refactor[rule] removed stiff supplemental

removed stig supplemental

rules/supplemental/supplemental_stig.yaml

@@ -1,78 +0,0 @@
-
-id: supplemental_stig
-title: "DISA STIG Supplemental"
-discussion: |
-  This supplemental contains DISA STIG controls that may not produce intended results when applied. Where discrepancies exist between the DISA STIG and macOS Security Compliance Project guidelines, the appropriate recommendations are outlined below.
-  
-  [cols="20%h, 80%a"]
-  |===
-  |STIG ID
-  |Notes
-
-  |APPL-13-000011| DISA STIG requires SSHD must be disabled due to the implementation of OpenSSH that is included with macOS does not use a FIPS 140-2 validated cryptographic module.
-
-  Apple has provided methods to configure SSHD for FIPS compliance, the man page `apple_ssh_and_fips` and https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web[macOS security certifications] both provide information on configuring SSHD for FIPS compliance. +
-  |APPL-13-000054| DISA STIG requires the following setting within SSHD for FIPS compliance `ciphers aes256-ctr,aes192-ctr,aes128-ctr`. 
-
-  In order to configure SSHD to meet FIPS compliance, the man page from Apple `apple_ssh_and_fips` recommends using the setting `ciphers \aes128-gcm@openssh.com`. +
-  |APPL-13-000055| DISA STIG requires the following setting within SSHD for FIPS compliance `macs hmac-sha2-512,hmac-sha2-256`. 
-
-  In order to configure SSHD to meet FIPS compliance, the man page from Apple `apple_ssh_and_fips` recommends using the setting `macs hmac-sha2-nistp256` +
-  |APPL-13-000056| DISA STIG requires the following setting within SSHD for FIPS compliance `kexalgorithms diffie-hellman-group-exchange-sha256`. 
-
-  In order to configure SSHD to meet FIPS compliance, the man page from Apple `apple_ssh_and_fips` recommends using the setting `kexalgorithms ecdh-sha2-nistp256`. +
-  |APPL-13-000014| DISA STIG's expected results are `Network Time:On`.
-
-  The output from the command `systemsetup -getusingnetworktime` is `Network Time: On`. +
-  |APPL-13-002063| DISA STIG recommends setting the configuration profile key DisableGuestAccount to true.  
-
-  In order to disable the Guest account, you must set DisableGuestAccount to true and EnableGuestAccount to false, https://github.com/apple/device-management/blob/5a8fb0deb23799aa77ff15f284c9b31208d39ad1/mdm/profiles/com.apple.MCX(Accounts).yaml#L16C1-L32[com.Apple.MCX documentation] +
-  |APPL-13-002069| DISA STIG states the macOS system must authenticate peripherals before establishing a connection. 
-
-  The check and fix for this are not related to peripherals. In order to potentially meet the requirement of the SRG, administrators may want to investigate into usage of USB Restricted mode on macOS. +
-  |APPL-13-002070| DISA STIG recommends the check `/bin/launchctl list \| /usr/bin/grep -cE "(com.apple.XprotectFramework.PluginService\|com.apple.Xprotect.daemon.scan)"` and  `/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist \| /usr/bin/grep "ConfigDataInstall"`
-
-  The regex provided to search for com.apple.XprotectFramework.PluginService and com.apple.Xprotect.daemon.scan is incorrect, the search should be `com.apple.XprotectFramework.PluginService$\|com.apple.XProtect.daemon.scan$`. The result will then be 2.
-
-  The recommended method in the DISA STIG to enforce that the key `ConfigDataInstall` is set properly is to do it with a configuration profile, the DISA provided check will fail. 
-
-  These rules are handled within the project `os_anti_virus_installed` and `os_config_data_install_enforce`. +
-  |APPL-13-000051
-  APPL-13-000052| This setting is not intended to manage idle user sessions where there is no input from the client. Its purpose is to monitor for interruptions in network connectivity and force the session to terminate after the connection appears to be broken.+
-  |APPL-13-002031
-  APPL-13-002051
-  APPL-13-002032
-  APPL-13-002053
-  APPL-13-002062| DISA STIG requires `com.apple.preferences.AppleIDPrefPane`, `com.apple.preferences.internetaccounts`, `com.apple.preference.speech`,`com.apple.preferences.Bluetooth`, `com.apple.preferences.password`, `com.apple.preferences.wallet` to be set within the key `DisabledPreferencePanes`.
-
-  Apple has deprecated the `com.apple.systempreferences` preference domain, however in macOS Sonoma it is recommended to use the key `DisabledSystemSettings` with the values `com.apple.systempreferences.AppleIDSettings`, `com.apple.Internet-Accounts-Settings.extension`, `com.apple.Siri-Settings.extension`, `com.apple.BluetoothSettings`, `com.apple.Touch-ID-Settings.extension`, `com.apple.WalletSettingsExtension`. +
-  |APPL-13-000004| DISA STIG requires the screen saver after 15 minutes of inactivity.
-
-  The keys required are `loginWindowIdleTime` and `IdleTime` in the `com.apple.screensaver` prefernece domain. +
-  |APPL-13-002020| DISA STIG requires that siri and dictation must be disabled. The DISA STIG requires the keys `Assistant Allowed` and `Ironwood Allowed`.
-
-  The key `Assistant Allowed` does not exist in the preference domain `com.apple.ironwood.support`. +
-  |APPL-13-002052| DISA STIG requires hiding the Wallet and Apple Pay System Setting Pane.
-
-  In macOS Sonoma, hiding preference panes is not possible. +
-  |===
-check: |
-fix: |
-references:
-  cci:
-    - N/A
-  800-53r5:
-    - N/A
-  800-53r4:
-    - N/A
-  srg:
-    - N/A
-  disa_stig:
-    - N/A
-macOS:
-  - "14.0"
-tags:
-  - stig
-  - supplemental
-mobileconfig: false
-mobileconfig_info: