable
 - sysprefs_internet_sharing_disable
 - sysprefs_rae_disable
 - sysprefs_ssh_enable
@@ -142,6 +143,7 @@ profile:
 - sysprefs_bluetooth_sharing_disable
 - sysprefs_improve_siri_dictation_disable
 - sysprefs_enforce_auto_logout
+ - sysprefs_airdrop_share_extension_disable
 - section: "Inherent"
 rules:
 - os_prevent_priv_functions
@@ -157,6 +159,7 @@ profile:
 - sysprefs_wifi_disable
 - section: "Supplemental"
 rules:
+ - supplemental_encrypted_dns
 - supplemental_firewall_pf
 - supplemental_filevault
 - supplemental_password_policy
diff --git a/baselines/800-53_high.yaml b/baselines/800-53_high.yaml
index 7ad0d376..84b888e7 100644
--- a/baselines/800-53_high.yaml
+++ b/baselines/800-53_high.yaml
@@ -66,6 +66,7 @@ profile:
 - os_httpd_disable
 - os_gatekeeper_enable
 - os_sip_enable
+ - os_authenticated_root_enable
 - os_removable_media_disable
 - os_guest_access_smb_disable
 - os_policy_banner_ssh_configure
@@ -116,7 +117,7 @@ profile:
 rules:
 - sysprefs_smbd_disable
 - sysprefs_firewall_stealth_mode_enable
- - sysprefs_ad_tracking_disable
+ - sysprefs_personalized_advertising_disable
 - sysprefs_internet_sharing_disable
 - sysprefs_rae_disable
 - sysprefs_ssh_enable
@@ -148,6 +149,7 @@ profile:
 - sysprefs_bluetooth_sharing_disable
 - sysprefs_improve_siri_dictation_disable
 - sysprefs_enforce_auto_logout
+ - sysprefs_airdrop_share_extension_disable
 - section: "Inherent"
 rules:
 - os_enforce_access_restrictions
@@ -185,6 +187,7 @@ profile:
 - os_identify_non-org_users
 - section: "Supplemental"
 rules:
+ - supplemental_encrypted_dns
 - supplemental_firewall_pf
 - supplemental_filevault
 - supplemental_password_policy
diff --git a/baselines/800-53_low.yaml b/baselines/800-53_low.yaml
index ce025ac3..36f1f7e9 100644
--- a/baselines/800-53_low.yaml
+++ b/baselines/800-53_low.yaml
@@ -51,6 +51,7 @@ profile:
 - os_nfsd_disable
 - os_httpd_disable
 - os_sip_enable
+ - os_authenticated_root_enable
 - os_guest_access_smb_disable
 - os_policy_banner_ssh_configure
 - os_unlock_active_user_session_disable
@@ -96,7 +97,7 @@ profile:
 rules:
 - sysprefs_smbd_disable
 - sysprefs_firewall_stealth_mode_enable
- - sysprefs_ad_tracking_disable
+ - sysprefs_personalized_advertising_disable
 - sysprefs_internet_sharing_disable
 - sysprefs_rae_disable
 - sysprefs_firewall_enable
@@ -113,6 +114,7 @@ profile:
 - sysprefs_password_hints_disable
 - sysprefs_bluetooth_sharing_disable
 - sysprefs_improve_siri_dictation_disable
+ - sysprefs_airdrop_share_extension_disable
 - section: "Inherent"
 rules:
 - os_logical_access
@@ -131,6 +133,7 @@ profile:
 - os_identify_non-org_users
 - section: "Supplemental"
 rules:
+ - supplemental_encrypted_dns
 - supplemental_firewall_pf
 - supplemental_filevault
 - supplemental_password_policy
diff --git a/baselines/800-53_moderate.yaml b/baselines/800-53_moderate.yaml
index ff61770d..a58be3e3 100644
--- a/baselines/800-53_moderate.yaml
+++ b/baselines/800-53_moderate.yaml
@@ -62,6 +62,7 @@ profile:
 - os_httpd_disable
 - os_gatekeeper_enable
 - os_sip_enable
+ - os_authenticated_root_enable
 - os_removable_media_disable
 - os_guest_access_smb_disable
 - os_policy_banner_ssh_configure
@@ -112,7 +113,7 @@ profile:
 rules:
 - sysprefs_smbd_disable
 - sysprefs_firewall_stealth_mode_enable
- - sysprefs_ad_tracking_disable
+ - sysprefs_personalized_advertising_disable
 - sysprefs_internet_sharing_disable
 - sysprefs_rae_disable
 - sysprefs_ssh_enable
@@ -144,6 +145,7 @@ profile:
 - sysprefs_bluetooth_sharing_disable
 - sysprefs_improve_siri_dictation_disable
 - sysprefs_enforce_auto_logout
+ - sysprefs_airdrop_share_extension_disable
 - section: "Inherent"
 rules:
 - os_prevent_priv_functions
@@ -176,6 +178,7 @@ profile:
 - os_identify_non-org_users
 - section: "Supplemental"
 rules:
+ - supplemental_encrypted_dns
 - supplemental_firewall_pf
 - supplemental_filevault
 - supplemental_password_policy
diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
index 2c756ae3..94ead5c8 100644
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -70,6 +70,7 @@ profile:
 - os_httpd_disable
 - os_gatekeeper_enable
 - os_sip_enable
+ - os_authenticated_root_enable
 - os_removable_media_disable
 - os_guest_access_smb_disable
 - os_policy_banner_ssh_configure
@@ -122,7 +123,7 @@ profile:
 rules:
 - sysprefs_smbd_disable
 - sysprefs_firewall_stealth_mode_enable
- - sysprefs_ad_tracking_disable
+ - sysprefs_personalized_advertising_disable
 - sysprefs_internet_sharing_disable
 - sysprefs_rae_disable
 - sysprefs_ssh_enable
@@ -155,6 +156,7 @@ profile:
 - sysprefs_bluetooth_sharing_disable
 - sysprefs_improve_siri_dictation_disable
 - sysprefs_enforce_auto_logout
+ - sysprefs_airdrop_share_extension_disable
 - section: "Inherent"
 rules:
 - os_enforce_access_restrictions
@@ -224,6 +226,7 @@ profile:
 - os_anti_virus_installed
 - section: "Supplemental"
 rules:
+ - supplemental_encrypted_dns
 - supplemental_firewall_pf
 - supplemental_filevault
 - supplemental_password_policy
diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml
index adf96739..92ce01c0 100644
--- a/baselines/cnssi-1253.yaml
+++ b/baselines/cnssi-1253.yaml
@@ -62,6 +62,7 @@ profile:
 - os_httpd_disable
 - os_gatekeeper_enable
 - os_sip_enable
+ - os_authenticated_root_enable
 - os_removable_media_disable
 - os_guest_access_smb_disable
 - os_policy_banner_ssh_configure
@@ -112,7 +113,7 @@ profile:
 rules:
 - sysprefs_smbd_disable
 - sysprefs_firewall_stealth_mode_enable
- - sysprefs_ad_tracking_disable
+ - sysprefs_personalized_advertising_disable
 - sysprefs_internet_sharing_disable
 - sysprefs_rae_disable
 - sysprefs_ssh_enable
@@ -144,6 +145,7 @@ profile:
 - sysprefs_bluetooth_sharing_disable
 - sysprefs_improve_siri_dictation_disable
 - sysprefs_enforce_auto_logout
+ - sysprefs_airdrop_share_extension_disable
 - section: "Inherent"
 rules:
 - os_prevent_priv_functions
@@ -177,6 +179,7 @@ profile:
 - os_identify_non-org_users
 - section: "Supplemental"
 rules:
+ - supplemental_encrypted_dns
 - supplemental_firewall_pf
 - supplemental_filevault
 - supplemental_password_policy
diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml
new file mode 100644
index 00000000..cc111a4c
--- /dev/null
+++ b/rules/os/os_authenticated_root_enable.yaml
@@ -0,0 +1,38 @@
+id: os_authenticated_root_enable
+title: "Enable Authenticated Root"
+discussion:
+ Authenticated Root _MUST_ be enabled.
+check: |
+ /usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled'
+result:
+ integer: 1
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/csrutil authenticated-root enable
+ ----
+ NOTE: To re-enable "Authenticated Root", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
+references:
+ cce:
+ - CCE-33333-3
+ cci:
+ -
+ 800-53r4:
+ -
+ srg:
+ -
+ disa_stig:
+ -
+ 800-171r2:
+ -
+macOS:
+ - "11.0"
+tags:
+ - 800-171
+ - cnssi-1253
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - STIG
+mobileconfig: false
+mobileconfig_info:
diff --git a/rules/supplemental/supplemental_encrypted_dns.yaml b/rules/supplemental/supplemental_encrypted_dns.yaml
new file mode 100644
index 00000000..b442fed1
--- /dev/null
+++ b/rules/supplemental/supplemental_encrypted_dns.yaml
@@ -0,0 +1,20 @@
+id: supplemental_encrypted_dns
+title: "Encrypted DNS Supplemental"
+discussion: |
+check: |
+fix: |
+references:
+ cci:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+macOS:
+ - "11.0"
+tags:
+ - supplemental
+mobileconfig: false
+mobileconfig_info:
diff --git a/rules/sysprefs/sysprefs_airdrop_share_extension_disable.yaml b/rules/sysprefs/sysprefs_airdrop_share_extension_disable.yaml
new file mode 100644
index 00000000..df51f2c7
--- /dev/null
+++ b/rules/sysprefs/sysprefs_airdrop_share_extension_disable.yaml
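Review bot: `discussion:` carries no block-scalar indicator, while `check: |` and `fix: |` in this file and `discussion: |` in the other rule files of this commit do, so its text loads as a plain scalar and a second paragraph or a colon added later will parse differently; change it to `discussion: |`. The `cci`, `800-53r4`, `srg`, `disa_stig` and `800-171r2` lists hold a bare `-` item each, which loads as a null entry, whereas `supplemental_encrypted_dns.yaml` in this same commit writes `- N/A`; pick one convention so whatever consumes `references` sees the same shape everywhere. `CCE-33333-3` reads like a placeholder rather than an assigned CCE, and the rule is tagged `STIG` while `disa_stig` is empty. The `fix` command is only valid from Recovery, as the trailing NOTE says; stating that before the `[source,bash]` block, not after it, would stop a reader running it on a live system and treating the failure as a bug, and would make clear that any remediation automation built from `fix` blocks presumably cannot apply this one.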
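Review bot: `discussion: |`, `check: |` and `fix: |` are all empty block scalars, so this rule ships with no guidance, no check and no fix even though the baseline hunks earlier in this commit add `supplemental_encrypted_dns` to the Supplemental section of every baseline; either fill in the content or leave it out of the baselines until it exists. The file also has no `cce:` and no `800-171r2:` key under `references`, which every other rule file in this commit carries; if the generator indexes those keys, rendering this rule will presumably fail. `mobileconfig_info:` is a bare empty value and loads as null, which matches the other files but leaves the intent implicit; `mobileconfig_info: {}` would state it.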
@@ -0,0 +1,44 @@
+id: sysprefs_airdrop_share_extension_disable
+title: "Disable AirDrop Share Extension"
+discussion: |
+ AirDrop share extension _MUST_ be disabled.
+check: |
+ /usr/bin/profiles -P -o stdout | /usr/bin/awk '/DeniedExtensions/,/com.apple.NSExtension/' | /usr/bin/grep -c 'com.apple.share.AirDrop.send'
+result:
+ integer: 1
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-11111-1
+ cci:
+ - CCI-000381
+ 800-53r4:
+ - CM-7
+ - AC-3
+ - AC-18
+ - AC-20
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - AOSX-15-002009
+ 800-171r2:
+ - 3.1.1
+ - 3.1.2
+ - 3.1.16
+ - 3.1.20
+ - 3.4.6
+macOS:
+ - "11.0"
+tags:
+ - 800-171
+ - cnssi-1253
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - STIG
+mobileconfig: true
+mobileconfig_info:
+ com.apple.NSExtension:
+ DeniedExtensions:
+ - com.apple.share.AirDrop.send
diff --git a/rules/sysprefs/sysprefs_ad_tracking_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
similarity index 73%
rename from rules/sysprefs/sysprefs_ad_tracking_disable.yaml
rename to rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
index b2153aa2..2b5d3741 100644
--- a/rules/sysprefs/sysprefs_ad_tracking_disable.yaml
+++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
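Review bot: The `discussion` is a single sentence with no rationale, unlike the personalized-advertising rule in this commit whose discussion explains what the control prevents; add a sentence such as `Disabling the AirDrop share extension removes a peer-to-peer file transfer path that bypasses the network controls applied to managed interfaces.` The `check` awk range `/DeniedExtensions/,/com.apple.NSExtension/` opens at the key and closes on a later line matching the domain, but in the structure `mobileconfig_info` declares the domain comes before the key, so the range presumably runs to the end of the output and `grep -c` can exceed the expected `1` when more than one installed profile contains the string — confirm against real `profiles -P -o stdout` output before relying on `result: integer: 1`. `CCE-11111-1` looks like a placeholder, and `AOSX-15-002009` is a 10.15-series STIG identifier on a rule whose `macOS` is `"11.0"`; verify both before this ships.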
@@ -1,18 +1,18 @@
-id: sysprefs_ad_tracking_disable
-title: "Disable Ad Tracking"
+id: sysprefs_personalized_advertising_disable
+title: "Disable Personalized Advertising"
 discussion: |
 Ad tracking and targeted ads _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users’ interests and deliver targeted advertisements.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'forceLimitAdTracking = 1;'
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowApplePersonalizedAdvertising = 1;'
 result:
 integer: 1
 fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-84822-6
+ - CCE-22222-2
 cci:
 - N/A
 800-53r4:
@@ -26,7 +26,7 @@ references:
 - 3.1.20
 - 3.4.6
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - 800-171
 - cnssi-1253
@@ -37,4 +37,4 @@ tags:
 mobileconfig: true
 mobileconfig_info:
 com.apple.AdLib:
- forceLimitAdTracking: true
+ allowApplePersonalizedAdvertising: false
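Review bot: The new check greps for `allowApplePersonalizedAdvertising = 1;` while the payload in the last hunk of this file sets `allowApplePersonalizedAdvertising: false`; by the convention the old pair followed (`forceLimitAdTracking: true` matched against `forceLimitAdTracking = 1;`), a correctly applied profile will print the key as `= 0;`, so the check returns 0 and the rule fails on exactly the systems that comply. Change the check line to `/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowApplePersonalizedAdvertising = 0;'`. `CCE-22222-2` replaces the previously assigned-looking `CCE-84822-6` with a placeholder-looking id; confirm an assigned CCE before release.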