Merge branch 'sonoma'

This commit is contained in:
Bob Gendler
2023-09-21 15:36:47 -04:00
355 changed files with 2844 additions and 2948 deletions

View File

@@ -2,193 +2,56 @@
This document provides a high-level view of the changes to the macOS Security Compliance Project.
== [Ventura, Revision 2.0] - 2023-06-26
== [Sonoma, Revision 1.0] - 2023-09-21
* Rules
** Added Rules
*** os_home_folders_default
*** supplemental_stig
*** icloud_freeform_disable
*** os_account_modification_disable
*** os_on_device_dictation_enforce
*** os_setup_assistant_filevault_enforce
*** os_sshd_channel_timeout_configure
*** os_sshd_unused_connection_timeout_configure
** Modified Rules
*** audit_acls_files_configure
*** audit_acls_folders_configure
*** audit_auditd_enabled
*** audit_control_mode_configure
*** audit_files_group_configure
*** audit_files_mode_configure
*** audit_files_owner_configure
*** audit_folder_group_configure
*** audit_folder_group_configure
*** audit_folders_mode_configure
*** auth_ssh_password_authentication_disable
*** icloud_appleid_preference_pane_disable
*** icloud_appleid_system_settings_disable
*** os_anti_virus_installed
*** os_home_folders_secure
*** os_policy_banner_loginwindow_enforce
*** os_policy_banner_ssh_configure
*** os_policy_banner_ssh_enforce
*** os_screensaver_timeout_loginwindow_enforce
*** os_sshd_client_alive_count_max_configure
*** os_sshd_client_alive_interval_configure
*** os_sshd_fips_140_ciphers
*** os_sshd_fips_140_macs
*** os_sshd_fips_compliant
*** os_sshd_key_exchange_algorithm_configure
*** os_sshd_login_grace_time_configure
*** os_sshd_permit_root_login_configure
*** pwpolicy_account_lockout_timeout_enforce
*** pwpolicy_minimum_length_enforce
*** pwpolicy_special_character_enforce
*** system_settings_assistant_disable
*** system_settings_location_services_menu_enforce
*** system_settings_siri_disable
** Deleted Rules
*** icloud_appleid_preference_pane_disable.yaml
*** os_efi_integrity_validated
*** os_sshd_key_exchange_algorithm_configure
*** os_sshd_fips_140_ciphers
*** os_sshd_fips_140_macs
*** system_settings_bluetooth_prefpane_disable
*** system_settings_firewall_enable
*** system_settings_firewall_stealth_mode_enable
*** system_settings_guest_account_disable
*** system_settings_internet_accounts_preference_pane_disable
*** system_settings_siri_prefpane_disable
*** system_settings_touch_id_pane_disable
*** system_settings_usb_restricted_mode
*** system_settings_wallet_applepay_prefpane_disable
*** system_settings_wallet_applepay_prefpane_hide
* Baselines
** Added Baselines
*** cmmc_lvl1
*** cmmc_lvl2
*** cnssi-1253_high
*** cnssi-1253_moderate
*** cnssi-1253_low
*** DISA-STIG
** Modified Baselines
*** all_rules
*** Removed Baselines
** cnssi-1253
* Scripts
** generate_guidance
*** Added base64 support for documentation logo
*** Added support for CMMC references
*** Added ssh key generation to compliance script
*** Added cfc argument to compliance script
*** Bug Fixes
** generate_baseline
*** Bug Fixes
** generate_scap
*** Bug Fixes
* Includes
** mscp-data
*** Added CMMC data
*** Updated CNSSI-1253 data
** supported_payloads
*** Added com.apple.sharingd
*** Removed com.apple.locationmenu
== [Ventura, Revision 1.1] - 2022-12-08
* Rules
** Added Rules
*** icloud_game_center_disable
*** os_safari_advertising_privacy_protection_enable
*** os_safari_prevent_cross-site_tracking_enable
*** os_safari_show_full_website_address_enable
*** os_safari_warn_fraudulent_website_enable
** Modified Rules
*** os_dvdram_disable
*** os_hibernate_mode_enable
*** os_rapid_security_response_removal_disable
*** os_tftpd_disable
*** system_settings_automatic_logout_enforce
*** system_settings_internet_accounts_disable
*** system_settings_ssh_enable
*** system_settings_system_wide_preferences_configure
*** system_settings_time_server_configure
*** system_settings_time_server_enforce
*** supplemental_cis_manual
** Bug fixes
* Baselines
** Updated all baselines
* Scripts
** generate_guidance
*** Added custom references to compliance check script
*** Added debug option
*** Bug Fixes
** generate_baseline
*** Added author function
*** Bug Fixes
** generate_mapping
*** Bug Fixes
== [Ventura, Revision 1] - 2022-10-20
* Rules
** Added ODV support
** Added Rules
*** icloud_appleid_system_settings_disable
*** os_config_profile_ui_install_disable
*** os_firewall_ui_disable
*** os_power_nap_enable
*** os_rapid_security_response_allow
*** os_rapid_security_response_removal_disable
*** os_software_update_deferral
*** system_settings_USB_restricted_mode
*** system_settings_internet_accounts_disable
** Modified Rules
*** os_power_nap_disable
*** os_ssh_fips_compliant
*** os_ssh_server_alive_count_max_configure
*** os_ssh_server_alive_interval_configure
*** os_sshd_client_alive_count_max_configure
*** os_sshd_client_alive_interval_configure
*** os_sshd_fips_140_ciphers
*** os_sshd_fips_140_macs
*** os_sshd_fips_compliant
*** os_sshd_key_exchange_algorithm_configure
*** os_sshd_login_grace_time_configure
*** os_sshd_permit_root_login_configure
*** os_sudo_timeout_configure
*** os_sudoers_timestamp_type_configure
*** pwpolicy_account_inactivity_enforce.yaml
*** pwpolicy_account_lockout_enforce.yaml
*** pwpolicy_account_lockout_timeout_enforce.yaml
*** pwpolicy_alpha_numeric_enforce.yaml
*** pwpolicy_history_enforce.yaml
*** pwpolicy_lower_case_character_enforce.yaml
*** pwpolicy_max_lifetime_enforce.yaml
*** pwpolicy_minimum_length_enforce.yaml
*** pwpolicy_minimum_lifetime_enforce.yaml
*** pwpolicy_simple_sequence_disable.yaml
*** pwpolicy_special_character_enforce.yaml
*** pwpolicy_upper_case_character_enforce.yaml
*** system_settings_system_wide_preferences_configure
*** System Preferences -> System Settings
** Deleted Rules
*** os_sudoers_tty_configure
** Bug Fixes
* Baselines
** Modified existing baselines
** Added parent_values
* Scripts
** generate_guidance
*** Added ODV support
*** Added Ruby gem generation
*** Added support for fix/check in compliance script
*** Added unified log support to compliance script
*** Added iOS support
*** Added support for pwpolicy regex
*** Modified ssh_key_check
*** Bug Fixes
** generate_baseline
*** Added ODV support
*** Added tailoring support
*** Added iOS support
*** Bug Fixes
** generate_mappings
*** Added iOS support
*** Bug Fixes
** generate_scap
*** Added support for ODV
*** Added support for new checks
*** Generate scap, xccdf, or oval
*** Bug Fixes
*** Added iOS support
*** Added support for pwpolicy regex
*** Bug Fixes
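Review bot: the Sonoma changelog entry has several internal inconsistencies that should be cleaned up before merge. `audit_folder_group_configure` is listed twice under Modified Rules (the second entry is probably meant to be `audit_folder_owner_configure`, which the STIG baseline later in this commit references). `icloud_appleid_preference_pane_disable` appears under Modified Rules and again, with a stray `.yaml` suffix, under Deleted Rules; `os_sshd_fips_140_ciphers`, `os_sshd_fips_140_macs` and `os_sshd_key_exchange_algorithm_configure` are likewise in both Modified and Deleted, and the all_rules hunk in this commit drops them, so they belong under Deleted only. The heading levels under Baselines are inverted: `*** Removed Baselines` / `** cnssi-1253` should read `** Removed Baselines` / `*** cnssi-1253` to match the Added and Modified headings above. Finally, several things the baseline hunks in this commit touch (the `os_hibernate_mode_*` rules, `os_secure_boot_verify`, the additional `os_safari_*` rules, `pwpolicy_custom_regex_enforce` and the new `platform` key in VERSION.yaml) are not recorded here at all.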

View File

@@ -7,15 +7,15 @@ Contribute new content, share feedback and ask questions about resources in the
These operating rules describe and govern NISTs management of this repository and contributors responsibilities. NIST reserves the right to modify this policy at any time.
=== Criteria for Contributions and Feedback
This is a moderated platform. NIST will only accept contributions that are contributed per the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file.
This is a moderated platform. NIST will only accept contributions that are contributed per the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file.
NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that:
* states or implies NIST endorsement of any entities, services, or products;
* is inaccurate;
* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content;
* is clearly "off topic";
NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that:
* states or implies NIST endorsement of any entities, services, or products;
* is inaccurate;
* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content;
* is clearly "off topic";
* makes unsupported accusations;
* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government (http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines]; or,
* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government (http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines]; or,
* contains .exe or .jar file types.
_These file types will not be hosted in the NIST repository; instead, NIST may link to these if hosted elsewhere._
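Review bot: the changed lines in this hunk are identical in the rendered text to the lines they replace, so the change appears to be whitespace or line-ending only; if that is intended, say so in the commit message. While these lines are being touched, the link markup `(http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines];` opens a parenthesis that is never closed, and the context line above reads `NISTs management` and `contributors responsibilities`, both missing possessive apostrophes.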
@@ -28,4 +28,4 @@ NIST also reserves the right to reject or remove contributions from the reposito
* responding to NIST representatives in a timely manner;
* keeping contributions and contributor GitHub username up to date
*GitHub Help:* If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help https://help.github.com/categories/collaborating-with-issues-and-pull-requests/[page].
*GitHub Help:* If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help https://help.github.com/categories/collaborating-with-issues-and-pull-requests/[page].

View File

@@ -51,9 +51,9 @@ By exercising the Licensed Rights (defined below), You accept and agree to be bo
5. _Downstream recipients._
**A.** _Offer from the Licensor_ Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
**B.** _No downstream restrictions._ You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
6. _No endorsement._ Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
## b. Other rights.
@@ -75,17 +75,17 @@ Your exercise of the Licensed Rights is expressly made subject to the following
**i.** identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
**ii.** a copyright notice;
**iii.** a notice that refers to this Public License;
**iv.** a notice that refers to the disclaimer of warranties;
**v.** a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
**B.** indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
**C.** indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
**2.** You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
**3.** If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
@@ -116,11 +116,11 @@ For the avoidance of doubt, this Section 4 supplements and does not replace Your
**a.** This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
**b.** Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
**1.** automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
**2.** upon express reinstatement by the Licensor.
For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
**c.** For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.

View File

@@ -1,7 +1,7 @@
image::templates/images/mscp_banner_outline.png[]
// settings:
:idprefix:
:idseparator: -
:idseparator: -
ifndef::env-github[:icons: font]
ifdef::env-github[]
:status:
@@ -18,7 +18,7 @@ endif::[]
ifdef::status[]
image:https://badgen.net/badge/icon/apple?icon=apple&label[link="https://www.apple.com/"]
image:https://badgen.net/badge/icon/13.0?icon=apple&label[link="https://www.apple.com/macos"]
image:https://badgen.net/badge/icon/14.0?icon=apple&label[link="https://www.apple.com/macos"]
endif::[]
IMPORTANT: We recommend working off of one of the OS branches, rather than the `main` branch.
@@ -29,7 +29,7 @@ This project is the technical implementation of NIST Special Publication, 800-21
Apple acknowledges the macOS Security Compliance Project with information on their https://support.apple.com/guide/certifications/macos-security-compliance-project-apc322685bb2/web[Platform Certifications] page.
This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
To learn more about the project, please see the {uri-repo}/wiki[wiki].
@@ -61,7 +61,7 @@ Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) sta
== Changelog
Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes.
Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes.
== NIST Disclaimer

View File

@@ -1,4 +1,5 @@
os: "13.0"
version: "Ventura Guidance, Revision 2.0"
cpe: o:apple:macos:13.0
date: "2023-06-26"
os: "14.0"
platform: macOS
version: "Sonoma Guidance, Revision 1.0"
cpe: o:apple:macos:14.0
date: "2023-09-21"
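Review bot: `platform: macOS` is a new key in this file, and nothing in the CHANGELOG hunk records it or says which of generate_guidance, generate_baseline and generate_scap now read it; add a changelog line and make sure the consumers tolerate the key being absent on the older OS branches, since the README in this same commit tells users to work off those branches. The other changes here (os 13.0 to 14.0, "Sonoma Guidance, Revision 1.0", cpe o:apple:macos:14.0, date 2023-09-21) agree with the new changelog header.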

View File

@@ -1,6 +1,6 @@
title: "macOS 13.0: Security Configuration - NIST 800-171 Rev 2"
title: "macOS 14.0: Security Configuration - NIST 800-171 Rev 2"
description: |
This guide describes the actions to take when securing a macOS 13.0 system against the NIST 800-171 Rev 2 security baseline.
This guide describes the actions to take when securing a macOS 14.0 system against the NIST 800-171 Rev 2 security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -47,6 +47,7 @@ profile:
- icloud_bookmarks_disable
- icloud_calendar_disable
- icloud_drive_disable
- icloud_freeform_disable
- icloud_game_center_disable
- icloud_keychain_disable
- icloud_mail_disable
@@ -57,11 +58,11 @@ profile:
- icloud_sync_disable
- section: "macos"
rules:
- os_account_modification_disable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_authenticated_root_enable
- os_bonjour_disable
- os_calendar_app_disable
- os_config_profile_ui_install_disable
- os_filevault_autologin_disable
- os_firewall_default_deny_require
@@ -76,6 +77,7 @@ profile:
- os_ir_support_disable
- os_mdm_require
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
@@ -93,9 +95,11 @@ profile:
- os_ssh_fips_compliant
- os_ssh_server_alive_count_max_configure
- os_ssh_server_alive_interval_configure
- os_sshd_channel_timeout_configure
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_unused_connection_timeout_configure
- os_tftpd_disable
- os_time_server_enabled
- os_touchid_prompt_disable
@@ -107,14 +111,13 @@ profile:
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_upper_case_character_enforce
- section: "systemsettings"
rules:
- system_settings_apple_watch_unlock_disable
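Review bot: the hunk header shows the password-policy section of the 800-171 baseline shrinking from 14 to 13 lines while `pwpolicy_custom_regex_enforce` appears to be the only new rule, which implies two pwpolicy rules were removed; the CHANGELOG in this commit lists no removed pwpolicy rule and does not mention `pwpolicy_custom_regex_enforce` being added to the baselines. The same 14-to-13 (or 15-to-14) pattern repeats in the 800-53 High, Low and Moderate baseline hunks below, so either note the removals in the changelog or confirm they are deliberate tailoring for the regex rule.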

View File

@@ -1,6 +1,6 @@
title: "macOS 13.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact"
title: "macOS 14.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact"
description: |
This guide describes the actions to take when securing a macOS 13.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline.
This guide describes the actions to take when securing a macOS 14.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -52,6 +52,7 @@ profile:
- icloud_bookmarks_disable
- icloud_calendar_disable
- icloud_drive_disable
- icloud_freeform_disable
- icloud_game_center_disable
- icloud_keychain_disable
- icloud_mail_disable
@@ -62,13 +63,13 @@ profile:
- icloud_sync_disable
- section: "macos"
rules:
- os_account_modification_disable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_asl_log_files_owner_group_configure
- os_asl_log_files_permissions_configure
- os_authenticated_root_enable
- os_bonjour_disable
- os_calendar_app_disable
- os_certificate_authority_trust
- os_config_data_install_enforce
- os_config_profile_ui_install_disable
@@ -88,6 +89,7 @@ profile:
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
@@ -106,10 +108,12 @@ profile:
- os_ssh_fips_compliant
- os_ssh_server_alive_count_max_configure
- os_ssh_server_alive_interval_configure
- os_sshd_channel_timeout_configure
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_permit_root_login_configure
- os_sshd_unused_connection_timeout_configure
- os_sudo_timeout_configure
- os_sudoers_timestamp_type_configure
- os_system_read_only
@@ -124,15 +128,14 @@ profile:
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_temporary_or_emergency_accounts_disable
- pwpolicy_upper_case_character_enforce
- section: "systemsettings"
rules:
- system_settings_airplay_receiver_disable

View File

@@ -1,6 +1,6 @@
title: "macOS 13.0: Security Configuration - NIST SP 800-53 Rev 5 Low Impact"
title: "macOS 14.0: Security Configuration - NIST SP 800-53 Rev 5 Low Impact"
description: |
This guide describes the actions to take when securing a macOS 13.0 system against the NIST SP 800-53 Rev 5 Low Impact security baseline.
This guide describes the actions to take when securing a macOS 14.0 system against the NIST SP 800-53 Rev 5 Low Impact security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -50,6 +50,7 @@ profile:
- icloud_bookmarks_disable
- icloud_calendar_disable
- icloud_drive_disable
- icloud_freeform_disable
- icloud_game_center_disable
- icloud_keychain_disable
- icloud_mail_disable
@@ -60,11 +61,11 @@ profile:
- icloud_sync_disable
- section: "macos"
rules:
- os_account_modification_disable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_authenticated_root_enable
- os_bonjour_disable
- os_calendar_app_disable
- os_config_data_install_enforce
- os_config_profile_ui_install_disable
- os_filevault_autologin_disable
@@ -77,6 +78,7 @@ profile:
- os_ir_support_disable
- os_mdm_require
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
@@ -103,14 +105,13 @@ profile:
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_upper_case_character_enforce
- section: "systemsettings"
rules:
- system_settings_airplay_receiver_disable
@@ -177,4 +178,4 @@ profile:
- supplemental_filevault
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
- supplemental_smartcard

View File

@@ -1,6 +1,6 @@
title: "macOS 13.0: Security Configuration - NIST SP 800-53 Rev 5 Moderate Impact"
title: "macOS 14.0: Security Configuration - NIST SP 800-53 Rev 5 Moderate Impact"
description: |
This guide describes the actions to take when securing a macOS 13.0 system against the NIST SP 800-53 Rev 5 Moderate Impact security baseline.
This guide describes the actions to take when securing a macOS 14.0 system against the NIST SP 800-53 Rev 5 Moderate Impact security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -51,6 +51,7 @@ profile:
- icloud_bookmarks_disable
- icloud_calendar_disable
- icloud_drive_disable
- icloud_freeform_disable
- icloud_game_center_disable
- icloud_keychain_disable
- icloud_mail_disable
@@ -61,13 +62,13 @@ profile:
- icloud_sync_disable
- section: "macos"
rules:
- os_account_modification_disable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_asl_log_files_owner_group_configure
- os_asl_log_files_permissions_configure
- os_authenticated_root_enable
- os_bonjour_disable
- os_calendar_app_disable
- os_certificate_authority_trust
- os_config_data_install_enforce
- os_config_profile_ui_install_disable
@@ -86,6 +87,7 @@ profile:
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
@@ -104,9 +106,11 @@ profile:
- os_ssh_fips_compliant
- os_ssh_server_alive_count_max_configure
- os_ssh_server_alive_interval_configure
- os_sshd_channel_timeout_configure
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_unused_connection_timeout_configure
- os_sudo_timeout_configure
- os_sudoers_timestamp_type_configure
- os_system_read_only
@@ -121,15 +125,14 @@ profile:
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_temporary_or_emergency_accounts_disable
- pwpolicy_upper_case_character_enforce
- section: "systemsettings"
rules:
- system_settings_airplay_receiver_disable

View File

@@ -1,165 +0,0 @@
title: "macOS 13.0: Security Configuration - Apple macOS 13 (Ventura) DISA STIG - Ver 1, Rel 1"
description: |
This guide describes the actions to take when securing a macOS 13.0 system against the Apple macOS 13 (Ventura) STIG - Ver 1, Rel 1 security baseline.
authors: |
*macOS Security Compliance Project*
|===
|Dan Brodjieski|National Aeronautics and Space Administration
|Allen Golbig|Jamf
|Bob Gendler|National Institute of Standards and Technology
|===
parent_values: "stig"
profile:
- section: "auditing"
rules:
- audit_acls_files_configure
- audit_acls_folders_configure
- audit_auditd_enabled
- audit_configure_capacity_notify
- audit_failure_halt
- audit_files_group_configure
- audit_files_mode_configure
- audit_files_owner_configure
- audit_flags_aa_configure
- audit_flags_ad_configure
- audit_flags_fd_configure
- audit_flags_fm_configure
- audit_flags_fr_configure
- audit_flags_fw_configure
- audit_flags_lo_configure
- audit_folder_group_configure
- audit_folder_owner_configure
- audit_folders_mode_configure
- audit_settings_failure_notify
- section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- auth_smartcard_certificate_trust_enforce_moderate
- auth_smartcard_enforce
- section: "icloud"
rules:
- icloud_addressbook_disable
- icloud_appleid_preference_pane_disable
- icloud_bookmarks_disable
- icloud_calendar_disable
- icloud_drive_disable
- icloud_keychain_disable
- icloud_mail_disable
- icloud_notes_disable
- icloud_photos_disable
- icloud_reminders_disable
- section: "macos"
rules:
- os_airdrop_disable
- os_anti_virus_installed
- os_appleid_prompt_disable
- os_asl_log_files_owner_group_configure
- os_asl_log_files_permissions_configure
- os_blank_bluray_disable
- os_blank_cd_disable
- os_blank_dvd_disable
- os_bluray_read_only_enforce
- os_bonjour_disable
- os_burn_support_disable
- os_camera_disable
- os_cd_read_only_enforce
- os_certificate_authority_trust
- os_config_data_install_enforce
- os_directory_services_configured
- os_disk_image_disable
- os_dvdram_disable
- os_erase_content_and_settings_disable
- os_filevault_authorized_users
- os_filevault_autologin_disable
- os_firmware_password_require
- os_gatekeeper_enable
- os_handoff_disable
- os_home_folders_default
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_password_proximity_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
- os_privacy_setup_prompt_disable
- os_removable_media_disable
- os_screensaver_loginwindow_enforce
- os_screensaver_timeout_loginwindow_enforce
- os_sip_enable
- os_siri_prompt_disable
- os_skip_screen_time_prompt_enable
- os_skip_unlock_with_watch_enable
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
- os_sshd_fips_140_ciphers
- os_sshd_fips_140_macs
- os_sshd_key_exchange_algorithm_configure
- os_sshd_login_grace_time_configure
- os_sshd_permit_root_login_configure
- os_sudo_timeout_configure
- os_tftpd_disable
- os_time_server_enabled
- os_touchid_prompt_disable
- os_uucp_disable
- section: "passwordpolicy"
rules:
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_temporary_or_emergency_accounts_disable
- section: "systemsettings"
rules:
- system_settings_apple_watch_unlock_disable
- system_settings_assistant_disable
- system_settings_automatic_login_disable
- system_settings_bluetooth_disable
- system_settings_bluetooth_prefpane_disable
- system_settings_diagnostics_reports_disable
- system_settings_filevault_enforce
- system_settings_firewall_enable
- system_settings_firewall_stealth_mode_enable
- system_settings_gatekeeper_identified_developers_allowed
- system_settings_guest_account_disable
- system_settings_hot_corners_disable
- system_settings_improve_siri_dictation_disable
- system_settings_internet_accounts_preference_pane_disable
- system_settings_internet_sharing_disable
- system_settings_location_services_disable
- system_settings_loginwindow_prompt_username_password_enforce
- system_settings_password_hints_disable
- system_settings_rae_disable
- system_settings_screen_sharing_disable
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_password_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_siri_disable
- system_settings_siri_prefpane_disable
- system_settings_smbd_disable
- system_settings_ssh_disable
- system_settings_system_wide_preferences_configure
- system_settings_time_server_configure
- system_settings_time_server_enforce
- system_settings_token_removal_enforce
- system_settings_touch_id_pane_disable
- system_settings_wallet_applepay_prefpane_disable
- system_settings_wallet_applepay_prefpane_hide
- section: "Supplemental"
rules:
- supplemental_controls
- supplemental_filevault
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
- supplemental_stig
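Review bot: this hunk deletes the entire macOS 13 (Ventura) DISA STIG baseline (165 lines), yet the CHANGELOG hunk lists `DISA-STIG` under Added Baselines and nothing under Removed Baselines; confirm that a Sonoma replacement is added in one of the other changed files, or reword the changelog. Note also that the deleted file still references rules this commit removes (`icloud_appleid_preference_pane_disable`, `os_sshd_fips_140_ciphers`, `os_sshd_fips_140_macs`, `os_sshd_key_exchange_algorithm_configure`, `system_settings_bluetooth_prefpane_disable`, `system_settings_firewall_enable`, `system_settings_firewall_stealth_mode_enable`, `system_settings_guest_account_disable`, `system_settings_internet_accounts_preference_pane_disable`, `system_settings_siri_prefpane_disable`, `system_settings_touch_id_pane_disable`, `system_settings_wallet_applepay_prefpane_disable`, `system_settings_wallet_applepay_prefpane_hide`), so any replacement cannot be a straight copy of this file.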

View File

@@ -1,6 +1,6 @@
title: "macOS 13.0: Security Configuration - All Rules"
title: "macOS 14.0: Security Configuration - All Rules"
description: |
This guide describes the actions to take when securing a macOS 13.0 system against the All Rules security baseline.
This guide describes the actions to take when securing a macOS 14.0 system against the All Rules security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -54,11 +54,11 @@ profile:
- section: "icloud"
rules:
- icloud_addressbook_disable
- icloud_appleid_preference_pane_disable
- icloud_appleid_system_settings_disable
- icloud_bookmarks_disable
- icloud_calendar_disable
- icloud_drive_disable
- icloud_freeform_disable
- icloud_game_center_disable
- icloud_keychain_disable
- icloud_mail_disable
@@ -69,6 +69,7 @@ profile:
- icloud_sync_disable
- section: "macos"
rules:
- os_account_modification_disable
- os_airdrop_disable
- os_anti_virus_installed
- os_appleid_prompt_disable
@@ -90,7 +91,6 @@ profile:
- os_directory_services_configured
- os_disk_image_disable
- os_dvdram_disable
- os_efi_integrity_validated
- os_erase_content_and_settings_disable
- os_ess_installed
- os_facetime_app_disable
@@ -103,8 +103,9 @@ profile:
- os_gatekeeper_rearm
- os_guest_folder_removed
- os_handoff_disable
- os_hibernate_mode_apple_silicon_enable
- os_hibernate_mode_destroyfvkeyonstandby_enable
- os_hibernate_mode_enable
- os_hibernate_mode_intel_enable
- os_home_folders_default
- os_home_folders_secure
- os_httpd_disable
@@ -119,6 +120,7 @@ profile:
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_parental_controls_enable
- os_password_autofill_disable
- os_password_hint_remove
@@ -136,13 +138,17 @@ profile:
- os_removable_media_disable
- os_root_disable
- os_safari_advertising_privacy_protection_enable
- os_safari_javascript_enabled
- os_safari_open_safe_downloads_disable
- os_safari_popups_disabled
- os_safari_prevent_cross-site_tracking_enable
- os_safari_show_full_website_address_enable
- os_safari_show_status_bar_enabled
- os_safari_warn_fraudulent_website_enable
- os_screensaver_loginwindow_enforce
- os_screensaver_timeout_loginwindow_enforce
- os_secure_boot_verify
- os_setup_assistant_filevault_enforce
- os_show_filename_extensions_enable
- os_sip_enable
- os_siri_prompt_disable
@@ -152,14 +158,13 @@ profile:
- os_ssh_fips_compliant
- os_ssh_server_alive_count_max_configure
- os_ssh_server_alive_interval_configure
- os_sshd_channel_timeout_configure
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
- os_sshd_fips_140_ciphers
- os_sshd_fips_140_macs
- os_sshd_fips_compliant
- os_sshd_key_exchange_algorithm_configure
- os_sshd_login_grace_time_configure
- os_sshd_permit_root_login_configure
- os_sshd_unused_connection_timeout_configure
- os_sudo_timeout_configure
- os_sudoers_timestamp_type_configure
- os_system_read_only
@@ -180,6 +185,7 @@ profile:
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_max_lifetime_enforce
@@ -198,7 +204,6 @@ profile:
- system_settings_automatic_logout_enforce
- system_settings_bluetooth_disable
- system_settings_bluetooth_menu_enable
- system_settings_bluetooth_prefpane_disable
- system_settings_bluetooth_sharing_disable
- system_settings_cd_dvd_sharing_disable
- system_settings_content_caching_disable
@@ -217,7 +222,6 @@ profile:
- system_settings_improve_siri_dictation_disable
- system_settings_install_macos_updates_enforce
- system_settings_internet_accounts_disable
- system_settings_internet_accounts_preference_pane_disable
- system_settings_internet_sharing_disable
- system_settings_location_services_disable
- system_settings_location_services_enable
@@ -235,7 +239,6 @@ profile:
- system_settings_screensaver_password_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_siri_disable
- system_settings_siri_prefpane_disable
- system_settings_smbd_disable
- system_settings_software_update_app_update_enforce
- system_settings_software_update_download_enforce
@@ -249,12 +252,9 @@ profile:
- system_settings_time_server_configure
- system_settings_time_server_enforce
- system_settings_token_removal_enforce
- system_settings_touch_id_pane_disable
- system_settings_touchid_unlock_disable
- system_settings_usb_restricted_mode
- system_settings_wake_network_access_disable
- system_settings_wallet_applepay_prefpane_disable
- system_settings_wallet_applepay_prefpane_hide
- system_settings_wifi_disable
- system_settings_wifi_menu_enable
- section: "Inherent"
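Review bot: this hunk drops three rule ids from all_rules (12 lines become 9 with nothing added, and system_settings_touch_id_pane_disable, system_settings_wallet_applepay_prefpane_disable and system_settings_wallet_applepay_prefpane_hide are the only non-context candidates), but the baseline shown at the top of this page still lists all three under its systemsettings section. Since all_rules is described as the catalog of every setting, either those ids still exist and belong here as well, or the other baseline is now referencing rules that no longer exist; please confirm that file removes them too.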
@@ -342,4 +342,3 @@ profile:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
- supplemental_stig
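Review bot: supplemental_stig is removed from all_rules here (4 lines become 3 and the list now ends at supplemental_smartcard), yet the Supplemental list at the top of this page still carries supplemental_stig. If the STIG supplemental is being retired for Sonoma, which the rule files further down suggest by setting disa_stig to N/A and dropping the stig tag, the same line should go from that baseline as well; otherwise all_rules is no longer a superset of the other profiles.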

View File

@@ -1,6 +1,6 @@
title: "macOS 13.0: Security Configuration - CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1)"
title: "macOS 14.0: Security Configuration - CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1)"
description: |
This guide describes the actions to take when securing a macOS 13.0 system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1) security baseline.
This guide describes the actions to take when securing a macOS 14.0 system against the CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1) security baseline.
authors: |
*macOS Security Compliance Project*
@@ -31,24 +31,29 @@ profile:
- section: "macos"
rules:
- os_airdrop_disable
- os_anti_virus_installed
- os_authenticated_root_enable
- os_config_data_install_enforce
- os_efi_integrity_validated
- os_firewall_log_enable
- os_gatekeeper_enable
- os_guest_folder_removed
- os_home_folders_secure
- os_httpd_disable
- os_install_log_retention_configure
- os_mdm_require
- os_mobile_file_integrity_enable
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_password_hint_remove
- os_power_nap_disable
- os_root_disable
- os_safari_advertising_privacy_protection_enable
- os_safari_javascript_enabled
- os_safari_open_safe_downloads_disable
- os_safari_popups_disabled
- os_safari_prevent_cross-site_tracking_enable
- os_safari_show_full_website_address_enable
- os_safari_show_status_bar_enabled
- os_safari_warn_fraudulent_website_enable
- os_show_filename_extensions_enable
- os_sip_enable
@@ -63,6 +68,7 @@ profile:
- section: "passwordpolicy"
rules:
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_history_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
@@ -106,7 +112,6 @@ profile:
- section: "Supplemental"
rules:
- supplemental_cis_manual
- supplemental_controls
- supplemental_filevault
- supplemental_firewall_pf
- supplemental_password_policy
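Review bot: supplemental_controls is dropped from the CIS Level 1 Supplemental list (7 lines become 6) with no rationale visible in the diff, while the all_rules Supplemental list above keeps it. A one-line explanation in the commit or the rule's own file would help, since this is the only supplemental entry whose membership changes between the two baselines.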

View File

@@ -1,6 +1,6 @@
title: "macOS 13.0: Security Configuration - CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2)"
title: "macOS 14.0: Security Configuration - CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2)"
description: |
This guide describes the actions to take when securing a macOS 13.0 system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2) security baseline.
This guide describes the actions to take when securing a macOS 14.0 system against the CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2) security baseline.
authors: |
*macOS Security Compliance Project*
@@ -41,28 +41,34 @@ profile:
- section: "macos"
rules:
- os_airdrop_disable
- os_anti_virus_installed
- os_authenticated_root_enable
- os_bonjour_disable
- os_config_data_install_enforce
- os_efi_integrity_validated
- os_firewall_log_enable
- os_gatekeeper_enable
- os_guest_folder_removed
- os_hibernate_mode_apple_silicon_enable
- os_hibernate_mode_destroyfvkeyonstandby_enable
- os_hibernate_mode_enable
- os_hibernate_mode_intel_enable
- os_home_folders_secure
- os_httpd_disable
- os_install_log_retention_configure
- os_mdm_require
- os_mobile_file_integrity_enable
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_password_hint_remove
- os_policy_banner_loginwindow_enforce
- os_power_nap_disable
- os_root_disable
- os_safari_advertising_privacy_protection_enable
- os_safari_javascript_enabled
- os_safari_open_safe_downloads_disable
- os_safari_popups_disabled
- os_safari_prevent_cross-site_tracking_enable
- os_safari_show_full_website_address_enable
- os_safari_show_status_bar_enabled
- os_safari_warn_fraudulent_website_enable
- os_show_filename_extensions_enable
- os_sip_enable
@@ -78,13 +84,13 @@ profile:
- section: "passwordpolicy"
rules:
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_special_character_enforce
- pwpolicy_upper_case_character_enforce
- section: "systemsettings"
rules:
- system_settings_airplay_receiver_disable
@@ -132,8 +138,7 @@ profile:
- section: "Supplemental"
rules:
- supplemental_cis_manual
- supplemental_controls
- supplemental_filevault
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
- supplemental_smartcard
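Review bot: the two identical `- supplemental_smartcard` lines at the end of this hunk are a trailing-newline or whitespace-only change; the substantive change is that supplemental_controls leaves the Level 2 list, matching the Level 1 file. Consider normalising end-of-file newlines across all baseline files in one sweep so these noise lines stop showing up in content commits (the same pattern appears in the CIS Controls v8 and CNSSI High files below).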

View File

@@ -1,6 +1,6 @@
title: "macOS 13.0: Security Configuration - CIS Controls Version 8"
title: "macOS 14.0: Security Configuration - CIS Controls Version 8"
description: |
This guide describes the actions to take when securing a macOS 13.0 system against the CIS Controls Version 8 security baseline.
This guide describes the actions to take when securing a macOS 14.0 system against the CIS Controls Version 8 security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -53,6 +53,7 @@ profile:
- icloud_bookmarks_disable
- icloud_calendar_disable
- icloud_drive_disable
- icloud_freeform_disable
- icloud_game_center_disable
- icloud_keychain_disable
- icloud_mail_disable
@@ -62,22 +63,23 @@ profile:
- icloud_sync_disable
- section: "macos"
rules:
- os_account_modification_disable
- os_airdrop_disable
- os_anti_virus_installed
- os_appleid_prompt_disable
- os_authenticated_root_enable
- os_bonjour_disable
- os_calendar_app_disable
- os_config_data_install_enforce
- os_directory_services_configured
- os_efi_integrity_validated
- os_ess_installed
- os_filevault_autologin_disable
- os_firewall_log_enable
- os_gatekeeper_enable
- os_gatekeeper_rearm
- os_handoff_disable
- os_hibernate_mode_apple_silicon_enable
- os_hibernate_mode_destroyfvkeyonstandby_enable
- os_hibernate_mode_enable
- os_hibernate_mode_intel_enable
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
@@ -87,6 +89,7 @@ profile:
- os_mdm_require
- os_mobile_file_integrity_enable
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_password_autofill_disable
- os_password_hint_remove
- os_password_proximity_disable
@@ -95,9 +98,12 @@ profile:
- os_privacy_setup_prompt_disable
- os_root_disable
- os_safari_advertising_privacy_protection_enable
- os_safari_javascript_enabled
- os_safari_open_safe_downloads_disable
- os_safari_popups_disabled
- os_safari_prevent_cross-site_tracking_enable
- os_safari_show_full_website_address_enable
- os_safari_show_status_bar_enabled
- os_safari_warn_fraudulent_website_enable
- os_show_filename_extensions_enable
- os_sip_enable
@@ -121,14 +127,13 @@ profile:
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_upper_case_character_enforce
- section: "systemsettings"
rules:
- system_settings_airplay_receiver_disable
@@ -197,8 +202,7 @@ profile:
- os_access_control_mobile_devices
- section: "Supplemental"
rules:
- supplemental_controls
- supplemental_filevault
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
- supplemental_smartcard

View File

@@ -1,6 +1,6 @@
title: "macOS 13.0: Security Configuration - US CMMC 2.0 Level 1"
title: "macOS 14.0: Security Configuration - US CMMC 2.0 Level 1"
description: |
This guide describes the actions to take when securing a macOS 13.0 system against the US CMMC 2.0 Level 1 security baseline.
This guide describes the actions to take when securing a macOS 14.0 system against the US CMMC 2.0 Level 1 security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -26,6 +26,7 @@ profile:
- icloud_bookmarks_disable
- icloud_calendar_disable
- icloud_drive_disable
- icloud_freeform_disable
- icloud_game_center_disable
- icloud_keychain_disable
- icloud_mail_disable
@@ -36,6 +37,7 @@ profile:
- icloud_sync_disable
- section: "macos"
rules:
- os_account_modification_disable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_authenticated_root_enable
@@ -50,6 +52,7 @@ profile:
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_rapid_security_response_allow
- os_rapid_security_response_removal_disable
- os_recovery_lock_enable
@@ -88,6 +91,9 @@ profile:
rules:
- os_logical_access
- os_malicious_code_prevention
- section: "Permanent"
rules:
- os_auth_peripherals
- section: "Supplemental"
rules:
- supplemental_controls

View File

@@ -1,6 +1,6 @@
title: "macOS 13.0: Security Configuration - US CMMC 2.0 Level 2"
title: "macOS 14.0: Security Configuration - US CMMC 2.0 Level 2"
description: |
This guide describes the actions to take when securing a macOS 13.0 system against the US CMMC 2.0 Level 2 security baseline.
This guide describes the actions to take when securing a macOS 14.0 system against the US CMMC 2.0 Level 2 security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -57,6 +57,7 @@ profile:
- icloud_bookmarks_disable
- icloud_calendar_disable
- icloud_drive_disable
- icloud_freeform_disable
- icloud_game_center_disable
- icloud_keychain_disable
- icloud_mail_disable
@@ -67,6 +68,7 @@ profile:
- icloud_sync_disable
- section: "macos"
rules:
- os_account_modification_disable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_authenticated_root_enable
@@ -97,6 +99,7 @@ profile:
- os_ir_support_disable
- os_mdm_require
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_password_autofill_disable
- os_password_hint_remove
- os_password_proximity_disable
@@ -111,6 +114,7 @@ profile:
- os_recovery_lock_enable
- os_removable_media_disable
- os_root_disable
- os_screensaver_loginwindow_enforce
- os_sip_enable
- os_siri_prompt_disable
- os_skip_screen_time_prompt_enable
@@ -118,11 +122,12 @@ profile:
- os_ssh_fips_compliant
- os_ssh_server_alive_count_max_configure
- os_ssh_server_alive_interval_configure
- os_sshd_channel_timeout_configure
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_key_exchange_algorithm_configure
- os_sshd_login_grace_time_configure
- os_sshd_unused_connection_timeout_configure
- os_tftpd_disable
- os_time_server_enabled
- os_touchid_prompt_disable
@@ -135,14 +140,13 @@ profile:
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_upper_case_character_enforce
- section: "systemsettings"
rules:
- system_settings_airplay_receiver_disable
@@ -163,6 +167,8 @@ profile:
- system_settings_gatekeeper_override_disallow
- system_settings_guest_access_smb_disable
- system_settings_guest_account_disable
- system_settings_hot_corners_disable
- system_settings_hot_corners_secure
- system_settings_improve_siri_dictation_disable
- system_settings_internet_accounts_disable
- system_settings_internet_sharing_disable
@@ -199,6 +205,7 @@ profile:
- os_prevent_priv_functions
- os_prevent_unauthorized_disclosure
- os_prohibit_remote_activation_collab_devices
- os_secure_enclave
- os_separate_functionality
- os_store_encrypted_passwords
- os_unique_identification
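Review bot: os_secure_enclave is added (6 lines become 7) alongside the inherent rules such as os_prevent_priv_functions and os_unique_identification, but Secure Enclave presence is hardware-dependent: Sonoma still runs on Intel Macs without a T2 chip, and those have no Secure Enclave at all. Treating it as inherently satisfied is only true on Apple silicon or T2 hardware, so either the rule discussion should state that assumption or the CMMC Level 2 baseline should note that it applies to that hardware class only.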
@@ -206,6 +213,7 @@ profile:
- section: "Permanent"
rules:
- audit_records_processing
- os_auth_peripherals
- system_settings_wifi_disable_when_connected_to_ethernet
- section: "not_applicable"
rules:

View File

@@ -1,6 +1,6 @@
title: "macOS 13.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (High)"
title: "macOS 14.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (High)"
description: |
This guide describes the actions to take when securing a macOS 13.0 system against the Committee on National Security Systems Instruction No. 1253 (High) security baseline.
This guide describes the actions to take when securing a macOS 14.0 system against the Committee on National Security Systems Instruction No. 1253 (High) security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -15,7 +15,6 @@ parent_values: "recommended"
profile:
- section: "auditing"
rules:
- audit_acls_files_configure
- audit_acls_folders_configure
- audit_auditd_enabled
- audit_configure_capacity_notify
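Review bot: this hunk removes one line from the CNSSI-1253 High auditing list (7 lines become 6) and, going by the audit_acls_files_configure rule file below losing its cnssi-1253_high tag, the removed line is audit_acls_files_configure, while audit_acls_folders_configure stays on the next line. The two rules are a pair (no ACLs on audit_control, no ACLs on the audit folder), so dropping only the file-level one from the High baseline looks like an oversight unless a mapping change justifies it.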
@@ -57,6 +56,7 @@ profile:
- icloud_bookmarks_disable
- icloud_calendar_disable
- icloud_drive_disable
- icloud_freeform_disable
- icloud_game_center_disable
- icloud_keychain_disable
- icloud_mail_disable
@@ -67,6 +67,7 @@ profile:
- icloud_sync_disable
- section: "macos"
rules:
- os_account_modification_disable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_asl_log_files_owner_group_configure
@@ -78,6 +79,7 @@ profile:
- os_bluray_read_only_enforce
- os_bonjour_disable
- os_burn_support_disable
- os_calendar_app_disable
- os_cd_read_only_enforce
- os_certificate_authority_trust
- os_config_data_install_enforce
@@ -105,6 +107,7 @@ profile:
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_parental_controls_enable
- os_password_autofill_disable
- os_password_hint_remove
@@ -129,12 +132,13 @@ profile:
- os_ssh_fips_compliant
- os_ssh_server_alive_count_max_configure
- os_ssh_server_alive_interval_configure
- os_sshd_channel_timeout_configure
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_key_exchange_algorithm_configure
- os_sshd_login_grace_time_configure
- os_sshd_permit_root_login_configure
- os_sshd_unused_connection_timeout_configure
- os_sudoers_timestamp_type_configure
- os_system_read_only
- os_tftpd_disable
@@ -149,15 +153,14 @@ profile:
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_temporary_or_emergency_accounts_disable
- pwpolicy_upper_case_character_enforce
- section: "systemsettings"
rules:
- system_settings_airplay_receiver_disable
@@ -270,4 +273,4 @@ profile:
- supplemental_filevault
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
- supplemental_smartcard

View File

@@ -1,6 +1,6 @@
title: "macOS 13.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Low)"
title: "macOS 14.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Low)"
description: |
This guide describes the actions to take when securing a macOS 13.0 system against the Committee on National Security Systems Instruction No. 1253 (Low) security baseline.
This guide describes the actions to take when securing a macOS 14.0 system against the Committee on National Security Systems Instruction No. 1253 (Low) security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -57,6 +57,7 @@ profile:
- icloud_bookmarks_disable
- icloud_calendar_disable
- icloud_drive_disable
- icloud_freeform_disable
- icloud_game_center_disable
- icloud_keychain_disable
- icloud_mail_disable
@@ -67,6 +68,7 @@ profile:
- icloud_sync_disable
- section: "macos"
rules:
- os_account_modification_disable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_asl_log_files_owner_group_configure
@@ -78,6 +80,7 @@ profile:
- os_bluray_read_only_enforce
- os_bonjour_disable
- os_burn_support_disable
- os_calendar_app_disable
- os_cd_read_only_enforce
- os_certificate_authority_trust
- os_config_data_install_enforce
@@ -104,6 +107,7 @@ profile:
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_parental_controls_enable
- os_password_autofill_disable
- os_password_hint_remove
@@ -127,12 +131,13 @@ profile:
- os_ssh_fips_compliant
- os_ssh_server_alive_count_max_configure
- os_ssh_server_alive_interval_configure
- os_sshd_channel_timeout_configure
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_key_exchange_algorithm_configure
- os_sshd_login_grace_time_configure
- os_sshd_permit_root_login_configure
- os_sshd_unused_connection_timeout_configure
- os_sudoers_timestamp_type_configure
- os_system_read_only
- os_tftpd_disable
@@ -146,14 +151,13 @@ profile:
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_upper_case_character_enforce
- section: "systemsettings"
rules:
- system_settings_airplay_receiver_disable

View File

@@ -1,6 +1,6 @@
title: "macOS 13.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Moderate)"
title: "macOS 14.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Moderate)"
description: |
This guide describes the actions to take when securing a macOS 13.0 system against the Committee on National Security Systems Instruction No. 1253 (Moderate) security baseline.
This guide describes the actions to take when securing a macOS 14.0 system against the Committee on National Security Systems Instruction No. 1253 (Moderate) security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -57,6 +57,7 @@ profile:
- icloud_bookmarks_disable
- icloud_calendar_disable
- icloud_drive_disable
- icloud_freeform_disable
- icloud_game_center_disable
- icloud_keychain_disable
- icloud_mail_disable
@@ -67,6 +68,7 @@ profile:
- icloud_sync_disable
- section: "macos"
rules:
- os_account_modification_disable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_asl_log_files_owner_group_configure
@@ -78,6 +80,7 @@ profile:
- os_bluray_read_only_enforce
- os_bonjour_disable
- os_burn_support_disable
- os_calendar_app_disable
- os_cd_read_only_enforce
- os_certificate_authority_trust
- os_config_data_install_enforce
@@ -104,6 +107,7 @@ profile:
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_parental_controls_enable
- os_password_autofill_disable
- os_password_hint_remove
@@ -120,6 +124,7 @@ profile:
- os_removable_media_disable
- os_root_disable
- os_screensaver_loginwindow_enforce
- os_screensaver_timeout_loginwindow_enforce
- os_secure_boot_verify
- os_sip_enable
- os_siri_prompt_disable
@@ -128,12 +133,13 @@ profile:
- os_ssh_fips_compliant
- os_ssh_server_alive_count_max_configure
- os_ssh_server_alive_interval_configure
- os_sshd_channel_timeout_configure
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_key_exchange_algorithm_configure
- os_sshd_login_grace_time_configure
- os_sshd_permit_root_login_configure
- os_sshd_unused_connection_timeout_configure
- os_sudoers_timestamp_type_configure
- os_system_read_only
- os_tftpd_disable
@@ -148,15 +154,14 @@ profile:
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_temporary_or_emergency_accounts_disable
- pwpolicy_upper_case_character_enforce
- section: "systemsettings"
rules:
- system_settings_airplay_receiver_disable

View File

@@ -4,9 +4,9 @@
enable_macos_application_firewall () {
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on
}
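Review bot: the repeated `--setloggingopt detail` and `--setallowsignedapp on` lines are whitespace-only changes, so no behaviour changes in this hunk, but it is worth flagging `--setallowsignedapp on` while the file is open: it tells the application firewall to automatically accept inbound connections for any signed downloaded application, which is broader than `--setallowsigned on` on the preceding line (built-in Apple-signed software only). For a hardening script, document that choice or default it to off and let sites opt in.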
@@ -35,7 +35,7 @@ enable_pf_firewall_with_macsec_rules () {
launchctl enable system/macsec.pfctl
launchctl bootstrap system $macsec_pfctl_plist
pfctl -f /etc/pf.conf 2> /dev/null #flush the pf ruleset (reload the rules)
pfctl -f /etc/pf.conf 2> /dev/null #flush the pf ruleset (reload the rules)
}
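Review bot: the comment on the `pfctl -f /etc/pf.conf` line says "flush the pf ruleset", but `-f` loads the ruleset from the file (`-F` is the flush option); more importantly the `2> /dev/null` discards pfctl's parse errors, so a broken /etc/pf.conf or anchor file leaves the previous rules in place with no indication to the caller. Suggest dropping the redirect or checking the exit status and logging it, and correcting the comment. The change in this hunk itself is whitespace-only.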
@@ -147,7 +147,7 @@ block log proto tcp to any port 540
ENDCONFIG
}
####
####
enable_macos_application_firewall
create_macsec_pf_anchors

View File

@@ -1,6 +1,6 @@
---
authors:
all_rules:
all_rules:
names:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
@@ -10,7 +10,7 @@ authors:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
800-53r5_moderate:
800-53r5_moderate:
names:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
@@ -20,12 +20,12 @@ authors:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
800-171:
800-171:
names:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
cis_lvl1:
cis_lvl1:
preamble: The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®)
names:
- Edward Byrd|Center for Internet Security
@@ -72,22 +72,22 @@ authors:
- Ekkehard Koch|
- Bob Gendler|National Institute of Standards and Technology
stig:
names:
names:
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
- Bob Gendler|National Institute of Standards and Technology
- Bob Gendler|National Institute of Standards and Technology
titles:
all_rules: All Rules
800-53r5_high: NIST SP 800-53 Rev 5 High Impact
800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact
800-53r5_low: NIST SP 800-53 Rev 5 Low Impact
800-171: NIST 800-171 Rev 2
cis_lvl1: CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1)
cis_lvl2: CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2)
cis_lvl1: CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1)
cis_lvl2: CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2)
cmmc_lvl1: US CMMC 2.0 Level 1
cmmc_lvl2: US CMMC 2.0 Level 2
cisv8: CIS Controls Version 8
cnssi-1253_low: Committee on National Security Systems Instruction No. 1253 (Low)
cnssi-1253_moderate: Committee on National Security Systems Instruction No. 1253 (Moderate)
cnssi-1253_high: Committee on National Security Systems Instruction No. 1253 (High)
stig: Apple macOS 13 (Ventura) STIG - Ver 1, Rel 1
stig: Apple macOS 14 (Sonoma) STIG - Ver 1, Rel 1
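Review bot: the stig title is changed to "Apple macOS 14 (Sonoma) STIG - Ver 1, Rel 1", but the rule hunks later in this commit set `disa_stig` to N/A and remove the `stig` tag (see the audit rules below). A stig baseline title that names a specific version and release while every rule mapping is N/A will generate an empty or misleading guide; either use a placeholder title stating that the Sonoma STIG mappings are pending, or leave the stig entry out until they are populated.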

View File

@@ -1,4 +1,4 @@
payloads_types:
payloads_types:
- com.apple.ADCertificate.managed
- com.apple.AIM.account
- com.apple.AssetCache.managed

View File

@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- CCE-91701-3
- CCE-92701-2
cci:
- CCI-000162
- CCI-001314
@@ -27,7 +27,7 @@ references:
- SRG-OS-000057-GPOS-00027
- SRG-OS-000206-GPOS-00084
disa_stig:
- APPL-13-000030
- N/A
800-171r2:
- 3.3.8
cis:
@@ -38,7 +38,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r4_low
@@ -52,9 +52,7 @@ tags:
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:
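Review bot: besides the CCE renumbering and the STIG references going to N/A, this tags hunk removes two lines (9 become 7): `stig`, and by the CNSSI High baseline hunk above, `cnssi-1253_high`, while the sibling audit_acls_folders_configure rule below keeps its cnssi-1253_high tag and loses only `stig`. If the asymmetry is deliberate, a sentence in the rule discussion would save the next reader the same cross-check; if not, the tag should be restored here and in the High baseline.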

View File

@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- CCE-91702-1
- CCE-92702-0
cci:
- CCI-000162
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- APPL-13-000031
- N/A
800-171r2:
- 3.3.8
cis:
@@ -36,7 +36,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -52,7 +52,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -8,7 +8,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- CCE-91703-9
- CCE-92703-8
cci:
- N/A
800-53r5:
@@ -20,7 +20,7 @@ references:
srg:
- N/A
macOS:
- "13.0"
- "14.0"
tags:
- permanent
mobileconfig: false

View File

@@ -9,10 +9,11 @@ discussion: |
The information system initiates session audits at system start-up.
NOTE: Security auditing is enabled by default on macOS.
NOTE: Security auditing is NOT enabled by default on macOS Sonoma.
check: |
LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]]; then
AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")
if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then
echo "pass"
else
echo "fail"
@@ -22,21 +23,17 @@ result:
fix: |
[source,bash]
----
LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
if [[ ! $LAUNCHD_RUNNING == 1 ]]; then
/bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
fi
if [[ ! -e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]];then
/bin/cp /etc/security/audit_control.example /etc/security/audit_control
else
/usr/bin/touch /etc/security/audit_control
fi
/bin/launchctl enable system/com.apple.auditd
/bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist
/usr/sbin/audit -i
----
references:
cce:
- CCE-91704-7
- CCE-92704-6
cci:
- CCI-000130
- CCI-000131
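Review bot: the new fix no longer creates /etc/security/audit_control (the `cp audit_control.example` and `touch` branch is gone), but the check at the top of this rule still requires `-e /etc/security/audit_control` and now also a running auditd. Unless `audit -i` is known to create the control file on Sonoma, a host without that file will still be reported as failing after the fix runs; either keep the existence check in the fix or state in the discussion that `audit -i` supplies the file. Also, `launchctl bootstrap` reports an error when the service is already loaded, so the unconditional `enable`/`bootstrap` pair should tolerate that case the way the removed `if` guard did.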
@@ -60,7 +57,7 @@ references:
- AU-12(3)
- AU-14(1)
- MA-4(1)
- CM-5(1)
- CM-5(1)
800-53r4:
- AU-3
- AU-3(1)
@@ -84,7 +81,7 @@ references:
- SRG-OS-000358-GPOS-00145
- SRG-OS-000359-GPOS-00146
disa_stig:
- APPL-13-001003
- N/A
800-171r2:
- 3.3.1
- 3.3.2
@@ -99,7 +96,7 @@ references:
- AU.L2-3.3.2
- AU.L2-3.3.6
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -115,7 +112,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -1,7 +1,7 @@
id: audit_configure_capacity_notify
title: "Configure Audit Capacity Warning"
discussion: |
The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value.
The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value.
This rule ensures that the system administrator is notified in advance that action is required to free up more disk space for audit logs.
check: |
@@ -11,34 +11,33 @@ result:
fix: |
[source,bash]
----
/usr/bin/sed -i.bak 's/.*minfree.*/minfree:$ODV/' /etc/security/audit_control; /usr/sbin/audit -s
/usr/bin/sed -i.bak 's/.*minfree.*/minfree:$ODV/' /etc/security/audit_control; /usr/sbin/audit -s
----
references:
cce:
- CCE-91705-4
- CCE-92705-3
cci:
- CCI-001855
800-53r5:
- AU-5(1)
800-53r4:
800-53r4:
- AU-5(1)
srg:
- SRG-OS-000343-GPOS-00134
disa_stig:
- APPL-13-001030
- N/A
macOS:
- "13.0"
- "14.0"
odv:
hint: "Percentage of free space."
recommended: 25
stig: 25
tags:
- 800-53r5_high
- 800-53r5_high
- 800-53r4_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- stig
severity: "medium"
severity: "low"
mobileconfig: false
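Review bot: this hunk sets `disa_stig` to N/A and lowers `severity` from "medium" to "low" but keeps the `- stig` tag (and the `stig: 25` ODV), whereas the other rules in this commit that drop their APPL-13 STIG ID also remove `- stig` from `tags`; either remove the tag here as well for consistency, or keep the STIG mapping. The severity downgrade has no stated rationale in the diff and, with no STIG ID left to derive it from, should say where the new value comes from.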

View File

@@ -4,7 +4,7 @@ discussion: |
/etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs).
check: |
/bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":"
result:
result:
integer: 0
fix: |
[source,bash]
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- CCE-91706-2
- CCE-92706-1
cci:
- N/A
800-53r5:
@@ -34,7 +34,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- "13.0"
- "14.0"
tags:
- cis_lvl1
- cis_lvl2

View File

@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- CCE-91707-0
- CCE-92707-9
cci:
- N/A
800-53r5:
@@ -34,7 +34,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- "13.0"
- "14.0"
tags:
- cis_lvl1
- cis_lvl2

View File

@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- CCE-91708-8
- CCE-92708-7
cci:
- N/A
800-53r5:
@@ -34,7 +34,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- "13.0"
- "14.0"
tags:
- cis_lvl1
- cis_lvl2

View File

@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- CCE-91709-6
- CCE-92709-5
cci:
- N/A
800-53r5:
@@ -34,7 +34,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- "13.0"
- "14.0"
tags:
- cis_lvl1
- cis_lvl2

View File

@@ -2,17 +2,17 @@ id: audit_enforce_dual_auth
title: "Enforce Dual Authorization for Movement and Deletion of Audit Information"
discussion: |
All bulk manipulation of audit information should be authorized via automatic processes, and any manual manipulation of audit information should require dual authorization. In addition, dual authorization mechanisms should require the approval of two authorized individuals before being executed.
An authorized user may intentionally or accidentally move or delete audit records without those specific actions being authorized, which would result in the loss of information that could, in the future, be critical for forensic investigation.
To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- CCE-91710-4
- CCE-92710-3
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
srg:
- N/A
macOS:
- "13.0"
- "14.0"
tags:
- permanent
- cnssi-1253_high

View File

@@ -1,11 +1,11 @@
id: audit_failure_halt
title: "Configure System to Shut Down Upon Audit Failure"
discussion: |
The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events.
The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events.
Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
check: |
/usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'
/usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'
result:
integer: 1
fix: |
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- CCE-91711-2
- CCE-92711-1
cci:
- CCI-000140
800-53r5:
@@ -25,26 +25,25 @@ references:
srg:
- SRG-OS-000047-GPOS-00023
disa_stig:
- APPL-13-001010
- N/A
800-171r2:
- 3.3.4
cmmc:
- AU.L2-3.3.4
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -3,7 +3,7 @@ title: "Configure Audit Log Files Group to Wheel"
discussion: |
Audit log files _MUST_ have the group set to wheel.
The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
check: |
@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- CCE-91712-0
- CCE-92712-9
cci:
- CCI-000162
800-53r5:
@@ -27,7 +27,7 @@ references:
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- APPL-13-001014
- N/A
800-171r2:
- 3.3.8
cis:
@@ -38,7 +38,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -54,7 +54,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -1,7 +1,7 @@
id: audit_files_mode_configure
title: "Configure Audit Log Files to Mode 440 or Less Permissive"
discussion: |
The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
check: |
/bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
result:
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- CCE-91713-8
- CCE-92713-7
cci:
- CCI-000162
800-53r5:
@@ -23,7 +23,7 @@ references:
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- APPL-13-001016
- N/A
800-171r2:
- 3.3.8
cis:
@@ -34,7 +34,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -50,7 +50,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -1,5 +1,5 @@
id: audit_files_owner_configure
title: "Configure Audit Log Files to be Owned by Root"
title: "Configure Audit Log Files to be Owned by Root"
discussion: |
Audit log files _MUST_ be owned by root.
@@ -7,7 +7,7 @@ discussion: |
Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.
check: |
/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'
/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'
result:
integer: 0
fix: |
@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- CCE-91714-6
- CCE-92714-5
cci:
- CCI-000162
800-53r5:
@@ -27,7 +27,7 @@ references:
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- APPL-13-001012
- N/A
800-171r2:
- 3.3.8
cis:
@@ -38,7 +38,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -54,7 +54,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -2,9 +2,9 @@ id: audit_flags_aa_configure
title: "Configure System to Audit All Authorization and Authentication Events"
discussion: |
The auditing system _MUST_ be configured to flag authorization and authentication (aa) events.
Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events.
Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events.
Audit records can be generated from various components within the information system (e.g., via a module or policy filter).
check: |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'aa'
@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- CCE-91715-3
- CCE-92715-2
cci:
- CCI-000172
800-53r5:
@@ -36,7 +36,7 @@ references:
- SRG-OS-000473-GPOS-00218
- SRG-OS-000475-GPOS-00220
disa_stig:
- APPL-13-001044
- N/A
800-171r2:
- 3.3.1
- 3.3.2
@@ -52,23 +52,22 @@ references:
- AU.L2-3.3.6
- SI.L2-3.14.3
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_privacy
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- 800-53r5_privacy
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cis_lvl2
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -21,7 +21,7 @@ fix: |
----
references:
cce:
- CCE-91716-1
- CCE-92716-0
cci:
- CCI-000018
- CCI-000172
@@ -56,7 +56,7 @@ references:
- SRG-OS-000476-GPOS-00221
- SRG-OS-000477-GPOS-00222
disa_stig:
- APPL-13-001001
- N/A
800-171r2:
- 3.1.7
- 3.3.1
@@ -73,7 +73,7 @@ references:
- AU.L2-3.3.6
- SI.L2-3.14.3
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_privacy
- 800-53r4_low
@@ -89,7 +89,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -3,9 +3,9 @@ title: "Configure System to Audit All Failed Program Execution on the System"
discussion: |
The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts.
Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes).
This configuration ensures that audit lists include events in which program execution has failed.
Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes).
This configuration ensures that audit lists include events in which program execution has failed.
Without auditing the enforcement of program execution, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
check: |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-ex'
@@ -18,9 +18,9 @@ fix: |
----
references:
cce:
- CCE-91718-7
- CCE-92717-8
cci:
- N/A
- N/A
800-53r5:
- AC-2(12)
- AU-12
@@ -47,9 +47,9 @@ references:
cmmc:
- AU.L2-3.3.3
- AU.L2-3.3.6
- SI.L2-3.14.3
- SI.L2-3.14.3
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_privacy
- 800-53r4_low

View File

@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- CCE-91719-5
- CCE-92718-6
cci:
- CCI-000172
- CCI-001814
@@ -48,7 +48,7 @@ references:
- SRG-OS-000468-GPOS-00212
- SRG-OS-000474-GPOS-00219
disa_stig:
- APPL-13-001020
- N/A
800-171r2:
- N/A
cmmc:
@@ -57,7 +57,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_privacy
- 800-53r5_low
@@ -67,7 +67,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -1,11 +1,11 @@
id: audit_flags_fm_configure
title: "Configure System to Audit All Changes of Object Attributes"
discussion: |
The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm).
The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm).
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., modifications to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions attempts to modify a file.
This configuration ensures that audit lists include events in which enforcement actions attempts to modify a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
check: |
@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- CCE-91720-3
- CCE-92719-4
cci:
- CCI-000172
- CCI-001814
@@ -48,7 +48,7 @@ references:
- SRG-OS-000468-GPOS-00212
- SRG-OS-000474-GPOS-00219
disa_stig:
- APPL-13-001020
- N/A
800-171r2:
- N/A
cmmc:
@@ -57,13 +57,12 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- "13.0"
- "14.0"
tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -1,11 +1,11 @@
id: audit_flags_fm_failed_configure
title: "Configure System to Audit All Failed Change of Object Attributes"
discussion: |
The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm).
The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm).
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file.
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
check: |
@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- CCE-91721-1
- CCE-92720-2
cci:
- N/A
800-53r5:
@@ -29,13 +29,13 @@ references:
- AU-9
- CM-5(1)
- MA-4(1)
800-53r4:
- AU-2
800-53r4:
- AU-2
- AU-12
- AU-9
- CM-5(1)
- MA-4(1)
srg:
srg:
- N/A
disa_stig:
- N/A
@@ -56,7 +56,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_privacy
- 800-53r5_low

View File

@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- CCE-91722-9
- CCE-92721-0
cci:
- CCI-000172
- CCI-001814
@@ -48,7 +48,7 @@ references:
- SRG-OS-000468-GPOS-00212
- SRG-OS-000474-GPOS-00219
disa_stig:
- APPL-13-001020
- N/A
800-171r2:
- 3.3.1
- 3.3.2
@@ -66,7 +66,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_privacy
- 800-53r4_low
@@ -82,7 +82,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- CCE-91723-7
- CCE-92722-8
cci:
- CCI-000172
- CCI-001814
@@ -48,7 +48,7 @@ references:
- SRG-OS-000468-GPOS-00212
- SRG-OS-000474-GPOS-00219
disa_stig:
- APPL-13-001020
- N/A
800-171r2:
- 3.3.1
- 3.3.2
@@ -66,7 +66,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_privacy
- 800-53r4_low
@@ -82,7 +82,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- CCE-91724-5
- CCE-92723-6
cci:
- CCI-000067
- CCI-000172
@@ -36,7 +36,7 @@ references:
- SRG-OS-000032-GPOS-00013
- SRG-OS-000462-GPOS-00206
disa_stig:
- APPL-13-001002
- N/A
800-171r2:
- 3.1.12
- 3.3.1
@@ -54,7 +54,7 @@ references:
- AU.L2-3.3.6
- SI.L2-3.14.3
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_privacy
- 800-53r4_low
@@ -70,7 +70,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -3,7 +3,7 @@ title: "Configure Audit Log Folders Group to Wheel"
discussion: |
Audit log files _MUST_ have the group set to wheel.
The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
check: |
@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- CCE-91725-2
- CCE-92724-4
cci:
- CCI-000162
800-53r5:
@@ -27,7 +27,7 @@ references:
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- APPL-13-001015
- N/A
800-171r2:
- 3.3.8
cis:
@@ -38,7 +38,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -54,7 +54,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -1,5 +1,5 @@
id: audit_folder_owner_configure
title: "Configure Audit Log Folders to be Owned by Root"
title: "Configure Audit Log Folders to be Owned by Root"
discussion: |
Audit log folders _MUST_ be owned by root.
@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- CCE-91726-0
- CCE-92725-1
cci:
- CCI-000162
800-53r5:
@@ -27,7 +27,7 @@ references:
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- APPL-13-001013
- N/A
800-171r2:
- 3.3.8
cis:
@@ -38,7 +38,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -54,7 +54,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -1,9 +1,9 @@
id: audit_folders_mode_configure
title: "Configure Audit Log Folders to Mode 700 or Less Permissive"
discussion: |
The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.
The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.
Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
check: |
/usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
result:
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- CCE-91727-8
- CCE-92726-9
cci:
- CCI-000162
- CCI-000163
@@ -29,7 +29,7 @@ references:
- SRG-OS-000058-GPOS-00028
- SRG-OS-000059-GPOS-00029
disa_stig:
- APPL-13-001017
- N/A
800-171r2:
- 3.3.8
cis:
@@ -40,7 +40,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -56,7 +56,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -3,16 +3,16 @@ title: "Off-Load Audit Records"
discussion: |
Audit records should be off-loaded onto a different system or media from the system being audited.
Information stored in only one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Information stored in only one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
To secure audit records by off-loading, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
To secure audit records by off-loading, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- CCE-91728-6
- CCE-92727-7
cci:
- N/A
800-53r5:
@@ -29,7 +29,7 @@ references:
controls v8:
- 8.9
macOS:
- "13.0"
- "14.0"
tags:
- permanent
- cisv8

View File

@@ -1,8 +1,8 @@
id: audit_record_reduction_report_generation
title: "Audit Record Reduction and Report Generation"
discussion: |
The system _IS_ configured with the ability provide and implement an audit record reduction and report generation capability.
The system _IS_ configured with the ability provide and implement an audit record reduction and report generation capability.
Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.
Audit record reduction and report generation can be done with tools built into macOS such as auditreduce and praudit. These tools are protected by System Integrity Protection (SIP).
@@ -12,12 +12,12 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-91729-4
cci:
- CCE-92728-5
cci:
- N/A
800-53r5:
- AU-7
800-53r4:
800-53r4:
- N/A
srg:
- N/A
@@ -28,7 +28,7 @@ references:
cmmc:
- AU.L2-3.3.6
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_high
- 800-53r4_high

View File

@@ -2,7 +2,7 @@ id: audit_records_processing
title: "Audit Record Reduction and Report Generation"
discussion: |
The macOS should be configured to provide and implement the capability to process, sort, and search audit records for events of interest based on organizationally defined fields.
Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
@@ -10,12 +10,12 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- CCE-91730-2
cci:
- CCE-92729-3
cci:
- N/A
800-53r5:
- AU-7(1)
800-53r4:
800-53r4:
- N/A
srg:
- N/A
@@ -26,7 +26,7 @@ references:
cmmc:
- AU.L2-3.3.6
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_high
- 800-53r4_high

View File

@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- CCE-91731-0
- CCE-92730-1
cci:
- CCI-001849
800-53r5:
@@ -27,7 +27,7 @@ references:
srg:
- SRG-OS-000341-GPOS-00132
disa_stig:
- APPL-13-001029
- N/A
cis:
benchmark:
- 3.4 (level 1)
@@ -37,7 +37,7 @@ references:
cmmc:
- AU.L2-3.3.1
macOS:
- "13.0"
- "14.0"
odv:
hint: "See man audit_control for possible values."
recommended: 7d

View File

@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- CCE-91732-8
- CCE-92731-9
cci:
- CCI-001858
800-53r5:
@@ -27,13 +27,13 @@ references:
srg:
- SRG-OS-000344-GPOS-00135
disa_stig:
- APPL-13-001031
- N/A
800-171r2:
- 3.3.4
cmmc:
- AU.L2-3.3.4
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -44,7 +44,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -37,7 +37,7 @@ fix: |
----
references:
cce:
- CCE-91733-6
- CCE-92732-7
cci:
- CCI-000366
800-53r5:
@@ -51,7 +51,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- APPL-13-003050
- N/A
800-171r2:
- 3.5.3
cis:
@@ -65,7 +65,7 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -79,7 +79,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -32,7 +32,7 @@ fix: |
----
references:
cce:
- CCE-91734-4
- CCE-92733-5
cci:
- CCI-000366
800-53r5:
@@ -46,7 +46,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- APPL-13-003051
- N/A
800-171r2:
- 3.5.3
cis:
@@ -60,7 +60,7 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -74,7 +74,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -31,7 +31,7 @@ fix: |
----
references:
cce:
- CCE-91735-1
- CCE-92734-3
cci:
- CCI-000366
800-53r5:
@@ -45,7 +45,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- APPL-13-003052
- N/A
800-171r2:
- 3.5.3
cis:
@@ -59,7 +59,7 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -73,7 +73,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -1,10 +1,10 @@
id: auth_smartcard_allow
title: "Allow Smartcard Authentication"
discussion: |
Smartcard authentication _MUST_ be allowed.
Smartcard authentication _MUST_ be allowed.
The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access.
When enabled, the smartcard can be used for login, authorization, and screen saver unlocking.
check: |
/usr/bin/osascript -l JavaScript << EOS
@@ -17,7 +17,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91736-9
- CCE-92735-0
cci:
- CCI-000187
- CCI-000767
@@ -26,7 +26,7 @@ references:
- IA-2(1)
- IA-2(2)
- IA-2(12)
800-53r4:
800-53r4:
- IA-2(12)
- IA-5(11)
srg:
@@ -34,7 +34,7 @@ references:
- SRG-OS-000107-GPOS-00054
- SRG-OS-000108-GPOS-00055
disa_stig:
- APPL-13-003020
- N/A
cis:
benchmark:
- N/A
@@ -47,7 +47,7 @@ references:
- IA.L1-3.5.2
- IA.L2-3.5.3
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -61,7 +61,6 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- stig
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:

View File

@@ -1,8 +1,8 @@
id: auth_smartcard_certificate_trust_enforce_high
title: "Set Smartcard Certificate Trust to High"
discussion: |
The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates).
The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates).
To prevent the use of untrusted certificates, the certificates on a smartcard card _MUST_ meet the following criteria: its issuer has a system-trusted certificate, the certificate is not expired, its "valid-after" date is in the past, and it passes Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking.
By setting the smartcard certificate trust level to high, the system will execute a hard revocation, i.e., a network connection is required. A verified positive response from the OSCP/CRL server is required for authentication to succeed.
@@ -19,13 +19,13 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91737-7
cci:
- CCE-92736-8
cci:
- N/A
800-53r5:
- IA-5(2)
- SC-17
800-53r4:
800-53r4:
- IA-2(12)
- IA-5(2)
srg:
@@ -35,7 +35,7 @@ references:
cmmc:
- SC.L2-3.13.10
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r4_high
- 800-53r5_high

View File

@@ -19,7 +19,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91738-5
- CCE-92737-6
cci:
- CCI-000186
- CCI-001953
@@ -39,18 +39,17 @@ references:
- SRG-OS-000384-GPOS-00167
- SRG-OS-000403-GPOS-00182
disa_stig:
- APPL-13-001060
- N/A
cmmc:
- SC.L2-3.13.10
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r4_moderate
- 800-53r5_moderate
- 800-53r4_moderate
- 800-53r5_moderate
- cnssi-1253_moderate
- cnssi-1253_low
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:

View File

@@ -21,7 +21,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91739-3
- CCE-92738-4
cci:
- CCI-000187
- CCI-000767
@@ -49,7 +49,7 @@ references:
- SRG-OS-000107-GPOS-00054
- SRG-OS-000108-GPOS-00055
disa_stig:
- APPL-13-003020
- N/A
800-171r2:
- 3.5.1
- 3.5.2
@@ -67,7 +67,7 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -82,7 +82,6 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- stig
severity: "high"
mobileconfig: true
mobileconfig_info:

View File

@@ -7,7 +7,7 @@ discussion: |
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
/usr/sbin/sshd -T | /usr/bin/grep -Ec '^(passwordauthentication\s+no|kbdinteractiveauthentication\s+no)'
/usr/sbin/sshd -G | /usr/bin/grep -Ec '^(passwordauthentication\s+no|kbdinteractiveauthentication\s+no)'
result:
integer: 2
fix: |
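Review bot: moving the check from `sshd -T` to `sshd -G` is fine (`-G` prints the effective configuration without loading host keys), but neither form applies `Match` blocks unless connection parameters are supplied with `-C`, so a `Match` stanza that re-enables `PasswordAuthentication` or `KbdInteractiveAuthentication` for a particular user or address still lets the check return 2. Worth stating in the discussion next to the existing note that `/etc/ssh/sshd_config` is reset by OS updates, since both are ways the effective setting can drift from what the check reports.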
@@ -32,7 +32,7 @@ fix: |
----
references:
cce:
- CCE-91740-1
- CCE-92739-2
cci:
- N/A
800-53r5:
@@ -77,15 +77,15 @@ references:
- IA.L2-3.5.4
- MA.L2-3.7.5
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low

View File

@@ -1,7 +1,7 @@
id: icloud_addressbook_disable
title: "Disable iCloud Address Book"
discussion: |
The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled.
The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization _MUST_ be controlled by an organization approved service.
check: |
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91741-9
- CCE-92740-0
cci:
- CCI-000381
- CCI-001774
@@ -34,7 +34,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- APPL-13-002014
- N/A
800-171r2:
- 3.1.20
- 3.4.6
@@ -50,7 +50,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -65,7 +65,6 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- stig
severity: "low"
mobileconfig: true
mobileconfig_info:

View File

@@ -1,44 +0,0 @@
id: icloud_appleid_preference_pane_disable
title: "Disable the Preference Pane for Apple ID"
discussion: |
This is required for compliance with the DISA STIG for macOS.
The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key.
link:https://developer.apple.com/documentation/devicemanagement/systempreferences[]
check: |
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.preferences.AppleIDPrefPane"
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-92006-6
cci:
- CCI-001774
800-53r5:
- N/A
800-53r4:
- N/A
srg:
- SRG-OS-000370-GPOS-00155
disa_stig:
- APPL-13-002031
800-171r2:
- N/A
cis:
benchmark:
- N/A
controls v8:
- N/A
macOS:
- "13.0"
tags:
- stig
severity: "high"
mobileconfig: true
mobileconfig_info:
com.apple.systempreferences:
DisabledPreferencePanes:
- com.apple.preferences.AppleIDPrefPane
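Review bot: deleting this rule is consistent with its own discussion, which says the `com.apple.systempreferences` domain is deprecated in macOS 13 and that `DisabledSystemSettings` is the recommended key, but this file was where the `DisabledPreferencePanes` / `com.apple.preferences.AppleIDPrefPane` check lived, and it carried STIG ID APPL-13-002031 and CCE-92006-6. Confirm that a `DisabledSystemSettings`-based rule covers the same Apple ID pane in the Sonoma rule set and that the deletion is recorded in the changelog, so the control does not silently drop out of the STIG mapping.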

View File

@@ -12,7 +12,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91939-9
- CCE-92742-6
cci:
- N/A
800-53r5:
@@ -43,7 +43,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91743-5
- CCE-92743-4
cci:
- CCI-000381
- CCI-001774
@@ -34,7 +34,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- APPL-13-002042
- N/A
800-171r2:
- 3.1.20
- 3.4.6
@@ -50,7 +50,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -65,7 +65,6 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91744-3
- CCE-92744-2
cci:
- CCI-000381
- CCI-001774
@@ -33,7 +33,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-13-002012
- N/A
800-171r2:
- 3.1.20
- 3.4.6
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -64,7 +64,6 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- stig
severity: "low"
mobileconfig: true
mobileconfig_info:

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91745-0
- CCE-92745-9
cci:
- CCI-000381
- CCI-001774
@@ -34,7 +34,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- APPL-13-002041
- N/A
800-171r2:
- 3.1.20
- 3.4.6
@@ -50,7 +50,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -65,7 +65,6 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:

View File

@@ -0,0 +1,71 @@
id: icloud_freeform_disable
title: "Disable the iCloud Freeform Services"
discussion: |
The macOS built-in Freeform.app connection to Apple's iCloud service _MUST_ be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization _MUST_ be controlled by an organization approved service.
check: |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudFreeform').js
EOS
result:
string: "false"
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-92746-7
cci:
- CCI-000381
- CCI-001774
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
- AC-20
- AC-20(1)
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- N/A
800-171r2:
- 3.1.20
- 3.4.6
cis:
benchmark:
- N/A
controls v8:
- 4.1
- 4.8
- 15.3
cmmc:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowCloudFreeform: false
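Review bot: the second discussion line says "automated calendar synchronization _MUST_ be controlled", which is a copy-paste from the calendar rule; this rule is about Freeform, so say "automated Freeform synchronization". Two smaller consistency points: `severity: "low"` is set although `disa_stig` is N/A and there is no `stig` tag (the other new rule in this diff, os_account_modification_disable, carries no severity), and the title "Disable the iCloud Freeform Services" does not follow the "Disable iCloud Notes" / "Disable iCloud Reminders" pattern of its siblings.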

View File

@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-92001-7
- CCE-92747-5
cci:
- N/A
800-53r5:
@@ -22,7 +22,7 @@ references:
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
@@ -47,16 +47,16 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cisv8
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91746-8
- CCE-92748-3
cci:
- CCI-001774
- CCI-000381
@@ -34,7 +34,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- APPL-13-002040
- N/A
800-171r2:
- 3.1.20
- 3.4.6
@@ -50,7 +50,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -65,7 +65,6 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91747-6
- CCE-92749-1
cci:
- CCI-000381
- CCI-001774
@@ -34,7 +34,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- APPL-13-002015
- N/A
800-171r2:
- 3.1.20
- 3.4.6
@@ -50,7 +50,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -65,7 +65,6 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- stig
severity: "low"
mobileconfig: true
mobileconfig_info:

View File

@@ -1,7 +1,7 @@
id: icloud_notes_disable
title: "Disable iCloud Notes"
discussion: |
The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled.
The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization _MUST_ be controlled by an organization approved service.
check: |
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91748-4
- CCE-92750-9
cci:
- CCI-000381
- CCI-001774
@@ -34,7 +34,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- APPL-13-002016
- N/A
800-171r2:
- 3.1.20
- 3.4.6
@@ -50,7 +50,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -65,7 +65,6 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- stig
severity: "low"
mobileconfig: true
mobileconfig_info:

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91749-2
- CCE-92751-7
cci:
- CCI-000381
- CCI-001774
@@ -34,7 +34,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- APPL-13-002043
- N/A
800-171r2:
- 3.1.20
- 3.4.6
@@ -50,7 +50,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -65,7 +65,6 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91750-0
- CCE-92752-5
cci:
- N/A
800-53r5:
@@ -23,7 +23,7 @@ references:
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
@@ -48,15 +48,15 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high

View File

@@ -1,7 +1,7 @@
id: icloud_reminders_disable
title: "Disable iCloud Reminders"
discussion: |
The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled.
The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization _MUST_ be controlled by an organization approved service.
check: |
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91751-8
- CCE-92753-3
cci:
- CCI-000381
- CCI-001774
@@ -34,7 +34,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- APPL-13-002013
- N/A
800-171r2:
- 3.1.20
- 3.4.6
@@ -50,7 +50,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -65,7 +65,6 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- stig
severity: "low"
mobileconfig: true
mobileconfig_info:

View File

@@ -3,7 +3,7 @@ title: "Disable iCloud Desktop and Document Folder Sync"
discussion: |
The macOS system's ability to automatically synchronize a user's desktop and documents folder to their iCloud Drive _MUST_ be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service.
check: |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91752-6
- CCE-92754-1
cci:
- N/A
800-53r5:
@@ -23,7 +23,7 @@ references:
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
@@ -48,7 +48,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- CCE-91753-4
- CCE-92755-8
cci:
- N/A
800-53r5:
@@ -31,7 +31,7 @@ references:
cmmc:
- AC.L2-3.1.18
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -0,0 +1,75 @@
id: os_account_modification_disable
title: "Disable AppleID and Internet Account Modifications"
discussion: |
The system _MUST_ disable account modification.
Account modification includes adding additional or modifying internet acounts in Apple Mail, Calendar, Contacts, in the Internet Account System Setting Pane, or the AppleID System Setting Pane.
This prevents the addition of unauthorized accounts.
[IMPORTANT]
====
Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====
check: |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowAccountModification').js
EOS
result:
string: "false"
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-93012-3
cci:
- N/A
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
800-53r4:
- CM-7
- CM-7(1)
- AC-20
- AC-20(1)
- SC-7(10)
srg:
- N/A
disa_stig:
- N/A
800-171r2:
- 3.1.20
- 3.4.6
cis:
benchmark:
- N/A
controls v8:
- 4.1
- 4.8
cmmc:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowAccountModification: false
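Review bot: "modifying internet acounts" in the discussion should be "accounts", and the IMPORTANT block talks about not disabling "the Internet Accounts System Preference pane" while the control this rule sets is `allowAccountModification`, which blocks adding or changing accounts rather than hiding a pane (the discussion itself already uses "System Setting Pane" for the macOS 14 name); reword the note so the risk-based decision it describes matches the key. `SC-7(10)` is listed under 800-53r4 but not 800-53r5 here, the reverse of the icloud_freeform_disable rule added in this same change, so one of the two is wrong. CCE-93012-3 also falls outside the CCE-927xx sequence the neighbouring Sonoma rules use; confirm it is a registered allocation.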

View File

@@ -3,7 +3,7 @@ title: "Disable AirDrop"
discussion:
AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices.
AirDrop allows users to share and receive files from other nearby Apple devices.
AirDrop allows users to share and receive files from other nearby Apple devices.
check: |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
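Review bot: `discussion:` on the first context line has no `|` block indicator, unlike every other rule in this diff, so the two discussion lines are parsed as one folded plain scalar and the break between the requirement and the explanation is lost in generated output; since this hunk already re-emits the second line for whitespace, add the `|` here.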
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91754-2
- CCE-92756-6
cci:
- CCI-000381
800-53r5:
@@ -31,7 +31,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-13-002009
- N/A
800-171r2:
- 3.1.1
- 3.1.2
@@ -51,7 +51,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -68,7 +68,6 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- stig
severity: "low"
mobileconfig: true
mobileconfig_info:

View File

@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-91755-9
- CCE-92757-4
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
srg:
- N/A
macOS:
- "13.0"
- "14.0"
tags:
- inherent
- cnssi-1253_moderate

View File

@@ -16,7 +16,7 @@ fix: |
----
references:
cce:
- CCE-91756-7
- CCE-92758-2
cci:
- CCI-000366
800-53r5:
@@ -24,13 +24,22 @@ references:
800-53r4:
- SI-2
srg:
- SRG-OS-000480-GPOS-00227
- N/A
disa_stig:
- APPL-13-002070
- N/A
cis:
benchmark:
- 5.10 (level 1)
controls v8:
- 10.5
- 10.1
- 10.2
macOS:
- "13.0"
- "14.0"
tags:
- stig
- cis_lvl1
- cis_lvl2
- cisv8
severity: "high"
mobileconfig: false
mobileconfig_info:
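Review bot: the `stig` tag survives at the top of the tag list while this same hunk sets both `srg` and `disa_stig` to N/A, which is the opposite of what the other rules in this change do (they set `disa_stig` to N/A and remove the tag); either drop the tag or keep the STIG reference. `cci: CCI-000366` is also retained in the previous hunk while its SRG is now N/A, and a CCI without an SRG is unusual. The added CIS mapping (benchmark 5.10 level 1, controls v8 10.1, 10.2 and 10.5) and the new `cis_lvl1`, `cis_lvl2` and `cisv8` tags are consistent with each other.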

View File

@@ -2,7 +2,7 @@ id: os_appleid_prompt_disable
title: "Disable Apple ID Setup during Setup Assistant"
discussion: |
The prompt for Apple ID setup during Setup Assistant _MUST_ be disabled.
macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first login.
check: |
/usr/bin/osascript -l JavaScript << EOS
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91757-5
- CCE-92759-0
cci:
- CCI-000381
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-13-002035
- N/A
800-171r2:
- 3.1.20
cis:
@@ -37,7 +37,7 @@ references:
cmmc:
- AC.L1-3.1.20
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -52,7 +52,6 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:

View File

@@ -1,8 +1,8 @@
id: os_application_sandboxing
title: "Ensure Seperate Execution Domain for Processes"
discussion: |
The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing.
The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing.
link:https://support.apple.com/guide/security/system-integrity-protection-secb7ea06b49/web[]
link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html[]
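Review bot: since this hunk already rewrites the discussion line (whitespace only), fix the two problems in the surrounding context at the same time: the title reads "Ensure Seperate Execution Domain" (should be "Separate"), and "multiple features Mandatory access controls (MAC), ..." needs a colon or "such as" after "features" to read as a list.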
@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-91758-3
- CCE-92760-8
800-53r5:
- SC-39
800-53r4:
@@ -22,7 +22,7 @@ references:
srg:
- N/A
macOS:
- "13.0"
- "14.0"
tags:
- inherent
- 800-53r5_low

View File

@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- CCE-91759-1
- CCE-92761-6
cci:
- CCI-001314
800-53r5:
@@ -25,18 +25,17 @@ references:
srg:
- SRG-OS-000206-GPOS-00084
disa_stig:
- APPL-13-004001
- N/A
800-171r2:
- N/A
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_moderate
- 800-53r5_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- CCE-91760-9
- CCE-92762-4
cci:
- CCI-001314
800-53r5:
@@ -23,18 +23,17 @@ references:
srg:
- SRG-OS-000206-GPOS-00084
disa_stig:
- APPL-13-004002
- N/A
800-171r2:
- N/A
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_moderate
- 800-53r5_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

View File

@@ -5,10 +5,10 @@ discussion: |
check: |
The technology does support this requirement, however, third party solutions are required to implement at an infrastructure level.
fix: |
This requirement is a permanent finding and can be fixed by implementing a third party solution.
This requirement is a permanent finding and can be fixed by implementing a third party solution.
references:
cce:
- CCE-91761-7
- CCE-92763-2
cci:
- N/A
800-53r5:
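Review bot: the fix text "This requirement is a permanent finding and can be fixed by implementing a third party solution" contradicts itself, since a permanent finding is one that cannot be closed. The other permanent-finding rule in this diff words it as "cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed"; use the same wording here, given that this hunk only changes whitespace on that line anyway. The check text ("third party solutions are required to implement at an infrastructure level") should also say that there is no on-device check, because as written it reads like a fix rather than a check.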
@@ -24,11 +24,13 @@ references:
- 3.5.2
cis:
benchmark:
- N/A
- N/A
controls v8:
- 13.9
cmmc:
- IA.L1-3.5.2
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -39,5 +41,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
mobileconfig: false
mobileconfig_info:

View File

@@ -1,12 +1,12 @@
id: os_authenticated_root_enable
title: "Enable Authenticated Root"
discussion: |
Authenticated Root _MUST_ be enabled.
Authenticated Root _MUST_ be enabled.
When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume.
NOTE: Authenticated Root is enabled by default on macOS systems.
WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input.
check: |
/usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled'
@@ -20,8 +20,8 @@ fix: |
NOTE: To re-enable "Authenticated Root", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
references:
cce:
- CCE-91762-5
cci:
- CCE-92764-0
cci:
- N/A
800-53r5:
- AC-3
@@ -55,7 +55,7 @@ references:
- CM.L2-3.4.5
- SC.L2-3.13.11
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -10,7 +10,7 @@ discussion: |
[IMPORTANT]
====
Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements.
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements.
====
check: |
/usr/bin/osascript -l JavaScript << EOS
@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91763-3
- CCE-92765-7
cci:
- CCI-000366
800-53r5:
@@ -33,20 +33,19 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- APPL-13-005051
- N/A
800-171r2:
- 3.8.8
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- "13.0"
- "14.0"
tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:

View File

@@ -10,7 +10,7 @@ discussion: |
[IMPORTANT]
====
Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements.
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements.
====
check: |
/usr/bin/osascript -l JavaScript << EOS
@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91764-1
- CCE-92766-5
cci:
- CCI-000366
800-53r5:
@@ -33,20 +33,19 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- APPL-13-005051
- N/A
800-171r2:
- 3.8.8
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- "13.0"
- "14.0"
tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:

View File

@@ -10,7 +10,7 @@ discussion: |
[IMPORTANT]
====
Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements.
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements.
====
check: |
/usr/bin/osascript -l JavaScript << EOS
@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91765-8
- CCE-92767-3
cci:
- CCI-000366
800-53r5:
@@ -33,20 +33,19 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- APPL-13-005051
- N/A
800-171r2:
- 3.8.8
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- "13.0"
- "14.0"
tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:

View File

@@ -10,7 +10,7 @@ discussion: |
[IMPORTANT]
====
Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements.
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements.
====
check: |
/usr/bin/osascript -l JavaScript << EOS
@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91766-6
- CCE-92768-1
cci:
- CCI-000366
800-53r5:
@@ -33,20 +33,19 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- APPL-13-005051
- N/A
800-171r2:
- 3.8.8
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- "13.0"
- "14.0"
tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:

View File

@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91767-4
- CCE-92769-9
cci:
- CCI-000381
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-13-002005
- N/A
800-171r2:
- 3.4.6
cis:
@@ -38,7 +38,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -53,7 +53,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91768-2
- CCE-92770-7
cci:
- CCI-000366
800-53r5:
@@ -25,18 +25,17 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- APPL-13-005053
- N/A
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- "13.0"
- "14.0"
tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "low"
mobileconfig: true
mobileconfig_info:

View File

@@ -5,7 +5,12 @@ discussion: |
[IMPORTANT]
====
Some organizations allow the use of the built-in Calendar.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
Some organizations allow the use of the built-in Calendar.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Calendar.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====
[IMPORTANT]
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements.
====
check: |
/usr/bin/osascript -l JavaScript << EOS
@@ -28,8 +33,8 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91769-0
cci:
- CCE-92771-5
cci:
- N/A
800-53r5:
- AC-20
@@ -57,20 +62,15 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:
familyControlsEnabled: true
pathBlackList:
pathBlackList:
- /Applications/Calendar.app
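Review bot: the tag list in this hunk cannot all be context: with the header -57,20 +62,15 and the `"13.0"`/`"14.0"` and `pathBlackList` pairs accounted for, the eight 800-53r4/r5, 800-171 and cisv8 tags are the removed lines and the three cnssi-1253 tags the added ones. Pulling the rule from the 800-53 and 800-171 baselines because application restriction controls are deprecated (per the IMPORTANT block added in the previous hunk) while adding it to the CNSSI-1253 overlays, whose references still list the same 800-53 controls, looks contradictory; confirm which is intended and record it in the changelog. Independently, `mobileconfig: true` with `pathBlackList` remains the fix even though the new note says the control may not work.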

View File

@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91770-8
- CCE-92772-3
cci:
- CCI-000381
- CCI-001774
@@ -25,11 +25,11 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- APPL-13-002017
- N/A
macOS:
- "13.0"
- "14.0"
tags:
- stig
- none
severity: "medium"
mobileconfig: true
mobileconfig_info:
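Review bot: replacing the `stig` tag with `none` while `disa_stig` becomes N/A leaves this rule in no baseline at all, yet `severity: "medium"` and `mobileconfig: true` remain; if the rule is being parked until a macOS 14 STIG exists, say so in the discussion, otherwise it is dead weight that still ships a profile payload.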

View File

@@ -10,7 +10,7 @@ discussion: |
[IMPORTANT]
====
Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements.
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements.
====
check: |
/usr/bin/osascript -l JavaScript << EOS
@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91771-6
- CCE-92773-1
cci:
- CCI-000366
800-53r5:
@@ -33,20 +33,19 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- APPL-13-005051
- N/A
800-171r2:
- 3.8.8
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- "13.0"
- "14.0"
tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:

View File

@@ -10,7 +10,7 @@ fix: |
Obtain the approved certificates from the appropriate authority and install them to the System Keychain.
references:
cce:
- CCE-91772-4
- CCE-92774-9
cci:
- CCI-000185
- CCI-002450
@@ -26,7 +26,7 @@ references:
- SC.L2-3.13.10
- APPL-13-003001
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_moderate
- 800-53r5_high
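Review bot: `- APPL-13-003001` sits directly under the `cmmc` entry `- SC.L2-3.13.10` and above `macOS:`, which is where the cmmc list ends in every other rule here, so the STIG ID is filed in the wrong list; it also survives as the Ventura identifier while the next hunk removes the `stig` tag and every other rule in this change sets its STIG ID to N/A. Move it under `disa_stig` and set it to N/A (or keep the tag) so this rule matches the rest of the Sonoma set.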
@@ -37,7 +37,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: "high"
mobileconfig: false
mobileconfig_info:

View File

@@ -1,9 +1,9 @@
id: os_change_security_attributes
title: "Allow Administrators to Modify Security Settings and System Attributes"
discussion: |
The information system _IS_ configured to allow administrators to modify security settings and system attributes.
The macOS is a UNIX 03-compliant operating system, which allows administrators of the system to change security settings and system attributes, including those which are kept within preference panes that are locked for standard users. .
The information system _IS_ configured to allow administrators to modify security settings and system attributes.
The macOS is a UNIX 03-compliant operating system, which allows administrators of the system to change security settings and system attributes, including those which are kept within preference panes that are locked for standard users. .
link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[]
check: |
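Review bot: the rewritten second discussion line still ends in "locked for standard users. ." with a stray space and period; since the hunk already re-emits that line, drop the trailing " .". The line also rests the claim on "UNIX 03-compliant", but the ability of administrators to change security settings follows from the macOS privilege model, not from UNIX 03 certification, so the "which allows" clause conflates the two.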
@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-91773-2
- CCE-92775-6
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
srg:
- N/A
macOS:
- "13.0"
- "14.0"
tags:
- inherent
- cnssi-1253_moderate

View File

@@ -19,7 +19,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91774-0
- CCE-92776-4
cci:
- CCI-000366
800-53r5:
@@ -30,7 +30,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- APPL-13-002070
- N/A
800-171r2:
- 3.14.1
- 3.14.2
@@ -47,7 +47,7 @@ references:
- SI.L1-3.14.2
- SI.L1-3.14.4
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -60,7 +60,6 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- stig
severity: "high"
mobileconfig: true
mobileconfig_info:

View File

@@ -13,9 +13,9 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-91775-7
- CCE-92777-2
cci:
- N/A
- N/A
800-53r5:
- CM-5
800-171r2:
@@ -28,10 +28,10 @@ references:
cmmc:
- CM.L2-3.4.5
macOS:
- "13.0"
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cnssi-1253_moderate

Some files were not shown because too many files have changed in this diff Show More