Final Merge branch 'v1.0_edits' into catalina

2026-03-05 17:41:58 +00:00 · 2020-10-06 15:34:37 -04:00
parent 5521a163fa d3da0b8d85
commit 1a0d0a8571
14 changed files with 29 additions and 28 deletions
--- a/CHANGELOG.adoc
+++ b/CHANGELOG.adoc
@@ -2,7 +2,7 @@

 This document provides a high-level view of the changes to the macOS Security Compliance Project.

-== [Catalina, Revision 1] - 2020-10-05
+== [Catalina, Revision 1] - 2020-10-06

 * Rules
 ** Added new rules
--- a/VERSION.yaml
+++ b/VERSION.yaml
@@ -1,2 +1,2 @@
 version: "Catalina, Revision 1"
-date: "2020-10-05"
+date: "2020-10-06"
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -220,8 +220,8 @@ profile:
      - os_identify_non-org_users
  - section: "srg"
    rules:
-      - srg_filevault_user_account
-      - srg_anti_virus_installed      
+      - os_filevault_user_account
+      - os_anti_virus_installed      
  - section: "Supplemental"
    rules:
      - supplemental_firewall_pf
--- a/rules/srg/srg_anti_virus_installed.yaml
+++ b/rules/srg/srg_anti_virus_installed.yaml
@@ -1,7 +1,8 @@
-id: srg_anti_virus_installed
-title: "The macOS system must use an approved antivirus program."
+id: os_anti_virus_installed
+title: "Must Use an Approved Antivirus Program"
 discussion: |
-  An approved antivirus product must be installed and configured to run. 
+  An approved antivirus product _MUST_ be installed and configured to run. 
+
  Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.
 check: |
  Ask the System Administrator (SA) or Information System Security Officer (ISSO) if an approved antivirus solution is loaded on the system. The antivirus solution may be bundled with an approved host-based security solution. 
--- a/rules/srg/srg_filevault_user_account.yaml
+++ b/rules/srg/srg_filevault_user_account.yaml
@@ -1,6 +1,8 @@
-id: srg_filevault_user_account
-title: The macOS system must be configured with a dedicated user account to decrypt the hard disk upon startup.
+id: os_filevault_user_account
+title: "Dedicated User Account to Decrypt the Hard Disk"
 discussion: |
+  The macOS system _MUST_ be configured with a dedicated user account to decrypt the hard disk upon startup.
+
  When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.
 check: |
  Ensure that only one FileVault user is defined:
--- a/rules/os/os_ssh_fips_140_ciphers.yaml
+++ b/rules/os/os_ssh_fips_140_ciphers.yaml
@@ -1,13 +1,11 @@
 id: os_ssh_fips_140_ciphers
-title: "Limit SSH to FIPS 140 Approved Ciphers"
+title: "Limit SSH to FIPS 140 Validated Ciphers"
 discussion: |
-  SSH _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 approved.
+  SSH _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 validated.

-  FIPS 140-2 is the current standard for approving and validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements.
+  FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.

-  Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. 
-
-  Operating systems utilizing encryption _MUST_ use FIPS compliant mechanisms for authenticating to cryptographic modules. 
+  Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. 

  NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
 check: |
--- a/rules/os/os_ssh_fips_140_macs.yaml
+++ b/rules/os/os_ssh_fips_140_macs.yaml
@@ -1,13 +1,11 @@
 id: os_ssh_fips_140_macs
-title: "Limit SSH to FIPS 140 Approved Message Authentication Code Algorithms"
+title: "Limit SSH to FIPS 140 Validated Message Authentication Code Algorithms"
 discussion: |
-  SSH _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 approved..
+  SSH _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 validated.

-  FIPS 140-2 is the current standard for approving and validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements.
+  FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements.
  
-  Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. 
-
-  Operating systems utilizing encryption _MUST_ use FIPS compliant mechanisms for authenticating to cryptographic modules. 
+  Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. 

  NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
 check: |
--- a/rules/supplemental/supplemental_filevault.yaml
+++ b/rules/supplemental/supplemental_filevault.yaml
@@ -44,7 +44,7 @@ discussion: |

  If using the Defer key it will prompt for the user name and password at logout.

-  The UserEntersMissingInfo keywill only work if installed through manual installation, and it will prompt for the username and password immediately. 
+  The UserEntersMissingInfo key will only work if installed through manual installation, and it will prompt for the username and password immediately. 

  When using a configuration profile, you can escrow the Recovery key to a Mobile Device Management (MDM) server. Documentation for that can be found on Apple’s Developer site: link:https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow[].

--- a/rules/supplemental/supplemental_smartcard.yaml
+++ b/rules/supplemental/supplemental_smartcard.yaml
@@ -101,7 +101,7 @@ discussion: |
  To get the SHA-256 hash in the correct format, run the following command within terminal:
  [source,bash]
  ----
-  openssl x509 -noout -fingerprint -sha256 -inform pem -in <issuer cert> | awk -F '=' '{print $2}' |  sed 's/://g'
+  /usr/bin/openssl x509 -noout -fingerprint -sha256 -inform pem -in <issuer cert> | /usr/bin/awk -F '=' '{print $2}' |  /usr/bin/sed 's/://g'
  ----

  To configure Trusted Authorities, the SmartcardLogin.plist should be minimally configured as below:
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
@@ -982,7 +982,7 @@ def main():
        if args.logo:
            logo = args.logo
        else:
-            logo = "../../templates/images/macOSSCP_Banner_3100x500.png"
+            logo = "../../templates/images/mscp_banner.png"

        build_path = os.path.join(parent_dir, 'build', f'{baseline_name}')
        if not (os.path.isdir(build_path)):
--- a/scripts/yaml-to-oval.py
+++ b/scripts/yaml-to-oval.py
@@ -77,13 +77,15 @@ def main():
    for sections in profile_yaml['profile']:
        for profile_rule in sections['rules']:
            for rule_file in glob.glob('../rules/*/{}.yaml'.format(profile_rule)):
-        
+                
                if "srg" in rule_file or "supplemental" in rule_file:
                    continue
                with open(rule_file) as r:
                    rule_yaml = yaml.load(r, Loader=yaml.SafeLoader)
                if "inherent" in rule_yaml['tags'] or "n_a" in rule_yaml['tags'] or "permanent" in rule_yaml['tags']:
                    continue
+                if len(rule_yaml['tags']) < 2 and "STIG" in rule_yaml['tags']:
+                    continue
                if "manual" in rule_yaml['tags']:
                    print(rule_yaml['id'] + " - Manual Check")
                    continue
--- a/templates/adoc_additional_docs.adoc
+++ b/templates/adoc_additional_docs.adoc
@@ -42,15 +42,15 @@ ASSOCIATED DOCUMENTS
 |===
 |Document Number
 |Document Title
-|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_OS_X_10-15_V1R2_STIG.zip/[CNSSI No. 1253]|_Security Categorization and Control Selection for National Security Systems_
+|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_OS_X_10-15_V1R2_STIG.zip[STIG Ver 1, Rel 2]|_Apple OS X 10.15 (Catalina) STIG_
 |===

 [%header, cols=2*a]
 .Committee on National Security Systems (CNSS)
 |===
 |Document Number
-|Document Title
-|link:https://www.cnss.gov/CNSS/openDoc.cfm?V04rT9KTjGMS9mpbc+M36g==[STIG Ver 1, Rel 2]|_Apple OS X 10.15 (Catalina) STIG_
+|Document Title 
+|link:https://www.cnss.gov/CNSS/issuances/Instructions.cfm[CNSSI No. 1253]|_Security Categorization and Control Selection for National Security Systems_
 |===

 === Non-Government Documents
--- a/templates/images/macOSSCP_Banner_3100x500.png
+++ b/templates/images/macOSSCP_Banner_3100x500.png
--- a/templates/images/macOSSCP_Logo_x1024.PNG
+++ b/templates/images/macOSSCP_Logo_x1024.PNG