diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index 446879d2..b4156b48 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc @@ -2,7 +2,7 @@ This document provides a high-level view of the changes to the macOS Security Compliance Project. -== [Catalina, Revision 1] - 2020-10-05 +== [Catalina, Revision 1] - 2020-10-06 * Rules ** Added new rules diff --git a/VERSION.yaml b/VERSION.yaml index f2b73362..a8fb0c0c 100644 --- a/VERSION.yaml +++ b/VERSION.yaml @@ -1,2 +1,2 @@ version: "Catalina, Revision 1" -date: "2020-10-05" \ No newline at end of file +date: "2020-10-06" \ No newline at end of file diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index fdb09cc4..2c756ae3 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -220,8 +220,8 @@ profile: - os_identify_non-org_users - section: "srg" rules: - - srg_filevault_user_account - - srg_anti_virus_installed + - os_filevault_user_account + - os_anti_virus_installed - section: "Supplemental" rules: - supplemental_firewall_pf diff --git a/rules/srg/srg_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml similarity index 83% rename from rules/srg/srg_anti_virus_installed.yaml rename to rules/os/os_anti_virus_installed.yaml index 4dd27d5d..0d206b19 100644 --- a/rules/srg/srg_anti_virus_installed.yaml +++ b/rules/os/os_anti_virus_installed.yaml 
@@ -1,7 +1,8 @@ -id: srg_anti_virus_installed -title: "The macOS system must use an approved antivirus program." +id: os_anti_virus_installed +title: "Must Use an Approved Antivirus Program" discussion: | - An approved antivirus product must be installed and configured to run. + An approved antivirus product _MUST_ be installed and configured to run. + Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system. check: | Ask the System Administrator (SA) or Information System Security Officer (ISSO) if an approved antivirus solution is loaded on the system. The antivirus solution may be bundled with an approved host-based security solution. diff --git a/rules/srg/srg_filevault_user_account.yaml b/rules/os/os_filevault_user_account.yaml similarity index 91% rename from rules/srg/srg_filevault_user_account.yaml rename to rules/os/os_filevault_user_account.yaml index 6fc00ed2..794ae27e 100644 --- a/rules/srg/srg_filevault_user_account.yaml +++ b/rules/os/os_filevault_user_account.yaml @@ -1,6 +1,8 @@ -id: srg_filevault_user_account -title: The macOS system must be configured with a dedicated user account to decrypt the hard disk upon startup. +id: os_filevault_user_account +title: "Dedicated User Account to Decrypt the Hard Disk" discussion: | + The macOS system _MUST_ be configured with a dedicated user account to decrypt the hard disk upon startup. + When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login. check: | Ensure that only one FileVault user is defined: 
diff --git a/rules/os/os_ssh_fips_140_ciphers.yaml b/rules/os/os_ssh_fips_140_ciphers.yaml index 9a7993e8..32b44ac5 100644 --- a/rules/os/os_ssh_fips_140_ciphers.yaml +++ b/rules/os/os_ssh_fips_140_ciphers.yaml @@ -1,13 +1,11 @@ id: os_ssh_fips_140_ciphers -title: "Limit SSH to FIPS 140 Approved Ciphers" +title: "Limit SSH to FIPS 140 Validated Ciphers" discussion: | - SSH _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 approved. + SSH _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 validated. - FIPS 140-2 is the current standard for approving and validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements. + FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements. - Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. - - Operating systems utilizing encryption _MUST_ use FIPS compliant mechanisms for authenticating to cryptographic modules. + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | diff --git a/rules/os/os_ssh_fips_140_macs.yaml b/rules/os/os_ssh_fips_140_macs.yaml index b4bb6db1..cf8ea851 100644 --- a/rules/os/os_ssh_fips_140_macs.yaml +++ b/rules/os/os_ssh_fips_140_macs.yaml 
@@ -1,13 +1,11 @@ id: os_ssh_fips_140_macs -title: "Limit SSH to FIPS 140 Approved Message Authentication Code Algorithms" +title: "Limit SSH to FIPS 140 Validated Message Authentication Code Algorithms" discussion: | - SSH _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 approved.. + SSH _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 validated. - FIPS 140-2 is the current standard for approving and validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements. + FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements. - Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. - - Operating systems utilizing encryption _MUST_ use FIPS compliant mechanisms for authenticating to cryptographic modules. + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml index dd9c129b..ad1212f4 100644 --- a/rules/supplemental/supplemental_filevault.yaml +++ b/rules/supplemental/supplemental_filevault.yaml 
@@ -44,7 +44,7 @@ discussion: | If using the Defer key it will prompt for the user name and password at logout. - The UserEntersMissingInfo keywill only work if installed through manual installation, and it will prompt for the username and password immediately. + The UserEntersMissingInfo key will only work if installed through manual installation, and it will prompt for the username and password immediately. When using a configuration profile, you can escrow the Recovery key to a Mobile Device Management (MDM) server. Documentation for that can be found on Apple’s Developer site: link:https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow[]. diff --git a/rules/supplemental/supplemental_smartcard.yaml b/rules/supplemental/supplemental_smartcard.yaml index e027ae56..4f8152d5 100644 --- a/rules/supplemental/supplemental_smartcard.yaml +++ b/rules/supplemental/supplemental_smartcard.yaml @@ -101,7 +101,7 @@ discussion: | To get the SHA-256 hash in the correct format, run the following command within terminal: [source,bash] ---- - openssl x509 -noout -fingerprint -sha256 -inform pem -in | awk -F '=' '{print $2}' | sed 's/://g' + /usr/bin/openssl x509 -noout -fingerprint -sha256 -inform pem -in | /usr/bin/awk -F '=' '{print $2}' | /usr/bin/sed 's/://g' ---- To configure Trusted Authorities, the SmartcardLogin.plist should be minimally configured as below: diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index b20fb1a9..bb0fa67a 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -982,7 +982,7 @@ def main(): if args.logo: logo = args.logo else: - logo = "../../templates/images/macOSSCP_Banner_3100x500.png" + logo = "../../templates/images/mscp_banner.png" build_path = os.path.join(parent_dir, 'build', f'{baseline_name}') if not (os.path.isdir(build_path)): diff --git a/scripts/yaml-to-oval.py b/scripts/yaml-to-oval.py index b34e63a8..e269d6e4 100755 --- a/scripts/yaml-to-oval.py 
+++ b/scripts/yaml-to-oval.py @@ -77,13 +77,15 @@ def main(): for sections in profile_yaml['profile']: for profile_rule in sections['rules']: for rule_file in glob.glob('../rules/*/{}.yaml'.format(profile_rule)): - + if "srg" in rule_file or "supplemental" in rule_file: continue with open(rule_file) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) if "inherent" in rule_yaml['tags'] or "n_a" in rule_yaml['tags'] or "permanent" in rule_yaml['tags']: continue + if len(rule_yaml['tags']) < 2 and "STIG" in rule_yaml['tags']: + continue if "manual" in rule_yaml['tags']: print(rule_yaml['id'] + " - Manual Check") continue diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc index 356f3636..3e69ed54 100644 --- a/templates/adoc_additional_docs.adoc +++ b/templates/adoc_additional_docs.adoc @@ -42,15 +42,15 @@ ASSOCIATED DOCUMENTS |=== |Document Number |Document Title -|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_OS_X_10-15_V1R2_STIG.zip/[CNSSI No. 1253]|_Security Categorization and Control Selection for National Security Systems_ +|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_OS_X_10-15_V1R2_STIG.zip[STIG Ver 1, Rel 2]|_Apple OS X 10.15 (Catalina) STIG_ |=== [%header, cols=2*a] .Committee on National Security Systems (CNSS) |=== |Document Number -|Document Title -|link:https://www.cnss.gov/CNSS/openDoc.cfm?V04rT9KTjGMS9mpbc+M36g==[STIG Ver 1, Rel 2]|_Apple OS X 10.15 (Catalina) STIG_ +|Document Title +|link:https://www.cnss.gov/CNSS/issuances/Instructions.cfm[CNSSI No. 1253]|_Security Categorization and Control Selection for National Security Systems_ |=== === Non-Government Documents diff --git a/templates/images/macOSSCP_Banner_3100x500.png b/templates/images/mscp_banner.png similarity index 100% rename from templates/images/macOSSCP_Banner_3100x500.png rename to templates/images/mscp_banner.png 
diff --git a/templates/images/macOSSCP_Logo_x1024.PNG b/templates/images/mscp_logo.png similarity index 100% rename from templates/images/macOSSCP_Logo_x1024.PNG rename to templates/images/mscp_logo.png
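Review bot: VERSION.yaml still ends without a trailing newline on both sides of the hunk (`\ No newline at end of file`); since the `date:` line is being rewritten anyway, adding the newline would keep that marker out of every future diff of this file.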
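Review bot: in the baselines/all_rules.yaml hunk the two rules are renamed to os_filevault_user_account and os_anti_virus_installed but remain under `- section: "srg"`, so the section label no longer matches the rule prefix; either move the two entries into the os section or rename the section. Any other baseline that still lists srg_filevault_user_account or srg_anti_virus_installed will no longer resolve, since rules/srg/ no longer contains those files, and no such update appears in this patch.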
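Review bot: moving srg_anti_virus_installed.yaml and srg_filevault_user_account.yaml from rules/srg/ into rules/os/ takes them out of the `if "srg" in rule_file or "supplemental" in rule_file: continue` filter in scripts/yaml-to-oval.py, so the OVAL generator will now process both. The anti-virus check is an interview of the SA or ISSO rather than a command, so its tags (not shown in the hunk) need to include "manual" or one of the other skipped tags; otherwise the generator will try to emit an OVAL check for a rule that has nothing automatable.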
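Review bot: the rewritten discussion in rules/os/os_ssh_fips_140_ciphers.yaml introduces a grammatical error, `utilize authentication that meet federal requirements`, where the parallel change in os_ssh_fips_140_macs.yaml correctly keeps `that meets`; restore `meets` so the two rules stay consistent.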
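Review bot: the os_ssh_fips_140_macs.yaml hunk (and the ciphers hunk alongside it) deletes the paragraph `Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.`, which is the only sentence that states the risk of allowing non-validated algorithms. If the objection was to the word "Unapproved", rewording it to "Non-validated mechanisms ..." keeps the rationale in the published guidance instead of dropping it. The removal of the stray double period in `FIPS 140 approved..` is correct.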
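Review bot: the command in the rules/supplemental/supplemental_smartcard.yaml hunk is still broken after the change: `-in` takes a file argument, and `... -inform pem -in | /usr/bin/awk ...` passes nothing to it, so openssl will error out before the pipeline runs. Add an obvious placeholder such as `-in <path-to-certificate.pem>` so readers know where the certificate goes. The switch to /usr/bin/openssl, /usr/bin/awk and /usr/bin/sed is a sound change for a command meant to be pasted into a terminal, since it removes dependence on whatever is first in the caller's PATH.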
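Review bot: the new condition `if len(rule_yaml['tags']) < 2 and "STIG" in rule_yaml['tags']: continue` in scripts/yaml-to-oval.py is only true when the tag list is exactly `["STIG"]`; writing it as `if rule_yaml['tags'] == ["STIG"]:` with a comment that STIG-only rules are excluded from OVAL output makes the intent explicit, since the length test alone does not say whether single-tag rules in general or STIG-only rules are meant. The surrounding `if "srg" in rule_file or "supplemental" in rule_file` is a substring match on the whole path, so a rule whose id happens to contain `srg` would be skipped too; matching on the directory component would be safer.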
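Review bot: the templates/adoc_additional_docs.adoc hunk correctly swaps the two mismatched rows (CNSSI No. 1253 previously pointed at the STIG zip and the STIG row at cnss.gov), but the new CNSSI link goes to the general issuances index https://www.cnss.gov/CNSS/issuances/Instructions.cfm rather than to the document itself, so readers must locate CNSSI 1253 on that page; a direct link is preferable if a stable one exists. The `-|Document Title` / `+|Document Title` pair is a whitespace-only change that only adds noise to the diff.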
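Review bot: the rename of templates/images/macOSSCP_Logo_x1024.PNG to mscp_logo.png has no accompanying reference update in this patch, unlike the banner rename, which is matched by the default-logo path change in scripts/generate_guidance.py; confirm that no template or script still references the old logo filename, noting that the extension case also changes from .PNG to .png.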