diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
index 704c620e..96f2b281 100644
--- a/CHANGELOG.adoc
+++ b/CHANGELOG.adoc
@@ -2,193 +2,56 @@ This document provides a high-level view of the changes to the macOS Security Compliance Project.
-== [Ventura, Revision 2.0] - 2023-06-26
+== [Sonoma, Revision 1.0] - 2023-09-21
 * Rules
 ** Added Rules
-*** os_home_folders_default
-*** supplemental_stig
+*** icloud_freeform_disable
+*** os_account_modification_disable
+*** os_on_device_dictation_enforce
+*** os_setup_assistant_filevault_enforce
+*** os_sshd_channel_timeout_configure
+*** os_sshd_unused_connection_timeout_configure
 ** Modified Rules
-*** audit_acls_files_configure
-*** audit_acls_folders_configure
-*** audit_auditd_enabled
-*** audit_control_mode_configure
-*** audit_files_group_configure
-*** audit_files_mode_configure
-*** audit_files_owner_configure
-*** audit_folder_group_configure
-*** audit_folder_group_configure
-*** audit_folders_mode_configure
 *** auth_ssh_password_authentication_disable
-*** icloud_appleid_preference_pane_disable
-*** icloud_appleid_system_settings_disable
-*** os_anti_virus_installed
-*** os_home_folders_secure
-*** os_policy_banner_loginwindow_enforce
-*** os_policy_banner_ssh_configure
 *** os_policy_banner_ssh_enforce
-*** os_screensaver_timeout_loginwindow_enforce
 *** os_sshd_client_alive_count_max_configure
 *** os_sshd_client_alive_interval_configure
-*** os_sshd_fips_140_ciphers
-*** os_sshd_fips_140_macs
 *** os_sshd_fips_compliant
-*** os_sshd_key_exchange_algorithm_configure
 *** os_sshd_login_grace_time_configure
 *** os_sshd_permit_root_login_configure
-*** pwpolicy_account_lockout_timeout_enforce
-*** pwpolicy_minimum_length_enforce
-*** pwpolicy_special_character_enforce
-*** system_settings_assistant_disable
+*** system_settings_location_services_menu_enforce
+*** system_settings_siri_disable
+** Deleted Rules
+*** icloud_appleid_preference_pane_disable.yaml
+*** os_efi_integrity_validated
+*** os_sshd_key_exchange_algorithm_configure
+*** os_sshd_fips_140_ciphers
+*** os_sshd_fips_140_macs
 *** system_settings_bluetooth_prefpane_disable
-*** system_settings_firewall_enable
-*** system_settings_firewall_stealth_mode_enable
-*** system_settings_guest_account_disable
 *** system_settings_internet_accounts_preference_pane_disable
 *** system_settings_siri_prefpane_disable
 *** system_settings_touch_id_pane_disable
-*** system_settings_usb_restricted_mode
 *** system_settings_wallet_applepay_prefpane_disable
 *** system_settings_wallet_applepay_prefpane_hide
-
-* Baselines
-** Added Baselines
-*** cmmc_lvl1
-*** cmmc_lvl2
-*** cnssi-1253_high
-*** cnssi-1253_moderate
-*** cnssi-1253_low
-*** DISA-STIG
-** Modified Baselines
-*** all_rules
-*** Removed Baselines
-** cnssi-1253
-
-* Scripts
-** generate_guidance
-*** Added base64 support for documentation logo
-*** Added support for CMMC references
-*** Added ssh key generation to compliance script
-*** Added cfc argument to compliance script
-*** Bug Fixes
-** generate_baseline
-*** Bug Fixes
-** generate_scap
-*** Bug Fixes
-
-* Includes
-** mscp-data
-*** Added CMMC data
-*** Updated CNSSI-1253 data
-** supported_payloads
-*** Added com.apple.sharingd
-*** Removed com.apple.locationmenu
-
-== [Ventura, Revision 1.1] - 2022-12-08
-
-* Rules
-** Added Rules
-*** icloud_game_center_disable
-*** os_safari_advertising_privacy_protection_enable
-*** os_safari_prevent_cross-site_tracking_enable
-*** os_safari_show_full_website_address_enable
-*** os_safari_warn_fraudulent_website_enable
-** Modified Rules
-*** os_dvdram_disable
-*** os_hibernate_mode_enable
-*** os_rapid_security_response_removal_disable
-*** os_tftpd_disable
-*** system_settings_automatic_logout_enforce
-*** system_settings_internet_accounts_disable
-*** system_settings_ssh_enable
-*** system_settings_system_wide_preferences_configure
-*** system_settings_time_server_configure
-*** system_settings_time_server_enforce
-*** supplemental_cis_manual
-** Bug fixes
-
-* Baselines
-** Updated all baselines
-
-* Scripts
-** generate_guidance
-*** Added custom references to compliance check script
-*** Added debug option
-*** Bug Fixes
-** generate_baseline
-*** Added author function
-*** Bug Fixes
-** generate_mapping
-*** Bug Fixes
-
-== [Ventura, Revision 1] - 2022-10-20
-
-* Rules
-** Added ODV support
-** Added Rules
-*** icloud_appleid_system_settings_disable
-*** os_config_profile_ui_install_disable
-*** os_firewall_ui_disable
-*** os_power_nap_enable
-*** os_rapid_security_response_allow
-*** os_rapid_security_response_removal_disable
-*** os_software_update_deferral
-*** system_settings_USB_restricted_mode
-*** system_settings_internet_accounts_disable
-** Modified Rules
-*** os_power_nap_disable
-*** os_ssh_fips_compliant
-*** os_ssh_server_alive_count_max_configure
-*** os_ssh_server_alive_interval_configure
-*** os_sshd_client_alive_count_max_configure
-*** os_sshd_client_alive_interval_configure
-*** os_sshd_fips_140_ciphers
-*** os_sshd_fips_140_macs
-*** os_sshd_fips_compliant
-*** os_sshd_key_exchange_algorithm_configure
-*** os_sshd_login_grace_time_configure
-*** os_sshd_permit_root_login_configure
-*** os_sudo_timeout_configure
-*** os_sudoers_timestamp_type_configure
-*** pwpolicy_account_inactivity_enforce.yaml
-*** pwpolicy_account_lockout_enforce.yaml
-*** pwpolicy_account_lockout_timeout_enforce.yaml
-*** pwpolicy_alpha_numeric_enforce.yaml
-*** pwpolicy_history_enforce.yaml
-*** pwpolicy_lower_case_character_enforce.yaml
-*** pwpolicy_max_lifetime_enforce.yaml
-*** pwpolicy_minimum_length_enforce.yaml
-*** pwpolicy_minimum_lifetime_enforce.yaml
-*** pwpolicy_simple_sequence_disable.yaml
-*** pwpolicy_special_character_enforce.yaml
-*** pwpolicy_upper_case_character_enforce.yaml
-*** system_settings_system_wide_preferences_configure
-*** System Preferences -> System Settings
-** Deleted Rules
-*** os_sudoers_tty_configure
 ** Bug Fixes
 * Baselines
 ** Modified existing baselines
-** Added parent_values
 * Scripts
 ** generate_guidance
-*** Added ODV support
-*** Added Ruby gem generation
-*** Added support for fix/check in compliance script
-*** Added unified log support to compliance script
+*** Added iOS support
+*** Added support for pwpolicy regex
+*** Modified ssh_key_check
 *** Bug Fixes
 ** generate_baseline
-*** Added ODV support
-*** Added tailoring support
+*** Added iOS support
 *** Bug Fixes
 ** generate_mappings
+*** Added iOS support
 *** Bug Fixes
 ** generate_scap
-*** Added support for ODV
-*** Added support for new checks
-*** Generate scap, xccdf, or oval
-*** Bug Fixes
-
-
+*** Added iOS support
+*** Added support for pwpolicy regex
+*** Bug Fixes
\ No newline at end of file
diff --git a/CONTRIBUTING.adoc b/CONTRIBUTING.adoc
index 36a78080..91d5bc7d 100644
--- a/CONTRIBUTING.adoc
+++ b/CONTRIBUTING.adoc
@@ -7,15 +7,15 @@ Contribute new content, share feedback and ask questions about resources in the
 These operating rules describe and govern NIST’s management of this repository and contributors’ responsibilities. NIST reserves the right to modify this policy at any time.
 === Criteria for Contributions and Feedback
-This is a moderated platform. NIST will only accept contributions that are contributed per the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file.
+This is a moderated platform. NIST will only accept contributions that are contributed per the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file.
-NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that:
-* states or implies NIST endorsement of any entities, services, or products;
-* is inaccurate;
-* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content;
-* is clearly "off topic";
+NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that:
+* states or implies NIST endorsement of any entities, services, or products;
+* is inaccurate;
+* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content;
+* is clearly "off topic";
 * makes unsupported accusations;
-* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government (http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines]; or,
+* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government (http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines]; or,
 * contains .exe or .jar file types. _These file types will not be hosted in the NIST repository; instead, NIST may link to these if hosted elsewhere._
@@ -28,4 +28,4 @@ NIST also reserves the right to reject or remove contributions from the reposito
 * responding to NIST representatives in a timely manner;
 * keeping contributions and contributor GitHub username up to date
-*GitHub Help:* If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help https://help.github.com/categories/collaborating-with-issues-and-pull-requests/[page].
+*GitHub Help:* If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help https://help.github.com/categories/collaborating-with-issues-and-pull-requests/[page].
diff --git a/LICENSE.md b/LICENSE.md
index 84660b48..5170c646 100644
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -51,9 +51,9 @@ By exercising the Licensed Rights (defined below), You accept and agree to be bo
 5. _Downstream recipients._
 **A.** _Offer from the Licensor_ – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
-
+
 **B.** _No downstream restrictions._ You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
-
+
 6. _No endorsement._ Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
 ## b. Other rights.
@@ -75,17 +75,17 @@ Your exercise of the Licensed Rights is expressly made subject to the following
 **i.** identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
 **ii.** a copyright notice;
-
+
 **iii.** a notice that refers to this Public License;
-
+
 **iv.** a notice that refers to the disclaimer of warranties;
-
+
 **v.** a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
-
+
 **B.** indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
-
+
 **C.** indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
-
+
 **2.** You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
 **3.** If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
@@ -116,11 +116,11 @@ For the avoidance of doubt, this Section 4 supplements and does not replace Your
 **a.** This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
 **b.** Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
-
+
 **1.** automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
-
+
 **2.** upon express reinstatement by the Licensor.
-
+
 For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
 **c.** For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.
diff --git a/README.adoc b/README.adoc
index 8bc5f2e0..95635302 100644
--- a/README.adoc
+++ b/README.adoc
@@ -1,7 +1,7 @@
 image::templates/images/mscp_banner_outline.png[]
 // settings:
 :idprefix:
-:idseparator: -
+:idseparator: -
 ifndef::env-github[:icons: font]
 ifdef::env-github[]
 :status:
@@ -18,7 +18,7 @@ endif::[]
 ifdef::status[]
 image:https://badgen.net/badge/icon/apple?icon=apple&label[link="https://www.apple.com/"]
-image:https://badgen.net/badge/icon/13.0?icon=apple&label[link="https://www.apple.com/macos"]
+image:https://badgen.net/badge/icon/14.0?icon=apple&label[link="https://www.apple.com/macos"]
 endif::[]
 IMPORTANT: We recommend working off of one of the OS branches, rather than the `main` branch.
@@ -29,7 +29,7 @@ This project is the technical implementation of NIST Special Publication, 800-21
 Apple acknowledges the macOS Security Compliance Project with information on their https://support.apple.com/guide/certifications/macos-security-compliance-project-apc322685bb2/web[Platform Certifications] page.
-This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
+This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
 To learn more about the project, please see the {uri-repo}/wiki[wiki].
@@ -61,7 +61,7 @@ Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) sta
 == Changelog
-Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes.
+Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes.
 == NIST Disclaimer
diff --git a/VERSION.yaml b/VERSION.yaml
index 8e74529c..b2d8fd1a 100644
--- a/VERSION.yaml
+++ b/VERSION.yaml
@@ -1,4 +1,5 @@
-os: "13.0"
-version: "Ventura Guidance, Revision 2.0"
-cpe: o:apple:macos:13.0
-date: "2023-06-26"
+os: "14.0"
+platform: macOS
+version: "Sonoma Guidance, Revision 1.0"
+cpe: o:apple:macos:14.0
+date: "2023-09-21"
diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml
index 2b44c8c8..c725766d 100644
--- a/baselines/800-171.yaml
+++ b/baselines/800-171.yaml
@@ -1,6 +1,6 @@
-title: "macOS 13.0: Security Configuration - NIST 800-171 Rev 2"
+title: "macOS 14.0: Security Configuration - NIST 800-171 Rev 2"
 description: |
- This guide describes the actions to take when securing a macOS 13.0 system against the NIST 800-171 Rev 2 security baseline.
+ This guide describes the actions to take when securing a macOS 14.0 system against the NIST 800-171 Rev 2 security baseline.
 Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation.
 This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
@@ -47,6 +47,7 @@ profile:
 - icloud_bookmarks_disable
 - icloud_calendar_disable
 - icloud_drive_disable
+ - icloud_freeform_disable
 - icloud_game_center_disable
 - icloud_keychain_disable
 - icloud_mail_disable
@@ -57,11 +58,11 @@ profile:
 - icloud_sync_disable
 - section: "macos"
 rules:
+ - os_account_modification_disable
 - os_airdrop_disable
 - os_appleid_prompt_disable
 - os_authenticated_root_enable
 - os_bonjour_disable
- - os_calendar_app_disable
 - os_config_profile_ui_install_disable
 - os_filevault_autologin_disable
 - os_firewall_default_deny_require
@@ -76,6 +77,7 @@ profile:
 - os_ir_support_disable
 - os_mdm_require
 - os_nfsd_disable
+ - os_on_device_dictation_enforce
 - os_password_autofill_disable
 - os_password_proximity_disable
 - os_password_sharing_disable
@@ -93,9 +95,11 @@ profile:
 - os_ssh_fips_compliant
 - os_ssh_server_alive_count_max_configure
 - os_ssh_server_alive_interval_configure
+ - os_sshd_channel_timeout_configure
 - os_sshd_client_alive_count_max_configure
 - os_sshd_client_alive_interval_configure
 - os_sshd_fips_compliant
+ - os_sshd_unused_connection_timeout_configure
 - os_tftpd_disable
 - os_time_server_enabled
 - os_touchid_prompt_disable
@@ -107,14 +111,13 @@ profile:
 - pwpolicy_account_lockout_enforce
 - pwpolicy_account_lockout_timeout_enforce
 - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_custom_regex_enforce
 - pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
 - pwpolicy_max_lifetime_enforce
 - pwpolicy_minimum_length_enforce
 - pwpolicy_minimum_lifetime_enforce
 - pwpolicy_simple_sequence_disable
 - pwpolicy_special_character_enforce
- - pwpolicy_upper_case_character_enforce
 - section: "systemsettings"
 rules:
 - system_settings_apple_watch_unlock_disable
diff --git a/baselines/800-53r5_high.yaml b/baselines/800-53r5_high.yaml
index 61727568..a963f3c1 100644
--- a/baselines/800-53r5_high.yaml
+++ b/baselines/800-53r5_high.yaml
@@ -1,6 +1,6 @@
-title: "macOS 13.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact"
+title: "macOS 14.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact"
 description: |
- This guide describes the actions to take when securing a macOS 13.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline.
+ This guide describes the actions to take when securing a macOS 14.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline.
 Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation.
 This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
@@ -52,6 +52,7 @@ profile:
 - icloud_bookmarks_disable
 - icloud_calendar_disable
 - icloud_drive_disable
+ - icloud_freeform_disable
 - icloud_game_center_disable
 - icloud_keychain_disable
 - icloud_mail_disable
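Review bot: The passwordpolicy hunk swaps `pwpolicy_lower_case_character_enforce` and `pwpolicy_upper_case_character_enforce` for `pwpolicy_custom_regex_enforce`, so the mixed-case requirement this baseline previously enforced now lives entirely in that rule's regex value, which is not visible in this diff. If the regex ODV ships with a default that does not demand both cases, the 800-171 baseline presumably loses a check it used to make without anyone tailoring it noticing; please confirm the default or pin the value for this baseline. A one-line YAML comment above the new entry would make the dependency visible to tailoring users: `# replaces the lower/upper-case rules; the regex ODV must require both character classes`. The 800-53r5 high, low and moderate hunks further down make the same substitution and need the same confirmation.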
@@ -62,13 +63,13 @@ profile:
 - icloud_sync_disable
 - section: "macos"
 rules:
+ - os_account_modification_disable
 - os_airdrop_disable
 - os_appleid_prompt_disable
 - os_asl_log_files_owner_group_configure
 - os_asl_log_files_permissions_configure
 - os_authenticated_root_enable
 - os_bonjour_disable
- - os_calendar_app_disable
 - os_certificate_authority_trust
 - os_config_data_install_enforce
 - os_config_profile_ui_install_disable
@@ -88,6 +89,7 @@ profile:
 - os_newsyslog_files_owner_group_configure
 - os_newsyslog_files_permissions_configure
 - os_nfsd_disable
+ - os_on_device_dictation_enforce
 - os_password_autofill_disable
 - os_password_proximity_disable
 - os_password_sharing_disable
@@ -106,10 +108,12 @@ profile:
 - os_ssh_fips_compliant
 - os_ssh_server_alive_count_max_configure
 - os_ssh_server_alive_interval_configure
+ - os_sshd_channel_timeout_configure
 - os_sshd_client_alive_count_max_configure
 - os_sshd_client_alive_interval_configure
 - os_sshd_fips_compliant
 - os_sshd_permit_root_login_configure
+ - os_sshd_unused_connection_timeout_configure
 - os_sudo_timeout_configure
 - os_sudoers_timestamp_type_configure
 - os_system_read_only
@@ -124,15 +128,14 @@ profile:
 - pwpolicy_account_lockout_enforce
 - pwpolicy_account_lockout_timeout_enforce
 - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_custom_regex_enforce
 - pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
 - pwpolicy_max_lifetime_enforce
 - pwpolicy_minimum_length_enforce
 - pwpolicy_minimum_lifetime_enforce
 - pwpolicy_simple_sequence_disable
 - pwpolicy_special_character_enforce
 - pwpolicy_temporary_or_emergency_accounts_disable
- - pwpolicy_upper_case_character_enforce
 - section: "systemsettings"
 rules:
 - system_settings_airplay_receiver_disable
diff --git a/baselines/800-53r5_low.yaml b/baselines/800-53r5_low.yaml
index 36e7420d..9d337456 100644
--- a/baselines/800-53r5_low.yaml
+++ b/baselines/800-53r5_low.yaml
@@ -1,6 +1,6 @@
-title: "macOS 13.0: Security Configuration - NIST SP 800-53 Rev 5 Low Impact"
+title: "macOS 14.0: Security Configuration - NIST SP 800-53 Rev 5 Low Impact"
 description: |
- This guide describes the actions to take when securing a macOS 13.0 system against the NIST SP 800-53 Rev 5 Low Impact security baseline.
+ This guide describes the actions to take when securing a macOS 14.0 system against the NIST SP 800-53 Rev 5 Low Impact security baseline.
 Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation.
 This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
@@ -50,6 +50,7 @@ profile:
 - icloud_bookmarks_disable
 - icloud_calendar_disable
 - icloud_drive_disable
+ - icloud_freeform_disable
 - icloud_game_center_disable
 - icloud_keychain_disable
 - icloud_mail_disable
@@ -60,11 +61,11 @@ profile:
 - icloud_sync_disable
 - section: "macos"
 rules:
+ - os_account_modification_disable
 - os_airdrop_disable
 - os_appleid_prompt_disable
 - os_authenticated_root_enable
 - os_bonjour_disable
- - os_calendar_app_disable
 - os_config_data_install_enforce
 - os_config_profile_ui_install_disable
 - os_filevault_autologin_disable
@@ -77,6 +78,7 @@ profile:
 - os_ir_support_disable
 - os_mdm_require
 - os_nfsd_disable
+ - os_on_device_dictation_enforce
 - os_password_autofill_disable
 - os_password_proximity_disable
 - os_password_sharing_disable
@@ -103,14 +105,13 @@ profile:
 - pwpolicy_account_lockout_enforce
 - pwpolicy_account_lockout_timeout_enforce
 - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_custom_regex_enforce
 - pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
 - pwpolicy_max_lifetime_enforce
 - pwpolicy_minimum_length_enforce
 - pwpolicy_minimum_lifetime_enforce
 - pwpolicy_simple_sequence_disable
 - pwpolicy_special_character_enforce
- - pwpolicy_upper_case_character_enforce
 - section: "systemsettings"
 rules:
 - system_settings_airplay_receiver_disable
@@ -177,4 +178,4 @@ profile:
 - supplemental_filevault
 - supplemental_firewall_pf
 - supplemental_password_policy
- - supplemental_smartcard
\ No newline at end of file
+ - supplemental_smartcard
diff --git a/baselines/800-53r5_moderate.yaml b/baselines/800-53r5_moderate.yaml
index 13df87a8..23fa64d4 100644
--- a/baselines/800-53r5_moderate.yaml
+++ b/baselines/800-53r5_moderate.yaml
@@ -1,6 +1,6 @@
-title: "macOS 13.0: Security Configuration - NIST SP 800-53 Rev 5 Moderate Impact"
+title: "macOS 14.0: Security Configuration - NIST SP 800-53 Rev 5 Moderate Impact"
 description: |
- This guide describes the actions to take when securing a macOS 13.0 system against the NIST SP 800-53 Rev 5 Moderate Impact security baseline.
+ This guide describes the actions to take when securing a macOS 14.0 system against the NIST SP 800-53 Rev 5 Moderate Impact security baseline.
 Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation.
 This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
@@ -51,6 +51,7 @@ profile:
 - icloud_bookmarks_disable
 - icloud_calendar_disable
 - icloud_drive_disable
+ - icloud_freeform_disable
 - icloud_game_center_disable
 - icloud_keychain_disable
 - icloud_mail_disable
@@ -61,13 +62,13 @@ profile:
 - icloud_sync_disable
 - section: "macos"
 rules:
+ - os_account_modification_disable
 - os_airdrop_disable
 - os_appleid_prompt_disable
 - os_asl_log_files_owner_group_configure
 - os_asl_log_files_permissions_configure
 - os_authenticated_root_enable
 - os_bonjour_disable
- - os_calendar_app_disable
 - os_certificate_authority_trust
 - os_config_data_install_enforce
 - os_config_profile_ui_install_disable
@@ -86,6 +87,7 @@ profile:
 - os_newsyslog_files_owner_group_configure
 - os_newsyslog_files_permissions_configure
 - os_nfsd_disable
+ - os_on_device_dictation_enforce
 - os_password_autofill_disable
 - os_password_proximity_disable
 - os_password_sharing_disable
@@ -104,9 +106,11 @@ profile:
 - os_ssh_fips_compliant
 - os_ssh_server_alive_count_max_configure
 - os_ssh_server_alive_interval_configure
+ - os_sshd_channel_timeout_configure
 - os_sshd_client_alive_count_max_configure
 - os_sshd_client_alive_interval_configure
 - os_sshd_fips_compliant
+ - os_sshd_unused_connection_timeout_configure
 - os_sudo_timeout_configure
 - os_sudoers_timestamp_type_configure
 - os_system_read_only
@@ -121,15 +125,14 @@ profile:
 - pwpolicy_account_lockout_enforce
 - pwpolicy_account_lockout_timeout_enforce
 - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_custom_regex_enforce
 - pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
 - pwpolicy_max_lifetime_enforce
 - pwpolicy_minimum_length_enforce
 - pwpolicy_minimum_lifetime_enforce
 - pwpolicy_simple_sequence_disable
 - pwpolicy_special_character_enforce
 - pwpolicy_temporary_or_emergency_accounts_disable
- - pwpolicy_upper_case_character_enforce
 - section: "systemsettings"
 rules:
 - system_settings_airplay_receiver_disable
diff --git a/baselines/DISA-STIG.yaml b/baselines/DISA-STIG.yaml
deleted file mode 100644
index 03dc8508..00000000
--- a/baselines/DISA-STIG.yaml
+++ /dev/null
@@ -1,165 +0,0 @@
-title: "macOS 13.0: Security Configuration - Apple macOS 13 (Ventura) DISA STIG - Ver 1, Rel 1"
-description: |
- This guide describes the actions to take when securing a macOS 13.0 system against the Apple macOS 13 (Ventura) STIG - Ver 1, Rel 1 security baseline.
-authors: |
- *macOS Security Compliance Project*
-
- |===
- |Dan Brodjieski|National Aeronautics and Space Administration
- |Allen Golbig|Jamf
- |Bob Gendler|National Institute of Standards and Technology
- |===
-parent_values: "stig"
-profile:
- - section: "auditing"
- rules:
- - audit_acls_files_configure
- - audit_acls_folders_configure
- - audit_auditd_enabled
- - audit_configure_capacity_notify
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_mode_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_fd_configure
- - audit_flags_fm_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_lo_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_folders_mode_configure
- - audit_settings_failure_notify
- - section: "authentication"
- rules:
- - auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- - auth_smartcard_allow
- - auth_smartcard_certificate_trust_enforce_moderate
- - auth_smartcard_enforce
- - section: "icloud"
- rules:
- - icloud_addressbook_disable
- - icloud_appleid_preference_pane_disable
- - icloud_bookmarks_disable
- - icloud_calendar_disable
- - icloud_drive_disable
- - icloud_keychain_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_photos_disable
- - icloud_reminders_disable
- - section: "macos"
- rules:
- - os_airdrop_disable
- - os_anti_virus_installed
- - os_appleid_prompt_disable
- - os_asl_log_files_owner_group_configure
- - os_asl_log_files_permissions_configure
- - os_blank_bluray_disable
- - os_blank_cd_disable
- - os_blank_dvd_disable
- os_bluray_read_only_enforce
- - os_bonjour_disable
- - os_burn_support_disable
- - os_camera_disable
- - os_cd_read_only_enforce
- - os_certificate_authority_trust
- - os_config_data_install_enforce
- - os_directory_services_configured
- - os_disk_image_disable
- - os_dvdram_disable
- - os_erase_content_and_settings_disable
- - os_filevault_authorized_users
- - os_filevault_autologin_disable
- - os_firmware_password_require
- - os_gatekeeper_enable
- - os_handoff_disable
- - os_home_folders_default
- - os_httpd_disable
- - os_icloud_storage_prompt_disable
- - os_newsyslog_files_owner_group_configure
- - os_newsyslog_files_permissions_configure
- - os_nfsd_disable
- - os_password_proximity_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_privacy_setup_prompt_disable
- - os_removable_media_disable
- - os_screensaver_loginwindow_enforce
- - os_screensaver_timeout_loginwindow_enforce
- - os_sip_enable
- - os_siri_prompt_disable
- - os_skip_screen_time_prompt_enable
- - os_skip_unlock_with_watch_enable
- - os_sshd_client_alive_count_max_configure
- - os_sshd_client_alive_interval_configure
- - os_sshd_fips_140_ciphers
- - os_sshd_fips_140_macs
- - os_sshd_key_exchange_algorithm_configure
- - os_sshd_login_grace_time_configure
- - os_sshd_permit_root_login_configure
- - os_sudo_timeout_configure
- - os_tftpd_disable
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_uucp_disable
- - section: "passwordpolicy"
- rules:
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- - pwpolicy_history_enforce
- - pwpolicy_max_lifetime_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_simple_sequence_disable
- - pwpolicy_special_character_enforce
- - pwpolicy_temporary_or_emergency_accounts_disable
- - section: "systemsettings"
- rules:
- - system_settings_apple_watch_unlock_disable
- - system_settings_assistant_disable
- system_settings_automatic_login_disable
- - system_settings_bluetooth_disable
- - system_settings_bluetooth_prefpane_disable
- - system_settings_diagnostics_reports_disable
- - system_settings_filevault_enforce
- - system_settings_firewall_enable
- - system_settings_firewall_stealth_mode_enable
- - system_settings_gatekeeper_identified_developers_allowed
- - system_settings_guest_account_disable
- - system_settings_hot_corners_disable
- - system_settings_improve_siri_dictation_disable
- - system_settings_internet_accounts_preference_pane_disable
- - system_settings_internet_sharing_disable
- - system_settings_location_services_disable
- - system_settings_loginwindow_prompt_username_password_enforce
- - system_settings_password_hints_disable
- - system_settings_rae_disable
- - system_settings_screen_sharing_disable
- - system_settings_screensaver_ask_for_password_delay_enforce
- - system_settings_screensaver_password_enforce
- - system_settings_screensaver_timeout_enforce
- - system_settings_siri_disable
- - system_settings_siri_prefpane_disable
- - system_settings_smbd_disable
- - system_settings_ssh_disable
- - system_settings_system_wide_preferences_configure
- - system_settings_time_server_configure
- - system_settings_time_server_enforce
- - system_settings_token_removal_enforce
- - system_settings_touch_id_pane_disable
- - system_settings_wallet_applepay_prefpane_disable
- - system_settings_wallet_applepay_prefpane_hide
- - section: "Supplemental"
- rules:
- - supplemental_controls
- - supplemental_filevault
- - supplemental_firewall_pf
- - supplemental_password_policy
- - supplemental_smartcard
- - supplemental_stig
diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
index 2333e8f4..73e57d22 100644
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -1,6 +1,6 @@ -title: "macOS 13.0: Security Configuration - All Rules" +title: "macOS 14.0: Security Configuration - All Rules" description: | - This guide describes the actions to take when securing a macOS 13.0 system against the All Rules security baseline. + This guide describes the actions to take when securing a macOS 14.0 system against the All Rules security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | @@ -54,11 +54,11 @@ profile: - section: "icloud" rules: - icloud_addressbook_disable - - icloud_appleid_preference_pane_disable - icloud_appleid_system_settings_disable - icloud_bookmarks_disable - icloud_calendar_disable - icloud_drive_disable + - icloud_freeform_disable - icloud_game_center_disable - icloud_keychain_disable - icloud_mail_disable @@ -69,6 +69,7 @@ profile: - icloud_sync_disable - section: "macos" rules: + - os_account_modification_disable - os_airdrop_disable - os_anti_virus_installed - os_appleid_prompt_disable @@ -90,7 +91,6 @@ profile: - os_directory_services_configured - os_disk_image_disable - os_dvdram_disable - - os_efi_integrity_validated - os_erase_content_and_settings_disable - os_ess_installed - os_facetime_app_disable @@ -103,8 +103,9 @@ profile: - os_gatekeeper_rearm - os_guest_folder_removed - os_handoff_disable + - os_hibernate_mode_apple_silicon_enable - os_hibernate_mode_destroyfvkeyonstandby_enable - - os_hibernate_mode_enable + - os_hibernate_mode_intel_enable - os_home_folders_default - os_home_folders_secure - os_httpd_disable 
@@ -119,6 +120,7 @@ profile: - os_newsyslog_files_owner_group_configure - os_newsyslog_files_permissions_configure - os_nfsd_disable + - os_on_device_dictation_enforce - os_parental_controls_enable - os_password_autofill_disable - os_password_hint_remove @@ -136,13 +138,17 @@ profile: - os_removable_media_disable - os_root_disable - os_safari_advertising_privacy_protection_enable + - os_safari_javascript_enabled - os_safari_open_safe_downloads_disable + - os_safari_popups_disabled - os_safari_prevent_cross-site_tracking_enable - os_safari_show_full_website_address_enable + - os_safari_show_status_bar_enabled - os_safari_warn_fraudulent_website_enable - os_screensaver_loginwindow_enforce - os_screensaver_timeout_loginwindow_enforce - os_secure_boot_verify + - os_setup_assistant_filevault_enforce - os_show_filename_extensions_enable - os_sip_enable - os_siri_prompt_disable @@ -152,14 +158,13 @@ profile: - os_ssh_fips_compliant - os_ssh_server_alive_count_max_configure - os_ssh_server_alive_interval_configure + - os_sshd_channel_timeout_configure - os_sshd_client_alive_count_max_configure - os_sshd_client_alive_interval_configure - - os_sshd_fips_140_ciphers - - os_sshd_fips_140_macs - os_sshd_fips_compliant - - os_sshd_key_exchange_algorithm_configure - os_sshd_login_grace_time_configure - os_sshd_permit_root_login_configure + - os_sshd_unused_connection_timeout_configure - os_sudo_timeout_configure - os_sudoers_timestamp_type_configure - os_system_read_only @@ -180,6 +185,7 @@ profile: - pwpolicy_account_lockout_enforce - pwpolicy_account_lockout_timeout_enforce - pwpolicy_alpha_numeric_enforce + - pwpolicy_custom_regex_enforce - pwpolicy_history_enforce - pwpolicy_lower_case_character_enforce - pwpolicy_max_lifetime_enforce 
@@ -198,7 +204,6 @@ profile: - system_settings_automatic_logout_enforce - system_settings_bluetooth_disable - system_settings_bluetooth_menu_enable - - system_settings_bluetooth_prefpane_disable - system_settings_bluetooth_sharing_disable - system_settings_cd_dvd_sharing_disable - system_settings_content_caching_disable @@ -217,7 +222,6 @@ profile: - system_settings_improve_siri_dictation_disable - system_settings_install_macos_updates_enforce - system_settings_internet_accounts_disable - - system_settings_internet_accounts_preference_pane_disable - system_settings_internet_sharing_disable - system_settings_location_services_disable - system_settings_location_services_enable @@ -235,7 +239,6 @@ profile: - system_settings_screensaver_password_enforce - system_settings_screensaver_timeout_enforce - system_settings_siri_disable - - system_settings_siri_prefpane_disable - system_settings_smbd_disable - system_settings_software_update_app_update_enforce - system_settings_software_update_download_enforce @@ -249,12 +252,9 @@ profile: - system_settings_time_server_configure - system_settings_time_server_enforce - system_settings_token_removal_enforce - - system_settings_touch_id_pane_disable - system_settings_touchid_unlock_disable - system_settings_usb_restricted_mode - system_settings_wake_network_access_disable - - system_settings_wallet_applepay_prefpane_disable - - system_settings_wallet_applepay_prefpane_hide - system_settings_wifi_disable - system_settings_wifi_menu_enable - section: "Inherent" @@ -342,4 +342,3 @@ profile: - supplemental_firewall_pf - supplemental_password_policy - supplemental_smartcard - - supplemental_stig diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml index b677cf73..ec3b650d 100644 --- a/baselines/cis_lvl1.yaml +++ b/baselines/cis_lvl1.yaml 
@@ -1,6 +1,6 @@ -title: "macOS 13.0: Security Configuration - CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1)" +title: "macOS 14.0: Security Configuration - CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1)" description: | - This guide describes the actions to take when securing a macOS 13.0 system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1) security baseline. + This guide describes the actions to take when securing a macOS 14.0 system against the CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1) security baseline. authors: | *macOS Security Compliance Project* @@ -31,24 +31,29 @@ profile: - section: "macos" rules: - os_airdrop_disable + - os_anti_virus_installed - os_authenticated_root_enable - os_config_data_install_enforce - - os_efi_integrity_validated - os_firewall_log_enable - os_gatekeeper_enable - os_guest_folder_removed - os_home_folders_secure - os_httpd_disable - os_install_log_retention_configure + - os_mdm_require - os_mobile_file_integrity_enable - os_nfsd_disable + - os_on_device_dictation_enforce - os_password_hint_remove - os_power_nap_disable - os_root_disable - os_safari_advertising_privacy_protection_enable + - os_safari_javascript_enabled - os_safari_open_safe_downloads_disable + - os_safari_popups_disabled - os_safari_prevent_cross-site_tracking_enable - os_safari_show_full_website_address_enable + - os_safari_show_status_bar_enabled - os_safari_warn_fraudulent_website_enable - os_show_filename_extensions_enable - os_sip_enable @@ -63,6 +68,7 @@ profile: - section: "passwordpolicy" rules: - pwpolicy_account_lockout_enforce + - pwpolicy_account_lockout_timeout_enforce - pwpolicy_history_enforce - pwpolicy_max_lifetime_enforce - pwpolicy_minimum_length_enforce @@ -106,7 +112,6 @@ profile: - section: "Supplemental" rules: - supplemental_cis_manual - - supplemental_controls - supplemental_filevault - supplemental_firewall_pf - supplemental_password_policy 
diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml index 8ce92cd2..629edc47 100644 --- a/baselines/cis_lvl2.yaml +++ b/baselines/cis_lvl2.yaml @@ -1,6 +1,6 @@ -title: "macOS 13.0: Security Configuration - CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2)" +title: "macOS 14.0: Security Configuration - CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2)" description: | - This guide describes the actions to take when securing a macOS 13.0 system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2) security baseline. + This guide describes the actions to take when securing a macOS 14.0 system against the CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2) security baseline. authors: | *macOS Security Compliance Project* @@ -41,28 +41,34 @@ profile: - section: "macos" rules: - os_airdrop_disable + - os_anti_virus_installed - os_authenticated_root_enable - os_bonjour_disable - os_config_data_install_enforce - - os_efi_integrity_validated - os_firewall_log_enable - os_gatekeeper_enable - os_guest_folder_removed + - os_hibernate_mode_apple_silicon_enable - os_hibernate_mode_destroyfvkeyonstandby_enable - - os_hibernate_mode_enable + - os_hibernate_mode_intel_enable - os_home_folders_secure - os_httpd_disable - os_install_log_retention_configure + - os_mdm_require - os_mobile_file_integrity_enable - os_nfsd_disable + - os_on_device_dictation_enforce - os_password_hint_remove - os_policy_banner_loginwindow_enforce - os_power_nap_disable - os_root_disable - os_safari_advertising_privacy_protection_enable + - os_safari_javascript_enabled - os_safari_open_safe_downloads_disable + - os_safari_popups_disabled - os_safari_prevent_cross-site_tracking_enable - os_safari_show_full_website_address_enable + - os_safari_show_status_bar_enabled - os_safari_warn_fraudulent_website_enable - os_show_filename_extensions_enable - os_sip_enable 
@@ -78,13 +84,13 @@ profile: - section: "passwordpolicy" rules: - pwpolicy_account_lockout_enforce + - pwpolicy_account_lockout_timeout_enforce - pwpolicy_alpha_numeric_enforce + - pwpolicy_custom_regex_enforce - pwpolicy_history_enforce - - pwpolicy_lower_case_character_enforce - pwpolicy_max_lifetime_enforce - pwpolicy_minimum_length_enforce - pwpolicy_special_character_enforce - - pwpolicy_upper_case_character_enforce - section: "systemsettings" rules: - system_settings_airplay_receiver_disable @@ -132,8 +138,7 @@ profile: - section: "Supplemental" rules: - supplemental_cis_manual - - supplemental_controls - supplemental_filevault - supplemental_firewall_pf - supplemental_password_policy - - supplemental_smartcard \ No newline at end of file + - supplemental_smartcard diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml index 4f2b39fb..8fa63285 100644 --- a/baselines/cisv8.yaml +++ b/baselines/cisv8.yaml @@ -1,6 +1,6 @@ -title: "macOS 13.0: Security Configuration - CIS Controls Version 8" +title: "macOS 14.0: Security Configuration - CIS Controls Version 8" description: | - This guide describes the actions to take when securing a macOS 13.0 system against the CIS Controls Version 8 security baseline. + This guide describes the actions to take when securing a macOS 14.0 system against the CIS Controls Version 8 security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | @@ -53,6 +53,7 @@ profile: - icloud_bookmarks_disable - icloud_calendar_disable - icloud_drive_disable + - icloud_freeform_disable - icloud_game_center_disable - icloud_keychain_disable - icloud_mail_disable 
@@ -62,22 +63,23 @@ profile: - icloud_sync_disable - section: "macos" rules: + - os_account_modification_disable - os_airdrop_disable + - os_anti_virus_installed - os_appleid_prompt_disable - os_authenticated_root_enable - os_bonjour_disable - - os_calendar_app_disable - os_config_data_install_enforce - os_directory_services_configured - - os_efi_integrity_validated - os_ess_installed - os_filevault_autologin_disable - os_firewall_log_enable - os_gatekeeper_enable - os_gatekeeper_rearm - os_handoff_disable + - os_hibernate_mode_apple_silicon_enable - os_hibernate_mode_destroyfvkeyonstandby_enable - - os_hibernate_mode_enable + - os_hibernate_mode_intel_enable - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable @@ -87,6 +89,7 @@ profile: - os_mdm_require - os_mobile_file_integrity_enable - os_nfsd_disable + - os_on_device_dictation_enforce - os_password_autofill_disable - os_password_hint_remove - os_password_proximity_disable @@ -95,9 +98,12 @@ profile: - os_privacy_setup_prompt_disable - os_root_disable - os_safari_advertising_privacy_protection_enable + - os_safari_javascript_enabled - os_safari_open_safe_downloads_disable + - os_safari_popups_disabled - os_safari_prevent_cross-site_tracking_enable - os_safari_show_full_website_address_enable + - os_safari_show_status_bar_enabled - os_safari_warn_fraudulent_website_enable - os_show_filename_extensions_enable - os_sip_enable @@ -121,14 +127,13 @@ profile: - pwpolicy_account_lockout_enforce - pwpolicy_account_lockout_timeout_enforce - pwpolicy_alpha_numeric_enforce + - pwpolicy_custom_regex_enforce - pwpolicy_history_enforce - - pwpolicy_lower_case_character_enforce - pwpolicy_max_lifetime_enforce - pwpolicy_minimum_length_enforce - pwpolicy_minimum_lifetime_enforce - pwpolicy_simple_sequence_disable - pwpolicy_special_character_enforce - - pwpolicy_upper_case_character_enforce - section: "systemsettings" rules: - system_settings_airplay_receiver_disable 
@@ -197,8 +202,7 @@ profile: - os_access_control_mobile_devices - section: "Supplemental" rules: - - supplemental_controls - supplemental_filevault - supplemental_firewall_pf - supplemental_password_policy - - supplemental_smartcard \ No newline at end of file + - supplemental_smartcard diff --git a/baselines/cmmc_lvl1.yaml b/baselines/cmmc_lvl1.yaml index bf5f4204..7f4fff21 100644 --- a/baselines/cmmc_lvl1.yaml +++ b/baselines/cmmc_lvl1.yaml @@ -1,6 +1,6 @@ -title: "macOS 13.0: Security Configuration - US CMMC 2.0 Level 1" +title: "macOS 14.0: Security Configuration - US CMMC 2.0 Level 1" description: | - This guide describes the actions to take when securing a macOS 13.0 system against the US CMMC 2.0 Level 1 security baseline. + This guide describes the actions to take when securing a macOS 14.0 system against the US CMMC 2.0 Level 1 security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | @@ -26,6 +26,7 @@ profile: - icloud_bookmarks_disable - icloud_calendar_disable - icloud_drive_disable + - icloud_freeform_disable - icloud_game_center_disable - icloud_keychain_disable - icloud_mail_disable @@ -36,6 +37,7 @@ profile: - icloud_sync_disable - section: "macos" rules: + - os_account_modification_disable - os_airdrop_disable - os_appleid_prompt_disable - os_authenticated_root_enable @@ -50,6 +52,7 @@ profile: - os_httpd_disable - os_icloud_storage_prompt_disable - os_nfsd_disable + - os_on_device_dictation_enforce - os_rapid_security_response_allow - os_rapid_security_response_removal_disable - os_recovery_lock_enable 
@@ -88,6 +91,9 @@ profile: rules: - os_logical_access - os_malicious_code_prevention + - section: "Permanent" + rules: + - os_auth_peripherals - section: "Supplemental" rules: - supplemental_controls diff --git a/baselines/cmmc_lvl2.yaml b/baselines/cmmc_lvl2.yaml index 08b66fa2..94e024f3 100644 --- a/baselines/cmmc_lvl2.yaml +++ b/baselines/cmmc_lvl2.yaml @@ -1,6 +1,6 @@ -title: "macOS 13.0: Security Configuration - US CMMC 2.0 Level 2" +title: "macOS 14.0: Security Configuration - US CMMC 2.0 Level 2" description: | - This guide describes the actions to take when securing a macOS 13.0 system against the US CMMC 2.0 Level 2 security baseline. + This guide describes the actions to take when securing a macOS 14.0 system against the US CMMC 2.0 Level 2 security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | @@ -57,6 +57,7 @@ profile: - icloud_bookmarks_disable - icloud_calendar_disable - icloud_drive_disable + - icloud_freeform_disable - icloud_game_center_disable - icloud_keychain_disable - icloud_mail_disable @@ -67,6 +68,7 @@ profile: - icloud_sync_disable - section: "macos" rules: + - os_account_modification_disable - os_airdrop_disable - os_appleid_prompt_disable - os_authenticated_root_enable @@ -97,6 +99,7 @@ profile: - os_ir_support_disable - os_mdm_require - os_nfsd_disable + - os_on_device_dictation_enforce - os_password_autofill_disable - os_password_hint_remove - os_password_proximity_disable @@ -111,6 +114,7 @@ profile: - os_recovery_lock_enable - os_removable_media_disable - os_root_disable + - os_screensaver_loginwindow_enforce - os_sip_enable - os_siri_prompt_disable - os_skip_screen_time_prompt_enable 
@@ -118,11 +122,12 @@ profile: - os_ssh_fips_compliant - os_ssh_server_alive_count_max_configure - os_ssh_server_alive_interval_configure + - os_sshd_channel_timeout_configure - os_sshd_client_alive_count_max_configure - os_sshd_client_alive_interval_configure - os_sshd_fips_compliant - - os_sshd_key_exchange_algorithm_configure - os_sshd_login_grace_time_configure + - os_sshd_unused_connection_timeout_configure - os_tftpd_disable - os_time_server_enabled - os_touchid_prompt_disable @@ -135,14 +140,13 @@ profile: - pwpolicy_account_lockout_enforce - pwpolicy_account_lockout_timeout_enforce - pwpolicy_alpha_numeric_enforce + - pwpolicy_custom_regex_enforce - pwpolicy_history_enforce - - pwpolicy_lower_case_character_enforce - pwpolicy_max_lifetime_enforce - pwpolicy_minimum_length_enforce - pwpolicy_minimum_lifetime_enforce - pwpolicy_simple_sequence_disable - pwpolicy_special_character_enforce - - pwpolicy_upper_case_character_enforce - section: "systemsettings" rules: - system_settings_airplay_receiver_disable @@ -163,6 +167,8 @@ profile: - system_settings_gatekeeper_override_disallow - system_settings_guest_access_smb_disable - system_settings_guest_account_disable + - system_settings_hot_corners_disable + - system_settings_hot_corners_secure - system_settings_improve_siri_dictation_disable - system_settings_internet_accounts_disable - system_settings_internet_sharing_disable @@ -199,6 +205,7 @@ profile: - os_prevent_priv_functions - os_prevent_unauthorized_disclosure - os_prohibit_remote_activation_collab_devices + - os_secure_enclave - os_separate_functionality - os_store_encrypted_passwords - os_unique_identification @@ -206,6 +213,7 @@ profile: - section: "Permanent" rules: - audit_records_processing + - os_auth_peripherals - system_settings_wifi_disable_when_connected_to_ethernet - section: "not_applicable" rules: diff --git a/baselines/cnssi-1253_high.yaml b/baselines/cnssi-1253_high.yaml index c0ad8357..e1de98eb 100644 --- a/baselines/cnssi-1253_high.yaml 
+++ b/baselines/cnssi-1253_high.yaml @@ -1,6 +1,6 @@ -title: "macOS 13.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (High)" +title: "macOS 14.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (High)" description: | - This guide describes the actions to take when securing a macOS 13.0 system against the Committee on National Security Systems Instruction No. 1253 (High) security baseline. + This guide describes the actions to take when securing a macOS 14.0 system against the Committee on National Security Systems Instruction No. 1253 (High) security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | @@ -15,7 +15,6 @@ parent_values: "recommended" profile: - section: "auditing" rules: - - audit_acls_files_configure - audit_acls_folders_configure - audit_auditd_enabled - audit_configure_capacity_notify @@ -57,6 +56,7 @@ profile: - icloud_bookmarks_disable - icloud_calendar_disable - icloud_drive_disable + - icloud_freeform_disable - icloud_game_center_disable - icloud_keychain_disable - icloud_mail_disable @@ -67,6 +67,7 @@ profile: - icloud_sync_disable - section: "macos" rules: + - os_account_modification_disable - os_airdrop_disable - os_appleid_prompt_disable - os_asl_log_files_owner_group_configure @@ -78,6 +79,7 @@ profile: - os_bluray_read_only_enforce - os_bonjour_disable - os_burn_support_disable + - os_calendar_app_disable - os_cd_read_only_enforce - os_certificate_authority_trust - os_config_data_install_enforce 
@@ -105,6 +107,7 @@ profile: - os_newsyslog_files_owner_group_configure - os_newsyslog_files_permissions_configure - os_nfsd_disable + - os_on_device_dictation_enforce - os_parental_controls_enable - os_password_autofill_disable - os_password_hint_remove @@ -129,12 +132,13 @@ profile: - os_ssh_fips_compliant - os_ssh_server_alive_count_max_configure - os_ssh_server_alive_interval_configure + - os_sshd_channel_timeout_configure - os_sshd_client_alive_count_max_configure - os_sshd_client_alive_interval_configure - os_sshd_fips_compliant - - os_sshd_key_exchange_algorithm_configure - os_sshd_login_grace_time_configure - os_sshd_permit_root_login_configure + - os_sshd_unused_connection_timeout_configure - os_sudoers_timestamp_type_configure - os_system_read_only - os_tftpd_disable @@ -149,15 +153,14 @@ profile: - pwpolicy_account_lockout_enforce - pwpolicy_account_lockout_timeout_enforce - pwpolicy_alpha_numeric_enforce + - pwpolicy_custom_regex_enforce - pwpolicy_history_enforce - - pwpolicy_lower_case_character_enforce - pwpolicy_max_lifetime_enforce - pwpolicy_minimum_length_enforce - pwpolicy_minimum_lifetime_enforce - pwpolicy_simple_sequence_disable - pwpolicy_special_character_enforce - pwpolicy_temporary_or_emergency_accounts_disable - - pwpolicy_upper_case_character_enforce - section: "systemsettings" rules: - system_settings_airplay_receiver_disable @@ -270,4 +273,4 @@ profile: - supplemental_filevault - supplemental_firewall_pf - supplemental_password_policy - - supplemental_smartcard \ No newline at end of file + - supplemental_smartcard diff --git a/baselines/cnssi-1253_low.yaml b/baselines/cnssi-1253_low.yaml index 890a0317..85a35897 100644 --- a/baselines/cnssi-1253_low.yaml +++ b/baselines/cnssi-1253_low.yaml 
@@ -1,6 +1,6 @@ -title: "macOS 13.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Low)" +title: "macOS 14.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Low)" description: | - This guide describes the actions to take when securing a macOS 13.0 system against the Committee on National Security Systems Instruction No. 1253 (Low) security baseline. + This guide describes the actions to take when securing a macOS 14.0 system against the Committee on National Security Systems Instruction No. 1253 (Low) security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | @@ -57,6 +57,7 @@ profile: - icloud_bookmarks_disable - icloud_calendar_disable - icloud_drive_disable + - icloud_freeform_disable - icloud_game_center_disable - icloud_keychain_disable - icloud_mail_disable @@ -67,6 +68,7 @@ profile: - icloud_sync_disable - section: "macos" rules: + - os_account_modification_disable - os_airdrop_disable - os_appleid_prompt_disable - os_asl_log_files_owner_group_configure @@ -78,6 +80,7 @@ profile: - os_bluray_read_only_enforce - os_bonjour_disable - os_burn_support_disable + - os_calendar_app_disable - os_cd_read_only_enforce - os_certificate_authority_trust - os_config_data_install_enforce @@ -104,6 +107,7 @@ profile: - os_newsyslog_files_owner_group_configure - os_newsyslog_files_permissions_configure - os_nfsd_disable + - os_on_device_dictation_enforce - os_parental_controls_enable - os_password_autofill_disable - os_password_hint_remove 
@@ -127,12 +131,13 @@ profile: - os_ssh_fips_compliant - os_ssh_server_alive_count_max_configure - os_ssh_server_alive_interval_configure + - os_sshd_channel_timeout_configure - os_sshd_client_alive_count_max_configure - os_sshd_client_alive_interval_configure - os_sshd_fips_compliant - - os_sshd_key_exchange_algorithm_configure - os_sshd_login_grace_time_configure - os_sshd_permit_root_login_configure + - os_sshd_unused_connection_timeout_configure - os_sudoers_timestamp_type_configure - os_system_read_only - os_tftpd_disable @@ -146,14 +151,13 @@ profile: - pwpolicy_account_lockout_enforce - pwpolicy_account_lockout_timeout_enforce - pwpolicy_alpha_numeric_enforce + - pwpolicy_custom_regex_enforce - pwpolicy_history_enforce - - pwpolicy_lower_case_character_enforce - pwpolicy_max_lifetime_enforce - pwpolicy_minimum_length_enforce - pwpolicy_minimum_lifetime_enforce - pwpolicy_simple_sequence_disable - pwpolicy_special_character_enforce - - pwpolicy_upper_case_character_enforce - section: "systemsettings" rules: - system_settings_airplay_receiver_disable diff --git a/baselines/cnssi-1253_moderate.yaml b/baselines/cnssi-1253_moderate.yaml index a41774e7..f89a5ba7 100644 --- a/baselines/cnssi-1253_moderate.yaml +++ b/baselines/cnssi-1253_moderate.yaml 
@@ -1,6 +1,6 @@ -title: "macOS 13.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Moderate)" +title: "macOS 14.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Moderate)" description: | - This guide describes the actions to take when securing a macOS 13.0 system against the Committee on National Security Systems Instruction No. 1253 (Moderate) security baseline. + This guide describes the actions to take when securing a macOS 14.0 system against the Committee on National Security Systems Instruction No. 1253 (Moderate) security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | @@ -57,6 +57,7 @@ profile: - icloud_bookmarks_disable - icloud_calendar_disable - icloud_drive_disable + - icloud_freeform_disable - icloud_game_center_disable - icloud_keychain_disable - icloud_mail_disable @@ -67,6 +68,7 @@ profile: - icloud_sync_disable - section: "macos" rules: + - os_account_modification_disable - os_airdrop_disable - os_appleid_prompt_disable - os_asl_log_files_owner_group_configure @@ -78,6 +80,7 @@ profile: - os_bluray_read_only_enforce - os_bonjour_disable - os_burn_support_disable + - os_calendar_app_disable - os_cd_read_only_enforce - os_certificate_authority_trust - os_config_data_install_enforce @@ -104,6 +107,7 @@ profile: - os_newsyslog_files_owner_group_configure - os_newsyslog_files_permissions_configure - os_nfsd_disable + - os_on_device_dictation_enforce - os_parental_controls_enable - os_password_autofill_disable - os_password_hint_remove 
@@ -120,6 +124,7 @@ profile: - os_removable_media_disable - os_root_disable - os_screensaver_loginwindow_enforce + - os_screensaver_timeout_loginwindow_enforce - os_secure_boot_verify - os_sip_enable - os_siri_prompt_disable @@ -128,12 +133,13 @@ profile: - os_ssh_fips_compliant - os_ssh_server_alive_count_max_configure - os_ssh_server_alive_interval_configure + - os_sshd_channel_timeout_configure - os_sshd_client_alive_count_max_configure - os_sshd_client_alive_interval_configure - os_sshd_fips_compliant - - os_sshd_key_exchange_algorithm_configure - os_sshd_login_grace_time_configure - os_sshd_permit_root_login_configure + - os_sshd_unused_connection_timeout_configure - os_sudoers_timestamp_type_configure - os_system_read_only - os_tftpd_disable @@ -148,15 +154,14 @@ profile: - pwpolicy_account_lockout_enforce - pwpolicy_account_lockout_timeout_enforce - pwpolicy_alpha_numeric_enforce + - pwpolicy_custom_regex_enforce - pwpolicy_history_enforce - - pwpolicy_lower_case_character_enforce - pwpolicy_max_lifetime_enforce - pwpolicy_minimum_length_enforce - pwpolicy_minimum_lifetime_enforce - pwpolicy_simple_sequence_disable - pwpolicy_special_character_enforce - pwpolicy_temporary_or_emergency_accounts_disable - - pwpolicy_upper_case_character_enforce - section: "systemsettings" rules: - system_settings_airplay_receiver_disable diff --git a/includes/enablePF-mscp.sh b/includes/enablePF-mscp.sh index ade19866..f47035c9 100644 --- a/includes/enablePF-mscp.sh +++ b/includes/enablePF-mscp.sh @@ -4,9 +4,9 @@ enable_macos_application_firewall () { /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on - /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail + /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on - /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on + /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on } 
@@ -35,7 +35,7 @@ enable_pf_firewall_with_macsec_rules () { launchctl enable system/macsec.pfctl launchctl bootstrap system $macsec_pfctl_plist - pfctl -f /etc/pf.conf 2> /dev/null #flush the pf ruleset (reload the rules) + pfctl -f /etc/pf.conf 2> /dev/null #flush the pf ruleset (reload the rules) } @@ -147,7 +147,7 @@ block log proto tcp to any port 540 ENDCONFIG } -#### +#### enable_macos_application_firewall create_macsec_pf_anchors diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml index 70772490..cc0d8ce4 100644 --- a/includes/mscp-data.yaml +++ b/includes/mscp-data.yaml @@ -1,6 +1,6 @@ --- authors: - all_rules: + all_rules: names: - Bob Gendler|National Institute of Standards and Technology - Dan Brodjieski|National Aeronautics and Space Administration @@ -10,7 +10,7 @@ authors: - Bob Gendler|National Institute of Standards and Technology - Dan Brodjieski|National Aeronautics and Space Administration - Allen Golbig|Jamf - 800-53r5_moderate: + 800-53r5_moderate: names: - Bob Gendler|National Institute of Standards and Technology - Dan Brodjieski|National Aeronautics and Space Administration @@ -20,12 +20,12 @@ authors: - Bob Gendler|National Institute of Standards and Technology - Dan Brodjieski|National Aeronautics and Space Administration - Allen Golbig|Jamf - 800-171: + 800-171: names: - Bob Gendler|National Institute of Standards and Technology - Dan Brodjieski|National Aeronautics and Space Administration - Allen Golbig|Jamf - cis_lvl1: + cis_lvl1: preamble: The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®) names: - Edward Byrd|Center for Internet Security 
@@ -72,22 +72,22 @@ authors: - Ekkehard Koch| - Bob Gendler|National Institute of Standards and Technology stig: - names: + names: - Dan Brodjieski|National Aeronautics and Space Administration - Allen Golbig|Jamf - - Bob Gendler|National Institute of Standards and Technology + - Bob Gendler|National Institute of Standards and Technology titles: all_rules: All Rules 800-53r5_high: NIST SP 800-53 Rev 5 High Impact 800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact 800-53r5_low: NIST SP 800-53 Rev 5 Low Impact 800-171: NIST 800-171 Rev 2 - cis_lvl1: CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1) - cis_lvl2: CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2) + cis_lvl1: CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1) + cis_lvl2: CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2) cmmc_lvl1: US CMMC 2.0 Level 1 cmmc_lvl2: US CMMC 2.0 Level 2 cisv8: CIS Controls Version 8 cnssi-1253_low: Committee on National Security Systems Instruction No. 1253 (Low) cnssi-1253_moderate: Committee on National Security Systems Instruction No. 1253 (Moderate) cnssi-1253_high: Committee on National Security Systems Instruction No. 1253 (High) - stig: Apple macOS 13 (Ventura) STIG - Ver 1, Rel 1 + stig: Apple macOS 14 (Sonoma) STIG - Ver 1, Rel 1 diff --git a/includes/supported_payloads.yaml b/includes/supported_payloads.yaml index 033c86d9..e927999b 100644 --- a/includes/supported_payloads.yaml +++ b/includes/supported_payloads.yaml @@ -1,4 +1,4 @@ -payloads_types: +payloads_types: - com.apple.ADCertificate.managed - com.apple.AIM.account - com.apple.AssetCache.managed diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index e3dc37b6..1bd86415 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91701-3 + - CCE-92701-2 cci: - CCI-000162 - CCI-001314 
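Review bot: The new `stig` title, `stig: Apple macOS 14 (Sonoma) STIG - Ver 1, Rel 1`, names a specific STIG release that nothing else in this commit backs: the rule files touched here set `disa_stig: - N/A` and drop the `stig` tag, which suggests no Sonoma STIG mapping existed yet when this was written. Any baseline or guide generated from this title would then claim alignment with a version and release that may not match what DISA eventually publishes, and auditors do compare these strings. Unless the Sonoma STIG V1R1 was already released at this date, a non-committal title such as `stig: Apple macOS 14 (Sonoma) STIG - not yet published` (or keeping the Ventura title until the mapping lands) would avoid a false reference. The remaining `titles:` entries are unchanged in this hunk.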
@@ -27,7 +27,7 @@ references: - SRG-OS-000057-GPOS-00027 - SRG-OS-000206-GPOS-00084 disa_stig: - - APPL-13-000030 + - N/A 800-171r2: - 3.3.8 cis: @@ -38,7 +38,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r4_low @@ -52,9 +52,7 @@ tags: - cisv8 - cnssi-1253_moderate - cnssi-1253_low - - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml index 78f6fff8..a0032d60 100644 --- a/rules/audit/audit_acls_folders_configure.yaml +++ b/rules/audit/audit_acls_folders_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91702-1 + - CCE-92702-0 cci: - CCI-000162 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000057-GPOS-00027 disa_stig: - - APPL-13-000031 + - N/A 800-171r2: - 3.3.8 cis: @@ -36,7 +36,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -52,7 +52,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_alert_processing_fail.yaml b/rules/audit/audit_alert_processing_fail.yaml index 747b4c27..8cd8ed74 100644 --- a/rules/audit/audit_alert_processing_fail.yaml +++ b/rules/audit/audit_alert_processing_fail.yaml @@ -8,7 +8,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91703-9 + - CCE-92703-8 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - permanent mobileconfig: false diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index e5995880..6fe7e4d2 100644 --- a/rules/audit/audit_auditd_enabled.yaml 
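Review bot: The `@@ -52,9 +52,7 @@ tags:` hunk for `audit_acls_files_configure.yaml` removes `- cnssi-1253_high` together with `- stig`, while the sibling `audit_acls_folders_configure.yaml` hunk in the same commit keeps `cnssi-1253_high` and drops only `stig`. If the intent was only to detach the rule from the retired macOS 13 STIG, the CNSSI-1253 High baseline silently loses the audit-file ACL check, and nothing in the changelog records that. Either restore the line `- cnssi-1253_high` in the tags list or call the baseline change out explicitly. The `disa_stig: - N/A` replacement itself is consistent with the rest of the commit.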
+++ b/rules/audit/audit_auditd_enabled.yaml @@ -9,10 +9,11 @@ discussion: | The information system initiates session audits at system start-up. - NOTE: Security auditing is enabled by default on macOS. + NOTE: Security auditing is NOT enabled by default on macOS Sonoma. check: | LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd) - if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]]; then + AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING") + if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then echo "pass" else echo "fail" @@ -22,21 +23,17 @@ result: fix: | [source,bash] ---- - LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd) - - if [[ ! $LAUNCHD_RUNNING == 1 ]]; then - /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist - fi - if [[ ! -e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]];then /bin/cp /etc/security/audit_control.example /etc/security/audit_control - else - /usr/bin/touch /etc/security/audit_control fi + + /bin/launchctl enable system/com.apple.auditd + /bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist + /usr/sbin/audit -i ---- references: cce: - - CCE-91704-7 + - CCE-92704-6 cci: - CCI-000130 - CCI-000131 @@ -60,7 +57,7 @@ references: - AU-12(3) - AU-14(1) - MA-4(1) - - CM-5(1) + - CM-5(1) 800-53r4: - AU-3 - AU-3(1) @@ -84,7 +81,7 @@ references: - SRG-OS-000358-GPOS-00145 - SRG-OS-000359-GPOS-00146 disa_stig: - - APPL-13-001003 + - N/A 800-171r2: - 3.3.1 - 3.3.2 @@ -99,7 +96,7 @@ references: - AU.L2-3.3.2 - AU.L2-3.3.6 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -115,7 +112,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file 
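Review bot: The rewritten fix in the `@@ -22,21 +23,17 @@` hunk drops the fallback that created `/etc/security/audit_control` when `audit_control.example` is absent, and it now runs `launchctl enable`/`launchctl bootstrap` unconditionally; on a host with neither control file the bootstrap and `audit -i` steps run against a missing config and the rule still fails with no explanation, and on a host where the job is already bootstrapped `launchctl bootstrap` presumably reports an error (harmless for `audit -i`, but noisy for anything that records the fix's exit status). I would keep the guard the old fix had, bootstrapping only when `launchctl list` does not already show `com.apple.auditd`, which is the same test the new check uses, and emit a message when the control file cannot be seeded rather than proceeding silently. On the check side, `audit -c | grep -c "AUC_AUDITING"` requires that exact condition token, so any other condition string or an unexpected output format reports fail rather than a false pass; a short note in the discussion such as `NOTE: the check requires audit -c to report AUC_AUDITING; any other condition is treated as a fail.` would make that intentional behaviour visible to anyone porting the rule. The `@@ -9,10 +9,11 @@` discussion hunk's "NOT enabled by default on macOS Sonoma" is the reason the fix now matters, and deserves that extra sentence.
```bash
if [[ ! -e /etc/security/audit_control ]]; then
  if [[ -e /etc/security/audit_control.example ]]; then
    /bin/cp /etc/security/audit_control.example /etc/security/audit_control
  else
    echo "audit_control and audit_control.example are both missing; auditd cannot be configured" >&2
  fi
fi

# Only bootstrap when launchd does not already have the job (same test the check uses).
LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
if [[ ! $LAUNCHD_RUNNING == 1 ]]; then
  /bin/launchctl enable system/com.apple.auditd
  /bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist
fi
/usr/sbin/audit -i
```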
diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml index a1510bfa..382f02bf 100644 --- a/rules/audit/audit_configure_capacity_notify.yaml +++ b/rules/audit/audit_configure_capacity_notify.yaml @@ -1,7 +1,7 @@ id: audit_configure_capacity_notify title: "Configure Audit Capacity Warning" discussion: | - The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value. + The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value. This rule ensures that the system administrator is notified in advance that action is required to free up more disk space for audit logs. check: | @@ -11,34 +11,33 @@ result: fix: | [source,bash] ---- - /usr/bin/sed -i.bak 's/.*minfree.*/minfree:$ODV/' /etc/security/audit_control; /usr/sbin/audit -s + /usr/bin/sed -i.bak 's/.*minfree.*/minfree:$ODV/' /etc/security/audit_control; /usr/sbin/audit -s ---- references: cce: - - CCE-91705-4 + - CCE-92705-3 cci: - CCI-001855 800-53r5: - AU-5(1) - 800-53r4: + 800-53r4: - AU-5(1) srg: - SRG-OS-000343-GPOS-00134 disa_stig: - - APPL-13-001030 + - N/A macOS: - - "13.0" + - "14.0" odv: hint: "Percentage of free space." recommended: 25 stig: 25 tags: - - 800-53r5_high + - 800-53r5_high - 800-53r4_high - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - - stig severity: "medium" severity: "low" mobileconfig: false diff --git a/rules/audit/audit_control_acls_configure.yaml b/rules/audit/audit_control_acls_configure.yaml index bdabe586..5f4ac8be 100644 --- a/rules/audit/audit_control_acls_configure.yaml +++ b/rules/audit/audit_control_acls_configure.yaml 
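Review bot: The `@@ -11,34 +11,33 @@` hunk leaves `audit_configure_capacity_notify.yaml` with two `severity:` keys, `severity: "medium"` immediately followed by `severity: "low"`, visible in the tail context lines just after the removed `- stig` tag. A loader that keeps the last duplicate silently classifies the rule as low while a strict loader rejects the file, so which severity the generated baseline reports depends on the parser rather than on the authors' intent. Since this hunk already edits the adjacent tag line, it is the natural place to drop the stale one and keep a single `severity: "low"` (or `"medium"`, whichever is intended for a capacity warning). Separately, and pre-existing, the fix's `sed -i.bak 's/.*minfree.*/minfree:$ODV/'` rewrites any line containing `minfree`, including a commented-out one, so a file with both a comment and a live setting would end up with two `minfree:` entries.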
@@ -4,7 +4,7 @@ discussion: | /etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs). check: | /bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" -result: +result: integer: 0 fix: | [source,bash] @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-91706-2 + - CCE-92706-1 cci: - N/A 800-53r5: @@ -34,7 +34,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/audit/audit_control_group_configure.yaml b/rules/audit/audit_control_group_configure.yaml index 1f0b4271..5f48df85 100644 --- a/rules/audit/audit_control_group_configure.yaml +++ b/rules/audit/audit_control_group_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-91707-0 + - CCE-92707-9 cci: - N/A 800-53r5: @@ -34,7 +34,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/audit/audit_control_mode_configure.yaml b/rules/audit/audit_control_mode_configure.yaml index ae04af47..42ad490f 100644 --- a/rules/audit/audit_control_mode_configure.yaml +++ b/rules/audit/audit_control_mode_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-91708-8 + - CCE-92708-7 cci: - N/A 800-53r5: @@ -34,7 +34,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/audit/audit_control_owner_configure.yaml b/rules/audit/audit_control_owner_configure.yaml index f75172d1..0e4612c2 100644 --- a/rules/audit/audit_control_owner_configure.yaml +++ b/rules/audit/audit_control_owner_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-91709-6 + - CCE-92709-5 cci: - N/A 800-53r5: @@ -34,7 +34,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/audit/audit_enforce_dual_auth.yaml b/rules/audit/audit_enforce_dual_auth.yaml index cc64ff06..a9d7742f 100644 --- a/rules/audit/audit_enforce_dual_auth.yaml 
+++ b/rules/audit/audit_enforce_dual_auth.yaml @@ -2,17 +2,17 @@ id: audit_enforce_dual_auth title: "Enforce Dual Authorization for Movement and Deletion of Audit Information" discussion: | All bulk manipulation of audit information should be authorized via automatic processes, and any manual manipulation of audit information should require dual authorization. In addition, dual authorization mechanisms should require the approval of two authorized individuals before being executed. - + An authorized user may intentionally or accidentally move or delete audit records without those specific actions being authorized, which would result in the loss of information that could, in the future, be critical for forensic investigation. - - To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + + To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91710-4 + - CCE-92710-3 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - permanent - cnssi-1253_high diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index cdd10d54..3a83c20b 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml 
@@ -1,11 +1,11 @@ id: audit_failure_halt title: "Configure System to Shut Down Upon Audit Failure" discussion: | - The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events. + The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events. - Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. check: | - /usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt' + /usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt' result: integer: 1 fix: | @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91711-2 + - CCE-92711-1 cci: - CCI-000140 800-53r5: @@ -25,26 +25,25 @@ references: srg: - SRG-OS-000047-GPOS-00023 disa_stig: - - APPL-13-001010 + - N/A 800-171r2: - 3.3.4 cmmc: - AU.L2-3.3.4 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml index d67e0060..8f53435d 100644 --- a/rules/audit/audit_files_group_configure.yaml +++ b/rules/audit/audit_files_group_configure.yaml @@ -3,7 +3,7 @@ title: "Configure Audit Log Files Group to Wheel" discussion: | Audit log files _MUST_ have the group set to wheel. - The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. + The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated. check: | @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-91712-0 + - CCE-92712-9 cci: - CCI-000162 800-53r5: @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000057-GPOS-00027 disa_stig: - - APPL-13-001014 + - N/A 800-171r2: - 3.3.8 cis: @@ -38,7 +38,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -54,7 +54,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml index f82d67a9..54877401 100644 --- a/rules/audit/audit_files_mode_configure.yaml +++ b/rules/audit/audit_files_mode_configure.yaml 
@@ -1,7 +1,7 @@ id: audit_files_mode_configure title: "Configure Audit Log Files to Mode 440 or Less Permissive" discussion: | - The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs. + The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs. check: | /bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' result: @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-91713-8 + - CCE-92713-7 cci: - CCI-000162 800-53r5: @@ -23,7 +23,7 @@ references: srg: - SRG-OS-000057-GPOS-00027 disa_stig: - - APPL-13-001016 + - N/A 800-171r2: - 3.3.8 cis: @@ -34,7 +34,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -50,7 +50,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml index 2e8ad15f..2cc9eeb6 100644 --- a/rules/audit/audit_files_owner_configure.yaml +++ b/rules/audit/audit_files_owner_configure.yaml @@ -1,5 +1,5 @@ id: audit_files_owner_configure -title: "Configure Audit Log Files to be Owned by Root" +title: "Configure Audit Log Files to be Owned by Root" discussion: | Audit log files _MUST_ be owned by root. 
@@ -7,7 +7,7 @@ discussion: | Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated. check: | - /bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}' + /bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}' result: integer: 0 fix: | @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-91714-6 + - CCE-92714-5 cci: - CCI-000162 800-53r5: @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000057-GPOS-00027 disa_stig: - - APPL-13-001012 + - N/A 800-171r2: - 3.3.8 cis: @@ -38,7 +38,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -54,7 +54,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index 16063eb9..2d4e11c0 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml 
@@ -2,9 +2,9 @@ id: audit_flags_aa_configure title: "Configure System to Audit All Authorization and Authentication Events" discussion: | The auditing system _MUST_ be configured to flag authorization and authentication (aa) events. - - Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events. - + + Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events. + Audit records can be generated from various components within the information system (e.g., via a module or policy filter). check: | /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'aa' @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-91715-3 + - CCE-92715-2 cci: - CCI-000172 800-53r5: @@ -36,7 +36,7 @@ references: - SRG-OS-000473-GPOS-00218 - SRG-OS-000475-GPOS-00220 disa_stig: - - APPL-13-001044 + - N/A 800-171r2: - 3.3.1 - 3.3.2 @@ -52,23 +52,22 @@ references: - AU.L2-3.3.6 - SI.L2-3.14.3 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_privacy - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-171 + - 800-53r5_privacy + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-171 - cis_lvl2 - cisv8 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index 5d48b4b7..c0b3fcd1 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -21,7 +21,7 @@ fix: | ---- references: cce: - - CCE-91716-1 + - CCE-92716-0 cci: - CCI-000018 - CCI-000172 @@ -56,7 +56,7 @@ references: - SRG-OS-000476-GPOS-00221 - SRG-OS-000477-GPOS-00222 disa_stig: - - APPL-13-001001 + - N/A 800-171r2: - 3.1.7 - 3.3.1 @@ -73,7 +73,7 @@ references: - AU.L2-3.3.6 - SI.L2-3.14.3 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_privacy - 800-53r4_low @@ -89,7 +89,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index a89025e0..69a96ae7 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml 
@@ -3,9 +3,9 @@ title: "Configure System to Audit All Failed Program Execution on the System" discussion: | The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts. - Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes). - - This configuration ensures that audit lists include events in which program execution has failed. + Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes). + + This configuration ensures that audit lists include events in which program execution has failed. Without auditing the enforcement of program execution, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-ex' @@ -18,9 +18,9 @@ fix: | ---- references: cce: - - CCE-91718-7 + - CCE-92717-8 cci: - - N/A + - N/A 800-53r5: - AC-2(12) - AU-12 @@ -47,9 +47,9 @@ references: cmmc: - AU.L2-3.3.3 - AU.L2-3.3.6 - - SI.L2-3.14.3 + - SI.L2-3.14.3 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_privacy - 800-53r4_low diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index 035bcd7e..42ed5269 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-91719-5 + - CCE-92718-6 cci: - CCI-000172 - CCI-001814 
@@ -48,7 +48,7 @@ references: - SRG-OS-000468-GPOS-00212 - SRG-OS-000474-GPOS-00219 disa_stig: - - APPL-13-001020 + - N/A 800-171r2: - N/A cmmc: @@ -57,7 +57,7 @@ references: - AU.L2-3.3.8 - SI.L2-3.14.3 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_privacy - 800-53r5_low @@ -67,7 +67,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index a18995e6..fe72171e 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -1,11 +1,11 @@ id: audit_flags_fm_configure title: "Configure System to Audit All Changes of Object Attributes" discussion: | - The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm). + The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm). Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., modifications to a file by applying file permissions). - This configuration ensures that audit lists include events in which enforcement actions attempts to modify a file. + This configuration ensures that audit lists include events in which enforcement actions attempts to modify a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-91720-3 + - CCE-92719-4 cci: - CCI-000172 - CCI-001814 @@ -48,7 +48,7 @@ references: - SRG-OS-000468-GPOS-00212 - SRG-OS-000474-GPOS-00219 disa_stig: - - APPL-13-001020 + - N/A 800-171r2: - N/A cmmc: 
@@ -57,13 +57,12 @@ references: - AU.L2-3.3.8 - SI.L2-3.14.3 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fm_failed_configure.yaml b/rules/audit/audit_flags_fm_failed_configure.yaml index d5184315..dc12ed32 100644 --- a/rules/audit/audit_flags_fm_failed_configure.yaml +++ b/rules/audit/audit_flags_fm_failed_configure.yaml @@ -1,11 +1,11 @@ id: audit_flags_fm_failed_configure title: "Configure System to Audit All Failed Change of Object Attributes" discussion: | - The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm). + The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm). - Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). - - This configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file. + Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). + + This configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-91721-1 + - CCE-92720-2 cci: - N/A 800-53r5: 
@@ -29,13 +29,13 @@ references: - AU-9 - CM-5(1) - MA-4(1) - 800-53r4: - - AU-2 + 800-53r4: + - AU-2 - AU-12 - AU-9 - CM-5(1) - MA-4(1) - srg: + srg: - N/A disa_stig: - N/A @@ -56,7 +56,7 @@ references: - AU.L2-3.3.8 - SI.L2-3.14.3 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_privacy - 800-53r5_low diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index 35ac96e2..93a5a06b 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-91722-9 + - CCE-92721-0 cci: - CCI-000172 - CCI-001814 @@ -48,7 +48,7 @@ references: - SRG-OS-000468-GPOS-00212 - SRG-OS-000474-GPOS-00219 disa_stig: - - APPL-13-001020 + - N/A 800-171r2: - 3.3.1 - 3.3.2 @@ -66,7 +66,7 @@ references: - AU.L2-3.3.8 - SI.L2-3.14.3 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_privacy - 800-53r4_low @@ -82,7 +82,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index f03d553d..7f90327f 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-91723-7 + - CCE-92722-8 cci: - CCI-000172 - CCI-001814 @@ -48,7 +48,7 @@ references: - SRG-OS-000468-GPOS-00212 - SRG-OS-000474-GPOS-00219 disa_stig: - - APPL-13-001020 + - N/A 800-171r2: - 3.3.1 - 3.3.2 @@ -66,7 +66,7 @@ references: - AU.L2-3.3.8 - SI.L2-3.14.3 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_privacy - 800-53r4_low @@ -82,7 +82,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index c570974f..9ce5ba3d 100644 
--- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-91724-5 + - CCE-92723-6 cci: - CCI-000067 - CCI-000172 @@ -36,7 +36,7 @@ references: - SRG-OS-000032-GPOS-00013 - SRG-OS-000462-GPOS-00206 disa_stig: - - APPL-13-001002 + - N/A 800-171r2: - 3.1.12 - 3.3.1 @@ -54,7 +54,7 @@ references: - AU.L2-3.3.6 - SI.L2-3.14.3 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_privacy - 800-53r4_low @@ -70,7 +70,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml index bae04a6c..dd88df81 100644 --- a/rules/audit/audit_folder_group_configure.yaml +++ b/rules/audit/audit_folder_group_configure.yaml @@ -3,7 +3,7 @@ title: "Configure Audit Log Folders Group to Wheel" discussion: | Audit log files _MUST_ have the group set to wheel. - The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. + The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated. check: | @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-91725-2 + - CCE-92724-4 cci: - CCI-000162 800-53r5: @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000057-GPOS-00027 disa_stig: - - APPL-13-001015 + - N/A 800-171r2: - 3.3.8 cis: @@ -38,7 +38,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate 
@@ -54,7 +54,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml index f92bb848..5a8b6d61 100644 --- a/rules/audit/audit_folder_owner_configure.yaml +++ b/rules/audit/audit_folder_owner_configure.yaml @@ -1,5 +1,5 @@ id: audit_folder_owner_configure -title: "Configure Audit Log Folders to be Owned by Root" +title: "Configure Audit Log Folders to be Owned by Root" discussion: | Audit log folders _MUST_ be owned by root. @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-91726-0 + - CCE-92725-1 cci: - CCI-000162 800-53r5: @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000057-GPOS-00027 disa_stig: - - APPL-13-001013 + - N/A 800-171r2: - 3.3.8 cis: @@ -38,7 +38,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -54,7 +54,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml index 6c229398..727f172c 100644 --- a/rules/audit/audit_folders_mode_configure.yaml +++ b/rules/audit/audit_folders_mode_configure.yaml 
@@ -1,9 +1,9 @@ id: audit_folders_mode_configure title: "Configure Audit Log Folders to Mode 700 or Less Permissive" discussion: | - The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders. + The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders. - Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs. + Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs. check: | /usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') result: @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91727-8 + - CCE-92726-9 cci: - CCI-000162 - CCI-000163 @@ -29,7 +29,7 @@ references: - SRG-OS-000058-GPOS-00028 - SRG-OS-000059-GPOS-00029 disa_stig: - - APPL-13-001017 + - N/A 800-171r2: - 3.3.8 cis: @@ -40,7 +40,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -56,7 +56,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml index 604b8d65..9511bb94 100644 --- a/rules/audit/audit_off_load_records.yaml +++ b/rules/audit/audit_off_load_records.yaml 
@@ -3,16 +3,16 @@ title: "Off-Load Audit Records" discussion: | Audit records should be off-loaded onto a different system or media from the system being audited. - Information stored in only one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. + Information stored in only one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. - To secure audit records by off-loading, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To secure audit records by off-loading, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91728-6 + - CCE-92727-7 cci: - N/A 800-53r5: @@ -29,7 +29,7 @@ references: controls v8: - 8.9 macOS: - - "13.0" + - "14.0" tags: - permanent - cisv8 diff --git a/rules/audit/audit_record_reduction_report_generation.yaml b/rules/audit/audit_record_reduction_report_generation.yaml index e1f11e99..21ba6043 100644 --- a/rules/audit/audit_record_reduction_report_generation.yaml +++ b/rules/audit/audit_record_reduction_report_generation.yaml 
@@ -1,8 +1,8 @@ id: audit_record_reduction_report_generation title: "Audit Record Reduction and Report Generation" discussion: | - The system _IS_ configured with the ability provide and implement an audit record reduction and report generation capability. - + The system _IS_ configured with the ability provide and implement an audit record reduction and report generation capability. + Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient. Audit record reduction and report generation can be done with tools built into macOS such as auditreduce and praudit. These tools are protected by System Integrity Protection (SIP). @@ -12,12 +12,12 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91729-4 - cci: + - CCE-92728-5 + cci: - N/A 800-53r5: - AU-7 - 800-53r4: + 800-53r4: - N/A srg: - N/A @@ -28,7 +28,7 @@ references: cmmc: - AU.L2-3.3.6 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_high - 800-53r4_high diff --git a/rules/audit/audit_records_processing.yaml b/rules/audit/audit_records_processing.yaml index a50cadb1..3618de30 100644 --- a/rules/audit/audit_records_processing.yaml +++ b/rules/audit/audit_records_processing.yaml 
@@ -2,7 +2,7 @@ id: audit_records_processing title: "Audit Record Reduction and Report Generation" discussion: | The macOS should be configured to provide and implement the capability to process, sort, and search audit records for events of interest based on organizationally defined fields. - + Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component. check: | The technology does not support this requirement. This is an applicable-does not meet finding. @@ -10,12 +10,12 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91730-2 - cci: + - CCE-92729-3 + cci: - N/A 800-53r5: - AU-7(1) - 800-53r4: + 800-53r4: - N/A srg: - N/A @@ -26,7 +26,7 @@ references: cmmc: - AU.L2-3.3.6 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_high - 800-53r4_high diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index d2a0d184..253272ba 100644 --- a/rules/audit/audit_retention_configure.yaml +++ b/rules/audit/audit_retention_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91731-0 + - CCE-92730-1 cci: - CCI-001849 800-53r5: @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000341-GPOS-00132 disa_stig: - - APPL-13-001029 + - N/A cis: benchmark: - 3.4 (level 1) @@ -37,7 +37,7 @@ references: cmmc: - AU.L2-3.3.1 macOS: - - "13.0" + - "14.0" odv: hint: "See man audit_control for possible values." recommended: 7d 
diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml index 924b2ecf..5f29c5e9 100644 --- a/rules/audit/audit_settings_failure_notify.yaml +++ b/rules/audit/audit_settings_failure_notify.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91732-8 + - CCE-92731-9 cci: - CCI-001858 800-53r5: @@ -27,13 +27,13 @@ references: srg: - SRG-OS-000344-GPOS-00135 disa_stig: - - APPL-13-001031 + - N/A 800-171r2: - 3.3.4 cmmc: - AU.L2-3.3.4 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -44,7 +44,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml index 07d0ecf1..ce788528 100644 --- a/rules/auth/auth_pam_login_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml @@ -37,7 +37,7 @@ fix: | ---- references: cce: - - CCE-91733-6 + - CCE-92732-7 cci: - CCI-000366 800-53r5: @@ -51,7 +51,7 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-003050 + - N/A 800-171r2: - 3.5.3 cis: @@ -65,7 +65,7 @@ references: - IA.L2-3.5.3 - IA.L2-3.5.4 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -79,7 +79,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml index 7fa36032..48409184 100644 --- a/rules/auth/auth_pam_su_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml @@ -32,7 +32,7 @@ fix: | ---- references: cce: - - CCE-91734-4 + - CCE-92733-5 cci: - CCI-000366 800-53r5: @@ -46,7 +46,7 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-003051 + - N/A 800-171r2: - 3.5.3 cis: 
@@ -60,7 +60,7 @@ references: - IA.L2-3.5.3 - IA.L2-3.5.4 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -74,7 +74,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml index 5d665fdb..6b50c45e 100644 --- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml @@ -31,7 +31,7 @@ fix: | ---- references: cce: - - CCE-91735-1 + - CCE-92734-3 cci: - CCI-000366 800-53r5: @@ -45,7 +45,7 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-003052 + - N/A 800-171r2: - 3.5.3 cis: @@ -59,7 +59,7 @@ references: - IA.L2-3.5.3 - IA.L2-3.5.4 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -73,7 +73,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml index 8a5223e8..c0153ef3 100644 --- a/rules/auth/auth_smartcard_allow.yaml +++ b/rules/auth/auth_smartcard_allow.yaml @@ -1,10 +1,10 @@ id: auth_smartcard_allow title: "Allow Smartcard Authentication" discussion: | - Smartcard authentication _MUST_ be allowed. + Smartcard authentication _MUST_ be allowed. The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access. - + When enabled, the smartcard can be used for login, authorization, and screen saver unlocking. check: | /usr/bin/osascript -l JavaScript << EOS @@ -17,7 +17,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91736-9 + - CCE-92735-0 cci: - CCI-000187 - CCI-000767 @@ -26,7 +26,7 @@ references: - IA-2(1) - IA-2(2) - IA-2(12) - 800-53r4: + 800-53r4: - IA-2(12) - IA-5(11) srg: 
@@ -34,7 +34,7 @@ references: - SRG-OS-000107-GPOS-00054 - SRG-OS-000108-GPOS-00055 disa_stig: - - APPL-13-003020 + - N/A cis: benchmark: - N/A @@ -47,7 +47,7 @@ references: - IA.L1-3.5.2 - IA.L2-3.5.3 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -61,7 +61,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig mobileconfig: true mobileconfig_info: com.apple.security.smartcard: diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml index 883355a1..0aaf5fc7 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml @@ -1,8 +1,8 @@ id: auth_smartcard_certificate_trust_enforce_high title: "Set Smartcard Certificate Trust to High" discussion: | - The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). - + The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). + To prevent the use of untrusted certificates, the certificates on a smartcard card _MUST_ meet the following criteria: its issuer has a system-trusted certificate, the certificate is not expired, its "valid-after" date is in the past, and it passes Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking. By setting the smartcard certificate trust level to high, the system will execute a hard revocation, i.e., a network connection is required. A verified positive response from the OSCP/CRL server is required for authentication to succeed. @@ -19,13 +19,13 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91737-7 - cci: + - CCE-92736-8 + cci: - N/A 800-53r5: - IA-5(2) - SC-17 - 800-53r4: + 800-53r4: - IA-2(12) - IA-5(2) srg: 
@@ -35,7 +35,7 @@ references: cmmc: - SC.L2-3.13.10 macOS: - - "13.0" + - "14.0" tags: - 800-53r4_high - 800-53r5_high diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml index 85b8747a..f2d86b43 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml @@ -19,7 +19,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91738-5 + - CCE-92737-6 cci: - CCI-000186 - CCI-001953 @@ -39,18 +39,17 @@ references: - SRG-OS-000384-GPOS-00167 - SRG-OS-000403-GPOS-00182 disa_stig: - - APPL-13-001060 + - N/A cmmc: - SC.L2-3.13.10 macOS: - - "13.0" + - "14.0" tags: - - 800-53r4_moderate - - 800-53r5_moderate + - 800-53r4_moderate + - 800-53r5_moderate - cnssi-1253_moderate - cnssi-1253_low - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index 81e109d7..773a2493 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml @@ -21,7 +21,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91739-3 + - CCE-92738-4 cci: - CCI-000187 - CCI-000767 @@ -49,7 +49,7 @@ references: - SRG-OS-000107-GPOS-00054 - SRG-OS-000108-GPOS-00055 disa_stig: - - APPL-13-003020 + - N/A 800-171r2: - 3.5.1 - 3.5.2 @@ -67,7 +67,7 @@ references: - IA.L2-3.5.3 - IA.L2-3.5.4 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -82,7 +82,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/auth/auth_ssh_password_authentication_disable.yaml b/rules/auth/auth_ssh_password_authentication_disable.yaml index fdc2a3d7..c195756b 100644 --- a/rules/auth/auth_ssh_password_authentication_disable.yaml 
+++ b/rules/auth/auth_ssh_password_authentication_disable.yaml @@ -7,7 +7,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/sbin/sshd -T | /usr/bin/grep -Ec '^(passwordauthentication\s+no|kbdinteractiveauthentication\s+no)' + /usr/sbin/sshd -G | /usr/bin/grep -Ec '^(passwordauthentication\s+no|kbdinteractiveauthentication\s+no)' result: integer: 2 fix: | @@ -32,7 +32,7 @@ fix: | ---- references: cce: - - CCE-91740-1 + - CCE-92739-2 cci: - N/A 800-53r5: @@ -77,15 +77,15 @@ references: - IA.L2-3.5.4 - MA.L2-3.7.5 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cisv8 - cnssi-1253_moderate - cnssi-1253_low diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index c94d33be..6a493827 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -1,7 +1,7 @@ id: icloud_addressbook_disable title: "Disable iCloud Address Book" discussion: | - The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled. + The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization _MUST_ be controlled by an organization approved service. check: | @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91741-9 + - CCE-92740-0 cci: - CCI-000381 - CCI-001774 
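Review bot: The new `sshd -G` check still evaluates only the global configuration: without `-C user=...,host=...,addr=...` no Match block is applied, so a Match stanza in sshd_config or sshd_config.d that sets `PasswordAuthentication yes` for a user or subnet passes this check unnoticed. That was equally true of `-T`, but `-G` additionally skips host-key loading, so a passing result no longer tells you the daemon would actually start with this configuration. I would add to the discussion: `NOTE: sshd -G reports the global configuration only; Match blocks are not evaluated unless -C connection parameters are supplied, so review any Match stanzas separately.` The fix block that writes the setting is outside this hunk.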
@@ -34,7 +34,7 @@ references: - SRG-OS-000095-GPOS-00049 - SRG-OS-000370-GPOS-00155 disa_stig: - - APPL-13-002014 + - N/A 800-171r2: - 3.1.20 - 3.4.6 @@ -50,7 +50,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_appleid_preference_pane_disable.yaml b/rules/icloud/icloud_appleid_preference_pane_disable.yaml deleted file mode 100644 index f3d19d72..00000000 --- a/rules/icloud/icloud_appleid_preference_pane_disable.yaml +++ /dev/null @@ -1,44 +0,0 @@ -id: icloud_appleid_preference_pane_disable -title: "Disable the Preference Pane for Apple ID" -discussion: | - This is required for compliance with the DISA STIG for macOS. - - The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. - - link:https://developer.apple.com/documentation/devicemanagement/systempreferences[] -check: | - /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.preferences.AppleIDPrefPane" -result: - integer: 1 -fix: | - This is implemented by a Configuration Profile. -references: - cce: - - CCE-92006-6 - cci: - - CCI-001774 - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - SRG-OS-000370-GPOS-00155 - disa_stig: - - APPL-13-002031 - 800-171r2: - - N/A - cis: - benchmark: - - N/A - controls v8: - - N/A -macOS: - - "13.0" -tags: - - stig -severity: "high" -mobileconfig: true -mobileconfig_info: - com.apple.systempreferences: - DisabledPreferencePanes: - - com.apple.preferences.AppleIDPrefPane \ No newline at end of file 
diff --git a/rules/icloud/icloud_appleid_system_settings_disable.yaml b/rules/icloud/icloud_appleid_system_settings_disable.yaml index afac4260..baa536ca 100644 --- a/rules/icloud/icloud_appleid_system_settings_disable.yaml +++ b/rules/icloud/icloud_appleid_system_settings_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91939-9 + - CCE-92742-6 cci: - N/A 800-53r5: @@ -43,7 +43,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index 08e26f47..c6228db0 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91743-5 + - CCE-92743-4 cci: - CCI-000381 - CCI-001774 @@ -34,7 +34,7 @@ references: - SRG-OS-000095-GPOS-00049 - SRG-OS-000370-GPOS-00155 disa_stig: - - APPL-13-002042 + - N/A 800-171r2: - 3.1.20 - 3.4.6 @@ -50,7 +50,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index 802c1732..3540b7c5 100644 --- a/rules/icloud/icloud_calendar_disable.yaml +++ b/rules/icloud/icloud_calendar_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91744-3 + - CCE-92744-2 cci: - CCI-000381 - CCI-001774 @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-002012 + - N/A 800-171r2: - 3.1.20 - 3.4.6 @@ -49,7 +49,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate 
@@ -64,7 +64,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index 3af8bcd3..3386e2d3 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91745-0 + - CCE-92745-9 cci: - CCI-000381 - CCI-001774 @@ -34,7 +34,7 @@ references: - SRG-OS-000095-GPOS-00049 - SRG-OS-000370-GPOS-00155 disa_stig: - - APPL-13-002041 + - N/A 800-171r2: - 3.1.20 - 3.4.6 @@ -50,7 +50,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_freeform_disable.yaml b/rules/icloud/icloud_freeform_disable.yaml new file mode 100644 index 00000000..1ca63765 --- /dev/null +++ b/rules/icloud/icloud_freeform_disable.yaml 
@@ -0,0 +1,71 @@
+id: icloud_freeform_disable
+title: "Disable the iCloud Freeform Services"
+discussion: |
+ The macOS built-in Freeform.app connection to Apple's iCloud service _MUST_ be disabled.
+
+ Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization _MUST_ be controlled by an organization approved service.
+check: |
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowCloudFreeform').js
+ EOS
+result:
+ string: "false"
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-92746-7
+ cci:
+ - CCI-000381
+ - CCI-001774
+ 800-53r5:
+ - AC-20
+ - AC-20(1)
+ - CM-7
+ - CM-7(1)
+ - SC-7(10)
+ 800-53r4:
+ - CM-7
+ - CM-7(1)
+ - AC-20
+ - AC-20(1)
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - 3.1.20
+ - 3.4.6
+ cis:
+ benchmark:
+ - N/A
+ controls v8:
+ - 4.1
+ - 4.8
+ - 15.3
+ cmmc:
+ - AC.L1-3.1.20
+ - CM.L2-3.4.6
+ - CM.L2-3.4.7
+macOS:
+ - "14.0"
+tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
+ - cisv8
+ - cnssi-1253_moderate
+ - cnssi-1253_low
+ - cnssi-1253_high
+ - cmmc_lvl2
+ - cmmc_lvl1
+severity: "low"
+mobileconfig: true
+mobileconfig_info:
+ com.apple.applicationaccess:
+ allowCloudFreeform: false
diff --git a/rules/icloud/icloud_game_center_disable.yaml b/rules/icloud/icloud_game_center_disable.yaml
index 85ddb2a9..63b01813 100644
--- a/rules/icloud/icloud_game_center_disable.yaml
+++ b/rules/icloud/icloud_game_center_disable.yaml
@@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce:
- - CCE-92001-7
+ - CCE-92747-5
cci: - N/A 800-53r5:
@@ -22,7 +22,7 @@ references: - AC-20(1) - CM-7 - CM-7(1)
- - SC-7(10)
+ - SC-7(10)
800-53r4: - CM-7 - CM-7(1)
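Review bot: The second discussion paragraph of the new rule was carried over from the Calendar rule and says `automated calendar synchronization _MUST_ be controlled`, which misdescribes what `allowCloudFreeform` governs; change it to `automated Freeform board synchronization _MUST_ be controlled by an organization approved service.` The title `Disable the iCloud Freeform Services` also reads oddly next to the sibling rules (`Disable iCloud Notes`, `Disable iCloud Reminders`); `Disable iCloud Freeform` would match the pattern. I cannot confirm from this diff which macOS releases honor the key, so the discussion would benefit from a sentence stating the minimum OS the restriction applies to, given the rule declares macOS 14.0 only.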
@@ -47,16 +47,16 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high - 800-171 - - cisv8 + - cisv8 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index ffd2cd3d..85394731 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91746-8 + - CCE-92748-3 cci: - CCI-001774 - CCI-000381 @@ -34,7 +34,7 @@ references: - SRG-OS-000095-GPOS-00049 - SRG-OS-000370-GPOS-00155 disa_stig: - - APPL-13-002040 + - N/A 800-171r2: - 3.1.20 - 3.4.6 @@ -50,7 +50,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index d3dc3fc9..045798cf 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91747-6 + - CCE-92749-1 cci: - CCI-000381 - CCI-001774 @@ -34,7 +34,7 @@ references: - SRG-OS-000095-GPOS-00049 - SRG-OS-000370-GPOS-00155 disa_stig: - - APPL-13-002015 + - N/A 800-171r2: - 3.1.20 - 3.4.6 @@ -50,7 +50,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "low" mobileconfig: true mobileconfig_info: 
diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index c9f30d4a..52bef441 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml @@ -1,7 +1,7 @@ id: icloud_notes_disable title: "Disable iCloud Notes" discussion: | - The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled. + The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization _MUST_ be controlled by an organization approved service. check: | @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91748-4 + - CCE-92750-9 cci: - CCI-000381 - CCI-001774 @@ -34,7 +34,7 @@ references: - SRG-OS-000095-GPOS-00049 - SRG-OS-000370-GPOS-00155 disa_stig: - - APPL-13-002016 + - N/A 800-171r2: - 3.1.20 - 3.4.6 @@ -50,7 +50,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index e8600d6d..031c98c9 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91749-2 + - CCE-92751-7 cci: - CCI-000381 - CCI-001774 @@ -34,7 +34,7 @@ references: - SRG-OS-000095-GPOS-00049 - SRG-OS-000370-GPOS-00155 disa_stig: - - APPL-13-002043 + - N/A 800-171r2: - 3.1.20 - 3.4.6 @@ -50,7 +50,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate 
@@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml index b395b879..fe05db63 100644 --- a/rules/icloud/icloud_private_relay_disable.yaml +++ b/rules/icloud/icloud_private_relay_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91750-0 + - CCE-92752-5 cci: - N/A 800-53r5: @@ -23,7 +23,7 @@ references: - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) + - SC-7(10) 800-53r4: - CM-7 - CM-7(1) @@ -48,15 +48,15 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index f4a5793e..52e243cb 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml @@ -1,7 +1,7 @@ id: icloud_reminders_disable title: "Disable iCloud Reminders" discussion: | - The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled. + The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization _MUST_ be controlled by an organization approved service. check: | @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91751-8 + - CCE-92753-3 cci: - CCI-000381 - CCI-001774 
@@ -34,7 +34,7 @@ references: - SRG-OS-000095-GPOS-00049 - SRG-OS-000370-GPOS-00155 disa_stig: - - APPL-13-002013 + - N/A 800-171r2: - 3.1.20 - 3.4.6 @@ -50,7 +50,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index 2c04eefa..39b61e25 100644 --- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml @@ -3,7 +3,7 @@ title: "Disable iCloud Desktop and Document Folder Sync" discussion: | The macOS system's ability to automatically synchronize a user's desktop and documents folder to their iCloud Drive _MUST_ be disabled. - Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91752-6 + - CCE-92754-1 cci: - N/A 800-53r5: @@ -23,7 +23,7 @@ references: - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) + - SC-7(10) 800-53r4: - CM-7 - CM-7(1) @@ -48,7 +48,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_access_control_mobile_devices.yaml b/rules/os/os_access_control_mobile_devices.yaml index dc732260..246f8107 100644 --- a/rules/os/os_access_control_mobile_devices.yaml 
+++ b/rules/os/os_access_control_mobile_devices.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91753-4 + - CCE-92755-8 cci: - N/A 800-53r5: @@ -31,7 +31,7 @@ references: cmmc: - AC.L2-3.1.18 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_account_modification_disable.yaml b/rules/os/os_account_modification_disable.yaml new file mode 100644 index 00000000..b8c63014 --- /dev/null +++ b/rules/os/os_account_modification_disable.yaml 
@@ -0,0 +1,75 @@
+id: os_account_modification_disable
+title: "Disable AppleID and Internet Account Modifications"
+discussion: |
+ The system _MUST_ disable account modification.
+
+ Account modification includes adding additional or modifying internet acounts in Apple Mail, Calendar, Contacts, in the Internet Account System Setting Pane, or the AppleID System Setting Pane.
+
+ This prevents the addition of unauthorized accounts.
+
+ [IMPORTANT]
+ ====
+ Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
+ ====
+check: |
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowAccountModification').js
+ EOS
+result:
+ string: "false"
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-93012-3
+ cci:
+ - N/A
+ 800-53r5:
+ - AC-20
+ - AC-20(1)
+ - CM-7
+ - CM-7(1)
+ 800-53r4:
+ - CM-7
+ - CM-7(1)
+ - AC-20
+ - AC-20(1)
+ - SC-7(10)
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - 3.1.20
+ - 3.4.6
+ cis:
+ benchmark:
+ - N/A
+ controls v8:
+ - 4.1
+ - 4.8
+ cmmc:
+ - AC.L1-3.1.20
+ - CM.L2-3.4.6
+ - CM.L2-3.4.7
+macOS:
+ - "14.0"
+tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
+ - cisv8
+ - cnssi-1253_moderate
+ - cnssi-1253_low
+ - cnssi-1253_high
+ - cmmc_lvl2
+ - cmmc_lvl1
+mobileconfig: true
+mobileconfig_info:
+ com.apple.applicationaccess:
+ allowAccountModification: false
\ No newline at end of file
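Review bot: The discussion of the new rule has a typo, `internet acounts`, and its IMPORTANT block still talks about disabling the `Internet Accounts System Preference pane`, which is not what this rule does and is pre-Ventura terminology; reword it to `the risk-based decision not to disable account modification to avoid losing this functionality`. The sibling rules visible in this diff that ship a mobileconfig (icloud_freeform_disable, icloud_photos_disable, os_airdrop_disable) carry a `severity:` key, but this file has none; add one so the rule is not treated differently by whatever consumes that field, which I presume the generator does. The 800-53r4 list includes SC-7(10) while the 800-53r5 list omits it, the reverse of icloud_freeform_disable added in the same change, so one of the two mappings looks incomplete. The file also lacks a trailing newline, which the other new rule has.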
diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 6f4b7481..f4597b12 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -3,7 +3,7 @@ title: "Disable AirDrop" discussion: AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices. - AirDrop allows users to share and receive files from other nearby Apple devices. + AirDrop allows users to share and receive files from other nearby Apple devices. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91754-2 + - CCE-92756-6 cci: - CCI-000381 800-53r5: @@ -31,7 +31,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-002009 + - N/A 800-171r2: - 3.1.1 - 3.1.2 @@ -51,7 +51,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -68,7 +68,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_allow_info_passed.yaml b/rules/os/os_allow_info_passed.yaml index 1f92305a..c8a4f645 100644 --- a/rules/os/os_allow_info_passed.yaml +++ b/rules/os/os_allow_info_passed.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91755-9 + - CCE-92757-4 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent - cnssi-1253_moderate diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml index 9c5ccf2f..605b8b19 100644 --- a/rules/os/os_anti_virus_installed.yaml +++ b/rules/os/os_anti_virus_installed.yaml @@ -16,7 +16,7 @@ fix: | ---- references: cce: - - CCE-91756-7 + - CCE-92758-2 cci: - CCI-000366 800-53r5: 
@@ -24,13 +24,22 @@ references: 800-53r4: - SI-2 srg: - - SRG-OS-000480-GPOS-00227 + - N/A disa_stig: - - APPL-13-002070 + - N/A + cis: + benchmark: + - 5.10 (level 1) + controls v8: + - 10.5 + - 10.1 + - 10.2 macOS: - - "13.0" + - "14.0" tags: - - stig + - cis_lvl1 + - cis_lvl2 + - cisv8 severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml index fe1a500a..4f08f077 100644 --- a/rules/os/os_appleid_prompt_disable.yaml +++ b/rules/os/os_appleid_prompt_disable.yaml @@ -2,7 +2,7 @@ id: os_appleid_prompt_disable title: "Disable Apple ID Setup during Setup Assistant" discussion: | The prompt for Apple ID setup during Setup Assistant _MUST_ be disabled. - + macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first login. check: | /usr/bin/osascript -l JavaScript << EOS @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91757-5 + - CCE-92759-0 cci: - CCI-000381 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-002035 + - N/A 800-171r2: - 3.1.20 cis: @@ -37,7 +37,7 @@ references: cmmc: - AC.L1-3.1.20 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -52,7 +52,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_application_sandboxing.yaml b/rules/os/os_application_sandboxing.yaml index 5a8cd6d2..adf5f6f3 100644 --- a/rules/os/os_application_sandboxing.yaml +++ b/rules/os/os_application_sandboxing.yaml 
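Review bot: In the `@@ -24,13 +24,22 @@` hunk of os_anti_virus_installed.yaml the added `controls v8` list is out of order (`10.5`, `10.1`, `10.2`), whereas the other controls lists in this commit are ascending, e.g. `4.1`, `4.8` in os_account_modification_disable.yaml. Suggest `- 10.1`, `- 10.2`, `- 10.5` so the list reads like its siblings. Replacing the `stig` tag with `cis_lvl1`/`cis_lvl2`/`cisv8` is consistent with the rest of the commit.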
@@ -1,8 +1,8 @@ id: os_application_sandboxing title: "Ensure Seperate Execution Domain for Processes" discussion: | - The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing. - + The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing. + link:https://support.apple.com/guide/security/system-integrity-protection-secb7ea06b49/web[] link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html[] @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91758-3 + - CCE-92760-8 800-53r5: - SC-39 800-53r4: @@ -22,7 +22,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent - 800-53r5_low diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml index 5706a7f4..c93a744d 100644 --- a/rules/os/os_asl_log_files_owner_group_configure.yaml +++ b/rules/os/os_asl_log_files_owner_group_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91759-1 + - CCE-92761-6 cci: - CCI-001314 800-53r5: @@ -25,18 +25,17 @@ references: srg: - SRG-OS-000206-GPOS-00084 disa_stig: - - APPL-13-004001 + - N/A 800-171r2: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml index a43b16ab..52236337 100644 --- a/rules/os/os_asl_log_files_permissions_configure.yaml 
+++ b/rules/os/os_asl_log_files_permissions_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-91760-9 + - CCE-92762-4 cci: - CCI-001314 800-53r5: @@ -23,18 +23,17 @@ references: srg: - SRG-OS-000206-GPOS-00084 disa_stig: - - APPL-13-004002 + - N/A 800-171r2: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml index 30ebd9e2..a8b14132 100644 --- a/rules/os/os_auth_peripherals.yaml +++ b/rules/os/os_auth_peripherals.yaml @@ -5,10 +5,10 @@ discussion: | check: | The technology does support this requirement, however, third party solutions are required to implement at an infrastructure level. fix: | - This requirement is a permanent finding and can be fixed by implementing a third party solution. + This requirement is a permanent finding and can be fixed by implementing a third party solution. references: cce: - - CCE-91761-7 + - CCE-92763-2 cci: - N/A 800-53r5: @@ -24,11 +24,13 @@ references: - 3.5.2 cis: benchmark: - - N/A + - N/A controls v8: - 13.9 + cmmc: + - IA.L1-3.5.2 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high @@ -39,5 +41,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cmmc_lvl2 + - cmmc_lvl1 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml index 08c17266..27e96a5c 100644 --- a/rules/os/os_authenticated_root_enable.yaml +++ b/rules/os/os_authenticated_root_enable.yaml 
@@ -1,12 +1,12 @@ id: os_authenticated_root_enable title: "Enable Authenticated Root" discussion: | - Authenticated Root _MUST_ be enabled. - + Authenticated Root _MUST_ be enabled. + When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume. NOTE: Authenticated Root is enabled by default on macOS systems. - + WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input. check: | /usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled' @@ -20,8 +20,8 @@ fix: | NOTE: To re-enable "Authenticated Root", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command. references: cce: - - CCE-91762-5 - cci: + - CCE-92764-0 + cci: - N/A 800-53r5: - AC-3 @@ -55,7 +55,7 @@ references: - CM.L2-3.4.5 - SC.L2-3.13.11 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml index 1b53057c..391a0615 100644 --- a/rules/os/os_blank_bluray_disable.yaml +++ b/rules/os/os_blank_bluray_disable.yaml @@ -10,7 +10,7 @@ discussion: | [IMPORTANT] ==== - Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS @@ -23,7 +23,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91763-3 + - CCE-92765-7 cci: - CCI-000366 800-53r5: 
@@ -33,20 +33,19 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-005051 + - N/A 800-171r2: - 3.8.8 cmmc: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml index 87145f13..baec4c10 100644 --- a/rules/os/os_blank_cd_disable.yaml +++ b/rules/os/os_blank_cd_disable.yaml @@ -10,7 +10,7 @@ discussion: | [IMPORTANT] ==== - Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS @@ -23,7 +23,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91764-1 + - CCE-92766-5 cci: - CCI-000366 800-53r5: @@ -33,20 +33,19 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-005051 + - N/A 800-171r2: - 3.8.8 cmmc: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml index e1a431ce..05ea9009 100644 --- a/rules/os/os_blank_dvd_disable.yaml +++ b/rules/os/os_blank_dvd_disable.yaml 
@@ -10,7 +10,7 @@ discussion: | [IMPORTANT] ==== - Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS @@ -23,7 +23,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91765-8 + - CCE-92767-3 cci: - CCI-000366 800-53r5: @@ -33,20 +33,19 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-005051 + - N/A 800-171r2: - 3.8.8 cmmc: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_bluray_read_only_enforce.yaml b/rules/os/os_bluray_read_only_enforce.yaml index 15d05cee..916ae5a7 100644 --- a/rules/os/os_bluray_read_only_enforce.yaml +++ b/rules/os/os_bluray_read_only_enforce.yaml @@ -10,7 +10,7 @@ discussion: | [IMPORTANT] ==== - Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS 
@@ -23,7 +23,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91766-6 + - CCE-92768-1 cci: - CCI-000366 800-53r5: @@ -33,20 +33,19 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-005051 + - N/A 800-171r2: - 3.8.8 cmmc: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml index 771a02ab..60144c00 100644 --- a/rules/os/os_bonjour_disable.yaml +++ b/rules/os/os_bonjour_disable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91767-4 + - CCE-92769-9 cci: - CCI-000381 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-002005 + - N/A 800-171r2: - 3.4.6 cis: @@ -38,7 +38,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -53,7 +53,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_burn_support_disable.yaml b/rules/os/os_burn_support_disable.yaml index 65e160f7..60e8c89a 100644 --- a/rules/os/os_burn_support_disable.yaml +++ b/rules/os/os_burn_support_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91768-2 + - CCE-92770-7 cci: - CCI-000366 800-53r5: @@ -25,18 +25,17 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-005053 + - N/A cmmc: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml index 869799bc..da2bdd35 100644 
--- a/rules/os/os_calendar_app_disable.yaml +++ b/rules/os/os_calendar_app_disable.yaml @@ -5,7 +5,12 @@ discussion: | [IMPORTANT] ==== - Some organizations allow the use of the built-in Calendar.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + Some organizations allow the use of the built-in Calendar.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Calendar.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== + + [IMPORTANT] + ==== + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS @@ -28,8 +33,8 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91769-0 - cci: + - CCE-92771-5 + cci: - N/A 800-53r5: - AC-20 @@ -57,20 +62,15 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 - - cisv8 + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high severity: "medium" mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - /Applications/Calendar.app 
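Review bot: The tags block of os_calendar_app_disable.yaml drops `800-53r5_low/moderate/high`, `800-53r4_*`, `800-171` and `cisv8` while the references section still maps the rule to those frameworks (`800-53r5: - AC-20` and the `CM.L2-3.4.6`/`CM.L2-3.4.7` entries are visible as context), so the rule leaves those baselines with nothing in the file explaining why. If this is intentional because the `pathBlackList` restriction is deprecated, as the new IMPORTANT block states, a line in the discussion such as `NOTE: This rule is not included in the 800-53 or 800-171 baselines because the underlying application restriction control is deprecated.` would make the baseline change auditable; otherwise the tags should be restored. The same reduction may apply to os_facetime_app_disable.yaml further down, but its tags hunk only shows `cnssi-1253_*` context, so I cannot confirm it from here.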
diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml index 380d3739..04f6cde6 100644 --- a/rules/os/os_camera_disable.yaml +++ b/rules/os/os_camera_disable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91770-8 + - CCE-92772-3 cci: - CCI-000381 - CCI-001774 @@ -25,11 +25,11 @@ references: - SRG-OS-000095-GPOS-00049 - SRG-OS-000370-GPOS-00155 disa_stig: - - APPL-13-002017 + - N/A macOS: - - "13.0" + - "14.0" tags: - - stig + - none severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_cd_read_only_enforce.yaml b/rules/os/os_cd_read_only_enforce.yaml index 2ee54186..c8d70f7d 100644 --- a/rules/os/os_cd_read_only_enforce.yaml +++ b/rules/os/os_cd_read_only_enforce.yaml @@ -10,7 +10,7 @@ discussion: | [IMPORTANT] ==== - Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS @@ -23,7 +23,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91771-6 + - CCE-92773-1 cci: - CCI-000366 800-53r5: @@ -33,20 +33,19 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-005051 + - N/A 800-171r2: - 3.8.8 cmmc: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: 
diff --git a/rules/os/os_certificate_authority_trust.yaml b/rules/os/os_certificate_authority_trust.yaml index 99b41f05..58ee242f 100644 --- a/rules/os/os_certificate_authority_trust.yaml +++ b/rules/os/os_certificate_authority_trust.yaml @@ -10,7 +10,7 @@ fix: | Obtain the approved certificates from the appropriate authority and install them to the System Keychain. references: cce: - - CCE-91772-4 + - CCE-92774-9 cci: - CCI-000185 - CCI-002450 @@ -26,7 +26,7 @@ references: - SC.L2-3.13.10 - APPL-13-003001 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high @@ -37,7 +37,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_change_security_attributes.yaml b/rules/os/os_change_security_attributes.yaml index 5ff8a041..966b50bd 100644 --- a/rules/os/os_change_security_attributes.yaml +++ b/rules/os/os_change_security_attributes.yaml @@ -1,9 +1,9 @@ id: os_change_security_attributes title: "Allow Administrators to Modify Security Settings and System Attributes" discussion: | - The information system _IS_ configured to allow administrators to modify security settings and system attributes. - - The macOS is a UNIX 03-compliant operating system, which allows administrators of the system to change security settings and system attributes, including those which are kept within preference panes that are locked for standard users. . + The information system _IS_ configured to allow administrators to modify security settings and system attributes. + + The macOS is a UNIX 03-compliant operating system, which allows administrators of the system to change security settings and system attributes, including those which are kept within preference panes that are locked for standard users. . link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[] check: | 
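Review bot: In the `@@ -26,7 +26,7 @@` hunk of os_certificate_authority_trust.yaml the Ventura STIG id `APPL-13-003001` survives as a context line directly above `macOS:`, apparently in the same list as `SC.L2-3.13.10` rather than under `disa_stig`, while every other rule in this commit replaces its `APPL-13-*` id with `N/A` and this file's own `stig` tag is removed in the next hunk. It looks like a misplaced and now stale reference; suggest either moving it under `disa_stig:` as `- N/A` like the sibling rules or deleting the line. The enclosing references block starts outside the hunk.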
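Review bot: The rewritten discussion line of os_change_security_attributes.yaml still ends with a stray space and second period, `... locked for standard users. .`. Since the commit already touches this line for trailing whitespace, drop the extra ` .` so it reads `... which are kept within preference panes that are locked for standard users.`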
@@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91773-2 + - CCE-92775-6 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent - cnssi-1253_moderate diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index 08e20fa2..1b8f6d0e 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml @@ -19,7 +19,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91774-0 + - CCE-92776-4 cci: - CCI-000366 800-53r5: @@ -30,7 +30,7 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-002070 + - N/A 800-171r2: - 3.14.1 - 3.14.2 @@ -47,7 +47,7 @@ references: - SI.L1-3.14.2 - SI.L1-3.14.4 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -60,7 +60,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_config_profile_ui_install_disable.yaml b/rules/os/os_config_profile_ui_install_disable.yaml index 3a77985a..eee79dc3 100644 --- a/rules/os/os_config_profile_ui_install_disable.yaml +++ b/rules/os/os_config_profile_ui_install_disable.yaml @@ -13,9 +13,9 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91775-7 + - CCE-92777-2 cci: - - N/A + - N/A 800-53r5: - CM-5 800-171r2: @@ -28,10 +28,10 @@ references: cmmc: - CM.L2-3.4.5 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate + - 800-53r5_low + - 800-53r5_moderate - 800-53r5_high - 800-171 - cnssi-1253_moderate diff --git a/rules/os/os_continuous_monitoring.yaml b/rules/os/os_continuous_monitoring.yaml index 3afd277f..42e158f4 100644 --- a/rules/os/os_continuous_monitoring.yaml +++ b/rules/os/os_continuous_monitoring.yaml 
@@ -8,7 +8,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91776-5 + - CCE-92778-0 cci: - N/A 800-53r5: @@ -20,13 +20,13 @@ references: disa_stig: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - - permanent + - permanent - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_crypto_audit.yaml b/rules/os/os_crypto_audit.yaml index 5a90dffc..65d4abe9 100644 --- a/rules/os/os_crypto_audit.yaml +++ b/rules/os/os_crypto_audit.yaml 
@@ -1,20 +1,20 @@ id: os_crypto_audit title: "Protect Audit Integrity with Cryptographic Mechanisms" discussion: | - The information system _IS_ configured to implement cryptographic mechanisms to protect the integrity of audit information and audit tools. - - The Apple T2 Security Chip includes a dedicated Advanced Encryption Standard (AES) crypto engine built into the direct memory access (DMA) path between the flash storage and main system memory, which powers line-speed encrypted storage with FileVault and makes internal volume highly efficient. - + The information system _IS_ configured to implement cryptographic mechanisms to protect the integrity of audit information and audit tools. + + The Apple T2 Security Chip includes a dedicated Advanced Encryption Standard (AES) crypto engine built into the direct memory access (DMA) path between the flash storage and main system memory, which powers line-speed encrypted storage with FileVault and makes internal volume highly efficient. + link:https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf[] - - NOTE: This will only apply to a Mac that includes a T2 security chip. + + NOTE: This will only apply to a Mac that includes a T2 security chip. check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91777-3 + - CCE-92779-8 cci: - N/A 800-53r5: @@ -26,7 +26,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_high - 800-53r4_high diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index 38a4b9c5..bd13d64d 100644 --- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml 
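Review bot: With `macOS` bumped to `"14.0"`, the discussion of os_crypto_audit.yaml still scopes the inherent justification to the T2 chip only (`NOTE: This will only apply to a Mac that includes a T2 security chip.`) and links only the T2 overview PDF. If Apple silicon Macs are in scope for the Sonoma baseline, the discussion should either state that the control is likewise met by their built-in hardware (presumably a comparable on-chip AES engine, to be confirmed against Apple's platform security documentation) or say explicitly that the rule is not evaluated on Apple silicon; as written, a reader applying the baseline to Apple silicon cannot tell whether the control is met. The hunk only re-trims trailing whitespace, so this is a documentation follow-up rather than a defect introduced here.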
@@ -1,18 +1,18 @@ id: os_directory_services_configured title: "Integrate System into a Directory Services Infrastructure" discussion: | - The macOS system _MUST_ be integrated into a directory services infrastructure. + The macOS system _MUST_ be integrated into a directory services infrastructure. A directory service infrastructure enables centralized user and rights management, as well as centralized control over computer and user configurations. Integrating the macOS systems used throughout an organization into a directory services infrastructure ensures more administrator oversight and security than allowing distinct user account databases to exist on each separate system. check: | /usr/bin/dscl localhost -list . | /usr/bin/grep -qvE '(Contact|Search|Local|^$)'; /bin/echo $? result: - integer: 0 + integer: 0 fix: | Integrate the system into an existing directory services infrastructure. references: cce: - - CCE-91778-1 + - CCE-92780-6 cci: - CCI-000366 800-53r5: @@ -22,17 +22,16 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-000016 + - N/A cis: benchmark: - N/A controls v8: - 6.7 macOS: - - "13.0" + - "14.0" tags: - cisv8 - - stig severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml index 69e1fda3..ec14d08b 100644 --- a/rules/os/os_disk_image_disable.yaml +++ b/rules/os/os_disk_image_disable.yaml 
@@ -10,7 +10,7 @@ discussion: | [IMPORTANT] ==== - Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS @@ -23,7 +23,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91779-9 + - CCE-92781-4 cci: - CCI-000366 800-53r5: @@ -33,20 +33,19 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-005051 + - N/A 800-171r2: - 3.8.8 cmmc: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml index a420f4ff..4037400c 100644 --- a/rules/os/os_dvdram_disable.yaml +++ b/rules/os/os_dvdram_disable.yaml @@ -10,7 +10,7 @@ discussion: | [IMPORTANT] ==== - Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS 
@@ -23,7 +23,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91780-7 + - CCE-92782-2 cci: - CCI-000366 800-53r5: @@ -33,20 +33,19 @@ references: srg: - SRG-OS-000480-GPOS-0022 disa_stig: - - APPL-13-005051 + - N/A 800-171r2: - 3.8.8 cmmc: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_efi_integrity_validated.yaml b/rules/os/os_efi_integrity_validated.yaml deleted file mode 100644 index 6136f9e7..00000000 --- a/rules/os/os_efi_integrity_validated.yaml +++ /dev/null @@ -1,35 +0,0 @@ -id: os_efi_integrity_validated -title: "Ensure Extensible Firmware Interface Version is Valid" -discussion: | - The macOS Extensible Firmware Interface (EFI) _MUST_ be checked to ensure it is a known good version from Apple. -check: | - if /usr/sbin/ioreg -w 0 -c AppleSEPManager | /usr/bin/grep -q AppleSEPManager; then echo "1"; else /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check | /usr/bin/grep -c "No changes detected"; fi -result: - integer: 1 -fix: | - Install a known good version of macOS. -references: - cce: - - CCE-91781-5 - cci: - - N/A - 800-53r5: - - N/A - 800-53r4: - - N/A - 800-171r2: - - N/A - cis: - benchmark: - - 5.9 (level 1) - controls v8: - - 2.2 -macOS: - - "13.0" -tags: - - cis_lvl1 - - cis_lvl2 - - cisv8 - - i386 -mobileconfig: false -mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_enforce_access_restrictions.yaml b/rules/os/os_enforce_access_restrictions.yaml index 3a8ae231..3ba26a56 100644 --- a/rules/os/os_enforce_access_restrictions.yaml +++ b/rules/os/os_enforce_access_restrictions.yaml 
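Review bot: The context line `- SRG-OS-000480-GPOS-0022` in the `@@ -33,20 +33,19 @@` hunk of os_dvdram_disable.yaml is missing its last digit; every sibling media-mount rule in this commit (os_blank_bluray_disable, os_blank_cd_disable, os_blank_dvd_disable, os_cd_read_only_enforce, os_disk_image_disable) lists `SRG-OS-000480-GPOS-00227`. Suggest `- SRG-OS-000480-GPOS-00227`. Since the commit already rewrites the neighbouring `disa_stig` entry in this hunk, this is a cheap fix to fold in.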
@@ -2,8 +2,8 @@ id: os_enforce_access_restrictions title: "Enforce Access Restrictions" discussion: | The information system _IS_ configured to enforce access restrictions and support auditing of the enforcement actions. - - The inherent configuration of a macOS provides users with the ability to set their own permission settings to control who can view and alter files on the computer. + + The inherent configuration of a macOS provides users with the ability to set their own permission settings to control who can view and alter files on the computer. link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[] check: | @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91782-3 + - CCE-92784-8 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_high - 800-53r4_high diff --git a/rules/os/os_erase_content_and_settings_disable.yaml b/rules/os/os_erase_content_and_settings_disable.yaml index 4475c550..de312163 100644 --- a/rules/os/os_erase_content_and_settings_disable.yaml +++ b/rules/os/os_erase_content_and_settings_disable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91783-1 + - CCE-92785-5 cci: - CCI-000381 800-53r5: @@ -25,18 +25,17 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-005061 + - N/A cmmc: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_error_message.yaml b/rules/os/os_error_message.yaml index 4684e9b6..e9fd5965 100644 --- a/rules/os/os_error_message.yaml +++ b/rules/os/os_error_message.yaml 
@@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91784-9 + - CCE-92786-3 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent mobileconfig: false diff --git a/rules/os/os_ess_installed.yaml b/rules/os/os_ess_installed.yaml index 7617fb10..5a0611c2 100644 --- a/rules/os/os_ess_installed.yaml +++ b/rules/os/os_ess_installed.yaml @@ -11,7 +11,7 @@ fix: | Install the approved ESS solution onto the system. references: cce: - - CCE-91785-6 + - CCE-92787-1 cci: - CCI-001233 800-53r5: @@ -21,9 +21,9 @@ references: srg: - SRG-OS-000191-GPOS-00080 disa_stig: - - APPL-13-000015 + - N/A macOS: - - "13.0" + - "14.0" tags: - manual - cisv8 diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml index d7cb0a6f..13addb48 100644 --- a/rules/os/os_facetime_app_disable.yaml +++ b/rules/os/os_facetime_app_disable.yaml 
@@ -1,10 +1,15 @@ id: os_facetime_app_disable title: "Disable FaceTime.app" discussion: | - The macOS built-in FaceTime.app _MUST_ be disabled. + The macOS built-in FaceTime.app _MUST_ be disabled. - The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access. -check: | + The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access. + + [IMPORTANT] + ==== + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. + ==== +check: | /usr/bin/osascript -l JavaScript << EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ @@ -25,8 +30,8 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91786-4 - cci: + - CCE-92788-9 + cci: - N/A 800-53r5: - AC-20 @@ -54,7 +59,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low @@ -64,5 +69,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - /Applications/FaceTime.app diff --git a/rules/os/os_fail_secure_state.yaml b/rules/os/os_fail_secure_state.yaml index f4d6ca9c..81090220 100644 --- a/rules/os/os_fail_secure_state.yaml +++ b/rules/os/os_fail_secure_state.yaml 
@@ -1,11 +1,11 @@ id: os_fail_secure_state title: "Configure System to Fail to a Known Safe State if System Initialization, Shutdown, or Abort Fails" discussion: | - The information system _IS_ configured to fail to a known safe state in the event of a failed system initialization, shutdown, or abort. + The information system _IS_ configured to fail to a known safe state in the event of a failed system initialization, shutdown, or abort. - Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. + Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. - Apple File System (APFS) is the default file system for Mac computers using macOS 10.13 and all later versions. APFS includes native encryption, safe document saves, stable snapshots, and crash protection; these features ensure that the macOS fails to safe state. + Apple File System (APFS) is the default file system for Mac computers using macOS 10.13 and all later versions. APFS includes native encryption, safe document saves, stable snapshots, and crash protection; these features ensure that the macOS fails to safe state. link:https://developer.apple.com/videos/play/wwdc2017/715/[] check: | @@ -14,7 +14,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91787-2 + - CCE-92789-7 cci: - N/A 800-53r5: @@ -26,7 +26,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_high - 800-53r4_high diff --git a/rules/os/os_filevault_authorized_users.yaml b/rules/os/os_filevault_authorized_users.yaml index aae4a2a7..d9bf8eab 100644 --- a/rules/os/os_filevault_authorized_users.yaml +++ b/rules/os/os_filevault_authorized_users.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91788-0 + - CCE-92790-5 cci: - CCI-000366 800-53r5: 
@@ -25,14 +25,13 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-000032 + - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_high - manual - cnssi-1253_high - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml index 17d99cfc..8ccbf107 100644 --- a/rules/os/os_filevault_autologin_disable.yaml +++ b/rules/os/os_filevault_autologin_disable.yaml @@ -3,7 +3,7 @@ title: "Disable FileVault Automatic Login" discussion: | If FileVault is enabled, automatic login _MUST_ be disabled, so that both FileVault and login window authentication are required. - The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing your FileVault credentials. + The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing your FileVault credentials. NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon based macOS systems that are smartcard enforced as smartcards are available at pre-boot. check: | @@ -17,7 +17,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91789-8 + - CCE-92791-3 cci: - CCI-000366 800-53r5: @@ -31,7 +31,7 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-000033 + - N/A 800-171r2: - 3.1.1 - 3.1.2 @@ -44,7 +44,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -59,7 +59,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_firewall_default_deny_require.yaml b/rules/os/os_firewall_default_deny_require.yaml index 2cd25142..8c7571d1 100644 --- a/rules/os/os_firewall_default_deny_require.yaml +++ b/rules/os/os_firewall_default_deny_require.yaml 
@@ -1,13 +1,13 @@ id: os_firewall_default_deny_require title: "Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy" discussion: | - A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems. + A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems. Organizations _MUST_ ensure the built-in packet filter firewall is configured correctly to employ the default deny rule. Failure to restrict network connectivity to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate the exfiltration of data. - If you are using a third-party firewall solution, this setting does not apply. + If you are using a third-party firewall solution, this setting does not apply. [IMPORTANT] ==== @@ -21,7 +21,7 @@ fix: | NOTE: See the firewall supplemental which includes a script that has an example policy to implement this rule. references: cce: - - CCE-91790-6 + - CCE-92792-1 cci: - N/A 800-53r5: @@ -41,7 +41,7 @@ references: - AC.L2-3.1.3 - SC.L2-3.13.6 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml index a0ddcac9..0408a07b 100644 --- a/rules/os/os_firewall_log_enable.yaml +++ b/rules/os/os_firewall_log_enable.yaml 
@@ -1,11 +1,11 @@ id: os_firewall_log_enable title: "Enable Firewall Logging" discussion: | - Firewall logging _MUST_ be enabled. + Firewall logging _MUST_ be enabled. - Firewall logging ensures that malicious network activity will be logged to the system. + Firewall logging ensures that malicious network activity will be logged to the system. - NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder. + NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder. check: | /usr/bin/osascript -l JavaScript << EOS function run() { @@ -26,13 +26,13 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91791-4 - cci: + - CCE-92793-9 + cci: - N/A 800-53r5: - AU-12 - SC-7 - 800-53r4: + 800-53r4: - SC-7 - AU-12 srg: @@ -56,7 +56,7 @@ references: - AU.L2-3.3.6 - SC.L1-3.13.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml index 0af4c037..db593d1f 100644 --- a/rules/os/os_firmware_password_require.yaml +++ b/rules/os/os_firmware_password_require.yaml @@ -24,7 +24,7 @@ fix: | NOTE: See discussion on remediation and how to enable firmware password. references: cce: - - CCE-91792-2 + - CCE-92794-7 cci: - CCI-000366 800-53r5: @@ -34,14 +34,14 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-003013 + - N/A 800-171r2: - 3.1.5 cmmc: - AC.L1-3.1.1 - AC.L2-3.1.5 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high 
@@ -54,7 +54,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml index 984c0dc6..05736d17 100644 --- a/rules/os/os_gatekeeper_enable.yaml +++ b/rules/os/os_gatekeeper_enable.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-91793-0 + - CCE-92795-4 cci: - CCI-001749 800-53r5: @@ -34,12 +34,12 @@ references: srg: - SRG-OS-000366-GPOS-00153 disa_stig: - - APPL-13-002064 + - N/A 800-171r2: - 3.4.5 cis: benchmark: - - 2.6.4 (level 1) + - 2.6.5 (level 1) controls v8: - 10.1 - 10.2 @@ -50,7 +50,7 @@ references: - SI.L1-3.14.2 - SI.L1-3.14.4 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -66,7 +66,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml index 04b84d75..11a6d7a9 100644 --- a/rules/os/os_gatekeeper_rearm.yaml +++ b/rules/os/os_gatekeeper_rearm.yaml @@ -13,12 +13,12 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91794-8 - cci: + - CCE-92796-2 + cci: - N/A 800-53r5: - CM-5 - 800-53r4: + 800-53r4: - CM-5 - SI-3 srg: @@ -38,7 +38,7 @@ references: - SI.L1-3.14.4 - CM.L2-3.4.5 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_grant_privs.yaml b/rules/os/os_grant_privs.yaml index e69881e9..3bc7b904 100644 --- a/rules/os/os_grant_privs.yaml +++ b/rules/os/os_grant_privs.yaml 
@@ -1,8 +1,8 @@ id: os_grant_privs title: "Allow Administrators to Promote Other Users to Administrator Status" discussion: | - The information system _IS_ configured to allow current administrators to promote standard users to administrator user status. - + The information system _IS_ configured to allow current administrators to promote standard users to administrator user status. + The macOS is a UNIX 03-compliant operating system which allows administrators of the system to grant privileges to other users. link:https://support.apple.com/guide/mac-help/set-up-other-users-on-your-mac-mtusr001/mac[] @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91795-5 + - CCE-92797-0 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent - cnssi-1253_moderate diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml index 9265daee..83692f3c 100644 --- a/rules/os/os_guest_folder_removed.yaml +++ b/rules/os/os_guest_folder_removed.yaml @@ -1,6 +1,6 @@ id: os_guest_folder_removed title: "Remove Guest Folder if Present" -discussion: | +discussion: | The guest folder _MUST_ be deleted if present. check: | /bin/ls /Users/ | /usr/bin/grep -c "Guest" @@ -13,8 +13,8 @@ fix: | ---- references: cce: - - CCE-91796-3 - cci: + - CCE-92798-8 + cci: - N/A 800-53r5: - N/A @@ -28,11 +28,11 @@ references: - N/A cis: benchmark: - - 5.10 (level 1) - controls v8: + - 5.9 (level 1) + controls v8: - 4.1 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml index 7edf10b3..432a4f30 100644 --- a/rules/os/os_handoff_disable.yaml +++ b/rules/os/os_handoff_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91797-1 + - CCE-92799-6 cci: - CCI-000381 800-53r5: 
@@ -31,7 +31,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-005058 + - N/A 800-171r2: - 3.1.1 - 3.1.2 @@ -49,7 +49,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -64,7 +64,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml new file mode 100644 index 00000000..aeb824c0 --- /dev/null +++ b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml 
@@ -0,0 +1,66 @@
+id: os_hibernate_mode_apple_silicon_enable
+title: "Enable Hibernate Mode (Apple Silicon)"
+discussion: |
+ Hibernate mode _MUST_ be enabled.
+
+ This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack.
+
+ Apple Silicon MacBooks should set sleep timeout to 10 minutes (600 seconds) or less and the display sleep timeout should be 15 minutes (900 seconds) or less but greater than the sleep setting.
+ This setting ensures that MacBooks will not hibernate and require FileVault authentication wheneve the display goes to sleep for a short period of time.
+
+ NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops.
+check: |
+ error_count=0
+ if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
+ hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}')
+ sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}')
+ displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}')
+
+ if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 10 ]]; then
+ ((error_count++))
+ fi
+ if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 15 ]] || [[ "$displaysleepMode" -lt "$sleepMode" ]]; then
+ ((error_count++))
+ fi
+ if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then
+ ((error_count++))
+ fi
+ fi
+ echo "$error_count"
+result:
+ integer: 0
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/pmset -a sleep 10
+ /usr/bin/pmset -a displaysleep 15
+ /usr/bin/pmset -a hibernatemode 25
+ ----
+references:
+ cce:
+ - CCE-92800-2
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - 2.9.1.2 (level 2)
+ controls v8:
+ - 4.1
+macOS:
+ - "14.0"
+tags:
+ - cis_lvl2
+ - cisv8
+ - arm64
+mobileconfig: false
+mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml index dfc19e8e..dc622409 100644 --- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml +++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml @@ -1,7 +1,7 @@ id: os_hibernate_mode_destroyfvkeyonstandby_enable title: "Enable DestroyFVKeyOnStandby on Hibernate" discussion: | - DestroyFVKeyOnStandby on hibernate _MUST_ be enabled. + DestroyFVKeyOnStandby on hibernate _MUST_ be enabled. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\ @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91798-9 + - CCE-92801-0 cci: - N/A 800-53r5: @@ -28,11 +28,11 @@ references: - N/A cis: benchmark: - - 2.9.3 (level 2) - controls v8: + - 2.9.1.3 (level 2) + controls v8: - 4.1 macOS: - - "13.0" + - "14.0" tags: - cis_lvl2 - cisv8 diff --git a/rules/os/os_hibernate_mode_enable.yaml b/rules/os/os_hibernate_mode_enable.yaml deleted file mode 100644 index dfef4553..00000000 --- a/rules/os/os_hibernate_mode_enable.yaml +++ /dev/null 
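Review bot: The check and the discussion of os_hibernate_mode_apple_silicon_enable disagree on the display-sleep boundary: the discussion requires the display sleep timeout to be "greater than the sleep setting", but the third condition only fails on `[[ "$displaysleepMode" -lt "$sleepMode" ]]`, so an equal value passes; either change it to `-le` or reword the discussion to "greater than or equal to". The same discussion has a typo and an unclear sentence, `wheneve the display goes to sleep` should read `whenever the display goes to sleep`, and the sentence would be clearer as "This prevents the MacBook from hibernating, and therefore requiring FileVault authentication, every time the display sleeps briefly." In the hibernatemode test, `[[ "$hibernateMode" == "" ]]` is redundant because an empty value already fails `!= 25`. Since the cold-boot rationale in the discussion presumably also depends on the FileVault key being evicted from memory, a cross-reference to os_hibernate_mode_destroyfvkeyonstandby_enable would help readers apply the two rules together.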
@@ -1,75 +0,0 @@ -id: os_hibernate_mode_enable -title: "Enable Hibernate Mode" -discussion: | - Hibernate mode _MUST_ be enabled. - - NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops. -check: | - error_count=0 - if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then - hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}') - if [[ "$(/usr/sbin/sysctl -n machdep.cpu.brand_string)" =~ "Intel" ]]; then - hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}') - hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}') - hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}') - - if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 600 ]]; then - ((error_count++)) - fi - if [[ "$hibernateStandbyHighValue" == "" ]] || [[ "$hibernateStandbyHighValue" -gt 600 ]]; then - ((error_count++)) - fi - if [[ "$hibernateStandbyThreshValue" == "" ]] || [[ "$hibernateStandbyThreshValue" -lt 90 ]]; then - ((error_count++)) - fi - else - if [[ "$(/usr/bin/pmset -g | /usr/bin/grep standbydelay 2>&1 | /usr/bin/awk '{print $2}')" -gt 900 ]]; then - ((error_count++)) - fi - fi - if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then - ((error_count++)) - fi - fi - echo "$error_count" -result: - integer: 0 -fix: | - [source,bash] - ---- - /usr/bin/pmset -a hibernatemode 25 - if [[ "$(/usr/sbin/sysctl -n machdep.cpu.brand_string)" =~ "Intel" ]]; then - /usr/bin/pmset -a standbydelayhigh 600 - /usr/bin/pmset -a standbydelaylow 600 - /usr/bin/pmset -a highstandbythreshold 90 - else - /usr/bin/pmset -a standbydelay 900 - fi - ---- -references: - cce: - - CCE-91799-7 - cci: - - N/A - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - N/A - disa_stig: - - N/A - 800-171r2: - - N/A - 
cis: - benchmark: - - 2.9.3 (level 2) - controls v8: - - 4.1 -macOS: - - "13.0" -tags: - - cis_lvl2 - - cisv8 -mobileconfig: false -mobileconfig_info: diff --git a/rules/os/os_hibernate_mode_intel_enable.yaml b/rules/os/os_hibernate_mode_intel_enable.yaml new file mode 100644 index 00000000..cb2414eb --- /dev/null +++ b/rules/os/os_hibernate_mode_intel_enable.yaml 
@@ -0,0 +1,67 @@
+id: os_hibernate_mode_intel_enable
+title: "Enable Hibernate Mode (Intel)"
+discussion: |
+ Hibernate mode _MUST_ be enabled.
+
+ This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack.
+
+check: |
+ error_count=0
+ if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
+ hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}')
+ hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}')
+ hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}')
+ hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}')
+
+ if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 900 ]]; then
+ ((error_count++))
+ fi
+ if [[ "$hibernateStandbyHighValue" == "" ]] || [[ "$hibernateStandbyHighValue" -gt 900 ]]; then
+ ((error_count++))
+ fi
+ if [[ "$hibernateStandbyThreshValue" == "" ]] || [[ "$hibernateStandbyThreshValue" -lt 90 ]]; then
+ ((error_count++))
+ fi
+ if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then
+ ((error_count++))
+ fi
+ fi
+ echo "$error_count"
+result:
+ integer: 0
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/pmset -a standbydelaylow 900
+ /usr/bin/pmset -a standbydelayhigh 900
+ /usr/bin/pmset -a highstandbythreshold 90
+ /usr/bin/pmset -a hibernatemode 25
+ ----
+references:
+ cce:
+ - CCE-92802-8
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - 2.9.1.1 (level 2)
+ controls v8:
+ - 4.1
+macOS:
+ - "14.0"
+tags:
+ - cis_lvl2
+ - cisv8
+ - i386
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
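Review bot: The discussion of os_hibernate_mode_intel_enable never states the standby thresholds the check enforces, even though the standbydelaylow/standbydelayhigh limit rose from 600 in the deleted os_hibernate_mode_enable to 900 here and the fix now writes 900; add a sentence parallel to the Apple Silicon rule, e.g. `Intel MacBooks should set standbydelaylow and standbydelayhigh to 15 minutes (900 seconds) or less and highstandbythreshold to 90 or greater.` The deleted rule gated the Intel branch on `machdep.cpu.brand_string`, whereas this check only tests for "MacBook", so it presumably relies on the `i386` tag to keep it off Apple Silicon hosts; if this rule is ever evaluated there and the standbydelay keys are absent, the empty-string tests would report three failures, which is worth confirming. The discussion block also ends with a stray blank `+` line before `check:`, and `[[ "$hibernateMode" == "" ]]` is redundant next to `!= 25`, as in the sibling rule.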
diff --git a/rules/os/os_home_folders_default.yaml b/rules/os/os_home_folders_default.yaml index 9bd36df6..705a3b62 100644 --- a/rules/os/os_home_folders_default.yaml +++ b/rules/os/os_home_folders_default.yaml @@ -2,27 +2,27 @@ id: os_home_folders_default title: "Configure User's Home Folders to Apple's Default" discussion: | The system _MUST_ be configured to prevent access to other user's home folders. - + Configuring the operating system to use the most restrictive permissions possible for user home directories helps to protect against inadvertent disclosures. check: |- Verify the macOS system is configured so that permissions are set correctly on user home directories with the following commands: /bin/ls -le /Users - + This command will return a listing of the permissions of the root of every user account configured on the system. For each of the users, the permissions must be "drwxr-xr-x+", with the user listed as the owner and the group listed as \"staff\". The plus(+) sign indicates an associated Access Control List, which must be: 0: group:everyone deny delete - + For every authorized user account, also run the following command: - /usr/bin/sudo /bin/ls -le /Users/userid, where userid is an existing user. - + /usr/bin/sudo /bin/ls -le /Users/userid, where userid is an existing user. + This command will return the permissions of all the objects under the users' home directory. The permissions for each of the subdirectories must be: - drwx------+ + drwx------+ 0: group:everyone deny delete The exception is the \"Public\" directory, whose permissions must match the following: - drwxr-xr-x+ + drwxr-xr-x+ 0: group:everyone deny delete - + If the permissions returned by either of these checks differ from what is shown, this is a finding. result: "" fix: |- 
@@ -33,7 +33,7 @@ fix: |- NOTE: Using the `/usr/sbin/diskutil resetUserPermissions` command will only reset the permissions on the default folder set. Other folders in the home directory will not be affected. references: cce: - - CCE-92007-4 + - CCE-92803-6 cci: - CCI-000366 800-53r5: @@ -43,7 +43,7 @@ references: srg: - SRG-OS-000480-GPOS-00228 disa_stig: - - APPL-13-002068 + - N/A 800-171r2: - N/A cis: @@ -52,10 +52,9 @@ references: controls v8: - N/A macOS: - - "13.0" + - "14.0" tags: - manual - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml index 95ec564a..a0f5fbdf 100644 --- a/rules/os/os_home_folders_secure.yaml +++ b/rules/os/os_home_folders_secure.yaml @@ -2,7 +2,7 @@ id: os_home_folders_secure title: "Secure User's Home Folders" discussion: | The system _MUST_ be configured to prevent access to other user's home folders. - + The default behavior of macOS is to allow all valid users access to the the top level of every other user's home folder while restricting access only to the Apple default folders within. check: | /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d ! \( -perm 700 -o -perm 711 \) | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" | /usr/bin/wc -l | /usr/bin/xargs @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-91800-3 + - CCE-92804-4 cci: - N/A 800-53r5: @@ -41,7 +41,7 @@ references: - AC.L1-3.1.1 - AC.L2-3.1.5 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml index 26de9b59..f7e0b3ec 100644 --- a/rules/os/os_httpd_disable.yaml +++ b/rules/os/os_httpd_disable.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91801-1 + - CCE-92805-1 cci: - CCI-000381 800-53r5: 
@@ -26,7 +26,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-002008 + - N/A 800-171r2: - 3.1.1 - 3.1.2 @@ -39,7 +39,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -56,7 +56,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml index 6ebb2663..26aac781 100644 --- a/rules/os/os_icloud_storage_prompt_disable.yaml +++ b/rules/os/os_icloud_storage_prompt_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91802-9 + - CCE-92806-9 cci: - CCI-000381 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-002037 + - N/A 800-171r2: - 3.1.20 cis: @@ -37,7 +37,7 @@ references: cmmc: - AC.L1-3.1.20 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -52,7 +52,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_identify_non-org_users.yaml b/rules/os/os_identify_non-org_users.yaml index 4dbb2b25..b9ac41e4 100644 --- a/rules/os/os_identify_non-org_users.yaml +++ b/rules/os/os_identify_non-org_users.yaml @@ -8,7 +8,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - CCE-91803-7 + - CCE-92807-7 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml index 61b3938b..9d3c135c 100644 --- a/rules/os/os_implement_cryptography.yaml +++ b/rules/os/os_implement_cryptography.yaml 
@@ -1,14 +1,14 @@ id: os_implement_cryptography title: "Configure the System to Implement Approved Cryptography to Protect Information" discussion: | - The information system _IS_ configured to implement approved cryptography to protect information. + The information system _IS_ configured to implement approved cryptography to protect information. - Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government. + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government. - Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Ventura will be submitted for FIPS validation. + Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Sonoma will be submitted for FIPS validation. link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[] - + link:https://support.apple.com/en-us/HT201159[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement using FIPS Validated Cryptographic Modules. @@ -16,7 +16,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91804-5 + - CCE-92808-5 cci: - N/A 800-53r5: @@ -33,7 +33,7 @@ references: - MP.L2-3.8.6 - SC.L2-3.13.11 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate 
diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml index c4893dc3..99a1207e 100644 --- a/rules/os/os_implement_memory_protection.yaml +++ b/rules/os/os_implement_memory_protection.yaml 
@@ -3,23 +3,23 @@ title: "Configure the System to Protect Memory from Unauthorized Code Execution" discussion: | The information system _IS_ configured to implement non-executable data to protect memory from code execution. - Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited (e.g., buffer overflow attacks). Security safeguards (e.g., data execution prevention and address space layout randomization) can be employed to protect non-executable regions of memory. Data execution prevention safeguards can either be hardware-enforced or software-enforced; hardware-enforced methods provide the greater strength of mechanism. + Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited (e.g., buffer overflow attacks). Security safeguards (e.g., data execution prevention and address space layout randomization) can be employed to protect non-executable regions of memory. Data execution prevention safeguards can either be hardware-enforced or software-enforced; hardware-enforced methods provide the greater strength of mechanism. macOS supports address space layout randomization (ASLR), position-independent executable (PIE), Stack Canaries, and NX stack and heap protection. link:https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/64bitPorting/transition/transition.html[] - + link:https://developer.apple.com/library/archive/qa/qa1788/_index.html[] link:https://www.apple.com/macos/security/[] - + check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91805-2 + - CCE-92809-3 cci: - N/A 800-53r5: 
@@ -31,7 +31,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_information_validation.yaml b/rules/os/os_information_validation.yaml index 290923f9..38eab6c6 100644 --- a/rules/os/os_information_validation.yaml +++ b/rules/os/os_information_validation.yaml 
@@ -2,7 +2,7 @@ id: os_information_validation title: "Information Input Validation" discussion: | Check the validity of the following information inputs: organization-defined information inputs to the systems. - + Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of "387," "abc," or "%K%" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks. check: | This requirement is NA for this technology. @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - CCE-91806-0 + - CCE-92810-1 cci: - N/A 800-53r5: 
@@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_install_log_retention_configure.yaml b/rules/os/os_install_log_retention_configure.yaml index 034ec389..8946b804 100644 --- a/rules/os/os_install_log_retention_configure.yaml +++ b/rules/os/os_install_log_retention_configure.yaml @@ -1,7 +1,7 @@ id: os_install_log_retention_configure title: "Configure Install.log Retention to $ODV" discussion: | - The install.log _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility. + The install.log _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility. check: | /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= $ODV) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (ttl != "True") { print "TTL not configured" } else if (max == "True") { print "Max Size is configured, must be removed" } else { print "Yes" }}' result: @@ -10,12 +10,12 @@ fix: | [source,bash] ---- /usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=$ODV/g" /etc/asl/com.apple.install - ---- + ---- NOTE: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed. references: cce: - - CCE-91807-8 + - CCE-92811-9 cci: - N/A 800-53r5: 
@@ -39,7 +39,7 @@ references: cmmc: - AU.L2-3.3.1 macOS: - - "13.0" + - "14.0" odv: hint: "Number of days." recommended: 365
diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml
index 0b8b497c..1bec9ec0 100644
--- a/rules/os/os_ir_support_disable.yaml
+++ b/rules/os/os_ir_support_disable.yaml
@@ -1,10 +1,10 @@ id: os_ir_support_disable title: "Disable Infrared (IR) support" discussion: | - Infrared (IR) support _MUST_ be disabled to prevent users from controlling the system with IR devices. - - By default, if IR is enabled, the system will accept IR control from any remote device. - + Infrared (IR) support _MUST_ be disabled to prevent users from controlling the system with IR devices. + + By default, if IR is enabled, the system will accept IR control from any remote device. + NOTE: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1. check: | /usr/bin/osascript -l JavaScript << EOS
@@ -17,21 +17,21 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91808-6 - cci: + - CCE-92812-7 + cci: - N/A 800-53r5: - AC-18 - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) - AC-18 srg: - N/A disa_stig: - - AOSX-13-000075 + - N/A 800-171r2: - 3.1.16 - 3.4.6
@@ -47,7 +47,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate
diff --git a/rules/os/os_isolate_security_functions.yaml b/rules/os/os_isolate_security_functions.yaml
index 386ecfb5..804837eb 100644
--- a/rules/os/os_isolate_security_functions.yaml
+++ b/rules/os/os_isolate_security_functions.yaml
@@ -1,8 +1,8 @@ id: os_isolate_security_functions title: "Configure the System to Separate User and System Functionality" discussion: | - The information system _IS_ configured to isolate security functions from non-security functions. - + The information system _IS_ configured to isolate security functions from non-security functions. + link:https://support.apple.com/guide/security/welcome/web[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
@@ -10,7 +10,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91809-4 + - CCE-92813-5 cci: - N/A 800-53r5:
@@ -24,7 +24,7 @@ references: cmmc: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_high - 800-53r4_high
diff --git a/rules/os/os_library_validation_enabled.yaml b/rules/os/os_library_validation_enabled.yaml
index b53059d9..cefbf83d 100644
--- a/rules/os/os_library_validation_enabled.yaml
+++ b/rules/os/os_library_validation_enabled.yaml
@@ -1,6 +1,6 @@ id: os_library_validation_enabled title: "Enable Library Validation" -discussion: +discussion: Library validation _MUST_ be enabled. check: | /usr/bin/osascript -l JavaScript << EOS
@@ -13,8 +13,8 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91810-2 - cci: + - CCE-92814-3 + cci: - N/A 800-53r5: - N/A
@@ -33,7 +33,7 @@ references: - 2.3 - 2.6 macOS: - - "13.0" + - "14.0" tags: - cisv8 mobileconfig: true
diff --git a/rules/os/os_limit_auditable_events.yaml b/rules/os/os_limit_auditable_events.yaml
index 67b165c4..8a6d4e3b 100644
--- a/rules/os/os_limit_auditable_events.yaml
+++ b/rules/os/os_limit_auditable_events.yaml
@@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91811-0 + - CCE-92815-0 cci: - N/A 800-53r5:
@@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent mobileconfig: false diff --git a/rules/os/os_limit_dos_attacks.yaml b/rules/os/os_limit_dos_attacks.yaml index 4be54640..b8b10799 100644 --- a/rules/os/os_limit_dos_attacks.yaml +++ b/rules/os/os_limit_dos_attacks.yaml @@ -1,9 +1,9 @@ id: os_limit_dos_attacks title: "Limit Impact of Denial of Service Attacks" discussion: | - The macOS should be configured to limit the impact of Denial of Service (DoS) attacks. + The macOS should be configured to limit the impact of Denial of Service (DoS) attacks. - DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. + DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. To limit the impact of DoS attacks, organizations may choose to employ increased capacity and service redundancy, which has the potential to reduce systems' susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement. check: | @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91812-8 + - CCE-92816-8 cci: - N/A 800-53r5: 
@@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - permanent - cnssi-1253_moderate
diff --git a/rules/os/os_limit_gui_sessions.yaml b/rules/os/os_limit_gui_sessions.yaml
index fa60c38b..7e83e52e 100644
--- a/rules/os/os_limit_gui_sessions.yaml
+++ b/rules/os/os_limit_gui_sessions.yaml
@@ -1,7 +1,7 @@ id: os_limit_gui_sessions title: "Limit Concurrent GUI Sessions to 10 for all Accounts" discussion: | - The information system _IS_ configured to limit the number of concurrent graphical user interface (GUI) sessions to a maximum of ten for all users. + The information system _IS_ configured to limit the number of concurrent graphical user interface (GUI) sessions to a maximum of ten for all users. Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user helps reduce the risks related to Denial-of-Service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. check: |
@@ -10,7 +10,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91813-6 + - CCE-92817-6 cci: - N/A 800-53r5:
@@ -22,7 +22,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_high - 800-53r4_high
diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml
index 20d951a1..c1d491e0 100644
--- a/rules/os/os_logical_access.yaml
+++ b/rules/os/os_logical_access.yaml
@@ -1,9 +1,9 @@ id: os_logical_access title: "Enforce Approved Authorization for Logical Access" discussion: | - The information system _IS_ configured to enforce an approved authorization process before granting users logical access. + The information system _IS_ configured to enforce an approved authorization process before granting users logical access. - The inherent configuration of the macOS does not grant users logical access without authorization. Authorization is achieved on the macOS through permissions, which are controlled at many levels, from the Mach and BSD components of the kernel, through higher levels of the operating system and, for networked applications, through the networking protocols. Permissions can be granted at the level of directories, subdirectories, files or applications, or specific data within files or functions within applications. + The inherent configuration of the macOS does not grant users logical access without authorization. Authorization is achieved on the macOS through permissions, which are controlled at many levels, from the Mach and BSD components of the kernel, through higher levels of the operating system and, for networked applications, through the networking protocols. Permissions can be granted at the level of directories, subdirectories, files or applications, or specific data within files or functions within applications. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] check: |
@@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91814-4 + - CCE-92818-4 cci: - N/A 800-53r5:
@@ -35,7 +35,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate
diff --git a/rules/os/os_logoff_capability_and_message.yaml b/rules/os/os_logoff_capability_and_message.yaml
index a8f1fefc..ef800d41 100644
--- a/rules/os/os_logoff_capability_and_message.yaml
+++ b/rules/os/os_logoff_capability_and_message.yaml
@@ -10,7 +10,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91815-1 + - CCE-92819-2 cci: - N/A 800-53r5:
@@ -23,7 +23,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent - cnssi-1253_moderate
diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml
index 0310bba5..c95c15e3 100644
--- a/rules/os/os_mail_app_disable.yaml
+++ b/rules/os/os_mail_app_disable.yaml
@@ -1,15 +1,20 @@ id: os_mail_app_disable title: "Disable Mail App" discussion: | - The macOS built-in Mail.app _MUST_ be disabled. + The macOS built-in Mail.app _MUST_ be disabled. The Mail.app contains functionality that can establish connections to Apple's iCloud, even when security controls to disable iCloud access have been put in place. - + [IMPORTANT] ==== Some organizations allow the use of the built-in Mail.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== -check: | + + [IMPORTANT] + ==== + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. + ==== +check: | /usr/bin/osascript -l JavaScript << EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
@@ -30,8 +35,8 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91816-9 - cci: + - CCE-92820-0 + cci: - N/A 800-53r5: - AC-20
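Review bot: The IMPORTANT block added to the os_mail_app_disable discussion says the application restriction controls are deprecated and may not work as expected, yet the `check` that follows still reads the `com.apple.applicationaccess.new` preference and the `fix` is still the configuration profile, so a system with the profile installed but the restriction not enforced will report compliant. The rule should state which of the two it asserts: keeping the pathBlackList check is fine if the discussion says so explicitly, for example by adding to the new note `The check below confirms only that the restriction is configured; it does not verify that Mail.app is actually prevented from launching.`, otherwise the check needs to observe the effect rather than the setting. The same block, with the same mismatch against its check, is added in rules/os/os_messages_app_disable.yaml. The `check` and `fix` bodies continue outside this hunk.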
@@ -59,7 +64,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low
@@ -69,5 +74,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - /Applications/Mail.app
diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml
index c6834843..e54584b0 100644
--- a/rules/os/os_malicious_code_prevention.yaml
+++ b/rules/os/os_malicious_code_prevention.yaml
@@ -2,31 +2,31 @@ id: os_malicious_code_prevention title: "Ensure the System Implements Malicious Code Protection Mechanisms" discussion: | The inherent configuration of the macOS _IS_ in compliance as Apple has designed the system with three layers of protection against malware. Each layer of protection is comprised of one or more malicious code protection mechanisms, which are automatically implemented and which, collectively, meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for malicious code prevention. - - 1. This first layer of defense targets the distribution of malware; the aim is to prevent malware from ever launching. - The following mechanisms are inherent to the macOS design and constitute the first layer of protection against malicious code: - * The Apple App Store: the safest way to add new applications to a Mac is by downloading them from the App Store; all apps available for download from the App Store have been reviewed for signs of tampering and signed by Apple to indicate that the app meets security requirements and does not contain malware. - * XProtect: a built-in, signature-based, anti-virus, anti-malware technology inherent to all Macs. XProtect automatically detects and blocks the execution of known malware. + + 1. This first layer of defense targets the distribution of malware; the aim is to prevent malware from ever launching. + The following mechanisms are inherent to the macOS design and constitute the first layer of protection against malicious code: + * The Apple App Store: the safest way to add new applications to a Mac is by downloading them from the App Store; all apps available for download from the App Store have been reviewed for signs of tampering and signed by Apple to indicate that the app meets security requirements and does not contain malware. + * XProtect: a built-in, signature-based, anti-virus, anti-malware technology inherent to all Macs. 
XProtect automatically detects and blocks the execution of known malware. * In macOS 10.15 and all subsequent releases, XProtect checks for known malicious content when: * an app is first launched, * an app has been changed (in the file system), and * XProtect signatures are updated. * YARA: another built-in tool (inherent to all Macs), which conducts signature-based detection of malware. Apple updates YARA rules regularly. * Gatekeeper: a security feature inherent to all Macs; Gatekeeper scans apps to detect malware and/or revocations of a developer's signing certificate and prevents unsafe apps from running. - * Notarization: Apple performs regular, automated scans to detect signs of malicious content and to verify developer ID-signed software; when no issues are found, Apple notarizes the software and delivers the results of scans to the system owner. + * Notarization: Apple performs regular, automated scans to detect signs of malicious content and to verify developer ID-signed software; when no issues are found, Apple notarizes the software and delivers the results of scans to the system owner. - 2. The second layer of defense targets malware that manages to appear on a Mac before it runs; the aim is to quickly identify and block any malware present on a Mac in order to prevent the malware from running and further spreading. - The following mechanisms are inherent to the macOS design and constitute the second layer of protection against malicious code: + 2. The second layer of defense targets malware that manages to appear on a Mac before it runs; the aim is to quickly identify and block any malware present on a Mac in order to prevent the malware from running and further spreading. + The following mechanisms are inherent to the macOS design and constitute the second layer of protection against malicious code: * XProtect (defined above). * Gatekeeper (defined above). * Notarization (defined above). - 3. 
The third layer of defense targets infected Mac system(s); the aim is to remediate Macs on which malware has managed to successfully execute. - The following mechanism is inherent to the macOS design and constitutes the third layer of protection against malicious code: + 3. The third layer of defense targets infected Mac system(s); the aim is to remediate Macs on which malware has managed to successfully execute. + The following mechanism is inherent to the macOS design and constitutes the third layer of protection against malicious code: * Apple's XProtect: a technology included on all macOS systems. XProtect will remediate infections upon receiving updated information delivered and when infections are detected link:https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1[] - + link:https://support.apple.com/guide/security/app-security-overview-sec35dd877d0/web[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. @@ -34,7 +34,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91817-7 + - CCE-92821-8 cci: - N/A 800-53r5: @@ -57,7 +57,7 @@ references: - SI.L1-3.14.2 - SI.L1-3.14.4 macOS: - - "13.0" + - "14.0" tags: - inherent - 800-53r5_low diff --git a/rules/os/os_managed_access_control_points.yaml b/rules/os/os_managed_access_control_points.yaml index f460790f..55c81734 100644 --- a/rules/os/os_managed_access_control_points.yaml +++ b/rules/os/os_managed_access_control_points.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - CCE-91818-5 + - CCE-92822-6 cci: - N/A 800-53r5: @@ -26,7 +26,7 @@ references: cmmc: - AC.L2-3.1.14 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_map_pki_identity.yaml b/rules/os/os_map_pki_identity.yaml index d20c450f..6b6475e6 100644 
--- a/rules/os/os_map_pki_identity.yaml
+++ b/rules/os/os_map_pki_identity.yaml
@@ -8,7 +8,7 @@ fix: | For directory bound systems, the technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91819-3 + - CCE-92823-4 cci: - N/A 800-53r5:
@@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent mobileconfig: false
diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml
index 45260dcf..81d5391c 100644
--- a/rules/os/os_mdm_require.yaml
+++ b/rules/os/os_mdm_require.yaml
@@ -2,9 +2,9 @@ id: os_mdm_require title: "Enforce Enrollment in Mobile Device Management" discussion: | You _MUST_ enroll your Mac in a Mobile Device Management (MDM) software. - + User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager (ASM) is required to manage certain security settings. Currently these include: - + * Allowed Kernel Extensions * Allowed Approved System Extensions * Privacy Preferences Policy Control Payload
@@ -12,7 +12,7 @@ discussion: | * FDEFileVault In macOS 11, UAMDM grants Supervised status on a Mac, unlocking the following MDM features, which were previously locked behind ABM: - + * Activation Lock Bypass * Access to Bootstrap Tokens * Scheduling Software Updates
@@ -26,7 +26,7 @@ fix: | Ensure that system is enrolled via UAMDM. references: cce: - - CCE-91820-1 + - CCE-92824-2 cci: - N/A 800-53r5:
@@ -38,20 +38,20 @@ references: disa_stig: - N/A srg: - - N/A + - N/A 800-171r2: - 3.4.1 - 3.4.2 cis: benchmark: - - N/A + - 1.8 (level 1) controls v8: - 4.1 - 5.1 cmmc: - CM.L2-3.4.2 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate
@@ -60,6 +60,8 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 + - cis_lvl1 + - cis_lvl2 - cisv8 - cnssi-1253_moderate - cnssi-1253_low
diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml
index def7ebb8..ea360c73 100644
--- a/rules/os/os_messages_app_disable.yaml
+++ b/rules/os/os_messages_app_disable.yaml
@@ -1,9 +1,14 @@ id: os_messages_app_disable title: "Disable Messages App" discussion: | - The macOS built-in Messages.app _MUST_ be disabled. + The macOS built-in Messages.app _MUST_ be disabled. - The Messages.app establishes a connection to Apple's iCloud service, even when security controls to disable iCloud access have been put in place. + The Messages.app establishes a connection to Apple's iCloud service, even when security controls to disable iCloud access have been put in place. + + [IMPORTANT] + ==== + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. + ==== check: | /usr/bin/osascript -l JavaScript << EOS function run() {
@@ -25,8 +30,8 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91821-9 - cci: + - CCE-92825-9 + cci: - N/A 800-53r5: - AC-20
@@ -54,7 +59,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low
@@ -64,5 +69,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - /Applications/Messages.app
diff --git a/rules/os/os_mfa_network_access.yaml b/rules/os/os_mfa_network_access.yaml
index 3389680d..0f1c8e32 100644
--- a/rules/os/os_mfa_network_access.yaml
+++ b/rules/os/os_mfa_network_access.yaml
@@ -9,7 +9,7 @@ fix: | For directory bound systems, the technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91822-7 + - CCE-92826-7 cci: - N/A 800-53r5:
@@ -26,7 +26,7 @@ references: controls v8: - 5.6 macOS: - - "13.0" + - "14.0" tags: - inherent - cisv8
diff --git a/rules/os/os_mfa_network_non-priv.yaml b/rules/os/os_mfa_network_non-priv.yaml
index 25506923..136d72e1 100644
--- a/rules/os/os_mfa_network_non-priv.yaml
+++ b/rules/os/os_mfa_network_non-priv.yaml
@@ -9,7 +9,7 @@ fix: | For directory bound systems, the technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91823-5 + - CCE-92827-5 cci: - N/A 800-53r5:
@@ -21,7 +21,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent mobileconfig: false
diff --git a/rules/os/os_mobile_file_integrity_enable.yaml b/rules/os/os_mobile_file_integrity_enable.yaml
index fa096c5a..b0f8a483 100644
--- a/rules/os/os_mobile_file_integrity_enable.yaml
+++ b/rules/os/os_mobile_file_integrity_enable.yaml
@@ -1,6 +1,6 @@ id: os_mobile_file_integrity_enable title: "Enable Apple Mobile File Integrity" -discussion: +discussion: Mobile file integrity _MUST_ be ebabled. check: | /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1"
@@ -13,8 +13,8 @@ fix: | ---- references: cce: - - CCE-91824-3 - cci: + - CCE-92828-3 + cci: - N/A 800-53r5: - N/A
@@ -33,7 +33,7 @@ references: - 2.3 - 2.6 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2
diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml
index fab972fc..69208967 100644
--- a/rules/os/os_newsyslog_files_owner_group_configure.yaml
+++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml
@@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91825-0 + - CCE-92829-1 cci: - CCI-001314 800-53r5:
@@ -25,18 +25,17 @@ references: srg: - SRG-OS-000206-GPOS-00084 disa_stig: - - APPL-13-004001 + - N/A 800-171r2: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - - stig severity: "medium" mobileconfig: false mobileconfig_info:
\ No newline at end of file
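Review bot: The os_mobile_file_integrity_enable hunk retypes the `discussion:` key to drop its trailing space but leaves the typo on the very next line, `Mobile file integrity _MUST_ be ebabled.`, which should read `enabled`. On the unchanged `check` line in the same hunk, `grep -c "amfi_get_out_of_my_way=1"` is a literal match on one spelling of the value, so if the intended compliant state is that the boot argument is absent altogether (the `result` is outside this hunk, so I am inferring), matching on the key alone, `grep -c "amfi_get_out_of_my_way="`, would be the tighter test and would not be fooled by a differently written value.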
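Review bot: `severity: "medium"` survives the hunk that drops the `stig` tag and sets `disa_stig` to `N/A` in rules/os/os_newsyslog_files_owner_group_configure.yaml, and the same leftover appears in the following hunks for rules/os/os_newsyslog_files_permissions_configure.yaml and rules/os/os_nfsd_disable.yaml. If `severity` is only consumed for STIG output it is now orphaned and should go with the tag; if other baselines read it, a short comment such as `# severity retained for non-STIG baselines` next to it would keep the next cleanup from removing it. I cannot tell from the hunk which case applies.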
diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml
index 3f3f954b..0c98b6b2 100644
--- a/rules/os/os_newsyslog_files_permissions_configure.yaml
+++ b/rules/os/os_newsyslog_files_permissions_configure.yaml
@@ -14,7 +14,7 @@ fix: | ---- references: cce: - - CCE-91826-8 + - CCE-92830-9 cci: - CCI-001314 800-53r5:
@@ -24,18 +24,17 @@ references: srg: - SRG-OS-000206-GPOS-00084 disa_stig: - - APPL-13-004002 + - N/A 800-171r2: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - - stig severity: "medium" mobileconfig: false mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml
index ec7c29e3..90300572 100644
--- a/rules/os/os_nfsd_disable.yaml
+++ b/rules/os/os_nfsd_disable.yaml
@@ -14,7 +14,7 @@ fix: | The system may need to be restarted for the update to take effect. references: cce: - - CCE-91827-6 + - CCE-92831-7 cci: - CCI-000381 800-53r5:
@@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-002003 + - N/A 800-171r2: - 3.1.1 - 3.1.2
@@ -38,7 +38,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate
@@ -55,7 +55,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: false mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_non_repudiation.yaml b/rules/os/os_non_repudiation.yaml
index ff1fb886..c8c5d9d9 100644
--- a/rules/os/os_non_repudiation.yaml
+++ b/rules/os/os_non_repudiation.yaml
@@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - CCE-91828-4 + - CCE-92832-5 cci: - N/A 800-53r5:
@@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_high - n_a
diff --git a/rules/os/os_nonlocal_maintenance.yaml b/rules/os/os_nonlocal_maintenance.yaml
index 2b810773..388952a1 100644
--- a/rules/os/os_nonlocal_maintenance.yaml
+++ b/rules/os/os_nonlocal_maintenance.yaml
@@ -1,14 +1,14 @@ id: os_nonlocal_maintenance title: "Configure the System for Nonlocal Maintenance" discussion: | - Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network or an internal network. + Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network or an internal network. check: | This requirement is NA for this technology. fix: | The requirement is NA. No fix is required. references: cce: - - CCE-91829-2 + - CCE-92833-3 cci: - N/A 800-53r5:
@@ -24,7 +24,7 @@ references: cmmc: - MA.L2-3.7.5 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate
diff --git a/rules/os/os_notify_account_created.yaml b/rules/os/os_notify_account_created.yaml
index 2aee2f06..edb08d65 100644
--- a/rules/os/os_notify_account_created.yaml
+++ b/rules/os/os_notify_account_created.yaml
@@ -3,16 +3,16 @@ title: "Configure the System to Notify upon Account Created Actions" discussion: | The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when new accounts are created. - Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by creating a new account. Configuring the information system to send a notification when new accounts are created is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are created, but also maintain an audit record of accounts made. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. + Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by creating a new account. Configuring the information system to send a notification when new accounts are created is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are created, but also maintain an audit record of accounts made. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. - To enable notifications and audit logging of accounts created, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To enable notifications and audit logging of accounts created, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. 
fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91830-0 + - CCE-92834-1 cci: - N/A 800-53r5:
@@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r4_moderate - 800-53r4_high
diff --git a/rules/os/os_notify_account_disabled.yaml b/rules/os/os_notify_account_disabled.yaml
index 4e7142d9..e7a881c3 100644
--- a/rules/os/os_notify_account_disabled.yaml
+++ b/rules/os/os_notify_account_disabled.yaml
@@ -5,14 +5,14 @@ discussion: | When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. To detect and respond to events that affect user accessibility and system processing, operating systems should audit account disabling actions and, as required, notify system administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. - To enable notifications and audit logging of disabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To enable notifications and audit logging of disabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91831-8 + - CCE-92835-8 cci: - N/A 800-53r5:
@@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r4_moderate - 800-53r4_high
diff --git a/rules/os/os_notify_account_enable.yaml b/rules/os/os_notify_account_enable.yaml
index bfd92f59..72e74a25 100644
--- a/rules/os/os_notify_account_enable.yaml
+++ b/rules/os/os_notify_account_enable.yaml
@@ -3,16 +3,16 @@ title: "Configure the System to Notify upon Account Enabled Actions " discussion: | The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are enabled. - Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by enabling a new or previously disabled account. Configuring the information system to send a notification when a new or disabled account is enabled is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are enabled, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. + Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by enabling a new or previously disabled account. Configuring the information system to send a notification when a new or disabled account is enabled is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are enabled, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. - To enable notifications and audit logging of enabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To enable notifications and audit logging of enabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. 
This is an applicable-does not meet finding. fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91832-6 + - CCE-92836-6 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r4_moderate - 800-53r4_high diff --git a/rules/os/os_notify_account_modified.yaml b/rules/os/os_notify_account_modified.yaml index a82ce151..593898c2 100644 --- a/rules/os/os_notify_account_modified.yaml +++ b/rules/os/os_notify_account_modified.yaml 
@@ -3,16 +3,16 @@ title: "Configure the System to Notify upon Account Modified Actions" discussion: | The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are modified. - Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by modifying an existing account. Configuring the information system to send a notification when accounts are modified is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are modified, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. + Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by modifying an existing account. Configuring the information system to send a notification when accounts are modified is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are modified, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. - To enable notifications and audit logging of modified account, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To enable notifications and audit logging of modified account, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. 
fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91833-4 + - CCE-92837-4 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r4_moderate - 800-53r4_high diff --git a/rules/os/os_notify_account_removal.yaml b/rules/os/os_notify_account_removal.yaml index 9ca853d3..f765a10b 100644 --- a/rules/os/os_notify_account_removal.yaml +++ b/rules/os/os_notify_account_removal.yaml 
@@ -4,15 +4,15 @@ discussion: | The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are removed. When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. To detect and respond to events that affect user accessibility and system processing, operating systems should audit account removal actions and, as required, notify system administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. - - To enable notifications and audit logging of removed accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + + To enable notifications and audit logging of removed accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91834-2 + - CCE-92838-2 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r4_moderate - 800-53r4_high diff --git a/rules/os/os_notify_unauthorized_baseline_change.yaml b/rules/os/os_notify_unauthorized_baseline_change.yaml index f094dc8f..d8656c7b 100644 --- a/rules/os/os_notify_unauthorized_baseline_change.yaml +++ b/rules/os/os_notify_unauthorized_baseline_change.yaml 
@@ -3,16 +3,16 @@ title: "Configure the System to Notify upon Baseline Configuration Changes" discussion: | The macOS should be configured to automatically notify system administrators, Information System Security Officers (ISSOs), and (IMOs) when baseline configurations are modified. - Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may present security threats. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the state of the operating system. + Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may present security threats. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the state of the operating system. - To enable notifications and audit logging of changes made to baseline configurations, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To enable notifications and audit logging of changes made to baseline configurations, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91835-9 + - CCE-92839-0 cci: - N/A 800-53r5: 
@@ -26,7 +26,7 @@ references: cmmc: - N/A macOS: - - "13.0" + - "14.0" tags: - permanent - cnssi-1253_high diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml index cf63f644..61bc6133 100644 --- a/rules/os/os_obscure_password.yaml +++ b/rules/os/os_obscure_password.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91836-7 + - CCE-92840-8 cci: - N/A 800-53r5: @@ -39,7 +39,7 @@ references: - IA.L2-3.5.9 - IA.L2-3.5.11 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_on_device_dictation_enforce.yaml b/rules/os/os_on_device_dictation_enforce.yaml new file mode 100644 index 00000000..8bf1d87f --- /dev/null +++ b/rules/os/os_on_device_dictation_enforce.yaml 
@@ -0,0 +1,69 @@ +id: os_on_device_dictation_enforce +title: "Enforce On Device Dictation" +discussion: | + Dictation _MUST_ be restricted to on device only to prevent potential data exfiltration. + + The information system _MUST_ be configured to provide only essential capabilities. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('forceOnDeviceOnlyDictation').js + EOS +result: + string: "true" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-92841-6 + cci: + - N/A + 800-53r5: + - AC-20 + - CM-7 + - CM-7(1) + - SC-7(10) + 800-53r4: + - CM-7 + - CM-7(1) + - AC-20 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - 3.1.20 + - 3.4.6 + cis: + benchmark: + - 2.18.1 (level 1) + controls v8: + - 4.1 + - 4.8 + cmmc: + - AC.L1-3.1.20 + - CM.L2-3.4.6 + - CM.L2-3.4.7 +macOS: + - "14.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cisv8 + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - cmmc_lvl2 + - cmmc_lvl1 + - cis_lvl1 + - cis_lvl2 +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + forceOnDeviceOnlyDictation: true \ No newline at end of file diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml index abd07e17..76be9ffd 100644 --- a/rules/os/os_parental_controls_enable.yaml +++ b/rules/os/os_parental_controls_enable.yaml 
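Review bot: The check reads `forceOnDeviceOnlyDictation` through `NSUserDefaults` with the `com.apple.applicationaccess` suite, which — as far as I can tell — returns the value from whichever preference layer supplies it, so a plain `defaults write` of that key by a local admin would satisfy the check even though no configuration profile enforces it. Since `fix` states the control is implemented by a Configuration Profile, the `discussion` or `check` text should make clear that this only verifies the effective preference value and that profile enforcement is confirmed separately (presumably how the project handles `mobileconfig: true` rules; worth confirming). A nit on the new file: it ends without a trailing newline (`\ No newline at end of file`).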
@@ -1,8 +1,8 @@ id: os_parental_controls_enable title: "Enable Parental Controls" discussion: | - Parental Controls _MUST_ be enabled. - + Parental Controls _MUST_ be enabled. + Control of program execution is a mechanism used to prevent program execution of unauthorized programs, which is critical to maintaining a secure system baseline. Parental Controls on the macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions. @@ -17,12 +17,12 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91837-5 - cci: + - CCE-92842-4 + cci: - N/A 800-53r5: - CM-7(2) - 800-53r4: + 800-53r4: - CM-7(2) srg: - N/A @@ -36,7 +36,7 @@ references: controls v8: - 4.8 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml index a2d0c98c..0d63b799 100644 --- a/rules/os/os_password_autofill_disable.yaml +++ b/rules/os/os_password_autofill_disable.yaml @@ -1,7 +1,7 @@ id: os_password_autofill_disable title: "Disable Password Autofill" discussion: | - Password Autofill _MUST_ be disabled. + Password Autofill _MUST_ be disabled. macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications. check: | @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91838-3 + - CCE-92843-2 cci: - N/A 800-53r5: @@ -50,7 +50,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_password_hint_remove.yaml b/rules/os/os_password_hint_remove.yaml index 1d270c92..a86c5994 100644 
--- a/rules/os/os_password_hint_remove.yaml +++ b/rules/os/os_password_hint_remove.yaml @@ -9,15 +9,15 @@ result: fix: | [source,bash] ---- - for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do /usr/bin/dscl . -delete /Users/$u hint done ---- references: cce: - - CCE-91839-1 + - CCE-92844-0 cci: - - N/A + - N/A 800-53r5: - IA-6 800-53r4: @@ -32,7 +32,7 @@ references: cmmc: - IA.L2-3.5.11 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml index 8576e5ec..03afbab3 100644 --- a/rules/os/os_password_proximity_disable.yaml +++ b/rules/os/os_password_proximity_disable.yaml @@ -1,8 +1,8 @@ id: os_password_proximity_disable title: "Disable Proximity Based Password Sharing Requests" discussion: | - Proximity based password sharing requests _MUST_ be disabled. - + Proximity based password sharing requests _MUST_ be disabled. + The default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature _MUST_ be disabled to prevent passwords from being shared. check: | /usr/bin/osascript -l JavaScript << EOS @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91840-9 + - CCE-92845-7 cci: - CCI-000381 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-005060 + - N/A 800-171r2: - 3.5.1 - 3.5.2 @@ -39,7 +39,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -53,7 +53,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml index 93027962..0466e921 100644 
--- a/rules/os/os_password_sharing_disable.yaml +++ b/rules/os/os_password_sharing_disable.yaml @@ -1,8 +1,8 @@ id: os_password_sharing_disable title: "Disable Password Sharing" discussion: | - Password Sharing _MUST_ be disabled. - + Password Sharing _MUST_ be disabled. + The default behavior of macOS is to allow users to share a password over Airdrop between other macOS and iOS devices. This feature _MUST_ be disabled to prevent passwords from being shared. check: | /usr/bin/osascript -l JavaScript << EOS @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91841-7 + - CCE-92846-5 800-53r5: - IA-5 800-53r4: @@ -37,7 +37,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_peripherals_identify.yaml b/rules/os/os_peripherals_identify.yaml index fb02ee8a..1fac6a63 100644 --- a/rules/os/os_peripherals_identify.yaml +++ b/rules/os/os_peripherals_identify.yaml @@ -2,7 +2,7 @@ id: os_peripherals_identify title: The macOS system must uniquely identify peripherals before establishing a connection. discussion: | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. - + Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. @@ -10,7 +10,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91842-5 + - CCE-92847-3 cci: - N/A 800-53r5: @@ -22,9 +22,9 @@ references: disa_stig: - N/A 800-171r2: - - N/A + - N/A macOS: - - "13.0" + - "14.0" tags: - inherent mobileconfig: false diff --git a/rules/os/os_pii_deidentification.yaml b/rules/os/os_pii_deidentification.yaml index 63bea8ad..dec2c04a 100644 
--- a/rules/os/os_pii_deidentification.yaml +++ b/rules/os/os_pii_deidentification.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - CCE-91843-3 + - CCE-92848-1 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_privacy - n_a diff --git a/rules/os/os_pii_quality_control.yaml b/rules/os/os_pii_quality_control.yaml index f0682077..fcae6549 100644 --- a/rules/os/os_pii_quality_control.yaml +++ b/rules/os/os_pii_quality_control.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - CCE-91844-1 + - CCE-92849-9 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_privacy - n_a diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml index 0582a0b6..2988465d 100644 --- a/rules/os/os_policy_banner_loginwindow_enforce.yaml +++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml @@ -6,7 +6,7 @@ discussion: | System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. The policy banner will show if a "PolicyBanner.rtf" or "PolicyBanner.rtfd" exists in the "/Library/Security" folder. - + The banner text of the document _MUST_ read: [source,text] @@ -28,7 +28,7 @@ fix: | ---- references: cce: - - CCE-91845-8 + - CCE-92850-7 cci: - CCI-000048 - CCI-000050 @@ -46,7 +46,7 @@ references: - SRG-OS-000024-GPOS-00007 - SRG-OS-000228-GPOS-00088 disa_stig: - - APPL-13-000025 + - N/A 800-171r2: - 3.1.9 cis: @@ -57,7 +57,7 @@ references: cmmc: - AC.L2-3.1.9 macOS: - - "13.0" + - "14.0" odv: hint: "Organization's Policy Text" recommended: |- 
@@ -65,15 +65,15 @@ odv: cis_lvl1: "Center for Internet Security Test Message" cis_lvl2: "Center for Internet Security Test Message" stig: |- - You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: + You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: - -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - -At any time, the USG may inspect and seize data stored on this IS. + -At any time, the USG may inspect and seize data stored on this IS. - -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. + -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. - -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. tags: @@ -89,7 +89,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml index 3b336c35..8ef024a7 100644 --- a/rules/os/os_policy_banner_ssh_configure.yaml +++ b/rules/os/os_policy_banner_ssh_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-91846-6 + - CCE-92851-5 cci: - CCI-000048 800-53r5: @@ -29,13 +29,13 @@ references: srg: - SRG-OS-000023-GPOS-00006 disa_stig: - - APPL-13-000023 + - N/A 800-171r2: - 3.1.9 cmmc: - AC.L2-3.1.9 macOS: - - "13.0" + - "14.0" odv: hint: "Organization's Policy Text" recommended: |- @@ -60,18 +60,17 @@ odv: -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml index 0f2eb55b..330d7d3e 100644 --- a/rules/os/os_policy_banner_ssh_enforce.yaml +++ b/rules/os/os_policy_banner_ssh_enforce.yaml @@ -1,7 +1,7 @@ id: os_policy_banner_ssh_enforce title: "Enforce SSH to Display Policy Banner" discussion: | - SSH _MUST_ be configured to display a policy banner. + SSH _MUST_ be configured to display a policy banner. Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. @@ -9,7 +9,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/sbin/sshd -T | /usr/bin/grep -c "^banner /etc/banner" + /usr/sbin/sshd -G | /usr/bin/grep -c "^banner /etc/banner" result: integer: 1 fix: | @@ -35,7 +35,7 @@ fix: | ---- references: cce: - - CCE-91847-4 + - CCE-92852-3 cci: - CCI-000048 - CCI-000050 @@ -47,26 +47,25 @@ references: - SRG-OS-000023-GPOS-00006 - SRG-OS-000024-GPOS-00007 disa_stig: - - APPL-13-000024 + - N/A 800-171r2: - 3.1.9 cmmc: - AC.L2-3.1.9 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_power_nap_disable.yaml b/rules/os/os_power_nap_disable.yaml index ad5f082a..a78d4fb7 100644 --- a/rules/os/os_power_nap_disable.yaml 
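Review bot: The updated check's grep pattern `^banner /etc/banner` has no end anchor, so an effective `Banner /etc/banner.old` or `/etc/banner-test` line would also count as compliant; tighten it to `/usr/sbin/sshd -G | /usr/bin/grep -c "^banner /etc/banner$"`. Note also that `-G`, like `-T` before it, prints the global effective configuration without evaluating `Match` blocks unless `-C` connection parameters are supplied, so a `Match` block that overrides `Banner` for some users or addresses would not be reflected in this result; a sentence to that effect in the rule's `discussion` would help assessors. Moving from `-T` to `-G` is sensible since `-G` does not need to load host keys, but as far as I recall `-G` is only available in OpenSSH 9.3 and later, so the check is valid only on the macOS 14 OpenSSH build — consistent with the `macOS: "14.0"` tag, but worth stating in the existing NOTE for anyone reusing the rule on an older release.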
+++ b/rules/os/os_power_nap_disable.yaml @@ -3,7 +3,7 @@ title: "Disable Power Nap" discussion: | Power Nap _MUST_ be disabled. - NOTE: Power Nap allows your Mac to perform actions while a Mac is asleep. This can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot and must therefore be disabled on all applicable systems. + NOTE: Power Nap allows your Mac to perform actions while a Mac is asleep. This can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot and must therefore be disabled on all applicable systems. The following Macs support Power Nap: @@ -24,7 +24,7 @@ fix: | ---- references: cce: - - CCE-91848-2 + - CCE-92853-1 cci: - N/A 800-53r5: @@ -41,7 +41,7 @@ references: - N/A cis: benchmark: - - 2.9.1 (level 1) + - 2.9.2 (level 1) controls v8: - 4.1 - 4.8 @@ -49,7 +49,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_power_nap_enable.yaml b/rules/os/os_power_nap_enable.yaml index 25ba06a0..a6e39a71 100644 --- a/rules/os/os_power_nap_enable.yaml +++ b/rules/os/os_power_nap_enable.yaml @@ -3,7 +3,7 @@ title: "Enable Power Nap" discussion: | Power Nap _MUST_ be enabled. - NOTE: Power nap can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot. + NOTE: Power nap can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot. The following Macs support Power Nap: @@ -24,7 +24,7 @@ fix: | ---- references: cce: - - CCE-91849-0 + - CCE-92854-9 cci: - N/A 800-53r5: @@ -34,7 +34,7 @@ references: disa_stig: - N/A srg: - - N/A + - N/A 800-171r2: - N/A cis: @@ -43,7 +43,7 @@ references: controls v8: - N/A macOS: - - "13.0" + - "14.0" tags: - none mobileconfig: false diff --git a/rules/os/os_predictable_behavior.yaml b/rules/os/os_predictable_behavior.yaml index c1237ecb..46da8db7 100644 
--- a/rules/os/os_predictable_behavior.yaml +++ b/rules/os/os_predictable_behavior.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91850-8 + - CCE-92855-6 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent - cnssi-1253_moderate diff --git a/rules/os/os_prevent_priv_execution.yaml b/rules/os/os_prevent_priv_execution.yaml index 11c72fcd..78ebe659 100644 --- a/rules/os/os_prevent_priv_execution.yaml +++ b/rules/os/os_prevent_priv_execution.yaml @@ -3,8 +3,8 @@ title: "Prevent Software From Executing at Higher Privilege Levels than Users Ex discussion: | In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations.Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review. - The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. - + The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. + link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91851-6 + - CCE-92856-4 cci: - N/A 800-53r5: 
@@ -24,9 +24,9 @@ references: srg: - N/A 800-171r2: - - 3.1.7 + - 3.1.7 macOS: - - "13.0" + - "14.0" tags: - inherent - cnssi-1253_moderate diff --git a/rules/os/os_prevent_priv_functions.yaml b/rules/os/os_prevent_priv_functions.yaml index 18fdef20..8d6f3858 100644 --- a/rules/os/os_prevent_priv_functions.yaml +++ b/rules/os/os_prevent_priv_functions.yaml @@ -1,11 +1,11 @@ id: os_prevent_priv_functions title: "Configure the System to Block Non-Privileged Users from Executing Privileged Functions" discussion: | - The information system _IS_ configured to block standard users from executing privileged functions. + The information system _IS_ configured to block standard users from executing privileged functions. - Privileged functions include disabling, circumventing, or altering implemented security safeguards and countermeasures. - - The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. + Privileged functions include disabling, circumventing, or altering implemented security safeguards and countermeasures. + + The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Introduction/Introduction.html[] check: | @@ -14,7 +14,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91852-4 + - CCE-92857-2 cci: - N/A 800-53r5: @@ -30,7 +30,7 @@ references: cmmc: - AC.L2-3.1.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_prevent_unauthorized_disclosure.yaml b/rules/os/os_prevent_unauthorized_disclosure.yaml index 66a68df9..5d3d1a09 100644 --- a/rules/os/os_prevent_unauthorized_disclosure.yaml +++ b/rules/os/os_prevent_unauthorized_disclosure.yaml 
@@ -1,9 +1,9 @@ id: os_prevent_unauthorized_disclosure title: "Configure the System to Prevent the Unauthorized Disclosure of Data via Shared Resources" discussion: | - The information system _IS_ configured to ensure that the unauthorized disclosure of data does not occur when resources are shared. - - The inherent configuration of the macOS does not allow for resources to be shared between users without authorization. + The information system _IS_ configured to ensure that the unauthorized disclosure of data does not occur when resources are shared. + + The inherent configuration of the macOS does not allow for resources to be shared between users without authorization. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] check: | @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91853-2 + - CCE-92858-0 cci: - N/A 800-53r5: @@ -28,7 +28,7 @@ references: cmmc: - SC.L2-3.13.4 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_privacy_principle_minimization.yaml b/rules/os/os_privacy_principle_minimization.yaml index 5f8ac977..4a517f3b 100644 --- a/rules/os/os_privacy_principle_minimization.yaml +++ b/rules/os/os_privacy_principle_minimization.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - CCE-91854-0 + - CCE-92859-8 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_privacy - n_a diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml index e5e7dfd4..c4f625e6 100644 --- a/rules/os/os_privacy_setup_prompt_disable.yaml +++ b/rules/os/os_privacy_setup_prompt_disable.yaml 
@@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91855-7 + - CCE-92860-6 cci: - CCI-000381 800-53r5: @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-002036 + - N/A cis: benchmark: - N/A @@ -38,14 +38,13 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - cisv8 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_prohibit_remote_activation_collab_devices.yaml b/rules/os/os_prohibit_remote_activation_collab_devices.yaml index 7390501d..041d9466 100644 --- a/rules/os/os_prohibit_remote_activation_collab_devices.yaml +++ b/rules/os/os_prohibit_remote_activation_collab_devices.yaml @@ -2,13 +2,13 @@ id: os_prohibit_remote_activation_collab_devices title: "Prohibit Remote Activation of Collaborative Computing Devices" discussion: | The inherent configuration of the macOS _IS_ in compliance. - + Apple has implemented a green light physically next to your camera that will glow when the camera is activated. There is an orange dot indicator by the Control Center pull down menu item to indicate when the system's microphone is listening or activated. The macOS has built into the system, the ability to grant or deny access to the camera and microphone which requires the application to have an entitlement to use the device. - + link:https://support.apple.com/guide/mac-help/use-the-built-in-camera-mchlp2980/mac[] - + link:https://support.apple.com/guide/mac-help/control-access-to-your-camera-mchlf6d108da/mac[] link:https://support.apple.com/guide/mac-help/control-access-to-your-microphone-on-mac-mchla1b1e1fe/12.0/mac/12.0[] @@ -18,7 +18,7 @@ fix: | The technology partially meets this requirement. An appropriate mitigation for the system must be implemented for full compliance. references: cce: - - CCE-91856-5 + - CCE-92861-4 800-53r5: - SC-15 800-53r4: 
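Review bot: The microphone reference in the discussion of os_prohibit_remote_activation_collab_devices, `link:https://support.apple.com/guide/mac-help/control-access-to-your-microphone-on-mac-mchla1b1e1fe/12.0/mac/12.0[]`, appears to be pinned to the macOS 12.0 edition of the guide, while this hunk only normalises the whitespace around it and the rule is being re-baselined to "14.0" further down the file. The two neighbouring camera links are unversioned, so dropping the `/12.0/mac/12.0` segment (or pointing at the Sonoma edition if Apple publishes one) would keep the reference consistent with the release this rule now targets. Documentation only; the `discussion:` block continues outside the hunk.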
@@ -30,7 +30,7 @@ references: cmmc: - SC.L2-3.13.12 macOS: - - "13.0" + - "14.0" tags: - inherent - 800-53r5_low diff --git a/rules/os/os_protect_dos_attacks.yaml b/rules/os/os_protect_dos_attacks.yaml index 5d98c2a7..8e201d7e 100644 --- a/rules/os/os_protect_dos_attacks.yaml +++ b/rules/os/os_protect_dos_attacks.yaml @@ -1,9 +1,9 @@ id: os_protect_dos_attacks title: "Protect Against Denial of Service Attacks by Ensuring Rate-Limiting Measures on Network Interfaces" discussion: | - The macOS should be configured to prevent Denial of Service (DoS) attacks by enforcing rate-limiting measures on network interfaces. - - DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. + The macOS should be configured to prevent Denial of Service (DoS) attacks by enforcing rate-limiting measures on network interfaces. + + DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. To prevent DoS attacks by ensuring rate-limiting measures on network interfaces, many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement. check: | @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91857-3 + - CCE-92862-2 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate 
diff --git a/rules/os/os_provide_automated_account_management.yaml b/rules/os/os_provide_automated_account_management.yaml index 45cd2489..766bcf99 100644 --- a/rules/os/os_provide_automated_account_management.yaml +++ b/rules/os/os_provide_automated_account_management.yaml @@ -4,7 +4,7 @@ discussion: | The organization should employ automated mechanisms to support the management of information system accounts. The use of automated mechanisms prevents against human error and provide a faster and more efficient means of relaying time-sensitive information and account management. - + To employ automated mechanisms for account management functions, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91858-1 + - CCE-92863-0 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_provide_disconnect_remote_access.yaml b/rules/os/os_provide_disconnect_remote_access.yaml index 508a9e6d..451b0101 100644 --- a/rules/os/os_provide_disconnect_remote_access.yaml +++ b/rules/os/os_provide_disconnect_remote_access.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91859-9 + - CCE-92864-8 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent - cnssi-1253_moderate diff --git a/rules/os/os_rapid_security_response_allow.yaml b/rules/os/os_rapid_security_response_allow.yaml index e927a524..6f49469f 100644 --- a/rules/os/os_rapid_security_response_allow.yaml 
+++ b/rules/os/os_rapid_security_response_allow.yaml @@ -13,8 +13,8 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91860-7 - cci: + - CCE-92865-5 + cci: - N/A 800-53r5: - SI-2 @@ -38,11 +38,11 @@ references: - SI.L1-3.14.2 - SI.L1-3.14.4 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-171 - cnssi-1253_moderate - cnssi-1253_low diff --git a/rules/os/os_rapid_security_response_removal_disable.yaml b/rules/os/os_rapid_security_response_removal_disable.yaml index 6d5aca45..c8f8f4da 100644 --- a/rules/os/os_rapid_security_response_removal_disable.yaml +++ b/rules/os/os_rapid_security_response_removal_disable.yaml @@ -1,7 +1,7 @@ id: os_rapid_security_response_removal_disable title: "Disable User Ability from Being Able to Undo Rapid Security Responses" discussion: | - Rapid security response (RSR) mechanism _MUST_ be enabled and the ability for the user to disable RSR _MUST_ be disabled. + Rapid security response (RSR) mechanism _MUST_ be enabled and the ability for the user to disable RSR _MUST_ be disabled. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -13,8 +13,8 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91861-5 - cci: + - CCE-92866-3 + cci: - N/A 800-53r5: - SI-2 @@ -38,11 +38,11 @@ references: - SI.L1-3.14.2 - SI.L1-3.14.4 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-171 - cnssi-1253_moderate - cnssi-1253_low diff --git a/rules/os/os_reauth_devices_change_authenticators.yaml b/rules/os/os_reauth_devices_change_authenticators.yaml index 6fa8421a..c989af68 100644 --- a/rules/os/os_reauth_devices_change_authenticators.yaml +++ b/rules/os/os_reauth_devices_change_authenticators.yaml 
@@ -1,8 +1,8 @@ id: os_reauth_devices_change_authenticators title: "Require Devices to Reauthenticate when Changing Authenticators" discussion: | - The macOS should be configured to require users to reauthenticate when the device authenticator is changed. - + The macOS should be configured to require users to reauthenticate when the device authenticator is changed. + Without reauthentication, users may access resources or perform tasks for which they are not authorization. When operating systems provide the capability to change device authenticators, it is critical the device reauthenticate. check: | The technology does not support this requirement. This is an applicable-does not meet finding. @@ -10,7 +10,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91862-3 + - CCE-92867-1 cci: - N/A 800-53r5: @@ -22,7 +22,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_reauth_privilege.yaml b/rules/os/os_reauth_privilege.yaml index 452e47da..3a81b3f7 100644 --- a/rules/os/os_reauth_privilege.yaml +++ b/rules/os/os_reauth_privilege.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91863-1 + - CCE-92868-9 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent - cnssi-1253_moderate diff --git a/rules/os/os_reauth_users_change_authenticators.yaml b/rules/os/os_reauth_users_change_authenticators.yaml index 2a204800..b7266190 100644 --- a/rules/os/os_reauth_users_change_authenticators.yaml +++ b/rules/os/os_reauth_users_change_authenticators.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91864-9 + - CCE-92869-7 cci: - N/A 800-53r5: 
@@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent - 800-53r5_low diff --git a/rules/os/os_recovery_lock_enable.yaml b/rules/os/os_recovery_lock_enable.yaml index 2a23a6af..fc0973e7 100644 --- a/rules/os/os_recovery_lock_enable.yaml +++ b/rules/os/os_recovery_lock_enable.yaml @@ -1,20 +1,20 @@ id: os_recovery_lock_enable title: "Enable Recovery Lock" discussion: | - A recovery lock password _MUST_ be enabled and set. + A recovery lock password _MUST_ be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding down specific key combinations during startup. Setting a recovery lock restricts access to these tools. IMPORTANT: Recovery lock passwords are not supported on Intel devices. This rule is only applicable to Apple Silicon devices. check: | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "IsRecoveryLockEnabled = 1" -result: +result: integer: 1 fix: | - NOTE: The SetRecoveryLock command can be used to set a Recovery Lock password and must be from your MDM. + NOTE: The SetRecoveryLock command can be used to set a Recovery Lock password and must be from your MDM. references: cce: - - CCE-91865-6 + - CCE-92870-5 cci: - N/A 800-53r5: @@ -31,13 +31,13 @@ references: - AC.L1-3.1.1 - AC.L2-3.1.5 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - arm64 - manual - cnssi-1253_moderate diff --git a/rules/os/os_remote_access_methods.yaml b/rules/os/os_remote_access_methods.yaml index e1fe10e5..9aacaef4 100644 --- a/rules/os/os_remote_access_methods.yaml +++ b/rules/os/os_remote_access_methods.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91866-4 + - CCE-92871-3 cci: - N/A 800-53r5: 
@@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent mobileconfig: false diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml index ac3c46b5..e096b9e6 100644 --- a/rules/os/os_removable_media_disable.yaml +++ b/rules/os/os_removable_media_disable.yaml @@ -12,7 +12,7 @@ discussion: | [IMPORTANT] ==== - Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS @@ -25,7 +25,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91867-2 + - CCE-92872-1 cci: - CCI-000366 800-53r5: @@ -35,20 +35,19 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-005051 + - N/A 800-171r2: - 3.8.8 cmmc: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_remove_software_components_after_updates.yaml b/rules/os/os_remove_software_components_after_updates.yaml index 09f02823..db84c9e6 100644 --- a/rules/os/os_remove_software_components_after_updates.yaml +++ b/rules/os/os_remove_software_components_after_updates.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91868-0 + - CCE-92873-9 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent - cnssi-1253_moderate 
diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml index 1c4523e7..a37d57f6 100644 --- a/rules/os/os_required_crypto_module.yaml +++ b/rules/os/os_required_crypto_module.yaml @@ -2,13 +2,13 @@ id: os_required_crypto_module title: "Ensure all Federal Laws, Executive Orders, Directives, Policies, Regulations, Standards, and Guidance for Authentication to a Cryptographic Module are Met" discussion: | The inherent configuration of the macOS _IS_ in compliance by implementing mechanisms for authentication to a cryptographic module that meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication - + macOS contains many open source projects that may use their own cryptographic libraries typically for the purposes of maintaining platform independence. These services are not covered by the Apple FIPS Validation of the CoreCrypto and CoreCrypto Kernel modules. Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Ventura will be submitted for FIPS validation. link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[] - + link:https://support.apple.com/en-us/HT201159[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. @@ -16,7 +16,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91869-8 + - CCE-92874-7 cci: - N/A 800-53r5: @@ -28,7 +28,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml index c23ef123..1e44c3d9 100644 --- a/rules/os/os_root_disable.yaml +++ b/rules/os/os_root_disable.yaml 
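Review bot: The discussion of os_required_crypto_module still states `macOS Ventura will be submitted for FIPS validation.` on a context line of this hunk, which only re-trims whitespace around it, while the same file's macOS field is moved to "14.0" in the following hunk. On a Sonoma baseline that sentence is stale and could mislead an assessor relying on it for CMVP status; it should either name the release actually being submitted or be made release-neutral, for example `Apple is committed to the FIPS validation process and submits the cryptographic modules of each macOS release for validation.` Which release is in submission should be confirmed against the linked CSRC page before editing.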
@@ -3,7 +3,7 @@ title: "Disable Root Login" discussion: | To assure individual accountability and prevent unauthorized access, logging in as root at the login window _MUST_ be disabled. - The macOS system _MUST_ require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. + The macOS system _MUST_ require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. check: | /usr/bin/dscl . -read /Users/root UserShell 2>&1 | /usr/bin/grep -c "/usr/bin/false" result: @@ -15,9 +15,9 @@ fix: | ---- references: cce: - - CCE-91870-6 + - CCE-92875-4 cci: - - N/A + - N/A 800-53r5: - IA-2 - IA-2(5) @@ -36,7 +36,7 @@ references: - IA.L1-3.5.1 - IA.L1-3.5.2 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_safari_advertising_privacy_protection_enable.yaml b/rules/os/os_safari_advertising_privacy_protection_enable.yaml index 419e8171..15b42a4a 100644 --- a/rules/os/os_safari_advertising_privacy_protection_enable.yaml +++ b/rules/os/os_safari_advertising_privacy_protection_enable.yaml @@ -1,7 +1,7 @@ id: os_safari_advertising_privacy_protection_enable title: "Ensure Advertising Privacy Protection in Safari Is Enabled" discussion: | - Allow privacy-preserving measurement of ad effectiveness _MUST_ be enabled in Safari. + Allow privacy-preserving measurement of ad effectiveness _MUST_ be enabled in Safari. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"WebKitPreferences.privateClickMeasurementEnabled" = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-92002-5 + - CCE-92876-2 cci: - N/A 800-53r5: 
@@ -27,7 +27,7 @@ references: controls v8: - 9.1 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_safari_javascript_enabled.yaml b/rules/os/os_safari_javascript_enabled.yaml new file mode 100644 index 00000000..b794774d --- /dev/null +++ b/rules/os/os_safari_javascript_enabled.yaml @@ -0,0 +1,38 @@ +id: os_safari_javascript_enabled +title: "Ensure JavaScript is Enabled in Safari" +discussion: | + Safari _MUST_ be configured to enable Javascript. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'WebKitPreferences.javaScriptEnabled = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-93013-1 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A + cis: + benchmark: + - 6.3.10 (level 1) + controls v8: + - 9.1 +macOS: + - "14.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.Safari: + WebKitPreferences.javaScriptEnabled: true diff --git a/rules/os/os_safari_open_safe_downloads_disable.yaml b/rules/os/os_safari_open_safe_downloads_disable.yaml index ff169c6d..73a1ae35 100644 --- a/rules/os/os_safari_open_safe_downloads_disable.yaml +++ b/rules/os/os_safari_open_safe_downloads_disable.yaml @@ -1,7 +1,7 @@ id: os_safari_open_safe_downloads_disable title: "Disable Automatic Opening of Safe Files in Safari" discussion: | - Open "safe" files after downloading _MUST_ be disabled in Safari. + Open "safe" files after downloading _MUST_ be disabled in Safari. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutoOpenSafeDownloads = 0' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91871-4 + - CCE-92877-0 cci: - N/A 800-53r5: 
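Review bot: The new os_safari_javascript_enabled check greps `'WebKitPreferences.javaScriptEnabled = 1'` with no quotes around the dotted key, whereas the sibling rule os_safari_advertising_privacy_protection_enable in this same diff greps `'"WebKitPreferences.privateClickMeasurementEnabled" = 1'` with the key double-quoted. If `profiles -P -o stdout` prints dotted keys in quotes, as that sibling's pattern implies, this grep can never match and the rule will report non-compliant regardless of the installed profile; the pattern should be `'"WebKitPreferences.javaScriptEnabled" = 1'`. Both this rule and the new os_safari_popups_disabled cite CIS benchmark `6.3.10 (level 1)`, so at least one section number looks mistaken and should be verified against the CIS macOS 14 benchmark. Minor: the discussion spells `Javascript` while the title uses `JavaScript`.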
@@ -28,7 +28,7 @@ references: - 9.1 - 9.6 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_safari_popups_disabled.yaml b/rules/os/os_safari_popups_disabled.yaml new file mode 100644 index 00000000..20d0919a --- /dev/null +++ b/rules/os/os_safari_popups_disabled.yaml @@ -0,0 +1,38 @@ +id: os_safari_popups_disabled +title: "Ensure Pop-Up Windows are Blocked in Safari" +discussion: | + Safari _MUST_ be configured to block Pop-Up windows. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'safariAllowPopups = 0' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-93014-9 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A + cis: + benchmark: + - 6.3.10 (level 1) + controls v8: + - 9.1 +macOS: + - "14.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.Safari: + safariAllowPopups: false diff --git a/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml b/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml index c09b812e..dc1f5f54 100644 --- a/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml +++ b/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-92003-3 + - CCE-92878-8 cci: - N/A 800-53r5: @@ -28,7 +28,7 @@ references: - 9.1 - 9.3 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_safari_show_full_website_address_enable.yaml b/rules/os/os_safari_show_full_website_address_enable.yaml index c1356e22..59556959 100644 --- a/rules/os/os_safari_show_full_website_address_enable.yaml +++ b/rules/os/os_safari_show_full_website_address_enable.yaml 
@@ -1,7 +1,7 @@ id: os_safari_show_full_website_address_enable title: "Ensure Show Full Website Address in Safari Is Enabled" discussion: | - Show full website address _MUST_ be enabled in Safari. + Show full website address _MUST_ be enabled in Safari. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ShowFullURLInSmartSearchField = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-92004-1 + - CCE-92879-6 cci: - N/A 800-53r5: @@ -27,7 +27,7 @@ references: controls v8: - 9.1 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_safari_show_status_bar_enabled.yaml b/rules/os/os_safari_show_status_bar_enabled.yaml new file mode 100644 index 00000000..98d04a29 --- /dev/null +++ b/rules/os/os_safari_show_status_bar_enabled.yaml @@ -0,0 +1,38 @@ +id: os_safari_show_status_bar_enabled +title: "Ensure Show Safari shows the Status Bar is Enabled" +discussion: | + Safari _MUST_ be configured to show the status bar. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ShowOverlayStatusBar = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-93015-6 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A + cis: + benchmark: + - 6.3.11 (level 1) + controls v8: + - 9.1 +macOS: + - "14.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.Safari: + ShowOverlayStatusBar: true diff --git a/rules/os/os_safari_warn_fraudulent_website_enable.yaml b/rules/os/os_safari_warn_fraudulent_website_enable.yaml index 94e02e7b..ddd18de3 100644 --- a/rules/os/os_safari_warn_fraudulent_website_enable.yaml +++ b/rules/os/os_safari_warn_fraudulent_website_enable.yaml 
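Review bot: The title of the new os_safari_show_status_bar_enabled rule, `"Ensure Show Safari shows the Status Bar is Enabled"`, is ungrammatical and does not follow the naming pattern of the neighbouring Safari rules (for example `"Ensure Show Full Website Address in Safari Is Enabled"`); suggest `title: "Ensure Show Status Bar in Safari Is Enabled"`. The discussion could likewise read `The status bar _MUST_ be enabled in Safari.` to match the `... _MUST_ be enabled in Safari.` form used by the other rules in this diff. Documentation only; the check pattern and the `ShowOverlayStatusBar` payload key are consistent with each other.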
@@ -1,7 +1,7 @@ id: os_safari_warn_fraudulent_website_enable title: "Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled" discussion: | - Warn when visiting a fraudulent website _MUST_ be enabled in Safari. + Warn when visiting a fraudulent website _MUST_ be enabled in Safari. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'WarnAboutFraudulentWebsites = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-92005-8 + - CCE-92880-4 cci: - N/A 800-53r5: @@ -28,7 +28,7 @@ references: - 9.1 - 9.3 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml index e7b421d9..a068a6aa 100644 --- a/rules/os/os_screensaver_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_loginwindow_enforce.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91872-2 + - CCE-92881-2 cci: - CCI-000060 800-53r5: @@ -23,21 +23,23 @@ references: srg: - SRG-OS-000031-GPOS-00012 disa_stig: - - APPL-13-000006 + - N/A 800-171r2: - 3.1.10 + cmmc: + - AC.L2-3.1.10 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - - stig + - cmmc_lvl2 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml index 4f9c11eb..b1adbb12 100644 --- a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml 
@@ -22,7 +22,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-92010-8 + - CCE-92882-0 cci: - CCI-000057 800-53r5: @@ -31,7 +31,7 @@ references: srg: - SRG-OS-000029-GPOS-00010 disa_stig: - - APPL-13-000004 + - N/A 800-171r2: - 3.1.10 cis: @@ -39,14 +39,16 @@ references: - N/A controls v8: - 4.3 + cmmc: + - AC.L2-3.1.10 macOS: - - "13.0" + - "14.0" odv: hint: "Number of seconds." recommended: 1200 stig: 900 tags: - - stig + - cnssi-1253_moderate severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml index 1cacd670..fe520f34 100644 --- a/rules/os/os_secure_boot_verify.yaml +++ b/rules/os/os_secure_boot_verify.yaml @@ -3,18 +3,18 @@ title: "Ensure Secure Boot Level Set to Full" discussion: | The Secure Boot security setting _MUST_ be set to full. - Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. + Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. NOTE: This will only return a proper result on a T2 or Apple Silicon Macs. check: | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full" -result: +result: integer: 1 fix: | NOTE: Boot into Recovery Mode and enable Full Secure Boot references: cce: - - CCE-91873-0 + - CCE-92883-8 cci: - N/A 800-53r5: @@ -29,7 +29,7 @@ references: disa_stig: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_high - 800-53r5_moderate diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml index 73aec76c..d5f8ee33 100644 --- a/rules/os/os_secure_enclave.yaml +++ b/rules/os/os_secure_enclave.yaml 
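Review bot: The `odv:` block of os_screensaver_timeout_loginwindow_enforce keeps `stig: 900` while this hunk removes the `stig` tag and the preceding hunk in the same file sets `disa_stig` to `N/A`, so the rule now carries a STIG override for a baseline it is no longer part of. If the tooling selects ODV values by baseline name that entry is dead and should be dropped, or kept with a comment such as `# retained for a future Sonoma STIG` so the next maintainer knows it is intentional. Separately, the replacement tag adds only `cnssi-1253_moderate`, whereas os_screensaver_loginwindow_enforce in this same diff carries all three `cnssi-1253_moderate`/`_low`/`_high` tags; confirm the low and high overlays are deliberately excluded here. The enclosing `references:` mapping begins outside the hunk.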
@@ -2,9 +2,9 @@ id: os_secure_enclave title: "Protected Storage for Cryptographic Keys" discussion: | A system _IS_ configured to provide protected storage for cryptographic keys either by hardware protected key store or an organizationally defined safeguard. - + Macs with Apple Silicon or T2 processors provide protected storage for cryptographic keys via the secure enclave. - + link:https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1[] NOTE: This will only return a proper result on a T2 or Apple Silicon Macs. @@ -13,10 +13,10 @@ check: | result: integer: 0 fix: | - The hardware does not support the requirement. + The hardware does not support the requirement. references: cce: - - CCE-91874-8 + - CCE-92884-6 cci: - N/A 800-53r5: @@ -27,12 +27,15 @@ references: - N/A srg: - N/A + cmmc: + - SC.L2-3.13.10 macOS: - - "13.0" + - "14.0" tags: - inherent - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cmmc_lvl2 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml index 67e1f31b..73163389 100644 --- a/rules/os/os_secure_name_resolution.yaml +++ b/rules/os/os_secure_name_resolution.yaml @@ -10,7 +10,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91875-5 + - CCE-92885-3 cci: - N/A 800-53r5: @@ -27,7 +27,7 @@ references: controls v8: - 4.9 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_separate_functionality.yaml b/rules/os/os_separate_functionality.yaml index 30d8b6f0..83df7fb2 100644 --- a/rules/os/os_separate_functionality.yaml +++ b/rules/os/os_separate_functionality.yaml 
@@ -1,11 +1,11 @@ id: os_separate_functionality title: "Configure the System to Separate User and System Functionality" discussion: | - The information system _IS_ configured to separate user and system functionality. - - Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges. Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access. - - The inherent configuration of the macOS allows only privileged users to access operating system management functionalities. + The information system _IS_ configured to separate user and system functionality. + + Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges. Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access. + + The inherent configuration of the macOS allows only privileged users to access operating system management functionalities. link:https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html[] check: | @@ -14,7 +14,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91876-3 + - CCE-92886-1 cci: - N/A 800-53r5: @@ -31,7 +31,7 @@ references: cmmc: - SC.L2-3.13.3 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high 
diff --git a/rules/os/os_setup_assistant_filevault_enforce.yaml b/rules/os/os_setup_assistant_filevault_enforce.yaml new file mode 100644 index 00000000..691a80b6 --- /dev/null +++ b/rules/os/os_setup_assistant_filevault_enforce.yaml @@ -0,0 +1,51 @@ +id: os_setup_assistant_filevault_enforce +title: "Enforce FileVault in Setup Assistant" +discussion: | + FileVault _MUST_ be enforced in Setup Assistant. + + The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX.FileVault2')\ + .objectForKey('ForceEnableInSetupAssistant').js + EOS +result: + integer: 1 +fix: | + NOTE: See the FileVault supplemental to implement this rule. +references: + cce: + - CCE-92887-9 + cci: + - N/A + 800-53r5: + - SC-28 + - SC-28(1) + 800-53r4: + - SC-28 + - SC-28(1) + srg: + - SRG-OS-000185-GPOS-00079 + - SRG-OS-000404-GPOS-00183 + - SRG-OS-000405-GPOS-00184 + disa_stig: + - N/A + 800-171r2: + - 3.13.16 + cis: + benchmark: + - N/A + controls v8: + - 3.6 + - 3.11 + cmmc: + - SC.L2-3.13.16 +macOS: + - "14.0" +tags: + - none +severity: "high" +mobileconfig: true +mobileconfig_info: + com.apple.MCX.FileVault2: + ForceEnableInSetupAssistant: true \ No newline at end of file diff --git a/rules/os/os_show_filename_extensions_enable.yaml b/rules/os/os_show_filename_extensions_enable.yaml index 38c0c5c9..7a7ff2b8 100644 --- a/rules/os/os_show_filename_extensions_enable.yaml +++ b/rules/os/os_show_filename_extensions_enable.yaml @@ -2,8 +2,8 @@ id: os_show_filename_extensions_enable title: "Enable Show All Filename Extensions" discussion: | Show all filename extensions _MUST_ be enabled in the Finder. - - [NOTE] + + [NOTE] ==== The check and fix are for the currently logged in user. To get the currently logged in user, run the following. [source,bash] 
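Review bot: The new os_setup_assistant_filevault_enforce check reads the value with `.objectForKey('ForceEnableInSetupAssistant').js`, which for a boolean payload (the `mobileconfig_info` below sets the key to `true`) yields the string `true`/`false`, yet `result:` expects `integer: 1`; unless the tooling coerces booleans, this comparison will fail even when the profile is installed. Presumably `result: boolean: true` was intended, as with other NSUserDefaults-based checks that read a boolean key — this should be verified by running the check on a host that has the profile applied. Two smaller points: the file is added without a trailing newline (`\ No newline at end of file`), and `tags: - none` leaves a `severity: "high"` rule outside every baseline, which is worth confirming is deliberate for its first release.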
@@ -22,7 +22,7 @@ fix: | ---- references: cce: - - CCE-91877-1 + - CCE-92888-7 cci: - N/A 800-53r5: @@ -41,7 +41,7 @@ references: controls v8: - 2.3 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index f1d93eb2..6d00a8f4 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml @@ -18,7 +18,7 @@ fix: | NOTE: To reenable "System Integrity Protection", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command. references: cce: - - CCE-91878-9 + - CCE-92889-5 cci: - CCI-000154 - CCI-000158 @@ -72,7 +72,7 @@ references: - SRG-OS-000353-GPOS-00141 - SRG-OS-000354-GPOS-00142 disa_stig: - - APPL-13-005001 + - N/A 800-171r2: - 3.1.1 - 3.1.2 @@ -95,7 +95,7 @@ references: - SI.L1-3.14.1 - SI.L1-3.14.4 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -112,7 +112,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml index 4a091119..2be71a8d 100644 --- a/rules/os/os_siri_prompt_disable.yaml +++ b/rules/os/os_siri_prompt_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91879-7 + - CCE-92890-3 cci: - CCI-000381 - CCI-001774 @@ -31,7 +31,7 @@ references: - SRG-OS-000095-GPOS-00049 - SRG-OS-000370-GPOS-00155 disa_stig: - - APPL-13-002039 + - N/A 800-171r2: - 3.1.20 - 3.4.6 @@ -46,7 +46,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -61,7 +61,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_skip_screen_time_prompt_enable.yaml b/rules/os/os_skip_screen_time_prompt_enable.yaml index b67af2d0..f23482d7 100644 
--- a/rules/os/os_skip_screen_time_prompt_enable.yaml +++ b/rules/os/os_skip_screen_time_prompt_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91880-5 + - CCE-92891-1 cci: - CCI-000381 800-53r5: @@ -25,18 +25,17 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-005055 + - N/A cmmc: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_skip_unlock_with_watch_enable.yaml b/rules/os/os_skip_unlock_with_watch_enable.yaml index 7d69813b..56a5ca3a 100644 --- a/rules/os/os_skip_unlock_with_watch_enable.yaml +++ b/rules/os/os_skip_unlock_with_watch_enable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91881-3 + - CCE-92892-9 cci: - CCI-000381 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-005056 + - N/A 800-171r2: - 3.1.20 cis: @@ -36,7 +36,7 @@ references: cmmc: - AC.L1-3.1.20 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -51,7 +51,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_software_update_deferral.yaml b/rules/os/os_software_update_deferral.yaml index b227de62..c6f57766 100644 --- a/rules/os/os_software_update_deferral.yaml +++ b/rules/os/os_software_update_deferral.yaml @@ -20,7 +20,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91882-1 + - CCE-92893-7 cci: - N/A 800-53r5: @@ -40,8 +40,8 @@ references: - 7.3 - 7.4 macOS: - - "13.0" -odv: + - "14.0" +odv: hint: "Number of days." recommended: 30 cis_lvl1: 30 diff --git a/rules/os/os_ssh_fips_compliant.yaml b/rules/os/os_ssh_fips_compliant.yaml index cce4c254..e5af04bf 100644 
--- a/rules/os/os_ssh_fips_compliant.yaml +++ b/rules/os/os_ssh_fips_compliant.yaml @@ -5,7 +5,7 @@ discussion: | FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements. - Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: For more information on FIPS compliance with the version of SSH included in the macOS, the manual page apple_ssh_and_fips has additional information. check: | @@ -32,18 +32,18 @@ fix: | PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com CASignatureAlgorithms ecdsa-sha2-nistp256" /bin/echo "${fips_ssh_config}" > /etc/ssh/ssh_config.d/fips_ssh_config - ---- + ---- references: cce: - - CCE-91883-9 - cci: + - CCE-92894-5 + cci: - N/A 800-53r5: - AC-17(2) - IA-7 - SC-13 - SC-8(1) - 800-53r4: + 800-53r4: - AC-17(2) - IA-7 - SC-8(1) @@ -62,7 +62,7 @@ references: - SC.L2-3.13.8 - SC.L2-3.13.11 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml index dcc361b7..f89602e4 100644 --- a/rules/os/os_ssh_server_alive_count_max_configure.yaml +++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml @@ -19,7 +19,7 @@ result: fix: | [source,bash] ---- - for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r') configarray=( ${(f)config} ) for c in $configarray; do 
@@ -29,12 +29,12 @@ fix: | ---- references: cce: - - CCE-91884-7 - cci: + - CCE-92895-2 + cci: - N/A 800-53r5: - SC-10 - 800-53r4: + 800-53r4: - SC-10 srg: - N/A @@ -45,10 +45,10 @@ references: cmmc: - SC.L2-3.13.9 macOS: - - "13.0" + - "14.0" odv: hint: "Number of seconds." - recommended: 0 + recommended: 0 tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml index ef4478ee..8362b65b 100644 --- a/rules/os/os_ssh_server_alive_interval_configure.yaml +++ b/rules/os/os_ssh_server_alive_interval_configure.yaml @@ -1,8 +1,8 @@ id: os_ssh_server_alive_interval_configure title: "Configure SSH ServerAliveInterval option set to $ODV" discussion: | - SSH _MUST_ be configured with an Active Server Alive Maximum Count set to $ODV. - + SSH _MUST_ be configured with an Active Server Alive Maximum Count set to $ODV. + Setting the Active Server Alive Maximum Count to $ODV will log users out after a $ODV seconds interval of inactivity. NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. @@ -21,7 +21,7 @@ result: fix: | [source,bash] ---- - for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r') configarray=( ${(f)config} ) for c in $configarray; do @@ -31,13 +31,13 @@ fix: | ---- references: cce: - - CCE-91885-4 - cci: + - CCE-92896-0 + cci: - N/A 800-53r5: - SC-10 - AC-12 - 800-53r4: + 800-53r4: - SC-10 srg: - N/A @@ -49,7 +49,7 @@ references: - AC.L2-3.1.11 - SC.L2-3.13.9 macOS: - - "13.0" + - "14.0" odv: hint: "Number of seconds." recommended: 900 
diff --git a/rules/os/os_sshd_channel_timeout_configure.yaml b/rules/os/os_sshd_channel_timeout_configure.yaml
new file mode 100644
index 00000000..0e66b31a
--- /dev/null
+++ b/rules/os/os_sshd_channel_timeout_configure.yaml
@@ -0,0 +1,67 @@
+id: os_sshd_channel_timeout_configure
+title: "Configure SSHD Channel Timeout to $ODV"
+discussion: |
+ If SSHD is enabled it _MUST_ be configured with session ChannelTime out set to $ODV.
+
+ This will set the time out when the session is inactive.
+
+ NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
+check: |
+ /usr/sbin/sshd -G | /usr/bin/awk -F "=" '/channeltimeout session:*/{print $2}'
+result:
+ integer: $ODV
+fix: |
+ [source,bash]
+ ----
+ include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
+
+ if [[ -z $include_dir ]]; then
+ /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
+ fi
+
+ /usr/bin/grep -qxF 'channeltimeout session:*=$ODV' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "channeltimeout session:*=$ODV" >> "${include_dir}01-mscp-sshd.conf"
+
+ for file in $(ls ${include_dir}); do
+ if [[ "$file" == "100-macos.conf" ]]; then
+ continue
+ fi
+ if [[ "$file" == "01-mscp-sshd.conf" ]]; then
+ break
+ fi
+ /bin/mv ${include_dir}${file} ${include_dir}20-${file}
+ done
+ ----
+references:
+ cce:
+ - CCE-92897-8
+ cci:
+ - N/A
+ 800-53r5:
+ - SC-10
+ - AC-12
+ 800-53r4:
+ - SC-10
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - 3.13.9
+ cmmc:
+ - AC.L2-3.1.11
+ - SC.L2-3.13.9
+odv:
+ hint: "Number of seconds."
+ recommended: 900
+tags:
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
+ - cnssi-1253_moderate
+ - cnssi-1253_low
+ - cnssi-1253_high
+ - cmmc_lvl2
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
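Review bot: The new os_sshd_channel_timeout_configure rule has no `macOS:` key and no `severity:` key, while every sibling sshd rule in this diff carries `macOS:` with `- "14.0"` and a severity (os_sshd_client_alive_count_max_configure, for example, ends with `severity: "medium"`); the same two keys are missing from os_sshd_unused_connection_timeout_configure, and since ChannelTimeout is only understood by recent sshd releases the version gate matters more here than for the older rules. In the fix block, `/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config` overwrites whatever is on line 1 of sshd_config instead of inserting before it — presumably harmless on a stock file whose first line is a comment, but it silently drops a directive an administrator placed there, so inserting the Include line rather than substituting line 1 would be safer. The discussion also writes the option as "ChannelTime out"; `ChannelTimeout` matches the keyword the check matches in the `sshd -G` output.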
diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml index e808a6e1..52a93014 100644 --- a/rules/os/os_sshd_client_alive_count_max_configure.yaml +++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml @@ -9,7 +9,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/sbin/sshd -T | /usr/bin/awk '/clientalivecountmax/{print $2}' + /usr/sbin/sshd -G | /usr/bin/awk '/clientalivecountmax/{print $2}' result: integer: $ODV fix: | @@ -35,38 +35,37 @@ fix: | ---- references: cce: - - CCE-91886-2 - cci: + - CCE-92898-6 + cci: - CCI-001133 800-53r5: - SC-10 - 800-53r4: + 800-53r4: - SC-10 srg: - SRG-OS-000163-GPOS-00072 disa_stig: - - APPL-13-000052 + - N/A 800-171r2: - 3.13.9 cmmc: - SC.L2-3.13.9 macOS: - - "13.0" + - "14.0" odv: hint: "Number of seconds." recommended: 0 stig: 1 tags: - - 800-53r5_moderate + - 800-53r5_moderate - 800-53r5_high - - 800-53r4_moderate + - 800-53r4_moderate - 800-53r4_high - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml index 6555a002..c81cf4ad 100644 --- a/rules/os/os_sshd_client_alive_interval_configure.yaml +++ b/rules/os/os_sshd_client_alive_interval_configure.yaml 
@@ -1,8 +1,8 @@ id: os_sshd_client_alive_interval_configure title: "Configure SSHD ClientAliveInterval to $ODV" discussion: | - If SSHD is enabled then it _MUST_ be configured with the Client Alive Interval set to $ODV. - + If SSHD is enabled then it _MUST_ be configured with the Client Alive Interval set to $ODV. + Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. This setting works in conjuction with ClientAliveCountMax to determine the termination of the connection after the threshold has been reached. @@ -11,7 +11,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/sbin/sshd -T | /usr/bin/awk '/clientaliveinterval/{print $2}' + /usr/sbin/sshd -G | /usr/bin/awk '/clientaliveinterval/{print $2}' result: integer: $ODV fix: | @@ -37,25 +37,25 @@ fix: | ---- references: cce: - - CCE-91887-0 - cci: + - CCE-92899-4 + cci: - CCI-001133 800-53r5: - SC-10 - AC-12 - 800-53r4: + 800-53r4: - SC-10 srg: - SRG-OS-000163-GPOS-00072 disa_stig: - - APPL-13-000051 + - N/A 800-171r2: - 3.13.9 cmmc: - AC.L2-3.1.11 - SC.L2-3.13.9 macOS: - - "13.0" + - "14.0" odv: hint: "Number of seconds." recommended: 900 @@ -63,14 +63,13 @@ odv: tags: - 800-53r5_moderate - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high + - 800-53r4_moderate + - 800-53r4_high - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml deleted file mode 100644 index d2a31aa3..00000000 --- a/rules/os/os_sshd_fips_140_ciphers.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -id: os_sshd_fips_140_ciphers -title: "Limit SSHD to FIPS 140 Validated Ciphers" -discussion: | - If SSHD is enabled then it _MUST_ be configured to limit the ciphers to specific algorithms. This is required for compliance with the DISA STIG for macOS. - - In order to meet FIPS 140-3 compliance, please use the configuration in *os_sshd_fips_compliant* which follows the recommended guidelines from Apple in the manpage *apple_ssh_and_fips* and found on - - link:https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web[] - - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. -check: | - /usr/sbin/sshd -T | /usr/bin/grep -ci "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" -result: - integer: 1 -fix: | - [source,bash] - ---- - include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') - - if [[ -z $include_dir ]]; then - /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config - fi - - /usr/bin/grep -qxF 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> "${include_dir}01-mscp-sshd.conf" - - for file in $(ls ${include_dir}); do - if [[ "$file" == "100-macos.conf" ]]; then - continue - fi - if [[ "$file" == "01-mscp-sshd.conf" ]]; then - break - fi - /bin/mv ${include_dir}${file} ${include_dir}20-${file} - done - ---- -references: - cce: - - CCE-91888-8 - cci: - - N/A - 800-53r5: - - AC-17(2) - - IA-7 - - SC-13 - - SC-8(1) - 800-53r4: - - AC-17(2) - - IA-7 - - SC-8(1) - - SC-13 - - MA-4(6) - srg: - - N/A - disa_stig: - - APPL-13-000054 - 800-171r2: - - 3.1.13 - - 3.13.8 - - 3.13.11 - cmmc: - - AC.L2-3.1.13 - - MP.L2-3.8.6 - - SC.L2-3.13.8 - - SC.L2-3.13.11 -macOS: - - "13.0" -tags: - - stig -severity: "high" -mobileconfig: false -mobileconfig_info: \ No newline at end of file 
diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml deleted file mode 100644 index ce639928..00000000 --- a/rules/os/os_sshd_fips_140_macs.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -id: os_sshd_fips_140_macs -title: "Limit SSHD to FIPS 140 Validated Message Authentication Code Algorithms" -discussion: | - If SSHD is enabled then it _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms. This is required for compliance with the DISA STIG for macOS. - - In order to meet FIPS 140-3 compliance, please use the configuration in *os_sshd_fips_compliant* which follows the recommended guidelines from Apple in the manpage *apple_ssh_and_fips* and found on - - link:https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web[] - - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. -check: | - /usr/sbin/sshd -T | /usr/bin/grep -ci "^MACs hmac-sha2-256,hmac-sha2-512" -result: - integer: 1 -fix: | - [source,bash] - ---- - include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') - - if [[ -z $include_dir ]]; then - /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config - fi - - /usr/bin/grep -qxF 'MACs hmac-sha2-256,hmac-sha2-512' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "MACs hmac-sha2-256,hmac-sha2-512" >> "${include_dir}01-mscp-sshd.conf" - - for file in $(ls ${include_dir}); do - if [[ "$file" == "100-macos.conf" ]]; then - continue - fi - if [[ "$file" == "01-mscp-sshd.conf" ]]; then - break - fi - /bin/mv ${include_dir}${file} ${include_dir}20-${file} - done - ---- -references: - cce: - - CCE-91889-6 - cci: - - N/A - 800-53r5: - - AC-17(2) - - IA-7 - - SC-13 - - SC-8(1) - 800-53r4: - - AC-17(2) - - IA-7 - - SC-8(1) - - SC-13 - - MA-4(6) - srg: - - N/A - disa_stig: - - APPL-13-000055 - 800-171r2: - - 3.1.13 - - 3.13.8 - - 3.13.11 - cmmc: - - AC.L2-3.1.13 - - MP.L2-3.8.6 - - SC.L2-3.13.8 - - SC.L2-3.13.11 -macOS: - - "13.0" -tags: - - stig -severity: "high" -mobileconfig: false -mobileconfig_info: \ No 
newline at end of file diff --git a/rules/os/os_sshd_fips_compliant.yaml b/rules/os/os_sshd_fips_compliant.yaml index a3f13a16..719c56b3 100644 --- a/rules/os/os_sshd_fips_compliant.yaml +++ b/rules/os/os_sshd_fips_compliant.yaml @@ -5,14 +5,14 @@ discussion: | FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements. - Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: For more information on FIPS compliance with the version of SSHD included in the macOS, the manual page apple_ssh_and_fips has additional information. check: | fips_sshd_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256") total=0 for config in $fips_sshd_config; do - total=$(expr $(/usr/sbin/sshd -T | /usr/bin/grep -i -c "$config") + $total) + total=$(expr $(/usr/sbin/sshd -G | /usr/bin/grep -i -c "$config") + $total) done echo $total 
@@ -28,7 +28,7 @@ fix: | fi fips_sshd_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256") - + for config in $fips_sshd_config; do /usr/bin/grep -qxF "$config" "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "$config" >> "${include_dir}01-mscp-sshd.conf" done @@ -42,18 +42,18 @@ fix: | fi /bin/mv ${include_dir}${file} ${include_dir}20-${file} done - ---- + ---- references: cce: - - CCE-91890-4 - cci: + - CCE-92902-6 + cci: - N/A 800-53r5: - AC-17(2) - IA-7 - SC-13 - SC-8(1) - 800-53r4: + 800-53r4: - AC-17(2) - IA-7 - SC-8(1) @@ -73,7 +73,7 @@ references: - SC.L2-3.13.8 - SC.L2-3.13.11 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml deleted file mode 100644 index b957d9bb..00000000 --- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -id: os_sshd_key_exchange_algorithm_configure -title: "Configure SSHD to Use Secure Key Exchange Algorithms" -discussion: | - If SSHD is enabled then it _MUST_ be configured to limit the Message Key Exchange Algorithms. This is required for compliance with the DISA STIG for macOS. - - In order to meet FIPS 140-3 compliance, please use the configuration in *os_sshd_fips_compliant* which follows the recommended guidelines from Apple in the manpage *apple_ssh_and_fips* and found on - - link:https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web[] - - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. -check: | - /usr/sbin/sshd -T | /usr/bin/grep -ci "^KexAlgorithms diffie-hellman-group-exchange-sha256" -result: - integer: 1 -fix: | - [source,bash] - ---- - include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') - - if [[ -z $include_dir ]]; then - /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config - fi - - /usr/bin/grep -qxF 'KexAlgorithms diffie-hellman-group-exchange-sha256' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "KexAlgorithms diffie-hellman-group-exchange-sha256" >> "${include_dir}01-mscp-sshd.conf" - - for file in $(ls ${include_dir}); do - if [[ "$file" == "100-macos.conf" ]]; then - continue - fi - if [[ "$file" == "01-mscp-sshd.conf" ]]; then - break - fi - /bin/mv ${include_dir}${file} ${include_dir}20-${file} - done - ---- -references: - cce: - - CCE-91891-2 - cci: - - N/A - 800-53r5: - - AC-17(2) - - IA-7 - - MA-4(6) - 800-53r4: - - IA-7 - - AC-17(2) - - MA-4(6) - srg: - - N/A - disa_stig: - - APPL-13-000056 - 800-171r2: - - N/A - cmmc: - - AC.L2-3.1.13 -macOS: - - "13.0" -tags: - - cnssi-1253_moderate - - cnssi-1253_low - - cnssi-1253_high - - cmmc_lvl2 - - stig -severity: "high" -mobileconfig: false -mobileconfig_info: \ 
No newline at end of file diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml index 69d82dff..0ae3b852 100644 --- a/rules/os/os_sshd_login_grace_time_configure.yaml +++ b/rules/os/os_sshd_login_grace_time_configure.yaml @@ -5,7 +5,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/sbin/sshd -T | /usr/bin/awk '/logingracetime/{print $2}' + /usr/sbin/sshd -G | /usr/bin/awk '/logingracetime/{print $2}' result: integer: $ODV fix: | @@ -31,7 +31,7 @@ fix: | ---- references: cce: - - CCE-91892-0 + - CCE-92904-2 cci: - CCI-001133 800-53r5: @@ -41,13 +41,13 @@ references: srg: - SRG-OS-000163-GPOS-00072 disa_stig: - - APPL-13-000053 + - N/A 800-171r2: - 3.13.9 cmmc: - SC.L2-3.13.9 macOS: - - "13.0" + - "14.0" odv: hint: "Number of seconds." recommended: 30 @@ -57,7 +57,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml index e4c5e125..6886efba 100644 --- a/rules/os/os_sshd_permit_root_login_configure.yaml +++ b/rules/os/os_sshd_permit_root_login_configure.yaml @@ -7,7 +7,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/sbin/sshd -T | /usr/bin/awk '/permitrootlogin/{print $2}' + /usr/sbin/sshd -G | /usr/bin/awk '/permitrootlogin/{print $2}' result: string: "no" fix: | @@ -33,7 +33,7 @@ fix: | ---- references: cce: - - CCE-91893-8 + - CCE-92905-9 cci: - CCI-000770 800-53r5: 
@@ -43,16 +43,15 @@ references: srg: - SRG-OS-000109-GPOS-00056 disa_stig: - - APPL-13-001100 + - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_high - 800-53r4_high - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_unused_connection_timeout_configure.yaml b/rules/os/os_sshd_unused_connection_timeout_configure.yaml new file mode 100644 index 00000000..2826b3b7 --- /dev/null +++ b/rules/os/os_sshd_unused_connection_timeout_configure.yaml 
@@ -0,0 +1,67 @@
+id: os_sshd_unused_connection_timeout_configure
+title: "Configure SSHD Unused Connection Timeout to $ODV"
+discussion: |
+ If SSHD is enabled it _MUST_ be configured with unused connectione timeout set to $ODV.
+
+ This will set the time out when there are no open channels within an session.
+
+ NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
+check: |
+ /usr/sbin/sshd -G | /usr/bin/awk '/unusedconnectiontimeout/{print $2}'
+result:
+ integer: $ODV
+fix: |
+ [source,bash]
+ ----
+ include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
+
+ if [[ -z $include_dir ]]; then
+ /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
+ fi
+
+ /usr/bin/grep -qxF 'unusedconnectiontimeout $ODV' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "unusedconnectiontimeout $ODV" >> "${include_dir}01-mscp-sshd.conf"
+
+ for file in $(ls ${include_dir}); do
+ if [[ "$file" == "100-macos.conf" ]]; then
+ continue
+ fi
+ if [[ "$file" == "01-mscp-sshd.conf" ]]; then
+ break
+ fi
+ /bin/mv ${include_dir}${file} ${include_dir}20-${file}
+ done
+ ----
+references:
+ cce:
+ - CCE-92906-7
+ cci:
+ - N/A
+ 800-53r5:
+ - SC-10
+ - AC-12
+ 800-53r4:
+ - SC-10
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - 3.13.9
+ cmmc:
+ - AC.L2-3.1.11
+ - SC.L2-3.13.9
+odv:
+ hint: "Number of seconds."
+ recommended: 900
+tags:
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
+ - cnssi-1253_moderate
+ - cnssi-1253_low
+ - cnssi-1253_high
+ - cmmc_lvl2
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml
index 68965f56..f7cb6ae5 100644
--- a/rules/os/os_store_encrypted_passwords.yaml
+++ b/rules/os/os_store_encrypted_passwords.yaml
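Review bot: The discussion of os_sshd_unused_connection_timeout_configure carries two typos that will be reproduced verbatim in every generated baseline document: "unused connectione timeout" and "within an session". Suggested wording: `If SSHD is enabled it _MUST_ be configured with UnusedConnectionTimeout set to $ODV.` and `This will set the timeout for a connection that has no open channels.` Using the sshd_config keyword spelling in the first sentence also ties the prose to the `unusedconnectiontimeout` value the check reads from `sshd -G`.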
@@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91894-6 + - CCE-92907-5 cci: - N/A 800-53r5: @@ -40,7 +40,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_sudo_timeout_configure.yaml b/rules/os/os_sudo_timeout_configure.yaml index 58657ed1..bfcc4aa8 100644 --- a/rules/os/os_sudo_timeout_configure.yaml +++ b/rules/os/os_sudo_timeout_configure.yaml @@ -14,7 +14,7 @@ fix: | ---- references: cce: - - CCE-91895-3 + - CCE-92908-3 cci: - CCI-002038 800-53r5: @@ -24,14 +24,14 @@ references: srg: - SRG-OS-000373-GPOS-00156 disa_stig: - - APPL-13-004022 + - N/A cis: benchmark: - 5.4 (level 1) controls v8: - 4.3 macOS: - - "13.0" + - "14.0" odv: hint: "Number of minutes." recommended: 0 @@ -45,6 +45,5 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - stig mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sudoers_timestamp_type_configure.yaml b/rules/os/os_sudoers_timestamp_type_configure.yaml index 7d35309d..e7d5ffa6 100644 --- a/rules/os/os_sudoers_timestamp_type_configure.yaml +++ b/rules/os/os_sudoers_timestamp_type_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91896-1 + - CCE-92909-1 cci: - N/A 800-53r5: @@ -33,11 +33,11 @@ references: controls v8: - 4.3 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - cis_lvl1 - cis_lvl2 - cisv8 diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml index 9886d234..3ccc1a35 100644 --- a/rules/os/os_system_read_only.yaml +++ b/rules/os/os_system_read_only.yaml 
@@ -6,13 +6,13 @@ discussion: | NOTE: The system volume is read only by default in macOS. check: | /usr/sbin/system_profiler SPStorageDataType | /usr/bin/awk '/Mount Point: \/$/{x=NR+2}(NR==x){print $2}' -result: +result: string: "No" fix: | - NOTE: To remount the System volume as Read Only, rebooting the computer will mount it as Read Only. + NOTE: To remount the System volume as Read Only, rebooting the computer will mount it as Read Only. references: cce: - - CCE-91898-7 + - CCE-92910-9 cci: - N/A 800-53r5: @@ -27,7 +27,7 @@ references: disa_stig: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_system_wide_applications_configure.yaml b/rules/os/os_system_wide_applications_configure.yaml index 865a6da5..e7a7d44b 100644 --- a/rules/os/os_system_wide_applications_configure.yaml +++ b/rules/os/os_system_wide_applications_configure.yaml @@ -16,7 +16,7 @@ fix: | ---- references: cce: - - CCE-91899-5 + - CCE-92911-7 cci: - N/A 800-53r5: @@ -35,7 +35,7 @@ references: controls v8: - 3.3 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_terminal_secure_keyboard_enable.yaml b/rules/os/os_terminal_secure_keyboard_enable.yaml index 952110f3..1038d88f 100644 --- a/rules/os/os_terminal_secure_keyboard_enable.yaml +++ b/rules/os/os_terminal_secure_keyboard_enable.yaml @@ -1,7 +1,7 @@ id: os_terminal_secure_keyboard_enable title: "Ensure Secure Keyboard Entry Terminal.app is Enabled" discussion: | - Secure keyboard entry _MUST_ be enabled in Terminal.app. + Secure keyboard entry _MUST_ be enabled in Terminal.app. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.Terminal')\ @@ -13,8 +13,8 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91900-1 - cci: + - CCE-92912-5 + cci: - N/A 800-53r5: - N/A @@ -32,7 +32,7 @@ references: controls v8: - 4.8 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 
diff --git a/rules/os/os_terminate_session.yaml b/rules/os/os_terminate_session.yaml index 45dc2994..fe33f62b 100644 --- a/rules/os/os_terminate_session.yaml +++ b/rules/os/os_terminate_session.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91901-9 + - CCE-92913-3 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent mobileconfig: false diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index 5d93b7aa..f5c4f433 100644 --- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml @@ -3,7 +3,7 @@ title: "Disable Trivial File Transfer Protocol Service" discussion: | If the system does not require Trivial File Transfer Protocol (TFTP), support it is non-essential and _MUST_ be disabled. - The information system _MUST_ be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. + The information system _MUST_ be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. NOTE: TFTP service is disabled at startup by default macOS. check: | @@ -18,7 +18,7 @@ fix: | The system may need to be restarted for the update to take effect. references: cce: - - CCE-91902-7 + - CCE-92914-1 cci: - CCI-000197 800-53r5: @@ -31,7 +31,7 @@ references: srg: - SRG-OS-000074-GPOS-00042 disa_stig: - - APPL-13-002038 + - N/A 800-171r2: - 3.1.1 - 3.1.2 @@ -48,7 +48,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -63,7 +63,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/os/os_time_offset_limit_configure.yaml b/rules/os/os_time_offset_limit_configure.yaml index 9279d760..ce5bd763 100644 --- a/rules/os/os_time_offset_limit_configure.yaml +++ b/rules/os/os_time_offset_limit_configure.yaml @@ -13,16 +13,16 @@ fix: | ---- references: cce: - - CCE-91903-5 - cci: - - N/A + - CCE-92915-8 + cci: + - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A @@ -32,7 +32,7 @@ references: controls v8: - 8.4 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml index 1cda91c9..2b6df84c 100644 --- a/rules/os/os_time_server_enabled.yaml +++ b/rules/os/os_time_server_enabled.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91904-3 + - CCE-92916-6 cci: - CCI-002046 - CCI-001891 @@ -28,7 +28,7 @@ references: - SRG-OS-000355-GPOS-00143 - SRG-OS-000356-GPOS-00144 disa_stig: - - APPL-13-000014 + - N/A 800-171r2: - 3.3.7 cis: @@ -39,7 +39,7 @@ references: cmmc: - AU.L2-3.3.7 macOS: - - "13.0" + - "14.0" tags: - 800-171 - 800-53r5_low @@ -52,7 +52,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml index 4b288f8a..efee84d6 100644 --- a/rules/os/os_touchid_prompt_disable.yaml +++ b/rules/os/os_touchid_prompt_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91905-0 + - CCE-92917-4 cci: - CCI-000381 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-005054 + - N/A 800-171r2: - 3.4.1 - 3.4.2 @@ -37,7 +37,7 @@ references: cmmc: - CM.L2-3.4.2 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate 
@@ -51,7 +51,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_unique_identification.yaml b/rules/os/os_unique_identification.yaml index de06a3c1..823919f0 100644 --- a/rules/os/os_unique_identification.yaml +++ b/rules/os/os_unique_identification.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91906-8 + - CCE-92918-2 cci: - N/A 800-53r5: @@ -28,7 +28,7 @@ references: cmmc: - IA.L2-3.5.5 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml index 053d02b9..26268bc7 100644 --- a/rules/os/os_unlock_active_user_session_disable.yaml +++ b/rules/os/os_unlock_active_user_session_disable.yaml @@ -1,8 +1,8 @@ id: os_unlock_active_user_session_disable title: "Disable Login to Other User's Active and Locked Sessions" discussion: | - The ability to log in to another user's active or locked session _MUST_ be disabled. - + The ability to log in to another user's active or locked session _MUST_ be disabled. + macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active andlocked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. check: | /usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c 'use-login-window-ui' @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91907-6 + - CCE-92919-0 cci: - N/A 800-53r5: @@ -40,7 +40,7 @@ references: - IA.L1-3.5.1 - IA.L1-3.5.2 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate 
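Review bot: In the os_unlock_active_user_session_disable discussion, the context line immediately after the reflowed sentence still reads `active andlocked session`; since this paragraph is being touched, it should be corrected to `another user's active and locked session`. The rest of the rule body (result, fix) lies outside this hunk.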
diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml index 4abd1cd3..0e4bc80b 100644 --- a/rules/os/os_user_app_installation_prohibit.yaml +++ b/rules/os/os_user_app_installation_prohibit.yaml @@ -1,9 +1,14 @@ id: os_user_app_installation_prohibit title: "Prohibit User Installation of Software into /Users/" discussion: | - Users _MUST_ not be allowed to install software into /Users/. - + Users _MUST_ not be allowed to install software into /Users/. + Allowing regular users to install software, without explicit privileges, presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. + + [IMPORTANT] + ==== + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. + ==== check: | /usr/bin/osascript -l JavaScript << EOS function run() { @@ -25,7 +30,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91908-4 + - CCE-92920-8 cci: - N/A 800-53r5: @@ -39,7 +44,7 @@ references: cmmc: - CM.L2-3.4.9 macOS: - - "13.0" + - "14.0" tags: - cnssi-1253_moderate - cnssi-1253_low @@ -50,5 +55,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - "/Users/" diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml index b135d65b..c1618048 100644 --- a/rules/os/os_uucp_disable.yaml +++ b/rules/os/os_uucp_disable.yaml 
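Review bot: The new IMPORTANT admonition states that the application restriction control may not work as expected, but the rule still reports compliance from the `check:` block, which (as far as the osascript fragment visible here shows; its body runs past the hunk) appears to read the managed preference rather than exercise the restriction, so a system can pass this check while users remain able to install into /Users/. The admonition should say so explicitly, e.g. `A passing check only confirms that the profile setting is present; it does not demonstrate that installation into /Users/ is actually blocked. Validate the restriction on a test system.` Without that sentence, the rule's severity of finding and the evidence it produces no longer agree.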
@@ -3,7 +3,7 @@ title: "Disable Unix-to-Unix Copy Protocol Service" discussion: | The system _MUST_ not have the Unix-to-Unix Copy Protocol (UUCP) service active. - UUCP, a set of programs that enable the sending of files between different UNIX systems as well as sending commands to be executed on another system, is not essential and _MUST_ be disabled in order to prevent the unauthorized connection of devices, transfer of information, and tunneling. + UUCP, a set of programs that enable the sending of files between different UNIX systems as well as sending commands to be executed on another system, is not essential and _MUST_ be disabled in order to prevent the unauthorized connection of devices, transfer of information, and tunneling. NOTE: UUCP service is disabled at startup by default macOS. check: | @@ -18,7 +18,7 @@ fix: | The system may need to be restarted for the update to take effect. references: cce: - - CCE-91909-2 + - CCE-92921-6 cci: - CCI-000381 800-53r5: @@ -29,7 +29,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-002006 + - N/A 800-171r2: - 3.1.1 - 3.1.2 @@ -43,7 +43,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -58,7 +58,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_verify_remote_disconnection.yaml b/rules/os/os_verify_remote_disconnection.yaml index 1834869f..771fe846 100644 --- a/rules/os/os_verify_remote_disconnection.yaml +++ b/rules/os/os_verify_remote_disconnection.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91910-0 + - CCE-92922-4 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - inherent - cnssi-1253_moderate 
diff --git a/rules/os/os_world_writable_library_folder_configure.yaml b/rules/os/os_world_writable_library_folder_configure.yaml index 0a84c0c0..136646e5 100644 --- a/rules/os/os_world_writable_library_folder_configure.yaml +++ b/rules/os/os_world_writable_library_folder_configure.yaml @@ -18,7 +18,7 @@ fix: | ---- references: cce: - - CCE-91911-8 + - CCE-92923-2 cci: - N/A 800-53r5: @@ -37,7 +37,7 @@ references: controls v8: - 3.3 macOS: - - "13.0" + - "14.0" tags: - cis_lvl2 - cisv8 diff --git a/rules/os/os_world_writable_system_folder_configure.yaml b/rules/os/os_world_writable_system_folder_configure.yaml index 6dfe4d4a..7e8eb61c 100644 --- a/rules/os/os_world_writable_system_folder_configure.yaml +++ b/rules/os/os_world_writable_system_folder_configure.yaml @@ -3,20 +3,20 @@ title: "Ensure No World Writable Files Exist in the System Folder" discussion: | Folders in /System/Volumes/Data/System _MUST_ not be world-writable. check: | - /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -v "Drop Box" | /usr/bin/wc -l | /usr/bin/xargs + /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -v "downloadDir" | /usr/bin/wc -l | /usr/bin/xargs result: integer: 0 fix: | [source,bash] ---- IFS=$'\n' - for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "Drop Box" ); do + for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "downloadDir" ); do /bin/chmod -R o-w "$sysPermissions" done ---- references: cce: - - CCE-91912-6 + - CCE-92924-0 cci: - N/A 800-53r5: @@ -35,7 +35,7 @@ references: controls v8: - 3.3 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/pwpolicy/pwpolicy_50_percent.yaml b/rules/pwpolicy/pwpolicy_50_percent.yaml index 4e5954e7..0247cb6b 100644 --- a/rules/pwpolicy/pwpolicy_50_percent.yaml +++ b/rules/pwpolicy/pwpolicy_50_percent.yaml 
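Review bot: The new exclusion `/usr/bin/grep -v "downloadDir"` in both the `check:` pipeline and the `fix:` loop is an unanchored substring match on the full `find` output, so any world-writable directory whose path contains that string anywhere is silently skipped by both the count and the `chmod -R o-w` remediation, and nothing in the rule explains why that directory is exempt. Consider matching the exact path that is expected to be world-writable (a constructed placeholder: `grep -v "<full path of the exempted directory>$"`) and adding one sentence to `discussion:` naming the exempted directory and why it is expected to be world-writable. The same pattern was previously used for "Drop Box", so directories by that name under /System/Volumes/Data/System will now be flagged and remediated; if that is intended it is worth stating in the commit description.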
@@ -1,18 +1,18 @@ id: pwpolicy_50_percent title: "Require a Minimum of Fifty Percent Character Change in New Passwords" discussion: | - The macOS should be configured to require users to change at least 50% of the characters when setting a new password. - + The macOS should be configured to require users to change at least 50% of the characters when setting a new password. + If the operating system allows users to consecutively reuse extensive portions of passwords, this increases the window of opportunity for a malicious user to guess the password. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. - - To enforce a 50% character change when new passwords are created, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. + + To enforce a 50% character change when new passwords are created, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91913-4 + - CCE-92925-7 cci: - N/A 800-53r5: @@ -33,7 +33,7 @@ references: - 3.5.9 - 3.5.10 macOS: - - "13.0" + - "14.0" tags: - 800-171 - 800-53r4_low diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml index a14ded87..71203b15 100644 --- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml 
@@ -3,16 +3,16 @@ title: "Disable Accounts after $ODV Days of Inactivity" discussion: | The macOS _MUST_ be configured to disable accounts after $ODV days of inactivity. - This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection. -check: | + This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection. +check: | /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeInactiveDays"]/following-sibling::integer[1]/text()' - result: integer: $ODV fix: | This setting may be enforced using local policy or by a directory service. - + To set local policy to disable an inactive user after $ODV days, edit the current password policy to contain the following within the "policyCategoryAuthentication": - + [source,xml] ---- @@ -28,7 +28,7 @@ fix: | ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file @@ -36,8 +36,8 @@ fix: | NOTE: See the password policy supplemental on more information on how to implement password policies on macOS. references: cce: - - CCE-91914-2 - cci: + - CCE-92926-5 + cci: - N/A 800-53r5: - AC-2(3) @@ -58,7 +58,7 @@ references: cmmc: - IA.L2-3.5.6 macOS: - - "13.0" + - "14.0" odv: hint: "Number of days." recommended: 35 diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml index cbe1032e..6dd85776 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91915-9 + - CCE-92927-3 cci: - CCI-002238 800-53r5: 
@@ -22,7 +22,7 @@ references: srg: - SRG-OS-000329-GPOS-00128 disa_stig: - - APPL-13-000022 + - N/A 800-171r2: - 3.1.8 cis: @@ -33,7 +33,7 @@ references: cmmc: - AC.L2-3.1.8 macOS: - - "13.0" + - "14.0" odv: hint: "Number of failed attempts." recommended: 3 @@ -55,7 +55,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml index 331815a6..4d9cab9b 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91916-7 + - CCE-92928-1 cci: - CCI-002238 800-53r5: @@ -22,22 +22,24 @@ references: srg: - SRG-OS-000329-GPOS-00128 disa_stig: - - APPL-13-000022 + - N/A 800-171r2: - 3.1.8 cis: benchmark: - - N/A + - 5.2.1 (level 1) controls v8: - - 4.1 + - 6.2 cmmc: - AC.L2-3.1.8 macOS: - - "13.0" + - "14.0" odv: hint: "Number of minutes." recommended: 15 stig: 15 + cis_lvl1: 15 + cis_lvl2: 15 tags: - 800-171 - 800-53r4_low @@ -47,11 +49,12 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 + - cis_lvl1 + - cis_lvl2 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml index 07c15682..c981aa0f 100644 --- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91917-5 + - CCE-92929-9 cci: - CCI-000194 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000071-GPOS-00039 disa_stig: - - APPL-13-003007 + - N/A 800-171r2: - 3.5.1 - 3.5.2 
@@ -44,7 +44,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" tags: - 800-171 - 800-53r4_low @@ -59,7 +59,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml b/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml new file mode 100644 index 00000000..e9663bcb --- /dev/null +++ b/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml 
@@ -0,0 +1,74 @@
+id: pwpolicy_custom_regex_enforce
+title: Require Passwords to Match the Defined Custom Regular Expression
+discussion: |
+ The macOS _MUST_ be configured to meet complexity requirements defined in $ODV.
+
+ This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
+
+ NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
+
+ NOTE: The configuration profile generated must be installed from an MDM server.
+check: |
+ /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''$ODV'\''")])'
+result:
+ string: 'true'
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-93011-5
+ cci:
+ - N/A
+ 800-53r5:
+ - IA-5(1)
+ 800-53r4:
+ - IA-5
+ - IA-5(1)
+ disa_stig:
+ - N/A
+ srg:
+ - SRG-OS-000070-GPOS-00038
+ - SRG-OS-000069-GPOS-00037
+ 800-171r2:
+ - 3.5.1
+ - 3.5.2
+ - 3.5.7
+ - 3.5.8
+ - 3.5.9
+ - 3.5.10
+ cis:
+ benchmark:
+ - 5.2.6 (level 2)
+ controls v8:
+ - 5.2
+ cmmc:
+ - IA.L2-3.5.7
+ - IA.L2-3.5.8
+ - IA.L2-3.5.9
+macOS:
+ - '14.0'
+odv:
+ hint: Custom regex (recommended is 1 upper and 1 lowercase)
+ recommended: .*[A-Z]{1,}[a-z]{1,}.*
+ cis_lvl2: .*[A-Z]{1,}[a-z]{1,}.*
+tags:
+ - 800-171
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - cis_lvl2
+ - cisv8
+ - cnssi-1253_moderate
+ - cnssi-1253_low
+ - cnssi-1253_high
+ - cmmc_lvl2
+mobileconfig: true
+mobileconfig_info:
+ com.apple.mobiledevice.passwordpolicy:
+ customRegex:
+ passwordContentRegex: $ODV
+ passwordContentDescription:
+ default: Password must match custom regex.
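Review bot: The `check:` pipeline in the new pwpolicy_custom_regex_enforce rule ends at `'")])'` without the trailing `-` that the sibling checks in pwpolicy_minimum_length_enforce and pwpolicy_special_character_enforce pass to xmllint so it reads the piped policy from stdin; as displayed, xmllint is given no input and the check cannot produce `true`, so the line should end `... matches '\''$ODV'\''")])' -`. Separately, the recommended and cis_lvl2 value `.*[A-Z]{1,}[a-z]{1,}.*` requires an uppercase letter immediately followed by a lowercase one (a password like `abcD1` would be rejected while `Ab1` passes), which is not what the hint "1 upper and 1 lowercase" promises; if the policy engine accepts lookahead, `(?=.*[A-Z])(?=.*[a-z]).*` expresses the hint, otherwise `.*([A-Z].*[a-z]|[a-z].*[A-Z]).*` does without it. Because $ODV is spliced unescaped into a single-quoted XPath literal, the hint should also warn that a regex containing `'` or `"` will break the check. Finally, `title:` and `- '14.0'` use unquoted/single-quoted scalars where every sibling rule uses double quotes; matching `"14.0"` keeps the generated output consistent.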
diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
index 53ef1d2b..5bee2b8b 100644
--- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
@@ -1,11 +1,11 @@ id: pwpolicy_emergency_accounts_disable title: "Automatically Remove or Disable Emergency Accounts within 72 Hours" discussion: | - The macOS is able to be configured to automatically remove or disable emergency accounts within 72 hours or less. + The macOS is able to be configured to automatically remove or disable emergency accounts within 72 hours or less. Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. - Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved. + Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved. Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon is not available). 
Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers. @@ -16,19 +16,19 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91918-3 + - CCE-92930-7 cci: - N/A 800-53r5: - AC-2(2) - 800-53r4: + 800-53r4: - AC-2(2) srg: - N/A disa_stig: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml index a3bc9672..bd59b1b9 100644 --- a/rules/pwpolicy/pwpolicy_force_password_change.yaml +++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml @@ -17,7 +17,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91919-1 + - CCE-92931-5 cci: - N/A 800-53r5: @@ -46,7 +46,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" tags: - 800-171 - 800-53r4_low diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml index 65c88dd2..c9629a0e 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml @@ -16,7 +16,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91920-9 + - CCE-92932-3 cci: - CCI-000200 800-53r5: @@ -26,7 +26,7 @@ references: srg: - SRG-OS-000077-GPOS-00045 disa_stig: - - APPL-13-003009 + - N/A 800-171r2: - 3.5.7 - 3.5.8 @@ -42,7 +42,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" odv: hint: "Number of previous passwords." recommended: 5 @@ -64,7 +64,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: 
diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
index 44cbd51f..edadfd9f 100644
--- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
@@ -2,19 +2,21 @@ id: pwpolicy_lower_case_character_enforce title: "Require Passwords Contain a Minimum of One Lowercase Character" discussion: | The macOS _MUST_ be configured to require at least one lower-case character be used when a password is created. - - This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. + + NOTE: macOS 14 supports password policy complexity with custom regex deployed with a mobileconfig file. To use a mobileconfig file use *pwpolicy_custom_regex_enforce*. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersLowerCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersLowerCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' result: string: "yes" fix: | This setting may be enforced using local policy or by a directory service. - + To set local policy to require at least $ODV lowercase letter, edit the current password policy to contain the following within the "policyCategoryPasswordContent": - + [source,xml] ---- 
@@ -30,7 +32,7 @@ fix: | ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file @@ -38,12 +40,12 @@ fix: | NOTE: See the password policy supplemental on more information on how to implement password policies on macOS. references: cce: - - CCE-91921-7 - cci: + - CCE-92933-1 + cci: - N/A 800-53r5: - IA-5(1) - 800-53r4: + 800-53r4: - IA-5 - IA-5(1) disa_stig: @@ -59,7 +61,7 @@ references: - 3.5.10 cis: benchmark: - - 5.2.6 (level 2) + - N/A controls v8: - 5.2 cmmc: @@ -67,24 +69,11 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" odv: hint: "Number of lowercase characters." recommended: 1 - cis_lvl2: 1 tags: - - 800-171 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - cis_lvl2 - - cisv8 - - cnssi-1253_moderate - - cnssi-1253_low - - cnssi-1253_high - - cmmc_lvl2 + - none mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml index 94abb915..1528fa1a 100644 --- a/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91922-5 + - CCE-92935-6 cci: - CCI-000199 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000076-GPOS-00044 disa_stig: - - APPL-13-003008 + - N/A 800-171r2: - 3.5.1 - 3.5.2 @@ -42,7 +42,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" odv: hint: "Number of days." recommended: 60 @@ -64,7 +64,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: 
diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index e3b1b0fd..a87b4254 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml @@ -7,14 +7,14 @@ discussion: | NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.{$ODV,}'\''")])' - + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.{$ODV,}'\''")])' - result: string: "true" fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91923-3 + - CCE-92936-4 cci: - CCI-000205 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000078-GPOS-00046 disa_stig: - - APPL-13-003010 + - N/A 800-171r2: - 3.5.1 - 3.5.2 @@ -43,7 +43,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" odv: hint: "Minimum password length." recommended: 15 @@ -65,7 +65,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index b40ba467..cdd60d46 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml 
@@ -6,15 +6,15 @@ discussion: | This rule discourages users from cycling through their previous passwords to get back to a preferred one. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. -check: | +check: | /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMinimumLifetimeHours"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' result: string: "yes" fix: | This setting may be enforced using local policy or by a directory service. - + To set local policy to require a minimum password lifetime, edit the current password policy to contain the following within the "policyCategoryPasswordContent": - + [source,xml] ---- @@ -30,7 +30,7 @@ fix: | ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file @@ -38,12 +38,12 @@ fix: | NOTE: See the password policy supplemental on more information on how to implement password policies on macOS. references: cce: - - CCE-91924-1 - cci: + - CCE-92937-2 + cci: - N/A - 800-53r5: + 800-53r5: - IA-5 - 800-53r4: + 800-53r4: - IA-5(1) disa_stig: - N/A @@ -63,7 +63,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" odv: hint: "Number of hours." recommended: 24 diff --git a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml index 64934275..0e847f44 100644 --- a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml +++ b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml 
@@ -1,10 +1,10 @@ id: pwpolicy_prevent_dictionary_words title: "Prevent the Use of Dictionary Words for Passwords" discussion: | - The macOS should be configured to forbid users to use dictionary words for passwords. - - If the operating system allows users to select passwords based on dictionary words, this increases the window of opportunity for a malicious user to guess the password. - + The macOS should be configured to forbid users to use dictionary words for passwords. + + If the operating system allows users to select passwords based on dictionary words, this increases the window of opportunity for a malicious user to guess the password. + To prevent users from using dictionary words for passwords, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. check: | For systems not requiring mandatory smart card authentication or those that are not bound to a directory, the technology does not support this requirement. This is an applicable-does not meet finding. @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91925-8 + - CCE-92938-0 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - permanent mobileconfig: false diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml index 71d03351..fe6247e2 100644 --- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml +++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91926-6 + - CCE-92939-8 cci: - CCI-001619 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000266-GPOS-00101 disa_stig: - - APPL-13-003011 + - N/A 800-171r2: - 3.5.1 - 3.5.2 
@@ -43,7 +43,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" tags: - 800-171 - 800-53r4_low @@ -57,7 +57,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig mobileconfig: true mobileconfig_info: com.apple.mobiledevice.passwordpolicy: diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index 4b68717e..86249892 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml @@ -4,19 +4,19 @@ discussion: | The macOS _MUST_ be configured to require at least one special character be used when a password is created. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. - + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. - + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''(.*[^a-zA-Z0-9].*){$ODV,}'\''")])' - + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''(.*[^a-zA-Z0-9].*){$ODV,}'\''")])' - result: string: "true" fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91927-4 + - CCE-92940-6 cci: - CCI-001619 800-53r5: @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000266-GPOS-00101 disa_stig: - - APPL-13-003011 + - N/A 800-171r2: - 3.5.1 - 3.5.2 
@@ -45,7 +45,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" odv: hint: "Number of special characters." recommended: 1 @@ -65,7 +65,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml index 7aa43c9c..d7fb3a2e 100644 --- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml @@ -1,7 +1,7 @@ id: pwpolicy_temporary_accounts_disable title: "Automatically Remove or Disable Temporary User Accounts within 72 Hours" discussion: | - The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary accounts upon account creation. + The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary accounts upon account creation. If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts _MUST_ be set to 72 hours (or less) when the temporary account is created. @@ -14,7 +14,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-91928-2 + - CCE-92941-4 cci: - N/A 800-53r5: @@ -26,7 +26,7 @@ references: disa_stig: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml index 8fdc5eeb..dc618b79 100644 --- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml 
@@ -56,7 +56,7 @@ fix: | /usr/bin/pwpolicy -u username setaccountpolicies /path/to/file references: cce: - - CCE-91929-0 + - CCE-92942-2 cci: - CCI-001682 - CCI-000016 @@ -68,15 +68,14 @@ references: - SRG-OS-000002-GPOS-00002 - SRG-OS-000123-GPOS-00064 disa_stig: - - APPL-13-000012 + - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - - stig - manual - cnssi-1253_moderate - cnssi-1253_high diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index d156efff..fd4e76f0 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml 
@@ -3,18 +3,20 @@ title: "Require Passwords Contain a Minimum of One Uppercase Character" discussion: | The macOS _MUST_ be configured to require at least one uppercase character be used when a password is created. - This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. - + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. + + NOTE: macOS 14 supports password policy complexity with custom regex deployed with a mobileconfig file. To use a mobileconfig file use *pwpolicy_custom_regex_enforce*. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersUpperCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersUpperCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' result: string: "yes" fix: | This setting may be enforced using local policy or by a directory service. - + To set local policy to require at least $ODV lowercase letter, edit the current password policy to contain the following within the "policyCategoryPasswordContent": - + [source,xml] ---- 
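Review bot: The fix text still says `To set local policy to require at least $ODV lowercase letter` in a rule whose check reads `minimumAlphaCharactersUpperCase`, so the text, not the command, is wrong; since the surrounding lines are being rewritten, change it to `To set local policy to require at least $ODV uppercase letter`. The new NOTE pointing to *pwpolicy_custom_regex_enforce* is useful, but it should also say whether this rule is still meant to be applied on macOS 14 or is superseded by the regex rule, because the later hunk in this file drops every baseline tag from it.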
@@ -30,7 +32,7 @@ fix: | ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file @@ -38,12 +40,12 @@ fix: | NOTE: See the password policy supplemental on more information on how to implement password policies on macOS. references: cce: - - CCE-91930-8 - cci: + - CCE-92943-0 + cci: - N/A 800-53r5: - IA-5(1) - 800-53r4: + 800-53r4: - IA-5 - IA-5(1) disa_stig: @@ -59,7 +61,7 @@ references: - 3.5.10 cis: benchmark: - - 5.2.6 (level 2) + - N/A controls v8: - 5.2 cmmc: @@ -67,25 +69,11 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" odv: hint: "Number of special characters." recommended: 1 - cis_lvl1: 1 - cis_lvl2: 1 tags: - - 800-171 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - cis_lvl2 - - cisv8 - - cnssi-1253_moderate - - cnssi-1253_low - - cnssi-1253_high - - cmmc_lvl2 + - none mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index 52ffd548..c23cd064 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml @@ -2,7 +2,7 @@ id: supplemental_cis_manual title: "CIS Manual Recommendations" discussion: | List of CIS recommendations that are manual check in the CIS macOS Benchmark. - + [cols="15%h, 85%a"] |=== |Section 
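Review bot: The `odv` hint still reads `Number of special characters.` although the value is compared against `minimumAlphaCharactersUpperCase` by the check; it should read `Number of uppercase characters.`. With `tags:` reduced to `- none` and the CIS benchmark set to `N/A`, the rule now belongs to no baseline, so a sentence in `discussion:` stating why it is retained (for example as a pwpolicy-only option for organizations that do not use the regex rule) would spare the next maintainer from treating it as dead.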
@@ -10,16 +10,21 @@ discussion: | |Recommendations |2.1.1.1 Audit iCloud Keychain + - 2.1.1.2 Audit iCloud Drive + + 2.1.1.2 Audit iCloud Drive + + 2.1.1.4 Audit Security Keys Used With AppleIDs + 2.1.2 Audit App Store Password Settings + 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information + 2.5.1 Audit Siri Settings + 2.6.1.3 Audit Location Services Access + - 2.6.6 Audit Lockdown Mode + + 2.6.2.1 Audit Full Disk Access for Applications + + 2.6.7 Audit Lockdown Mode + 2.8.1 Audit Universal Control Settings + - 2.11.2 Audit Touch ID and Wallet & Apple Pay Settings + + 2.11.2 Audit Touch ID + 2.13.1 Audit Passwords System Preference Setting + - 2.14.1 Audit Notification & Focus Settings + + 2.14.1 Audit Game Center Settings + + 2.15.1 Audit Notification & Focus Settings + + 2.16.1 Audit Wallet & Apple Pay Settings + + 2.17.1 Audit Internet Accounts for Authorized Use + |=== [cols="15%h, 85%a"] @@ -43,7 +48,6 @@ discussion: | 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured + 5.3.1 Ensure All User Storage APFS Volumes are Encrypted + 5.3.2 Ensure All User Storage CoreStorage Volumes are Encrypted + - 5.5 Ensure Login Keychain is Locked when the Computer Sleeps + |=== [cols="15%h, 85%a"] @@ -54,23 +58,23 @@ discussion: | |6.2.1 Ensure Protect Mail Activity in Mail Is Enabled + 6.3.2 Audit History and Remove History Items + 6.3.5 Audit Hide IP Address in Safari Setting + - 6.3.7 Audit History and Remove History Items + + 6.3.8 Audit Autofill + |=== check: | fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A disa_stig: - N/A macOS: - - "13.0" + - "14.0" tags: - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_controls.yaml b/rules/supplemental/supplemental_controls.yaml index 6fc2bbff..d443bdf2 100644 --- a/rules/supplemental/supplemental_controls.yaml 
+++ b/rules/supplemental/supplemental_controls.yaml 
@@ -1,20 +1,20 @@ id: supplemental_controls title: "Out of Scope Supplemental" discussion: | - There are several requirements defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 that can be met by making configuration changes to the operating system. However, NIST SP 800-53 (Rev. 5) contains a broad set of guidelines that attempt to address all aspects of an information system or systems within an organization. Because the macOS Security Compliance Project is tailored specifically to macOS, some requirements defined in NIST SP 800-53 (Rev. 5) are not applicable. + There are several requirements defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 that can be met by making configuration changes to the operating system. However, NIST SP 800-53 (Rev. 5) contains a broad set of guidelines that attempt to address all aspects of an information system or systems within an organization. Because the macOS Security Compliance Project is tailored specifically to macOS, some requirements defined in NIST SP 800-53 (Rev. 5) are not applicable. + + This supplemental contains those controls that are assigned to a baseline in NIST SP 800-53 (Rev. 5) which cannot be addressed with a technical configuration for macOS. These controls can be accomplished though administrative or procedural processes within an organization or via integration of the macOS system into enterprise information systems which are configured to protect the systems within. - This supplemental contains those controls that are assigned to a baseline in NIST SP 800-53 (Rev. 5) which cannot be addressed with a technical configuration for macOS. 
These controls can be accomplished though administrative or procedural processes within an organization or via integration of the macOS system into enterprise information systems which are configured to protect the systems within. - [cols="15%h, 85%a"] |=== |Family |Access Control (AC) - |Controls + |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-1[AC-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-2[AC-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-3[AC-3(14)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-14[AC-14], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-17[AC-17(4)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-22[AC-22] - |=== + |=== [cols="15%h, 85%a"] |=== @@ -34,7 +34,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-1[AU-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-6[AU-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-9[AU-9(2)] - |=== + |=== [cols="15%h, 85%a"] |=== 
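Review bot: The re-added paragraph carries a typo: `These controls can be accomplished though administrative or procedural processes` should read `accomplished through administrative or procedural processes`. The same wording was in the removed line, but since the commit rewrites that line anyway this is the moment to correct it.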
@@ -44,7 +44,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-1[CA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-2[CA-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-3[CA-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-3[CA-3(6)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-5[CA-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-6[CA-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-7[CA-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-7[CA-7(4)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-9[CA-9] - |=== + |=== [cols="15%h, 85%a"] |=== @@ -54,7 +54,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-1[CM-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-4[CM-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-8[CM-8], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-10[CM-10], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-11[CM-11] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -64,7 +64,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-1[CP-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-2[CP-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-3[CP-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-4[CP-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-9[CP-9], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-10[CP-10] - |=== + |=== [cols="15%h, 85%a"] |=== @@ -74,7 +74,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-1[IA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(1)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(2)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(3)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(4)] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -84,7 +84,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-1[IR-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-2[IR-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-4[IR-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-5[IR-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-6[IR-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-7[IR-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-8[IR-8] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -114,7 +114,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-1[PE-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-2[PE-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-3[PE-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-6[PE-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-8[PE-8], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-12[PE-12], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-13[PE-13], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-14[PE-14], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-15[PE-15], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-16[PE-16] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -135,7 +135,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-1[PS-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-2[PS-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-3[PS-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-4[PS-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-5[PS-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-6[PS-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-7[PS-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-8[PS-8] - |=== + |=== [cols="15%h, 85%a"] |=== @@ -181,9 +181,9 @@ fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A @@ -192,7 +192,7 @@ references: cmmc: - N/A macOS: - - "13.0" + - "14.0" tags: - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml index 7ed5b438..e02955bf 100644 --- a/rules/supplemental/supplemental_filevault.yaml +++ b/rules/supplemental/supplemental_filevault.yaml 
@@ -4,7 +4,7 @@ discussion: | The supplemental guidance found in this section is applicable for the following rules: * system_settings_filevault_enforce - In macOS 11 the internal Apple File System (APFS) data volume can be protected by FileVault. The system volume is always cryptographically protected (T2 and Apple Silicon) and is a read-only volume. + In macOS the internal Apple File System (APFS) data volume can be protected by FileVault. The system volume is always cryptographically protected (T2 and Apple Silicon) and is a read-only volume. NOTE: FileVault uses an AES-XTS data encryption algorithm to protect full volumes of internal and external storage. Macs with a secure enclave (T2 and Apple Silicon) utilize the hardware security features of the architecture. @@ -58,7 +58,7 @@ references: cci: - N/A 800-53r5: - - N/A + - N/A 800-53r4: - N/A srg: @@ -68,7 +68,7 @@ references: cmmc: - N/A macOS: - - "13.0" + - "14.0" tags: - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_firewall_pf.yaml b/rules/supplemental/supplemental_firewall_pf.yaml index 0374f340..3bb5376b 100644 --- a/rules/supplemental/supplemental_firewall_pf.yaml +++ b/rules/supplemental/supplemental_firewall_pf.yaml 
@@ -2,17 +2,17 @@ id: supplemental_firewall_pf title: "Packet Filter (pf) Supplemental" discussion: | The supplemental guidance found in this section is applicable for the following rules: - + * os_firewall_default_deny_require macOS contains an application layer firewall (ALF) and a packet filter (PF) firewall. - + * The ALF can block incoming traffic on a per-application basis and prevent applications from gaining control of network ports, but it cannot be configured to block outgoing traffic. - ** More information on the ALF can be found here: https://support.apple.com/en-ca/HT201642 - - * The PF firewall can manipulate virtually any packet data and is highly configurable. + ** More information on the ALF can be found here: https://support.apple.com/en-ca/HT201642 + + * The PF firewall can manipulate virtually any packet data and is highly configurable. ** More information on the BF firewall can be found here: https://www.openbsd.org/faq/pf/index.html - + Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 5). The script will make sure the application layer firewall is enabled, set logging to "detailed", set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy `com.apple.pfctl.plis` from `/System/Library/LaunchDaemons/` into the `/Library/LaunchDaemons` folder and name it `800-53.pfctl.plist`. This is done to not conflict with the system's pf ruleset. The custom pf rules are created at `/etc/pf.anchors/800_53_pf_anchors`. @@ -106,9 +106,9 @@ fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A @@ -117,7 +117,7 @@ references: cmmc: - N/A macOS: - - "13.0" + - "14.0" tags: - supplemental mobileconfig: false 
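Review bot: Two typos sit in the context lines right next to the rewritten ones and should be fixed while this discussion is being edited: `More information on the BF firewall` should read `PF firewall`, and the LaunchDaemon name `com.apple.pfctl.plis` is missing its final `t` (`com.apple.pfctl.plist`, which the same sentence later renames to `800-53.pfctl.plist`). The second one matters more, because an administrator following the discussion literally would look for a file that does not exist.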
diff --git a/rules/supplemental/supplemental_password_policy.yaml b/rules/supplemental/supplemental_password_policy.yaml index ab9a7f52..f744cabe 100644 --- a/rules/supplemental/supplemental_password_policy.yaml +++ b/rules/supplemental/supplemental_password_policy.yaml @@ -9,21 +9,21 @@ discussion: | * pwpolicy_minimum_lifetime_enforce Password policies should be enforced as much as possible via Configuration Profiles. However, the following policies are currently not enforceable via Configuration Profiles, and must therefore be enabled using the `pwpolicy` command: - + * Enforcing at least 1 lowercase character * Enforcing at least 1 uppercase character * Disabling an account after 35 days of inactivity * Password minimum lifetime To set the local policy to meet these requirements, save the following XML password policy to a file. - + [source,xml] ---- include::../../includes/pwpolicy.xml[] ---- Run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file @@ -38,9 +38,9 @@ fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A @@ -49,7 +49,7 @@ references: cmmc: - N/A macOS: - - "13.0" + - "14.0" tags: - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_smartcard.yaml b/rules/supplemental/supplemental_smartcard.yaml index 709d33d2..c70a1950 100644 --- a/rules/supplemental/supplemental_smartcard.yaml +++ b/rules/supplemental/supplemental_smartcard.yaml @@ -302,7 +302,7 @@ references: cmmc: - N/A macOS: - - "13.0" + - "14.0" tags: - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_stig.yaml b/rules/supplemental/supplemental_stig.yaml deleted file mode 100644 index 273b729b..00000000 --- a/rules/supplemental/supplemental_stig.yaml +++ /dev/null 
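Review bot: The list in this supplemental still states that enforcing at least one lowercase and one uppercase character is `currently not enforceable via Configuration Profiles` and must be set with `pwpolicy`, while the NOTE added to pwpolicy_upper_case_character_enforce.yaml in this same commit says macOS 14 supports complexity rules via a mobileconfig (pwpolicy_custom_regex_enforce). One of the two statements is now out of date; either qualify the list here with the macOS 14 option or drop the two character-class bullets. The `include::../../includes/pwpolicy.xml[]` that ships the XML presumably encodes the same two requirements and should be reviewed together with this text.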
@@ -1,78 +0,0 @@ - -id: supplemental_stig -title: "DISA STIG Supplemental" -discussion: | - This supplemental contains DISA STIG controls that may not produce intended results when applied. Where discrepancies exist between the DISA STIG and macOS Security Compliance Project guidelines, the appropriate recommendations are outlined below. - - [cols="20%h, 80%a"] - |=== - |STIG ID - |Notes - - |APPL-13-000011| DISA STIG requires SSHD must be disabled due to the implementation of OpenSSH that is included with macOS does not use a FIPS 140-2 validated cryptographic module. - - Apple has provided methods to configure SSHD for FIPS compliance, the man page `apple_ssh_and_fips` and https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web[macOS security certifications] both provide information on configuring SSHD for FIPS compliance. + - |APPL-13-000054| DISA STIG requires the following setting within SSHD for FIPS compliance `ciphers aes256-ctr,aes192-ctr,aes128-ctr`. - - In order to configure SSHD to meet FIPS compliance, the man page from Apple `apple_ssh_and_fips` recommends using the setting `ciphers \aes128-gcm@openssh.com`. + - |APPL-13-000055| DISA STIG requires the following setting within SSHD for FIPS compliance `macs hmac-sha2-512,hmac-sha2-256`. - - In order to configure SSHD to meet FIPS compliance, the man page from Apple `apple_ssh_and_fips` recommends using the setting `macs hmac-sha2-nistp256` + - |APPL-13-000056| DISA STIG requires the following setting within SSHD for FIPS compliance `kexalgorithms diffie-hellman-group-exchange-sha256`. - - In order to configure SSHD to meet FIPS compliance, the man page from Apple `apple_ssh_and_fips` recommends using the setting `kexalgorithms ecdh-sha2-nistp256`. + - |APPL-13-000014| DISA STIG's expected results are `Network Time:On`. - - The output from the command `systemsetup -getusingnetworktime` is `Network Time: On`. 
+ - |APPL-13-002063| DISA STIG recommends setting the configuration profile key DisableGuestAccount to true. - - In order to disable the Guest account, you must set DisableGuestAccount to true and EnableGuestAccount to false, https://github.com/apple/device-management/blob/5a8fb0deb23799aa77ff15f284c9b31208d39ad1/mdm/profiles/com.apple.MCX(Accounts).yaml#L16C1-L32[com.Apple.MCX documentation] + - |APPL-13-002069| DISA STIG states the macOS system must authenticate peripherals before establishing a connection. - - The check and fix for this are not related to peripherals. In order to potentially meet the requirement of the SRG, administrators may want to investigate into usage of USB Restricted mode on macOS. + - |APPL-13-002070| DISA STIG recommends the check `/bin/launchctl list \| /usr/bin/grep -cE "(com.apple.XprotectFramework.PluginService\|com.apple.Xprotect.daemon.scan)"` and `/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist \| /usr/bin/grep "ConfigDataInstall"` - - The regex provided to search for com.apple.XprotectFramework.PluginService and com.apple.Xprotect.daemon.scan is incorrect, the search should be `com.apple.XprotectFramework.PluginService$\|com.apple.XProtect.daemon.scan$`. The result will then be 2. - - The recommended method in the DISA STIG to enforce that the key `ConfigDataInstall` is set properly is to do it with a configuration profile, the DISA provided check will fail. - - These rules are handled within the project `os_anti_virus_installed` and `os_config_data_install_enforce`. + - |APPL-13-000051 - APPL-13-000052| This setting is not intended to manage idle user sessions where there is no input from the client. 
Its purpose is to monitor for interruptions in network connectivity and force the session to terminate after the connection appears to be broken.+ - |APPL-13-002031 - APPL-13-002051 - APPL-13-002032 - APPL-13-002053 - APPL-13-002062| DISA STIG requires `com.apple.preferences.AppleIDPrefPane`, `com.apple.preferences.internetaccounts`, `com.apple.preference.speech`,`com.apple.preferences.Bluetooth`, `com.apple.preferences.password`, `com.apple.preferences.wallet` to be set within the key `DisabledPreferencePanes`. - - Apple has deprecated the `com.apple.systempreferences` preference domain, however in macOS Ventura it is recommended to use the key `DisabledSystemSettings` with the values `com.apple.systempreferences.AppleIDSettings`, `com.apple.Internet-Accounts-Settings.extension`, `com.apple.Siri-Settings.extension`, `com.apple.BluetoothSettings`, `com.apple.Touch-ID-Settings.extension`, `com.apple.WalletSettingsExtension`. + - |APPL-13-000004| DISA STIG requires the screen saver after 15 minutes of inactivity. - - The keys required are `loginWindowIdleTime` and `IdleTime` in the `com.apple.screensaver` prefernece domain. + - |APPL-13-002020| DISA STIG requires that siri and dictation must be disabled. The DISA STIG requires the keys `Assistant Allowed` and `Ironwood Allowed`. - - The key `Assistant Allowed` does not exist in the preference domain `com.apple.ironwood.support`. + - |APPL-13-002052| DISA STIG requires hiding the Wallet and Apple Pay System Setting Pane. - - In macOS Ventura, hiding preference panes is not possible. + - |=== -check: | -fix: | -references: - cci: - - N/A - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - N/A - disa_stig: - - N/A -macOS: - - "13.0" -tags: - - stig - - supplemental -mobileconfig: false -mobileconfig_info: \ No newline at end of file diff --git a/rules/system_settings/system_settings_airplay_receiver_disable.yaml b/rules/system_settings/system_settings_airplay_receiver_disable.yaml index 75f328f7..a6457539 100644 
--- a/rules/system_settings/system_settings_airplay_receiver_disable.yaml +++ b/rules/system_settings/system_settings_airplay_receiver_disable.yaml @@ -1,8 +1,8 @@ id: system_settings_airplay_receiver_disable title: "Disable Airplay Receiver" discussion: | - Airplay Receiver allows you to send content from another Apple device to be displayed on the screen as it's being played from your other device. - + Airplay Receiver allows you to send content from another Apple device to be displayed on the screen as it's being played from your other device. + Support for Airplay Receiver is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. @@ -17,13 +17,13 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91932-4 - cci: + - CCE-92944-8 + cci: - N/A 800-53r5: - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - N/A srg: - N/A @@ -41,7 +41,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml index 45431c7c..609cf4e0 100644 --- a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml +++ b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91933-2 + - CCE-92945-5 cci: - CCI-000056 800-53r5: 
@@ -25,24 +25,23 @@ references: srg: - SRG-OS-000028-GPOS-00009 disa_stig: - - APPL-13-000001 + - N/A 800-171r2: - 3.1.10 cmmc: - AC.L2-3.1.10 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_assistant_disable.yaml b/rules/system_settings/system_settings_assistant_disable.yaml index 06c204c0..e2bfc8c9 100644 --- a/rules/system_settings/system_settings_assistant_disable.yaml +++ b/rules/system_settings/system_settings_assistant_disable.yaml @@ -17,7 +17,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-92008-2 + - CCE-92946-3 cci: - CCI-000381 - CCI-001774 @@ -29,7 +29,7 @@ references: - SRG-OS-000095-GPOS-00049 - SRG-OS-000370-GPOS-00155 disa_stig: - - APPL-13-002020 + - N/A 800-171r2: - N/A cis: @@ -38,9 +38,9 @@ references: controls v8: - N/A macOS: - - "13.0" + - "14.0" tags: - - stig + - none severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_automatic_login_disable.yaml b/rules/system_settings/system_settings_automatic_login_disable.yaml index bfe23adf..de2c76f2 100644 --- a/rules/system_settings/system_settings_automatic_login_disable.yaml +++ b/rules/system_settings/system_settings_automatic_login_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91934-0 + - CCE-92947-1 cci: - CCI-000366 800-53r5: @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000480-GPOS-00229 disa_stig: - - APPL-13-002066 + - N/A 800-171r2: - 3.5.1 - 3.5.2 @@ -40,7 +40,7 @@ references: - IA.L1-3.5.1 - IA.L1-3.5.2 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate 
@@ -57,7 +57,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_automatic_logout_enforce.yaml b/rules/system_settings/system_settings_automatic_logout_enforce.yaml index b794bb42..6321951c 100644 --- a/rules/system_settings/system_settings_automatic_logout_enforce.yaml +++ b/rules/system_settings/system_settings_automatic_logout_enforce.yaml @@ -1,7 +1,7 @@ id: system_settings_automatic_logout_enforce title: "Enforce Auto Logout After $ODV Seconds of Inactivity" discussion: | - Auto logout _MUST_ be configured to automatically terminate a user session and log out the after $ODV seconds of inactivity. + Auto logout _MUST_ be configured to automatically terminate a user session and log out the after $ODV seconds of inactivity. NOTE:The maximum that macOS can be configured for autologoff is $ODV seconds. @@ -20,7 +20,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91935-7 + - CCE-92948-9 cci: - N/A 800-53r5: @@ -38,7 +38,7 @@ references: - AC.L2-3.1.10 - AC.L2-3.1.11 macOS: - - "13.0" + - "14.0" odv: hint: "Number of seconds" recommended: 86400 @@ -56,5 +56,5 @@ mobileconfig: true mobileconfig_info: .GlobalPreferences: com.apple.autologout.AutoLogOutDelay: $ODV - + diff --git a/rules/system_settings/system_settings_bluetooth_disable.yaml b/rules/system_settings/system_settings_bluetooth_disable.yaml index 52e3afd4..872606fa 100644 --- a/rules/system_settings/system_settings_bluetooth_disable.yaml +++ b/rules/system_settings/system_settings_bluetooth_disable.yaml @@ -18,7 +18,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91936-5 + - CCE-92949-7 cci: - CCI-001967 - CCI-002418 @@ -33,7 +33,7 @@ references: - SRG-OS-000379-GPOS-00164 - SRG-OS-000481-GPOS-00481 disa_stig: - - APPL-13-002062 + - N/A 800-171r2: - 3.13.8 cis: 
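Review bot: The rewritten discussion line in system_settings_automatic_logout_enforce reads `log out the after $ODV seconds of inactivity`, which is missing a word; `log out the user after $ODV seconds of inactivity` is presumably intended. The following context line `NOTE:The maximum that macOS can be configured for autologoff is $ODV seconds.` lacks a space after `NOTE:`, and because `$ODV` is substituted with the organization-chosen value the sentence ends up stating that the maximum is whatever was chosen; if a platform limit was meant, it should give that fixed number, otherwise the NOTE should be dropped.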
@@ -46,7 +46,7 @@ references: cmmc: - AC.L2-3.1.16 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r4_moderate @@ -59,7 +59,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml index fcd3120a..d2766fa0 100644 --- a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml +++ b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml @@ -13,16 +13,16 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91937-3 - cci: + - CCE-92950-5 + cci: - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A @@ -31,9 +31,9 @@ references: - 2.4.2 (level 1) controls v8: - 4.8 - - 13.9 + - 13.9 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml b/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml deleted file mode 100644 index 8416e3ad..00000000 --- a/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -id: system_settings_bluetooth_prefpane_disable -title: "Disable the Bluetooth System Preference Pane" -discussion: | - This is required for compliance with the DISA STIG for macOS. - - The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. - - link:https://developer.apple.com/documentation/devicemanagement/systempreferences[] -check: | - /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.preferences.Bluetooth -result: - integer: 1 -fix: | - This is implemented by a Configuration Profile. -references: - cce: - - CCE-92012-4 - cci: - - CCI-002418 - - CCI-001967 - 800-53r5: - - N/A - 800-53r4: - - SC-8 - srg: - - SRG-OS-000379-GPOS-00164 - - SRG-OS-000481-GPOS-00481 - disa_stig: - - APPL-13-002062 - 800-171r2: - - N/A -macOS: - - "12.0" -tags: - - stig -severity: "low" -mobileconfig: true -mobileconfig_info: - com.apple.systempreferences: - DisabledPreferencePanes: - - com.apple.preferences.Bluetooth \ No newline at end of file diff --git a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml index 703d353f..4b393f53 100644 --- a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml +++ b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml 
@@ -1,11 +1,11 @@ id: system_settings_bluetooth_sharing_disable title: "Disable Bluetooth Sharing" discussion: | - Bluetooth Sharing _MUST_ be disabled. + Bluetooth Sharing _MUST_ be disabled. - Bluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, including personally owned cellphones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files via Bluetooth Sharing. When Bluetooth Sharing is disabled, this risk is mitigated. - - [NOTE] + Bluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, including personally owned cellphones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files via Bluetooth Sharing. When Bluetooth Sharing is disabled, this risk is mitigated. + + [NOTE] ==== The check and fix are for the currently logged in user. To get the currently logged in user, run the following. [source,bash] @@ -24,15 +24,15 @@ fix: | ---- references: cce: - - CCE-91940-7 - cci: + - CCE-92952-1 + cci: - N/A 800-53r5: - AC-3 - AC-18(4) - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - AC-3 - AC-18(4) - CM-7 @@ -57,7 +57,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml b/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml index 1224db4c..9c85376e 100644 --- a/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml +++ b/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml @@ -1,7 +1,7 @@ id: system_settings_cd_dvd_sharing_disable title: "Disable CD/DVD Sharing" discussion: | - CD/DVD Sharing _MUST_ be disabled. + CD/DVD Sharing _MUST_ be disabled. check: | /usr/bin/pgrep -q ODSAgent; /bin/echo $? result: 
@@ -13,23 +13,23 @@ fix: | ---- references: cce: - - CCE-91942-3 - cci: + - CCE-92953-9 + cci: - N/A 800-53r5: - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.3.3.1 (level 1) controls v8: - 4.1 @@ -38,7 +38,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_content_caching_disable.yaml b/rules/system_settings/system_settings_content_caching_disable.yaml index 85ae4f91..4b0c670d 100644 --- a/rules/system_settings/system_settings_content_caching_disable.yaml +++ b/rules/system_settings/system_settings_content_caching_disable.yaml @@ -1,9 +1,9 @@ id: system_settings_content_caching_disable title: "Disable Content Caching Service" discussion: | - Content caching _MUST_ be disabled. + Content caching _MUST_ be disabled. - Content caching is a macOS service that helps reduce Internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server. + Content caching is a macOS service that helps reduce Internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -15,8 +15,8 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91943-1 - cci: + - CCE-92954-7 + cci: - N/A 800-53r5: - CM-7 @@ -39,7 +39,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_critical_update_install_enforce.yaml b/rules/system_settings/system_settings_critical_update_install_enforce.yaml index fef8649d..31cc1d0d 100644 
--- a/rules/system_settings/system_settings_critical_update_install_enforce.yaml +++ b/rules/system_settings/system_settings_critical_update_install_enforce.yaml @@ -1,7 +1,7 @@ id: system_settings_critical_update_install_enforce title: "Enforce Critical Security Updates to be Installed" discussion: | - Ensure that security updates are installed as soon as they are available from Apple. + Ensure that security updates are installed as soon as they are available from Apple. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ @@ -13,12 +13,12 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91944-9 - cci: + - CCE-92955-4 + cci: - N/A 800-53r5: - SI-2 - 800-53r4: + 800-53r4: - N/A srg: - N/A @@ -37,7 +37,7 @@ references: - SI.L1-3.14.1 - SI.L1-3.14.4 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml index ee2da1be..13851c97 100644 --- a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml +++ b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml @@ -2,7 +2,7 @@ id: system_settings_diagnostics_reports_disable title: "Disable Sending Diagnostic and Usage Data to Apple" discussion: | The ability to submit diagnostic data to Apple _MUST_ be disabled. - + The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple. check: | /usr/bin/osascript -l JavaScript << EOS @@ -24,7 +24,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91945-6 + - CCE-92956-2 cci: - CCI-000382 800-53r5: 
@@ -37,19 +37,19 @@ references: srg: - SRG-OS-000096-GPOS-00050 disa_stig: - - APPL-13-002021 + - N/A 800-171r2: - 3.1.20 cis: benchmark: - - 2.6.2 (level 2) + - 2.6.3 (level 2) controls v8: - 4.1 - 4.8 cmmc: - AC.L1-3.1.20 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r4_low @@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_filevault_enforce.yaml b/rules/system_settings/system_settings_filevault_enforce.yaml index df1c8ad4..a416b27c 100644 --- a/rules/system_settings/system_settings_filevault_enforce.yaml +++ b/rules/system_settings/system_settings_filevault_enforce.yaml @@ -22,7 +22,7 @@ fix: | NOTE: See the FileVault supplemental to implement this rule. references: cce: - - CCE-91946-4 + - CCE-92957-0 cci: - CCI-001199 - CCI-002475 @@ -38,19 +38,19 @@ references: - SRG-OS-000404-GPOS-00183 - SRG-OS-000405-GPOS-00184 disa_stig: - - APPL-13-005020 + - N/A 800-171r2: - 3.13.16 cis: benchmark: - - 2.6.5 (level 1) + - 2.6.6 (level 1) controls v8: - 3.6 - 3.11 cmmc: - SC.L2-3.13.16 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high @@ -64,7 +64,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_find_my_disable.yaml b/rules/system_settings/system_settings_find_my_disable.yaml index f6cf8cee..ec4606e9 100644 --- a/rules/system_settings/system_settings_find_my_disable.yaml +++ b/rules/system_settings/system_settings_find_my_disable.yaml 
@@ -4,7 +4,7 @@ discussion: | The Find My service _MUST_ be disabled. A Mobile Device Management (MDM) solution _MUST_ be used to carry out remote locking and wiping instead of Apple's Find My service. - + Apple's Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe. check: | /usr/bin/osascript -l JavaScript << EOS @@ -28,14 +28,14 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91947-2 - cci: + - CCE-92958-8 + cci: - N/A 800-53r5: - AC-20 - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) - AC-20 @@ -58,7 +58,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -80,4 +80,4 @@ mobileconfig_info: allowFindMyFriends: false com.apple.icloud.managed: DisableFMMiCloudSetting: true - + diff --git a/rules/system_settings/system_settings_firewall_enable.yaml b/rules/system_settings/system_settings_firewall_enable.yaml index 506cf4ea..5258da07 100644 --- a/rules/system_settings/system_settings_firewall_enable.yaml +++ b/rules/system_settings/system_settings_firewall_enable.yaml @@ -1,7 +1,7 @@ id: system_settings_firewall_enable title: "Enable macOS Application Firewall" discussion: | - The macOS Application Firewall is the built-in firewall that comes with macOS, and it _MUST_ be enabled. + The macOS Application Firewall is the built-in firewall that comes with macOS, and it _MUST_ be enabled. When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations. check: | @@ -27,8 +27,8 @@ fix: | ---- references: cce: - - CCE-91948-0 - cci: + - CCE-92959-6 + cci: - CCI-000366 800-53r5: - AC-4 @@ -36,7 +36,7 @@ references: - CM-7 - CM-7(1) - SC-7 - 800-53r4: + 800-53r4: - AC-4 - AC-6(1) - AC-19 
@@ -47,7 +47,7 @@ references: srg: - SRG-OS-000480-GPOS-00232 disa_stig: - - APPL-13-005050 + - N/A 800-171r2: - 3.1.3 - 3.1.5 @@ -57,9 +57,9 @@ references: - 3.13.2 - 3.13.5 cis: - benchmark: + benchmark: - 2.2.1 (level 1) - controls v8: + controls v8: - 4.1 - 4.5 - 13.1 @@ -69,15 +69,15 @@ references: - CM.L2-3.4.7 - SC.L1-3.13.1 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_low - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_moderate - - 800-53r5_high - - 800-171 + - 800-53r5_low + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_moderate + - 800-53r5_high + - 800-171 - cis_lvl1 - cis_lvl2 - cisv8 @@ -86,7 +86,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml index a0800a09..49edf5cc 100644 --- a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml +++ b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml @@ -32,7 +32,7 @@ fix: | ---- references: cce: - - CCE-91949-8 + - CCE-92960-4 cci: - CCI-000366 800-53r5: @@ -48,7 +48,7 @@ references: srg: - SRG-OS-000480-GPOS-00232 disa_stig: - - APPL-13-005050 + - N/A 800-171r2: - 3.4.6 - 3.13.1 @@ -66,7 +66,7 @@ references: - CM.L2-3.4.7 - SC.L1-3.13.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -83,7 +83,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml index c21ca710..92e4916a 100644 --- a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml 
+++ b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml @@ -2,7 +2,7 @@ id: system_settings_gatekeeper_identified_developers_allowed title: "Apply Gatekeeper Settings to Block Applications from Unidentified Developers" discussion: | The information system implements cryptographic mechanisms to authenticate software prior to installation. - + Gatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate in order to run. Digital signatures allow the macOS to verify that the application has not been modified by a malicious third party. check: | /usr/sbin/spctl --status --verbose | /usr/bin/grep -c "developer id enabled" @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91950-6 + - CCE-92961-2 cci: - CCI-000366 800-53r5: @@ -30,25 +30,24 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-002060 + - N/A 800-171r2: - 3.4.5 cmmc: - CM.L2-3.4.5 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml index 09b3b989..bd4285c8 100644 --- a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml +++ b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml 
@@ -1,9 +1,9 @@ id: system_settings_gatekeeper_override_disallow title: "Configure Gatekeeper to Disallow End User Override" discussion: | - Gatekeeper _MUST_ be configured with a configuration profile to prevent normal users from overriding its settings. + Gatekeeper _MUST_ be configured with a configuration profile to prevent normal users from overriding its settings. - If users are allowed to disable Gatekeeper or set it to a less restrictive setting, malware could be introduced into the system. + If users are allowed to disable Gatekeeper or set it to a less restrictive setting, malware could be introduced into the system. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.managed')\ @@ -15,13 +15,13 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91951-4 - cci: + - CCE-92962-0 + cci: - N/A 800-53r5: - CM-5 - SI-7(15) - 800-53r4: + 800-53r4: - CM-5 - SI-7(15) srg: @@ -33,14 +33,14 @@ references: cmmc: - CM.L2-3.4.5 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high @@ -50,4 +50,4 @@ mobileconfig: true mobileconfig_info: com.apple.systempolicy.managed: DisableOverride: true - + diff --git a/rules/system_settings/system_settings_guest_access_smb_disable.yaml b/rules/system_settings/system_settings_guest_access_smb_disable.yaml index dc64e32f..8b636677 100644 --- a/rules/system_settings/system_settings_guest_access_smb_disable.yaml +++ b/rules/system_settings/system_settings_guest_access_smb_disable.yaml 
@@ -1,8 +1,8 @@ id: system_settings_guest_access_smb_disable title: "Disable Guest Access to Shared SMB Folders" discussion: | - Guest access to shared Server Message Block (SMB) folders _MUST_ be disabled. - + Guest access to shared Server Message Block (SMB) folders _MUST_ be disabled. + Turning off guest access prevents anonymous users from accessing files shared via SMB. check: | /usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess @@ -15,9 +15,9 @@ fix: | ---- references: cce: - - CCE-91952-2 - cci: - - N/A + - CCE-92963-8 + cci: + - N/A 800-171r2: - 3.5.1 - 3.5.2 @@ -32,14 +32,14 @@ references: srg: - N/A cis: - benchmark: + benchmark: - 2.12.2 (level 1) - controls v8: + controls v8: - 3.3 cmmc: - AC.L1-3.1.2 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_guest_account_disable.yaml b/rules/system_settings/system_settings_guest_account_disable.yaml index ba90f50f..a2e663f8 100644 --- a/rules/system_settings/system_settings_guest_account_disable.yaml +++ b/rules/system_settings/system_settings_guest_account_disable.yaml @@ -24,7 +24,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91953-0 + - CCE-92964-6 cci: - CCI-001813 800-53r5: @@ -36,7 +36,7 @@ references: srg: - SRG-OS-000364-GPOS-00151 disa_stig: - - APPL-13-002063 + - N/A 800-171r2: - 3.5.1 - 3.5.2 @@ -50,7 +50,7 @@ references: cmmc: - AC.L1-3.1.2 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -67,7 +67,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_hot_corners_disable.yaml b/rules/system_settings/system_settings_hot_corners_disable.yaml index f7a648f9..a508e2de 100644 --- a/rules/system_settings/system_settings_hot_corners_disable.yaml 
+++ b/rules/system_settings/system_settings_hot_corners_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91954-8 + - CCE-92965-3 cci: - CCI-000060 800-53r5: @@ -22,21 +22,23 @@ references: srg: - SRG-OS-000031-GPOS-00012 disa_stig: - - APPL-13-000007 + - N/A 800-171r2: - 3.1.10 + cmmc: + - AC.L2-3.1.10 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - - stig + - cmmc_lvl2 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_hot_corners_secure.yaml b/rules/system_settings/system_settings_hot_corners_secure.yaml index 60499bd8..c91c17a7 100644 --- a/rules/system_settings/system_settings_hot_corners_secure.yaml +++ b/rules/system_settings/system_settings_hot_corners_secure.yaml @@ -1,7 +1,7 @@ id: system_settings_hot_corners_secure title: "Secure Hot Corners" discussion: | - Hot corners _MUST_ be secured. + Hot corners _MUST_ be secured. The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot comers can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer. check: | @@ -25,16 +25,16 @@ fix: | ---- references: cce: - - CCE-91955-5 - cci: + - CCE-92966-1 + cci: - N/A 800-53r5: - AC-11(1) - 800-53r4: + 800-53r4: - AC-11(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A 
@@ -43,13 +43,16 @@ references: - 2.7.1 (level 2) controls v8: - 4.3 + cmmc: + - AC.L2-3.1.10 macOS: - - "13.0" + - "14.0" tags: - cis_lvl2 - cisv8 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cmmc_lvl2 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml index 791f2746..16460905 100644 --- a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml +++ b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91956-3 + - CCE-92967-9 cci: - CCI-000382 800-53r5: @@ -34,7 +34,7 @@ references: srg: - SRG-OS-000096-GPOS-00050 disa_stig: - - APPL-13-002021 + - N/A cis: benchmark: - N/A @@ -46,7 +46,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -61,7 +61,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig mobileconfig: true mobileconfig_info: com.apple.assistant.support: diff --git a/rules/system_settings/system_settings_install_macos_updates_enforce.yaml b/rules/system_settings/system_settings_install_macos_updates_enforce.yaml index dbf2eeeb..d7d000b3 100644 --- a/rules/system_settings/system_settings_install_macos_updates_enforce.yaml +++ b/rules/system_settings/system_settings_install_macos_updates_enforce.yaml @@ -13,8 +13,8 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91957-1 - cci: + - CCE-92968-7 + cci: - N/A 800-53r5: - N/A @@ -27,13 +27,13 @@ references: 800-171r2: - N/A cis: - benchmark: + benchmark: - 1.4 (level 1) - controls v8: + controls v8: - 7.3 - 7.4 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 
diff --git a/rules/system_settings/system_settings_internet_accounts_disable.yaml b/rules/system_settings/system_settings_internet_accounts_disable.yaml index de6fd3e2..6b2a3b4b 100644 --- a/rules/system_settings/system_settings_internet_accounts_disable.yaml +++ b/rules/system_settings/system_settings_internet_accounts_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91938-1 + - CCE-92969-5 cci: - N/A 800-53r5: @@ -40,7 +40,7 @@ references: - AC.L1-3.1.20 - CM.L2-3.4.8 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r4_low diff --git a/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml b/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml deleted file mode 100644 index 98c7fdec..00000000 --- a/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -id: system_settings_internet_accounts_preference_pane_disable -title: "Disable the Internet Accounts Preference Pane" -discussion: | - This is required for compliance with the DISA STIG for macOS. - - The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. - - link:https://developer.apple.com/documentation/devicemanagement/systempreferences[] - - [IMPORTANT] - ==== - Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. - ==== -check: | - /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.preferences.internetaccounts" -result: - integer: 1 -fix: | - This is implemented by a Configuration Profile. -references: - cce: - - CCE-92009-0 - cci: - - CCI-000381 - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-13-002032 - 800-171r2: - - N/A - cis: - benchmark: - - N/A - controls v8: - - N/A -macOS: - - "13.0" -tags: - - stig -severity: "medium" -mobileconfig: true -mobileconfig_info: - com.apple.systempreferences: - DisabledPreferencePanes: - - com.apple.preferences.internetaccounts diff --git a/rules/system_settings/system_settings_internet_sharing_disable.yaml b/rules/system_settings/system_settings_internet_sharing_disable.yaml index 9d159a82..b984f8de 100644 --- a/rules/system_settings/system_settings_internet_sharing_disable.yaml +++ b/rules/system_settings/system_settings_internet_sharing_disable.yaml 
@@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91960-5 + - CCE-92971-1 cci: - CCI-000381 800-53r5: @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-002007 + - N/A 800-171r2: - 3.1.3 - 3.1.20 @@ -41,7 +41,7 @@ references: - AC.L1-3.1.20 - AC.L2-3.1.3 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r4_low @@ -58,7 +58,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_location_services_disable.yaml b/rules/system_settings/system_settings_location_services_disable.yaml index c195dcba..59549796 100644 --- a/rules/system_settings/system_settings_location_services_disable.yaml +++ b/rules/system_settings/system_settings_location_services_disable.yaml @@ -18,7 +18,7 @@ fix: | ---- references: cce: - - CCE-91962-1 + - CCE-92972-9 cci: - CCI-000381 800-53r5: @@ -31,27 +31,26 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-002004 + - N/A 800-171r2: - 3.4.6 cmmc: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/system_settings/system_settings_location_services_enable.yaml b/rules/system_settings/system_settings_location_services_enable.yaml index b034c28b..55b78f08 100644 --- a/rules/system_settings/system_settings_location_services_enable.yaml +++ b/rules/system_settings/system_settings_location_services_enable.yaml 
@@ -1,7 +1,7 @@ id: system_settings_location_services_enable title: "Enable Location Services" discussion: | - Location Services _MUST_ be enabled. + Location Services _MUST_ be enabled. check: | /usr/bin/sudo -u _locationd /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.locationd')\ @@ -16,27 +16,27 @@ fix: | ---- references: cce: - - CCE-91963-9 - cci: + - CCE-92973-7 + cci: - N/A 800-53r5: - - N/A - 800-53r4: + - N/A + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.6.1.1 (level 2) - controls v8: + controls v8: - 4.1 - 4.8 macOS: - - "13.0" + - "14.0" tags: - cis_lvl2 - cisv8 diff --git a/rules/system_settings/system_settings_location_services_menu_enforce.yaml b/rules/system_settings/system_settings_location_services_menu_enforce.yaml index 6f65c927..3b7ea012 100644 --- a/rules/system_settings/system_settings_location_services_menu_enforce.yaml +++ b/rules/system_settings/system_settings_location_services_menu_enforce.yaml 
@@ -1,42 +1,40 @@
 id: system_settings_location_services_menu_enforce
-title: "Enable Location Services"
+title: "Ensure Location Services Is In the Menu Bar"
 discussion: |
   Location Services menu item _MUST_ be enabled.
 check: |
-  /usr/bin/osascript -l JavaScript << EOS
-  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.locationmenu')\
-  .objectForKey('ShowSystemServices').js
-  EOS
+  /usr/bin/defaults read /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices
 result:
-  string: "true"
+  boolean: 1
 fix: |
-  This is implemented by a Configuration Profile.
+  [source,bash]
+  ----
+  /usr/bin/defaults write /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices -bool true
+  ----
 references:
   cce:
-    - CCE-91963-9
-  cci:
+    - CCE-92974-5
+  cci:
     - N/A
   800-53r5:
-    - N/A
-  800-53r4:
+    - N/A
+  800-53r4:
     - N/A
   srg:
     - N/A
-  disa_stig:
+  disa_stig:
     - N/A
   800-171r2:
     - N/A
   cis:
-    benchmark:
+    benchmark:
       - 2.6.1.2 (level 2)
-    controls v8:
+    controls v8:
       - 4.1
       - 4.8
 macOS:
-  - "13.0"
+  - "14.0"
 tags:
   - cis_lvl2
-mobileconfig: true
-mobileconfig_info:
-  com.apple.locationmenu:
-    ShowSystemServices: true
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml b/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
index 7f5aa665..719dd595 100644
--- a/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
+++ b/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
@@ -1,7 +1,7 @@
 id: system_settings_loginwindow_loginwindowtext_enable
 title: "Configure Login Window to Show A Custom Message"
 discussion: |
-  The login window _MUST_ be configured to show a custom access warning message.
+  The login window _MUST_ be configured to show a custom access warning message.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
   $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
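Review bot: The rewritten check for system_settings_location_services_menu_enforce reads the on-disk file `/Library/Preferences/com.apple.locationmenu.plist` with `defaults read`, whereas the check it replaces queried the `com.apple.locationmenu` domain through NSUserDefaults, which also reflects a value delivered by a configuration profile; with `mobileconfig` now `false`, a fleet that still ships the old `ShowSystemServices: true` payload will presumably fail this rule even though the setting is managed. The discussion line `Location Services menu item _MUST_ be enabled.` should say that the rule is now satisfied only by the local preference file and, if that is the reason, why the profile payload was dropped. The fix `/usr/bin/defaults write /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices -bool true` writes to a root-owned location, so it only takes effect when run with elevated privileges; a one-line note in the fix block that it must be run as root would save an operator a silent failure. `result: boolean: 1` relies on `defaults read` printing `1` for a true boolean; when the key is absent `defaults` writes its error to stderr and exits non-zero, which the compliance script will treat as a finding — that is the intended outcome, but worth stating so nobody "fixes" it to `string: "true"` later.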
@@ -13,27 +13,27 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91964-7 - cci: + - CCE-92975-2 + cci: - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.10.3 (level 1) controls v8: - 4.1 macOS: - - "13.0" -odv: + - "14.0" +odv: hint: "Organization's approved message." recommended: Center for Internet Security Test Message cis_lvl1: Center for Internet Security Test Message diff --git a/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml b/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml index e249f1aa..13013a6e 100644 --- a/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml +++ b/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91965-4 + - CCE-92976-0 cci: - CCI-000366 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000480-GPOS-00229 disa_stig: - - APPL-13-005052 + - N/A 800-171r2: - 3.5.1 - 3.5.2 @@ -38,7 +38,7 @@ references: - IA.L1-3.5.1 - IA.L1-3.5.2 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -55,7 +55,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_media_sharing_disabled.yaml b/rules/system_settings/system_settings_media_sharing_disabled.yaml index 6ce78559..9f82faf0 100644 --- a/rules/system_settings/system_settings_media_sharing_disabled.yaml +++ b/rules/system_settings/system_settings_media_sharing_disabled.yaml 
@@ -3,7 +3,7 @@ title: "Disable Media Sharing" discussion: | Media sharing _MUST_ be disabled. - When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet. + When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet. The information system _MUST_ be configured to provide only essential capabilities. Disabling Media Sharing helps prevent the unauthorized connection of devices and the unauthorized transfer of information. Disabling Media Sharing mitigates this risk. @@ -30,7 +30,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91966-2 + - CCE-92977-8 cci: - N/A 800-53r5: @@ -54,7 +54,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_password_hints_disable.yaml b/rules/system_settings/system_settings_password_hints_disable.yaml index df00047f..85ec502a 100644 --- a/rules/system_settings/system_settings_password_hints_disable.yaml +++ b/rules/system_settings/system_settings_password_hints_disable.yaml @@ -2,7 +2,7 @@ id: system_settings_password_hints_disable title: "Disable Password Hints" discussion: | Password hints _MUST_ be disabled. - + Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality. check: | /usr/bin/osascript -l JavaScript << EOS @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91967-0 + - CCE-92978-6 cci: - CCI-000366 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-003012 + - N/A 800-171r2: - 3.5.11 cis: @@ -36,7 +36,7 @@ references: cmmc: - IA.L2-3.5.11 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate 
@@ -52,7 +52,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_personalized_advertising_disable.yaml b/rules/system_settings/system_settings_personalized_advertising_disable.yaml index 85dcd16b..672f96f4 100644 --- a/rules/system_settings/system_settings_personalized_advertising_disable.yaml +++ b/rules/system_settings/system_settings_personalized_advertising_disable.yaml @@ -3,7 +3,7 @@ title: "Disable Personalized Advertising" discussion: | Ad tracking and targeted ads _MUST_ be disabled. - The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements. + The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -15,15 +15,15 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91968-8 - cci: + - CCE-92979-4 + cci: - N/A 800-53r5: - AC-20 - CM-7 - CM-7(1) - - SC-7(10) - 800-53r4: + - SC-7(10) + 800-53r4: - AC-20 - CM-7 - CM-7(1) @@ -36,7 +36,7 @@ references: - 3.4.6 cis: benchmark: - - 2.6.3 (level 1) + - 2.6.4 (level 1) controls v8: - 4.8 cmmc: @@ -44,7 +44,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_printer_sharing_disable.yaml b/rules/system_settings/system_settings_printer_sharing_disable.yaml index 42104bf0..9cac53b0 100644 --- a/rules/system_settings/system_settings_printer_sharing_disable.yaml 
+++ b/rules/system_settings/system_settings_printer_sharing_disable.yaml @@ -1,7 +1,7 @@ id: system_settings_printer_sharing_disable title: "Disable Printer Sharing" discussion: | - Printer Sharing _MUST_ be disabled. + Printer Sharing _MUST_ be disabled. check: | /usr/sbin/cupsctl | /usr/bin/grep -c "_share_printers=0" result: @@ -14,23 +14,23 @@ fix: | ---- references: cce: - - CCE-91969-6 - cci: + - CCE-92980-2 + cci: - N/A 800-53r5: - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.3.3.4 (level 1) controls v8: - 4.1 @@ -39,7 +39,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_rae_disable.yaml b/rules/system_settings/system_settings_rae_disable.yaml index f033a159..a9f781e6 100644 --- a/rules/system_settings/system_settings_rae_disable.yaml +++ b/rules/system_settings/system_settings_rae_disable.yaml @@ -17,7 +17,7 @@ fix: | NOTE: Systemsetup with -setremoteappleevents flag will fail unless you grant Full Disk Access to systemsetup or it's parent process. Requires supervision. references: cce: - - CCE-91970-4 + - CCE-92981-0 cci: - CCI-000382 800-53r5: @@ -28,7 +28,7 @@ references: srg: - SRG-OS-000096-GPOS-00050 disa_stig: - - APPL-13-002022 + - N/A 800-171r2: - 3.1.1 - 3.1.2 @@ -41,7 +41,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -58,7 +58,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/system_settings/system_settings_remote_management_disable.yaml b/rules/system_settings/system_settings_remote_management_disable.yaml index 59fcdf61..f40ac463 100644 --- a/rules/system_settings/system_settings_remote_management_disable.yaml 
+++ b/rules/system_settings/system_settings_remote_management_disable.yaml @@ -1,7 +1,7 @@ id: system_settings_remote_management_disable title: "Disable Remote Management" discussion: | - Remote Management _MUST_ be disabled. + Remote Management _MUST_ be disabled. check: | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "RemoteDesktopEnabled = 0" result: @@ -13,23 +13,23 @@ fix: | ---- references: cce: - - CCE-91971-2 - cci: + - CCE-92982-8 + cci: - N/A 800-53r5: - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.3.3.6 (level 1) controls v8: - 4.1 @@ -39,7 +39,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_screen_sharing_disable.yaml b/rules/system_settings/system_settings_screen_sharing_disable.yaml index ced2f122..5db7bf0c 100644 --- a/rules/system_settings/system_settings_screen_sharing_disable.yaml +++ b/rules/system_settings/system_settings_screen_sharing_disable.yaml @@ -16,7 +16,7 @@ fix: | NOTE - This will apply to the whole system references: cce: - - CCE-91972-0 + - CCE-92983-6 cci: - CCI-000366 800-53r5: @@ -28,7 +28,7 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-13-002050 + - N/A 800-171r2: - 3.1.1 - 3.1.2 @@ -41,7 +41,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -58,7 +58,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml b/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml index 8e1e61be..a8a9d7a3 100644 --- a/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml 
+++ b/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml @@ -22,7 +22,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91973-8 + - CCE-92984-4 cci: - CCI-000056 800-53r5: @@ -32,7 +32,7 @@ references: srg: - SRG-OS-000028-GPOS-00009 disa_stig: - - APPL-13-000003 + - N/A 800-171r2: - 3.1.10 cis: @@ -43,7 +43,7 @@ references: cmmc: - AC.L2-3.1.10 macOS: - - "13.0" + - "14.0" odv: hint: "Number of seconds." recommended: 5 @@ -63,7 +63,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_screensaver_password_enforce.yaml b/rules/system_settings/system_settings_screensaver_password_enforce.yaml index 9e87054e..608c2e28 100644 --- a/rules/system_settings/system_settings_screensaver_password_enforce.yaml +++ b/rules/system_settings/system_settings_screensaver_password_enforce.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91974-6 + - CCE-92985-1 cci: - CCI-000056 800-53r5: @@ -25,24 +25,23 @@ references: srg: - SRG-OS-000028-GPOS-00009 disa_stig: - - APPL-13-000002 + - N/A 800-171r2: - 3.1.10 cmmc: - AC.L2-3.1.10 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml b/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml index 86e0f291..e1f75f62 100644 --- a/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml +++ b/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml 
@@ -22,7 +22,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91975-3 + - CCE-92986-9 cci: - CCI-000057 800-53r5: @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000029-GPOS-00010 disa_stig: - - APPL-13-000004 + - N/A 800-171r2: - 3.1.10 cis: @@ -44,7 +44,7 @@ references: cmmc: - AC.L2-3.1.10 macOS: - - "13.0" + - "14.0" odv: hint: "Number of seconds." recommended: 1200 @@ -65,7 +65,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_siri_disable.yaml b/rules/system_settings/system_settings_siri_disable.yaml index f5f9b8a7..73a698b2 100644 --- a/rules/system_settings/system_settings_siri_disable.yaml +++ b/rules/system_settings/system_settings_siri_disable.yaml @@ -6,8 +6,8 @@ discussion: | The information system _MUST_ be configured to provide only essential capabilities. check: | /usr/bin/osascript -l JavaScript << EOS - $.NSUserDefaults.alloc.initWithSuiteName('com.apple.ironwood.support')\ - .objectForKey('Ironwood Allowed').js + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowAssistant').js EOS result: string: "false" @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91976-1 + - CCE-92987-7 cci: - CCI-000381 - CCI-001774 @@ -32,7 +32,7 @@ references: - SRG-OS-000095-GPOS-00049 - SRG-OS-000370-GPOS-00155 disa_stig: - - APPL-13-002020 + - N/A 800-171r2: - 3.1.20 - 3.4.6 @@ -47,7 +47,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -62,9 +62,8 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: - com.apple.ironwood.support: - "Ironwood Allowed": false + com.apple.applicationaccess: + allowAssistant: false \ No newline at end of file 
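Review bot: The check and payload now key off `com.apple.applicationaccess`/`allowAssistant` and the legacy `com.apple.ironwood.support`/`Ironwood Allowed` pair is dropped entirely, but the discussion does not mention the migration, so a fleet still carrying the Ventura-era profile will be reported as failing this rule even though Siri may still be disabled by the older payload. Add a sentence to the discussion such as `NOTE: On macOS 14 this rule is enforced and checked via the allowAssistant restriction key; the legacy Ironwood Allowed key used by earlier baselines is no longer evaluated and should be removed from deployed profiles.`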
diff --git a/rules/system_settings/system_settings_siri_prefpane_disable.yaml b/rules/system_settings/system_settings_siri_prefpane_disable.yaml deleted file mode 100644 index 499e4e95..00000000 --- a/rules/system_settings/system_settings_siri_prefpane_disable.yaml +++ /dev/null @@ -1,46 +0,0 @@ -id: system_settings_siri_prefpane_disable -title: "Disable the System Preference Pane for Siri" -discussion: | - This is required for compliance with the DISA STIG for macOS. - - The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. - - link:https://developer.apple.com/documentation/devicemanagement/systempreferences[] -check: | - /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.preference.speech -result: - integer: 1 -fix: | - This is implemented by a Configuration Profile. -references: - cce: - - CCE-92011-6 - cci: - - CCI-000381 - - CCI-001774 - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - SRG-OS-000095-GPOS-00049 - - SRG-OS-000370-GPOS-00155 - disa_stig: - - APPL-13-002053 - 800-171r2: - - N/A - cis: - benchmark: - - N/A - controls v8: - - N/A -macOS: - - "13.0" -tags: - - stig -severity: "medium" -mobileconfig: true -mobileconfig_info: - com.apple.systempreferences: - DisabledPreferencePanes: - - com.apple.preference.speech \ No newline at end of file diff --git a/rules/system_settings/system_settings_smbd_disable.yaml b/rules/system_settings/system_settings_smbd_disable.yaml index 89336647..c19552aa 100644 --- a/rules/system_settings/system_settings_smbd_disable.yaml +++ b/rules/system_settings/system_settings_smbd_disable.yaml @@ -16,7 +16,7 @@ fix: | The system may need to be restarted for the update to take effect. references: cce: - - CCE-91979-5 + - CCE-92989-3 cci: - CCI-000381 800-53r5: 
@@ -27,7 +27,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-13-002001 + - N/A 800-171r2: - 3.1.1 - 3.1.2 @@ -41,7 +41,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate @@ -58,7 +58,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/system_settings/system_settings_software_update_app_update_enforce.yaml b/rules/system_settings/system_settings_software_update_app_update_enforce.yaml index af749603..f969fba6 100644 --- a/rules/system_settings/system_settings_software_update_app_update_enforce.yaml +++ b/rules/system_settings/system_settings_software_update_app_update_enforce.yaml @@ -13,8 +13,8 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91980-3 - cci: + - CCE-92990-1 + cci: - N/A 800-53r5: - N/A @@ -33,7 +33,7 @@ references: - 7.3 - 7.4 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_software_update_download_enforce.yaml b/rules/system_settings/system_settings_software_update_download_enforce.yaml index d8fc89e0..cba551be 100644 --- a/rules/system_settings/system_settings_software_update_download_enforce.yaml +++ b/rules/system_settings/system_settings_software_update_download_enforce.yaml @@ -13,8 +13,8 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91981-1 - cci: + - CCE-92991-9 + cci: - N/A 800-53r5: - N/A @@ -33,7 +33,7 @@ references: - 7.3 - 7.4 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_software_update_enforce.yaml b/rules/system_settings/system_settings_software_update_enforce.yaml index ac7e7248..19193006 100644 --- a/rules/system_settings/system_settings_software_update_enforce.yaml +++ b/rules/system_settings/system_settings_software_update_enforce.yaml 
@@ -13,8 +13,8 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91982-9 - cci: + - CCE-92992-7 + cci: - N/A 800-53r5: - SI-2(5) @@ -35,7 +35,7 @@ references: - 7.3 - 7.4 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_softwareupdate_current.yaml b/rules/system_settings/system_settings_softwareupdate_current.yaml index 98f467fe..d445c87f 100644 --- a/rules/system_settings/system_settings_softwareupdate_current.yaml +++ b/rules/system_settings/system_settings_softwareupdate_current.yaml @@ -22,8 +22,8 @@ fix: | NOTE - This will apply to the whole system references: cce: - - CCE-91983-7 - cci: + - CCE-92993-5 + cci: - N/A 800-53r5: - N/A @@ -31,7 +31,7 @@ references: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A @@ -42,7 +42,7 @@ references: - 7.3 - 7.4 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_ssh_disable.yaml b/rules/system_settings/system_settings_ssh_disable.yaml index 41e1d3c6..39d16a3b 100644 --- a/rules/system_settings/system_settings_ssh_disable.yaml +++ b/rules/system_settings/system_settings_ssh_disable.yaml @@ -15,7 +15,7 @@ fix: | NOTE: Systemsetup with -setremotelogin flag will fail unless you grant Full Disk Access to systemsetup or it's parent process. Requires supervision. references: cce: - - CCE-91984-5 + - CCE-92994-3 cci: - CCI-000068 - CCI-001453 @@ -49,7 +49,7 @@ references: - SRG-OS-000425-GPOS-00189 - SRG-OS-000426-GPOS-00190 disa_stig: - - APPL-13-000011 + - N/A 800-171r2: - 3.1.1 - 3.1.2 @@ -65,7 +65,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 @@ -75,7 +75,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/system_settings/system_settings_ssh_enable.yaml b/rules/system_settings/system_settings_ssh_enable.yaml index 33a34b9e..acacec1b 100644 --- a/rules/system_settings/system_settings_ssh_enable.yaml +++ b/rules/system_settings/system_settings_ssh_enable.yaml @@ -1,7 +1,7 @@ id: system_settings_ssh_enable title: "Enable SSH Server for Remote Access Sessions" discussion: | - Remote access sessions _MUST_ use encrypted methods to protect unauthorized individuals from gaining access. + Remote access sessions _MUST_ use encrypted methods to protect unauthorized individuals from gaining access. check: | /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => enabled' result: @@ -13,8 +13,8 @@ fix: | ---- references: cce: - - CCE-91985-2 - cci: + - CCE-92995-0 + cci: - N/A 800-53r5: - IA-2(8) @@ -23,7 +23,7 @@ references: - CM-7(1) - AC-17 800-53r4: - - AC-3 + - AC-3 - CM-7 - CM-7(1) - IA-2(8) @@ -43,15 +43,15 @@ references: - CM.L2-3.4.7 - IA.L2-3.5.4 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml index f5f3b218..7a4252ae 100644 --- a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml +++ b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml @@ -33,7 +33,7 @@ fix: | ---- references: cce: - - CCE-91986-0 + - CCE-92996-8 cci: - CCI-001958 800-53r5: 
@@ -47,13 +47,13 @@ references: srg: - SRG-OS-000378-GPOS-00163 disa_stig: - - APPL-13-002069 + - N/A 800-171r2: - 3.1.5 - 3.1.6 cis: benchmark: - - 2.6.7 (level 1) + - 2.6.8 (level 1) controls v8: - 4.1 cmmc: @@ -61,7 +61,7 @@ references: - AC.L2-3.1.5 - AC.L2-3.1.6 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high @@ -76,7 +76,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml b/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml index 71a41595..2865158e 100644 --- a/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml +++ b/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml @@ -1,38 +1,38 @@ id: system_settings_time_machine_auto_backup_enable title: "Configure Time Machine for Automatic Backups" discussion: | - Automatic backups _MUST_ be enabled when using Time Machine. + Automatic backups _MUST_ be enabled when using Time Machine. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.TimeMachine')\ .objectForKey('AutoBackup').js EOS -result: +result: string: "true" fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91987-8 - cci: + - CCE-92997-6 + cci: - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.3.4.1 (level 2) controls v8: - 11.2 macOS: - - "13.0" + - "14.0" tags: - cis_lvl2 - cisv8 diff --git a/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml b/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml index 3e97ac88..121780f0 100644 --- a/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml 
+++ b/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml @@ -1,7 +1,7 @@ id: system_settings_time_machine_encrypted_configure title: "Ensure Time Machine Volumes are Encrypted" discussion: | - Time Machine volumes _MUST_ be encrypted. + Time Machine volumes _MUST_ be encrypted. check: | error_count=0 for tm in $(/usr/bin/tmutil destinationinfo 2>/dev/null| /usr/bin/awk -F': ' '/Name/{print $2}'); do @@ -12,7 +12,7 @@ check: | fi done echo "$error_count" -result: +result: integer: 0 fix: | . Go to System Settings -> Time Machine @@ -22,28 +22,28 @@ fix: | . Click *Use Disk* references: cce: - - CCE-91988-6 - cci: + - CCE-92998-4 + cci: - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.3.4.2 (level 1) controls v8: - 3.6 - 3.11 - 11.3 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_time_server_configure.yaml b/rules/system_settings/system_settings_time_server_configure.yaml index 3b04d915..e3d3245d 100644 --- a/rules/system_settings/system_settings_time_server_configure.yaml +++ b/rules/system_settings/system_settings_time_server_configure.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91989-4 + - CCE-92999-2 cci: - CCI-001891 - CCI-002046 @@ -28,7 +28,7 @@ references: - SRG-OS-000355-GPOS-00143 - SRG-OS-000356-GPOS-00144 disa_stig: - - APPL-13-000014 + - N/A 800-171r2: - 3.3.7 cis: @@ -39,7 +39,7 @@ references: cmmc: - AU.L2-3.3.7 macOS: - - "13.0" + - "14.0" odv: hint: "Name of timeserver(s) separated by commas." recommended: "time-a.nist.gov,time-b.nist.gov" @@ -60,7 +60,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: 
diff --git a/rules/system_settings/system_settings_time_server_enforce.yaml b/rules/system_settings/system_settings_time_server_enforce.yaml index 63c184d3..4c2db4b6 100644 --- a/rules/system_settings/system_settings_time_server_enforce.yaml +++ b/rules/system_settings/system_settings_time_server_enforce.yaml @@ -15,18 +15,18 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91990-2 - cci: + - CCE-93000-8 + cci: - CCI-001891 - CCI-002046 800-53r5: - AU-12(1) - SC-45(1) - 800-53r4: + 800-53r4: - AU-8(1) srg: - SRG-OS-000355-GPOS-00143 - - SRG-OS-000356-GPOS-00144 + - SRG-OS-000356-GPOS-00144 disa_stig: - N/A 800-171r2: @@ -39,7 +39,7 @@ references: cmmc: - AU.L2-3.3.7 macOS: - - "13.0" + - "14.0" tags: - 800-171 - 800-53r5_low @@ -54,7 +54,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_token_removal_enforce.yaml b/rules/system_settings/system_settings_token_removal_enforce.yaml index 6ae1b34a..07bab8c4 100644 --- a/rules/system_settings/system_settings_token_removal_enforce.yaml +++ b/rules/system_settings/system_settings_token_removal_enforce.yaml @@ -20,7 +20,7 @@ fix: This is implemented by a Configuration Profile. references: cce: - - CCE-91991-0 + - CCE-93001-6 cci: - CCI-000058 800-53r5: @@ -30,24 +30,23 @@ references: srg: - SRG-OS-000030-GPOS-00011 disa_stig: - - APPL-13-000005 + - N/A 800-171r2: - 3.1.10 cmmc: - AC.L2-3.1.10 macOS: - - "13.0" + - "14.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: 
diff --git a/rules/system_settings/system_settings_touch_id_pane_disable.yaml b/rules/system_settings/system_settings_touch_id_pane_disable.yaml deleted file mode 100644 index 3c0b368c..00000000 --- a/rules/system_settings/system_settings_touch_id_pane_disable.yaml +++ /dev/null @@ -1,46 +0,0 @@ -id: system_settings_touch_id_pane_disable -title: "Disable the Touch ID and Password Preference Pane" -discussion: | - This is required for compliance with the DISA STIG for macOS. - - The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. - - link:https://developer.apple.com/documentation/devicemanagement/systempreferences[] -check: | - /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.preferences.password" -result: - integer: 1 -fix: | - This is implemented by a Configuration Profile. -references: - cce: - - CCE-92014-0 - cci: - - CCI-000381 - - CCI-001774 - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - SRG-OS-000095-GPOS-00049 - - SRG-OS-000370-GPOS-00155 - disa_stig: - - APPL-13-002051 - 800-171r2: - - N/A - cis: - benchmark: - - N/A - controls v8: - - N/A -macOS: - - "13.0" -tags: - - stig -severity: "medium" -mobileconfig: true -mobileconfig_info: - com.apple.systempreferences: - DisabledPreferencePanes: - - com.apple.preferences.password diff --git a/rules/system_settings/system_settings_touchid_unlock_disable.yaml b/rules/system_settings/system_settings_touchid_unlock_disable.yaml index 3d05b6b0..a01c1edc 100644 --- a/rules/system_settings/system_settings_touchid_unlock_disable.yaml +++ b/rules/system_settings/system_settings_touchid_unlock_disable.yaml @@ -17,7 +17,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91994-4 + - CCE-93003-2 cci: - N/A 800-53r5: 
@@ -33,7 +33,7 @@ references: cmmc: - AC.L2-3.1.10 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/system_settings/system_settings_usb_restricted_mode.yaml b/rules/system_settings/system_settings_usb_restricted_mode.yaml index b5e7a439..125aebdc 100644 --- a/rules/system_settings/system_settings_usb_restricted_mode.yaml +++ b/rules/system_settings/system_settings_usb_restricted_mode.yaml @@ -25,12 +25,12 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91931-6 + - CCE-93004-0 cci: - - N/A + - N/A 800-53r5: - MP-7 - - SC-41 + - SC-41 800-171r2: - N/A cis: @@ -42,7 +42,7 @@ references: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_wake_network_access_disable.yaml b/rules/system_settings/system_settings_wake_network_access_disable.yaml index adf73132..648e795e 100644 --- a/rules/system_settings/system_settings_wake_network_access_disable.yaml +++ b/rules/system_settings/system_settings_wake_network_access_disable.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-91995-1 + - CCE-93005-7 cci: - N/A 800-53r5: @@ -23,16 +23,16 @@ references: disa_stig: - N/A srg: - - N/A + - N/A 800-171r2: - N/A cis: benchmark: - - 2.9.2 (level 1) + - 2.9.3 (level 1) controls v8: - 4.8 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml b/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml deleted file mode 100644 index 39567f16..00000000 --- a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -id: system_settings_wallet_applepay_prefpane_disable -title: "Disable the System Preference Pane for Wallet and Apple Pay" -discussion: | - This is required for compliance with the DISA STIG for macOS. - - The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. - - link:https://developer.apple.com/documentation/devicemanagement/systempreferences[] -check: | - /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.preferences.wallet -result: - integer: 1 -fix: | - This is implemented by a Configuration Profile. -references: - cce: - - CCE-92029-8 - cci: - - CCI-000381 - - CCI-001774 - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - SRG-OS-000095-GPOS-00049 - - SRG-OS-000370-GPOS-00155 - disa_stig: - - APPL-13-002052 - 800-171r2: - - N/A - cis: - benchmark: - - N/A - controls v8: - - N/A -macOS: - - "13.0" -tags: - - stig -severity: "medium" -mobileconfig: true -mobileconfig_info: - com.apple.systempreferences: - DisabledPreferencePanes: - - com.apple.preferences.wallet \ No newline at end of file diff --git a/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml b/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml deleted file mode 100644 index 7e69776e..00000000 --- a/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -id: system_settings_wallet_applepay_prefpane_hide -title: "Hide the System Preference Pane for Wallet and Apple Pay" -discussion: | - This is required for compliance with the DISA STIG for macOS. - - The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. Addtionally, hiding System Settings Preference Panes are not possible in macOS 13. - - link:https://developer.apple.com/documentation/devicemanagement/systempreferences[] -check: | - /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="HiddenPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.preferences.wallet -result: - integer: 1 -fix: | - This is implemented by a Configuration Profile. -references: - cce: - - CCE-92013-2 - cci: - - CCI-000381 - - CCI-001774 - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - SRG-OS-000095-GPOS-00049 - - SRG-OS-000370-GPOS-00155 - disa_stig: - - APPL-13-002052 - 800-171r2: - - N/A - cis: - benchmark: - - N/A - controls v8: - - N/A -macOS: - - "13.0" -tags: - - stig -severity: "medium" -mobileconfig: true -mobileconfig_info: - com.apple.systempreferences: - HiddenPreferencePanes: - - com.apple.preferences.wallet diff --git a/rules/system_settings/system_settings_wifi_disable.yaml b/rules/system_settings/system_settings_wifi_disable.yaml index c7859f02..cf149de1 100644 --- a/rules/system_settings/system_settings_wifi_disable.yaml +++ b/rules/system_settings/system_settings_wifi_disable.yaml 
@@ -1,14 +1,14 @@ id: system_settings_wifi_disable title: "Disable Wi-Fi Interface" discussion: | - The macOS system must be configured with Wi-Fi support software disabled if not connected to an authorized trusted network. + The macOS system must be configured with Wi-Fi support software disabled if not connected to an authorized trusted network. Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Since wireless communications can be intercepted it is necessary to use encryption to protect the confidentiality of information in transit.Wireless technologies include for example microwave packet radio (UHF/VHF) 802.11x and Bluetooth. Wireless networks use authentication protocols (e.g. EAP/TLS PEAP) which provide credential protection and mutual authentication. NOTE: If the system requires Wi-Fi to connect to an authorized network, this is not applicable. check: | /usr/sbin/networksetup -listallnetworkservices | /usr/bin/grep -c "*Wi-Fi" -result: +result: integer: 1 fix: | To disable Wi-Fi on a macOS system, run the following command. @@ -18,7 +18,7 @@ fix: | ---- references: cce: - - CCE-91998-5 + - CCE-93008-1 cci: - N/A 800-53r5: @@ -26,7 +26,7 @@ references: - AC-18 - AC-18(1) - AC-18(3) - 800-53r4: + 800-53r4: - AC-4 - AC-18(1) - AC-18(3) @@ -47,7 +47,7 @@ references: - AC.L2-3.1.16 - AC.L2-3.1.17 macOS: - - "13.0" + - "14.0" tags: - manual - 800-53r4_low diff --git a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml index b07d6226..350b281a 100644 --- a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml +++ b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml 
@@ -1,9 +1,9 @@ id: system_settings_wifi_disable_when_connected_to_ethernet title: "Disable Wi-Fi When Connected to Ethernet" discussion: | - The macOS should be configured to automatically disable Wi-Fi when connected to ethernet. + The macOS should be configured to automatically disable Wi-Fi when connected to ethernet. - The use of Wi-Fi to connect to unauthorized networks may facilitate the exfiltration of mission data. Therefore, wireless networking capabilities internally embedded within information system components should be disabled when not intended to be used. + The use of Wi-Fi to connect to unauthorized networks may facilitate the exfiltration of mission data. Therefore, wireless networking capabilities internally embedded within information system components should be disabled when not intended to be used. NOTE: If the system requires Wi-Fi to connect to an authorized network, this is not applicable. check: | @@ -12,14 +12,14 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91999-3 + - CCE-93009-9 cci: - N/A 800-53r5: - AC-4 - AC-18(1) - AC-18(3) - 800-53r4: + 800-53r4: - AC-4 - AC-18(1) - AC-18(3) @@ -34,7 +34,7 @@ references: - AC.L2-3.1.3 - AC.L2-3.1.17 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/system_settings/system_settings_wifi_menu_enable.yaml b/rules/system_settings/system_settings_wifi_menu_enable.yaml index ec47199e..3cc6026c 100644 --- a/rules/system_settings/system_settings_wifi_menu_enable.yaml +++ b/rules/system_settings/system_settings_wifi_menu_enable.yaml @@ -13,16 +13,16 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-92000-9 - cci: + - CCE-93010-7 + cci: - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A 
@@ -33,7 +33,7 @@ references: - 4.8 - 12.6 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py index e15e6a3e..d1d9db9f 100755 --- a/scripts/generate_baseline.py +++ b/scripts/generate_baseline.py @@ -65,13 +65,13 @@ def get_rule_yaml(rule_file, custom=False): else: with open(rule_file) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) - + try: og_rule_path = glob.glob('../rules/**/{}'.format(file_name), recursive=True)[0] except IndexError: #assume this is a completely new rule og_rule_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] - + # get original/default rule yaml for comparison with open(og_rule_path) as og: og_rule_yaml = yaml.load(og, Loader=yaml.SafeLoader) @@ -131,6 +131,7 @@ def collect_rules(): except: #print("expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule)) rule_yaml[key].update({reference: ["None"]}) + all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\|'), rule_yaml['id'].replace('|', '\|'), rule_yaml['severity'].replace('|', '\|'), @@ -164,14 +165,15 @@ def create_args(): help="List the available keyword tags to search for.", action="store_true") parser.add_argument("-t", "--tailor", default=None, help="Customize the baseline to your organizations values.", action="store_true") - + return parser.parse_args() -def section_title(section_name): +def section_title(section_name, platform): + os = platform.split(':')[2] titles = { "auth": "authentication", "audit": "auditing", - "os": "macos", + "os": os, "pwpolicy": "passwordpolicy", "icloud": "icloud", "sysprefs": "systempreferences", @@ -179,7 +181,7 @@ def section_title(section_name): "sys_prefs": "systempreferences", "srg": "srg" } - + if section_name in titles: return titles[section_name] else: 
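Review bot: `section_title` now binds a local named `os` from `platform.split(':')[2]`, which shadows the `os` module this script uses elsewhere (`os.path.exists` in write_odv_custom_rule) and raises IndexError for a CPE string with fewer than three colon-separated fields. Rename the local and keep the previous hard-coded value as the fallback: `parts = platform.split(':')`, `os_name = parts[2] if len(parts) > 2 else "macos"`, `"os": os_name,`. A one-line docstring saying that `platform` is the CPE string from VERSION.yaml (the caller passes `version["cpe"]` in the output_baseline hunk) would also help, since the parameter name suggests a platform label rather than a CPE.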
@@ -191,9 +193,9 @@ def get_controls(all_rules): for control in rule.rule_80053r4: if control not in all_controls: all_controls.append(control) - + all_controls.sort() - + return all_controls def append_authors(authors, name, org): @@ -210,7 +212,7 @@ def parse_authors(authors_from_yaml): if "preamble" in authors_from_yaml.keys(): preamble = authors_from_yaml['preamble'] author_block += f'{preamble}\n ' - + author_block += "|===\n " for name in authors_from_yaml['names']: author_block += f'|{name}\n ' @@ -234,7 +236,7 @@ def available_tags(all_rules): print(tag) return -def output_baseline(rules, os, baseline_tailored_string, benchmark, authors, full_title): +def output_baseline(rules, version, baseline_tailored_string, benchmark, authors, full_title): inherent_rules = [] permanent_rules = [] na_rules = [] 
@@ -262,21 +264,21 @@ def output_baseline(rules, os, baseline_tailored_string, benchmark, authors, ful if section_name not in sections: sections.append(section_name) if baseline_tailored_string: - output_text = f'title: "macOS {os}: Security Configuration -{full_title} {baseline_tailored_string}"\n' - output_text += f'description: |\n This guide describes the actions to take when securing a macOS {os} system against the{full_title} {baseline_tailored_string} security baseline.\n' + output_text = f'title: "{version["platform"]} {version["os"]}: Security Configuration -{full_title} {baseline_tailored_string}"\n' + output_text += f'description: |\n This guide describes the actions to take when securing a {version["platform"]} {version["os"]} system against the{full_title} {baseline_tailored_string} security baseline.\n' else: - output_text = f'title: "macOS {os}: Security Configuration -{full_title}"\n' - output_text += f'description: |\n This guide describes the actions to take when securing a macOS {os} system against the{full_title} security baseline.\n' - + output_text = f'title: "{version["platform"]} {version["os"]}: Security Configuration -{full_title}"\n' + output_text += f'description: |\n This guide describes the actions to take when securing a {version["platform"]} {version["os"]} system against the{full_title} security baseline.\n' + if benchmark == "recommended": output_text += "\n Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.\n" - + # # process authors output_text += f'authors: |\n {authors}' output_text += f'parent_values: "{benchmark}"\n' output_text += 'profile:\n' - + # sort the rules other_rules.sort() inherent_rules.sort() 
@@ -286,12 +288,12 @@ def output_baseline(rules, os, baseline_tailored_string, benchmark, authors, ful if len(other_rules) > 0: for section in sections: - output_text += (' - section: "{}"\n'.format(section_title(section))) + output_text += (' - section: "{}"\n'.format(section_title(section, version["cpe"]))) output_text += (" rules:\n") for rule in other_rules: if rule.startswith(section): output_text += (" - {}\n".format(rule)) - + if len(inherent_rules) > 0: output_text += (' - section: "Inherent"\n') output_text += (" rules:\n") @@ -315,12 +317,12 @@ def output_baseline(rules, os, baseline_tailored_string, benchmark, authors, ful output_text += (" rules:\n") for rule in supplemental_rules: output_text += (" - {}\n".format(rule)) - + return output_text def write_odv_custom_rule(rule, odv): print(f"Writing custom rule for {rule.rule_id} to include value {odv}") - + if not os.path.exists("../custom/rules"): os.makedirs("../custom/rules") if os.path.exists(f"../custom/rules/{rule.rule_id}.yaml"): @@ -329,11 +331,11 @@ def write_odv_custom_rule(rule, odv): else: rule_yaml = {} - # add odv to rule_yaml + # add odv to rule_yaml rule_yaml['odv'] = {"custom" : odv} with open(f"../custom/rules/{rule.rule_id}.yaml", 'w') as f: - yaml.dump(rule_yaml, f, explicit_start=True) - + yaml.dump(rule_yaml, f, explicit_start=True) + return def remove_odv_custom_rule(rule): @@ -351,7 +353,7 @@ def remove_odv_custom_rule(rule): else: if os.path.exists(f"../custom/rules/{rule.rule_id}.yaml"): os.remove(f"../custom/rules/{rule.rule_id}.yaml") - + def sanitised_input(prompt, type_=None, range_=None, default_=None): while True: ui = input(prompt) or default_ 
@@ -385,18 +387,18 @@ def sanitised_input(prompt, type_=None, range_=None, default_=None): def odv_query(rules, benchmark): print("The inclusion of any given rule is a risk-based-decision (RBD). While each rule is mapped to an 800-53 control, deploying it in your organization should be part of the decision-making process. \nYou will be prompted to include each rule, and for those with specific organizational defined values (ODV), you will be prompted for those as well.\n") - + if not benchmark == "recommended": print(f"WARNING: You are attempting to tailor an already established benchmark. Excluding rules or modifying ODVs may not meet the compliance of the established benchmark.\n") - + included_rules = [] queried_rule_ids = [] - + include_all = False for rule in rules: get_odv = False - + _always_include = ['inherent'] if any(tag in rule.rule_tags for tag in _always_include): #print(f"Including rule {rule.rule_id} by default") @@ -459,7 +461,7 @@ def main(): # switch to the scripts directory os.chdir(file_dir) - + all_rules = collect_rules() if args.list_tags: @@ -473,14 +475,14 @@ def main(): with open(baselines_file) as r: baselines = yaml.load(r, Loader=yaml.SafeLoader) - + included_controls = get_controls(all_rules) needed_controls = [] - + for control in baselines['low']: if control not in needed_controls: needed_controls.append(control) - + for n_control in needed_controls: if n_control not in included_controls: print(f'{n_control} missing from any rule, needs a rule, or included in supplemental') @@ -505,7 +507,7 @@ def main(): version_file = os.path.join(parent_dir, "VERSION.yaml") with open(version_file) as r: - version_yaml = yaml.load(r, Loader=yaml.SafeLoader) + version_yaml = yaml.load(r, Loader=yaml.SafeLoader) found_rules = [] for rule in all_rules: 
@@ -515,7 +517,7 @@ def main(): if "supplemental" in rule.rule_tags: if rule not in found_rules: found_rules.append(rule) - + if args.keyword == None: print("No rules found for the keyword provided, please verify from the following list:") available_tags(all_rules) @@ -525,19 +527,19 @@ def main(): benchmark = args.keyword else: benchmark = "recommended" - + if args.keyword in mscp_data_yaml['authors']: authors = parse_authors(mscp_data_yaml['authors'][args.keyword]) else: authors = "|===\n |Name|Organization\n |===\n" - + if args.keyword in mscp_data_yaml['titles'] and not args.tailor: full_title = f" {mscp_data_yaml['titles'][args.keyword]}" elif args.tailor: full_title = "" else: full_title = f" {args.keyword}" - + baseline_tailored_string = "" if args.tailor: # prompt for name of benchmark to be used for filename @@ -552,11 +554,11 @@ def main(): # prompt for inclusion, add ODV odv_baseline_rules = odv_query(found_rules, benchmark) baseline_output_file = open(f"{build_path}/{tailored_filename}.yaml", 'w') - baseline_output_file.write(output_baseline(odv_baseline_rules, version_yaml["os"], baseline_tailored_string, benchmark, authors, full_title)) + baseline_output_file.write(output_baseline(odv_baseline_rules, version_yaml, baseline_tailored_string, benchmark, authors, full_title)) else: baseline_output_file = open(f"{build_path}/{args.keyword}.yaml", 'w') - baseline_output_file.write(output_baseline(found_rules, version_yaml["os"], baseline_tailored_string, benchmark, authors, full_title)) - + baseline_output_file.write(output_baseline(found_rules, version_yaml, baseline_tailored_string, benchmark, authors, full_title)) + # finally revert back to the prior directory os.chdir(original_working_directory) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index b676f35f..53edb0de 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py 
@@ -146,14 +146,32 @@ def format_mobileconfig_fix(mobileconfig): elif type(item[1]) == dict: rulefix = rulefix + "\n" for k,v in item[1].items(): - rulefix = rulefix + \ - (f" {k}\n") - rulefix = rulefix + " \n" - for setting in v: + if type(v) == dict: rulefix = rulefix + \ - (f" {setting}\n") - rulefix = rulefix + " \n" + (f" {k}\n") + rulefix = rulefix + \ + (f" \n") + for x,y in v.items(): + rulefix = rulefix + \ + (f" {x}\n") + rulefix = rulefix + \ + (f" {y}\n") + rulefix = rulefix + \ + (f" \n") + break + if isinstance(v, list): + rulefix = rulefix + " \n" + for setting in v: + rulefix = rulefix + \ + (f" {setting}\n") + rulefix = rulefix + " \n" + else: + rulefix = rulefix + \ + (f" {k}\n") + rulefix = rulefix + \ + (f" {v}\n") rulefix = rulefix + "\n" + rulefix = rulefix + "----\n\n" @@ -606,7 +624,7 @@ if [[ $EUID -ne 0 ]]; then fi ssh_key_check=0 -if /usr/sbin/sshd -T &> /dev/null; then +if /usr/sbin/sshd -T &> /dev/null || /usr/sbin/sshd -G &>/dev/null; then ssh_key_check=0 else /usr/bin/ssh-keygen -q -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key 
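Review bot: The `break` after the first dict-valued entry in `for k,v in item[1].items()` ends the loop, so a payload dictionary holding more than one dict-valued key renders only the first of them, and any list- or scalar-valued keys that follow are dropped as well. If that truncation is intended for a particular payload type, a comment on the `break` should say which; otherwise remove it and let the remaining branches handle the other keys. The same block tests `type(v) == dict` on one branch and `isinstance(v, list)` on the next; `isinstance` in both places is the idiomatic form. The identical body is added again to generate_scap.py in this commit (the `@@ -14,8 +14,74` hunk), so any fix applies there too. The enclosing function starts and ends outside the hunk.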
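Review bot: When both `sshd -T` and the new `sshd -G` probe fail, the `else` branch still writes a passphrase-less host key pair directly into `/etc/ssh`, and its only cleanup is the `/bin/rm` block near the end of the generated script (the `@@ -1082,7 +1090,7` hunk), so a run interrupted between the two leaves an `ssh_host_rsa_key` in the default location that sshd would use if Remote Login is later enabled. `sshd -T` accepts `-h host_key_file`, so the probe could point at a key generated under a temporary directory instead, e.g. `/usr/sbin/sshd -T -h "$tmp_key"`; failing that, an EXIT `trap` that removes the generated pair would close the gap. As far as I recall `-G` is the form that does not require host keys, so trying it first and falling back to `-T` would also confine the key-generation path to systems without that option. The `else` branch continues outside the hunk.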
@@ -717,17 +735,28 @@ reset_plist(){{ compliance_count(){{ compliant=0 non_compliant=0 - - results=$(/usr/libexec/PlistBuddy -c "Print" /Library/Preferences/org.{baseline_name}.audit.plist) - - while IFS= read -r line; do - if [[ "$line" =~ "finding = false" ]]; then + exempt_count=0 + audit_plist="/Library/Preferences/org.{baseline_name}.audit.plist" + + rule_names=($(/usr/libexec/PlistBuddy -c "Print" $audit_plist | awk '/= Dict/ {{print $1}}')) + + for rule in ${{rule_names[@]}}; do + finding=$(/usr/libexec/PlistBuddy -c "Print $rule:finding" $audit_plist) + if [[ $finding == "false" ]];then compliant=$((compliant+1)) + elif [[ $finding == "true" ]];then + is_exempt=$(/usr/bin/osascript -l JavaScript << EOS 2>/dev/null +ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('org.{baseline_name}.audit').objectForKey("$rule"))["exempt"] +EOS +) + if [[ $is_exempt == "1" ]]; then + exempt_count=$((exempt_count+1)) + non_compliant=$((non_compliant+1)) + else + non_compliant=$((non_compliant+1)) + fi fi - if [[ "$line" =~ "finding = true" ]]; then - non_compliant=$((non_compliant+1)) - fi - done <<< "$results" + done # Enable output of just the compliant or non-compliant numbers. if [[ $1 = "compliant" ]] 
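Review bot: `$rule` is interpolated unquoted into the JavaScript expression inside the osascript heredoc (`objectForKey("$rule")`), and `$audit_plist` and `${{rule_names[@]}}` are expanded unquoted, so a rule id containing a space or a double quote would break the loop or the JXA call. Rule ids come from the project's own YAML, so this is a robustness concern rather than an exposure, but quoting them as `"$audit_plist"` and `"${{rule_names[@]}}"` (braces doubled because this is a `.format` template) costs nothing, and a comment noting that the heredoc delimiter is intentionally unquoted so `$rule` expands would make the intent explicit. One osascript process is also spawned per finding, which is noticeably slower than the previous single PlistBuddy pass on large baselines; if the exemption flag can be read from the same preference domains the removed `exempt_count` consulted, one lookup per rule without a JavaScript interpreter would be preferable. The function's remaining lines continue in the next hunk.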
@@ -737,40 +766,19 @@ compliance_count(){{ then echo $non_compliant else # no matching args output the array - array=($compliant $non_compliant) + array=($compliant $non_compliant $exempt_count) echo ${{array[@]}} fi }} -exempt_count(){{ - exempt=0 - - if [[ -e "/Library/Managed Preferences/org.{baseline_name}.audit.plist" ]];then - mscp_prefs="/Library/Managed Preferences/org.{baseline_name}.audit.plist" - else - mscp_prefs="/Library/Preferences/org.{baseline_name}.audit.plist" - fi - - results=$(/usr/libexec/PlistBuddy -c "Print" "$mscp_prefs") - - while IFS= read -r line; do - if [[ "$line" =~ "exempt = true" ]]; then - exempt=$((exempt+1)) - fi - done <<< "$results" - - echo $exempt -}} - - generate_report(){{ count=($(compliance_count)) - exempt_rules=$(exempt_count) compliant=${{count[1]}} non_compliant=${{count[2]}} + exempt_rules=${{count[3]}} - total=$((non_compliant + compliant - exempt_rules)) - percentage=$(printf %.2f $(( compliant * 100. / total )) ) + total=$((non_compliant + compliant)) + percentage=$(printf %.2f $(( (compliant + exempt_rules) * 100. / total )) ) echo echo "Number of tests passed: ${{GREEN}}$compliant${{STD}}" echo "Number of test FAILED: ${{RED}}$non_compliant${{STD}}" @@ -1082,7 +1090,7 @@ fi if [[ "$ssh_key_check" -ne 0 ]]; then /bin/rm /etc/ssh/ssh_host_rsa_key - /bin/rm /etc/ssh/ssh_host_rsa_key.public + /bin/rm /etc/ssh/ssh_host_rsa_key.pub ssh_key_check=0 fi """ 
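Review bot: `total=$((non_compliant + compliant))` evaluates to 0 when the audit plist holds no rule entries, and the following `percentage=$(printf %.2f $(( (compliant + exempt_rules) * 100. / total )) )` then divides by zero and aborts the report. Guard it, e.g. `if (( total == 0 )); then percentage=0.00; else ...; fi`, or print `n/a` for the percentage in that case. The report's remaining echo lines continue outside the hunk.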
@@ -1133,16 +1141,22 @@ def fill_in_odv(resulting_yaml, parent_values): if "$ODV" in resulting_yaml[field]: resulting_yaml[field]=resulting_yaml[field].replace("$ODV", str(odv)) - for result_value in resulting_yaml['result']: - if "$ODV" in str(resulting_yaml['result'][result_value]): - resulting_yaml['result'][result_value] = odv + if 'result' in resulting_yaml: + for result_value in resulting_yaml['result']: + if "$ODV" in str(resulting_yaml['result'][result_value]): + resulting_yaml['result'][result_value] = odv if resulting_yaml['mobileconfig_info']: for mobileconfig_type in resulting_yaml['mobileconfig_info']: if isinstance(resulting_yaml['mobileconfig_info'][mobileconfig_type], dict): for mobileconfig_value in resulting_yaml['mobileconfig_info'][mobileconfig_type]: if "$ODV" in str(resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value]): - resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value] = odv + if type(resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value]) == dict: + for k,v in resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value].items(): + if v == "$ODV": + resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value][k] = odv + else: + resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value] = odv @@ -1582,7 +1596,7 @@ def parse_cis_references(reference): string += "!CIS " + str(item).title() + "\n!\n" string += "* " for i in reference[item]: - string += str(i) + ", " + string += str(i) + "\n * " string = string[:-2] + "\n" else: string += "!" + str(item) + "!* " + str(reference[item]) + "\n" @@ -1655,7 +1669,8 @@ def main(): with open(version_file) as r: version_yaml = yaml.load(r, Loader=yaml.SafeLoader) - adoc_templates = [ "adoc_rule", + adoc_templates = [ "adoc_rule_ios", + "adoc_rule", "adoc_supplemental", "adoc_rule_no_setting", "adoc_rule_custom_refs", 
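Review bot: The new nested-dict branch in fill_in_odv substitutes only when `v == "$ODV"` exactly, while the condition that reaches it matched `"$ODV" in str(...)` as a substring, so a nested value such as `"$ODV seconds"` passes the outer test and is then left untouched. Use the same substring rule with `.replace("$ODV", str(odv))` for string values, as the `resulting_yaml[field]` branch above does, or state in the function docstring that nested mobileconfig ODVs must be the bare `$ODV` token. `type(...) == dict` on the new line is better written `isinstance(..., dict)`. The same logic is copied into generate_scap.py in this commit (the `@@ -218,20 +296,26` hunk). fill_in_odv begins outside the hunk.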
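Review bot: In parse_cis_references the trailing-separator trim `string = string[:-2] + "\n"` was sized for the old `", "` separator; with the new `"\n * "` it removes only `"* "` and leaves `"\n "` before the appended newline, producing a blank line with a stray space after each list. Trim the full separator, e.g. `string = string[:-len("\n * ")] + "\n"`, or build the list with `"\n * ".join(str(i) for i in reference[item])` and drop the trim entirely. The function starts outside the hunk.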
@@ -1690,6 +1705,9 @@ def main(): # Setup AsciiDoc templates + with open(adoc_templates_dict['adoc_rule_ios']) as adoc_rule_ios_file: + adoc_rule_ios_template = Template(adoc_rule_ios_file.read()) + with open(adoc_templates_dict['adoc_rule']) as adoc_rule_file: adoc_rule_template = Template(adoc_rule_file.read()) @@ -2013,23 +2031,42 @@ def main(): rule_srg=srg ) else: - rule_adoc = adoc_rule_template.substitute( - rule_title=rule_yaml['title'].replace('|', '\|'), - rule_id=rule_yaml['id'].replace('|', '\|'), - rule_discussion=rule_yaml['discussion'].replace('|', '\|'), - rule_check=rule_yaml['check'], # .replace('|', '\|'), - rule_fix=rulefix, - rule_cci=cci, - rule_80053r5=nist_controls, - rule_800171=nist_800171, - rule_disa_stig=disa_stig, - rule_cis=cis, - rule_cmmc=cmmc, - rule_cce=cce, - rule_tags=tags, - rule_srg=srg, - rule_result=result_value - ) + if version_yaml['platform'] == "iOS/iPadOS": + rule_adoc = adoc_rule_ios_template.substitute( + rule_title=rule_yaml['title'].replace('|', '\|'), + rule_id=rule_yaml['id'].replace('|', '\|'), + rule_discussion=rule_yaml['discussion'].replace('|', '\|'), + rule_check=rule_yaml['check'], # .replace('|', '\|'), + rule_fix=rulefix, + rule_cci=cci, + rule_80053r5=nist_controls, + rule_800171=nist_800171, + rule_disa_stig=disa_stig, + rule_cis=cis, + rule_cmmc=cmmc, + rule_cce=cce, + rule_tags=tags, + rule_srg=srg, + rule_result=result_value + ) + else: + rule_adoc = adoc_rule_template.substitute( + rule_title=rule_yaml['title'].replace('|', '\|'), + rule_id=rule_yaml['id'].replace('|', '\|'), + rule_discussion=rule_yaml['discussion'].replace('|', '\|'), + rule_check=rule_yaml['check'], # .replace('|', '\|'), + rule_fix=rulefix, + rule_cci=cci, + rule_80053r5=nist_controls, + rule_800171=nist_800171, + rule_disa_stig=disa_stig, + rule_cis=cis, + rule_cmmc=cmmc, + rule_cce=cce, + rule_tags=tags, + rule_srg=srg, + rule_result=result_value + ) adoc_output_file.write(rule_adoc) 
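Review bot: The two `substitute(...)` calls under `if version_yaml['platform'] == "iOS/iPadOS"` pass identical keyword arguments and differ only in the template object, so choosing the template first removes fifteen duplicated lines: `template = adoc_rule_ios_template if version_yaml['platform'] == "iOS/iPadOS" else adoc_rule_template` followed by a single `rule_adoc = template.substitute(...)`. The `'\|'` literals in the `.replace` calls are invalid escape sequences that recent Python versions warn about; `r'\|'` is the intended form. generate_scap.py in this same commit detects iOS with `"ios" in version_yaml['cpe']` rather than comparing `platform`; a single helper shared by both scripts would keep the two decisions from drifting. The enclosing `else:` belongs to an `if` that starts outside the hunk.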
diff --git a/scripts/generate_mapping.py b/scripts/generate_mapping.py index 8fb04ad8..a0ed910d 100755 --- a/scripts/generate_mapping.py +++ b/scripts/generate_mapping.py @@ -106,8 +106,8 @@ def sort_nicely( l ): def main(): file_dir = os.path.dirname(os.path.abspath(__file__)) - - os.chdir(file_dir) + + os.chdir(file_dir) nist_header = "" other_header = "" @@ -123,7 +123,7 @@ def main(): parser = argparse.ArgumentParser(description='Easily generate custom rules from compliance framework mappings') parser.add_argument("CSV", default=None, help="CSV to create custom rule files from a mapping.", type=argparse.FileType('rt')) parser.add_argument("-f", "--framework", default="800-53r5", help="Specify framework for the source. If no framework is specified, the default is 800-53r5.", action="store") - + try: results = parser.parse_args() print("Mapping CSV: " + results.CSV.name) @@ -131,9 +131,9 @@ def main(): except IOError as msg: - + parser.error(str(msg)) - + version_file = "../VERSION.yaml" with open(version_file) as r: @@ -142,14 +142,14 @@ def main(): for rule in glob.glob('../rules/**/*.yaml',recursive=True) + glob.glob('../custom/rules/**/*.yaml',recursive=True): sub_directory = rule.split(".yaml")[0].split("/")[2] - + if "supplemental" in rule or "srg" in rule: continue - + # with open(rule) as r: # rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) rule_yaml = get_rule_yaml(rule, custom=False) - + control_array = [] # print("----------------------") # print(rule_yaml) @@ -159,21 +159,21 @@ def main(): modded_reader = csv_reader dict_from_csv = dict(list(modded_reader)[0]) - + list_of_column_names = list(dict_from_csv.keys()) nist_header = list_of_column_names[1] other_header = list_of_column_names[0] - - - + + + with open(results.CSV.name, newline='',encoding='utf-8-sig') as csvfile: reader = csv.DictReader(csvfile,dialect='excel') - + for row in reader: - + if results.framework != nist_header: sys.exit(str(results.framework) + " not found in CSV") 
@@ -185,33 +185,33 @@ def main(): duplicate = "" csv_duplicate = "" for control in controls: - + try: - + rule_yaml['references'] - + if "/" in str(results.framework): - + framework_main = results.framework.split("/")[0] framework_sub = results.framework.split("/")[1] - + references = [] if "custom" not in rule_yaml['references']: references = rule_yaml['references'][framework_main][framework_sub] else: references = rule_yaml['references']['custom'][framework_main][framework_sub] - + for yaml_control in references: if duplicate == str(yaml_control).split("(")[0]: continue if csv_duplicate == str(row[other_header]): - + continue if control.replace(" ",'') == str(yaml_control): - + duplicate = str(yaml_control).split("(")[0] csv_duplicate = str(row[other_header]) - + row_array = str(row[other_header]).split(",") for item in row_array: control_array.append(item) @@ -219,7 +219,7 @@ def main(): else: - + references = [] if "custom" not in rule_yaml['references']: references = rule_yaml['references'][results.framework] 
@@ -239,33 +239,33 @@ def main(): for item in row_array: control_array.append(item) print(rule_yaml['id'] + " - " + str(results.framework) + " " + str(yaml_control) + " maps to " + other_header + " " + item) - + except: continue - + if len(control_array) == 0: continue - + custom_rule = '''references: custom: {}:'''.format(other_header) - + for control in control_array: custom_rule = custom_rule + ''' - {}'''.format(control) - + custom_rule = custom_rule + ''' tags: - {}'''.format(other_header) - + if os.path.isdir("../build/" + other_header) == False: os.mkdir("../build/" + other_header) if os.path.isdir("../build/" + other_header + "/rules/") == False: os.mkdir("../build/" + other_header + "/rules/") if os.path.isdir("../build/" + other_header + "/rules/" + sub_directory) == False: os.mkdir("../build/" + other_header + "/rules/" + sub_directory) - - try: + + try: with open("../build/" + other_header + "/rules/" + sub_directory + "/" + rule_yaml['id'] + ".yaml", 'w') as r: custom_yaml = r.read() @@ -276,23 +276,23 @@ tags: with open("../build/" + other_header + "/rules/" + sub_directory + "/" + rule_yaml['id'] + ".yaml", 'w') as fw: fw.write(custom_rule) - + for rule in glob.glob("../build/" + other_header + "/rules/*/*"): if "supplemental" in rule or "srg" in rule: continue - + with open(rule) as r: custom_rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) othercontrols = [] - + if other_header in custom_rule_yaml['references']['custom']: - + for control in custom_rule_yaml['references']['custom'][other_header]: - + if str(control) in othercontrols: continue else: - + othercontrols.append(str(control)) sort_nicely(othercontrols) 
@@ -302,18 +302,18 @@ tags: custom_rule = '''references: custom: {}:'''.format(other_header) - + for control in othercontrols: custom_rule = custom_rule + ''' - {}'''.format(control) - + custom_rule = custom_rule + ''' tags: - {}'''.format(other_header) - + with open(rule, 'w') as rite: - rite.write(custom_rule) - + rite.write(custom_rule) + audit = [] auth = [] @@ -333,8 +333,8 @@ tags: with open(rule) as r: custom_rule = yaml.load(r, Loader=yaml.SafeLoader) rule_id = rule.split(".yaml")[0].split("/")[5] - - + + if other_header in custom_rule['tags']: if "inherent" in rule_yaml['tags']: inherent.append(rule_id) @@ -345,10 +345,10 @@ tags: if "n_a" in custom_rule['tags']: na.append(rule_id) continue - + if "/audit/" in rule: audit.append(rule_id) - + continue if "/auth/" in rule: auth.append(rule_id) @@ -368,20 +368,20 @@ tags: if "/sysprefs/" in rule: sysprefs.append(rule_id) continue - - - full_baseline = '''title: "macOS {2} ({3}): Security Configuration - {0}" + + + full_baseline = '''title: "{4} {2} ({3}): Security Configuration - {0}" description: | - This guide describes the actions to take when securing a macOS {2} system against the {1}. + This guide describes the actions to take when securing a {4} {2} system against the {1}. authors: | |=== |Name|Organization |=== -parent_values: recommended -profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['version'].split(" ")[0]) - +parent_values: recommended +profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['version'].split(" ")[0],version_yaml['platform']) + if len(audit) != 0: - + full_baseline = full_baseline + ''' - section: "Auditing" rules:''' @@ -395,7 +395,7 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve - section: "Authentication" rules:''' auth.sort() - + for rule in auth: full_baseline = full_baseline + ''' - {}'''.format(rule) 
@@ -405,7 +405,7 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve - section: "SystemPreferences" rules:''' sysprefs.sort() - + for rule in sysprefs: full_baseline = full_baseline + ''' - {}'''.format(rule) @@ -415,7 +415,7 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve - section: "SystemSettings" rules:''' system_settings.sort() - + for rule in system_settings: full_baseline = full_baseline + ''' - {}'''.format(rule) @@ -431,6 +431,15 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve if len(os_section) != 0: full_baseline = full_baseline + ''' + - section: "ios" + rules:''' + os_section.sort() + for rule in os_section: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + if len(os_section) != 0 and version_yaml['platform'] == "macOS": + full_baseline = full_baseline + ''' - section: "macOS" rules:''' os_section.sort() 
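Review bot: The new `- section: "ios"` block is emitted whenever `os_section` is non-empty, with no platform check, whereas the `macOS` block that follows is guarded by `version_yaml['platform'] == "macOS"`; on a macOS run both sections are therefore written with the same rules. Unless a duplicated section is intended, guard the first one symmetrically, e.g. `if len(os_section) != 0 and version_yaml['platform'] == "iOS/iPadOS":` (the value generate_guidance.py compares against in this commit), or compute `section_name = "ios" if ... else "macOS"` once and keep a single block. `os_section.sort()` is also repeated in both blocks; one sort before the branch suffices. The enclosing main() continues outside the hunk.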
@@ -474,24 +483,26 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve full_baseline = full_baseline + ''' - {}'''.format(rule) + listofsupplementals = str() + for supp_rule in glob.glob('../rules/supplemental/*.yaml',recursive=True): + listofsupplementals = listofsupplementals + '''- {} + '''.format(os.path.basename(supp_rule).split(".")[0]) full_baseline = full_baseline + ''' - section: "Supplemental" rules: - - supplemental_firewall_pf - - supplemental_password_policy - - supplemental_smartcard - ''' + {} + '''.format(listofsupplementals) + - try: if os.path.isdir("../build/" + other_header.lower() + "/baseline/") == False: os.mkdir("../build/" + other_header.lower() + "/baseline") - with open("../build/" + other_header.lower() + "/baseline/" + other_header.lower() + ".yaml",'w') as fw: + with open("../build/" + other_header.lower() + "/baseline/" + other_header.lower().replace(" ","_") + ".yaml",'w') as fw: fw.write(full_baseline) - print(other_header.lower() + ".yaml baseline file created in build/" + other_header + "/baseline/") - + print(other_header.lower().replace(" ","_") + ".yaml baseline file created in build/" + other_header + "/baseline/") + print("Move all of the folders in rules into the custom folder.") except: print("No controls mapped were found in rule files.") diff --git a/scripts/generate_scap.py b/scripts/generate_scap.py index ec8a3497..21e5ed37 100755 --- a/scripts/generate_scap.py +++ b/scripts/generate_scap.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 -# filename: generate_guidance.py -# description: Process a given keyword, and output a baseline file +# filename: generate_scap.py +# description: Input a keyword for the baseline, output the scap/oval/xccdf import sys import os 
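Review bot: The `.replace(" ","_")` added for the baseline file name is not applied to the directory built from `other_header.lower()` on the lines above, nor to the `build/` path in the print statement, so a framework name containing spaces now yields a directory with spaces, a file without them, and a message naming a different path from the one written. Normalise once, e.g. `baseline_dir_name = other_header.lower().replace(" ", "_")`, and use it for the directory, the file and the message. The bare `except:` around this block also swallows any OSError from the `mkdir`/`open` and reports it as "No controls mapped were found in rule files.", which is how a path mismatch like this stays hidden; catching `OSError` and printing it would be more honest. Building the supplemental list from `glob.glob('../rules/supplemental/*.yaml')` is a good change, though glob order depends on the filesystem, so wrapping it in `sorted(...)` keeps the generated baseline stable between runs.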
@@ -14,8 +14,74 @@ from datetime import datetime import shutil from time import sleep import argparse +from xml.sax.saxutils import escape warnings.filterwarnings("ignore", category=DeprecationWarning) + +def format_mobileconfig_fix(mobileconfig): + """Takes a list of domains and setting from a mobileconfig, and reformats it for the output of the fix section of the guide. + """ + rulefix = "" + for domain, settings in mobileconfig.items(): + if domain == "com.apple.ManagedClient.preferences": + rulefix = rulefix + \ + (f"NOTE: The following settings are in the ({domain}) payload. This payload requires the additional settings to be sub-payloads within, containing their defined payload types.\n\n") + rulefix = rulefix + format_mobileconfig_fix(settings) + else: + rulefix = rulefix + ( + f"Create a configuration profile containing the following keys in the ({domain}) payload type:\n\n") + rulefix = rulefix + "[source,xml]\n----\n" + for item in settings.items(): + rulefix = rulefix + (f"{item[0]}\n") + + if type(item[1]) == bool: + rulefix = rulefix + \ + (f"<{str(item[1]).lower()}/>\n") + elif type(item[1]) == list: + rulefix = rulefix + "\n" + for setting in item[1]: + rulefix = rulefix + \ + (f" {setting}\n") + rulefix = rulefix + "\n" + elif type(item[1]) == int: + rulefix = rulefix + \ + (f"{item[1]}\n") + elif type(item[1]) == str: + rulefix = rulefix + \ + (f"{item[1]}\n") + elif type(item[1]) == dict: + rulefix = rulefix + "\n" + for k,v in item[1].items(): + if type(v) == dict: + rulefix = rulefix + \ + (f" {k}\n") + rulefix = rulefix + \ + (f" \n") + for x,y in v.items(): + rulefix = rulefix + \ + (f" {x}\n") + rulefix = rulefix + \ + (f" {y}\n") + rulefix = rulefix + \ + (f" \n") + break + if isinstance(v, list): + rulefix = rulefix + " \n" + for setting in v: + rulefix = rulefix + \ + (f" {setting}\n") + rulefix = rulefix + " \n" + else: + rulefix = rulefix + \ + (f" {k}\n") + rulefix = rulefix + \ + (f" {v}\n") + rulefix = rulefix + "\n" + + rulefix = 
rulefix + "----\n\n" + + return rulefix + def replace_ocil(xccdf, x): regex = r'''([\r\n].*?)(?:=?\r|\n)(.*?(?:def:{}\").*)'''.format(x) substr = '''''' @@ -39,28 +105,37 @@ def create_args(): return parser.parse_args() def generate_scap(all_rules, all_baselines, args): - + export_as = "" + version_file = "../VERSION.yaml" + with open(version_file) as r: + version_yaml = yaml.load(r, Loader=yaml.SafeLoader) + if args.xccdf: export_as = "xccdf" if args.oval: export_as = "oval" + if "ios" in version_yaml['cpe']: + print("OVAL generation is not available on iOS") + exit() + if args.oval == None and args.xccdf == None: export_as = "scap" - - version_file = "../VERSION.yaml" - with open(version_file) as r: - version_yaml = yaml.load(r, Loader=yaml.SafeLoader) + if "ios" in version_yaml['cpe']: + print("iOS will only export as XCCDF") + export_as = "xccdf" now = datetime.now() date_time_string = now.strftime("%Y-%m-%dT%H:%M:%S") filenameversion = version_yaml['version'].split(",")[1].replace(" ", "_")[1:] output = "../build/macOS_{0}_Security_Compliance_Benchmark-{1}".format(version_yaml['os'],filenameversion) - + if "ios" in version_yaml['cpe']: + output = "../build/iOS_{0}_Security_Compliance_Benchmark-{1}".format(version_yaml['os'],filenameversion) + if export_as == "xccdf": output = output + "_xccdf.xml" @@ -91,12 +166,15 @@ def generate_scap(all_rules, all_baselines, args): macOS Security Compliance Project '''.format(date_time_string) + ostype = "macOS" + if "ios" in version_yaml['cpe']: + ostype = "iOS/iPadOS" xccdfPrefix = ''' draft - macOS {1}: Security Configuration + {4} {1}: Security Configuration - macOS {1}: Security Configuration + {4} {1}: Security Configuration 
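Review bot: `format_mobileconfig_fix` is added to generate_scap.py as a verbatim copy of the function in generate_guidance.py, including the `break` after the first nested dict and the `type(v) == dict` test, so the two copies will drift the next time the payload format changes; placing it in a small shared module under scripts/ and importing it from both would keep one implementation. The docstring still says the output is for "the fix section of the guide", but this copy is fed through `escape(...)` for embedding in XCCDF (the `@@ -339,6 +423,9` hunk) — a sentence such as `Returns guide-style text; callers embedding it in XML must escape it.` would set expectations for the next maintainer.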
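Review bot: The new iOS checks in generate_scap call the builtin `exit()` rather than `sys.exit(...)`, and `sys` is already imported by this script; `sys.exit("OVAL generation is not available on iOS")` both prints the message and returns a non-zero status, so a build pipeline can notice the refusal. Detecting the platform with `"ios" in version_yaml['cpe']` is a substring test repeated three times in this function and diverges from the `version_yaml['platform'] == "iOS/iPadOS"` comparison generate_guidance.py uses in this same commit; one `is_ios = ...` computed right after VERSION.yaml is loaded, ideally in a helper shared by both scripts, would make the decision explicit. The function continues outside the hunk.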
@@ -113,7 +191,7 @@ def generate_scap(all_rules, all_baselines, args): Dan Brodjieski - National Aeronautics and Space Administration Allen Golbig - Jamf - '''.format(date_time_string, version_yaml['os'], version_yaml['version'],date_time_string.split("T")[0] + "Z") + '''.format(date_time_string, version_yaml['os'], version_yaml['version'],date_time_string.split("T")[0] + "Z", ostype) scapPrefix = ''' @@ -190,7 +268,7 @@ def generate_scap(all_rules, all_baselines, args): for a in range(0, loop): rule_yaml = get_rule_yaml(rule_file, custom) - + try: # # odv_label = list(rule_yaml['odv'].keys())[a] 
@@ -218,20 +296,26 @@ def generate_scap(all_rules, all_baselines, args): rule_yaml['check'] = rule_yaml['check'].replace("$ODV",odv_value) rule_yaml['fix'] = rule_yaml['fix'].replace("$ODV",odv_value) - - - for result_value in rule_yaml['result']: - if "$ODV" == rule_yaml['result'][result_value]: - rule_yaml['result'][result_value] = rule_yaml['result'][result_value].replace("$ODV",odv_value) - + + if "result" in rule_yaml: + for result_value in rule_yaml['result']: + if "$ODV" == rule_yaml['result'][result_value]: + rule_yaml['result'][result_value] = rule_yaml['result'][result_value].replace("$ODV",odv_value) if rule_yaml['mobileconfig_info']: for mobileconfig_type in rule_yaml['mobileconfig_info']: if isinstance(rule_yaml['mobileconfig_info'][mobileconfig_type], dict): for mobileconfig_value in rule_yaml['mobileconfig_info'][mobileconfig_type]: + if "$ODV" in str(resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value]): - resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value] = rule_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value].replace("$ODV",odv_value) - + if type(resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value]) == dict: + for k,v in resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value].items(): + if v == "$ODV": + resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value][k] = odv_value + else: + resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value] = odv_value + + except: odv_label = "recommended" @@ -339,6 +423,9 @@ def generate_scap(all_rules, all_baselines, args): cce = rule_yaml['references']['cce'][0] if export_as == "scap": + mobileconfig_info = "" + if rule_yaml['mobileconfig']: + mobileconfig_info = escape(format_mobileconfig_fix(rule_yaml['mobileconfig_info'])) xccdf_rules = xccdf_rules + ''' {2} 
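Review bot: The new mobileconfig ODV substitution assigns the whole value (`... = odv_value`) where the removed line substituted `$ODV` inside it with `.replace("$ODV", odv_value)`, so a value such as `"prefix-$ODV"` loses its prefix and a list whose `str()` contains `$ODV` collapses to a single scalar; if wholesale replacement is intended, document it with `# a value that mentions $ODV is replaced wholesale, not substituted`, otherwise keep `.replace` for `str` values and walk lists element-wise. This block also sits inside the `try:` that opens before the hunk and ends with a bare `except:` setting `odv_label = "recommended"`, so a `KeyError` or `TypeError` raised by the new code is silently turned into a mislabeled rule in the benchmark instead of a build failure; narrow that handler to the exception the ODV lookup actually raises (presumably `KeyError`/`IndexError` on `rule_yaml['odv']`) and let everything else propagate. The enclosing loop starts and ends outside the hunk.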
@@ -351,9 +438,13 @@ def generate_scap(all_rules, all_baselines, args): {7} {8} - '''.format(rule_yaml['id'] + "_" + odv_label, severity, rule_yaml['title'], rule_yaml['discussion'].replace("<","<").replace(">",">").replace("&","&").rstrip(), rule_yaml['check'].replace("<","<").replace(">",">").replace("&","&").rstrip(), result, cce,rule_yaml['fix'].replace("<","<").replace(">",">").replace("&","&"), check_rule, references) + '''.format(rule_yaml['id'] + "_" + odv_label, severity, rule_yaml['title'], rule_yaml['discussion'].replace("<","<").replace(">",">").replace("&","&").rstrip(), rule_yaml['check'].replace("<","<").replace(">",">").replace("&","&").rstrip(), result, cce,rule_yaml['fix'].replace("<","<").replace(">",">").replace("&","&") + "\n" + mobileconfig_info, check_rule, references) if export_as == "xccdf": + mobileconfig_info = "" + if rule_yaml['mobileconfig']: + mobileconfig_info = escape(format_mobileconfig_fix(rule_yaml['mobileconfig_info'])) + xccdf_rules = xccdf_rules + ''' {2} @@ -366,10 +457,11 @@ def generate_scap(all_rules, all_baselines, args): {7} - '''.format(rule_yaml['id'] + "_" + odv_label, severity, rule_yaml['title'], rule_yaml['discussion'].replace("<","<").replace(">",">").replace("&","&").rstrip(), rule_yaml['check'].replace("<","<").replace(">",">").replace("&","&").rstrip(), result, cce,rule_yaml['fix'].replace("<","<").replace(">",">").replace("&","&"), references) + '''.format(rule_yaml['id'] + "_" + odv_label, severity, rule_yaml['title'], rule_yaml['discussion'].replace("<","<").replace(">",">").replace("&","&").rstrip(), rule_yaml['check'].replace("<","<").replace(">",">").replace("&","&").rstrip(), result, cce,rule_yaml['fix'].replace("<","<").replace(">",">").replace("&","&") + "\n" + mobileconfig_info, references) + continue - + if "inherent" in rule_yaml['tags'] or "n_a" in rule_yaml['tags'] or "permanent" in rule_yaml['tags']: xccdf_rules = replace_ocil(xccdf_rules,x) x += 1 
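Review bot: `mobileconfig_info` is escaped with `xml.sax.saxutils.escape`, but `fix`, `discussion` and `check` in the same `.format(...)` call still go through the hand-rolled `.replace("<", ...).replace(">", ...).replace("&", ...)` chain (rendered here with its entities stripped), and `rule_yaml['title']` is not escaped at all, so a title containing `&` or `<` yields malformed XCCDF; use `escape(...)` uniformly, which also avoids the double-escaping a chain that handles `&` after `<`/`>` produces if the replacement targets are `&lt;`-style entities. The three lines `mobileconfig_info = ""` / `if rule_yaml['mobileconfig']:` / `mobileconfig_info = escape(format_mobileconfig_fix(rule_yaml['mobileconfig_info']))` are duplicated verbatim in the `scap` branch (previous hunk) and the `xccdf` branch (this hunk); hoist them once above `if export_as == "scap":`. The enclosing loop continues outside the hunk.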
@@ -526,6 +618,7 @@ def generate_scap(all_rules, all_baselines, args): continue for payload_type, info in rule_yaml['mobileconfig_info'].items(): + if payload_type == "com.apple.systempolicy.control": continue if payload_type == "com.apple.ManagedClient.preferences": @@ -604,7 +697,6 @@ def generate_scap(all_rules, all_baselines, args): oval_definition = oval_definition + ''' ''' continue for key, value in info.items(): - if key == "familyControlsEnabled": xpath_search = "" if len(info) > 1: @@ -630,7 +722,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - + "" oval_object = oval_object + ''' /Library/Managed Preferences/com.apple.applicationaccess.new.plist @@ -668,7 +760,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - + oval_object = oval_object + ''' /Library/Managed Preferences/{}.plist'''.format(rule_yaml['id'] + "_" + odv_label,x,payload_type) @@ -947,8 +1039,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999) x += 1 continue - - + state_kind = "" if type(value) == bool: state_kind = "boolean" @@ -956,6 +1047,14 @@ def generate_scap(all_rules, all_baselines, args): state_kind = "int" elif type(value) == str: state_kind = "string" + try: + int(value) + state_kind = "int" + except: + pass + + elif type(value) == dict: + state_kind = "string" else: continue 
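Review bot: The new `try: int(value) ... except: pass` in the `state_kind` selection uses a bare `except:`, which also swallows `KeyboardInterrupt` and `SystemExit`; it should be `except ValueError:`, the only error `int()` raises for a `str`, with a why-comment such as `# numeric strings in the plist are compared as ints, not strings`. Note that `int()` also accepts `" 7 "` and `"1_0"`, so such strings are typed `int` too; if the plist value is meant literally, `value.lstrip("-").isdigit()` is the stricter test. `dict` values are now typed `"string"` and fall through instead of hitting `continue`, which appears to be what makes the passwordpolicy branch in the next hunk reachable; a comment saying so would help the next reader. The loop body continues outside the hunk.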
@@ -980,21 +1079,32 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - oval_object = oval_object + ''' /Library/Managed Preferences/{}.plist'''.format(rule_yaml['id'] + "_" + odv_label,x,payload_type) - + if state_kind == "boolean": oval_object = oval_object + ''' name(//*[contains(text(), "{}")]/following-sibling::*[1]) '''.format(key) else: - oval_object = oval_object + ''' + if payload_type == "com.apple.mobiledevice.passwordpolicy" and "customRegex" in info: + oval_object = oval_object + ''' //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - + '''.format("passwordContentRegex") + oval_state = oval_state + ''' + + {} + + '''.format(rule_yaml['id'] + "_" + odv_label,x,state_kind,value['passwordContentRegex']) + x += 1 + continue + else: + oval_object = oval_object + ''' + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) + oval_state = oval_state + ''' {} @@ -1529,7 +1639,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+999) x = x + 1 continue - if "sshd -T" in rule_yaml['check'] and "fips" in rule_yaml['check']: + if "sshd -T" in rule_yaml['check'] and "fips" in rule_yaml['check'] or "sshd -G" in rule_yaml['check'] and "fips" in rule_yaml['check']: fipslist = rule_yaml['check'].split("\n")[0].split("(")[1].replace(")","").replace('" "',"\n").replace('"',"") @@ -1580,7 +1690,7 @@ def generate_scap(all_rules, all_baselines, args): x = x + 1 continue - if "sshd -T" in rule_yaml['check']: + if "sshd -T" in rule_yaml['check'] or "sshd -G" in rule_yaml['check']: oval_definition = oval_definition + ''' 
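Review bot: The `com.apple.mobiledevice.passwordpolicy` branch tests `"customRegex" in info` rather than `key == "customRegex"`, so for every non-boolean key of such a payload it evaluates `value['passwordContentRegex']`, which raises `TypeError` when `value` is an `int` or `str` (e.g. a `minLength` key) — unless those rules are guaranteed to carry only the `customRegex` key, which I cannot see from here; `if payload_type == "com.apple.mobiledevice.passwordpolicy" and key == "customRegex":` is the safe form. The regex is also interpolated into the `oval_state` XML unescaped, while this change imports `escape` for exactly this purpose; a pattern containing `<` or `&` breaks the OVAL document, so use `escape(value['passwordContentRegex'])`. The surrounding `for key, value in info.items()` loop starts and ends outside the hunk.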
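Review bot: `"sshd -T" in rule_yaml['check'] and "fips" in rule_yaml['check'] or "sshd -G" in rule_yaml['check'] and "fips" in rule_yaml['check']` relies on `and` binding tighter than `or`; it is correct but hard to read, and the next hunk repeats a similar pair of membership tests. Write `check = rule_yaml['check']` once and then `if ("sshd -T" in check or "sshd -G" in check) and "fips" in check:`, reusing `check` in the second condition. The `fipslist` parsing on the following context line still assumes the first line of the check holds a parenthesised list, which this commit leaves unchanged. The function body continues outside the hunk.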
@@ -2876,7 +2986,7 @@ def generate_scap(all_rules, all_baselines, args): - '''.format(rule_yaml['id'] + "_" + odv_label,x,domain,x+999,rule_yaml['id'] + "_" + odv_label,domain) + '''.format(rule_yaml['id'] + "_" + odv_label,x,domain,x+999,rule_yaml['id'] + "_" + odv_label,domain.replace('(','').replace(')','')) status = "" if "enable" in rule_yaml["fix"]: @@ -2919,7 +3029,7 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' - '''.format(x, rule_yaml['id'] + "_" + odv_label,domain) + '''.format(x, rule_yaml['id'] + "_" + odv_label,domain.replace('(','').replace(')','')) @@ -3140,11 +3250,16 @@ def generate_scap(all_rules, all_baselines, args): domain = command[5].split()[2] domain = domain.replace('"','').replace("'",'') - + ########### + label_obj = '
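Review bot: `domain.replace('(','').replace(')','')` is applied inline inside two `.format(...)` calls (this hunk and the next), while the third positional argument of the same call is still the raw `domain`, so stripped and unstripped forms of one value are mixed in a single template; compute `domain_id = domain.replace('(', '').replace(')', '')` once where `domain` is derived and pass it wherever the value becomes an OVAL id, with a comment such as `# parentheses are not valid in OVAL id attributes`, assuming that is the reason for stripping (the hunk does not say). Other characters invalid in an XML NCName, such as spaces or quotes, are left untouched, so if a domain can contain them the same failure returns. The enclosing block starts outside the hunk.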