From c396f18b24b44816900054222b1b1e5291ab3458 Mon Sep 17 00:00:00 2001 
From: Allen Golbig Date: Thu, 13 Jul 2023 22:17:34 -0400 Subject: [PATCH 01/62] feat[baseline] dev_sonoma dev_sonoma --- CHANGELOG.adoc | 191 +----------- README.adoc | 2 +- VERSION.yaml | 8 +- baselines/800-171.yaml | 180 ------------ baselines/800-53r5_high.yaml | 231 --------------- baselines/800-53r5_low.yaml | 180 ------------ baselines/800-53r5_moderate.yaml | 222 -------------- baselines/DISA-STIG.yaml | 165 ----------- baselines/all_rules.yaml | 4 +- baselines/cis_lvl1.yaml | 113 -------- baselines/cis_lvl2.yaml | 139 --------- baselines/cisv8.yaml | 204 ------------- baselines/cmmc_lvl1.yaml | 97 ------- baselines/cmmc_lvl2.yaml | 221 -------------- baselines/cnssi-1253_high.yaml | 273 ------------------ baselines/cnssi-1253_low.yaml | 254 ---------------- baselines/cnssi-1253_moderate.yaml | 267 ----------------- includes/mscp-data.yaml | 6 +- rules/audit/audit_acls_files_configure.yaml | 2 +- rules/audit/audit_acls_folders_configure.yaml | 2 +- rules/audit/audit_alert_processing_fail.yaml | 2 +- rules/audit/audit_auditd_enabled.yaml | 2 +- .../audit_configure_capacity_notify.yaml | 2 +- rules/audit/audit_control_acls_configure.yaml | 2 +- .../audit/audit_control_group_configure.yaml | 2 +- rules/audit/audit_control_mode_configure.yaml | 2 +- .../audit/audit_control_owner_configure.yaml | 2 +- rules/audit/audit_enforce_dual_auth.yaml | 2 +- rules/audit/audit_failure_halt.yaml | 2 +- rules/audit/audit_files_group_configure.yaml | 2 +- rules/audit/audit_files_mode_configure.yaml | 2 +- rules/audit/audit_files_owner_configure.yaml | 2 +- rules/audit/audit_flags_aa_configure.yaml | 2 +- rules/audit/audit_flags_ad_configure.yaml | 2 +- rules/audit/audit_flags_ex_configure.yaml | 2 +- rules/audit/audit_flags_fd_configure.yaml | 2 +- rules/audit/audit_flags_fm_configure.yaml | 2 +- .../audit_flags_fm_failed_configure.yaml | 2 +- rules/audit/audit_flags_fr_configure.yaml | 2 +- rules/audit/audit_flags_fw_configure.yaml | 2 +- 
rules/audit/audit_flags_lo_configure.yaml | 2 +- rules/audit/audit_folder_group_configure.yaml | 2 +- rules/audit/audit_folder_owner_configure.yaml | 2 +- rules/audit/audit_folders_mode_configure.yaml | 2 +- rules/audit/audit_off_load_records.yaml | 2 +- ...it_record_reduction_report_generation.yaml | 2 +- rules/audit/audit_records_processing.yaml | 2 +- rules/audit/audit_retention_configure.yaml | 2 +- .../audit/audit_settings_failure_notify.yaml | 2 +- .../auth_pam_login_smartcard_enforce.yaml | 2 +- rules/auth/auth_pam_su_smartcard_enforce.yaml | 2 +- .../auth/auth_pam_sudo_smartcard_enforce.yaml | 2 +- rules/auth/auth_smartcard_allow.yaml | 2 +- ...rtcard_certificate_trust_enforce_high.yaml | 2 +- ...rd_certificate_trust_enforce_moderate.yaml | 2 +- rules/auth/auth_smartcard_enforce.yaml | 2 +- ...h_ssh_password_authentication_disable.yaml | 2 +- rules/icloud/icloud_addressbook_disable.yaml | 2 +- ...cloud_appleid_preference_pane_disable.yaml | 2 +- ...cloud_appleid_system_settings_disable.yaml | 2 +- rules/icloud/icloud_bookmarks_disable.yaml | 2 +- rules/icloud/icloud_calendar_disable.yaml | 2 +- rules/icloud/icloud_drive_disable.yaml | 2 +- rules/icloud/icloud_game_center_disable.yaml | 2 +- rules/icloud/icloud_keychain_disable.yaml | 2 +- rules/icloud/icloud_mail_disable.yaml | 2 +- rules/icloud/icloud_notes_disable.yaml | 2 +- rules/icloud/icloud_photos_disable.yaml | 2 +- .../icloud/icloud_private_relay_disable.yaml | 2 +- rules/icloud/icloud_reminders_disable.yaml | 2 +- rules/icloud/icloud_sync_disable.yaml | 2 +- .../os/os_access_control_mobile_devices.yaml | 2 +- rules/os/os_airdrop_disable.yaml | 2 +- rules/os/os_allow_info_passed.yaml | 2 +- rules/os/os_anti_virus_installed.yaml | 2 +- rules/os/os_appleid_prompt_disable.yaml | 2 +- rules/os/os_application_sandboxing.yaml | 2 +- ...s_asl_log_files_owner_group_configure.yaml | 2 +- ...s_asl_log_files_permissions_configure.yaml | 2 +- rules/os/os_auth_peripherals.yaml | 2 +- 
rules/os/os_authenticated_root_enable.yaml | 2 +- rules/os/os_blank_bluray_disable.yaml | 2 +- rules/os/os_blank_cd_disable.yaml | 2 +- rules/os/os_blank_dvd_disable.yaml | 2 +- rules/os/os_bluray_read_only_enforce.yaml | 2 +- rules/os/os_bonjour_disable.yaml | 2 +- rules/os/os_burn_support_disable.yaml | 2 +- rules/os/os_calendar_app_disable.yaml | 2 +- rules/os/os_camera_disable.yaml | 2 +- rules/os/os_cd_read_only_enforce.yaml | 2 +- rules/os/os_certificate_authority_trust.yaml | 2 +- rules/os/os_change_security_attributes.yaml | 2 +- rules/os/os_config_data_install_enforce.yaml | 2 +- .../os_config_profile_ui_install_disable.yaml | 2 +- rules/os/os_continuous_monitoring.yaml | 2 +- rules/os/os_crypto_audit.yaml | 2 +- .../os/os_directory_services_configured.yaml | 2 +- rules/os/os_disk_image_disable.yaml | 2 +- rules/os/os_dvdram_disable.yaml | 2 +- rules/os/os_efi_integrity_validated.yaml | 2 +- rules/os/os_enforce_access_restrictions.yaml | 2 +- ...os_erase_content_and_settings_disable.yaml | 2 +- rules/os/os_error_message.yaml | 2 +- rules/os/os_ess_installed.yaml | 2 +- rules/os/os_facetime_app_disable.yaml | 2 +- rules/os/os_fail_secure_state.yaml | 2 +- rules/os/os_filevault_authorized_users.yaml | 2 +- rules/os/os_filevault_autologin_disable.yaml | 2 +- .../os/os_firewall_default_deny_require.yaml | 2 +- rules/os/os_firewall_log_enable.yaml | 2 +- rules/os/os_firmware_password_require.yaml | 2 +- rules/os/os_gatekeeper_enable.yaml | 2 +- rules/os/os_gatekeeper_rearm.yaml | 2 +- rules/os/os_grant_privs.yaml | 2 +- rules/os/os_guest_folder_removed.yaml | 2 +- rules/os/os_handoff_disable.yaml | 2 +- ...ate_mode_destroyfvkeyonstandby_enable.yaml | 2 +- rules/os/os_hibernate_mode_enable.yaml | 2 +- rules/os/os_home_folders_default.yaml | 2 +- rules/os/os_home_folders_secure.yaml | 2 +- rules/os/os_httpd_disable.yaml | 2 +- .../os/os_icloud_storage_prompt_disable.yaml | 2 +- rules/os/os_identify_non-org_users.yaml | 2 +- rules/os/os_implement_cryptography.yaml 
| 4 +- rules/os/os_implement_memory_protection.yaml | 2 +- rules/os/os_information_validation.yaml | 2 +- .../os_install_log_retention_configure.yaml | 2 +- rules/os/os_ir_support_disable.yaml | 2 +- rules/os/os_isolate_security_functions.yaml | 2 +- rules/os/os_library_validation_enabled.yaml | 2 +- rules/os/os_limit_auditable_events.yaml | 2 +- rules/os/os_limit_dos_attacks.yaml | 2 +- rules/os/os_limit_gui_sessions.yaml | 2 +- rules/os/os_logical_access.yaml | 2 +- .../os/os_logoff_capability_and_message.yaml | 2 +- rules/os/os_mail_app_disable.yaml | 2 +- rules/os/os_malicious_code_prevention.yaml | 2 +- .../os/os_managed_access_control_points.yaml | 2 +- rules/os/os_map_pki_identity.yaml | 2 +- rules/os/os_mdm_require.yaml | 2 +- rules/os/os_messages_app_disable.yaml | 2 +- rules/os/os_mfa_network_access.yaml | 2 +- rules/os/os_mfa_network_non-priv.yaml | 2 +- rules/os/os_mobile_file_integrity_enable.yaml | 2 +- ...newsyslog_files_owner_group_configure.yaml | 2 +- ...newsyslog_files_permissions_configure.yaml | 2 +- rules/os/os_nfsd_disable.yaml | 2 +- rules/os/os_non_repudiation.yaml | 2 +- rules/os/os_nonlocal_maintenance.yaml | 2 +- rules/os/os_notify_account_created.yaml | 2 +- rules/os/os_notify_account_disabled.yaml | 2 +- rules/os/os_notify_account_enable.yaml | 2 +- rules/os/os_notify_account_modified.yaml | 2 +- rules/os/os_notify_account_removal.yaml | 2 +- ...s_notify_unauthorized_baseline_change.yaml | 2 +- rules/os/os_obscure_password.yaml | 2 +- rules/os/os_parental_controls_enable.yaml | 2 +- rules/os/os_password_autofill_disable.yaml | 2 +- rules/os/os_password_hint_remove.yaml | 2 +- rules/os/os_password_proximity_disable.yaml | 2 +- rules/os/os_password_sharing_disable.yaml | 2 +- rules/os/os_peripherals_identify.yaml | 2 +- rules/os/os_pii_deidentification.yaml | 2 +- rules/os/os_pii_quality_control.yaml | 2 +- .../os_policy_banner_loginwindow_enforce.yaml | 2 +- rules/os/os_policy_banner_ssh_configure.yaml | 2 +- 
rules/os/os_policy_banner_ssh_enforce.yaml | 2 +- rules/os/os_power_nap_disable.yaml | 2 +- rules/os/os_power_nap_enable.yaml | 2 +- rules/os/os_predictable_behavior.yaml | 2 +- rules/os/os_prevent_priv_execution.yaml | 2 +- rules/os/os_prevent_priv_functions.yaml | 2 +- .../os_prevent_unauthorized_disclosure.yaml | 2 +- .../os/os_privacy_principle_minimization.yaml | 2 +- rules/os/os_privacy_setup_prompt_disable.yaml | 2 +- ...ibit_remote_activation_collab_devices.yaml | 2 +- rules/os/os_protect_dos_attacks.yaml | 2 +- ..._provide_automated_account_management.yaml | 2 +- .../os_provide_disconnect_remote_access.yaml | 2 +- .../os/os_rapid_security_response_allow.yaml | 2 +- ...pid_security_response_removal_disable.yaml | 2 +- ..._reauth_devices_change_authenticators.yaml | 2 +- rules/os/os_reauth_privilege.yaml | 2 +- ...os_reauth_users_change_authenticators.yaml | 2 +- rules/os/os_recovery_lock_enable.yaml | 2 +- rules/os/os_remote_access_methods.yaml | 2 +- rules/os/os_removable_media_disable.yaml | 2 +- ...ove_software_components_after_updates.yaml | 2 +- rules/os/os_required_crypto_module.yaml | 2 +- rules/os/os_root_disable.yaml | 2 +- ...advertising_privacy_protection_enable.yaml | 2 +- ...os_safari_open_safe_downloads_disable.yaml | 2 +- ...ri_prevent_cross-site_tracking_enable.yaml | 2 +- ...fari_show_full_website_address_enable.yaml | 2 +- ...safari_warn_fraudulent_website_enable.yaml | 2 +- .../os_screensaver_loginwindow_enforce.yaml | 2 +- ...reensaver_timeout_loginwindow_enforce.yaml | 2 +- rules/os/os_secure_boot_verify.yaml | 2 +- rules/os/os_secure_enclave.yaml | 2 +- rules/os/os_secure_name_resolution.yaml | 2 +- rules/os/os_separate_functionality.yaml | 2 +- .../os_show_filename_extensions_enable.yaml | 2 +- rules/os/os_sip_enable.yaml | 2 +- rules/os/os_siri_prompt_disable.yaml | 2 +- .../os/os_skip_screen_time_prompt_enable.yaml | 2 +- .../os/os_skip_unlock_with_watch_enable.yaml | 2 +- rules/os/os_software_update_deferral.yaml | 2 +- 
rules/os/os_ssh_fips_compliant.yaml | 2 +- ..._ssh_server_alive_count_max_configure.yaml | 2 +- ...s_ssh_server_alive_interval_configure.yaml | 2 +- ...sshd_client_alive_count_max_configure.yaml | 2 +- ..._sshd_client_alive_interval_configure.yaml | 2 +- rules/os/os_sshd_fips_140_ciphers.yaml | 2 +- rules/os/os_sshd_fips_140_macs.yaml | 2 +- rules/os/os_sshd_fips_compliant.yaml | 2 +- ...sshd_key_exchange_algorithm_configure.yaml | 2 +- .../os_sshd_login_grace_time_configure.yaml | 2 +- .../os_sshd_permit_root_login_configure.yaml | 2 +- rules/os/os_store_encrypted_passwords.yaml | 2 +- rules/os/os_sudo_timeout_configure.yaml | 2 +- .../os_sudoers_timestamp_type_configure.yaml | 2 +- rules/os/os_system_read_only.yaml | 2 +- ...os_system_wide_applications_configure.yaml | 2 +- .../os_terminal_secure_keyboard_enable.yaml | 2 +- rules/os/os_terminate_session.yaml | 2 +- rules/os/os_tftpd_disable.yaml | 2 +- rules/os/os_time_offset_limit_configure.yaml | 2 +- rules/os/os_time_server_enabled.yaml | 2 +- rules/os/os_touchid_prompt_disable.yaml | 2 +- rules/os/os_unique_identification.yaml | 2 +- ...os_unlock_active_user_session_disable.yaml | 2 +- .../os/os_user_app_installation_prohibit.yaml | 2 +- rules/os/os_uucp_disable.yaml | 2 +- rules/os/os_verify_remote_disconnection.yaml | 2 +- ...rld_writable_library_folder_configure.yaml | 2 +- ...orld_writable_system_folder_configure.yaml | 2 +- rules/pwpolicy/pwpolicy_50_percent.yaml | 2 +- .../pwpolicy_account_inactivity_enforce.yaml | 2 +- .../pwpolicy_account_lockout_enforce.yaml | 2 +- ...olicy_account_lockout_timeout_enforce.yaml | 2 +- .../pwpolicy_alpha_numeric_enforce.yaml | 2 +- .../pwpolicy_emergency_accounts_disable.yaml | 2 +- .../pwpolicy_force_password_change.yaml | 2 +- rules/pwpolicy/pwpolicy_history_enforce.yaml | 2 +- ...pwpolicy_lower_case_character_enforce.yaml | 2 +- .../pwpolicy_max_lifetime_enforce.yaml | 2 +- .../pwpolicy_minimum_length_enforce.yaml | 2 +- .../pwpolicy_minimum_lifetime_enforce.yaml | 
2 +- .../pwpolicy_prevent_dictionary_words.yaml | 2 +- .../pwpolicy_simple_sequence_disable.yaml | 2 +- .../pwpolicy_special_character_enforce.yaml | 2 +- .../pwpolicy_temporary_accounts_disable.yaml | 2 +- ...mporary_or_emergency_accounts_disable.yaml | 2 +- ...pwpolicy_upper_case_character_enforce.yaml | 2 +- .../supplemental/supplemental_cis_manual.yaml | 2 +- rules/supplemental/supplemental_controls.yaml | 2 +- .../supplemental/supplemental_filevault.yaml | 2 +- .../supplemental_firewall_pf.yaml | 2 +- .../supplemental_password_policy.yaml | 2 +- .../supplemental/supplemental_smartcard.yaml | 2 +- rules/supplemental/supplemental_stig.yaml | 6 +- ...tem_settings_airplay_receiver_disable.yaml | 2 +- ...m_settings_apple_watch_unlock_disable.yaml | 2 +- .../system_settings_assistant_disable.yaml | 2 +- ...stem_settings_automatic_login_disable.yaml | 2 +- ...tem_settings_automatic_logout_enforce.yaml | 2 +- .../system_settings_bluetooth_disable.yaml | 2 +- ...system_settings_bluetooth_menu_enable.yaml | 2 +- ...em_settings_bluetooth_sharing_disable.yaml | 2 +- ...ystem_settings_cd_dvd_sharing_disable.yaml | 2 +- ...stem_settings_content_caching_disable.yaml | 2 +- ...tings_critical_update_install_enforce.yaml | 2 +- ..._settings_diagnostics_reports_disable.yaml | 2 +- .../system_settings_filevault_enforce.yaml | 2 +- .../system_settings_find_my_disable.yaml | 2 +- .../system_settings_firewall_enable.yaml | 2 +- ...settings_firewall_stealth_mode_enable.yaml | 2 +- ...ekeeper_identified_developers_allowed.yaml | 2 +- ...settings_gatekeeper_override_disallow.yaml | 2 +- ...tem_settings_guest_access_smb_disable.yaml | 2 +- ...system_settings_guest_account_disable.yaml | 2 +- .../system_settings_hot_corners_disable.yaml | 2 +- .../system_settings_hot_corners_secure.yaml | 2 +- ...ttings_improve_siri_dictation_disable.yaml | 2 +- ...ettings_install_macos_updates_enforce.yaml | 2 +- ...em_settings_internet_accounts_disable.yaml | 2 +- 
...rnet_accounts_preference_pane_disable.yaml | 2 +- ...tem_settings_internet_sharing_disable.yaml | 2 +- ...em_settings_location_services_disable.yaml | 2 +- ...tem_settings_location_services_enable.yaml | 2 +- ...ttings_location_services_menu_enforce.yaml | 2 +- ...gs_loginwindow_loginwindowtext_enable.yaml | 2 +- ...ndow_prompt_username_password_enforce.yaml | 2 +- ...ystem_settings_media_sharing_disabled.yaml | 2 +- ...ystem_settings_password_hints_disable.yaml | 2 +- ...ings_personalized_advertising_disable.yaml | 2 +- ...stem_settings_printer_sharing_disable.yaml | 2 +- .../system_settings_rae_disable.yaml | 2 +- ...em_settings_remote_management_disable.yaml | 2 +- ...ystem_settings_screen_sharing_disable.yaml | 2 +- ...nsaver_ask_for_password_delay_enforce.yaml | 2 +- ...settings_screensaver_password_enforce.yaml | 2 +- ..._settings_screensaver_timeout_enforce.yaml | 2 +- .../system_settings_siri_disable.yaml | 2 +- ...system_settings_siri_prefpane_disable.yaml | 2 +- .../system_settings_smbd_disable.yaml | 2 +- ...gs_software_update_app_update_enforce.yaml | 2 +- ...ings_software_update_download_enforce.yaml | 2 +- ...stem_settings_software_update_enforce.yaml | 2 +- ...ystem_settings_softwareupdate_current.yaml | 2 +- .../system_settings_ssh_disable.yaml | 2 +- .../system_settings_ssh_enable.yaml | 2 +- ...ngs_system_wide_preferences_configure.yaml | 2 +- ...tings_time_machine_auto_backup_enable.yaml | 2 +- ...ings_time_machine_encrypted_configure.yaml | 2 +- ...system_settings_time_server_configure.yaml | 2 +- .../system_settings_time_server_enforce.yaml | 2 +- ...system_settings_token_removal_enforce.yaml | 2 +- ...system_settings_touch_id_pane_disable.yaml | 2 +- ...ystem_settings_touchid_unlock_disable.yaml | 2 +- .../system_settings_usb_restricted_mode.yaml | 2 +- ..._settings_wake_network_access_disable.yaml | 2 +- ...ings_wallet_applepay_prefpane_disable.yaml | 2 +- ...ettings_wallet_applepay_prefpane_hide.yaml | 2 +- 
.../system_settings_wifi_disable.yaml | 2 +- ...fi_disable_when_connected_to_ethernet.yaml | 2 +- .../system_settings_wifi_menu_enable.yaml | 2 +- 327 files changed, 323 insertions(+), 3058 deletions(-)
delete mode 100644 baselines/800-171.yaml
delete mode 100644 baselines/800-53r5_high.yaml
delete mode 100644 baselines/800-53r5_low.yaml
delete mode 100644 baselines/800-53r5_moderate.yaml
delete mode 100644 baselines/DISA-STIG.yaml
delete mode 100644 baselines/cis_lvl1.yaml
delete mode 100644 baselines/cis_lvl2.yaml
delete mode 100644 baselines/cisv8.yaml
delete mode 100644 baselines/cmmc_lvl1.yaml
delete mode 100644 baselines/cmmc_lvl2.yaml
delete mode 100644 baselines/cnssi-1253_high.yaml
delete mode 100644 baselines/cnssi-1253_low.yaml
delete mode 100644 baselines/cnssi-1253_moderate.yaml
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
index 704c620e..574b6d41 100644
--- a/CHANGELOG.adoc
+++ b/CHANGELOG.adoc
@@ -2,193 +2,4 @@ This document provides a high-level view of the changes to the macOS Security Compliance Project.
-== [Ventura, Revision 2.0] - 2023-06-26
-
-* Rules
-** Added Rules
-*** os_home_folders_default
-*** supplemental_stig
-** Modified Rules
-*** audit_acls_files_configure
-*** audit_acls_folders_configure
-*** audit_auditd_enabled
-*** audit_control_mode_configure
-*** audit_files_group_configure
-*** audit_files_mode_configure
-*** audit_files_owner_configure
-*** audit_folder_group_configure
-*** audit_folder_group_configure
-*** audit_folders_mode_configure
-*** auth_ssh_password_authentication_disable
-*** icloud_appleid_preference_pane_disable
-*** icloud_appleid_system_settings_disable
-*** os_anti_virus_installed
-*** os_home_folders_secure
-*** os_policy_banner_loginwindow_enforce
-*** os_policy_banner_ssh_configure
-*** os_policy_banner_ssh_enforce
-*** os_screensaver_timeout_loginwindow_enforce
-*** os_sshd_client_alive_count_max_configure
-*** os_sshd_client_alive_interval_configure
-*** os_sshd_fips_140_ciphers
-*** os_sshd_fips_140_macs
-*** os_sshd_fips_compliant
-*** os_sshd_key_exchange_algorithm_configure
-*** os_sshd_login_grace_time_configure
-*** os_sshd_permit_root_login_configure
-*** pwpolicy_account_lockout_timeout_enforce
-*** pwpolicy_minimum_length_enforce
-*** pwpolicy_special_character_enforce
-*** system_settings_assistant_disable
-*** system_settings_bluetooth_prefpane_disable
-*** system_settings_firewall_enable
-*** system_settings_firewall_stealth_mode_enable
-*** system_settings_guest_account_disable
-*** system_settings_internet_accounts_preference_pane_disable
-*** system_settings_siri_prefpane_disable
-*** system_settings_touch_id_pane_disable
-*** system_settings_usb_restricted_mode
-*** system_settings_wallet_applepay_prefpane_disable
-*** system_settings_wallet_applepay_prefpane_hide
-
-* Baselines
-** Added Baselines
-*** cmmc_lvl1
-*** cmmc_lvl2
-*** cnssi-1253_high
-*** cnssi-1253_moderate
-*** cnssi-1253_low
-*** DISA-STIG
-** Modified Baselines
-*** all_rules
-*** Removed Baselines
-** cnssi-1253
-
-* Scripts
-** generate_guidance
-*** Added base64 support for documentation logo
-*** Added support for CMMC references
-*** Added ssh key generation to compliance script
-*** Added cfc argument to compliance script
-*** Bug Fixes
-** generate_baseline
-*** Bug Fixes
-** generate_scap
-*** Bug Fixes
-
-* Includes
-** mscp-data
-*** Added CMMC data
-*** Updated CNSSI-1253 data
-** supported_payloads
-*** Added com.apple.sharingd
-*** Removed com.apple.locationmenu
-
-== [Ventura, Revision 1.1] - 2022-12-08
-
-* Rules
-** Added Rules
-*** icloud_game_center_disable
-*** os_safari_advertising_privacy_protection_enable
-*** os_safari_prevent_cross-site_tracking_enable
-*** os_safari_show_full_website_address_enable
-*** os_safari_warn_fraudulent_website_enable
-** Modified Rules
-*** os_dvdram_disable
-*** os_hibernate_mode_enable
-*** os_rapid_security_response_removal_disable
-*** os_tftpd_disable
-*** system_settings_automatic_logout_enforce
-*** system_settings_internet_accounts_disable
-*** system_settings_ssh_enable
-*** system_settings_system_wide_preferences_configure
-*** system_settings_time_server_configure
-*** system_settings_time_server_enforce
-*** supplemental_cis_manual
-** Bug fixes
-
-* Baselines
-** Updated all baselines
-
-* Scripts
-** generate_guidance
-*** Added custom references to compliance check script
-*** Added debug option
-*** Bug Fixes
-** generate_baseline
-*** Added author function
-*** Bug Fixes
-** generate_mapping
-*** Bug Fixes
-
-== [Ventura, Revision 1] - 2022-10-20
-
-* Rules
-** Added ODV support
-** Added Rules
-*** icloud_appleid_system_settings_disable
-*** os_config_profile_ui_install_disable
-*** os_firewall_ui_disable
-*** os_power_nap_enable
-*** os_rapid_security_response_allow
-*** os_rapid_security_response_removal_disable
-*** os_software_update_deferral
-*** system_settings_USB_restricted_mode
-*** system_settings_internet_accounts_disable
-** Modified Rules
-*** os_power_nap_disable
-*** os_ssh_fips_compliant
-*** os_ssh_server_alive_count_max_configure
-*** os_ssh_server_alive_interval_configure
-*** os_sshd_client_alive_count_max_configure
-*** os_sshd_client_alive_interval_configure
-*** os_sshd_fips_140_ciphers
-*** os_sshd_fips_140_macs
-*** os_sshd_fips_compliant
-*** os_sshd_key_exchange_algorithm_configure
-*** os_sshd_login_grace_time_configure
-*** os_sshd_permit_root_login_configure
-*** os_sudo_timeout_configure
-*** os_sudoers_timestamp_type_configure
-*** pwpolicy_account_inactivity_enforce.yaml
-*** pwpolicy_account_lockout_enforce.yaml
-*** pwpolicy_account_lockout_timeout_enforce.yaml
-*** pwpolicy_alpha_numeric_enforce.yaml
-*** pwpolicy_history_enforce.yaml
-*** pwpolicy_lower_case_character_enforce.yaml
-*** pwpolicy_max_lifetime_enforce.yaml
-*** pwpolicy_minimum_length_enforce.yaml
-*** pwpolicy_minimum_lifetime_enforce.yaml
-*** pwpolicy_simple_sequence_disable.yaml
-*** pwpolicy_special_character_enforce.yaml
-*** pwpolicy_upper_case_character_enforce.yaml
-*** system_settings_system_wide_preferences_configure
-*** System Preferences -> System Settings
-** Deleted Rules
-*** os_sudoers_tty_configure
-** Bug Fixes
-
-* Baselines
-** Modified existing baselines
-** Added parent_values
-
-* Scripts
-** generate_guidance
-*** Added ODV support
-*** Added Ruby gem generation
-*** Added support for fix/check in compliance script
-*** Added unified log support to compliance script
-*** Bug Fixes
-** generate_baseline
-*** Added ODV support
-*** Added tailoring support
-*** Bug Fixes
-** generate_mappings
-*** Bug Fixes
-** generate_scap
-*** Added support for ODV
-*** Added support for new checks
-*** Generate scap, xccdf, or oval
-*** Bug Fixes
-
-
+== [Sonoma, Revision 1.0] - 2023-XX-XX
\ No newline at end of file
diff --git a/README.adoc b/README.adoc
index 8bc5f2e0..a3e77152 100644
--- a/README.adoc
+++ b/README.adoc
@@ -18,7 +18,7 @@ endif::[]
 ifdef::status[]
 image:https://badgen.net/badge/icon/apple?icon=apple&label[link="https://www.apple.com/"]
-image:https://badgen.net/badge/icon/13.0?icon=apple&label[link="https://www.apple.com/macos"]
+image:https://badgen.net/badge/icon/14.0?icon=apple&label[link="https://www.apple.com/macos"]
 endif::[]
 IMPORTANT: We recommend working off of one of the OS branches, rather than the `main` branch.
diff --git a/VERSION.yaml b/VERSION.yaml
index 8e74529c..ef908160 100644
--- a/VERSION.yaml
+++ b/VERSION.yaml
@@ -1,4 +1,4 @@
-os: "13.0"
-version: "Ventura Guidance, Revision 2.0"
-cpe: o:apple:macos:13.0
-date: "2023-06-26"
+os: "14.0"
+version: "Sonoma Guidance, Revision 1.0"
+cpe: o:apple:macos:14.0
+date: "2023-XX-XX"
diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml
deleted file mode 100644
index 2b44c8c8..00000000
--- a/baselines/800-171.yaml
+++ /dev/null
@@ -1,180 +0,0 @@
-title: "macOS 13.0: Security Configuration - NIST 800-171 Rev 2"
-description: |
- This guide describes the actions to take when securing a macOS 13.0 system against the NIST 800-171 Rev 2 security baseline.
-
- Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
-authors: |
- *macOS Security Compliance Project*
-
- |===
- |Bob Gendler|National Institute of Standards and Technology
- |Dan Brodjieski|National Aeronautics and Space Administration
- |Allen Golbig|Jamf
- |===
-parent_values: "recommended"
-profile:
- - section: "auditing"
- rules:
- - audit_acls_files_configure
- - audit_acls_folders_configure
- - audit_auditd_enabled
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_mode_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_ex_configure
- - audit_flags_fm_failed_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_lo_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_folders_mode_configure
- - audit_settings_failure_notify
- - section: "authentication"
- rules:
- - auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- - auth_smartcard_enforce
- - auth_ssh_password_authentication_disable
- - section: "icloud"
- rules:
- - icloud_addressbook_disable
- - icloud_appleid_system_settings_disable
- - icloud_bookmarks_disable
- - icloud_calendar_disable
- - icloud_drive_disable
- - icloud_game_center_disable
- - icloud_keychain_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_photos_disable
- - icloud_private_relay_disable
- - icloud_reminders_disable
- - icloud_sync_disable
- - section: "macos"
- rules:
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_authenticated_root_enable
- - os_bonjour_disable
- - os_calendar_app_disable
- - os_config_profile_ui_install_disable
- - os_filevault_autologin_disable
- - os_firewall_default_deny_require
- - os_firewall_log_enable
- - os_firmware_password_require
- - os_gatekeeper_enable
- - os_gatekeeper_rearm
- - os_handoff_disable
- - os_home_folders_secure
- - os_httpd_disable
- - os_icloud_storage_prompt_disable
- - os_ir_support_disable
- - os_mdm_require
- - os_nfsd_disable
- - os_password_autofill_disable
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_rapid_security_response_allow
- - os_rapid_security_response_removal_disable
- - os_recovery_lock_enable
- - os_root_disable
- - os_screensaver_loginwindow_enforce
- - os_sip_enable
- - os_siri_prompt_disable
- - os_skip_unlock_with_watch_enable
- - os_ssh_fips_compliant
- - os_ssh_server_alive_count_max_configure
- - os_ssh_server_alive_interval_configure
- - os_sshd_client_alive_count_max_configure
- - os_sshd_client_alive_interval_configure
- - os_sshd_fips_compliant
- - os_tftpd_disable
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_unlock_active_user_session_disable
- - os_uucp_disable
- - section: "passwordpolicy"
- rules:
- - pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- - pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_max_lifetime_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
- - pwpolicy_simple_sequence_disable
- - pwpolicy_special_character_enforce
- - pwpolicy_upper_case_character_enforce
- - section: "systemsettings"
- rules:
- - system_settings_apple_watch_unlock_disable
- - system_settings_automatic_login_disable
- - system_settings_automatic_logout_enforce
- - system_settings_bluetooth_disable
- - system_settings_bluetooth_sharing_disable
- - system_settings_content_caching_disable
- - system_settings_diagnostics_reports_disable
- - system_settings_filevault_enforce
- - system_settings_find_my_disable
- - system_settings_firewall_enable
- - system_settings_firewall_stealth_mode_enable
- - system_settings_gatekeeper_identified_developers_allowed
- - system_settings_gatekeeper_override_disallow
- - system_settings_guest_access_smb_disable
- - system_settings_guest_account_disable
- - system_settings_hot_corners_disable
- - system_settings_improve_siri_dictation_disable
- - system_settings_internet_accounts_disable
- - system_settings_internet_sharing_disable
- - system_settings_location_services_disable
- - system_settings_loginwindow_prompt_username_password_enforce
- - system_settings_media_sharing_disabled
- - system_settings_password_hints_disable
- - system_settings_personalized_advertising_disable
- - system_settings_rae_disable
- - system_settings_screen_sharing_disable
- - system_settings_screensaver_ask_for_password_delay_enforce
- - system_settings_screensaver_password_enforce
- - system_settings_screensaver_timeout_enforce
- - system_settings_siri_disable
- - system_settings_smbd_disable
- - system_settings_ssh_enable
- - system_settings_system_wide_preferences_configure
- - system_settings_time_server_configure
- - system_settings_time_server_enforce
- - system_settings_token_removal_enforce
- - system_settings_touchid_unlock_disable
- - section: "Inherent"
- rules:
- - os_implement_cryptography
- - os_logical_access
- - os_obscure_password
- - os_prevent_priv_functions
- - os_prevent_unauthorized_disclosure
- - os_separate_functionality
- - os_store_encrypted_passwords
- - pwpolicy_force_password_change
- - section: "Permanent"
- rules:
- - pwpolicy_50_percent
- - system_settings_wifi_disable_when_connected_to_ethernet
- - section: "not_applicable"
- rules:
- - os_nonlocal_maintenance
- - section: "Supplemental"
- rules:
- - supplemental_controls
- - supplemental_filevault
- - supplemental_firewall_pf
- - supplemental_password_policy
- - supplemental_smartcard
diff --git a/baselines/800-53r5_high.yaml b/baselines/800-53r5_high.yaml
deleted file mode 100644
index 61727568..00000000
--- a/baselines/800-53r5_high.yaml
+++ /dev/null
@@ -1,231 +0,0 @@
-title: "macOS 13.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact"
-description: |
- This guide describes the actions to take when securing a macOS 13.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline.
-
- Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
-authors: |
- *macOS Security Compliance Project*
-
- |===
- |Bob Gendler|National Institute of Standards and Technology
- |Dan Brodjieski|National Aeronautics and Space Administration
- |Allen Golbig|Jamf
- |===
-parent_values: "recommended"
-profile:
- - section: "auditing"
- rules:
- - audit_acls_files_configure
- - audit_acls_folders_configure
- - audit_auditd_enabled
- - audit_configure_capacity_notify
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_mode_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_ex_configure
- - audit_flags_fd_configure
- - audit_flags_fm_failed_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_lo_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_folders_mode_configure
- - audit_retention_configure
- - audit_settings_failure_notify
- - section: "authentication"
- rules:
- - auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- - auth_smartcard_allow
- - auth_smartcard_certificate_trust_enforce_high
- - auth_smartcard_enforce
- - auth_ssh_password_authentication_disable
- - section: "icloud"
- rules:
- - icloud_addressbook_disable
- - icloud_appleid_system_settings_disable
- - icloud_bookmarks_disable
- - icloud_calendar_disable
- - icloud_drive_disable
- -
icloud_game_center_disable
- - icloud_keychain_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_photos_disable
- - icloud_private_relay_disable
- - icloud_reminders_disable
- - icloud_sync_disable
- - section: "macos"
- rules:
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_asl_log_files_owner_group_configure
- - os_asl_log_files_permissions_configure
- - os_authenticated_root_enable
- - os_bonjour_disable
- - os_calendar_app_disable
- - os_certificate_authority_trust
- - os_config_data_install_enforce
- - os_config_profile_ui_install_disable
- - os_filevault_authorized_users
- - os_filevault_autologin_disable
- - os_firewall_default_deny_require
- - os_firewall_log_enable
- - os_firmware_password_require
- - os_gatekeeper_enable
- - os_gatekeeper_rearm
- - os_handoff_disable
- - os_home_folders_secure
- - os_httpd_disable
- - os_icloud_storage_prompt_disable
- - os_ir_support_disable
- - os_mdm_require
- - os_newsyslog_files_owner_group_configure
- - os_newsyslog_files_permissions_configure
- - os_nfsd_disable
- - os_password_autofill_disable
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_rapid_security_response_allow
- - os_rapid_security_response_removal_disable
- - os_recovery_lock_enable
- - os_root_disable
- - os_screensaver_loginwindow_enforce
- - os_secure_boot_verify
- - os_sip_enable
- - os_siri_prompt_disable
- - os_skip_unlock_with_watch_enable
- - os_ssh_fips_compliant
- - os_ssh_server_alive_count_max_configure
- - os_ssh_server_alive_interval_configure
- - os_sshd_client_alive_count_max_configure
- - os_sshd_client_alive_interval_configure
- - os_sshd_fips_compliant
- - os_sshd_permit_root_login_configure
- - os_sudo_timeout_configure
- - os_sudoers_timestamp_type_configure
- - os_system_read_only
- - os_tftpd_disable
- - os_time_server_enabled
- - os_touchid_prompt_disable
- -
os_unlock_active_user_session_disable
- - os_uucp_disable
- - section: "passwordpolicy"
- rules:
- - pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- - pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_max_lifetime_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
- - pwpolicy_simple_sequence_disable
- - pwpolicy_special_character_enforce
- - pwpolicy_temporary_or_emergency_accounts_disable
- - pwpolicy_upper_case_character_enforce
- - section: "systemsettings"
- rules:
- - system_settings_airplay_receiver_disable
- - system_settings_apple_watch_unlock_disable
- - system_settings_automatic_login_disable
- - system_settings_automatic_logout_enforce
- - system_settings_bluetooth_disable
- - system_settings_bluetooth_sharing_disable
- - system_settings_cd_dvd_sharing_disable
- - system_settings_content_caching_disable
- - system_settings_critical_update_install_enforce
- - system_settings_diagnostics_reports_disable
- - system_settings_filevault_enforce
- - system_settings_find_my_disable
- - system_settings_firewall_enable
- - system_settings_firewall_stealth_mode_enable
- - system_settings_gatekeeper_identified_developers_allowed
- - system_settings_gatekeeper_override_disallow
- - system_settings_guest_access_smb_disable
- - system_settings_guest_account_disable
- - system_settings_hot_corners_disable
- - system_settings_improve_siri_dictation_disable
- - system_settings_internet_accounts_disable
- - system_settings_internet_sharing_disable
- - system_settings_location_services_disable
- - system_settings_loginwindow_prompt_username_password_enforce
- - system_settings_media_sharing_disabled
- - system_settings_password_hints_disable
- - system_settings_personalized_advertising_disable
- - system_settings_printer_sharing_disable
- - system_settings_rae_disable
- -
system_settings_remote_management_disable
- - system_settings_screen_sharing_disable
- - system_settings_screensaver_ask_for_password_delay_enforce
- - system_settings_screensaver_password_enforce
- - system_settings_screensaver_timeout_enforce
- - system_settings_siri_disable
- - system_settings_smbd_disable
- - system_settings_ssh_enable
- - system_settings_system_wide_preferences_configure
- - system_settings_time_server_configure
- - system_settings_time_server_enforce
- - system_settings_token_removal_enforce
- - system_settings_touchid_unlock_disable
- - system_settings_usb_restricted_mode
- - system_settings_wifi_disable
- - section: "Inherent"
- rules:
- - audit_record_reduction_report_generation
- - os_application_sandboxing
- - os_crypto_audit
- - os_enforce_access_restrictions
- - os_fail_secure_state
- - os_implement_cryptography
- - os_implement_memory_protection
- - os_isolate_security_functions
- - os_limit_gui_sessions
- - os_logical_access
- - os_malicious_code_prevention
- - os_obscure_password
- - os_prevent_priv_functions
- - os_prevent_unauthorized_disclosure
- - os_prohibit_remote_activation_collab_devices
- - os_reauth_users_change_authenticators
- - os_required_crypto_module
- - os_separate_functionality
- - os_store_encrypted_passwords
- - os_unique_identification
- - pwpolicy_emergency_accounts_disable
- - pwpolicy_force_password_change
- - pwpolicy_temporary_accounts_disable
- - section: "Permanent"
- rules:
- - audit_records_processing
- - os_auth_peripherals
- - os_continuous_monitoring
- - os_protect_dos_attacks
- - os_provide_automated_account_management
- - os_reauth_devices_change_authenticators
- - os_secure_name_resolution
- - system_settings_wifi_disable_when_connected_to_ethernet
- - section: "not_applicable"
- rules:
- - os_access_control_mobile_devices
- - os_identify_non-org_users
- - os_information_validation
- - os_managed_access_control_points
- - os_non_repudiation
- - os_nonlocal_maintenance
- - section: "Supplemental"
-
rules:
- - supplemental_controls
- - supplemental_filevault
- - supplemental_firewall_pf
- - supplemental_password_policy
- - supplemental_smartcard
diff --git a/baselines/800-53r5_low.yaml b/baselines/800-53r5_low.yaml
deleted file mode 100644
index 36e7420d..00000000
--- a/baselines/800-53r5_low.yaml
+++ /dev/null
@@ -1,180 +0,0 @@
-title: "macOS 13.0: Security Configuration - NIST SP 800-53 Rev 5 Low Impact"
-description: |
- This guide describes the actions to take when securing a macOS 13.0 system against the NIST SP 800-53 Rev 5 Low Impact security baseline.
-
- Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
-authors: |
- *macOS Security Compliance Project*
-
- |===
- |Bob Gendler|National Institute of Standards and Technology
- |Dan Brodjieski|National Aeronautics and Space Administration
- |Allen Golbig|Jamf
- |===
-parent_values: "recommended"
-profile:
- - section: "auditing"
- rules:
- - audit_acls_files_configure
- - audit_acls_folders_configure
- - audit_auditd_enabled
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_mode_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_ex_configure
- - audit_flags_fd_configure
- - audit_flags_fm_failed_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_lo_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_folders_mode_configure
- - audit_retention_configure
- - audit_settings_failure_notify
- - section: "authentication"
- rules:
- - auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- - auth_smartcard_allow
- - auth_smartcard_enforce
- - auth_ssh_password_authentication_disable
- - section: "icloud"
- rules:
- - icloud_addressbook_disable
- - icloud_appleid_system_settings_disable
- - icloud_bookmarks_disable
- - icloud_calendar_disable
- - icloud_drive_disable
- - icloud_game_center_disable
- - icloud_keychain_disable
- - icloud_mail_disable
- - icloud_notes_disable
- -
icloud_photos_disable
- - icloud_private_relay_disable
- - icloud_reminders_disable
- - icloud_sync_disable
- - section: "macos"
- rules:
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_authenticated_root_enable
- - os_bonjour_disable
- - os_calendar_app_disable
- - os_config_data_install_enforce
- - os_config_profile_ui_install_disable
- - os_filevault_autologin_disable
- - os_firewall_log_enable
- - os_gatekeeper_enable
- - os_gatekeeper_rearm
- - os_handoff_disable
- - os_httpd_disable
- - os_icloud_storage_prompt_disable
- - os_ir_support_disable
- - os_mdm_require
- - os_nfsd_disable
- - os_password_autofill_disable
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_rapid_security_response_allow
- - os_rapid_security_response_removal_disable
- - os_root_disable
- - os_sip_enable
- - os_siri_prompt_disable
- - os_skip_unlock_with_watch_enable
- - os_ssh_fips_compliant
- - os_sshd_fips_compliant
- - os_sudo_timeout_configure
- - os_sudoers_timestamp_type_configure
- - os_tftpd_disable
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_unlock_active_user_session_disable
- - os_uucp_disable
- - section: "passwordpolicy"
- rules:
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- - pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_max_lifetime_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
- - pwpolicy_simple_sequence_disable
- - pwpolicy_special_character_enforce
- - pwpolicy_upper_case_character_enforce
- - section: "systemsettings"
- rules:
- - system_settings_airplay_receiver_disable
- - system_settings_automatic_login_disable
- - system_settings_bluetooth_disable
- - system_settings_bluetooth_sharing_disable
- - system_settings_cd_dvd_sharing_disable
- -
system_settings_content_caching_disable
- - system_settings_critical_update_install_enforce
- - system_settings_diagnostics_reports_disable
- - system_settings_find_my_disable
- - system_settings_firewall_enable
- - system_settings_firewall_stealth_mode_enable
- - system_settings_gatekeeper_identified_developers_allowed
- - system_settings_gatekeeper_override_disallow
- - system_settings_guest_access_smb_disable
- - system_settings_guest_account_disable
- - system_settings_improve_siri_dictation_disable
- - system_settings_internet_accounts_disable
- - system_settings_internet_sharing_disable
- - system_settings_location_services_disable
- - system_settings_loginwindow_prompt_username_password_enforce
- - system_settings_media_sharing_disabled
- - system_settings_password_hints_disable
- - system_settings_personalized_advertising_disable
- - system_settings_printer_sharing_disable
- - system_settings_rae_disable
- - system_settings_remote_management_disable
- - system_settings_screen_sharing_disable
- - system_settings_screensaver_timeout_enforce
- - system_settings_siri_disable
- - system_settings_smbd_disable
- - system_settings_ssh_enable
- - system_settings_time_server_configure
- - system_settings_time_server_enforce
- - system_settings_usb_restricted_mode
- - system_settings_wifi_disable
- - section: "Inherent"
- rules:
- - os_application_sandboxing
- - os_implement_cryptography
- - os_logical_access
- - os_malicious_code_prevention
- - os_obscure_password
- - os_prohibit_remote_activation_collab_devices
- - os_reauth_users_change_authenticators
- - os_required_crypto_module
- - os_store_encrypted_passwords
- - os_unique_identification
- - pwpolicy_force_password_change
- - section: "Permanent"
- rules:
- - os_protect_dos_attacks
- - os_reauth_devices_change_authenticators
- - os_secure_name_resolution
- - section: "not_applicable"
- rules:
- - os_access_control_mobile_devices
- - os_identify_non-org_users
- - os_nonlocal_maintenance
- - section:
"Supplemental"
- rules:
- - supplemental_controls
- - supplemental_filevault
- - supplemental_firewall_pf
- - supplemental_password_policy
- - supplemental_smartcard
\ No newline at end of file
diff --git a/baselines/800-53r5_moderate.yaml b/baselines/800-53r5_moderate.yaml
deleted file mode 100644
index 13df87a8..00000000
--- a/baselines/800-53r5_moderate.yaml
+++ /dev/null
@@ -1,222 +0,0 @@
-title: "macOS 13.0: Security Configuration - NIST SP 800-53 Rev 5 Moderate Impact"
-description: |
- This guide describes the actions to take when securing a macOS 13.0 system against the NIST SP 800-53 Rev 5 Moderate Impact security baseline.
-
- Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
-authors: |
- *macOS Security Compliance Project*
-
- |===
- |Bob Gendler|National Institute of Standards and Technology
- |Dan Brodjieski|National Aeronautics and Space Administration
- |Allen Golbig|Jamf
- |===
-parent_values: "recommended"
-profile:
- - section: "auditing"
- rules:
- - audit_acls_files_configure
- - audit_acls_folders_configure
- - audit_auditd_enabled
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_mode_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_ex_configure
- - audit_flags_fd_configure
- - audit_flags_fm_failed_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_lo_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_folders_mode_configure
- - audit_retention_configure
- - audit_settings_failure_notify
- - section: "authentication"
- rules:
- - auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- - auth_smartcard_allow
- - auth_smartcard_certificate_trust_enforce_moderate
- - auth_smartcard_enforce
- - auth_ssh_password_authentication_disable
- - section: "icloud"
- rules:
- - icloud_addressbook_disable
- - icloud_appleid_system_settings_disable
- - icloud_bookmarks_disable
- - icloud_calendar_disable
- - icloud_drive_disable
- - icloud_game_center_disable
- -
icloud_keychain_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_photos_disable
- - icloud_private_relay_disable
- - icloud_reminders_disable
- - icloud_sync_disable
- - section: "macos"
- rules:
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_asl_log_files_owner_group_configure
- - os_asl_log_files_permissions_configure
- - os_authenticated_root_enable
- - os_bonjour_disable
- - os_calendar_app_disable
- - os_certificate_authority_trust
- - os_config_data_install_enforce
- - os_config_profile_ui_install_disable
- - os_filevault_autologin_disable
- - os_firewall_default_deny_require
- - os_firewall_log_enable
- - os_firmware_password_require
- - os_gatekeeper_enable
- - os_gatekeeper_rearm
- - os_handoff_disable
- - os_home_folders_secure
- - os_httpd_disable
- - os_icloud_storage_prompt_disable
- - os_ir_support_disable
- - os_mdm_require
- - os_newsyslog_files_owner_group_configure
- - os_newsyslog_files_permissions_configure
- - os_nfsd_disable
- - os_password_autofill_disable
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_rapid_security_response_allow
- - os_rapid_security_response_removal_disable
- - os_recovery_lock_enable
- - os_root_disable
- - os_screensaver_loginwindow_enforce
- - os_secure_boot_verify
- - os_sip_enable
- - os_siri_prompt_disable
- - os_skip_unlock_with_watch_enable
- - os_ssh_fips_compliant
- - os_ssh_server_alive_count_max_configure
- - os_ssh_server_alive_interval_configure
- - os_sshd_client_alive_count_max_configure
- - os_sshd_client_alive_interval_configure
- - os_sshd_fips_compliant
- - os_sudo_timeout_configure
- - os_sudoers_timestamp_type_configure
- - os_system_read_only
- - os_tftpd_disable
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_unlock_active_user_session_disable
- - os_uucp_disable
- - section: "passwordpolicy"
- rules:
- -
pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- - pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_max_lifetime_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
- - pwpolicy_simple_sequence_disable
- - pwpolicy_special_character_enforce
- - pwpolicy_temporary_or_emergency_accounts_disable
- - pwpolicy_upper_case_character_enforce
- - section: "systemsettings"
- rules:
- - system_settings_airplay_receiver_disable
- - system_settings_apple_watch_unlock_disable
- - system_settings_automatic_login_disable
- - system_settings_automatic_logout_enforce
- - system_settings_bluetooth_disable
- - system_settings_bluetooth_sharing_disable
- - system_settings_cd_dvd_sharing_disable
- - system_settings_content_caching_disable
- - system_settings_critical_update_install_enforce
- - system_settings_diagnostics_reports_disable
- - system_settings_filevault_enforce
- - system_settings_find_my_disable
- - system_settings_firewall_enable
- - system_settings_firewall_stealth_mode_enable
- - system_settings_gatekeeper_identified_developers_allowed
- - system_settings_gatekeeper_override_disallow
- - system_settings_guest_access_smb_disable
- - system_settings_guest_account_disable
- - system_settings_hot_corners_disable
- - system_settings_improve_siri_dictation_disable
- - system_settings_internet_accounts_disable
- - system_settings_internet_sharing_disable
- - system_settings_location_services_disable
- - system_settings_loginwindow_prompt_username_password_enforce
- - system_settings_media_sharing_disabled
- - system_settings_password_hints_disable
- - system_settings_personalized_advertising_disable
- - system_settings_printer_sharing_disable
- - system_settings_rae_disable
- - system_settings_remote_management_disable
- - system_settings_screen_sharing_disable
- -
system_settings_screensaver_ask_for_password_delay_enforce
- - system_settings_screensaver_password_enforce
- - system_settings_screensaver_timeout_enforce
- - system_settings_siri_disable
- - system_settings_smbd_disable
- - system_settings_ssh_enable
- - system_settings_system_wide_preferences_configure
- - system_settings_time_server_configure
- - system_settings_time_server_enforce
- - system_settings_token_removal_enforce
- - system_settings_touchid_unlock_disable
- - system_settings_usb_restricted_mode
- - system_settings_wifi_disable
- - section: "Inherent"
- rules:
- - audit_record_reduction_report_generation
- - os_application_sandboxing
- - os_implement_cryptography
- - os_implement_memory_protection
- - os_logical_access
- - os_malicious_code_prevention
- - os_obscure_password
- - os_prevent_priv_functions
- - os_prevent_unauthorized_disclosure
- - os_prohibit_remote_activation_collab_devices
- - os_reauth_users_change_authenticators
- - os_required_crypto_module
- - os_separate_functionality
- - os_store_encrypted_passwords
- - os_unique_identification
- - pwpolicy_emergency_accounts_disable
- - pwpolicy_force_password_change
- - pwpolicy_temporary_accounts_disable
- - section: "Permanent"
- rules:
- - audit_records_processing
- - os_auth_peripherals
- - os_continuous_monitoring
- - os_protect_dos_attacks
- - os_provide_automated_account_management
- - os_reauth_devices_change_authenticators
- - os_secure_name_resolution
- - system_settings_wifi_disable_when_connected_to_ethernet
- - section: "not_applicable"
- rules:
- - os_access_control_mobile_devices
- - os_identify_non-org_users
- - os_information_validation
- - os_managed_access_control_points
- - os_nonlocal_maintenance
- - section: "Supplemental"
- rules:
- - supplemental_controls
- - supplemental_filevault
- - supplemental_firewall_pf
- - supplemental_password_policy
- - supplemental_smartcard
diff --git a/baselines/DISA-STIG.yaml b/baselines/DISA-STIG.yaml
deleted file mode 100644
index 03dc8508..00000000
--- a/baselines/DISA-STIG.yaml
+++ /dev/null
@@ -1,165 +0,0 @@
-title: "macOS 13.0: Security Configuration - Apple macOS 13 (Ventura) DISA STIG - Ver 1, Rel 1"
-description: |
- This guide describes the actions to take when securing a macOS 13.0 system against the Apple macOS 13 (Ventura) STIG - Ver 1, Rel 1 security baseline.
-authors: |
- *macOS Security Compliance Project*
-
- |===
- |Dan Brodjieski|National Aeronautics and Space Administration
- |Allen Golbig|Jamf
- |Bob Gendler|National Institute of Standards and Technology
- |===
-parent_values: "stig"
-profile:
- - section: "auditing"
- rules:
- - audit_acls_files_configure
- - audit_acls_folders_configure
- - audit_auditd_enabled
- - audit_configure_capacity_notify
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_mode_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_fd_configure
- - audit_flags_fm_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_lo_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_folders_mode_configure
- - audit_settings_failure_notify
- - section: "authentication"
- rules:
- - auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- - auth_smartcard_allow
- - auth_smartcard_certificate_trust_enforce_moderate
- - auth_smartcard_enforce
- - section: "icloud"
- rules:
- - icloud_addressbook_disable
- - icloud_appleid_preference_pane_disable
- - icloud_bookmarks_disable
- - icloud_calendar_disable
- - icloud_drive_disable
- - icloud_keychain_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_photos_disable
- - icloud_reminders_disable
- - section: "macos"
- rules:
- - os_airdrop_disable
- - os_anti_virus_installed
- - os_appleid_prompt_disable
- - os_asl_log_files_owner_group_configure
- - os_asl_log_files_permissions_configure
- - os_blank_bluray_disable
- - os_blank_cd_disable
- - os_blank_dvd_disable
- -
os_bluray_read_only_enforce
- - os_bonjour_disable
- - os_burn_support_disable
- - os_camera_disable
- - os_cd_read_only_enforce
- - os_certificate_authority_trust
- - os_config_data_install_enforce
- - os_directory_services_configured
- - os_disk_image_disable
- - os_dvdram_disable
- - os_erase_content_and_settings_disable
- - os_filevault_authorized_users
- - os_filevault_autologin_disable
- - os_firmware_password_require
- - os_gatekeeper_enable
- - os_handoff_disable
- - os_home_folders_default
- - os_httpd_disable
- - os_icloud_storage_prompt_disable
- - os_newsyslog_files_owner_group_configure
- - os_newsyslog_files_permissions_configure
- - os_nfsd_disable
- - os_password_proximity_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_privacy_setup_prompt_disable
- - os_removable_media_disable
- - os_screensaver_loginwindow_enforce
- - os_screensaver_timeout_loginwindow_enforce
- - os_sip_enable
- - os_siri_prompt_disable
- - os_skip_screen_time_prompt_enable
- - os_skip_unlock_with_watch_enable
- - os_sshd_client_alive_count_max_configure
- - os_sshd_client_alive_interval_configure
- - os_sshd_fips_140_ciphers
- - os_sshd_fips_140_macs
- - os_sshd_key_exchange_algorithm_configure
- - os_sshd_login_grace_time_configure
- - os_sshd_permit_root_login_configure
- - os_sudo_timeout_configure
- - os_tftpd_disable
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_uucp_disable
- - section: "passwordpolicy"
- rules:
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- - pwpolicy_history_enforce
- - pwpolicy_max_lifetime_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_simple_sequence_disable
- - pwpolicy_special_character_enforce
- - pwpolicy_temporary_or_emergency_accounts_disable
- - section: "systemsettings"
- rules:
- - system_settings_apple_watch_unlock_disable
- - system_settings_assistant_disable
- -
system_settings_automatic_login_disable
- - system_settings_bluetooth_disable
- - system_settings_bluetooth_prefpane_disable
- - system_settings_diagnostics_reports_disable
- - system_settings_filevault_enforce
- - system_settings_firewall_enable
- - system_settings_firewall_stealth_mode_enable
- - system_settings_gatekeeper_identified_developers_allowed
- - system_settings_guest_account_disable
- - system_settings_hot_corners_disable
- - system_settings_improve_siri_dictation_disable
- - system_settings_internet_accounts_preference_pane_disable
- - system_settings_internet_sharing_disable
- - system_settings_location_services_disable
- - system_settings_loginwindow_prompt_username_password_enforce
- - system_settings_password_hints_disable
- - system_settings_rae_disable
- - system_settings_screen_sharing_disable
- - system_settings_screensaver_ask_for_password_delay_enforce
- - system_settings_screensaver_password_enforce
- - system_settings_screensaver_timeout_enforce
- - system_settings_siri_disable
- - system_settings_siri_prefpane_disable
- - system_settings_smbd_disable
- - system_settings_ssh_disable
- - system_settings_system_wide_preferences_configure
- - system_settings_time_server_configure
- - system_settings_time_server_enforce
- - system_settings_token_removal_enforce
- - system_settings_touch_id_pane_disable
- - system_settings_wallet_applepay_prefpane_disable
- - system_settings_wallet_applepay_prefpane_hide
- - section: "Supplemental"
- rules:
- - supplemental_controls
- - supplemental_filevault
- - supplemental_firewall_pf
- - supplemental_password_policy
- - supplemental_smartcard
- - supplemental_stig
diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
index 2333e8f4..0d136322 100644
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -1,6 +1,6 @@
-title: "macOS 13.0: Security Configuration - All Rules"
+title: "macOS 14.0: Security Configuration - All Rules"
 description: |
- This guide describes the actions to take when securing a macOS 13.0 system against the All Rules security baseline.
+ This guide describes the actions to take when securing a macOS 14.0 system against the All Rules security baseline.
 Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml
deleted file mode 100644
index b677cf73..00000000
--- a/baselines/cis_lvl1.yaml
+++ /dev/null
@@ -1,113 +0,0 @@
-title: "macOS 13.0: Security Configuration - CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1)"
-description: |
- This guide describes the actions to take when securing a macOS 13.0 system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1) security baseline.
-authors: |
- *macOS Security Compliance Project*
-
- The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®)
- |===
- |Edward Byrd|Center for Internet Security
- |Ron Colvin|Center for Internet Security
- |Allen Golbig|Jamf
- |===
-parent_values: "cis_lvl1"
-profile:
- - section: "auditing"
- rules:
- - audit_acls_files_configure
- - audit_acls_folders_configure
- - audit_auditd_enabled
- - audit_control_acls_configure
- - audit_control_group_configure
- - audit_control_mode_configure
- - audit_control_owner_configure
- - audit_files_group_configure
- - audit_files_mode_configure
- - audit_files_owner_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_folders_mode_configure
- - audit_retention_configure
- - section: "macos"
- rules:
- - os_airdrop_disable
- - os_authenticated_root_enable
- - os_config_data_install_enforce
- - os_efi_integrity_validated
- - os_firewall_log_enable
- - os_gatekeeper_enable
- - os_guest_folder_removed
- - os_home_folders_secure
- - os_httpd_disable
- - os_install_log_retention_configure
- - os_mobile_file_integrity_enable
- - os_nfsd_disable
- - os_password_hint_remove
- - os_power_nap_disable
- - os_root_disable
- - os_safari_advertising_privacy_protection_enable
- - os_safari_open_safe_downloads_disable
- - os_safari_prevent_cross-site_tracking_enable
- - os_safari_show_full_website_address_enable
- - os_safari_warn_fraudulent_website_enable
- - os_show_filename_extensions_enable
- - os_sip_enable
- - os_software_update_deferral
- - os_sudo_timeout_configure
- - os_sudoers_timestamp_type_configure
- - os_system_wide_applications_configure
- -
os_terminal_secure_keyboard_enable
- - os_time_offset_limit_configure
- - os_unlock_active_user_session_disable
- - os_world_writable_system_folder_configure
- - section: "passwordpolicy"
- rules:
- - pwpolicy_account_lockout_enforce
- - pwpolicy_history_enforce
- - pwpolicy_max_lifetime_enforce
- - pwpolicy_minimum_length_enforce
- - section: "systemsettings"
- rules:
- - system_settings_airplay_receiver_disable
- - system_settings_automatic_login_disable
- - system_settings_bluetooth_menu_enable
- - system_settings_bluetooth_sharing_disable
- - system_settings_cd_dvd_sharing_disable
- - system_settings_critical_update_install_enforce
- - system_settings_filevault_enforce
- - system_settings_firewall_enable
- - system_settings_firewall_stealth_mode_enable
- - system_settings_guest_access_smb_disable
- - system_settings_guest_account_disable
- - system_settings_install_macos_updates_enforce
- - system_settings_internet_sharing_disable
- - system_settings_loginwindow_loginwindowtext_enable
- - system_settings_loginwindow_prompt_username_password_enforce
- - system_settings_password_hints_disable
- - system_settings_personalized_advertising_disable
- - system_settings_printer_sharing_disable
- - system_settings_rae_disable
- - system_settings_remote_management_disable
- - system_settings_screen_sharing_disable
- - system_settings_screensaver_ask_for_password_delay_enforce
- - system_settings_screensaver_timeout_enforce
- - system_settings_smbd_disable
- - system_settings_software_update_app_update_enforce
- - system_settings_software_update_download_enforce
- - system_settings_software_update_enforce
- - system_settings_softwareupdate_current
- - system_settings_ssh_disable
- - system_settings_system_wide_preferences_configure
- - system_settings_time_machine_encrypted_configure
- - system_settings_time_server_configure
- - system_settings_time_server_enforce
- - system_settings_wake_network_access_disable
- - system_settings_wifi_menu_enable
- - section:
"Supplemental"
- rules:
- - supplemental_cis_manual
- - supplemental_controls
- - supplemental_filevault
- - supplemental_firewall_pf
- - supplemental_password_policy
- - supplemental_smartcard
diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml
deleted file mode 100644
index 8ce92cd2..00000000
--- a/baselines/cis_lvl2.yaml
+++ /dev/null
@@ -1,139 +0,0 @@ -title: "macOS 13.0: Security Configuration - CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2)" -description: | - This guide describes the actions to take when securing a macOS 13.0 system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2) security baseline. -authors: | - *macOS Security Compliance Project* - - The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®) - |=== - |Edward Byrd|Center for Internet Security - |Ron Colvin|Center for Internet Security - |Allen Golbig|Jamf - |=== -parent_values: "cis_lvl2" -profile: - - section: "auditing" - rules: - - audit_acls_files_configure - - audit_acls_folders_configure - - audit_auditd_enabled - - audit_control_acls_configure - - audit_control_group_configure - - audit_control_mode_configure - - audit_control_owner_configure - - audit_files_group_configure - - audit_files_mode_configure - - audit_files_owner_configure - - audit_flags_aa_configure - - audit_flags_ad_configure - - audit_flags_ex_configure - - audit_flags_fm_failed_configure - - audit_flags_fr_configure - - audit_flags_fw_configure - - audit_flags_lo_configure - - audit_folder_group_configure - - audit_folder_owner_configure - - audit_folders_mode_configure - - audit_retention_configure - - section: "icloud" - rules: - - icloud_sync_disable - - section: "macos" - rules: - - os_airdrop_disable - - os_authenticated_root_enable - - os_bonjour_disable - - os_config_data_install_enforce - - os_efi_integrity_validated - - os_firewall_log_enable - - os_gatekeeper_enable - - os_guest_folder_removed - - os_hibernate_mode_destroyfvkeyonstandby_enable - - os_hibernate_mode_enable - - os_home_folders_secure - - os_httpd_disable - - os_install_log_retention_configure - - os_mobile_file_integrity_enable - - os_nfsd_disable - - os_password_hint_remove - - os_policy_banner_loginwindow_enforce - - os_power_nap_disable - - os_root_disable - - 
os_safari_advertising_privacy_protection_enable
- - os_safari_open_safe_downloads_disable
- - os_safari_prevent_cross-site_tracking_enable
- - os_safari_show_full_website_address_enable
- - os_safari_warn_fraudulent_website_enable
- - os_show_filename_extensions_enable
- - os_sip_enable
- - os_software_update_deferral
- - os_sudo_timeout_configure
- - os_sudoers_timestamp_type_configure
- - os_system_wide_applications_configure
- - os_terminal_secure_keyboard_enable
- - os_time_offset_limit_configure
- - os_unlock_active_user_session_disable
- - os_world_writable_library_folder_configure
- - os_world_writable_system_folder_configure
- - section: "passwordpolicy"
- rules:
- - pwpolicy_account_lockout_enforce
- - pwpolicy_alpha_numeric_enforce
- - pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_max_lifetime_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_special_character_enforce
- - pwpolicy_upper_case_character_enforce
- - section: "systemsettings"
- rules:
- - system_settings_airplay_receiver_disable
- - system_settings_automatic_login_disable
- - system_settings_bluetooth_menu_enable
- - system_settings_bluetooth_sharing_disable
- - system_settings_cd_dvd_sharing_disable
- - system_settings_content_caching_disable
- - system_settings_critical_update_install_enforce
- - system_settings_diagnostics_reports_disable
- - system_settings_filevault_enforce
- - system_settings_firewall_enable
- - system_settings_firewall_stealth_mode_enable
- - system_settings_guest_access_smb_disable
- - system_settings_guest_account_disable
- - system_settings_hot_corners_secure
- - system_settings_install_macos_updates_enforce
- - system_settings_internet_sharing_disable
- - system_settings_location_services_enable
- - system_settings_location_services_menu_enforce
- - system_settings_loginwindow_loginwindowtext_enable
- - system_settings_loginwindow_prompt_username_password_enforce
- - system_settings_media_sharing_disabled
- - 
system_settings_password_hints_disable
- - system_settings_personalized_advertising_disable
- - system_settings_printer_sharing_disable
- - system_settings_rae_disable
- - system_settings_remote_management_disable
- - system_settings_screen_sharing_disable
- - system_settings_screensaver_ask_for_password_delay_enforce
- - system_settings_screensaver_timeout_enforce
- - system_settings_smbd_disable
- - system_settings_software_update_app_update_enforce
- - system_settings_software_update_download_enforce
- - system_settings_software_update_enforce
- - system_settings_softwareupdate_current
- - system_settings_ssh_disable
- - system_settings_system_wide_preferences_configure
- - system_settings_time_machine_auto_backup_enable
- - system_settings_time_machine_encrypted_configure
- - system_settings_time_server_configure
- - system_settings_time_server_enforce
- - system_settings_wake_network_access_disable
- - system_settings_wifi_menu_enable
- - section: "Supplemental"
- rules:
- - supplemental_cis_manual
- - supplemental_controls
- - supplemental_filevault
- - supplemental_firewall_pf
- - supplemental_password_policy
- - supplemental_smartcard
\ No newline at end of file
diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml
deleted file mode 100644
index 4f2b39fb..00000000
--- a/baselines/cisv8.yaml
+++ /dev/null
@@ -1,204 +0,0 @@ -title: "macOS 13.0: Security Configuration - CIS Controls Version 8" -description: | - This guide describes the actions to take when securing a macOS 13.0 system against the CIS Controls Version 8 security baseline. - - Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. -authors: | - *macOS Security Compliance Project* - - CIS Critical Security Controls® (CIS Controls®) are referenced with the permission and support of the Center for Internet Security® (CIS®) - |=== - |Edward Byrd|Center for Internet Security - |Bob Gendler|National Institute of Standards and Technology - |Dan Brodjieski|National Aeronautics and Space Administration - |Allen Golbig|Jamf - |=== -parent_values: "recommended" -profile: - - section: "auditing" - rules: - - audit_acls_files_configure - - audit_acls_folders_configure - - audit_auditd_enabled - - audit_control_acls_configure - - audit_control_group_configure - - audit_control_mode_configure - - audit_control_owner_configure - - audit_files_group_configure - - audit_files_mode_configure - - audit_files_owner_configure - - audit_flags_aa_configure - - audit_flags_ad_configure - - audit_flags_ex_configure - - audit_flags_fm_failed_configure - - audit_flags_fr_configure - - audit_flags_fw_configure - - audit_flags_lo_configure - - audit_folder_group_configure - - audit_folder_owner_configure - - audit_folders_mode_configure - - audit_retention_configure - - section: "authentication" - rules: - - auth_pam_login_smartcard_enforce - - auth_pam_su_smartcard_enforce - - auth_pam_sudo_smartcard_enforce - - auth_smartcard_allow - - auth_smartcard_enforce - - auth_ssh_password_authentication_disable - - section: "icloud" - rules: - - icloud_addressbook_disable - - 
icloud_appleid_system_settings_disable
- - icloud_bookmarks_disable
- - icloud_calendar_disable
- - icloud_drive_disable
- - icloud_game_center_disable
- - icloud_keychain_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_photos_disable
- - icloud_reminders_disable
- - icloud_sync_disable
- - section: "macos"
- rules:
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_authenticated_root_enable
- - os_bonjour_disable
- - os_calendar_app_disable
- - os_config_data_install_enforce
- - os_directory_services_configured
- - os_efi_integrity_validated
- - os_ess_installed
- - os_filevault_autologin_disable
- - os_firewall_log_enable
- - os_gatekeeper_enable
- - os_gatekeeper_rearm
- - os_handoff_disable
- - os_hibernate_mode_destroyfvkeyonstandby_enable
- - os_hibernate_mode_enable
- - os_home_folders_secure
- - os_httpd_disable
- - os_icloud_storage_prompt_disable
- - os_install_log_retention_configure
- - os_ir_support_disable
- - os_library_validation_enabled
- - os_mdm_require
- - os_mobile_file_integrity_enable
- - os_nfsd_disable
- - os_password_autofill_disable
- - os_password_hint_remove
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_power_nap_disable
- - os_privacy_setup_prompt_disable
- - os_root_disable
- - os_safari_advertising_privacy_protection_enable
- - os_safari_open_safe_downloads_disable
- - os_safari_prevent_cross-site_tracking_enable
- - os_safari_show_full_website_address_enable
- - os_safari_warn_fraudulent_website_enable
- - os_show_filename_extensions_enable
- - os_sip_enable
- - os_siri_prompt_disable
- - os_skip_unlock_with_watch_enable
- - os_sudo_timeout_configure
- - os_sudoers_timestamp_type_configure
- - os_system_wide_applications_configure
- - os_terminal_secure_keyboard_enable
- - os_tftpd_disable
- - os_time_offset_limit_configure
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_unlock_active_user_session_disable
- - os_uucp_disable
- - 
os_world_writable_library_folder_configure
- - os_world_writable_system_folder_configure
- - section: "passwordpolicy"
- rules:
- - pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- - pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_max_lifetime_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
- - pwpolicy_simple_sequence_disable
- - pwpolicy_special_character_enforce
- - pwpolicy_upper_case_character_enforce
- - section: "systemsettings"
- rules:
- - system_settings_airplay_receiver_disable
- - system_settings_automatic_login_disable
- - system_settings_bluetooth_disable
- - system_settings_bluetooth_menu_enable
- - system_settings_bluetooth_sharing_disable
- - system_settings_cd_dvd_sharing_disable
- - system_settings_content_caching_disable
- - system_settings_critical_update_install_enforce
- - system_settings_diagnostics_reports_disable
- - system_settings_filevault_enforce
- - system_settings_find_my_disable
- - system_settings_firewall_enable
- - system_settings_firewall_stealth_mode_enable
- - system_settings_guest_access_smb_disable
- - system_settings_guest_account_disable
- - system_settings_hot_corners_secure
- - system_settings_improve_siri_dictation_disable
- - system_settings_install_macos_updates_enforce
- - system_settings_internet_accounts_disable
- - system_settings_internet_sharing_disable
- - system_settings_location_services_enable
- - system_settings_loginwindow_loginwindowtext_enable
- - system_settings_loginwindow_prompt_username_password_enforce
- - system_settings_media_sharing_disabled
- - system_settings_password_hints_disable
- - system_settings_personalized_advertising_disable
- - system_settings_printer_sharing_disable
- - system_settings_rae_disable
- - system_settings_remote_management_disable
- - system_settings_screen_sharing_disable
- - 
system_settings_screensaver_ask_for_password_delay_enforce
- - system_settings_screensaver_timeout_enforce
- - system_settings_siri_disable
- - system_settings_smbd_disable
- - system_settings_software_update_app_update_enforce
- - system_settings_software_update_download_enforce
- - system_settings_software_update_enforce
- - system_settings_softwareupdate_current
- - system_settings_ssh_disable
- - system_settings_system_wide_preferences_configure
- - system_settings_time_machine_auto_backup_enable
- - system_settings_time_machine_encrypted_configure
- - system_settings_time_server_configure
- - system_settings_time_server_enforce
- - system_settings_wake_network_access_disable
- - system_settings_wifi_disable
- - system_settings_wifi_menu_enable
- - section: "Inherent"
- rules:
- - os_logical_access
- - os_malicious_code_prevention
- - os_mfa_network_access
- - os_obscure_password
- - os_store_encrypted_passwords
- - os_unique_identification
- - pwpolicy_force_password_change
- - section: "Permanent"
- rules:
- - audit_off_load_records
- - os_auth_peripherals
- - os_secure_name_resolution
- - section: "not_applicable"
- rules:
- - os_access_control_mobile_devices
- - section: "Supplemental"
- rules:
- - supplemental_controls
- - supplemental_filevault
- - supplemental_firewall_pf
- - supplemental_password_policy
- - supplemental_smartcard
\ No newline at end of file
diff --git a/baselines/cmmc_lvl1.yaml b/baselines/cmmc_lvl1.yaml
deleted file mode 100644
index bf5f4204..00000000
--- a/baselines/cmmc_lvl1.yaml
+++ /dev/null
@@ -1,97 +0,0 @@ -title: "macOS 13.0: Security Configuration - US CMMC 2.0 Level 1" -description: | - This guide describes the actions to take when securing a macOS 13.0 system against the US CMMC 2.0 Level 1 security baseline. - - Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. -authors: | - *macOS Security Compliance Project* - - |=== - |John Mahlman|Leidos - |Bob Gendler|National Institute of Standards and Technology - |Dan Brodjieski|National Aeronautics and Space Administration - |Allen Golbig|Jamf - |=== -parent_values: "recommended" -profile: - - section: "authentication" - rules: - - auth_smartcard_allow - - auth_smartcard_enforce - - auth_ssh_password_authentication_disable - - section: "icloud" - rules: - - icloud_addressbook_disable - - icloud_appleid_system_settings_disable - - icloud_bookmarks_disable - - icloud_calendar_disable - - icloud_drive_disable - - icloud_game_center_disable - - icloud_keychain_disable - - icloud_mail_disable - - icloud_notes_disable - - icloud_photos_disable - - icloud_private_relay_disable - - icloud_reminders_disable - - icloud_sync_disable - - section: "macos" - rules: - - os_airdrop_disable - - os_appleid_prompt_disable - - os_authenticated_root_enable - - os_config_data_install_enforce - - os_filevault_autologin_disable - - os_firewall_log_enable - - os_firmware_password_require - - os_gatekeeper_enable - - os_gatekeeper_rearm - - os_handoff_disable - - os_home_folders_secure - - os_httpd_disable - - os_icloud_storage_prompt_disable - - os_nfsd_disable - - os_rapid_security_response_allow - - os_rapid_security_response_removal_disable - - os_recovery_lock_enable - - os_root_disable - - os_sip_enable - - os_siri_prompt_disable - - os_skip_unlock_with_watch_enable - - 
os_tftpd_disable
- - os_unlock_active_user_session_disable
- - os_uucp_disable
- - section: "systemsettings"
- rules:
- - system_settings_automatic_login_disable
- - system_settings_bluetooth_sharing_disable
- - system_settings_critical_update_install_enforce
- - system_settings_diagnostics_reports_disable
- - system_settings_find_my_disable
- - system_settings_firewall_enable
- - system_settings_firewall_stealth_mode_enable
- - system_settings_guest_access_smb_disable
- - system_settings_guest_account_disable
- - system_settings_improve_siri_dictation_disable
- - system_settings_internet_accounts_disable
- - system_settings_internet_sharing_disable
- - system_settings_loginwindow_prompt_username_password_enforce
- - system_settings_media_sharing_disabled
- - system_settings_personalized_advertising_disable
- - system_settings_rae_disable
- - system_settings_screen_sharing_disable
- - system_settings_siri_disable
- - system_settings_smbd_disable
- - system_settings_ssh_disable
- - system_settings_ssh_enable
- - system_settings_system_wide_preferences_configure
- - section: "Inherent"
- rules:
- - os_logical_access
- - os_malicious_code_prevention
- - section: "Supplemental"
- rules:
- - supplemental_controls
- - supplemental_filevault
- - supplemental_firewall_pf
- - supplemental_password_policy
- - supplemental_smartcard
diff --git a/baselines/cmmc_lvl2.yaml b/baselines/cmmc_lvl2.yaml
deleted file mode 100644
index 08b66fa2..00000000
--- a/baselines/cmmc_lvl2.yaml
+++ /dev/null
@@ -1,221 +0,0 @@ -title: "macOS 13.0: Security Configuration - US CMMC 2.0 Level 2" -description: | - This guide describes the actions to take when securing a macOS 13.0 system against the US CMMC 2.0 Level 2 security baseline. - - Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. -authors: | - *macOS Security Compliance Project* - - |=== - |John Mahlman|Leidos - |Bob Gendler|National Institute of Standards and Technology - |Dan Brodjieski|National Aeronautics and Space Administration - |Allen Golbig|Jamf - |=== -parent_values: "recommended" -profile: - - section: "auditing" - rules: - - audit_acls_files_configure - - audit_acls_folders_configure - - audit_auditd_enabled - - audit_control_acls_configure - - audit_control_group_configure - - audit_control_mode_configure - - audit_control_owner_configure - - audit_failure_halt - - audit_files_group_configure - - audit_files_mode_configure - - audit_files_owner_configure - - audit_flags_aa_configure - - audit_flags_ad_configure - - audit_flags_ex_configure - - audit_flags_fd_configure - - audit_flags_fm_configure - - audit_flags_fm_failed_configure - - audit_flags_fr_configure - - audit_flags_fw_configure - - audit_flags_lo_configure - - audit_folder_group_configure - - audit_folder_owner_configure - - audit_folders_mode_configure - - audit_retention_configure - - audit_settings_failure_notify - - section: "authentication" - rules: - - auth_pam_login_smartcard_enforce - - auth_pam_su_smartcard_enforce - - auth_pam_sudo_smartcard_enforce - - auth_smartcard_allow - - auth_smartcard_certificate_trust_enforce_moderate - - auth_smartcard_enforce - - auth_ssh_password_authentication_disable - - section: "icloud" - rules: - - icloud_addressbook_disable - - 
icloud_appleid_system_settings_disable
- - icloud_bookmarks_disable
- - icloud_calendar_disable
- - icloud_drive_disable
- - icloud_game_center_disable
- - icloud_keychain_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_photos_disable
- - icloud_private_relay_disable
- - icloud_reminders_disable
- - icloud_sync_disable
- - section: "macos"
- rules:
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_authenticated_root_enable
- - os_blank_bluray_disable
- - os_blank_cd_disable
- - os_blank_dvd_disable
- - os_bluray_read_only_enforce
- - os_bonjour_disable
- - os_burn_support_disable
- - os_cd_read_only_enforce
- - os_certificate_authority_trust
- - os_config_data_install_enforce
- - os_config_profile_ui_install_disable
- - os_disk_image_disable
- - os_dvdram_disable
- - os_erase_content_and_settings_disable
- - os_filevault_autologin_disable
- - os_firewall_default_deny_require
- - os_firewall_log_enable
- - os_firmware_password_require
- - os_gatekeeper_enable
- - os_gatekeeper_rearm
- - os_handoff_disable
- - os_home_folders_secure
- - os_httpd_disable
- - os_icloud_storage_prompt_disable
- - os_install_log_retention_configure
- - os_ir_support_disable
- - os_mdm_require
- - os_nfsd_disable
- - os_password_autofill_disable
- - os_password_hint_remove
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_power_nap_disable
- - os_privacy_setup_prompt_disable
- - os_rapid_security_response_allow
- - os_rapid_security_response_removal_disable
- - os_recovery_lock_enable
- - os_removable_media_disable
- - os_root_disable
- - os_sip_enable
- - os_siri_prompt_disable
- - os_skip_screen_time_prompt_enable
- - os_skip_unlock_with_watch_enable
- - os_ssh_fips_compliant
- - os_ssh_server_alive_count_max_configure
- - os_ssh_server_alive_interval_configure
- - os_sshd_client_alive_count_max_configure
- - 
os_sshd_client_alive_interval_configure
- - os_sshd_fips_compliant
- - os_sshd_key_exchange_algorithm_configure
- - os_sshd_login_grace_time_configure
- - os_tftpd_disable
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_unlock_active_user_session_disable
- - os_user_app_installation_prohibit
- - os_uucp_disable
- - section: "passwordpolicy"
- rules:
- - pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- - pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_max_lifetime_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
- - pwpolicy_simple_sequence_disable
- - pwpolicy_special_character_enforce
- - pwpolicy_upper_case_character_enforce
- - section: "systemsettings"
- rules:
- - system_settings_airplay_receiver_disable
- - system_settings_apple_watch_unlock_disable
- - system_settings_automatic_login_disable
- - system_settings_automatic_logout_enforce
- - system_settings_bluetooth_disable
- - system_settings_bluetooth_sharing_disable
- - system_settings_cd_dvd_sharing_disable
- - system_settings_content_caching_disable
- - system_settings_critical_update_install_enforce
- - system_settings_diagnostics_reports_disable
- - system_settings_filevault_enforce
- - system_settings_find_my_disable
- - system_settings_firewall_enable
- - system_settings_firewall_stealth_mode_enable
- - system_settings_gatekeeper_identified_developers_allowed
- - system_settings_gatekeeper_override_disallow
- - system_settings_guest_access_smb_disable
- - system_settings_guest_account_disable
- - system_settings_improve_siri_dictation_disable
- - system_settings_internet_accounts_disable
- - system_settings_internet_sharing_disable
- - system_settings_location_services_disable
- - system_settings_loginwindow_prompt_username_password_enforce
- - system_settings_media_sharing_disabled
- - 
system_settings_password_hints_disable
- - system_settings_personalized_advertising_disable
- - system_settings_printer_sharing_disable
- - system_settings_rae_disable
- - system_settings_remote_management_disable
- - system_settings_screen_sharing_disable
- - system_settings_screensaver_ask_for_password_delay_enforce
- - system_settings_screensaver_password_enforce
- - system_settings_screensaver_timeout_enforce
- - system_settings_siri_disable
- - system_settings_smbd_disable
- - system_settings_ssh_disable
- - system_settings_ssh_enable
- - system_settings_system_wide_preferences_configure
- - system_settings_time_server_configure
- - system_settings_time_server_enforce
- - system_settings_token_removal_enforce
- - system_settings_touchid_unlock_disable
- - system_settings_usb_restricted_mode
- - system_settings_wifi_disable
- - section: "Inherent"
- rules:
- - audit_record_reduction_report_generation
- - os_implement_cryptography
- - os_logical_access
- - os_malicious_code_prevention
- - os_obscure_password
- - os_prevent_priv_functions
- - os_prevent_unauthorized_disclosure
- - os_prohibit_remote_activation_collab_devices
- - os_separate_functionality
- - os_store_encrypted_passwords
- - os_unique_identification
- - pwpolicy_force_password_change
- - section: "Permanent"
- rules:
- - audit_records_processing
- - system_settings_wifi_disable_when_connected_to_ethernet
- - section: "not_applicable"
- rules:
- - os_access_control_mobile_devices
- - os_managed_access_control_points
- - os_nonlocal_maintenance
- - section: "Supplemental"
- rules:
- - supplemental_controls
- - supplemental_filevault
- - supplemental_firewall_pf
- - supplemental_password_policy
- - supplemental_smartcard
diff --git a/baselines/cnssi-1253_high.yaml b/baselines/cnssi-1253_high.yaml
deleted file mode 100644
index c0ad8357..00000000
--- a/baselines/cnssi-1253_high.yaml
+++ /dev/null
@@ -1,273 +0,0 @@ -title: "macOS 13.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (High)" -description: | - This guide describes the actions to take when securing a macOS 13.0 system against the Committee on National Security Systems Instruction No. 1253 (High) security baseline. - - Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. -authors: | - *macOS Security Compliance Project* - - |=== - |Rob Lamb|Los Alamos National Laboratory - |Ekkehard Koch| - |Bob Gendler|National Institute of Standards and Technology - |=== -parent_values: "recommended" -profile: - - section: "auditing" - rules: - - audit_acls_files_configure - - audit_acls_folders_configure - - audit_auditd_enabled - - audit_configure_capacity_notify - - audit_control_acls_configure - - audit_control_group_configure - - audit_control_mode_configure - - audit_control_owner_configure - - audit_failure_halt - - audit_files_group_configure - - audit_files_mode_configure - - audit_files_owner_configure - - audit_flags_aa_configure - - audit_flags_ad_configure - - audit_flags_ex_configure - - audit_flags_fd_configure - - audit_flags_fm_configure - - audit_flags_fm_failed_configure - - audit_flags_fr_configure - - audit_flags_fw_configure - - audit_flags_lo_configure - - audit_folder_group_configure - - audit_folder_owner_configure - - audit_folders_mode_configure - - audit_retention_configure - - audit_settings_failure_notify - - section: "authentication" - rules: - - auth_pam_login_smartcard_enforce - - auth_pam_su_smartcard_enforce - - auth_pam_sudo_smartcard_enforce - - auth_smartcard_allow - - auth_smartcard_certificate_trust_enforce_high - - auth_smartcard_enforce - - auth_ssh_password_authentication_disable - - 
section: "icloud"
- rules:
- - icloud_addressbook_disable
- - icloud_appleid_system_settings_disable
- - icloud_bookmarks_disable
- - icloud_calendar_disable
- - icloud_drive_disable
- - icloud_game_center_disable
- - icloud_keychain_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_photos_disable
- - icloud_private_relay_disable
- - icloud_reminders_disable
- - icloud_sync_disable
- - section: "macos"
- rules:
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_asl_log_files_owner_group_configure
- - os_asl_log_files_permissions_configure
- - os_authenticated_root_enable
- - os_blank_bluray_disable
- - os_blank_cd_disable
- - os_blank_dvd_disable
- - os_bluray_read_only_enforce
- - os_bonjour_disable
- - os_burn_support_disable
- - os_cd_read_only_enforce
- - os_certificate_authority_trust
- - os_config_data_install_enforce
- - os_config_profile_ui_install_disable
- - os_disk_image_disable
- - os_dvdram_disable
- - os_erase_content_and_settings_disable
- - os_facetime_app_disable
- - os_filevault_authorized_users
- - os_filevault_autologin_disable
- - os_firewall_default_deny_require
- - os_firewall_log_enable
- - os_firmware_password_require
- - os_gatekeeper_enable
- - os_gatekeeper_rearm
- - os_handoff_disable
- - os_home_folders_secure
- - os_httpd_disable
- - os_icloud_storage_prompt_disable
- - os_install_log_retention_configure
- - os_ir_support_disable
- - os_mail_app_disable
- - os_mdm_require
- - os_messages_app_disable
- - os_newsyslog_files_owner_group_configure
- - os_newsyslog_files_permissions_configure
- - os_nfsd_disable
- - os_parental_controls_enable
- - os_password_autofill_disable
- - os_password_hint_remove
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_power_nap_disable
- - os_privacy_setup_prompt_disable
- - os_rapid_security_response_allow
- - 
os_rapid_security_response_removal_disable
- - os_recovery_lock_enable
- - os_removable_media_disable
- - os_root_disable
- - os_screensaver_loginwindow_enforce
- - os_secure_boot_verify
- - os_sip_enable
- - os_siri_prompt_disable
- - os_skip_screen_time_prompt_enable
- - os_skip_unlock_with_watch_enable
- - os_ssh_fips_compliant
- - os_ssh_server_alive_count_max_configure
- - os_ssh_server_alive_interval_configure
- - os_sshd_client_alive_count_max_configure
- - os_sshd_client_alive_interval_configure
- - os_sshd_fips_compliant
- - os_sshd_key_exchange_algorithm_configure
- - os_sshd_login_grace_time_configure
- - os_sshd_permit_root_login_configure
- - os_sudoers_timestamp_type_configure
- - os_system_read_only
- - os_tftpd_disable
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_unlock_active_user_session_disable
- - os_user_app_installation_prohibit
- - os_uucp_disable
- - section: "passwordpolicy"
- rules:
- - pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- - pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_max_lifetime_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
- - pwpolicy_simple_sequence_disable
- - pwpolicy_special_character_enforce
- - pwpolicy_temporary_or_emergency_accounts_disable
- - pwpolicy_upper_case_character_enforce
- - section: "systemsettings"
- rules:
- - system_settings_airplay_receiver_disable
- - system_settings_apple_watch_unlock_disable
- - system_settings_automatic_login_disable
- - system_settings_automatic_logout_enforce
- - system_settings_bluetooth_disable
- - system_settings_bluetooth_sharing_disable
- - system_settings_cd_dvd_sharing_disable
- - system_settings_content_caching_disable
- - system_settings_critical_update_install_enforce
- - system_settings_diagnostics_reports_disable
- - system_settings_filevault_enforce
- - 
system_settings_find_my_disable
- - system_settings_firewall_enable
- - system_settings_firewall_stealth_mode_enable
- - system_settings_gatekeeper_identified_developers_allowed
- - system_settings_gatekeeper_override_disallow
- - system_settings_guest_access_smb_disable
- - system_settings_guest_account_disable
- - system_settings_hot_corners_disable
- - system_settings_hot_corners_secure
- - system_settings_improve_siri_dictation_disable
- - system_settings_internet_accounts_disable
- - system_settings_internet_sharing_disable
- - system_settings_location_services_disable
- - system_settings_loginwindow_prompt_username_password_enforce
- - system_settings_media_sharing_disabled
- - system_settings_password_hints_disable
- - system_settings_personalized_advertising_disable
- - system_settings_printer_sharing_disable
- - system_settings_rae_disable
- - system_settings_remote_management_disable
- - system_settings_screen_sharing_disable
- - system_settings_screensaver_ask_for_password_delay_enforce
- - system_settings_screensaver_password_enforce
- - system_settings_screensaver_timeout_enforce
- - system_settings_siri_disable
- - system_settings_smbd_disable
- - system_settings_ssh_disable
- - system_settings_ssh_enable
- - system_settings_system_wide_preferences_configure
- - system_settings_time_server_configure
- - system_settings_time_server_enforce
- - system_settings_token_removal_enforce
- - system_settings_touchid_unlock_disable
- - system_settings_usb_restricted_mode
- - system_settings_wifi_disable
- - section: "Inherent"
- rules:
- - audit_record_reduction_report_generation
- - os_allow_info_passed
- - os_application_sandboxing
- - os_change_security_attributes
- - os_crypto_audit
- - os_enforce_access_restrictions
- - os_fail_secure_state
- - os_grant_privs
- - os_implement_cryptography
- - os_implement_memory_protection
- - os_isolate_security_functions
- - os_limit_gui_sessions
- - os_logical_access
- - os_logoff_capability_and_message
- - 
os_malicious_code_prevention
- - os_obscure_password
- - os_predictable_behavior
- - os_prevent_priv_execution
- - os_prevent_priv_functions
- - os_prevent_unauthorized_disclosure
- - os_prohibit_remote_activation_collab_devices
- - os_provide_disconnect_remote_access
- - os_reauth_privilege
- - os_reauth_users_change_authenticators
- - os_remove_software_components_after_updates
- - os_required_crypto_module
- - os_secure_enclave
- - os_separate_functionality
- - os_store_encrypted_passwords
- - os_unique_identification
- - os_verify_remote_disconnection
- - pwpolicy_emergency_accounts_disable
- - pwpolicy_force_password_change
- - pwpolicy_temporary_accounts_disable
- - section: "Permanent"
- rules:
- - audit_enforce_dual_auth
- - audit_off_load_records
- - audit_records_processing
- - os_auth_peripherals
- - os_continuous_monitoring
- - os_limit_dos_attacks
- - os_notify_unauthorized_baseline_change
- - os_protect_dos_attacks
- - os_provide_automated_account_management
- - os_reauth_devices_change_authenticators
- - os_secure_name_resolution
- - system_settings_wifi_disable_when_connected_to_ethernet
- - section: "not_applicable"
- rules:
- - os_access_control_mobile_devices
- - os_identify_non-org_users
- - os_information_validation
- - os_managed_access_control_points
- - os_non_repudiation
- - os_nonlocal_maintenance
- - section: "Supplemental"
- rules:
- - supplemental_controls
- - supplemental_filevault
- - supplemental_firewall_pf
- - supplemental_password_policy
- - supplemental_smartcard
\ No newline at end of file
diff --git a/baselines/cnssi-1253_low.yaml b/baselines/cnssi-1253_low.yaml
deleted file mode 100644
index 890a0317..00000000
--- a/baselines/cnssi-1253_low.yaml
+++ /dev/null
@@ -1,254 +0,0 @@
-title: "macOS 13.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Low)"
-description: |
- This guide describes the actions to take when securing a macOS 13.0 system against the Committee on National Security Systems Instruction No. 1253 (Low) security baseline.
-
- Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
-authors: |
- *macOS Security Compliance Project*
-
- |===
- |Rob Lamb|Los Alamos National Laboratory
- |Ekkehard Koch|
- |Bob Gendler|National Institute of Standards and Technology
- |===
-parent_values: "recommended"
-profile:
- - section: "auditing"
- rules:
- - audit_acls_files_configure
- - audit_acls_folders_configure
- - audit_auditd_enabled
- - audit_configure_capacity_notify
- - audit_control_acls_configure
- - audit_control_group_configure
- - audit_control_mode_configure
- - audit_control_owner_configure
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_mode_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_ex_configure
- - audit_flags_fd_configure
- - audit_flags_fm_configure
- - audit_flags_fm_failed_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_lo_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_folders_mode_configure
- - audit_retention_configure
- - audit_settings_failure_notify
- - section: "authentication"
- rules:
- - auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- - auth_smartcard_allow
- - auth_smartcard_certificate_trust_enforce_moderate
- - auth_smartcard_enforce
- - auth_ssh_password_authentication_disable
- - section: "icloud"
- rules:
- - icloud_addressbook_disable
- - icloud_appleid_system_settings_disable
- - icloud_bookmarks_disable
- - icloud_calendar_disable
- - icloud_drive_disable
- - icloud_game_center_disable
- - icloud_keychain_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_photos_disable
- - icloud_private_relay_disable
- - icloud_reminders_disable
- - icloud_sync_disable
- - section: "macos"
- rules:
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_asl_log_files_owner_group_configure
- - os_asl_log_files_permissions_configure
- - os_authenticated_root_enable
- - os_blank_bluray_disable
- - os_blank_cd_disable
- - os_blank_dvd_disable
- - os_bluray_read_only_enforce
- - os_bonjour_disable
- - os_burn_support_disable
- - os_cd_read_only_enforce
- - os_certificate_authority_trust
- - os_config_data_install_enforce
- - os_config_profile_ui_install_disable
- - os_disk_image_disable
- - os_dvdram_disable
- - os_erase_content_and_settings_disable
- - os_facetime_app_disable
- - os_filevault_autologin_disable
- - os_firewall_default_deny_require
- - os_firewall_log_enable
- - os_firmware_password_require
- - os_gatekeeper_enable
- - os_gatekeeper_rearm
- - os_handoff_disable
- - os_home_folders_secure
- - os_httpd_disable
- - os_icloud_storage_prompt_disable
- - os_install_log_retention_configure
- - os_ir_support_disable
- - os_mail_app_disable
- - os_mdm_require
- - os_messages_app_disable
- - os_newsyslog_files_owner_group_configure
- - os_newsyslog_files_permissions_configure
- - os_nfsd_disable
- - os_parental_controls_enable
- - os_password_autofill_disable
- - os_password_hint_remove
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_power_nap_disable
- - os_privacy_setup_prompt_disable
- - os_rapid_security_response_allow
- - os_rapid_security_response_removal_disable
- - os_recovery_lock_enable
- - os_removable_media_disable
- - os_root_disable
- - os_screensaver_loginwindow_enforce
- - os_sip_enable
- - os_siri_prompt_disable
- - os_skip_screen_time_prompt_enable
- - os_skip_unlock_with_watch_enable
- - os_ssh_fips_compliant
- - os_ssh_server_alive_count_max_configure
- - os_ssh_server_alive_interval_configure
- - os_sshd_client_alive_count_max_configure
- - os_sshd_client_alive_interval_configure
- - os_sshd_fips_compliant
- - os_sshd_key_exchange_algorithm_configure
- - os_sshd_login_grace_time_configure
- - os_sshd_permit_root_login_configure
- - os_sudoers_timestamp_type_configure
- - os_system_read_only
- - os_tftpd_disable
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_unlock_active_user_session_disable
- - os_user_app_installation_prohibit
- - os_uucp_disable
- - section: "passwordpolicy"
- rules:
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- - pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_max_lifetime_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
- - pwpolicy_simple_sequence_disable
- - pwpolicy_special_character_enforce
- - pwpolicy_upper_case_character_enforce
- - section: "systemsettings"
- rules:
- - system_settings_airplay_receiver_disable
- - system_settings_apple_watch_unlock_disable
- - system_settings_automatic_login_disable
- - system_settings_automatic_logout_enforce
- - system_settings_bluetooth_disable
- - system_settings_bluetooth_sharing_disable
- - system_settings_cd_dvd_sharing_disable
- - system_settings_content_caching_disable
- - system_settings_critical_update_install_enforce
- - system_settings_diagnostics_reports_disable
- - system_settings_filevault_enforce
- - system_settings_find_my_disable
- - system_settings_firewall_enable
- - system_settings_firewall_stealth_mode_enable
- - system_settings_gatekeeper_identified_developers_allowed
- - system_settings_gatekeeper_override_disallow
- - system_settings_guest_access_smb_disable
- - system_settings_guest_account_disable
- - system_settings_hot_corners_disable
- - system_settings_hot_corners_secure
- - system_settings_improve_siri_dictation_disable
- - system_settings_internet_accounts_disable
- - system_settings_internet_sharing_disable
- - system_settings_location_services_disable
- - system_settings_loginwindow_prompt_username_password_enforce
- - system_settings_media_sharing_disabled
- - system_settings_password_hints_disable
- - system_settings_personalized_advertising_disable
- - system_settings_printer_sharing_disable
- - system_settings_rae_disable
- - system_settings_remote_management_disable
- - system_settings_screen_sharing_disable
- - system_settings_screensaver_ask_for_password_delay_enforce
- - system_settings_screensaver_password_enforce
- - system_settings_screensaver_timeout_enforce
- - system_settings_siri_disable
- - system_settings_smbd_disable
- - system_settings_ssh_disable
- - system_settings_ssh_enable
- - system_settings_system_wide_preferences_configure
- - system_settings_time_server_configure
- - system_settings_time_server_enforce
- - system_settings_token_removal_enforce
- - system_settings_touchid_unlock_disable
- - system_settings_usb_restricted_mode
- - system_settings_wifi_disable
- - section: "Inherent"
- rules:
- - os_allow_info_passed
- - os_application_sandboxing
- - os_change_security_attributes
- - os_grant_privs
- - os_implement_cryptography
- - os_logical_access
- - os_logoff_capability_and_message
- - os_malicious_code_prevention
- - os_obscure_password
- - os_predictable_behavior
- - os_prevent_priv_execution
- - os_prevent_priv_functions
- - os_prevent_unauthorized_disclosure
- - os_prohibit_remote_activation_collab_devices
- - os_provide_disconnect_remote_access
- - os_reauth_privilege
- - os_reauth_users_change_authenticators
- - os_remove_software_components_after_updates
- - os_required_crypto_module
- - os_secure_enclave
- - os_separate_functionality
- - os_store_encrypted_passwords
- - os_unique_identification
- - os_verify_remote_disconnection
- - pwpolicy_force_password_change
- - section: "Permanent"
- rules:
- - audit_off_load_records
- - os_auth_peripherals
- - os_continuous_monitoring
- - os_protect_dos_attacks
- - os_reauth_devices_change_authenticators
- - os_secure_name_resolution
- - system_settings_wifi_disable_when_connected_to_ethernet
- - section: "not_applicable"
- rules:
- - os_access_control_mobile_devices
- - os_identify_non-org_users
- - os_information_validation
- - os_managed_access_control_points
- - os_nonlocal_maintenance
- - section: "Supplemental"
- rules:
- - supplemental_controls
- - supplemental_filevault
- - supplemental_firewall_pf
- - supplemental_password_policy
- - supplemental_smartcard
diff --git a/baselines/cnssi-1253_moderate.yaml b/baselines/cnssi-1253_moderate.yaml
deleted file mode 100644
index a41774e7..00000000
--- a/baselines/cnssi-1253_moderate.yaml
+++ /dev/null
@@ -1,267 +0,0 @@
-title: "macOS 13.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Moderate)"
-description: |
- This guide describes the actions to take when securing a macOS 13.0 system against the Committee on National Security Systems Instruction No. 1253 (Moderate) security baseline.
-
- Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
-authors: |
- *macOS Security Compliance Project*
-
- |===
- |Rob Lamb|Los Alamos National Laboratory
- |Ekkehard Koch|
- |Bob Gendler|National Institute of Standards and Technology
- |===
-parent_values: "recommended"
-profile:
- - section: "auditing"
- rules:
- - audit_acls_files_configure
- - audit_acls_folders_configure
- - audit_auditd_enabled
- - audit_configure_capacity_notify
- - audit_control_acls_configure
- - audit_control_group_configure
- - audit_control_mode_configure
- - audit_control_owner_configure
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_mode_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_ex_configure
- - audit_flags_fd_configure
- - audit_flags_fm_configure
- - audit_flags_fm_failed_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_lo_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_folders_mode_configure
- - audit_retention_configure
- - audit_settings_failure_notify
- - section: "authentication"
- rules:
- - auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- - auth_smartcard_allow
- - auth_smartcard_certificate_trust_enforce_moderate
- - auth_smartcard_enforce
- - auth_ssh_password_authentication_disable
- - section: "icloud"
- rules:
- - icloud_addressbook_disable
- - icloud_appleid_system_settings_disable
- - icloud_bookmarks_disable
- - icloud_calendar_disable
- - icloud_drive_disable
- - icloud_game_center_disable
- - icloud_keychain_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_photos_disable
- - icloud_private_relay_disable
- - icloud_reminders_disable
- - icloud_sync_disable
- - section: "macos"
- rules:
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_asl_log_files_owner_group_configure
- - os_asl_log_files_permissions_configure
- - os_authenticated_root_enable
- - os_blank_bluray_disable
- - os_blank_cd_disable
- - os_blank_dvd_disable
- - os_bluray_read_only_enforce
- - os_bonjour_disable
- - os_burn_support_disable
- - os_cd_read_only_enforce
- - os_certificate_authority_trust
- - os_config_data_install_enforce
- - os_config_profile_ui_install_disable
- - os_disk_image_disable
- - os_dvdram_disable
- - os_erase_content_and_settings_disable
- - os_facetime_app_disable
- - os_filevault_autologin_disable
- - os_firewall_default_deny_require
- - os_firewall_log_enable
- - os_firmware_password_require
- - os_gatekeeper_enable
- - os_gatekeeper_rearm
- - os_handoff_disable
- - os_home_folders_secure
- - os_httpd_disable
- - os_icloud_storage_prompt_disable
- - os_install_log_retention_configure
- - os_ir_support_disable
- - os_mail_app_disable
- - os_mdm_require
- - os_messages_app_disable
- - os_newsyslog_files_owner_group_configure
- - os_newsyslog_files_permissions_configure
- - os_nfsd_disable
- - os_parental_controls_enable
- - os_password_autofill_disable
- - os_password_hint_remove
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_power_nap_disable
- - os_privacy_setup_prompt_disable
- - os_rapid_security_response_allow
- - os_rapid_security_response_removal_disable
- - os_recovery_lock_enable
- - os_removable_media_disable
- - os_root_disable
- - os_screensaver_loginwindow_enforce
- - os_secure_boot_verify
- - os_sip_enable
- - os_siri_prompt_disable
- - os_skip_screen_time_prompt_enable
- - os_skip_unlock_with_watch_enable
- - os_ssh_fips_compliant
- - os_ssh_server_alive_count_max_configure
- - os_ssh_server_alive_interval_configure
- - os_sshd_client_alive_count_max_configure
- - os_sshd_client_alive_interval_configure
- - os_sshd_fips_compliant
- - os_sshd_key_exchange_algorithm_configure
- - os_sshd_login_grace_time_configure
- - os_sshd_permit_root_login_configure
- - os_sudoers_timestamp_type_configure
- - os_system_read_only
- - os_tftpd_disable
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_unlock_active_user_session_disable
- - os_user_app_installation_prohibit
- - os_uucp_disable
- - section: "passwordpolicy"
- rules:
- - pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- - pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_max_lifetime_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
- - pwpolicy_simple_sequence_disable
- - pwpolicy_special_character_enforce
- - pwpolicy_temporary_or_emergency_accounts_disable
- - pwpolicy_upper_case_character_enforce
- - section: "systemsettings"
- rules:
- - system_settings_airplay_receiver_disable
- - system_settings_apple_watch_unlock_disable
- - system_settings_automatic_login_disable
- - system_settings_automatic_logout_enforce
- - system_settings_bluetooth_disable
- - system_settings_bluetooth_sharing_disable
- - system_settings_cd_dvd_sharing_disable
- - system_settings_content_caching_disable
- - system_settings_critical_update_install_enforce
- - system_settings_diagnostics_reports_disable
- - system_settings_filevault_enforce
- - system_settings_find_my_disable
- - system_settings_firewall_enable
- - system_settings_firewall_stealth_mode_enable
- - system_settings_gatekeeper_identified_developers_allowed
- - system_settings_gatekeeper_override_disallow
- - system_settings_guest_access_smb_disable
- - system_settings_guest_account_disable
- - system_settings_hot_corners_disable
- - system_settings_hot_corners_secure
- - system_settings_improve_siri_dictation_disable
- - system_settings_internet_accounts_disable
- - system_settings_internet_sharing_disable
- - system_settings_location_services_disable
- - system_settings_loginwindow_prompt_username_password_enforce
- - system_settings_media_sharing_disabled
- - system_settings_password_hints_disable
- - system_settings_personalized_advertising_disable
- - system_settings_printer_sharing_disable
- - system_settings_rae_disable
- - system_settings_remote_management_disable
- - system_settings_screen_sharing_disable
- - system_settings_screensaver_ask_for_password_delay_enforce
- - system_settings_screensaver_password_enforce
- - system_settings_screensaver_timeout_enforce
- - system_settings_siri_disable
- - system_settings_smbd_disable
- - system_settings_ssh_disable
- - system_settings_ssh_enable
- - system_settings_system_wide_preferences_configure
- - system_settings_time_server_configure
- - system_settings_time_server_enforce
- - system_settings_token_removal_enforce
- - system_settings_touchid_unlock_disable
- - system_settings_usb_restricted_mode
- - system_settings_wifi_disable
- - section: "Inherent"
- rules:
- - audit_record_reduction_report_generation
- - os_allow_info_passed
- - os_application_sandboxing
- - os_change_security_attributes
- - os_enforce_access_restrictions
- - os_grant_privs
- - os_implement_cryptography
- - os_implement_memory_protection
- - os_limit_gui_sessions
- - os_logical_access
- - os_logoff_capability_and_message
- - os_malicious_code_prevention
- - os_obscure_password
- - os_predictable_behavior
- - os_prevent_priv_execution
- - os_prevent_priv_functions
- - os_prevent_unauthorized_disclosure
- - os_prohibit_remote_activation_collab_devices
- - os_provide_disconnect_remote_access
- - os_reauth_privilege
- - os_reauth_users_change_authenticators
- - os_remove_software_components_after_updates
- - os_required_crypto_module
- - os_secure_enclave
- - os_separate_functionality
- - os_store_encrypted_passwords
- - os_unique_identification
- - os_verify_remote_disconnection
- - pwpolicy_emergency_accounts_disable
- - pwpolicy_force_password_change
- - pwpolicy_temporary_accounts_disable
- - section: "Permanent"
- rules:
- - audit_off_load_records
- - audit_records_processing
- - os_auth_peripherals
- - os_continuous_monitoring
- - os_limit_dos_attacks
- - os_protect_dos_attacks
- - os_provide_automated_account_management
- - os_reauth_devices_change_authenticators
- - os_secure_name_resolution
- - system_settings_wifi_disable_when_connected_to_ethernet
- - section: "not_applicable"
- rules:
- - os_access_control_mobile_devices
- - os_identify_non-org_users
- - os_information_validation
- - os_managed_access_control_points
- - os_non_repudiation
- - os_nonlocal_maintenance
- - section: "Supplemental"
- rules:
- - supplemental_controls
- - supplemental_filevault
- - supplemental_firewall_pf
- - supplemental_password_policy
- - supplemental_smartcard
diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml
index 70772490..3f636b50 100644
--- a/includes/mscp-data.yaml
+++ b/includes/mscp-data.yaml
@@ -82,12 +82,12 @@ titles:
800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact
800-53r5_low: NIST SP 800-53 Rev 5 Low Impact
800-171: NIST 800-171 Rev 2
- cis_lvl1: CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1)
- cis_lvl2: CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2)
+ cis_lvl1: CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1)
+ cis_lvl2: CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2)
cmmc_lvl1: US CMMC 2.0 Level 1
cmmc_lvl2: US CMMC 2.0 Level 2
cisv8: CIS Controls Version 8
cnssi-1253_low: Committee on National Security Systems Instruction No. 1253 (Low)
cnssi-1253_moderate: Committee on National Security Systems Instruction No. 1253 (Moderate)
cnssi-1253_high: Committee on National Security Systems Instruction No. 1253 (High)
- stig: Apple macOS 13 (Ventura) STIG - Ver 1, Rel 1
+ stig: Apple macOS 14 (Sonoma) STIG - Ver 1, Rel 1
diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml
index e3dc37b6..ad2043d6 100644
--- a/rules/audit/audit_acls_files_configure.yaml
+++ b/rules/audit/audit_acls_files_configure.yaml
@@ -38,7 +38,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r4_low
diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml
index 78f6fff8..df57144b 100644
--- a/rules/audit/audit_acls_folders_configure.yaml
+++ b/rules/audit/audit_acls_folders_configure.yaml
@@ -36,7 +36,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_alert_processing_fail.yaml b/rules/audit/audit_alert_processing_fail.yaml
index 747b4c27..a160e43c 100644
--- a/rules/audit/audit_alert_processing_fail.yaml
+++ b/rules/audit/audit_alert_processing_fail.yaml
@@ -20,7 +20,7 @@ references:
srg:
- N/A
macOS:
- - "13.0"
+ - "14.0"
tags:
- permanent
mobileconfig: false
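Review bot: The context lines `cnssi-1253_low:`, `cnssi-1253_moderate:` and `cnssi-1253_high:` in this hunk keep `titles` entries for baselines that the same patch deletes (`baselines/cnssi-1253_low.yaml` and `baselines/cnssi-1253_moderate.yaml` are removed above), and rule tags elsewhere in the patch still point at them (`- cnssi-1253_high` in `audit_enforce_dual_auth.yaml`, `- cnssi-1253_moderate` / `- cnssi-1253_low` in `audit_flags_fm_configure.yaml`, `- cnssi-1253_moderate` in `os_allow_info_passed.yaml`), so those keys are now dangling for any tooling that resolves a baseline from its title or tag. Either drop the three `cnssi-1253_*` title lines and the matching tags in this commit, or keep the baseline files until the replacement lands, so the catalog and its titles cannot disagree. Separately, the new `stig: Apple macOS 14 (Sonoma) STIG - Ver 1, Rel 1` line sits next to rule files that keep Ventura-era `disa_stig` identifiers as context (e.g. `- APPL-13-001030` in `audit_configure_capacity_notify.yaml`), so a generated guide would presumably cite macOS 13 STIG IDs under a macOS 14 heading. If the Sonoma CIS benchmark and STIG were not yet published when this was written, the three changed title lines are placeholders and should carry a comment such as `# placeholder: update once the macOS 14 CIS benchmark / DISA STIG is released` so nobody treats the version strings as authoritative.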
diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml
index e5995880..53336c96 100644
--- a/rules/audit/audit_auditd_enabled.yaml
+++ b/rules/audit/audit_auditd_enabled.yaml
@@ -99,7 +99,7 @@ references:
- AU.L2-3.3.2
- AU.L2-3.3.6
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml
index a1510bfa..5d5d3044 100644
--- a/rules/audit/audit_configure_capacity_notify.yaml
+++ b/rules/audit/audit_configure_capacity_notify.yaml
@@ -27,7 +27,7 @@ references:
disa_stig:
- APPL-13-001030
macOS:
- - "13.0"
+ - "14.0"
odv:
hint: "Percentage of free space."
recommended: 25
diff --git a/rules/audit/audit_control_acls_configure.yaml b/rules/audit/audit_control_acls_configure.yaml
index bdabe586..87698ecc 100644
--- a/rules/audit/audit_control_acls_configure.yaml
+++ b/rules/audit/audit_control_acls_configure.yaml
@@ -34,7 +34,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - "13.0"
+ - "14.0"
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/audit/audit_control_group_configure.yaml b/rules/audit/audit_control_group_configure.yaml
index 1f0b4271..5d4764fc 100644
--- a/rules/audit/audit_control_group_configure.yaml
+++ b/rules/audit/audit_control_group_configure.yaml
@@ -34,7 +34,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - "13.0"
+ - "14.0"
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/audit/audit_control_mode_configure.yaml b/rules/audit/audit_control_mode_configure.yaml
index ae04af47..d345991a 100644
--- a/rules/audit/audit_control_mode_configure.yaml
+++ b/rules/audit/audit_control_mode_configure.yaml
@@ -34,7 +34,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - "13.0"
+ - "14.0"
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/audit/audit_control_owner_configure.yaml b/rules/audit/audit_control_owner_configure.yaml
index f75172d1..1ba3e7ab 100644
--- a/rules/audit/audit_control_owner_configure.yaml
+++ b/rules/audit/audit_control_owner_configure.yaml
@@ -34,7 +34,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - "13.0"
+ - "14.0"
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/audit/audit_enforce_dual_auth.yaml b/rules/audit/audit_enforce_dual_auth.yaml
index cc64ff06..edf1c8f5 100644
--- a/rules/audit/audit_enforce_dual_auth.yaml
+++ b/rules/audit/audit_enforce_dual_auth.yaml
@@ -24,7 +24,7 @@ references:
srg:
- N/A
macOS:
- - "13.0"
+ - "14.0"
tags:
- permanent
- cnssi-1253_high
diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml
index cdd10d54..2375da64 100644
--- a/rules/audit/audit_failure_halt.yaml
+++ b/rules/audit/audit_failure_halt.yaml
@@ -31,7 +31,7 @@ references:
cmmc:
- AU.L2-3.3.4
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml
index d67e0060..91f6441a 100644
--- a/rules/audit/audit_files_group_configure.yaml
+++ b/rules/audit/audit_files_group_configure.yaml
@@ -38,7 +38,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml
index f82d67a9..c78610d5 100644
--- a/rules/audit/audit_files_mode_configure.yaml
+++ b/rules/audit/audit_files_mode_configure.yaml
@@ -34,7 +34,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml
index 2e8ad15f..beec7040 100644
--- a/rules/audit/audit_files_owner_configure.yaml
+++ b/rules/audit/audit_files_owner_configure.yaml
@@ -38,7 +38,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml
index 16063eb9..a1935d7c 100644
--- a/rules/audit/audit_flags_aa_configure.yaml
+++ b/rules/audit/audit_flags_aa_configure.yaml
@@ -52,7 +52,7 @@ references:
- AU.L2-3.3.6
- SI.L2-3.14.3
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml
index 5d48b4b7..84cc2da1 100644
--- a/rules/audit/audit_flags_ad_configure.yaml
+++ b/rules/audit/audit_flags_ad_configure.yaml
@@ -73,7 +73,7 @@ references:
- AU.L2-3.3.6
- SI.L2-3.14.3
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml
index a89025e0..98ac94cc 100644
--- a/rules/audit/audit_flags_ex_configure.yaml
+++ b/rules/audit/audit_flags_ex_configure.yaml
@@ -49,7 +49,7 @@ references:
- AU.L2-3.3.6
- SI.L2-3.14.3
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml
index 035bcd7e..713ba435 100644
--- a/rules/audit/audit_flags_fd_configure.yaml
+++ b/rules/audit/audit_flags_fd_configure.yaml
@@ -57,7 +57,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_privacy
- 800-53r5_low
diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml
index a18995e6..baf8d391 100644
--- a/rules/audit/audit_flags_fm_configure.yaml
+++ b/rules/audit/audit_flags_fm_configure.yaml
@@ -57,7 +57,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- - "13.0"
+ - "14.0"
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/audit/audit_flags_fm_failed_configure.yaml b/rules/audit/audit_flags_fm_failed_configure.yaml
index d5184315..954de099 100644
--- a/rules/audit/audit_flags_fm_failed_configure.yaml
+++ b/rules/audit/audit_flags_fm_failed_configure.yaml
@@ -56,7 +56,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_privacy
- 800-53r5_low
diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml
index 35ac96e2..9869dce3 100644
--- a/rules/audit/audit_flags_fr_configure.yaml
+++ b/rules/audit/audit_flags_fr_configure.yaml
@@ -66,7 +66,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml
index f03d553d..2541ec1e 100644
--- a/rules/audit/audit_flags_fw_configure.yaml
+++ b/rules/audit/audit_flags_fw_configure.yaml
@@ -66,7 +66,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml
index c570974f..c1100e59 100644
--- a/rules/audit/audit_flags_lo_configure.yaml
+++ b/rules/audit/audit_flags_lo_configure.yaml
@@ -54,7 +54,7 @@ references:
- AU.L2-3.3.6
- SI.L2-3.14.3
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml
index bae04a6c..8636d9fe 100644
--- a/rules/audit/audit_folder_group_configure.yaml
+++ b/rules/audit/audit_folder_group_configure.yaml
@@ -38,7 +38,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml
index f92bb848..64c8a448 100644
--- a/rules/audit/audit_folder_owner_configure.yaml
+++ b/rules/audit/audit_folder_owner_configure.yaml
@@ -38,7 +38,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml
index 6c229398..8e720d16 100644
--- a/rules/audit/audit_folders_mode_configure.yaml
+++ b/rules/audit/audit_folders_mode_configure.yaml
@@ -40,7 +40,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml
index 604b8d65..65ba5d5a 100644
--- a/rules/audit/audit_off_load_records.yaml
+++ b/rules/audit/audit_off_load_records.yaml
@@ -29,7 +29,7 @@ references:
controls v8:
- 8.9
macOS:
- - "13.0"
+ - "14.0"
tags:
- permanent
- cisv8
diff --git a/rules/audit/audit_record_reduction_report_generation.yaml b/rules/audit/audit_record_reduction_report_generation.yaml
index e1f11e99..ff043981 100644
--- a/rules/audit/audit_record_reduction_report_generation.yaml
+++ b/rules/audit/audit_record_reduction_report_generation.yaml
@@ -28,7 +28,7 @@ references:
cmmc:
- AU.L2-3.3.6
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_high
- 800-53r4_high
diff --git a/rules/audit/audit_records_processing.yaml b/rules/audit/audit_records_processing.yaml
index a50cadb1..df46daac 100644
--- a/rules/audit/audit_records_processing.yaml
+++ b/rules/audit/audit_records_processing.yaml
@@ -26,7 +26,7 @@ references:
cmmc:
- AU.L2-3.3.6
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_high
- 800-53r4_high
diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml
index d2a0d184..2b4f8749 100644
--- a/rules/audit/audit_retention_configure.yaml
+++ b/rules/audit/audit_retention_configure.yaml
@@ -37,7 +37,7 @@ references:
cmmc:
- AU.L2-3.3.1
macOS:
- - "13.0"
+ - "14.0"
odv:
hint: "See man audit_control for possible values."
recommended: 7d
diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml
index 924b2ecf..13266f20 100644
--- a/rules/audit/audit_settings_failure_notify.yaml
+++ b/rules/audit/audit_settings_failure_notify.yaml
@@ -33,7 +33,7 @@ references:
cmmc:
- AU.L2-3.3.4
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml
index 07d0ecf1..ef0da149 100644
--- a/rules/auth/auth_pam_login_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml
@@ -65,7 +65,7 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml
index 7fa36032..33af991d 100644
--- a/rules/auth/auth_pam_su_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml
@@ -60,7 +60,7 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
index 5d665fdb..83764fde 100644
--- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
@@ -59,7 +59,7 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml
index 8a5223e8..65b7ef7d 100644
--- a/rules/auth/auth_smartcard_allow.yaml
+++ b/rules/auth/auth_smartcard_allow.yaml
@@ -47,7 +47,7 @@ references:
- IA.L1-3.5.2
- IA.L2-3.5.3
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
index 883355a1..14366bff 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
@@ -35,7 +35,7 @@ references:
cmmc:
- SC.L2-3.13.10
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r4_high
- 800-53r5_high
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
index 85b8747a..35652d31 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
@@ -43,7 +43,7 @@ references:
cmmc:
- SC.L2-3.13.10
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r4_moderate
- 800-53r5_moderate
diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml
index 81e109d7..d57bc58d 100644
--- a/rules/auth/auth_smartcard_enforce.yaml
+++ b/rules/auth/auth_smartcard_enforce.yaml
@@ -67,7 +67,7 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/auth/auth_ssh_password_authentication_disable.yaml b/rules/auth/auth_ssh_password_authentication_disable.yaml
index fdc2a3d7..3df23e3d 100644
--- a/rules/auth/auth_ssh_password_authentication_disable.yaml
+++ b/rules/auth/auth_ssh_password_authentication_disable.yaml
@@ -77,7 +77,7 @@ references:
- IA.L2-3.5.4
- MA.L2-3.7.5
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml
index c94d33be..78ac3ffd 100644
--- a/rules/icloud/icloud_addressbook_disable.yaml
+++ b/rules/icloud/icloud_addressbook_disable.yaml
@@ -50,7 +50,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_appleid_preference_pane_disable.yaml b/rules/icloud/icloud_appleid_preference_pane_disable.yaml
index f3d19d72..d4032edc 100644
--- a/rules/icloud/icloud_appleid_preference_pane_disable.yaml
+++ b/rules/icloud/icloud_appleid_preference_pane_disable.yaml
@@ -33,7 +33,7 @@ references:
controls v8:
- N/A
macOS:
- - "13.0"
+ - "14.0"
tags:
- stig
severity: "high"
diff --git a/rules/icloud/icloud_appleid_system_settings_disable.yaml b/rules/icloud/icloud_appleid_system_settings_disable.yaml
index afac4260..275251b7 100644
--- a/rules/icloud/icloud_appleid_system_settings_disable.yaml
+++ b/rules/icloud/icloud_appleid_system_settings_disable.yaml
@@ -43,7 +43,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml
index 08e26f47..92a7ebdd 100644
--- a/rules/icloud/icloud_bookmarks_disable.yaml
+++ b/rules/icloud/icloud_bookmarks_disable.yaml
@@ -50,7 +50,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml
index 802c1732..311e0005 100644
--- a/rules/icloud/icloud_calendar_disable.yaml
+++ b/rules/icloud/icloud_calendar_disable.yaml
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml
index 3af8bcd3..02914ed9 100644
--- a/rules/icloud/icloud_drive_disable.yaml
+++ b/rules/icloud/icloud_drive_disable.yaml
@@ -50,7 +50,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - "13.0"
+ - "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_game_center_disable.yaml b/rules/icloud/icloud_game_center_disable.yaml
index 85ddb2a9..335cfefb 100644
--- a/rules/icloud/icloud_game_center_disable.yaml
+++ b/rules/icloud/icloud_game_center_disable.yaml
@@ -47,7 +47,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml
index ffd2cd3d..fb33d6f6 100644
--- a/rules/icloud/icloud_keychain_disable.yaml
+++ b/rules/icloud/icloud_keychain_disable.yaml
@@ -50,7 +50,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml
index d3dc3fc9..1d634c4a 100644
--- a/rules/icloud/icloud_mail_disable.yaml
+++ b/rules/icloud/icloud_mail_disable.yaml
@@ -50,7 +50,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml
index c9f30d4a..e7129a89 100644
--- a/rules/icloud/icloud_notes_disable.yaml
+++ b/rules/icloud/icloud_notes_disable.yaml
@@ -50,7 +50,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml
index e8600d6d..7f4dced0 100644
--- a/rules/icloud/icloud_photos_disable.yaml
+++ b/rules/icloud/icloud_photos_disable.yaml
@@ -50,7 +50,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml
index b395b879..e6095de0 100644
--- a/rules/icloud/icloud_private_relay_disable.yaml
+++ b/rules/icloud/icloud_private_relay_disable.yaml
@@ -48,7 +48,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml
index f4a5793e..e344077a 100644
--- a/rules/icloud/icloud_reminders_disable.yaml
+++ b/rules/icloud/icloud_reminders_disable.yaml
@@ -50,7 +50,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml
index 2c04eefa..893bb934 100644
--- a/rules/icloud/icloud_sync_disable.yaml
+++ b/rules/icloud/icloud_sync_disable.yaml
@@ -48,7 +48,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_access_control_mobile_devices.yaml b/rules/os/os_access_control_mobile_devices.yaml
index dc732260..10ce4626 100644
--- a/rules/os/os_access_control_mobile_devices.yaml
+++ b/rules/os/os_access_control_mobile_devices.yaml
@@ -31,7 +31,7 @@ references:
 cmmc:
 - AC.L2-3.1.18
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml
index 6f4b7481..498b97f7 100644
--- a/rules/os/os_airdrop_disable.yaml
+++ b/rules/os/os_airdrop_disable.yaml
@@ -51,7 +51,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_allow_info_passed.yaml b/rules/os/os_allow_info_passed.yaml
index 1f92305a..b9fa2928 100644
--- a/rules/os/os_allow_info_passed.yaml
+++ b/rules/os/os_allow_info_passed.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 - cnssi-1253_moderate
diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml
index 9c5ccf2f..852aa481 100644
--- a/rules/os/os_anti_virus_installed.yaml
+++ b/rules/os/os_anti_virus_installed.yaml
@@ -28,7 +28,7 @@ references:
 disa_stig:
 - APPL-13-002070
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - stig
 severity: "high"
diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml
index fe1a500a..dbc38b65 100644
--- a/rules/os/os_appleid_prompt_disable.yaml
+++ b/rules/os/os_appleid_prompt_disable.yaml
@@ -37,7 +37,7 @@ references:
 cmmc:
 - AC.L1-3.1.20
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_application_sandboxing.yaml b/rules/os/os_application_sandboxing.yaml
index 5a8cd6d2..78c84e12 100644
--- a/rules/os/os_application_sandboxing.yaml
+++ b/rules/os/os_application_sandboxing.yaml
@@ -22,7 +22,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 - 800-53r5_low
diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml
index 5706a7f4..21bc8e20 100644
--- a/rules/os/os_asl_log_files_owner_group_configure.yaml
+++ b/rules/os/os_asl_log_files_owner_group_configure.yaml
@@ -29,7 +29,7 @@ references:
 800-171r2:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml
index a43b16ab..72c7e119 100644
--- a/rules/os/os_asl_log_files_permissions_configure.yaml
+++ b/rules/os/os_asl_log_files_permissions_configure.yaml
@@ -27,7 +27,7 @@ references:
 800-171r2:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml
index 30ebd9e2..27fb66b4 100644
--- a/rules/os/os_auth_peripherals.yaml
+++ b/rules/os/os_auth_peripherals.yaml
@@ -28,7 +28,7 @@ references:
 controls v8:
 - 13.9
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
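Review bot: The `macOS:` reference in this hunk moves to `"14.0"` while the `disa_stig:` entry two lines above stays `APPL-13-002070`, which follows the macOS 13 STIG numbering; the same pairing is left in the os_camera_disable, os_ess_installed and os_filevault_authorized_users hunks, and os_certificate_authority_trust keeps `APPL-13-003001` in a list that otherwise holds CMMC identifiers. A STIG baseline or compliance report generated from these rules will therefore attribute macOS 14 findings to macOS 13 STIG IDs. If no macOS 14 identifiers are available yet, a comment above each entry, `# STIG ID carried over from the macOS 13 STIG; revisit when the macOS 14 STIG is published`, would make the carry-over deliberate and easy to find later.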
diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml
index 08c17266..201bc118 100644
--- a/rules/os/os_authenticated_root_enable.yaml
+++ b/rules/os/os_authenticated_root_enable.yaml
@@ -55,7 +55,7 @@ references:
 - CM.L2-3.4.5
 - SC.L2-3.13.11
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml
index 1b53057c..f1476c5d 100644
--- a/rules/os/os_blank_bluray_disable.yaml
+++ b/rules/os/os_blank_bluray_disable.yaml
@@ -40,7 +40,7 @@ references:
 - MP.L2-3.8.7
 - MP.L2-3.8.8
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml
index 87145f13..2f140c2c 100644
--- a/rules/os/os_blank_cd_disable.yaml
+++ b/rules/os/os_blank_cd_disable.yaml
@@ -40,7 +40,7 @@ references:
 - MP.L2-3.8.7
 - MP.L2-3.8.8
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml
index e1a431ce..8844e93d 100644
--- a/rules/os/os_blank_dvd_disable.yaml
+++ b/rules/os/os_blank_dvd_disable.yaml
@@ -40,7 +40,7 @@ references:
 - MP.L2-3.8.7
 - MP.L2-3.8.8
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_bluray_read_only_enforce.yaml b/rules/os/os_bluray_read_only_enforce.yaml
index 15d05cee..65ea78b7 100644
--- a/rules/os/os_bluray_read_only_enforce.yaml
+++ b/rules/os/os_bluray_read_only_enforce.yaml
@@ -40,7 +40,7 @@ references:
 - MP.L2-3.8.7
 - MP.L2-3.8.8
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml
index 771a02ab..657d7213 100644
--- a/rules/os/os_bonjour_disable.yaml
+++ b/rules/os/os_bonjour_disable.yaml
@@ -38,7 +38,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_burn_support_disable.yaml b/rules/os/os_burn_support_disable.yaml
index 65e160f7..06acd0e5 100644
--- a/rules/os/os_burn_support_disable.yaml
+++ b/rules/os/os_burn_support_disable.yaml
@@ -30,7 +30,7 @@ references:
 - MP.L2-3.8.7
 - MP.L2-3.8.8
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml
index 869799bc..83933bf2 100644
--- a/rules/os/os_calendar_app_disable.yaml
+++ b/rules/os/os_calendar_app_disable.yaml
@@ -57,7 +57,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml
index 380d3739..12714c69 100644
--- a/rules/os/os_camera_disable.yaml
+++ b/rules/os/os_camera_disable.yaml
@@ -27,7 +27,7 @@ references:
 disa_stig:
 - APPL-13-002017
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - stig
 severity: "medium"
diff --git a/rules/os/os_cd_read_only_enforce.yaml b/rules/os/os_cd_read_only_enforce.yaml
index 2ee54186..276f8e42 100644
--- a/rules/os/os_cd_read_only_enforce.yaml
+++ b/rules/os/os_cd_read_only_enforce.yaml
@@ -40,7 +40,7 @@ references:
 - MP.L2-3.8.7
 - MP.L2-3.8.8
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_certificate_authority_trust.yaml b/rules/os/os_certificate_authority_trust.yaml
index 99b41f05..e52df3f8 100644
--- a/rules/os/os_certificate_authority_trust.yaml
+++ b/rules/os/os_certificate_authority_trust.yaml
@@ -26,7 +26,7 @@ references:
 - SC.L2-3.13.10
 - APPL-13-003001
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_change_security_attributes.yaml b/rules/os/os_change_security_attributes.yaml
index 5ff8a041..5bdf9ac2 100644
--- a/rules/os/os_change_security_attributes.yaml
+++ b/rules/os/os_change_security_attributes.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 - cnssi-1253_moderate
diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml
index 08e20fa2..452e722c 100644
--- a/rules/os/os_config_data_install_enforce.yaml
+++ b/rules/os/os_config_data_install_enforce.yaml
@@ -47,7 +47,7 @@ references:
 - SI.L1-3.14.2
 - SI.L1-3.14.4
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_config_profile_ui_install_disable.yaml b/rules/os/os_config_profile_ui_install_disable.yaml
index 3a77985a..29a874d0 100644
--- a/rules/os/os_config_profile_ui_install_disable.yaml
+++ b/rules/os/os_config_profile_ui_install_disable.yaml
@@ -28,7 +28,7 @@ references:
 cmmc:
 - CM.L2-3.4.5
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_continuous_monitoring.yaml b/rules/os/os_continuous_monitoring.yaml
index 3afd277f..fd7cb3cf 100644
--- a/rules/os/os_continuous_monitoring.yaml
+++ b/rules/os/os_continuous_monitoring.yaml
@@ -20,7 +20,7 @@ references:
 disa_stig:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_crypto_audit.yaml b/rules/os/os_crypto_audit.yaml
index 5a90dffc..a8886a86 100644
--- a/rules/os/os_crypto_audit.yaml
+++ b/rules/os/os_crypto_audit.yaml
@@ -26,7 +26,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_high
 - 800-53r4_high
diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml
index 38a4b9c5..7ddf3529 100644
--- a/rules/os/os_directory_services_configured.yaml
+++ b/rules/os/os_directory_services_configured.yaml
@@ -29,7 +29,7 @@ references:
 controls v8:
 - 6.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cisv8
 - stig
diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml
index 69e1fda3..a59dd7df 100644
--- a/rules/os/os_disk_image_disable.yaml
+++ b/rules/os/os_disk_image_disable.yaml
@@ -40,7 +40,7 @@ references:
 - MP.L2-3.8.7
 - MP.L2-3.8.8
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml
index a420f4ff..effa321a 100644
--- a/rules/os/os_dvdram_disable.yaml
+++ b/rules/os/os_dvdram_disable.yaml
@@ -40,7 +40,7 @@ references:
 - MP.L2-3.8.7
 - MP.L2-3.8.8
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_efi_integrity_validated.yaml b/rules/os/os_efi_integrity_validated.yaml
index 6136f9e7..de7bac3b 100644
--- a/rules/os/os_efi_integrity_validated.yaml
+++ b/rules/os/os_efi_integrity_validated.yaml
@@ -25,7 +25,7 @@ references:
 controls v8:
 - 2.2
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl1
 - cis_lvl2
diff --git a/rules/os/os_enforce_access_restrictions.yaml b/rules/os/os_enforce_access_restrictions.yaml
index 3a8ae231..5eb74b27 100644
--- a/rules/os/os_enforce_access_restrictions.yaml
+++ b/rules/os/os_enforce_access_restrictions.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_high
 - 800-53r4_high
diff --git a/rules/os/os_erase_content_and_settings_disable.yaml b/rules/os/os_erase_content_and_settings_disable.yaml
index 4475c550..954efaf7 100644
--- a/rules/os/os_erase_content_and_settings_disable.yaml
+++ b/rules/os/os_erase_content_and_settings_disable.yaml
@@ -30,7 +30,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_error_message.yaml b/rules/os/os_error_message.yaml
index 4684e9b6..f7ffcd4e 100644
--- a/rules/os/os_error_message.yaml
+++ b/rules/os/os_error_message.yaml
@@ -20,7 +20,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 mobileconfig: false
diff --git a/rules/os/os_ess_installed.yaml b/rules/os/os_ess_installed.yaml
index 7617fb10..edba3ac3 100644
--- a/rules/os/os_ess_installed.yaml
+++ b/rules/os/os_ess_installed.yaml
@@ -23,7 +23,7 @@ references:
 disa_stig:
 - APPL-13-000015
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - manual
 - cisv8
diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml
index d7cb0a6f..115bb06a 100644
--- a/rules/os/os_facetime_app_disable.yaml
+++ b/rules/os/os_facetime_app_disable.yaml
@@ -54,7 +54,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_fail_secure_state.yaml b/rules/os/os_fail_secure_state.yaml
index f4d6ca9c..dc8e6aa2 100644
--- a/rules/os/os_fail_secure_state.yaml
+++ b/rules/os/os_fail_secure_state.yaml
@@ -26,7 +26,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_high
 - 800-53r4_high
diff --git a/rules/os/os_filevault_authorized_users.yaml b/rules/os/os_filevault_authorized_users.yaml
index aae4a2a7..29099874 100644
--- a/rules/os/os_filevault_authorized_users.yaml
+++ b/rules/os/os_filevault_authorized_users.yaml
@@ -27,7 +27,7 @@ references:
 disa_stig:
 - APPL-13-000032
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_high
 - manual
diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml
index 17d99cfc..7738f7fa 100644
--- a/rules/os/os_filevault_autologin_disable.yaml
+++ b/rules/os/os_filevault_autologin_disable.yaml
@@ -44,7 +44,7 @@ references:
 cmmc:
 - AC.L1-3.1.1
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_firewall_default_deny_require.yaml b/rules/os/os_firewall_default_deny_require.yaml
index 2cd25142..9eed5c86 100644
--- a/rules/os/os_firewall_default_deny_require.yaml
+++ b/rules/os/os_firewall_default_deny_require.yaml
@@ -41,7 +41,7 @@ references:
 - AC.L2-3.1.3
 - SC.L2-3.13.6
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml
index a0ddcac9..5b8723bf 100644
--- a/rules/os/os_firewall_log_enable.yaml
+++ b/rules/os/os_firewall_log_enable.yaml
@@ -56,7 +56,7 @@ references:
 - AU.L2-3.3.6
 - SC.L1-3.13.1
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml
index 0af4c037..17ee0bb4 100644
--- a/rules/os/os_firmware_password_require.yaml
+++ b/rules/os/os_firmware_password_require.yaml
@@ -41,7 +41,7 @@ references:
 - AC.L1-3.1.1
 - AC.L2-3.1.5
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml
index 984c0dc6..d3609cd7 100644
--- a/rules/os/os_gatekeeper_enable.yaml
+++ b/rules/os/os_gatekeeper_enable.yaml
@@ -50,7 +50,7 @@ references:
 - SI.L1-3.14.2
 - SI.L1-3.14.4
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml
index 04b84d75..6f11ecce 100644
--- a/rules/os/os_gatekeeper_rearm.yaml
+++ b/rules/os/os_gatekeeper_rearm.yaml
@@ -38,7 +38,7 @@ references:
 - SI.L1-3.14.4
 - CM.L2-3.4.5
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_grant_privs.yaml b/rules/os/os_grant_privs.yaml
index e69881e9..6a152811 100644
--- a/rules/os/os_grant_privs.yaml
+++ b/rules/os/os_grant_privs.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 - cnssi-1253_moderate
diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml
index 9265daee..c734ae58 100644
--- a/rules/os/os_guest_folder_removed.yaml
+++ b/rules/os/os_guest_folder_removed.yaml
@@ -32,7 +32,7 @@ references:
 controls v8:
 - 4.1
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl1
 - cis_lvl2
diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml
index 7edf10b3..bab11995 100644
--- a/rules/os/os_handoff_disable.yaml
+++ b/rules/os/os_handoff_disable.yaml
@@ -49,7 +49,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
index dfc19e8e..8a1a25c3 100644
--- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
+++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
@@ -32,7 +32,7 @@ references:
 controls v8:
 - 4.1
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl2
 - cisv8
diff --git a/rules/os/os_hibernate_mode_enable.yaml b/rules/os/os_hibernate_mode_enable.yaml
index dfef4553..b40f7887 100644
--- a/rules/os/os_hibernate_mode_enable.yaml
+++ b/rules/os/os_hibernate_mode_enable.yaml
@@ -67,7 +67,7 @@ references:
 controls v8:
 - 4.1
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl2
 - cisv8
diff --git a/rules/os/os_home_folders_default.yaml b/rules/os/os_home_folders_default.yaml
index 9bd36df6..1ee02639 100644
--- a/rules/os/os_home_folders_default.yaml
+++ b/rules/os/os_home_folders_default.yaml
@@ -52,7 +52,7 @@ references:
 controls v8:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - manual
 - stig
diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml
index 95ec564a..01d74f6a 100644
--- a/rules/os/os_home_folders_secure.yaml
+++ b/rules/os/os_home_folders_secure.yaml
@@ -41,7 +41,7 @@ references:
 - AC.L1-3.1.1
 - AC.L2-3.1.5
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml
index 26de9b59..efc7580a 100644
--- a/rules/os/os_httpd_disable.yaml
+++ b/rules/os/os_httpd_disable.yaml @@ -39,7 +39,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml index 6ebb2663..cb6f788c 100644 --- a/rules/os/os_icloud_storage_prompt_disable.yaml +++ b/rules/os/os_icloud_storage_prompt_disable.yaml @@ -37,7 +37,7 @@ references: cmmc: - AC.L1-3.1.20 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_identify_non-org_users.yaml b/rules/os/os_identify_non-org_users.yaml index 4dbb2b25..c1d02c67 100644 --- a/rules/os/os_identify_non-org_users.yaml +++ b/rules/os/os_identify_non-org_users.yaml @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml index 61b3938b..08c684cb 100644 --- a/rules/os/os_implement_cryptography.yaml +++ b/rules/os/os_implement_cryptography.yaml @@ -5,7 +5,7 @@ discussion: | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government. - Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Ventura will be submitted for FIPS validation. + Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Sonoma will be submitted for FIPS validation. link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[] @@ -33,7 +33,7 @@ references: - MP.L2-3.8.6 - SC.L2-3.13.11 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate 
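Review bot: The rewritten sentence in the os_implement_cryptography `discussion:` hunk states `macOS Sonoma will be submitted for FIPS validation` as a settled fact about a future event, so the rule text goes stale as soon as the submission status changes and nothing in the rule can be checked against it. The CMVP link that follows is the authoritative source, so phrasing it as `macOS Sonoma is expected to be submitted for FIPS validation; consult the CMVP listing linked below for current status.` keeps the claim verifiable while preserving the author's point. The discussion block begins outside the hunk.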
diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml
index c4893dc3..b0a43155 100644
--- a/rules/os/os_implement_memory_protection.yaml
+++ b/rules/os/os_implement_memory_protection.yaml
@@ -31,7 +31,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_information_validation.yaml b/rules/os/os_information_validation.yaml
index 290923f9..ebaea7cb 100644
--- a/rules/os/os_information_validation.yaml
+++ b/rules/os/os_information_validation.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_install_log_retention_configure.yaml b/rules/os/os_install_log_retention_configure.yaml
index 034ec389..b2ed146d 100644
--- a/rules/os/os_install_log_retention_configure.yaml
+++ b/rules/os/os_install_log_retention_configure.yaml
@@ -39,7 +39,7 @@ references:
 cmmc:
 - AU.L2-3.3.1
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Number of days."
 recommended: 365
diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml
index 0b8b497c..54f6723c 100644
--- a/rules/os/os_ir_support_disable.yaml
+++ b/rules/os/os_ir_support_disable.yaml
@@ -47,7 +47,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_isolate_security_functions.yaml b/rules/os/os_isolate_security_functions.yaml
index 386ecfb5..eaa0b99c 100644
--- a/rules/os/os_isolate_security_functions.yaml
+++ b/rules/os/os_isolate_security_functions.yaml
@@ -24,7 +24,7 @@ references:
 cmmc:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_high
 - 800-53r4_high
diff --git a/rules/os/os_library_validation_enabled.yaml b/rules/os/os_library_validation_enabled.yaml
index b53059d9..42a17434 100644
--- a/rules/os/os_library_validation_enabled.yaml
+++ b/rules/os/os_library_validation_enabled.yaml
@@ -33,7 +33,7 @@ references:
 - 2.3
 - 2.6
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cisv8
 mobileconfig: true
diff --git a/rules/os/os_limit_auditable_events.yaml b/rules/os/os_limit_auditable_events.yaml
index 67b165c4..b3c03ecd 100644
--- a/rules/os/os_limit_auditable_events.yaml
+++ b/rules/os/os_limit_auditable_events.yaml
@@ -20,7 +20,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 mobileconfig: false
diff --git a/rules/os/os_limit_dos_attacks.yaml b/rules/os/os_limit_dos_attacks.yaml
index 4be54640..668f6bfa 100644
--- a/rules/os/os_limit_dos_attacks.yaml
+++ b/rules/os/os_limit_dos_attacks.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - permanent
 - cnssi-1253_moderate
diff --git a/rules/os/os_limit_gui_sessions.yaml b/rules/os/os_limit_gui_sessions.yaml
index fa60c38b..59697a3d 100644
--- a/rules/os/os_limit_gui_sessions.yaml
+++ b/rules/os/os_limit_gui_sessions.yaml
@@ -22,7 +22,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_high
 - 800-53r4_high
diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml
index 20d951a1..d14bd177 100644
--- a/rules/os/os_logical_access.yaml
+++ b/rules/os/os_logical_access.yaml
@@ -35,7 +35,7 @@ references:
 cmmc:
 - AC.L1-3.1.1
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_logoff_capability_and_message.yaml b/rules/os/os_logoff_capability_and_message.yaml
index a8f1fefc..2b5e3c98 100644
--- a/rules/os/os_logoff_capability_and_message.yaml
+++ b/rules/os/os_logoff_capability_and_message.yaml
@@ -23,7 +23,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 - cnssi-1253_moderate
diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml
index 0310bba5..0c13dcc0 100644
--- a/rules/os/os_mail_app_disable.yaml
+++ b/rules/os/os_mail_app_disable.yaml
@@ -59,7 +59,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml
index c6834843..3acb4b33 100644
--- a/rules/os/os_malicious_code_prevention.yaml
+++ b/rules/os/os_malicious_code_prevention.yaml
@@ -57,7 +57,7 @@ references:
 - SI.L1-3.14.2
 - SI.L1-3.14.4
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 - 800-53r5_low
diff --git a/rules/os/os_managed_access_control_points.yaml b/rules/os/os_managed_access_control_points.yaml
index f460790f..d3aa6511 100644
--- a/rules/os/os_managed_access_control_points.yaml
+++ b/rules/os/os_managed_access_control_points.yaml
@@ -26,7 +26,7 @@ references:
 cmmc:
 - AC.L2-3.1.14
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_map_pki_identity.yaml b/rules/os/os_map_pki_identity.yaml
index d20c450f..d8ff5946 100644
--- a/rules/os/os_map_pki_identity.yaml
+++ b/rules/os/os_map_pki_identity.yaml
@@ -20,7 +20,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 mobileconfig: false
diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml
index 45260dcf..61b85b39 100644
--- a/rules/os/os_mdm_require.yaml
+++ b/rules/os/os_mdm_require.yaml
@@ -51,7 +51,7 @@ references:
 cmmc:
 - CM.L2-3.4.2
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml
index def7ebb8..fb880373 100644
--- a/rules/os/os_messages_app_disable.yaml
+++ b/rules/os/os_messages_app_disable.yaml
@@ -54,7 +54,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_mfa_network_access.yaml b/rules/os/os_mfa_network_access.yaml
index 3389680d..b89f106e 100644
--- a/rules/os/os_mfa_network_access.yaml
+++ b/rules/os/os_mfa_network_access.yaml
@@ -26,7 +26,7 @@ references:
 controls v8:
 - 5.6
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 - cisv8
diff --git a/rules/os/os_mfa_network_non-priv.yaml b/rules/os/os_mfa_network_non-priv.yaml
index 25506923..f3b17663 100644
--- a/rules/os/os_mfa_network_non-priv.yaml
+++ b/rules/os/os_mfa_network_non-priv.yaml
@@ -21,7 +21,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 mobileconfig: false
diff --git a/rules/os/os_mobile_file_integrity_enable.yaml b/rules/os/os_mobile_file_integrity_enable.yaml
index fa096c5a..833e8321 100644
--- a/rules/os/os_mobile_file_integrity_enable.yaml
+++ b/rules/os/os_mobile_file_integrity_enable.yaml
@@ -33,7 +33,7 @@ references:
 - 2.3
 - 2.6
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl1
 - cis_lvl2
diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml
index fab972fc..08bf8636 100644
--- a/rules/os/os_newsyslog_files_owner_group_configure.yaml
+++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml
@@ -29,7 +29,7 @@ references:
 800-171r2:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml
index 3f3f954b..caffc20e 100644
--- a/rules/os/os_newsyslog_files_permissions_configure.yaml
+++ b/rules/os/os_newsyslog_files_permissions_configure.yaml
@@ -28,7 +28,7 @@ references:
 800-171r2:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml
index ec7c29e3..39e57dfd 100644
--- a/rules/os/os_nfsd_disable.yaml
+++ b/rules/os/os_nfsd_disable.yaml
@@ -38,7 +38,7 @@ references:
 cmmc:
 - AC.L1-3.1.1
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_non_repudiation.yaml b/rules/os/os_non_repudiation.yaml
index ff1fb886..3063c5b8 100644
--- a/rules/os/os_non_repudiation.yaml
+++ b/rules/os/os_non_repudiation.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_high
 - n_a
diff --git a/rules/os/os_nonlocal_maintenance.yaml b/rules/os/os_nonlocal_maintenance.yaml
index 2b810773..085fd400 100644
--- a/rules/os/os_nonlocal_maintenance.yaml
+++ b/rules/os/os_nonlocal_maintenance.yaml
@@ -24,7 +24,7 @@ references:
 cmmc:
 - MA.L2-3.7.5
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_notify_account_created.yaml b/rules/os/os_notify_account_created.yaml
index 2aee2f06..6065468b 100644
--- a/rules/os/os_notify_account_created.yaml
+++ b/rules/os/os_notify_account_created.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r4_moderate
 - 800-53r4_high
diff --git a/rules/os/os_notify_account_disabled.yaml b/rules/os/os_notify_account_disabled.yaml
index 4e7142d9..99503b35 100644
--- a/rules/os/os_notify_account_disabled.yaml
+++ b/rules/os/os_notify_account_disabled.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r4_moderate
 - 800-53r4_high
diff --git a/rules/os/os_notify_account_enable.yaml b/rules/os/os_notify_account_enable.yaml
index bfd92f59..64bae74a 100644
--- a/rules/os/os_notify_account_enable.yaml
+++ b/rules/os/os_notify_account_enable.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r4_moderate
 - 800-53r4_high
diff --git a/rules/os/os_notify_account_modified.yaml b/rules/os/os_notify_account_modified.yaml
index a82ce151..b0712961 100644
--- a/rules/os/os_notify_account_modified.yaml
+++ b/rules/os/os_notify_account_modified.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r4_moderate
 - 800-53r4_high
diff --git a/rules/os/os_notify_account_removal.yaml b/rules/os/os_notify_account_removal.yaml
index 9ca853d3..8da4dc09 100644
--- a/rules/os/os_notify_account_removal.yaml
+++ b/rules/os/os_notify_account_removal.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r4_moderate
 - 800-53r4_high
diff --git a/rules/os/os_notify_unauthorized_baseline_change.yaml b/rules/os/os_notify_unauthorized_baseline_change.yaml
index f094dc8f..ce09b229 100644
--- a/rules/os/os_notify_unauthorized_baseline_change.yaml
+++ b/rules/os/os_notify_unauthorized_baseline_change.yaml
@@ -26,7 +26,7 @@ references:
 cmmc:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - permanent
 - cnssi-1253_high
diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml
index cf63f644..80d1d877 100644
--- a/rules/os/os_obscure_password.yaml
+++ b/rules/os/os_obscure_password.yaml
@@ -39,7 +39,7 @@ references:
 - IA.L2-3.5.9
 - IA.L2-3.5.11
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml
index abd07e17..d0becc81 100644
--- a/rules/os/os_parental_controls_enable.yaml
+++ b/rules/os/os_parental_controls_enable.yaml
@@ -36,7 +36,7 @@ references:
 controls v8:
 - 4.8
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml
index a2d0c98c..a83995c3 100644
--- a/rules/os/os_password_autofill_disable.yaml
+++ b/rules/os/os_password_autofill_disable.yaml
@@ -50,7 +50,7 @@ references:
 - IA.L2-3.5.8
 - IA.L2-3.5.9
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_password_hint_remove.yaml b/rules/os/os_password_hint_remove.yaml
index 1d270c92..988ae71b 100644
--- a/rules/os/os_password_hint_remove.yaml
+++ b/rules/os/os_password_hint_remove.yaml
@@ -32,7 +32,7 @@ references:
 cmmc:
 - IA.L2-3.5.11
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl1
 - cis_lvl2
diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml
index 8576e5ec..571474d9 100644
--- a/rules/os/os_password_proximity_disable.yaml
+++ b/rules/os/os_password_proximity_disable.yaml
@@ -39,7 +39,7 @@ references:
 - IA.L2-3.5.8
 - IA.L2-3.5.9
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml
index 93027962..b4e67093 100644
--- a/rules/os/os_password_sharing_disable.yaml
+++ b/rules/os/os_password_sharing_disable.yaml
@@ -37,7 +37,7 @@ references:
 - IA.L2-3.5.8
 - IA.L2-3.5.9
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_peripherals_identify.yaml b/rules/os/os_peripherals_identify.yaml
index fb02ee8a..c7f6d0a0 100644
--- a/rules/os/os_peripherals_identify.yaml
+++ b/rules/os/os_peripherals_identify.yaml
@@ -24,7 +24,7 @@ references:
 800-171r2:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 mobileconfig: false
diff --git a/rules/os/os_pii_deidentification.yaml b/rules/os/os_pii_deidentification.yaml
index 63bea8ad..e0dc1f90 100644
--- a/rules/os/os_pii_deidentification.yaml
+++ b/rules/os/os_pii_deidentification.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_privacy
 - n_a
diff --git a/rules/os/os_pii_quality_control.yaml b/rules/os/os_pii_quality_control.yaml
index f0682077..8642e4e7 100644
--- a/rules/os/os_pii_quality_control.yaml
+++ b/rules/os/os_pii_quality_control.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_privacy
 - n_a
diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml
index 0582a0b6..c2beaa06 100644
--- a/rules/os/os_policy_banner_loginwindow_enforce.yaml
+++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml
@@ -57,7 +57,7 @@ references:
 cmmc:
 - AC.L2-3.1.9
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Organization's Policy Text"
 recommended: |-
diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml
index 3b336c35..78aa43b9 100644
--- a/rules/os/os_policy_banner_ssh_configure.yaml
+++ b/rules/os/os_policy_banner_ssh_configure.yaml
@@ -35,7 +35,7 @@ references:
 cmmc:
 - AC.L2-3.1.9
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Organization's Policy Text"
 recommended: |-
diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml
index 0f2eb55b..6ead4e8c 100644
--- a/rules/os/os_policy_banner_ssh_enforce.yaml
+++ b/rules/os/os_policy_banner_ssh_enforce.yaml
@@ -53,7 +53,7 @@ references:
 cmmc:
 - AC.L2-3.1.9
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_power_nap_disable.yaml b/rules/os/os_power_nap_disable.yaml
index ad5f082a..2b637acb 100644
--- a/rules/os/os_power_nap_disable.yaml
+++ b/rules/os/os_power_nap_disable.yaml
@@ -49,7 +49,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl1
 - cis_lvl2
diff --git a/rules/os/os_power_nap_enable.yaml b/rules/os/os_power_nap_enable.yaml
index 25ba06a0..c45f52fb 100644
--- a/rules/os/os_power_nap_enable.yaml
+++ b/rules/os/os_power_nap_enable.yaml
@@ -43,7 +43,7 @@ references:
 controls v8:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - none
 mobileconfig: false
diff --git a/rules/os/os_predictable_behavior.yaml b/rules/os/os_predictable_behavior.yaml
index c1237ecb..96262d1a 100644
--- a/rules/os/os_predictable_behavior.yaml
+++ b/rules/os/os_predictable_behavior.yaml
@@ -20,7 +20,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 - cnssi-1253_moderate
diff --git a/rules/os/os_prevent_priv_execution.yaml b/rules/os/os_prevent_priv_execution.yaml
index 11c72fcd..6ed21a0d 100644
--- a/rules/os/os_prevent_priv_execution.yaml
+++ b/rules/os/os_prevent_priv_execution.yaml
@@ -26,7 +26,7 @@ references:
 800-171r2:
 - 3.1.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 - cnssi-1253_moderate
diff --git a/rules/os/os_prevent_priv_functions.yaml b/rules/os/os_prevent_priv_functions.yaml
index 18fdef20..7a7f366b 100644
--- a/rules/os/os_prevent_priv_functions.yaml
+++ b/rules/os/os_prevent_priv_functions.yaml
@@ -30,7 +30,7 @@ references:
 cmmc:
 - AC.L2-3.1.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_prevent_unauthorized_disclosure.yaml b/rules/os/os_prevent_unauthorized_disclosure.yaml
index 66a68df9..3b493277 100644
--- a/rules/os/os_prevent_unauthorized_disclosure.yaml
+++ b/rules/os/os_prevent_unauthorized_disclosure.yaml
@@ -28,7 +28,7 @@ references:
 cmmc:
 - SC.L2-3.13.4
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_privacy_principle_minimization.yaml b/rules/os/os_privacy_principle_minimization.yaml
index 5f8ac977..1676b937 100644
--- a/rules/os/os_privacy_principle_minimization.yaml
+++ b/rules/os/os_privacy_principle_minimization.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_privacy
 - n_a
diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml
index e5e7dfd4..04e175e4 100644
--- a/rules/os/os_privacy_setup_prompt_disable.yaml
+++ b/rules/os/os_privacy_setup_prompt_disable.yaml
@@ -38,7 +38,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cisv8
 - cnssi-1253_moderate
diff --git a/rules/os/os_prohibit_remote_activation_collab_devices.yaml b/rules/os/os_prohibit_remote_activation_collab_devices.yaml
index 7390501d..74da1e78 100644
--- a/rules/os/os_prohibit_remote_activation_collab_devices.yaml
+++ b/rules/os/os_prohibit_remote_activation_collab_devices.yaml
@@ -30,7 +30,7 @@ references:
 cmmc:
 - SC.L2-3.13.12
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 - 800-53r5_low
diff --git a/rules/os/os_protect_dos_attacks.yaml b/rules/os/os_protect_dos_attacks.yaml
index 5d98c2a7..c854d0a4 100644
--- a/rules/os/os_protect_dos_attacks.yaml
+++ b/rules/os/os_protect_dos_attacks.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_provide_automated_account_management.yaml b/rules/os/os_provide_automated_account_management.yaml
index 45cd2489..4b87259f 100644
--- a/rules/os/os_provide_automated_account_management.yaml
+++ b/rules/os/os_provide_automated_account_management.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_provide_disconnect_remote_access.yaml b/rules/os/os_provide_disconnect_remote_access.yaml
index 508a9e6d..7103f188 100644
--- a/rules/os/os_provide_disconnect_remote_access.yaml
+++ b/rules/os/os_provide_disconnect_remote_access.yaml
@@ -20,7 +20,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 - cnssi-1253_moderate
diff --git a/rules/os/os_rapid_security_response_allow.yaml b/rules/os/os_rapid_security_response_allow.yaml
index e927a524..713e6569 100644
--- a/rules/os/os_rapid_security_response_allow.yaml
+++ b/rules/os/os_rapid_security_response_allow.yaml
@@ -38,7 +38,7 @@ references:
 - SI.L1-3.14.2
 - SI.L1-3.14.4
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_rapid_security_response_removal_disable.yaml b/rules/os/os_rapid_security_response_removal_disable.yaml
index 6d5aca45..9094d7c7 100644
--- a/rules/os/os_rapid_security_response_removal_disable.yaml
+++ b/rules/os/os_rapid_security_response_removal_disable.yaml
@@ -38,7 +38,7 @@ references:
 - SI.L1-3.14.2
 - SI.L1-3.14.4
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_reauth_devices_change_authenticators.yaml b/rules/os/os_reauth_devices_change_authenticators.yaml
index 6fa8421a..d3682e4b 100644
--- a/rules/os/os_reauth_devices_change_authenticators.yaml
+++ b/rules/os/os_reauth_devices_change_authenticators.yaml
@@ -22,7 +22,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_reauth_privilege.yaml b/rules/os/os_reauth_privilege.yaml
index 452e47da..96de3e98 100644
--- a/rules/os/os_reauth_privilege.yaml
+++ b/rules/os/os_reauth_privilege.yaml
@@ -20,7 +20,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 - cnssi-1253_moderate
diff --git a/rules/os/os_reauth_users_change_authenticators.yaml b/rules/os/os_reauth_users_change_authenticators.yaml
index 2a204800..6231c67f 100644
--- a/rules/os/os_reauth_users_change_authenticators.yaml
+++ b/rules/os/os_reauth_users_change_authenticators.yaml
@@ -20,7 +20,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 - 800-53r5_low
diff --git a/rules/os/os_recovery_lock_enable.yaml b/rules/os/os_recovery_lock_enable.yaml
index 2a23a6af..7650c0ef 100644
--- a/rules/os/os_recovery_lock_enable.yaml
+++ b/rules/os/os_recovery_lock_enable.yaml
@@ -31,7 +31,7 @@ references:
 - AC.L1-3.1.1
 - AC.L2-3.1.5
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_remote_access_methods.yaml b/rules/os/os_remote_access_methods.yaml
index e1fe10e5..b61afd1a 100644
--- a/rules/os/os_remote_access_methods.yaml
+++ b/rules/os/os_remote_access_methods.yaml
@@ -20,7 +20,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 mobileconfig: false
diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml
index ac3c46b5..ffb682d7 100644
--- a/rules/os/os_removable_media_disable.yaml
+++ b/rules/os/os_removable_media_disable.yaml
@@ -42,7 +42,7 @@ references:
 - MP.L2-3.8.7
 - MP.L2-3.8.8
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_remove_software_components_after_updates.yaml b/rules/os/os_remove_software_components_after_updates.yaml
index 09f02823..552ad7bd 100644
--- a/rules/os/os_remove_software_components_after_updates.yaml
+++ b/rules/os/os_remove_software_components_after_updates.yaml
@@ -20,7 +20,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 - cnssi-1253_moderate
diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml
index 1c4523e7..6c867bba 100644
--- a/rules/os/os_required_crypto_module.yaml
+++ b/rules/os/os_required_crypto_module.yaml
@@ -28,7 +28,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml
index c23ef123..3eaec795 100644
--- a/rules/os/os_root_disable.yaml
+++ b/rules/os/os_root_disable.yaml
@@ -36,7 +36,7 @@ references:
 - IA.L1-3.5.1
 - IA.L1-3.5.2
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_safari_advertising_privacy_protection_enable.yaml b/rules/os/os_safari_advertising_privacy_protection_enable.yaml
index 419e8171..e81e9133 100644
--- a/rules/os/os_safari_advertising_privacy_protection_enable.yaml
+++ b/rules/os/os_safari_advertising_privacy_protection_enable.yaml
@@ -27,7 +27,7 @@ references:
 controls v8:
 - 9.1
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl1
 - cis_lvl2
diff --git a/rules/os/os_safari_open_safe_downloads_disable.yaml b/rules/os/os_safari_open_safe_downloads_disable.yaml
index ff169c6d..ec73113f 100644
--- a/rules/os/os_safari_open_safe_downloads_disable.yaml
+++ b/rules/os/os_safari_open_safe_downloads_disable.yaml
@@ -28,7 +28,7 @@ references:
 - 9.1
 - 9.6
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl1
 - cis_lvl2
diff --git a/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml b/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml
index c09b812e..e6cc9675 100644
--- a/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml
+++ b/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml
@@ -28,7 +28,7 @@ references:
 - 9.1
 - 9.3
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl1
 - cis_lvl2
diff --git a/rules/os/os_safari_show_full_website_address_enable.yaml b/rules/os/os_safari_show_full_website_address_enable.yaml
index c1356e22..ec02ddab 100644
--- a/rules/os/os_safari_show_full_website_address_enable.yaml
+++ b/rules/os/os_safari_show_full_website_address_enable.yaml
@@ -27,7 +27,7 @@ references:
 controls v8:
 - 9.1
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl1
 - cis_lvl2
diff --git a/rules/os/os_safari_warn_fraudulent_website_enable.yaml b/rules/os/os_safari_warn_fraudulent_website_enable.yaml
index 94e02e7b..e6d5742d 100644
--- a/rules/os/os_safari_warn_fraudulent_website_enable.yaml
+++ b/rules/os/os_safari_warn_fraudulent_website_enable.yaml
@@ -28,7 +28,7 @@ references:
 - 9.1
 - 9.3
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl1
 - cis_lvl2
diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml
index e7b421d9..c5ffaadb 100644
--- a/rules/os/os_screensaver_loginwindow_enforce.yaml
+++ b/rules/os/os_screensaver_loginwindow_enforce.yaml
@@ -27,7 +27,7 @@ references:
 800-171r2:
 - 3.1.10
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml
index 4f9c11eb..ce218145 100644
--- a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml
+++ b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml
@@ -40,7 +40,7 @@ references:
 controls v8:
 - 4.3
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Number of seconds."
 recommended: 1200
diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml
index 1cacd670..ea0f40c8 100644
--- a/rules/os/os_secure_boot_verify.yaml
+++ b/rules/os/os_secure_boot_verify.yaml
@@ -29,7 +29,7 @@ references:
 disa_stig:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_high
 - 800-53r5_moderate
diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml
index 73aec76c..6c9f7a46 100644
--- a/rules/os/os_secure_enclave.yaml
+++ b/rules/os/os_secure_enclave.yaml
@@ -28,7 +28,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 - cnssi-1253_moderate
diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml
index 67e1f31b..816394ab 100644
--- a/rules/os/os_secure_name_resolution.yaml
+++ b/rules/os/os_secure_name_resolution.yaml
@@ -27,7 +27,7 @@ references:
 controls v8:
 - 4.9
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_separate_functionality.yaml b/rules/os/os_separate_functionality.yaml
index 30d8b6f0..8121be51 100644
--- a/rules/os/os_separate_functionality.yaml
+++ b/rules/os/os_separate_functionality.yaml
@@ -31,7 +31,7 @@ references:
 cmmc:
 - SC.L2-3.13.3
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_show_filename_extensions_enable.yaml b/rules/os/os_show_filename_extensions_enable.yaml
index 38c0c5c9..8104ff84 100644
--- a/rules/os/os_show_filename_extensions_enable.yaml
+++ b/rules/os/os_show_filename_extensions_enable.yaml
@@ -41,7 +41,7 @@ references:
 controls v8:
 - 2.3
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl1
 - cis_lvl2
diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml
index f1d93eb2..5f1bfe13 100644
--- a/rules/os/os_sip_enable.yaml
+++ b/rules/os/os_sip_enable.yaml
@@ -95,7 +95,7 @@ references:
 - SI.L1-3.14.1
 - SI.L1-3.14.4
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml
index 4a091119..4c954e91 100644
--- a/rules/os/os_siri_prompt_disable.yaml
+++ b/rules/os/os_siri_prompt_disable.yaml
@@ -46,7 +46,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_skip_screen_time_prompt_enable.yaml b/rules/os/os_skip_screen_time_prompt_enable.yaml
index b67af2d0..b7e18d8e 100644
--- a/rules/os/os_skip_screen_time_prompt_enable.yaml
+++ b/rules/os/os_skip_screen_time_prompt_enable.yaml
@@ -30,7 +30,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_skip_unlock_with_watch_enable.yaml b/rules/os/os_skip_unlock_with_watch_enable.yaml
index 7d69813b..ce94dd8f 100644
--- a/rules/os/os_skip_unlock_with_watch_enable.yaml
+++ b/rules/os/os_skip_unlock_with_watch_enable.yaml
@@ -36,7 +36,7 @@ references:
 cmmc:
 - AC.L1-3.1.20
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_software_update_deferral.yaml b/rules/os/os_software_update_deferral.yaml
index b227de62..98e3f57f 100644
--- a/rules/os/os_software_update_deferral.yaml
+++ b/rules/os/os_software_update_deferral.yaml
@@ -40,7 +40,7 @@ references:
 - 7.3
 - 7.4
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Number of days."
 recommended: 30
diff --git a/rules/os/os_ssh_fips_compliant.yaml b/rules/os/os_ssh_fips_compliant.yaml
index cce4c254..e38f4693 100644
--- a/rules/os/os_ssh_fips_compliant.yaml
+++ b/rules/os/os_ssh_fips_compliant.yaml
@@ -62,7 +62,7 @@ references:
 - SC.L2-3.13.8
 - SC.L2-3.13.11
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml
index dcc361b7..69da88d4 100644
--- a/rules/os/os_ssh_server_alive_count_max_configure.yaml
+++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml
@@ -45,7 +45,7 @@ references:
 cmmc:
 - SC.L2-3.13.9
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Number of seconds."
 recommended: 0
diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml
index ef4478ee..a1d05551 100644
--- a/rules/os/os_ssh_server_alive_interval_configure.yaml
+++ b/rules/os/os_ssh_server_alive_interval_configure.yaml
@@ -49,7 +49,7 @@ references:
 - AC.L2-3.1.11
 - SC.L2-3.13.9
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Number of seconds."
 recommended: 900
diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml
index e808a6e1..964aedfa 100644
--- a/rules/os/os_sshd_client_alive_count_max_configure.yaml
+++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml
@@ -51,7 +51,7 @@ references:
 cmmc:
 - SC.L2-3.13.9
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Number of seconds."
 recommended: 0
diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml
index 6555a002..093826ce 100644
--- a/rules/os/os_sshd_client_alive_interval_configure.yaml
+++ b/rules/os/os_sshd_client_alive_interval_configure.yaml
@@ -55,7 +55,7 @@ references:
 - AC.L2-3.1.11
 - SC.L2-3.13.9
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Number of seconds."
 recommended: 900
diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml
index d2a31aa3..2812b35a 100644
--- a/rules/os/os_sshd_fips_140_ciphers.yaml
+++ b/rules/os/os_sshd_fips_140_ciphers.yaml
@@ -63,7 +63,7 @@ references:
 - SC.L2-3.13.8
 - SC.L2-3.13.11
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - stig
 severity: "high"
diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml
index ce639928..c3c5e097 100644
--- a/rules/os/os_sshd_fips_140_macs.yaml
+++ b/rules/os/os_sshd_fips_140_macs.yaml
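Review bot: In the os_sshd_client_alive_count_max_configure hunk the ODV hint `hint: "Number of seconds."` is wrong for this rule: ClientAliveCountMax is a count of unanswered keep-alive probes, not a duration, and the same mislabel appears in the os_ssh_server_alive_count_max_configure hunk above it for ServerAliveCountMax. An operator reading the hint when choosing an organization-defined value will size it as a timeout. Suggested text for both: `hint: "Number of unanswered alive messages before the session is dropped."`. Separately, and worth confirming against the OpenSSH build shipped with Sonoma, current sshd_config(5) documents a zero ClientAliveCountMax as disabling connection termination entirely, which would make `recommended: 0` undercut the 900-second interval in the sibling os_sshd_client_alive_interval_configure rule rather than enforce it.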
@@ -63,7 +63,7 @@ references:
 - SC.L2-3.13.8
 - SC.L2-3.13.11
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - stig
 severity: "high"
diff --git a/rules/os/os_sshd_fips_compliant.yaml b/rules/os/os_sshd_fips_compliant.yaml
index a3f13a16..d608d92c 100644
--- a/rules/os/os_sshd_fips_compliant.yaml
+++ b/rules/os/os_sshd_fips_compliant.yaml
@@ -73,7 +73,7 @@ references:
 - SC.L2-3.13.8
 - SC.L2-3.13.11
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
index b957d9bb..525f1667 100644
--- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
+++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
@@ -55,7 +55,7 @@ references:
 cmmc:
 - AC.L2-3.1.13
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml
index 69d82dff..89b6c7a0 100644
--- a/rules/os/os_sshd_login_grace_time_configure.yaml
+++ b/rules/os/os_sshd_login_grace_time_configure.yaml
@@ -47,7 +47,7 @@ references:
 cmmc:
 - SC.L2-3.13.9
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Number of seconds."
 recommended: 30
diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml
index e4c5e125..7f46bf59 100644
--- a/rules/os/os_sshd_permit_root_login_configure.yaml
+++ b/rules/os/os_sshd_permit_root_login_configure.yaml
@@ -45,7 +45,7 @@ references:
 disa_stig:
 - APPL-13-001100
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_high
 - 800-53r4_high
diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml
index 68965f56..7f03a165 100644
--- a/rules/os/os_store_encrypted_passwords.yaml
+++ b/rules/os/os_store_encrypted_passwords.yaml
@@ -40,7 +40,7 @@ references:
 - IA.L2-3.5.8
 - IA.L2-3.5.9
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
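Review bot: The os_sshd_permit_root_login_configure hunk bumps `macOS:` to `"14.0"` but leaves `disa_stig: - APPL-13-001100` in place, so the rule now advertises Sonoma support while mapping to a Ventura STIG vulnerability ID; any STIG baseline or checklist generated from these rules for macOS 14 would cite the wrong finding. Presumably the macOS 14 STIG was not yet published when this was written, in which case the honest interim value is `- N/A` with a `# TODO: map to macOS 14 STIG ID once DISA publishes it` comment, to be replaced when the Sonoma identifier exists. The same APPL-13 prefix survives under a 14.0 version tag elsewhere in this patch (for example pwpolicy_temporary_or_emergency_accounts_disable), so a grep for `APPL-13-` before tagging the baseline would catch the rest.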
diff --git a/rules/os/os_sudo_timeout_configure.yaml b/rules/os/os_sudo_timeout_configure.yaml
index 58657ed1..b3bda815 100644
--- a/rules/os/os_sudo_timeout_configure.yaml
+++ b/rules/os/os_sudo_timeout_configure.yaml
@@ -31,7 +31,7 @@ references:
 controls v8:
 - 4.3
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Number of minutes."
 recommended: 0
diff --git a/rules/os/os_sudoers_timestamp_type_configure.yaml b/rules/os/os_sudoers_timestamp_type_configure.yaml
index 7d35309d..39ce8f81 100644
--- a/rules/os/os_sudoers_timestamp_type_configure.yaml
+++ b/rules/os/os_sudoers_timestamp_type_configure.yaml
@@ -33,7 +33,7 @@ references:
 controls v8:
 - 4.3
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml
index 9886d234..7eaf9775 100644
--- a/rules/os/os_system_read_only.yaml
+++ b/rules/os/os_system_read_only.yaml
@@ -27,7 +27,7 @@ references:
 disa_stig:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/os/os_system_wide_applications_configure.yaml b/rules/os/os_system_wide_applications_configure.yaml
index 865a6da5..ffc3f6b5 100644
--- a/rules/os/os_system_wide_applications_configure.yaml
+++ b/rules/os/os_system_wide_applications_configure.yaml
@@ -35,7 +35,7 @@ references:
 controls v8:
 - 3.3
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl1
 - cis_lvl2
diff --git a/rules/os/os_terminal_secure_keyboard_enable.yaml b/rules/os/os_terminal_secure_keyboard_enable.yaml
index 952110f3..924ee182 100644
--- a/rules/os/os_terminal_secure_keyboard_enable.yaml
+++ b/rules/os/os_terminal_secure_keyboard_enable.yaml
@@ -32,7 +32,7 @@ references:
 controls v8:
 - 4.8
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl1
 - cis_lvl2
diff --git a/rules/os/os_terminate_session.yaml b/rules/os/os_terminate_session.yaml
index 45dc2994..250b40f4 100644
--- a/rules/os/os_terminate_session.yaml
+++ b/rules/os/os_terminate_session.yaml
@@ -20,7 +20,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 mobileconfig: false
diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml
index 5d93b7aa..74568564 100644
--- a/rules/os/os_tftpd_disable.yaml
+++ b/rules/os/os_tftpd_disable.yaml
@@ -48,7 +48,7 @@ references:
 - IA.L2-3.5.8
 - IA.L2-3.5.9
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_time_offset_limit_configure.yaml b/rules/os/os_time_offset_limit_configure.yaml
index 9279d760..721e51c2 100644
--- a/rules/os/os_time_offset_limit_configure.yaml
+++ b/rules/os/os_time_offset_limit_configure.yaml
@@ -32,7 +32,7 @@ references:
 controls v8:
 - 8.4
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl1
 - cis_lvl2
diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml
index 1cda91c9..921caf85 100644
--- a/rules/os/os_time_server_enabled.yaml
+++ b/rules/os/os_time_server_enabled.yaml
@@ -39,7 +39,7 @@ references:
 cmmc:
 - AU.L2-3.3.7
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-171
 - 800-53r5_low
diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml
index 4b288f8a..00c71af3 100644
--- a/rules/os/os_touchid_prompt_disable.yaml
+++ b/rules/os/os_touchid_prompt_disable.yaml
@@ -37,7 +37,7 @@ references:
 cmmc:
 - CM.L2-3.4.2
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_unique_identification.yaml b/rules/os/os_unique_identification.yaml
index de06a3c1..fdacb282 100644
--- a/rules/os/os_unique_identification.yaml
+++ b/rules/os/os_unique_identification.yaml
@@ -28,7 +28,7 @@ references:
 cmmc:
 - IA.L2-3.5.5
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml
index 053d02b9..b681f860 100644
--- a/rules/os/os_unlock_active_user_session_disable.yaml
+++ b/rules/os/os_unlock_active_user_session_disable.yaml
@@ -40,7 +40,7 @@ references:
 - IA.L1-3.5.1
 - IA.L1-3.5.2
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml
index 4abd1cd3..e7109fa3 100644
--- a/rules/os/os_user_app_installation_prohibit.yaml
+++ b/rules/os/os_user_app_installation_prohibit.yaml
@@ -39,7 +39,7 @@ references:
 cmmc:
 - CM.L2-3.4.9
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml
index b135d65b..6d681836 100644
--- a/rules/os/os_uucp_disable.yaml
+++ b/rules/os/os_uucp_disable.yaml
@@ -43,7 +43,7 @@ references:
 cmmc:
 - AC.L1-3.1.1
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
diff --git a/rules/os/os_verify_remote_disconnection.yaml b/rules/os/os_verify_remote_disconnection.yaml
index 1834869f..e5c7a81f 100644
--- a/rules/os/os_verify_remote_disconnection.yaml
+++ b/rules/os/os_verify_remote_disconnection.yaml
@@ -20,7 +20,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - inherent
 - cnssi-1253_moderate
diff --git a/rules/os/os_world_writable_library_folder_configure.yaml b/rules/os/os_world_writable_library_folder_configure.yaml
index 0a84c0c0..59035b68 100644
--- a/rules/os/os_world_writable_library_folder_configure.yaml
+++ b/rules/os/os_world_writable_library_folder_configure.yaml
@@ -37,7 +37,7 @@ references:
 controls v8:
 - 3.3
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl2
 - cisv8
diff --git a/rules/os/os_world_writable_system_folder_configure.yaml b/rules/os/os_world_writable_system_folder_configure.yaml
index 6dfe4d4a..c8d0de60 100644
--- a/rules/os/os_world_writable_system_folder_configure.yaml
+++ b/rules/os/os_world_writable_system_folder_configure.yaml
@@ -35,7 +35,7 @@ references:
 controls v8:
 - 3.3
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - cis_lvl1
 - cis_lvl2
diff --git a/rules/pwpolicy/pwpolicy_50_percent.yaml b/rules/pwpolicy/pwpolicy_50_percent.yaml
index 4e5954e7..06dc4c08 100644
--- a/rules/pwpolicy/pwpolicy_50_percent.yaml
+++ b/rules/pwpolicy/pwpolicy_50_percent.yaml
@@ -33,7 +33,7 @@ references:
 - 3.5.9
 - 3.5.10
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-171
 - 800-53r4_low
diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
index a14ded87..8ef7fccf 100644
--- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
@@ -58,7 +58,7 @@ references:
 cmmc:
 - IA.L2-3.5.6
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Number of days."
 recommended: 35
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
index cbe1032e..98427943 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
@@ -33,7 +33,7 @@ references:
 cmmc:
 - AC.L2-3.1.8
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Number of failed attempts."
 recommended: 3
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
index 331815a6..f0851ecf 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
@@ -33,7 +33,7 @@ references:
 cmmc:
 - AC.L2-3.1.8
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Number of minutes."
 recommended: 15
diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
index 07c15682..6d436120 100644
--- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
@@ -44,7 +44,7 @@ references:
 - IA.L2-3.5.8
 - IA.L2-3.5.9
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-171
 - 800-53r4_low
diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
index 53ef1d2b..120674c1 100644
--- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
@@ -28,7 +28,7 @@ references:
 disa_stig:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml
index a3bc9672..b8bfe70e 100644
--- a/rules/pwpolicy/pwpolicy_force_password_change.yaml
+++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml
@@ -46,7 +46,7 @@ references:
 - IA.L2-3.5.8
 - IA.L2-3.5.9
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-171
 - 800-53r4_low
diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml
index 65c88dd2..4b5d60c2 100644
--- a/rules/pwpolicy/pwpolicy_history_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml
@@ -42,7 +42,7 @@ references:
 - IA.L2-3.5.8
 - IA.L2-3.5.9
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Number of previous passwords."
 recommended: 5
diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
index 44cbd51f..18f3bab7 100644
--- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
@@ -67,7 +67,7 @@ references:
 - IA.L2-3.5.8
 - IA.L2-3.5.9
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Number of lowercase characters."
 recommended: 1
diff --git a/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
index 94abb915..f5f91882 100644
--- a/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
@@ -42,7 +42,7 @@ references:
 - IA.L2-3.5.8
 - IA.L2-3.5.9
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Number of days."
 recommended: 60
diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
index e3b1b0fd..dfc3ec6c 100644
--- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
@@ -43,7 +43,7 @@ references:
 - IA.L2-3.5.8
 - IA.L2-3.5.9
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Minimum password length."
 recommended: 15
diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
index b40ba467..79130273 100644
--- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
@@ -63,7 +63,7 @@ references:
 - IA.L2-3.5.8
 - IA.L2-3.5.9
 macOS:
- - "13.0"
+ - "14.0"
 odv:
 hint: "Number of hours."
 recommended: 24
diff --git a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
index 64934275..09b57279 100644
--- a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
+++ b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
@@ -24,7 +24,7 @@ references:
 srg:
 - N/A
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - permanent
 mobileconfig: false
diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
index 71d03351..ad8c0043 100644
--- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
@@ -43,7 +43,7 @@ references:
 - IA.L2-3.5.8
 - IA.L2-3.5.9
 macOS:
- - "13.0"
+ - "14.0"
 tags:
 - 800-171
 - 800-53r4_low
diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
index 4b68717e..892b6b98 100644
--- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
@@ -45,7 +45,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" odv: hint: "Number of special characters." recommended: 1 diff --git a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml index 7aa43c9c..ecfda453 100644 --- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml @@ -26,7 +26,7 @@ references: disa_stig: - N/A macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml index 8fdc5eeb..fd101354 100644 --- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml @@ -70,7 +70,7 @@ references: disa_stig: - APPL-13-000012 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index d156efff..269f9170 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml @@ -67,7 +67,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "13.0" + - "14.0" odv: hint: "Number of special characters." recommended: 1 diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index 52ffd548..9cd3d897 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml @@ -70,7 +70,7 @@ references: disa_stig: - N/A macOS: - - "13.0" + - "14.0" tags: - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_controls.yaml b/rules/supplemental/supplemental_controls.yaml index 6fc2bbff..31c2854c 100644 
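Review bot: Bumping `macOS` to `"14.0"` in `pwpolicy_temporary_or_emergency_accounts_disable.yaml` leaves `disa_stig: - APPL-13-000012` in place, so the rule now declares Sonoma support while its only STIG reference is a macOS 13 (Ventura) identifier; `supplemental_stig.yaml` in this same change sets `disa_stig: - N/A`, so the two files disagree on how Ventura STIG IDs are treated for 14.0. If no macOS 14 STIG exists yet, either set `disa_stig: - N/A` here as well or add a comment such as `# APPL-13 ID carried forward pending a macOS 14 STIG` so consumers of the generated baselines do not read this as a validated Sonoma mapping. The rule's check and fix sections are outside the hunk and were not reviewed.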
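Review bot: The `odv.hint` in the `pwpolicy_upper_case_character_enforce.yaml` hunk reads `"Number of special characters."`, which appears to be a copy-paste from `pwpolicy_special_character_enforce.yaml` (same hint, earlier in this diff) rather than a description of this rule's value; the sibling `pwpolicy_lower_case_character_enforce.yaml` hunk uses `"Number of lowercase characters."`. Since the hint is what an operator sees when choosing the organization-defined value, change it to `hint: "Number of uppercase characters."`. The version bump itself is fine; this is an adjacent context line the commit leaves untouched.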
--- a/rules/supplemental/supplemental_controls.yaml +++ b/rules/supplemental/supplemental_controls.yaml @@ -192,7 +192,7 @@ references: cmmc: - N/A macOS: - - "13.0" + - "14.0" tags: - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml index 7ed5b438..ba6c40fd 100644 --- a/rules/supplemental/supplemental_filevault.yaml +++ b/rules/supplemental/supplemental_filevault.yaml @@ -68,7 +68,7 @@ references: cmmc: - N/A macOS: - - "13.0" + - "14.0" tags: - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_firewall_pf.yaml b/rules/supplemental/supplemental_firewall_pf.yaml index 0374f340..8a84ecc6 100644 --- a/rules/supplemental/supplemental_firewall_pf.yaml +++ b/rules/supplemental/supplemental_firewall_pf.yaml @@ -117,7 +117,7 @@ references: cmmc: - N/A macOS: - - "13.0" + - "14.0" tags: - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_password_policy.yaml b/rules/supplemental/supplemental_password_policy.yaml index ab9a7f52..d0d30e6a 100644 --- a/rules/supplemental/supplemental_password_policy.yaml +++ b/rules/supplemental/supplemental_password_policy.yaml @@ -49,7 +49,7 @@ references: cmmc: - N/A macOS: - - "13.0" + - "14.0" tags: - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_smartcard.yaml b/rules/supplemental/supplemental_smartcard.yaml index 709d33d2..c70a1950 100644 --- a/rules/supplemental/supplemental_smartcard.yaml +++ b/rules/supplemental/supplemental_smartcard.yaml @@ -302,7 +302,7 @@ references: cmmc: - N/A macOS: - - "13.0" + - "14.0" tags: - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_stig.yaml b/rules/supplemental/supplemental_stig.yaml index 273b729b..12d4459f 100644 --- a/rules/supplemental/supplemental_stig.yaml +++ b/rules/supplemental/supplemental_stig.yaml 
@@ -45,7 +45,7 @@ discussion: | APPL-13-002053 APPL-13-002062| DISA STIG requires `com.apple.preferences.AppleIDPrefPane`, `com.apple.preferences.internetaccounts`, `com.apple.preference.speech`,`com.apple.preferences.Bluetooth`, `com.apple.preferences.password`, `com.apple.preferences.wallet` to be set within the key `DisabledPreferencePanes`. - Apple has deprecated the `com.apple.systempreferences` preference domain, however in macOS Ventura it is recommended to use the key `DisabledSystemSettings` with the values `com.apple.systempreferences.AppleIDSettings`, `com.apple.Internet-Accounts-Settings.extension`, `com.apple.Siri-Settings.extension`, `com.apple.BluetoothSettings`, `com.apple.Touch-ID-Settings.extension`, `com.apple.WalletSettingsExtension`. + + Apple has deprecated the `com.apple.systempreferences` preference domain, however in macOS Sonoma it is recommended to use the key `DisabledSystemSettings` with the values `com.apple.systempreferences.AppleIDSettings`, `com.apple.Internet-Accounts-Settings.extension`, `com.apple.Siri-Settings.extension`, `com.apple.BluetoothSettings`, `com.apple.Touch-ID-Settings.extension`, `com.apple.WalletSettingsExtension`. + |APPL-13-000004| DISA STIG requires the screen saver after 15 minutes of inactivity. The keys required are `loginWindowIdleTime` and `IdleTime` in the `com.apple.screensaver` prefernece domain. + @@ -54,7 +54,7 @@ discussion: | The key `Assistant Allowed` does not exist in the preference domain `com.apple.ironwood.support`. + |APPL-13-002052| DISA STIG requires hiding the Wallet and Apple Pay System Setting Pane. - In macOS Ventura, hiding preference panes is not possible. + + In macOS Sonoma, hiding preference panes is not possible. + |=== check: | fix: | @@ -70,7 +70,7 @@ references: disa_stig: - N/A macOS: - - "13.0" + - "14.0" tags: - stig - supplemental 
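Review bot: Swapping "Ventura" for "Sonoma" in the discussion table turns observations made against macOS 13 into unverified statements about macOS 14 — `In macOS Sonoma, hiding preference panes is not possible.` and the `DisabledSystemSettings` value list are now asserted for Sonoma while every row is still keyed by `APPL-13-*` (Ventura STIG) identifiers and the references hunk below sets `disa_stig: - N/A`. Unless these were re-tested on a Sonoma build, phrase them as carried over, e.g. `In macOS Ventura, hiding preference panes was not possible; this has not been re-verified on macOS Sonoma.`, so readers of the generated guidance do not treat them as confirmed. The unchanged APPL-13-000004 row also has a typo, `prefernece` → `preference`. The following patch in this series appears to delete `supplemental_stig.yaml` entirely, in which case this hunk is moot and the verification caveat belongs wherever the STIG mapping ends up.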
diff --git a/rules/system_settings/system_settings_airplay_receiver_disable.yaml b/rules/system_settings/system_settings_airplay_receiver_disable.yaml index 75f328f7..8a1a2e63 100644 --- a/rules/system_settings/system_settings_airplay_receiver_disable.yaml +++ b/rules/system_settings/system_settings_airplay_receiver_disable.yaml @@ -41,7 +41,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml index 45431c7c..173887bc 100644 --- a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml +++ b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml @@ -31,7 +31,7 @@ references: cmmc: - AC.L2-3.1.10 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/system_settings/system_settings_assistant_disable.yaml b/rules/system_settings/system_settings_assistant_disable.yaml index 06c204c0..9d559412 100644 --- a/rules/system_settings/system_settings_assistant_disable.yaml +++ b/rules/system_settings/system_settings_assistant_disable.yaml @@ -38,7 +38,7 @@ references: controls v8: - N/A macOS: - - "13.0" + - "14.0" tags: - stig severity: "medium" diff --git a/rules/system_settings/system_settings_automatic_login_disable.yaml b/rules/system_settings/system_settings_automatic_login_disable.yaml index bfe23adf..36db9fb0 100644 --- a/rules/system_settings/system_settings_automatic_login_disable.yaml +++ b/rules/system_settings/system_settings_automatic_login_disable.yaml @@ -40,7 +40,7 @@ references: - IA.L1-3.5.1 - IA.L1-3.5.2 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_automatic_logout_enforce.yaml b/rules/system_settings/system_settings_automatic_logout_enforce.yaml index b794bb42..946711bc 100644 
--- a/rules/system_settings/system_settings_automatic_logout_enforce.yaml +++ b/rules/system_settings/system_settings_automatic_logout_enforce.yaml @@ -38,7 +38,7 @@ references: - AC.L2-3.1.10 - AC.L2-3.1.11 macOS: - - "13.0" + - "14.0" odv: hint: "Number of seconds" recommended: 86400 diff --git a/rules/system_settings/system_settings_bluetooth_disable.yaml b/rules/system_settings/system_settings_bluetooth_disable.yaml index 52e3afd4..4804af54 100644 --- a/rules/system_settings/system_settings_bluetooth_disable.yaml +++ b/rules/system_settings/system_settings_bluetooth_disable.yaml @@ -46,7 +46,7 @@ references: cmmc: - AC.L2-3.1.16 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r4_moderate diff --git a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml index fcd3120a..6f659d43 100644 --- a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml +++ b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml @@ -33,7 +33,7 @@ references: - 4.8 - 13.9 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml index 703d353f..2309bbd0 100644 --- a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml +++ b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml @@ -57,7 +57,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml b/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml index 1224db4c..28005757 100644 --- a/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml +++ b/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml 
@@ -38,7 +38,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_content_caching_disable.yaml b/rules/system_settings/system_settings_content_caching_disable.yaml index 85ae4f91..10efb422 100644 --- a/rules/system_settings/system_settings_content_caching_disable.yaml +++ b/rules/system_settings/system_settings_content_caching_disable.yaml @@ -39,7 +39,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_critical_update_install_enforce.yaml b/rules/system_settings/system_settings_critical_update_install_enforce.yaml index fef8649d..2dde8a6a 100644 --- a/rules/system_settings/system_settings_critical_update_install_enforce.yaml +++ b/rules/system_settings/system_settings_critical_update_install_enforce.yaml @@ -37,7 +37,7 @@ references: - SI.L1-3.14.1 - SI.L1-3.14.4 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml index ee2da1be..958b3ac0 100644 --- a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml +++ b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml @@ -49,7 +49,7 @@ references: cmmc: - AC.L1-3.1.20 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r4_low diff --git a/rules/system_settings/system_settings_filevault_enforce.yaml b/rules/system_settings/system_settings_filevault_enforce.yaml index df1c8ad4..d5fe04c5 100644 --- a/rules/system_settings/system_settings_filevault_enforce.yaml +++ b/rules/system_settings/system_settings_filevault_enforce.yaml @@ -50,7 +50,7 @@ references: cmmc: - SC.L2-3.13.16 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high 
diff --git a/rules/system_settings/system_settings_find_my_disable.yaml b/rules/system_settings/system_settings_find_my_disable.yaml index f6cf8cee..5c8c4a02 100644 --- a/rules/system_settings/system_settings_find_my_disable.yaml +++ b/rules/system_settings/system_settings_find_my_disable.yaml @@ -58,7 +58,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_firewall_enable.yaml b/rules/system_settings/system_settings_firewall_enable.yaml index 506cf4ea..4369d360 100644 --- a/rules/system_settings/system_settings_firewall_enable.yaml +++ b/rules/system_settings/system_settings_firewall_enable.yaml @@ -69,7 +69,7 @@ references: - CM.L2-3.4.7 - SC.L1-3.13.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r4_low diff --git a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml index a0800a09..033fb7eb 100644 --- a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml +++ b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml @@ -66,7 +66,7 @@ references: - CM.L2-3.4.7 - SC.L1-3.13.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml index c21ca710..d68cb993 100644 --- a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml +++ b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml @@ -36,7 +36,7 @@ references: cmmc: - CM.L2-3.4.5 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate 
diff --git a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml index 09b3b989..d280950e 100644 --- a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml +++ b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml @@ -33,7 +33,7 @@ references: cmmc: - CM.L2-3.4.5 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_guest_access_smb_disable.yaml b/rules/system_settings/system_settings_guest_access_smb_disable.yaml index dc64e32f..3cc8e2eb 100644 --- a/rules/system_settings/system_settings_guest_access_smb_disable.yaml +++ b/rules/system_settings/system_settings_guest_access_smb_disable.yaml @@ -39,7 +39,7 @@ references: cmmc: - AC.L1-3.1.2 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_guest_account_disable.yaml b/rules/system_settings/system_settings_guest_account_disable.yaml index ba90f50f..097beac6 100644 --- a/rules/system_settings/system_settings_guest_account_disable.yaml +++ b/rules/system_settings/system_settings_guest_account_disable.yaml @@ -50,7 +50,7 @@ references: cmmc: - AC.L1-3.1.2 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_hot_corners_disable.yaml b/rules/system_settings/system_settings_hot_corners_disable.yaml index f7a648f9..6b16e7a4 100644 --- a/rules/system_settings/system_settings_hot_corners_disable.yaml +++ b/rules/system_settings/system_settings_hot_corners_disable.yaml @@ -26,7 +26,7 @@ references: 800-171r2: - 3.1.10 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/system_settings/system_settings_hot_corners_secure.yaml b/rules/system_settings/system_settings_hot_corners_secure.yaml index 60499bd8..c396e5eb 100644 
--- a/rules/system_settings/system_settings_hot_corners_secure.yaml +++ b/rules/system_settings/system_settings_hot_corners_secure.yaml @@ -44,7 +44,7 @@ references: controls v8: - 4.3 macOS: - - "13.0" + - "14.0" tags: - cis_lvl2 - cisv8 diff --git a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml index 791f2746..151480c5 100644 --- a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml +++ b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml @@ -46,7 +46,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_install_macos_updates_enforce.yaml b/rules/system_settings/system_settings_install_macos_updates_enforce.yaml index dbf2eeeb..10f1c279 100644 --- a/rules/system_settings/system_settings_install_macos_updates_enforce.yaml +++ b/rules/system_settings/system_settings_install_macos_updates_enforce.yaml @@ -33,7 +33,7 @@ references: - 7.3 - 7.4 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_internet_accounts_disable.yaml b/rules/system_settings/system_settings_internet_accounts_disable.yaml index de6fd3e2..0536af09 100644 --- a/rules/system_settings/system_settings_internet_accounts_disable.yaml +++ b/rules/system_settings/system_settings_internet_accounts_disable.yaml @@ -40,7 +40,7 @@ references: - AC.L1-3.1.20 - CM.L2-3.4.8 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r4_low diff --git a/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml b/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml index 98c7fdec..5510e189 100644 --- a/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml 
+++ b/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml @@ -38,7 +38,7 @@ references: controls v8: - N/A macOS: - - "13.0" + - "14.0" tags: - stig severity: "medium" diff --git a/rules/system_settings/system_settings_internet_sharing_disable.yaml b/rules/system_settings/system_settings_internet_sharing_disable.yaml index 9d159a82..21183699 100644 --- a/rules/system_settings/system_settings_internet_sharing_disable.yaml +++ b/rules/system_settings/system_settings_internet_sharing_disable.yaml @@ -41,7 +41,7 @@ references: - AC.L1-3.1.20 - AC.L2-3.1.3 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r4_low diff --git a/rules/system_settings/system_settings_location_services_disable.yaml b/rules/system_settings/system_settings_location_services_disable.yaml index c195dcba..50fa062d 100644 --- a/rules/system_settings/system_settings_location_services_disable.yaml +++ b/rules/system_settings/system_settings_location_services_disable.yaml @@ -38,7 +38,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_location_services_enable.yaml b/rules/system_settings/system_settings_location_services_enable.yaml index b034c28b..6db8ca5a 100644 --- a/rules/system_settings/system_settings_location_services_enable.yaml +++ b/rules/system_settings/system_settings_location_services_enable.yaml @@ -36,7 +36,7 @@ references: - 4.1 - 4.8 macOS: - - "13.0" + - "14.0" tags: - cis_lvl2 - cisv8 diff --git a/rules/system_settings/system_settings_location_services_menu_enforce.yaml b/rules/system_settings/system_settings_location_services_menu_enforce.yaml index 6f65c927..35fbc0e5 100644 --- a/rules/system_settings/system_settings_location_services_menu_enforce.yaml +++ b/rules/system_settings/system_settings_location_services_menu_enforce.yaml 
@@ -33,7 +33,7 @@ references: - 4.1 - 4.8 macOS: - - "13.0" + - "14.0" tags: - cis_lvl2 mobileconfig: true diff --git a/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml b/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml index 7f5aa665..d72ccaf9 100644 --- a/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml +++ b/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml @@ -32,7 +32,7 @@ references: controls v8: - 4.1 macOS: - - "13.0" + - "14.0" odv: hint: "Organization's approved message." recommended: Center for Internet Security Test Message diff --git a/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml b/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml index e249f1aa..9750f2ca 100644 --- a/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml +++ b/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml @@ -38,7 +38,7 @@ references: - IA.L1-3.5.1 - IA.L1-3.5.2 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_media_sharing_disabled.yaml b/rules/system_settings/system_settings_media_sharing_disabled.yaml index 6ce78559..72eded3c 100644 --- a/rules/system_settings/system_settings_media_sharing_disabled.yaml +++ b/rules/system_settings/system_settings_media_sharing_disabled.yaml @@ -54,7 +54,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_password_hints_disable.yaml b/rules/system_settings/system_settings_password_hints_disable.yaml index df00047f..c97d71e5 100644 --- a/rules/system_settings/system_settings_password_hints_disable.yaml +++ b/rules/system_settings/system_settings_password_hints_disable.yaml 
@@ -36,7 +36,7 @@ references: cmmc: - IA.L2-3.5.11 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_personalized_advertising_disable.yaml b/rules/system_settings/system_settings_personalized_advertising_disable.yaml index 85dcd16b..ff9302b7 100644 --- a/rules/system_settings/system_settings_personalized_advertising_disable.yaml +++ b/rules/system_settings/system_settings_personalized_advertising_disable.yaml @@ -44,7 +44,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_printer_sharing_disable.yaml b/rules/system_settings/system_settings_printer_sharing_disable.yaml index 42104bf0..78fc4d48 100644 --- a/rules/system_settings/system_settings_printer_sharing_disable.yaml +++ b/rules/system_settings/system_settings_printer_sharing_disable.yaml @@ -39,7 +39,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_rae_disable.yaml b/rules/system_settings/system_settings_rae_disable.yaml index f033a159..cd8c2326 100644 --- a/rules/system_settings/system_settings_rae_disable.yaml +++ b/rules/system_settings/system_settings_rae_disable.yaml @@ -41,7 +41,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_remote_management_disable.yaml b/rules/system_settings/system_settings_remote_management_disable.yaml index 59fcdf61..422069c3 100644 --- a/rules/system_settings/system_settings_remote_management_disable.yaml +++ b/rules/system_settings/system_settings_remote_management_disable.yaml @@ -39,7 +39,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate 
diff --git a/rules/system_settings/system_settings_screen_sharing_disable.yaml b/rules/system_settings/system_settings_screen_sharing_disable.yaml index ced2f122..5d05e3a8 100644 --- a/rules/system_settings/system_settings_screen_sharing_disable.yaml +++ b/rules/system_settings/system_settings_screen_sharing_disable.yaml @@ -41,7 +41,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml b/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml index 8e1e61be..de29c353 100644 --- a/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml +++ b/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml @@ -43,7 +43,7 @@ references: cmmc: - AC.L2-3.1.10 macOS: - - "13.0" + - "14.0" odv: hint: "Number of seconds." recommended: 5 diff --git a/rules/system_settings/system_settings_screensaver_password_enforce.yaml b/rules/system_settings/system_settings_screensaver_password_enforce.yaml index 9e87054e..083a18ec 100644 --- a/rules/system_settings/system_settings_screensaver_password_enforce.yaml +++ b/rules/system_settings/system_settings_screensaver_password_enforce.yaml @@ -31,7 +31,7 @@ references: cmmc: - AC.L2-3.1.10 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml b/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml index 86e0f291..4a661e34 100644 --- a/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml +++ b/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml @@ -44,7 +44,7 @@ references: cmmc: - AC.L2-3.1.10 macOS: - - "13.0" + - "14.0" odv: hint: "Number of seconds." recommended: 1200 
diff --git a/rules/system_settings/system_settings_siri_disable.yaml b/rules/system_settings/system_settings_siri_disable.yaml index f5f9b8a7..552ac468 100644 --- a/rules/system_settings/system_settings_siri_disable.yaml +++ b/rules/system_settings/system_settings_siri_disable.yaml @@ -47,7 +47,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_siri_prefpane_disable.yaml b/rules/system_settings/system_settings_siri_prefpane_disable.yaml index 499e4e95..5936238b 100644 --- a/rules/system_settings/system_settings_siri_prefpane_disable.yaml +++ b/rules/system_settings/system_settings_siri_prefpane_disable.yaml @@ -35,7 +35,7 @@ references: controls v8: - N/A macOS: - - "13.0" + - "14.0" tags: - stig severity: "medium" diff --git a/rules/system_settings/system_settings_smbd_disable.yaml b/rules/system_settings/system_settings_smbd_disable.yaml index 89336647..162bcdcb 100644 --- a/rules/system_settings/system_settings_smbd_disable.yaml +++ b/rules/system_settings/system_settings_smbd_disable.yaml @@ -41,7 +41,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_software_update_app_update_enforce.yaml b/rules/system_settings/system_settings_software_update_app_update_enforce.yaml index af749603..5bbd2d95 100644 --- a/rules/system_settings/system_settings_software_update_app_update_enforce.yaml +++ b/rules/system_settings/system_settings_software_update_app_update_enforce.yaml @@ -33,7 +33,7 @@ references: - 7.3 - 7.4 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_software_update_download_enforce.yaml b/rules/system_settings/system_settings_software_update_download_enforce.yaml index d8fc89e0..2bd75d85 100644 --- a/rules/system_settings/system_settings_software_update_download_enforce.yaml 
+++ b/rules/system_settings/system_settings_software_update_download_enforce.yaml @@ -33,7 +33,7 @@ references: - 7.3 - 7.4 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_software_update_enforce.yaml b/rules/system_settings/system_settings_software_update_enforce.yaml index ac7e7248..70cb1189 100644 --- a/rules/system_settings/system_settings_software_update_enforce.yaml +++ b/rules/system_settings/system_settings_software_update_enforce.yaml @@ -35,7 +35,7 @@ references: - 7.3 - 7.4 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_softwareupdate_current.yaml b/rules/system_settings/system_settings_softwareupdate_current.yaml index 98f467fe..f6ff94cc 100644 --- a/rules/system_settings/system_settings_softwareupdate_current.yaml +++ b/rules/system_settings/system_settings_softwareupdate_current.yaml @@ -42,7 +42,7 @@ references: - 7.3 - 7.4 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_ssh_disable.yaml b/rules/system_settings/system_settings_ssh_disable.yaml index 41e1d3c6..aadb619d 100644 --- a/rules/system_settings/system_settings_ssh_disable.yaml +++ b/rules/system_settings/system_settings_ssh_disable.yaml @@ -65,7 +65,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_ssh_enable.yaml b/rules/system_settings/system_settings_ssh_enable.yaml index 33a34b9e..928d9bfd 100644 --- a/rules/system_settings/system_settings_ssh_enable.yaml +++ b/rules/system_settings/system_settings_ssh_enable.yaml @@ -43,7 +43,7 @@ references: - CM.L2-3.4.7 - IA.L2-3.5.4 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate 
diff --git a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml index f5f3b218..ae2b9701 100644 --- a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml +++ b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml @@ -61,7 +61,7 @@ references: - AC.L2-3.1.5 - AC.L2-3.1.6 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml b/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml index 71a41595..42df7fcc 100644 --- a/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml +++ b/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml @@ -32,7 +32,7 @@ references: controls v8: - 11.2 macOS: - - "13.0" + - "14.0" tags: - cis_lvl2 - cisv8 diff --git a/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml b/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml index 3e97ac88..1968feb5 100644 --- a/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml +++ b/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml @@ -43,7 +43,7 @@ references: - 3.11 - 11.3 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_time_server_configure.yaml b/rules/system_settings/system_settings_time_server_configure.yaml index 3b04d915..aa07e38d 100644 --- a/rules/system_settings/system_settings_time_server_configure.yaml +++ b/rules/system_settings/system_settings_time_server_configure.yaml @@ -39,7 +39,7 @@ references: cmmc: - AU.L2-3.3.7 macOS: - - "13.0" + - "14.0" odv: hint: "Name of timeserver(s) separated by commas." recommended: "time-a.nist.gov,time-b.nist.gov" 
diff --git a/rules/system_settings/system_settings_time_server_enforce.yaml b/rules/system_settings/system_settings_time_server_enforce.yaml index 63c184d3..27141c44 100644 --- a/rules/system_settings/system_settings_time_server_enforce.yaml +++ b/rules/system_settings/system_settings_time_server_enforce.yaml @@ -39,7 +39,7 @@ references: cmmc: - AU.L2-3.3.7 macOS: - - "13.0" + - "14.0" tags: - 800-171 - 800-53r5_low diff --git a/rules/system_settings/system_settings_token_removal_enforce.yaml b/rules/system_settings/system_settings_token_removal_enforce.yaml index 6ae1b34a..966dd5ec 100644 --- a/rules/system_settings/system_settings_token_removal_enforce.yaml +++ b/rules/system_settings/system_settings_token_removal_enforce.yaml @@ -36,7 +36,7 @@ references: cmmc: - AC.L2-3.1.10 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/system_settings/system_settings_touch_id_pane_disable.yaml b/rules/system_settings/system_settings_touch_id_pane_disable.yaml index 3c0b368c..33801300 100644 --- a/rules/system_settings/system_settings_touch_id_pane_disable.yaml +++ b/rules/system_settings/system_settings_touch_id_pane_disable.yaml @@ -35,7 +35,7 @@ references: controls v8: - N/A macOS: - - "13.0" + - "14.0" tags: - stig severity: "medium" diff --git a/rules/system_settings/system_settings_touchid_unlock_disable.yaml b/rules/system_settings/system_settings_touchid_unlock_disable.yaml index 3d05b6b0..871dd063 100644 --- a/rules/system_settings/system_settings_touchid_unlock_disable.yaml +++ b/rules/system_settings/system_settings_touchid_unlock_disable.yaml @@ -33,7 +33,7 @@ references: cmmc: - AC.L2-3.1.10 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/system_settings/system_settings_usb_restricted_mode.yaml b/rules/system_settings/system_settings_usb_restricted_mode.yaml index b5e7a439..8ec4ada0 100644 --- a/rules/system_settings/system_settings_usb_restricted_mode.yaml 
+++ b/rules/system_settings/system_settings_usb_restricted_mode.yaml @@ -42,7 +42,7 @@ references: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_wake_network_access_disable.yaml b/rules/system_settings/system_settings_wake_network_access_disable.yaml index adf73132..822b00ad 100644 --- a/rules/system_settings/system_settings_wake_network_access_disable.yaml +++ b/rules/system_settings/system_settings_wake_network_access_disable.yaml @@ -32,7 +32,7 @@ references: controls v8: - 4.8 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml b/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml index 39567f16..41959a84 100644 --- a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml +++ b/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml @@ -35,7 +35,7 @@ references: controls v8: - N/A macOS: - - "13.0" + - "14.0" tags: - stig severity: "medium" diff --git a/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml b/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml index 7e69776e..11780fc2 100644 --- a/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml +++ b/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml @@ -35,7 +35,7 @@ references: controls v8: - N/A macOS: - - "13.0" + - "14.0" tags: - stig severity: "medium" diff --git a/rules/system_settings/system_settings_wifi_disable.yaml b/rules/system_settings/system_settings_wifi_disable.yaml index c7859f02..1efb6aa4 100644 --- a/rules/system_settings/system_settings_wifi_disable.yaml +++ b/rules/system_settings/system_settings_wifi_disable.yaml @@ -47,7 +47,7 @@ references: - AC.L2-3.1.16 - AC.L2-3.1.17 macOS: - - "13.0" + - "14.0" tags: - manual - 800-53r4_low 
diff --git a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml index b07d6226..9bcd56fb 100644 --- a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml +++ b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml @@ -34,7 +34,7 @@ references: - AC.L2-3.1.3 - AC.L2-3.1.17 macOS: - - "13.0" + - "14.0" tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/system_settings/system_settings_wifi_menu_enable.yaml b/rules/system_settings/system_settings_wifi_menu_enable.yaml index ec47199e..c13fe62d 100644 --- a/rules/system_settings/system_settings_wifi_menu_enable.yaml +++ b/rules/system_settings/system_settings_wifi_menu_enable.yaml @@ -33,7 +33,7 @@ references: - 4.8 - 12.6 macOS: - - "13.0" + - "14.0" tags: - cis_lvl1 - cis_lvl2 From 1e58ca2ebcd20eb1d1dfe5d72e76a750767dc8dd Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 13 Jul 2023 22:27:41 -0400 Subject: [PATCH 02/62] refactor[rule] removed stiff supplemental removed stig supplemental --- rules/supplemental/supplemental_stig.yaml | 78 ----------------------- 1 file changed, 78 deletions(-) delete mode 100644 rules/supplemental/supplemental_stig.yaml diff --git a/rules/supplemental/supplemental_stig.yaml b/rules/supplemental/supplemental_stig.yaml deleted file mode 100644 index 12d4459f..00000000 --- a/rules/supplemental/supplemental_stig.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ - -id: supplemental_stig -title: "DISA STIG Supplemental" -discussion: | - This supplemental contains DISA STIG controls that may not produce intended results when applied. Where discrepancies exist between the DISA STIG and macOS Security Compliance Project guidelines, the appropriate recommendations are outlined below. - - [cols="20%h, 80%a"] - |=== - |STIG ID - |Notes - - |APPL-13-000011| DISA STIG requires SSHD must be disabled due to the implementation of OpenSSH that is included with macOS does not use a FIPS 140-2 validated cryptographic module. - - Apple has provided methods to configure SSHD for FIPS compliance, the man page `apple_ssh_and_fips` and https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web[macOS security certifications] both provide information on configuring SSHD for FIPS compliance. + - |APPL-13-000054| DISA STIG requires the following setting within SSHD for FIPS compliance `ciphers aes256-ctr,aes192-ctr,aes128-ctr`. - - In order to configure SSHD to meet FIPS compliance, the man page from Apple `apple_ssh_and_fips` recommends using the setting `ciphers \aes128-gcm@openssh.com`. + - |APPL-13-000055| DISA STIG requires the following setting within SSHD for FIPS compliance `macs hmac-sha2-512,hmac-sha2-256`. - - In order to configure SSHD to meet FIPS compliance, the man page from Apple `apple_ssh_and_fips` recommends using the setting `macs hmac-sha2-nistp256` + - |APPL-13-000056| DISA STIG requires the following setting within SSHD for FIPS compliance `kexalgorithms diffie-hellman-group-exchange-sha256`. - - In order to configure SSHD to meet FIPS compliance, the man page from Apple `apple_ssh_and_fips` recommends using the setting `kexalgorithms ecdh-sha2-nistp256`. + - |APPL-13-000014| DISA STIG's expected results are `Network Time:On`. - - The output from the command `systemsetup -getusingnetworktime` is `Network Time: On`. 
+ - |APPL-13-002063| DISA STIG recommends setting the configuration profile key DisableGuestAccount to true. - - In order to disable the Guest account, you must set DisableGuestAccount to true and EnableGuestAccount to false, https://github.com/apple/device-management/blob/5a8fb0deb23799aa77ff15f284c9b31208d39ad1/mdm/profiles/com.apple.MCX(Accounts).yaml#L16C1-L32[com.Apple.MCX documentation] + - |APPL-13-002069| DISA STIG states the macOS system must authenticate peripherals before establishing a connection. - - The check and fix for this are not related to peripherals. In order to potentially meet the requirement of the SRG, administrators may want to investigate into usage of USB Restricted mode on macOS. + - |APPL-13-002070| DISA STIG recommends the check `/bin/launchctl list \| /usr/bin/grep -cE "(com.apple.XprotectFramework.PluginService\|com.apple.Xprotect.daemon.scan)"` and `/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist \| /usr/bin/grep "ConfigDataInstall"` - - The regex provided to search for com.apple.XprotectFramework.PluginService and com.apple.Xprotect.daemon.scan is incorrect, the search should be `com.apple.XprotectFramework.PluginService$\|com.apple.XProtect.daemon.scan$`. The result will then be 2. - - The recommended method in the DISA STIG to enforce that the key `ConfigDataInstall` is set properly is to do it with a configuration profile, the DISA provided check will fail. - - These rules are handled within the project `os_anti_virus_installed` and `os_config_data_install_enforce`. + - |APPL-13-000051 - APPL-13-000052| This setting is not intended to manage idle user sessions where there is no input from the client. 
Its purpose is to monitor for interruptions in network connectivity and force the session to terminate after the connection appears to be broken.+ - |APPL-13-002031 - APPL-13-002051 - APPL-13-002032 - APPL-13-002053 - APPL-13-002062| DISA STIG requires `com.apple.preferences.AppleIDPrefPane`, `com.apple.preferences.internetaccounts`, `com.apple.preference.speech`,`com.apple.preferences.Bluetooth`, `com.apple.preferences.password`, `com.apple.preferences.wallet` to be set within the key `DisabledPreferencePanes`. - - Apple has deprecated the `com.apple.systempreferences` preference domain, however in macOS Sonoma it is recommended to use the key `DisabledSystemSettings` with the values `com.apple.systempreferences.AppleIDSettings`, `com.apple.Internet-Accounts-Settings.extension`, `com.apple.Siri-Settings.extension`, `com.apple.BluetoothSettings`, `com.apple.Touch-ID-Settings.extension`, `com.apple.WalletSettingsExtension`. + - |APPL-13-000004| DISA STIG requires the screen saver after 15 minutes of inactivity. - - The keys required are `loginWindowIdleTime` and `IdleTime` in the `com.apple.screensaver` prefernece domain. + - |APPL-13-002020| DISA STIG requires that siri and dictation must be disabled. The DISA STIG requires the keys `Assistant Allowed` and `Ironwood Allowed`. - - The key `Assistant Allowed` does not exist in the preference domain `com.apple.ironwood.support`. + - |APPL-13-002052| DISA STIG requires hiding the Wallet and Apple Pay System Setting Pane. - - In macOS Sonoma, hiding preference panes is not possible. + - |=== -check: | -fix: | -references: - cci: - - N/A - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - N/A - disa_stig: - - N/A -macOS: - - "14.0" -tags: - - stig - - supplemental -mobileconfig: false -mobileconfig_info: \ No newline at end of file From a3ce45a986a84600d5f560d19000cf2a8ca75f27 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Tue, 1 Aug 2023 13:50:01 -0400 Subject: [PATCH 03/62] refactor[rules] removed CCE and disa stig controls --- rules/audit/audit_acls_files_configure.yaml | 4 ++-- rules/audit/audit_acls_folders_configure.yaml | 4 ++-- rules/audit/audit_alert_processing_fail.yaml | 2 +- rules/audit/audit_auditd_enabled.yaml | 4 ++-- rules/audit/audit_configure_capacity_notify.yaml | 4 ++-- rules/audit/audit_control_acls_configure.yaml | 2 +- rules/audit/audit_control_group_configure.yaml | 2 +- rules/audit/audit_control_mode_configure.yaml | 2 +- rules/audit/audit_control_owner_configure.yaml | 2 +- rules/audit/audit_enforce_dual_auth.yaml | 2 +- rules/audit/audit_failure_halt.yaml | 4 ++-- rules/audit/audit_files_group_configure.yaml | 4 ++-- rules/audit/audit_files_mode_configure.yaml | 4 ++-- rules/audit/audit_files_owner_configure.yaml | 4 ++-- rules/audit/audit_flags_aa_configure.yaml | 4 ++-- rules/audit/audit_flags_ad_configure.yaml | 4 ++-- rules/audit/audit_flags_ex_configure.yaml | 2 +- rules/audit/audit_flags_fd_configure.yaml | 4 ++-- rules/audit/audit_flags_fm_configure.yaml | 4 ++-- rules/audit/audit_flags_fm_failed_configure.yaml | 2 +- rules/audit/audit_flags_fr_configure.yaml | 4 ++-- rules/audit/audit_flags_fw_configure.yaml | 4 ++-- rules/audit/audit_flags_lo_configure.yaml | 4 ++-- rules/audit/audit_folder_group_configure.yaml | 4 ++-- rules/audit/audit_folder_owner_configure.yaml | 4 ++-- rules/audit/audit_folders_mode_configure.yaml | 4 ++-- rules/audit/audit_off_load_records.yaml | 2 +- rules/audit/audit_record_reduction_report_generation.yaml | 2 +- rules/audit/audit_records_processing.yaml | 2 +- rules/audit/audit_retention_configure.yaml | 4 ++-- rules/audit/audit_settings_failure_notify.yaml | 4 ++-- rules/auth/auth_pam_login_smartcard_enforce.yaml | 4 ++-- rules/auth/auth_pam_su_smartcard_enforce.yaml | 4 ++-- rules/auth/auth_pam_sudo_smartcard_enforce.yaml | 4 ++-- rules/auth/auth_smartcard_allow.yaml | 4 ++-- 
rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml | 2 +- .../auth_smartcard_certificate_trust_enforce_moderate.yaml | 4 ++-- rules/auth/auth_smartcard_enforce.yaml | 4 ++-- rules/auth/auth_ssh_password_authentication_disable.yaml | 2 +- rules/icloud/icloud_addressbook_disable.yaml | 4 ++-- rules/icloud/icloud_appleid_preference_pane_disable.yaml | 4 ++-- rules/icloud/icloud_appleid_system_settings_disable.yaml | 2 +- rules/icloud/icloud_bookmarks_disable.yaml | 4 ++-- rules/icloud/icloud_calendar_disable.yaml | 4 ++-- rules/icloud/icloud_drive_disable.yaml | 4 ++-- rules/icloud/icloud_game_center_disable.yaml | 2 +- rules/icloud/icloud_keychain_disable.yaml | 4 ++-- rules/icloud/icloud_mail_disable.yaml | 4 ++-- rules/icloud/icloud_notes_disable.yaml | 4 ++-- rules/icloud/icloud_photos_disable.yaml | 4 ++-- rules/icloud/icloud_private_relay_disable.yaml | 2 +- rules/icloud/icloud_reminders_disable.yaml | 4 ++-- rules/icloud/icloud_sync_disable.yaml | 2 +- rules/os/os_access_control_mobile_devices.yaml | 2 +- rules/os/os_airdrop_disable.yaml | 4 ++-- rules/os/os_allow_info_passed.yaml | 2 +- rules/os/os_anti_virus_installed.yaml | 4 ++-- rules/os/os_appleid_prompt_disable.yaml | 4 ++-- rules/os/os_application_sandboxing.yaml | 2 +- rules/os/os_asl_log_files_owner_group_configure.yaml | 4 ++-- rules/os/os_asl_log_files_permissions_configure.yaml | 4 ++-- rules/os/os_auth_peripherals.yaml | 2 +- rules/os/os_authenticated_root_enable.yaml | 2 +- rules/os/os_blank_bluray_disable.yaml | 4 ++-- rules/os/os_blank_cd_disable.yaml | 4 ++-- rules/os/os_blank_dvd_disable.yaml | 4 ++-- rules/os/os_bluray_read_only_enforce.yaml | 4 ++-- rules/os/os_bonjour_disable.yaml | 4 ++-- rules/os/os_burn_support_disable.yaml | 4 ++-- rules/os/os_calendar_app_disable.yaml | 2 +- rules/os/os_camera_disable.yaml | 4 ++-- rules/os/os_cd_read_only_enforce.yaml | 4 ++-- rules/os/os_certificate_authority_trust.yaml | 2 +- rules/os/os_change_security_attributes.yaml | 2 +- 
rules/os/os_config_data_install_enforce.yaml | 4 ++-- rules/os/os_config_profile_ui_install_disable.yaml | 2 +- rules/os/os_continuous_monitoring.yaml | 2 +- rules/os/os_crypto_audit.yaml | 2 +- rules/os/os_directory_services_configured.yaml | 4 ++-- rules/os/os_disk_image_disable.yaml | 4 ++-- rules/os/os_dvdram_disable.yaml | 4 ++-- rules/os/os_efi_integrity_validated.yaml | 2 +- rules/os/os_enforce_access_restrictions.yaml | 2 +- rules/os/os_erase_content_and_settings_disable.yaml | 4 ++-- rules/os/os_error_message.yaml | 2 +- rules/os/os_ess_installed.yaml | 4 ++-- rules/os/os_facetime_app_disable.yaml | 2 +- rules/os/os_fail_secure_state.yaml | 2 +- rules/os/os_filevault_authorized_users.yaml | 4 ++-- rules/os/os_filevault_autologin_disable.yaml | 4 ++-- rules/os/os_firewall_default_deny_require.yaml | 2 +- rules/os/os_firewall_log_enable.yaml | 2 +- rules/os/os_firmware_password_require.yaml | 4 ++-- rules/os/os_gatekeeper_enable.yaml | 4 ++-- rules/os/os_gatekeeper_rearm.yaml | 2 +- rules/os/os_grant_privs.yaml | 2 +- rules/os/os_guest_folder_removed.yaml | 2 +- rules/os/os_handoff_disable.yaml | 4 ++-- rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml | 2 +- rules/os/os_hibernate_mode_enable.yaml | 2 +- rules/os/os_home_folders_default.yaml | 4 ++-- rules/os/os_home_folders_secure.yaml | 2 +- rules/os/os_httpd_disable.yaml | 4 ++-- rules/os/os_icloud_storage_prompt_disable.yaml | 4 ++-- rules/os/os_identify_non-org_users.yaml | 2 +- rules/os/os_implement_cryptography.yaml | 2 +- rules/os/os_implement_memory_protection.yaml | 2 +- rules/os/os_information_validation.yaml | 2 +- rules/os/os_install_log_retention_configure.yaml | 2 +- rules/os/os_ir_support_disable.yaml | 4 ++-- rules/os/os_isolate_security_functions.yaml | 2 +- rules/os/os_library_validation_enabled.yaml | 2 +- rules/os/os_limit_auditable_events.yaml | 2 +- rules/os/os_limit_dos_attacks.yaml | 2 +- rules/os/os_limit_gui_sessions.yaml | 2 +- rules/os/os_logical_access.yaml | 2 +- 
rules/os/os_logoff_capability_and_message.yaml | 2 +- rules/os/os_mail_app_disable.yaml | 2 +- rules/os/os_malicious_code_prevention.yaml | 2 +- rules/os/os_managed_access_control_points.yaml | 2 +- rules/os/os_map_pki_identity.yaml | 2 +- rules/os/os_mdm_require.yaml | 2 +- rules/os/os_messages_app_disable.yaml | 2 +- rules/os/os_mfa_network_access.yaml | 2 +- rules/os/os_mfa_network_non-priv.yaml | 2 +- rules/os/os_mobile_file_integrity_enable.yaml | 2 +- rules/os/os_newsyslog_files_owner_group_configure.yaml | 4 ++-- rules/os/os_newsyslog_files_permissions_configure.yaml | 4 ++-- rules/os/os_nfsd_disable.yaml | 4 ++-- rules/os/os_non_repudiation.yaml | 2 +- rules/os/os_nonlocal_maintenance.yaml | 2 +- rules/os/os_notify_account_created.yaml | 2 +- rules/os/os_notify_account_disabled.yaml | 2 +- rules/os/os_notify_account_enable.yaml | 2 +- rules/os/os_notify_account_modified.yaml | 2 +- rules/os/os_notify_account_removal.yaml | 2 +- rules/os/os_notify_unauthorized_baseline_change.yaml | 2 +- rules/os/os_obscure_password.yaml | 2 +- rules/os/os_parental_controls_enable.yaml | 2 +- rules/os/os_password_autofill_disable.yaml | 2 +- rules/os/os_password_hint_remove.yaml | 2 +- rules/os/os_password_proximity_disable.yaml | 4 ++-- rules/os/os_password_sharing_disable.yaml | 2 +- rules/os/os_peripherals_identify.yaml | 2 +- rules/os/os_pii_deidentification.yaml | 2 +- rules/os/os_pii_quality_control.yaml | 2 +- rules/os/os_policy_banner_loginwindow_enforce.yaml | 4 ++-- rules/os/os_policy_banner_ssh_configure.yaml | 4 ++-- rules/os/os_policy_banner_ssh_enforce.yaml | 4 ++-- rules/os/os_power_nap_disable.yaml | 2 +- rules/os/os_power_nap_enable.yaml | 2 +- rules/os/os_predictable_behavior.yaml | 2 +- rules/os/os_prevent_priv_execution.yaml | 2 +- rules/os/os_prevent_priv_functions.yaml | 2 +- rules/os/os_prevent_unauthorized_disclosure.yaml | 2 +- rules/os/os_privacy_principle_minimization.yaml | 2 +- rules/os/os_privacy_setup_prompt_disable.yaml | 4 ++-- 
rules/os/os_prohibit_remote_activation_collab_devices.yaml | 2 +- rules/os/os_protect_dos_attacks.yaml | 2 +- rules/os/os_provide_automated_account_management.yaml | 2 +- rules/os/os_provide_disconnect_remote_access.yaml | 2 +- rules/os/os_rapid_security_response_allow.yaml | 2 +- rules/os/os_rapid_security_response_removal_disable.yaml | 2 +- rules/os/os_reauth_devices_change_authenticators.yaml | 2 +- rules/os/os_reauth_privilege.yaml | 2 +- rules/os/os_reauth_users_change_authenticators.yaml | 2 +- rules/os/os_recovery_lock_enable.yaml | 2 +- rules/os/os_remote_access_methods.yaml | 2 +- rules/os/os_removable_media_disable.yaml | 4 ++-- rules/os/os_remove_software_components_after_updates.yaml | 2 +- rules/os/os_required_crypto_module.yaml | 2 +- rules/os/os_root_disable.yaml | 2 +- rules/os/os_safari_advertising_privacy_protection_enable.yaml | 2 +- rules/os/os_safari_open_safe_downloads_disable.yaml | 2 +- rules/os/os_safari_prevent_cross-site_tracking_enable.yaml | 2 +- rules/os/os_safari_show_full_website_address_enable.yaml | 2 +- rules/os/os_safari_warn_fraudulent_website_enable.yaml | 2 +- rules/os/os_screensaver_loginwindow_enforce.yaml | 4 ++-- rules/os/os_screensaver_timeout_loginwindow_enforce.yaml | 4 ++-- rules/os/os_secure_boot_verify.yaml | 2 +- rules/os/os_secure_enclave.yaml | 2 +- rules/os/os_secure_name_resolution.yaml | 2 +- rules/os/os_separate_functionality.yaml | 2 +- rules/os/os_show_filename_extensions_enable.yaml | 2 +- rules/os/os_sip_enable.yaml | 4 ++-- rules/os/os_siri_prompt_disable.yaml | 4 ++-- rules/os/os_skip_screen_time_prompt_enable.yaml | 4 ++-- rules/os/os_skip_unlock_with_watch_enable.yaml | 4 ++-- rules/os/os_software_update_deferral.yaml | 2 +- rules/os/os_ssh_fips_compliant.yaml | 2 +- rules/os/os_ssh_server_alive_count_max_configure.yaml | 2 +- rules/os/os_ssh_server_alive_interval_configure.yaml | 2 +- rules/os/os_sshd_client_alive_count_max_configure.yaml | 4 ++-- rules/os/os_sshd_client_alive_interval_configure.yaml 
| 4 ++-- rules/os/os_sshd_fips_140_ciphers.yaml | 4 ++-- rules/os/os_sshd_fips_140_macs.yaml | 4 ++-- rules/os/os_sshd_fips_compliant.yaml | 2 +- rules/os/os_sshd_key_exchange_algorithm_configure.yaml | 4 ++-- rules/os/os_sshd_login_grace_time_configure.yaml | 4 ++-- rules/os/os_sshd_permit_root_login_configure.yaml | 4 ++-- rules/os/os_store_encrypted_passwords.yaml | 2 +- rules/os/os_sudo_timeout_configure.yaml | 4 ++-- rules/os/os_sudoers_timestamp_type_configure.yaml | 2 +- rules/os/os_system_read_only.yaml | 2 +- rules/os/os_system_wide_applications_configure.yaml | 2 +- rules/os/os_terminal_secure_keyboard_enable.yaml | 2 +- rules/os/os_terminate_session.yaml | 2 +- rules/os/os_tftpd_disable.yaml | 4 ++-- rules/os/os_time_offset_limit_configure.yaml | 2 +- rules/os/os_time_server_enabled.yaml | 4 ++-- rules/os/os_touchid_prompt_disable.yaml | 4 ++-- rules/os/os_unique_identification.yaml | 2 +- rules/os/os_unlock_active_user_session_disable.yaml | 2 +- rules/os/os_user_app_installation_prohibit.yaml | 2 +- rules/os/os_uucp_disable.yaml | 4 ++-- rules/os/os_verify_remote_disconnection.yaml | 2 +- rules/os/os_world_writable_library_folder_configure.yaml | 2 +- rules/os/os_world_writable_system_folder_configure.yaml | 2 +- rules/pwpolicy/pwpolicy_50_percent.yaml | 2 +- rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml | 2 +- rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml | 4 ++-- rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml | 4 ++-- rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml | 4 ++-- rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml | 2 +- rules/pwpolicy/pwpolicy_force_password_change.yaml | 2 +- rules/pwpolicy/pwpolicy_history_enforce.yaml | 4 ++-- rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml | 2 +- rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml | 4 ++-- rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml | 4 ++-- rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml | 2 +- 
rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml | 2 +- rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml | 4 ++-- rules/pwpolicy/pwpolicy_special_character_enforce.yaml | 4 ++-- rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml | 2 +- .../pwpolicy_temporary_or_emergency_accounts_disable.yaml | 4 ++-- rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml | 2 +- .../system_settings_airplay_receiver_disable.yaml | 2 +- .../system_settings_apple_watch_unlock_disable.yaml | 4 ++-- rules/system_settings/system_settings_assistant_disable.yaml | 4 ++-- .../system_settings_automatic_login_disable.yaml | 4 ++-- .../system_settings_automatic_logout_enforce.yaml | 2 +- rules/system_settings/system_settings_bluetooth_disable.yaml | 4 ++-- .../system_settings_bluetooth_menu_enable.yaml | 2 +- .../system_settings_bluetooth_prefpane_disable.yaml | 4 ++-- .../system_settings_bluetooth_sharing_disable.yaml | 2 +- .../system_settings_cd_dvd_sharing_disable.yaml | 2 +- .../system_settings_content_caching_disable.yaml | 2 +- .../system_settings_critical_update_install_enforce.yaml | 2 +- .../system_settings_diagnostics_reports_disable.yaml | 4 ++-- rules/system_settings/system_settings_filevault_enforce.yaml | 4 ++-- rules/system_settings/system_settings_find_my_disable.yaml | 2 +- rules/system_settings/system_settings_firewall_enable.yaml | 4 ++-- .../system_settings_firewall_stealth_mode_enable.yaml | 4 ++-- ...tem_settings_gatekeeper_identified_developers_allowed.yaml | 4 ++-- .../system_settings_gatekeeper_override_disallow.yaml | 2 +- .../system_settings_guest_access_smb_disable.yaml | 2 +- .../system_settings_guest_account_disable.yaml | 4 ++-- .../system_settings/system_settings_hot_corners_disable.yaml | 4 ++-- rules/system_settings/system_settings_hot_corners_secure.yaml | 2 +- .../system_settings_improve_siri_dictation_disable.yaml | 4 ++-- .../system_settings_install_macos_updates_enforce.yaml | 2 +- .../system_settings_internet_accounts_disable.yaml | 2 
+- ...em_settings_internet_accounts_preference_pane_disable.yaml | 4 ++-- .../system_settings_internet_sharing_disable.yaml | 4 ++-- .../system_settings_location_services_disable.yaml | 4 ++-- .../system_settings_location_services_enable.yaml | 2 +- .../system_settings_location_services_menu_enforce.yaml | 2 +- .../system_settings_loginwindow_loginwindowtext_enable.yaml | 2 +- ...settings_loginwindow_prompt_username_password_enforce.yaml | 4 ++-- .../system_settings_media_sharing_disabled.yaml | 2 +- .../system_settings_password_hints_disable.yaml | 4 ++-- .../system_settings_personalized_advertising_disable.yaml | 2 +- .../system_settings_printer_sharing_disable.yaml | 2 +- rules/system_settings/system_settings_rae_disable.yaml | 4 ++-- .../system_settings_remote_management_disable.yaml | 2 +- .../system_settings_screen_sharing_disable.yaml | 4 ++-- ...m_settings_screensaver_ask_for_password_delay_enforce.yaml | 4 ++-- .../system_settings_screensaver_password_enforce.yaml | 4 ++-- .../system_settings_screensaver_timeout_enforce.yaml | 4 ++-- rules/system_settings/system_settings_siri_disable.yaml | 4 ++-- .../system_settings_siri_prefpane_disable.yaml | 4 ++-- rules/system_settings/system_settings_smbd_disable.yaml | 4 ++-- .../system_settings_software_update_app_update_enforce.yaml | 2 +- .../system_settings_software_update_download_enforce.yaml | 2 +- .../system_settings_software_update_enforce.yaml | 2 +- .../system_settings_softwareupdate_current.yaml | 2 +- rules/system_settings/system_settings_ssh_disable.yaml | 4 ++-- rules/system_settings/system_settings_ssh_enable.yaml | 2 +- .../system_settings_system_wide_preferences_configure.yaml | 4 ++-- .../system_settings_time_machine_auto_backup_enable.yaml | 2 +- .../system_settings_time_machine_encrypted_configure.yaml | 2 +- .../system_settings_time_server_configure.yaml | 4 ++-- .../system_settings/system_settings_time_server_enforce.yaml | 2 +- .../system_settings_token_removal_enforce.yaml | 4 ++-- 
.../system_settings_touch_id_pane_disable.yaml | 4 ++-- .../system_settings_touchid_unlock_disable.yaml | 2 +- .../system_settings/system_settings_usb_restricted_mode.yaml | 2 +- .../system_settings_wake_network_access_disable.yaml | 2 +- .../system_settings_wallet_applepay_prefpane_disable.yaml | 4 ++-- .../system_settings_wallet_applepay_prefpane_hide.yaml | 4 ++-- rules/system_settings/system_settings_wifi_disable.yaml | 2 +- ...stem_settings_wifi_disable_when_connected_to_ethernet.yaml | 2 +- rules/system_settings/system_settings_wifi_menu_enable.yaml | 2 +- 303 files changed, 436 insertions(+), 436 deletions(-) diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index ad2043d6..0e6d001c 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91701-3 + - N/A cci: - CCI-000162 - CCI-001314 @@ -27,7 +27,7 @@ references: - SRG-OS-000057-GPOS-00027 - SRG-OS-000206-GPOS-00084 disa_stig: - - APPL-13-000030 + - N/A 800-171r2: - 3.3.8 cis: diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml index df57144b..7234c29a 100644 --- a/rules/audit/audit_acls_folders_configure.yaml +++ b/rules/audit/audit_acls_folders_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91702-1 + - N/A cci: - CCI-000162 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000057-GPOS-00027 disa_stig: - - APPL-13-000031 + - N/A 800-171r2: - 3.3.8 cis: diff --git a/rules/audit/audit_alert_processing_fail.yaml b/rules/audit/audit_alert_processing_fail.yaml index a160e43c..9547234d 100644 --- a/rules/audit/audit_alert_processing_fail.yaml +++ b/rules/audit/audit_alert_processing_fail.yaml 
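Review bot: Both hunks in audit_acls_files_configure.yaml replace a concrete identifier (`CCE-91701-3`, `APPL-13-000030`) with the literal `N/A`, which discards the only record of how this rule mapped to the macOS 13 CCE catalog and STIG, while the neighbouring `cci:` and `srg:` lists stay in place so the rule still reads as STIG-traceable to anything that keys on those fields. The `N/A` placeholder itself matches the convention the file already uses for `cci:`, but if the intent is that Sonoma identifiers will be assigned later, a YAML comment beside the placeholder would keep the audit trail in the meantime, e.g. `- N/A  # was CCE-91701-3 for macOS 13; Sonoma CCE pending` and `- N/A  # was APPL-13-000030; Sonoma STIG mapping pending` (the pending-reissue rationale is my inference and should be confirmed). The same replacement is repeated in every other hunk of this commit (audit_acls_folders_configure, audit_auditd_enabled, audit_failure_halt, the audit_flags_* files and onward), so whichever convention is chosen should be applied uniformly rather than per file. The rest of the `references:` mapping continues past the end of this hunk.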
@@ -8,7 +8,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91703-9 + - N/A cci: - N/A 800-53r5: diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index 53336c96..82541e41 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -36,7 +36,7 @@ fix: | ---- references: cce: - - CCE-91704-7 + - N/A cci: - CCI-000130 - CCI-000131 @@ -84,7 +84,7 @@ references: - SRG-OS-000358-GPOS-00145 - SRG-OS-000359-GPOS-00146 disa_stig: - - APPL-13-001003 + - N/A 800-171r2: - 3.3.1 - 3.3.2 diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml index 5d5d3044..086a9b62 100644 --- a/rules/audit/audit_configure_capacity_notify.yaml +++ b/rules/audit/audit_configure_capacity_notify.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91705-4 + - N/A cci: - CCI-001855 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000343-GPOS-00134 disa_stig: - - APPL-13-001030 + - N/A macOS: - "14.0" odv: diff --git a/rules/audit/audit_control_acls_configure.yaml b/rules/audit/audit_control_acls_configure.yaml index 87698ecc..32d20222 100644 --- a/rules/audit/audit_control_acls_configure.yaml +++ b/rules/audit/audit_control_acls_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-91706-2 + - N/A cci: - N/A 800-53r5: diff --git a/rules/audit/audit_control_group_configure.yaml b/rules/audit/audit_control_group_configure.yaml index 5d4764fc..d5fa124e 100644 --- a/rules/audit/audit_control_group_configure.yaml +++ b/rules/audit/audit_control_group_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-91707-0 + - N/A cci: - N/A 800-53r5: 
diff --git a/rules/audit/audit_control_mode_configure.yaml b/rules/audit/audit_control_mode_configure.yaml index d345991a..3943a7b4 100644 --- a/rules/audit/audit_control_mode_configure.yaml +++ b/rules/audit/audit_control_mode_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-91708-8 + - N/A cci: - N/A 800-53r5: diff --git a/rules/audit/audit_control_owner_configure.yaml b/rules/audit/audit_control_owner_configure.yaml index 1ba3e7ab..75dff5f9 100644 --- a/rules/audit/audit_control_owner_configure.yaml +++ b/rules/audit/audit_control_owner_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-91709-6 + - N/A cci: - N/A 800-53r5: diff --git a/rules/audit/audit_enforce_dual_auth.yaml b/rules/audit/audit_enforce_dual_auth.yaml index edf1c8f5..cb43b92b 100644 --- a/rules/audit/audit_enforce_dual_auth.yaml +++ b/rules/audit/audit_enforce_dual_auth.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91710-4 + - N/A cci: - N/A 800-53r5: diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index 2375da64..0ee8bb64 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-91711-2 + - N/A cci: - CCI-000140 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000047-GPOS-00023 disa_stig: - - APPL-13-001010 + - N/A 800-171r2: - 3.3.4 cmmc: diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml index 91f6441a..924de326 100644 --- a/rules/audit/audit_files_group_configure.yaml +++ b/rules/audit/audit_files_group_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-91712-0 + - N/A cci: - CCI-000162 800-53r5: 
@@ -27,7 +27,7 @@ references:
 srg:
 - SRG-OS-000057-GPOS-00027
 disa_stig:
- - APPL-13-001014
+ - N/A
 800-171r2:
 - 3.3.8
 cis:
diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml
index c78610d5..e7800470 100644
--- a/rules/audit/audit_files_mode_configure.yaml
+++ b/rules/audit/audit_files_mode_configure.yaml
@@ -13,7 +13,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91713-8
+ - N/A
 cci:
 - CCI-000162
 800-53r5:
@@ -23,7 +23,7 @@ references:
 srg:
 - SRG-OS-000057-GPOS-00027
 disa_stig:
- - APPL-13-001016
+ - N/A
 800-171r2:
 - 3.3.8
 cis:
diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml
index beec7040..c34e1105 100644
--- a/rules/audit/audit_files_owner_configure.yaml
+++ b/rules/audit/audit_files_owner_configure.yaml
@@ -17,7 +17,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91714-6
+ - N/A
 cci:
 - CCI-000162
 800-53r5:
@@ -27,7 +27,7 @@ references:
 srg:
 - SRG-OS-000057-GPOS-00027
 disa_stig:
- - APPL-13-001012
+ - N/A
 800-171r2:
 - 3.3.8
 cis:
diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml
index a1935d7c..afd2f4c3 100644
--- a/rules/audit/audit_flags_aa_configure.yaml
+++ b/rules/audit/audit_flags_aa_configure.yaml
@@ -17,7 +17,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91715-3
+ - N/A
 cci:
 - CCI-000172
 800-53r5:
@@ -36,7 +36,7 @@ references:
 - SRG-OS-000473-GPOS-00218
 - SRG-OS-000475-GPOS-00220
 disa_stig:
- - APPL-13-001044
+ - N/A
 800-171r2:
 - 3.3.1
 - 3.3.2
diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml
index 84cc2da1..9b810c43 100644
--- a/rules/audit/audit_flags_ad_configure.yaml
+++ b/rules/audit/audit_flags_ad_configure.yaml
@@ -21,7 +21,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91716-1
+ - N/A
 cci:
 - CCI-000018
 - CCI-000172
@@ -56,7 +56,7 @@ references:
 - SRG-OS-000476-GPOS-00221
 - SRG-OS-000477-GPOS-00222
 disa_stig:
- - APPL-13-001001
+ - N/A
 800-171r2:
 - 3.1.7
 - 3.3.1
diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml
index 98ac94cc..53f3fa22 100644
--- a/rules/audit/audit_flags_ex_configure.yaml
+++ b/rules/audit/audit_flags_ex_configure.yaml
@@ -18,7 +18,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91718-7
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml
index 713ba435..1d5d215a 100644
--- a/rules/audit/audit_flags_fd_configure.yaml
+++ b/rules/audit/audit_flags_fd_configure.yaml
@@ -19,7 +19,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91719-5
+ - N/A
 cci:
 - CCI-000172
 - CCI-001814
@@ -48,7 +48,7 @@ references:
 - SRG-OS-000468-GPOS-00212
 - SRG-OS-000474-GPOS-00219
 disa_stig:
- - APPL-13-001020
+ - N/A
 800-171r2:
 - N/A
 cmmc:
diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml
index baf8d391..8f25b7b4 100644
--- a/rules/audit/audit_flags_fm_configure.yaml
+++ b/rules/audit/audit_flags_fm_configure.yaml
@@ -19,7 +19,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91720-3
+ - N/A
 cci:
 - CCI-000172
 - CCI-001814
@@ -48,7 +48,7 @@ references:
 - SRG-OS-000468-GPOS-00212
 - SRG-OS-000474-GPOS-00219
 disa_stig:
- - APPL-13-001020
+ - N/A
 800-171r2:
 - N/A
 cmmc:
diff --git a/rules/audit/audit_flags_fm_failed_configure.yaml b/rules/audit/audit_flags_fm_failed_configure.yaml
index 954de099..2b8927e4 100644
--- a/rules/audit/audit_flags_fm_failed_configure.yaml
+++ b/rules/audit/audit_flags_fm_failed_configure.yaml
@@ -19,7 +19,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91721-1
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml
index 9869dce3..c2535fa8 100644
--- a/rules/audit/audit_flags_fr_configure.yaml
+++ b/rules/audit/audit_flags_fr_configure.yaml
@@ -19,7 +19,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91722-9
+ - N/A
 cci:
 - CCI-000172
 - CCI-001814
@@ -48,7 +48,7 @@ references:
 - SRG-OS-000468-GPOS-00212
 - SRG-OS-000474-GPOS-00219
 disa_stig:
- - APPL-13-001020
+ - N/A
 800-171r2:
 - 3.3.1
 - 3.3.2
diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml
index 2541ec1e..b60b7888 100644
--- a/rules/audit/audit_flags_fw_configure.yaml
+++ b/rules/audit/audit_flags_fw_configure.yaml
@@ -19,7 +19,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91723-7
+ - N/A
 cci:
 - CCI-000172
 - CCI-001814
@@ -48,7 +48,7 @@ references:
 - SRG-OS-000468-GPOS-00212
 - SRG-OS-000474-GPOS-00219
 disa_stig:
- - APPL-13-001020
+ - N/A
 800-171r2:
 - 3.3.1
 - 3.3.2
diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml
index c1100e59..ee9dcd48 100644
--- a/rules/audit/audit_flags_lo_configure.yaml
+++ b/rules/audit/audit_flags_lo_configure.yaml
@@ -17,7 +17,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91724-5
+ - N/A
 cci:
 - CCI-000067
 - CCI-000172
@@ -36,7 +36,7 @@ references:
 - SRG-OS-000032-GPOS-00013
 - SRG-OS-000462-GPOS-00206
 disa_stig:
- - APPL-13-001002
+ - N/A
 800-171r2:
 - 3.1.12
 - 3.3.1
diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml
index 8636d9fe..5d63c2c5 100644
--- a/rules/audit/audit_folder_group_configure.yaml
+++ b/rules/audit/audit_folder_group_configure.yaml
@@ -17,7 +17,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91725-2
+ - N/A
 cci:
 - CCI-000162
 800-53r5:
@@ -27,7 +27,7 @@ references:
 srg:
 - SRG-OS-000057-GPOS-00027
 disa_stig:
- - APPL-13-001015
+ - N/A
 800-171r2:
 - 3.3.8
 cis:
diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml
index 64c8a448..5081dbae 100644
--- a/rules/audit/audit_folder_owner_configure.yaml
+++ b/rules/audit/audit_folder_owner_configure.yaml
@@ -17,7 +17,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91726-0
+ - N/A
 cci:
 - CCI-000162
 800-53r5:
@@ -27,7 +27,7 @@ references:
 srg:
 - SRG-OS-000057-GPOS-00027
 disa_stig:
- - APPL-13-001013
+ - N/A
 800-171r2:
 - 3.3.8
 cis:
diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml
index 8e720d16..965dbe60 100644
--- a/rules/audit/audit_folders_mode_configure.yaml
+++ b/rules/audit/audit_folders_mode_configure.yaml
@@ -15,7 +15,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91727-8
+ - N/A
 cci:
 - CCI-000162
 - CCI-000163
@@ -29,7 +29,7 @@ references:
 - SRG-OS-000058-GPOS-00028
 - SRG-OS-000059-GPOS-00029
 disa_stig:
- - APPL-13-001017
+ - N/A
 800-171r2:
 - 3.3.8
 cis:
diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml
index 65ba5d5a..52de14ce 100644
--- a/rules/audit/audit_off_load_records.yaml
+++ b/rules/audit/audit_off_load_records.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - CCE-91728-6
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/audit/audit_record_reduction_report_generation.yaml b/rules/audit/audit_record_reduction_report_generation.yaml
index ff043981..eca837b0 100644
--- a/rules/audit/audit_record_reduction_report_generation.yaml
+++ b/rules/audit/audit_record_reduction_report_generation.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91729-4
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/audit/audit_records_processing.yaml b/rules/audit/audit_records_processing.yaml
index df46daac..dc6a9afb 100644
--- a/rules/audit/audit_records_processing.yaml
+++ b/rules/audit/audit_records_processing.yaml
@@ -10,7 +10,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - CCE-91730-2
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml
index 2b4f8749..06125642 100644
--- a/rules/audit/audit_retention_configure.yaml
+++ b/rules/audit/audit_retention_configure.yaml
@@ -15,7 +15,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91731-0
+ - N/A
 cci:
 - CCI-001849
 800-53r5:
@@ -27,7 +27,7 @@ references:
 srg:
 - SRG-OS-000341-GPOS-00132
 disa_stig:
- - APPL-13-001029
+ - N/A
 cis:
 benchmark:
 - 3.4 (level 1)
diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml
index 13266f20..8026f9e1 100644
--- a/rules/audit/audit_settings_failure_notify.yaml
+++ b/rules/audit/audit_settings_failure_notify.yaml
@@ -15,7 +15,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91732-8
+ - N/A
 cci:
 - CCI-001858
 800-53r5:
@@ -27,7 +27,7 @@ references:
 srg:
 - SRG-OS-000344-GPOS-00135
 disa_stig:
- - APPL-13-001031
+ - N/A
 800-171r2:
 - 3.3.4
 cmmc:
diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml
index ef0da149..154d693c 100644
--- a/rules/auth/auth_pam_login_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml
@@ -37,7 +37,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91733-6
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -51,7 +51,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-13-003050
+ - N/A
 800-171r2:
 - 3.5.3
 cis:
diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml
index 33af991d..c66145f4 100644
--- a/rules/auth/auth_pam_su_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml
@@ -32,7 +32,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91734-4
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -46,7 +46,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-13-003051
+ - N/A
 800-171r2:
 - 3.5.3
 cis:
diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
index 83764fde..6c1d9a91 100644
--- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
@@ -31,7 +31,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91735-1
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -45,7 +45,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-13-003052
+ - N/A
 800-171r2:
 - 3.5.3
 cis:
diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml
index 65b7ef7d..7b48686c 100644
--- a/rules/auth/auth_smartcard_allow.yaml
+++ b/rules/auth/auth_smartcard_allow.yaml
@@ -17,7 +17,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91736-9
+ - N/A
 cci:
 - CCI-000187
 - CCI-000767
@@ -34,7 +34,7 @@ references:
 - SRG-OS-000107-GPOS-00054
 - SRG-OS-000108-GPOS-00055
 disa_stig:
- - APPL-13-003020
+ - N/A
 cis:
 benchmark:
 - N/A
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
index 14366bff..cb0b84f2 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
@@ -19,7 +19,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91737-7
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
index 35652d31..17b35a05 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
@@ -19,7 +19,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91738-5
+ - N/A
 cci:
 - CCI-000186
 - CCI-001953
@@ -39,7 +39,7 @@ references:
 - SRG-OS-000384-GPOS-00167
 - SRG-OS-000403-GPOS-00182
 disa_stig:
- - APPL-13-001060
+ - N/A
 cmmc:
 - SC.L2-3.13.10
 macOS:
diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml
index d57bc58d..8dd50e0d 100644
--- a/rules/auth/auth_smartcard_enforce.yaml
+++ b/rules/auth/auth_smartcard_enforce.yaml
@@ -21,7 +21,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91739-3
+ - N/A
 cci:
 - CCI-000187
 - CCI-000767
@@ -49,7 +49,7 @@ references:
 - SRG-OS-000107-GPOS-00054
 - SRG-OS-000108-GPOS-00055
 disa_stig:
- - APPL-13-003020
+ - N/A
 800-171r2:
 - 3.5.1
 - 3.5.2
diff --git a/rules/auth/auth_ssh_password_authentication_disable.yaml b/rules/auth/auth_ssh_password_authentication_disable.yaml
index 3df23e3d..84905e04 100644
--- a/rules/auth/auth_ssh_password_authentication_disable.yaml
+++ b/rules/auth/auth_ssh_password_authentication_disable.yaml
@@ -32,7 +32,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91740-1
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml
index 78ac3ffd..4ec11054 100644
--- a/rules/icloud/icloud_addressbook_disable.yaml
+++ b/rules/icloud/icloud_addressbook_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91741-9
+ - N/A
 cci:
 - CCI-000381
 - CCI-001774
@@ -34,7 +34,7 @@ references:
 - SRG-OS-000095-GPOS-00049
 - SRG-OS-000370-GPOS-00155
 disa_stig:
- - APPL-13-002014
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
diff --git a/rules/icloud/icloud_appleid_preference_pane_disable.yaml b/rules/icloud/icloud_appleid_preference_pane_disable.yaml
index d4032edc..f03aa75b 100644
--- a/rules/icloud/icloud_appleid_preference_pane_disable.yaml
+++ b/rules/icloud/icloud_appleid_preference_pane_disable.yaml
@@ -14,7 +14,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-92006-6
+ - N/A
 cci:
 - CCI-001774
 800-53r5:
@@ -24,7 +24,7 @@ references:
 srg:
 - SRG-OS-000370-GPOS-00155
 disa_stig:
- - APPL-13-002031
+ - N/A
 800-171r2:
 - N/A
 cis:
diff --git a/rules/icloud/icloud_appleid_system_settings_disable.yaml b/rules/icloud/icloud_appleid_system_settings_disable.yaml
index 275251b7..665c3a49 100644
--- a/rules/icloud/icloud_appleid_system_settings_disable.yaml
+++ b/rules/icloud/icloud_appleid_system_settings_disable.yaml
@@ -12,7 +12,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91939-9
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml
index 92a7ebdd..9c79e4be 100644
--- a/rules/icloud/icloud_bookmarks_disable.yaml
+++ b/rules/icloud/icloud_bookmarks_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91743-5
+ - N/A
 cci:
 - CCI-000381
 - CCI-001774
@@ -34,7 +34,7 @@ references:
 - SRG-OS-000095-GPOS-00049
 - SRG-OS-000370-GPOS-00155
 disa_stig:
- - APPL-13-002042
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml
index 311e0005..eb714b27 100644
--- a/rules/icloud/icloud_calendar_disable.yaml
+++ b/rules/icloud/icloud_calendar_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91744-3
+ - N/A
 cci:
 - CCI-000381
 - CCI-001774
@@ -33,7 +33,7 @@ references:
 srg:
 - SRG-OS-000095-GPOS-00049
 disa_stig:
- - APPL-13-002012
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml
index 02914ed9..bfc5e58f 100644
--- a/rules/icloud/icloud_drive_disable.yaml
+++ b/rules/icloud/icloud_drive_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91745-0
+ - N/A
 cci:
 - CCI-000381
 - CCI-001774
@@ -34,7 +34,7 @@ references:
 - SRG-OS-000095-GPOS-00049
 - SRG-OS-000370-GPOS-00155
 disa_stig:
- - APPL-13-002041
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
diff --git a/rules/icloud/icloud_game_center_disable.yaml b/rules/icloud/icloud_game_center_disable.yaml
index 335cfefb..58fb93ad 100644
--- a/rules/icloud/icloud_game_center_disable.yaml
+++ b/rules/icloud/icloud_game_center_disable.yaml
@@ -14,7 +14,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-92001-7
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml
index fb33d6f6..74feb722 100644
--- a/rules/icloud/icloud_keychain_disable.yaml
+++ b/rules/icloud/icloud_keychain_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91746-8
+ - N/A
 cci:
 - CCI-001774
 - CCI-000381
@@ -34,7 +34,7 @@ references:
 - SRG-OS-000095-GPOS-00049
 - SRG-OS-000370-GPOS-00155
 disa_stig:
- - APPL-13-002040
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml
index 1d634c4a..b702c661 100644
--- a/rules/icloud/icloud_mail_disable.yaml
+++ b/rules/icloud/icloud_mail_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91747-6
+ - N/A
 cci:
 - CCI-000381
 - CCI-001774
@@ -34,7 +34,7 @@ references:
 - SRG-OS-000095-GPOS-00049
 - SRG-OS-000370-GPOS-00155
 disa_stig:
- - APPL-13-002015
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml
index e7129a89..56901fec 100644
--- a/rules/icloud/icloud_notes_disable.yaml
+++ b/rules/icloud/icloud_notes_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91748-4
+ - N/A
 cci:
 - CCI-000381
 - CCI-001774
@@ -34,7 +34,7 @@ references:
 - SRG-OS-000095-GPOS-00049
 - SRG-OS-000370-GPOS-00155
 disa_stig:
- - APPL-13-002016
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml
index 7f4dced0..253b214a 100644
--- a/rules/icloud/icloud_photos_disable.yaml
+++ b/rules/icloud/icloud_photos_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91749-2
+ - N/A
 cci:
 - CCI-000381
 - CCI-001774
@@ -34,7 +34,7 @@ references:
 - SRG-OS-000095-GPOS-00049
 - SRG-OS-000370-GPOS-00155
 disa_stig:
- - APPL-13-002043
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml
index e6095de0..393cbae3 100644
--- a/rules/icloud/icloud_private_relay_disable.yaml
+++ b/rules/icloud/icloud_private_relay_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91750-0
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml
index e344077a..5e26c64f 100644
--- a/rules/icloud/icloud_reminders_disable.yaml
+++ b/rules/icloud/icloud_reminders_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91751-8
+ - N/A
 cci:
 - CCI-000381
 - CCI-001774
@@ -34,7 +34,7 @@ references:
 - SRG-OS-000095-GPOS-00049
 - SRG-OS-000370-GPOS-00155
 disa_stig:
- - APPL-13-002013
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml
index 893bb934..37fc463f 100644
--- a/rules/icloud/icloud_sync_disable.yaml
+++ b/rules/icloud/icloud_sync_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91752-6
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_access_control_mobile_devices.yaml b/rules/os/os_access_control_mobile_devices.yaml
index 10ce4626..7884dc1f 100644
--- a/rules/os/os_access_control_mobile_devices.yaml
+++ b/rules/os/os_access_control_mobile_devices.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - CCE-91753-4
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml
index 498b97f7..9462dcbf 100644
--- a/rules/os/os_airdrop_disable.yaml
+++ b/rules/os/os_airdrop_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91754-2
+ - N/A
 cci:
 - CCI-000381
 800-53r5:
@@ -31,7 +31,7 @@ references:
 srg:
 - SRG-OS-000095-GPOS-00049
 disa_stig:
- - APPL-13-002009
+ - N/A
 800-171r2:
 - 3.1.1
 - 3.1.2
diff --git a/rules/os/os_allow_info_passed.yaml b/rules/os/os_allow_info_passed.yaml
index b9fa2928..609d05d1 100644
--- a/rules/os/os_allow_info_passed.yaml
+++ b/rules/os/os_allow_info_passed.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91755-9
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml
index 852aa481..afda8d87 100644
--- a/rules/os/os_anti_virus_installed.yaml
+++ b/rules/os/os_anti_virus_installed.yaml
@@ -16,7 +16,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91756-7
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -26,7 +26,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-13-002070
+ - N/A
 macOS:
 - "14.0"
 tags:
diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml
index dbc38b65..ce088957 100644
--- a/rules/os/os_appleid_prompt_disable.yaml
+++ b/rules/os/os_appleid_prompt_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91757-5
+ - N/A
 cci:
 - CCI-000381
 800-53r5:
@@ -25,7 +25,7 @@ references:
 srg:
 - SRG-OS-000095-GPOS-00049
 disa_stig:
- - APPL-13-002035
+ - N/A
 800-171r2:
 - 3.1.20
 cis:
diff --git a/rules/os/os_application_sandboxing.yaml b/rules/os/os_application_sandboxing.yaml
index 78c84e12..047bbe8c 100644
--- a/rules/os/os_application_sandboxing.yaml
+++ b/rules/os/os_application_sandboxing.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91758-3
+ - N/A
 800-53r5:
 - SC-39
 800-53r4:
diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml
index 21bc8e20..865b2894 100644
--- a/rules/os/os_asl_log_files_owner_group_configure.yaml
+++ b/rules/os/os_asl_log_files_owner_group_configure.yaml
@@ -15,7 +15,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91759-1
+ - N/A
 cci:
 - CCI-001314
 800-53r5:
@@ -25,7 +25,7 @@ references:
 srg:
 - SRG-OS-000206-GPOS-00084
 disa_stig:
- - APPL-13-004001
+ - N/A
 800-171r2:
 - N/A
 macOS:
diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml
index 72c7e119..deaa3c35 100644
--- a/rules/os/os_asl_log_files_permissions_configure.yaml
+++ b/rules/os/os_asl_log_files_permissions_configure.yaml
@@ -13,7 +13,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91760-9
+ - N/A
 cci:
 - CCI-001314
 800-53r5:
@@ -23,7 +23,7 @@ references:
 srg:
 - SRG-OS-000206-GPOS-00084
 disa_stig:
- - APPL-13-004002
+ - N/A
 800-171r2:
 - N/A
 macOS:
diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml
index 27fb66b4..9bf3bb03 100644
--- a/rules/os/os_auth_peripherals.yaml
+++ b/rules/os/os_auth_peripherals.yaml
@@ -8,7 +8,7 @@ fix: |
 This requirement is a permanent finding and can be fixed by implementing a third party solution.
 references:
 cce:
- - CCE-91761-7
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml
index 201bc118..cb5e2a94 100644
--- a/rules/os/os_authenticated_root_enable.yaml
+++ b/rules/os/os_authenticated_root_enable.yaml
@@ -20,7 +20,7 @@ fix: |
 NOTE: To re-enable "Authenticated Root", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
 references:
 cce:
- - CCE-91762-5
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml
index f1476c5d..304356b4 100644
--- a/rules/os/os_blank_bluray_disable.yaml
+++ b/rules/os/os_blank_bluray_disable.yaml
@@ -23,7 +23,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91763-3
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -33,7 +33,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-13-005051
+ - N/A
 800-171r2:
 - 3.8.8
 cmmc:
diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml
index 2f140c2c..187b3bcf 100644
--- a/rules/os/os_blank_cd_disable.yaml
+++ b/rules/os/os_blank_cd_disable.yaml
@@ -23,7 +23,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91764-1
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -33,7 +33,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-13-005051
+ - N/A
 800-171r2:
 - 3.8.8
 cmmc:
diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml
index 8844e93d..a07ed0ff 100644
--- a/rules/os/os_blank_dvd_disable.yaml
+++ b/rules/os/os_blank_dvd_disable.yaml
@@ -23,7 +23,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91765-8
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -33,7 +33,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-13-005051
+ - N/A
 800-171r2:
 - 3.8.8
 cmmc:
diff --git a/rules/os/os_bluray_read_only_enforce.yaml b/rules/os/os_bluray_read_only_enforce.yaml
index 65ea78b7..c6a1aad7 100644
--- a/rules/os/os_bluray_read_only_enforce.yaml
+++ b/rules/os/os_bluray_read_only_enforce.yaml
@@ -23,7 +23,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91766-6
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -33,7 +33,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-13-005051
+ - N/A
 800-171r2:
 - 3.8.8
 cmmc:
diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml
index 657d7213..14ad9fc9 100644
--- a/rules/os/os_bonjour_disable.yaml
+++ b/rules/os/os_bonjour_disable.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91767-4
+ - N/A
 cci:
 - CCI-000381
 800-53r5:
@@ -25,7 +25,7 @@ references:
 srg:
 - SRG-OS-000095-GPOS-00049
 disa_stig:
- - APPL-13-002005
+ - N/A
 800-171r2:
 - 3.4.6
 cis:
diff --git a/rules/os/os_burn_support_disable.yaml b/rules/os/os_burn_support_disable.yaml
index 06acd0e5..05de55c2 100644
--- a/rules/os/os_burn_support_disable.yaml
+++ b/rules/os/os_burn_support_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91768-2
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -25,7 +25,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-13-005053
+ - N/A
 cmmc:
 - MP.L2-3.8.7
 - MP.L2-3.8.8
diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml
index 83933bf2..d9b05420 100644
--- a/rules/os/os_calendar_app_disable.yaml
+++ b/rules/os/os_calendar_app_disable.yaml
@@ -28,7 +28,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91769-0
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml
index 12714c69..7030aa2c 100644
--- a/rules/os/os_camera_disable.yaml
+++ b/rules/os/os_camera_disable.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91770-8
+ - N/A
 cci:
 - CCI-000381
 - CCI-001774
@@ -25,7 +25,7 @@ references:
 - SRG-OS-000095-GPOS-00049
 - SRG-OS-000370-GPOS-00155
 disa_stig:
- - APPL-13-002017
+ - N/A
 macOS:
 - "14.0"
 tags:
diff --git a/rules/os/os_cd_read_only_enforce.yaml b/rules/os/os_cd_read_only_enforce.yaml
index 276f8e42..e1339f4a 100644
--- a/rules/os/os_cd_read_only_enforce.yaml
+++ b/rules/os/os_cd_read_only_enforce.yaml
@@ -23,7 +23,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91771-6
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -33,7 +33,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-13-005051
+ - N/A
 800-171r2:
 - 3.8.8
 cmmc:
diff --git a/rules/os/os_certificate_authority_trust.yaml b/rules/os/os_certificate_authority_trust.yaml
index e52df3f8..3520f231 100644
--- a/rules/os/os_certificate_authority_trust.yaml
+++ b/rules/os/os_certificate_authority_trust.yaml
@@ -10,7 +10,7 @@ fix: |
 Obtain the approved certificates from the appropriate authority and install them to the System Keychain.
 references:
 cce:
- - CCE-91772-4
+ - N/A
 cci:
 - CCI-000185
 - CCI-002450
diff --git a/rules/os/os_change_security_attributes.yaml b/rules/os/os_change_security_attributes.yaml
index 5bdf9ac2..b16f1506 100644
--- a/rules/os/os_change_security_attributes.yaml
+++ b/rules/os/os_change_security_attributes.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91773-2
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml
index 452e722c..6a247f04 100644
--- a/rules/os/os_config_data_install_enforce.yaml
+++ b/rules/os/os_config_data_install_enforce.yaml
@@ -19,7 +19,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91774-0
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -30,7 +30,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-13-002070
+ - N/A
 800-171r2:
 - 3.14.1
 - 3.14.2
diff --git a/rules/os/os_config_profile_ui_install_disable.yaml b/rules/os/os_config_profile_ui_install_disable.yaml
index 29a874d0..7e3a7370 100644
--- a/rules/os/os_config_profile_ui_install_disable.yaml
+++ b/rules/os/os_config_profile_ui_install_disable.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91775-7
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_continuous_monitoring.yaml b/rules/os/os_continuous_monitoring.yaml
index fd7cb3cf..7cb623bf 100644
--- a/rules/os/os_continuous_monitoring.yaml
+++ b/rules/os/os_continuous_monitoring.yaml
@@ -8,7 +8,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - CCE-91776-5
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_crypto_audit.yaml b/rules/os/os_crypto_audit.yaml
index a8886a86..57c0626b 100644
--- a/rules/os/os_crypto_audit.yaml
+++ b/rules/os/os_crypto_audit.yaml
@@ -14,7 +14,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91777-3
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml
index 7ddf3529..a4d9fc77 100644
--- a/rules/os/os_directory_services_configured.yaml
+++ b/rules/os/os_directory_services_configured.yaml
@@ -12,7 +12,7 @@ fix: |
 Integrate the system into an existing directory services infrastructure.
 references:
 cce:
- - CCE-91778-1
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -22,7 +22,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-13-000016
+ - N/A
 cis:
 benchmark:
 - N/A
diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml
index a59dd7df..fdff5b9a 100644
--- a/rules/os/os_disk_image_disable.yaml
+++ b/rules/os/os_disk_image_disable.yaml
@@ -23,7 +23,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91779-9
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -33,7 +33,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-13-005051
+ - N/A
 800-171r2:
 - 3.8.8
 cmmc:
diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml
index effa321a..a8d295fe 100644
--- a/rules/os/os_dvdram_disable.yaml
+++ b/rules/os/os_dvdram_disable.yaml
@@ -23,7 +23,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91780-7
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -33,7 +33,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-0022
 disa_stig:
- - APPL-13-005051
+ - N/A
 800-171r2:
 - 3.8.8
 cmmc:
diff --git a/rules/os/os_efi_integrity_validated.yaml b/rules/os/os_efi_integrity_validated.yaml
index de7bac3b..21078d97 100644
--- a/rules/os/os_efi_integrity_validated.yaml
+++ b/rules/os/os_efi_integrity_validated.yaml
@@ -10,7 +10,7 @@ fix: |
 Install a known good version of macOS.
 references:
 cce:
- - CCE-91781-5
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_enforce_access_restrictions.yaml b/rules/os/os_enforce_access_restrictions.yaml
index 5eb74b27..61961007 100644
--- a/rules/os/os_enforce_access_restrictions.yaml
+++ b/rules/os/os_enforce_access_restrictions.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91782-3
+ - N/A
 cci:
 - N/A
 800-53r5:
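Review bot: In the os_dvdram_disable hunk the `srg` entry reads `- SRG-OS-000480-GPOS-0022`, one digit shorter than the `- SRG-OS-000480-GPOS-00227` carried by the sibling rules os_cd_read_only_enforce and os_disk_image_disable in this same diff, which share the rest of their references block with it. It is a context line and so predates this commit, but since the references block of this file is being rewritten anyway this is the moment to correct it to `- SRG-OS-000480-GPOS-00227` so the SRG mapping resolves consistently in generated baselines.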
diff --git a/rules/os/os_erase_content_and_settings_disable.yaml b/rules/os/os_erase_content_and_settings_disable.yaml
index 954efaf7..0958c053 100644
--- a/rules/os/os_erase_content_and_settings_disable.yaml
+++ b/rules/os/os_erase_content_and_settings_disable.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91783-1
+ - N/A
 cci:
 - CCI-000381
 800-53r5:
@@ -25,7 +25,7 @@ references:
 srg:
 - SRG-OS-000095-GPOS-00049
 disa_stig:
- - APPL-13-005061
+ - N/A
 cmmc:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
diff --git a/rules/os/os_error_message.yaml b/rules/os/os_error_message.yaml
index f7ffcd4e..bd130217 100644
--- a/rules/os/os_error_message.yaml
+++ b/rules/os/os_error_message.yaml
@@ -8,7 +8,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91784-9
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_ess_installed.yaml b/rules/os/os_ess_installed.yaml
index edba3ac3..9c6fbcc8 100644
--- a/rules/os/os_ess_installed.yaml
+++ b/rules/os/os_ess_installed.yaml
@@ -11,7 +11,7 @@ fix: |
 Install the approved ESS solution onto the system.
 references:
 cce:
- - CCE-91785-6
+ - N/A
 cci:
 - CCI-001233
 800-53r5:
@@ -21,7 +21,7 @@ references:
 srg:
 - SRG-OS-000191-GPOS-00080
 disa_stig:
- - APPL-13-000015
+ - N/A
 macOS:
 - "14.0"
 tags:
diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml
index 115bb06a..5eb5a962 100644
--- a/rules/os/os_facetime_app_disable.yaml
+++ b/rules/os/os_facetime_app_disable.yaml
@@ -25,7 +25,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91786-4
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_fail_secure_state.yaml b/rules/os/os_fail_secure_state.yaml
index dc8e6aa2..55dacfc4 100644
--- a/rules/os/os_fail_secure_state.yaml
+++ b/rules/os/os_fail_secure_state.yaml
@@ -14,7 +14,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91787-2
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_filevault_authorized_users.yaml b/rules/os/os_filevault_authorized_users.yaml
index 29099874..ee40e3fe 100644
--- a/rules/os/os_filevault_authorized_users.yaml
+++ b/rules/os/os_filevault_authorized_users.yaml
@@ -15,7 +15,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91788-0
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -25,7 +25,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-13-000032
+ - N/A
 macOS:
 - "14.0"
 tags:
diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml
index 7738f7fa..43d615fa 100644
--- a/rules/os/os_filevault_autologin_disable.yaml
+++ b/rules/os/os_filevault_autologin_disable.yaml
@@ -17,7 +17,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91789-8
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -31,7 +31,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-13-000033
+ - N/A
 800-171r2:
 - 3.1.1
 - 3.1.2
diff --git a/rules/os/os_firewall_default_deny_require.yaml b/rules/os/os_firewall_default_deny_require.yaml
index 9eed5c86..57c701b4 100644
--- a/rules/os/os_firewall_default_deny_require.yaml
+++ b/rules/os/os_firewall_default_deny_require.yaml
@@ -21,7 +21,7 @@ fix: |
 NOTE: See the firewall supplemental which includes a script that has an example policy to implement this rule.
 references:
 cce:
- - CCE-91790-6
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml
index 5b8723bf..6679d46b 100644
--- a/rules/os/os_firewall_log_enable.yaml
+++ b/rules/os/os_firewall_log_enable.yaml
@@ -26,7 +26,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91791-4
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml
index 17ee0bb4..b683e522 100644
--- a/rules/os/os_firmware_password_require.yaml
+++ b/rules/os/os_firmware_password_require.yaml
@@ -24,7 +24,7 @@ fix: |
 NOTE: See discussion on remediation and how to enable firmware password.
 references:
 cce:
- - CCE-91792-2
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -34,7 +34,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-13-003013
+ - N/A
 800-171r2:
 - 3.1.5
 cmmc:
diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml
index d3609cd7..65dec142 100644
--- a/rules/os/os_gatekeeper_enable.yaml
+++ b/rules/os/os_gatekeeper_enable.yaml
@@ -17,7 +17,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91793-0
+ - N/A
 cci:
 - CCI-001749
 800-53r5:
@@ -34,7 +34,7 @@ references:
 srg:
 - SRG-OS-000366-GPOS-00153
 disa_stig:
- - APPL-13-002064
+ - N/A
 800-171r2:
 - 3.4.5
 cis:
diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml
index 6f11ecce..5060aeb7 100644
--- a/rules/os/os_gatekeeper_rearm.yaml
+++ b/rules/os/os_gatekeeper_rearm.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91794-8
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_grant_privs.yaml b/rules/os/os_grant_privs.yaml
index 6a152811..2fd86b70 100644
--- a/rules/os/os_grant_privs.yaml
+++ b/rules/os/os_grant_privs.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91795-5
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml
index c734ae58..f8b320cc 100644
--- a/rules/os/os_guest_folder_removed.yaml
+++ b/rules/os/os_guest_folder_removed.yaml
@@ -13,7 +13,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91796-3
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml
index bab11995..067d11f6 100644
--- a/rules/os/os_handoff_disable.yaml
+++ b/rules/os/os_handoff_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91797-1
+ - N/A
 cci:
 - CCI-000381
 800-53r5:
@@ -31,7 +31,7 @@ references:
 srg:
 - SRG-OS-000095-GPOS-00049
 disa_stig:
- - APPL-13-005058
+ - N/A
 800-171r2:
 - 3.1.1
 - 3.1.2
diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
index 8a1a25c3..be2ff146 100644
--- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
+++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91798-9
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_hibernate_mode_enable.yaml b/rules/os/os_hibernate_mode_enable.yaml
index b40f7887..9667ea27 100644
--- a/rules/os/os_hibernate_mode_enable.yaml
+++ b/rules/os/os_hibernate_mode_enable.yaml
@@ -48,7 +48,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91799-7
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_home_folders_default.yaml b/rules/os/os_home_folders_default.yaml
index 1ee02639..1181fb29 100644
--- a/rules/os/os_home_folders_default.yaml
+++ b/rules/os/os_home_folders_default.yaml
@@ -33,7 +33,7 @@ fix: |-
 NOTE: Using the `/usr/sbin/diskutil resetUserPermissions` command will only reset the permissions on the default folder set. Other folders in the home directory will not be affected.
 references:
 cce:
- - CCE-92007-4
+ - N/A
 cci:
 - CCI-000366
 800-53r5:
@@ -43,7 +43,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00228
 disa_stig:
- - APPL-13-002068
+ - N/A
 800-171r2:
 - N/A
 cis:
diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml
index 01d74f6a..3d9558ce 100644
--- a/rules/os/os_home_folders_secure.yaml
+++ b/rules/os/os_home_folders_secure.yaml
@@ -19,7 +19,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91800-3
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml
index efc7580a..f865cb46 100644
--- a/rules/os/os_httpd_disable.yaml
+++ b/rules/os/os_httpd_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91801-1
+ - N/A
 cci:
 - CCI-000381
 800-53r5:
@@ -26,7 +26,7 @@ references:
 srg:
 - SRG-OS-000095-GPOS-00049
 disa_stig:
- - APPL-13-002008
+ - N/A
 800-171r2:
 - 3.1.1
 - 3.1.2
diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml
index cb6f788c..d4ff9770 100644
--- a/rules/os/os_icloud_storage_prompt_disable.yaml
+++ b/rules/os/os_icloud_storage_prompt_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91802-9
+ - N/A
 cci:
 - CCI-000381
 800-53r5:
@@ -25,7 +25,7 @@ references:
 srg:
 - SRG-OS-000095-GPOS-00049
 disa_stig:
- - APPL-13-002037
+ - N/A
 800-171r2:
 - 3.1.20
 cis:
diff --git a/rules/os/os_identify_non-org_users.yaml b/rules/os/os_identify_non-org_users.yaml
index c1d02c67..b2b53c23 100644
--- a/rules/os/os_identify_non-org_users.yaml
+++ b/rules/os/os_identify_non-org_users.yaml
@@ -8,7 +8,7 @@ fix: |
 The requirement is NA. No fix is required.
 references:
 cce:
- - CCE-91803-7
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml
index 08c684cb..81ec52b6 100644
--- a/rules/os/os_implement_cryptography.yaml
+++ b/rules/os/os_implement_cryptography.yaml
@@ -16,7 +16,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91804-5
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml
index b0a43155..ebe2b09c 100644
--- a/rules/os/os_implement_memory_protection.yaml
+++ b/rules/os/os_implement_memory_protection.yaml
@@ -19,7 +19,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91805-2
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_information_validation.yaml b/rules/os/os_information_validation.yaml
index ebaea7cb..849cc087 100644
--- a/rules/os/os_information_validation.yaml
+++ b/rules/os/os_information_validation.yaml
@@ -10,7 +10,7 @@ fix: |
 The requirement is NA. No fix is required.
 references:
 cce:
- - CCE-91806-0
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_install_log_retention_configure.yaml b/rules/os/os_install_log_retention_configure.yaml
index b2ed146d..abf8e984 100644
--- a/rules/os/os_install_log_retention_configure.yaml
+++ b/rules/os/os_install_log_retention_configure.yaml
@@ -15,7 +15,7 @@ fix: |
 NOTE: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed.
 references:
 cce:
- - CCE-91807-8
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml
index 54f6723c..80c1d5bf 100644
--- a/rules/os/os_ir_support_disable.yaml
+++ b/rules/os/os_ir_support_disable.yaml
@@ -17,7 +17,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91808-6
+ - N/A
 cci:
 - N/A
 800-53r5:
@@ -31,7 +31,7 @@ references:
 srg:
 - N/A
 disa_stig:
- - AOSX-13-000075
+ - N/A
 800-171r2:
 - 3.1.16
 - 3.4.6
diff --git a/rules/os/os_isolate_security_functions.yaml b/rules/os/os_isolate_security_functions.yaml
index eaa0b99c..9dd05bc0 100644
--- a/rules/os/os_isolate_security_functions.yaml
+++ b/rules/os/os_isolate_security_functions.yaml
@@ -10,7 +10,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91809-4
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_library_validation_enabled.yaml b/rules/os/os_library_validation_enabled.yaml
index 42a17434..4274a537 100644
--- a/rules/os/os_library_validation_enabled.yaml
+++ b/rules/os/os_library_validation_enabled.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91810-2
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_limit_auditable_events.yaml b/rules/os/os_limit_auditable_events.yaml
index b3c03ecd..eecbf561 100644
--- a/rules/os/os_limit_auditable_events.yaml
+++ b/rules/os/os_limit_auditable_events.yaml
@@ -8,7 +8,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91811-0
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_limit_dos_attacks.yaml b/rules/os/os_limit_dos_attacks.yaml
index 668f6bfa..ce70585a 100644
--- a/rules/os/os_limit_dos_attacks.yaml
+++ b/rules/os/os_limit_dos_attacks.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - CCE-91812-8
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_limit_gui_sessions.yaml b/rules/os/os_limit_gui_sessions.yaml
index 59697a3d..78acd75c 100644
--- a/rules/os/os_limit_gui_sessions.yaml
+++ b/rules/os/os_limit_gui_sessions.yaml
@@ -10,7 +10,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91813-6
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml
index d14bd177..7bf55677 100644
--- a/rules/os/os_logical_access.yaml
+++ b/rules/os/os_logical_access.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91814-4
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_logoff_capability_and_message.yaml b/rules/os/os_logoff_capability_and_message.yaml
index 2b5e3c98..0d56d72f 100644
--- a/rules/os/os_logoff_capability_and_message.yaml
+++ b/rules/os/os_logoff_capability_and_message.yaml
@@ -10,7 +10,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91815-1
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml
index 0c13dcc0..83e7d91f 100644
--- a/rules/os/os_mail_app_disable.yaml
+++ b/rules/os/os_mail_app_disable.yaml
@@ -30,7 +30,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91816-9
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml
index 3acb4b33..7fdc1494 100644
--- a/rules/os/os_malicious_code_prevention.yaml
+++ b/rules/os/os_malicious_code_prevention.yaml
@@ -34,7 +34,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91817-7
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_managed_access_control_points.yaml b/rules/os/os_managed_access_control_points.yaml
index d3aa6511..5eb610b4 100644
--- a/rules/os/os_managed_access_control_points.yaml
+++ b/rules/os/os_managed_access_control_points.yaml
@@ -10,7 +10,7 @@ fix: |
 The requirement is NA. No fix is required.
 references:
 cce:
- - CCE-91818-5
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_map_pki_identity.yaml b/rules/os/os_map_pki_identity.yaml
index d8ff5946..b93a8da3 100644
--- a/rules/os/os_map_pki_identity.yaml
+++ b/rules/os/os_map_pki_identity.yaml
@@ -8,7 +8,7 @@ fix: |
 For directory bound systems, the technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91819-3
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml
index 61b85b39..9ea132d1 100644
--- a/rules/os/os_mdm_require.yaml
+++ b/rules/os/os_mdm_require.yaml
@@ -26,7 +26,7 @@ fix: |
 Ensure that system is enrolled via UAMDM.
 references:
 cce:
- - CCE-91820-1
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml
index fb880373..8128cfcd 100644
--- a/rules/os/os_messages_app_disable.yaml
+++ b/rules/os/os_messages_app_disable.yaml
@@ -25,7 +25,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91821-9
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_mfa_network_access.yaml b/rules/os/os_mfa_network_access.yaml
index b89f106e..e5db1f6e 100644
--- a/rules/os/os_mfa_network_access.yaml
+++ b/rules/os/os_mfa_network_access.yaml
@@ -9,7 +9,7 @@ fix: |
 For directory bound systems, the technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91822-7
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_mfa_network_non-priv.yaml b/rules/os/os_mfa_network_non-priv.yaml
index f3b17663..74a27b6d 100644
--- a/rules/os/os_mfa_network_non-priv.yaml
+++ b/rules/os/os_mfa_network_non-priv.yaml
@@ -9,7 +9,7 @@ fix: |
 For directory bound systems, the technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91823-5
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_mobile_file_integrity_enable.yaml b/rules/os/os_mobile_file_integrity_enable.yaml
index 833e8321..4a41e549 100644
--- a/rules/os/os_mobile_file_integrity_enable.yaml
+++ b/rules/os/os_mobile_file_integrity_enable.yaml
@@ -13,7 +13,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91824-3
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml
index 08bf8636..60952895 100644
--- a/rules/os/os_newsyslog_files_owner_group_configure.yaml
+++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml
@@ -15,7 +15,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91825-0
+ - N/A
 cci:
 - CCI-001314
 800-53r5:
@@ -25,7 +25,7 @@ references:
 srg:
 - SRG-OS-000206-GPOS-00084
 disa_stig:
- - APPL-13-004001
+ - N/A
 800-171r2:
 - N/A
 macOS:
diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml
index caffc20e..2746485f 100644
--- a/rules/os/os_newsyslog_files_permissions_configure.yaml
+++ b/rules/os/os_newsyslog_files_permissions_configure.yaml
@@ -14,7 +14,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91826-8
+ - N/A
 cci:
 - CCI-001314
 800-53r5:
@@ -24,7 +24,7 @@ references:
 srg:
 - SRG-OS-000206-GPOS-00084
 disa_stig:
- - APPL-13-004002
+ - N/A
 800-171r2:
 - N/A
 macOS:
diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml
index 39e57dfd..804775a6 100644
--- a/rules/os/os_nfsd_disable.yaml
+++ b/rules/os/os_nfsd_disable.yaml
@@ -14,7 +14,7 @@ fix: |
 The system may need to be restarted for the update to take effect.
 references:
 cce:
- - CCE-91827-6
+ - N/A
 cci:
 - CCI-000381
 800-53r5:
@@ -25,7 +25,7 @@ references:
 srg:
 - SRG-OS-000095-GPOS-00049
 disa_stig:
- - APPL-13-002003
+ - N/A
 800-171r2:
 - 3.1.1
 - 3.1.2
diff --git a/rules/os/os_non_repudiation.yaml b/rules/os/os_non_repudiation.yaml
index 3063c5b8..bb27ce97 100644
--- a/rules/os/os_non_repudiation.yaml
+++ b/rules/os/os_non_repudiation.yaml
@@ -10,7 +10,7 @@ fix: |
 The requirement is NA. No fix is required.
 references:
 cce:
- - CCE-91828-4
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_nonlocal_maintenance.yaml b/rules/os/os_nonlocal_maintenance.yaml
index 085fd400..befbc261 100644
--- a/rules/os/os_nonlocal_maintenance.yaml
+++ b/rules/os/os_nonlocal_maintenance.yaml
@@ -8,7 +8,7 @@ fix: |
 The requirement is NA. No fix is required.
 references:
 cce:
- - CCE-91829-2
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_notify_account_created.yaml b/rules/os/os_notify_account_created.yaml
index 6065468b..16f58769 100644
--- a/rules/os/os_notify_account_created.yaml
+++ b/rules/os/os_notify_account_created.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - CCE-91830-0
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_notify_account_disabled.yaml b/rules/os/os_notify_account_disabled.yaml
index 99503b35..d5704727 100644
--- a/rules/os/os_notify_account_disabled.yaml
+++ b/rules/os/os_notify_account_disabled.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - CCE-91831-8
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_notify_account_enable.yaml b/rules/os/os_notify_account_enable.yaml
index 64bae74a..f33999c7 100644
--- a/rules/os/os_notify_account_enable.yaml
+++ b/rules/os/os_notify_account_enable.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - CCE-91832-6
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_notify_account_modified.yaml b/rules/os/os_notify_account_modified.yaml
index b0712961..59cb7c6b 100644
--- a/rules/os/os_notify_account_modified.yaml
+++ b/rules/os/os_notify_account_modified.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - CCE-91833-4
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_notify_account_removal.yaml b/rules/os/os_notify_account_removal.yaml
index 8da4dc09..298609f2 100644
--- a/rules/os/os_notify_account_removal.yaml
+++ b/rules/os/os_notify_account_removal.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - CCE-91834-2
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_notify_unauthorized_baseline_change.yaml b/rules/os/os_notify_unauthorized_baseline_change.yaml
index ce09b229..a2637e7c 100644
--- a/rules/os/os_notify_unauthorized_baseline_change.yaml
+++ b/rules/os/os_notify_unauthorized_baseline_change.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - CCE-91835-9
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml
index 80d1d877..96d8d92e 100644
--- a/rules/os/os_obscure_password.yaml
+++ b/rules/os/os_obscure_password.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91836-7
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml
index d0becc81..52b2136c 100644
--- a/rules/os/os_parental_controls_enable.yaml
+++ b/rules/os/os_parental_controls_enable.yaml
@@ -17,7 +17,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91837-5
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml
index a83995c3..4c8a4773 100644
--- a/rules/os/os_password_autofill_disable.yaml
+++ b/rules/os/os_password_autofill_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91838-3
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_password_hint_remove.yaml b/rules/os/os_password_hint_remove.yaml
index 988ae71b..205afeb9 100644
--- a/rules/os/os_password_hint_remove.yaml
+++ b/rules/os/os_password_hint_remove.yaml
@@ -15,7 +15,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91839-1
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml
index 571474d9..42c3b5ad 100644
--- a/rules/os/os_password_proximity_disable.yaml
+++ b/rules/os/os_password_proximity_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91840-9
+ - N/A
 cci:
 - CCI-000381
 800-53r5:
@@ -25,7 +25,7 @@ references:
 srg:
 - SRG-OS-000095-GPOS-00049
 disa_stig:
- - APPL-13-005060
+ - N/A
 800-171r2:
 - 3.5.1
 - 3.5.2
diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml
index b4e67093..22e17a2d 100644
--- a/rules/os/os_password_sharing_disable.yaml
+++ b/rules/os/os_password_sharing_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91841-7
+ - N/A
 800-53r5:
 - IA-5
 800-53r4:
diff --git a/rules/os/os_peripherals_identify.yaml b/rules/os/os_peripherals_identify.yaml
index c7f6d0a0..5cd599e3 100644
--- a/rules/os/os_peripherals_identify.yaml
+++ b/rules/os/os_peripherals_identify.yaml
@@ -10,7 +10,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91842-5
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_pii_deidentification.yaml b/rules/os/os_pii_deidentification.yaml
index e0dc1f90..27dc8be4 100644
--- a/rules/os/os_pii_deidentification.yaml
+++ b/rules/os/os_pii_deidentification.yaml
@@ -10,7 +10,7 @@ fix: |
 The requirement is NA. No fix is required.
 references:
 cce:
- - CCE-91843-3
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_pii_quality_control.yaml b/rules/os/os_pii_quality_control.yaml
index 8642e4e7..2701e4bd 100644
--- a/rules/os/os_pii_quality_control.yaml
+++ b/rules/os/os_pii_quality_control.yaml
@@ -10,7 +10,7 @@ fix: |
 The requirement is NA. No fix is required.
 references:
 cce:
- - CCE-91844-1
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml
index c2beaa06..aeb38ed9 100644
--- a/rules/os/os_policy_banner_loginwindow_enforce.yaml
+++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml
@@ -28,7 +28,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91845-8
+ - N/A
 cci:
 - CCI-000048
 - CCI-000050
@@ -46,7 +46,7 @@ references:
 - SRG-OS-000024-GPOS-00007
 - SRG-OS-000228-GPOS-00088
 disa_stig:
- - APPL-13-000025
+ - N/A
 800-171r2:
 - 3.1.9
 cis:
diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml
index 78aa43b9..a343f4dd 100644
--- a/rules/os/os_policy_banner_ssh_configure.yaml
+++ b/rules/os/os_policy_banner_ssh_configure.yaml
@@ -19,7 +19,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91846-6
+ - N/A
 cci:
 - CCI-000048
 800-53r5:
@@ -29,7 +29,7 @@ references:
 srg:
 - SRG-OS-000023-GPOS-00006
 disa_stig:
- - APPL-13-000023
+ - N/A
 800-171r2:
 - 3.1.9
 cmmc:
diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml
index 6ead4e8c..462cb3c5 100644
--- a/rules/os/os_policy_banner_ssh_enforce.yaml
+++ b/rules/os/os_policy_banner_ssh_enforce.yaml
@@ -35,7 +35,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91847-4
+ - N/A
 cci:
 - CCI-000048
 - CCI-000050
@@ -47,7 +47,7 @@ references:
 - SRG-OS-000023-GPOS-00006
 - SRG-OS-000024-GPOS-00007
 disa_stig:
- - APPL-13-000024
+ - N/A
 800-171r2:
 - 3.1.9
 cmmc:
diff --git a/rules/os/os_power_nap_disable.yaml b/rules/os/os_power_nap_disable.yaml
index 2b637acb..83d88f24 100644
--- a/rules/os/os_power_nap_disable.yaml
+++ b/rules/os/os_power_nap_disable.yaml
@@ -24,7 +24,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91848-2
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_power_nap_enable.yaml b/rules/os/os_power_nap_enable.yaml
index c45f52fb..0a300837 100644
--- a/rules/os/os_power_nap_enable.yaml
+++ b/rules/os/os_power_nap_enable.yaml
@@ -24,7 +24,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-91849-0
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_predictable_behavior.yaml b/rules/os/os_predictable_behavior.yaml
index 96262d1a..d0e101a8 100644
--- a/rules/os/os_predictable_behavior.yaml
+++ b/rules/os/os_predictable_behavior.yaml
@@ -8,7 +8,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91850-8
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_prevent_priv_execution.yaml b/rules/os/os_prevent_priv_execution.yaml
index 6ed21a0d..bed1517f 100644
--- a/rules/os/os_prevent_priv_execution.yaml
+++ b/rules/os/os_prevent_priv_execution.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91851-6
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_prevent_priv_functions.yaml b/rules/os/os_prevent_priv_functions.yaml
index 7a7f366b..dc069749 100644
--- a/rules/os/os_prevent_priv_functions.yaml
+++ b/rules/os/os_prevent_priv_functions.yaml
@@ -14,7 +14,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91852-4
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_prevent_unauthorized_disclosure.yaml b/rules/os/os_prevent_unauthorized_disclosure.yaml
index 3b493277..dbe82fc2 100644
--- a/rules/os/os_prevent_unauthorized_disclosure.yaml
+++ b/rules/os/os_prevent_unauthorized_disclosure.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-91853-2
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_privacy_principle_minimization.yaml b/rules/os/os_privacy_principle_minimization.yaml
index 1676b937..0ede2a4c 100644
--- a/rules/os/os_privacy_principle_minimization.yaml
+++ b/rules/os/os_privacy_principle_minimization.yaml
@@ -10,7 +10,7 @@ fix: |
 The requirement is NA. No fix is required.
 references:
 cce:
- - CCE-91854-0
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml
index 04e175e4..2c11a01f 100644
--- a/rules/os/os_privacy_setup_prompt_disable.yaml
+++ b/rules/os/os_privacy_setup_prompt_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-91855-7
+ - N/A
 cci:
 - CCI-000381
 800-53r5:
@@ -27,7 +27,7 @@ references:
 srg:
 - SRG-OS-000095-GPOS-00049
 disa_stig:
- - APPL-13-002036
+ - N/A
 cis:
 benchmark:
 - N/A
diff --git a/rules/os/os_prohibit_remote_activation_collab_devices.yaml b/rules/os/os_prohibit_remote_activation_collab_devices.yaml
index 74da1e78..a56c0348 100644
--- a/rules/os/os_prohibit_remote_activation_collab_devices.yaml
+++ b/rules/os/os_prohibit_remote_activation_collab_devices.yaml
@@ -18,7 +18,7 @@ fix: |
 The technology partially meets this requirement. An appropriate mitigation for the system must be implemented for full compliance.
 references:
 cce:
- - CCE-91856-5
+ - N/A
 800-53r5:
 - SC-15
 800-53r4:
diff --git a/rules/os/os_protect_dos_attacks.yaml b/rules/os/os_protect_dos_attacks.yaml
index c854d0a4..3a3031de 100644
--- a/rules/os/os_protect_dos_attacks.yaml
+++ b/rules/os/os_protect_dos_attacks.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - CCE-91857-3
+ - N/A
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_provide_automated_account_management.yaml b/rules/os/os_provide_automated_account_management.yaml
index 4b87259f..0105b1ea 100644
--- a/rules/os/os_provide_automated_account_management.yaml
+++ b/rules/os/os_provide_automated_account_management.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-91858-1
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_provide_disconnect_remote_access.yaml b/rules/os/os_provide_disconnect_remote_access.yaml
index 7103f188..aef4bb8d 100644
--- a/rules/os/os_provide_disconnect_remote_access.yaml
+++ b/rules/os/os_provide_disconnect_remote_access.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-91859-9
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_rapid_security_response_allow.yaml b/rules/os/os_rapid_security_response_allow.yaml
index 713e6569..2a4d25dc 100644
--- a/rules/os/os_rapid_security_response_allow.yaml
+++ b/rules/os/os_rapid_security_response_allow.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91860-7
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_rapid_security_response_removal_disable.yaml b/rules/os/os_rapid_security_response_removal_disable.yaml
index 9094d7c7..e7e57218 100644
--- a/rules/os/os_rapid_security_response_removal_disable.yaml
+++ b/rules/os/os_rapid_security_response_removal_disable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91861-5
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_reauth_devices_change_authenticators.yaml b/rules/os/os_reauth_devices_change_authenticators.yaml
index d3682e4b..a89319d7 100644
--- a/rules/os/os_reauth_devices_change_authenticators.yaml
+++ b/rules/os/os_reauth_devices_change_authenticators.yaml
@@ -10,7 +10,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-91862-3
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_reauth_privilege.yaml b/rules/os/os_reauth_privilege.yaml
index 96de3e98..8afb1d1a 100644
--- a/rules/os/os_reauth_privilege.yaml
+++ b/rules/os/os_reauth_privilege.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-91863-1
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_reauth_users_change_authenticators.yaml b/rules/os/os_reauth_users_change_authenticators.yaml
index 6231c67f..ef931da2 100644
--- a/rules/os/os_reauth_users_change_authenticators.yaml
+++ b/rules/os/os_reauth_users_change_authenticators.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-91864-9
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_recovery_lock_enable.yaml b/rules/os/os_recovery_lock_enable.yaml
index 7650c0ef..fdca30ce 100644
--- a/rules/os/os_recovery_lock_enable.yaml
+++ b/rules/os/os_recovery_lock_enable.yaml
@@ -14,7 +14,7 @@ fix: |
NOTE: The SetRecoveryLock command can be used to set a Recovery Lock password and must be from your MDM.
references:
cce:
- - CCE-91865-6
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_remote_access_methods.yaml b/rules/os/os_remote_access_methods.yaml
index b61afd1a..5e24af95 100644
--- a/rules/os/os_remote_access_methods.yaml
+++ b/rules/os/os_remote_access_methods.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-91866-4
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml
index ffb682d7..bb8fe84c 100644
--- a/rules/os/os_removable_media_disable.yaml
+++ b/rules/os/os_removable_media_disable.yaml
@@ -25,7 +25,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91867-2
+ - N/A
cci:
- CCI-000366
800-53r5:
@@ -35,7 +35,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- - APPL-13-005051
+ - N/A
800-171r2:
- 3.8.8
cmmc:
diff --git a/rules/os/os_remove_software_components_after_updates.yaml b/rules/os/os_remove_software_components_after_updates.yaml
index 552ad7bd..ce0f625c 100644
--- a/rules/os/os_remove_software_components_after_updates.yaml
+++ b/rules/os/os_remove_software_components_after_updates.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-91868-0
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml
index 6c867bba..09fe92ce 100644
--- a/rules/os/os_required_crypto_module.yaml
+++ b/rules/os/os_required_crypto_module.yaml
@@ -16,7 +16,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-91869-8
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml
index 3eaec795..7b3c8bb8 100644
--- a/rules/os/os_root_disable.yaml
+++ b/rules/os/os_root_disable.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-91870-6
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_safari_advertising_privacy_protection_enable.yaml b/rules/os/os_safari_advertising_privacy_protection_enable.yaml
index e81e9133..db3b946f 100644
--- a/rules/os/os_safari_advertising_privacy_protection_enable.yaml
+++ b/rules/os/os_safari_advertising_privacy_protection_enable.yaml
@@ -10,7 +10,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92002-5
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_safari_open_safe_downloads_disable.yaml b/rules/os/os_safari_open_safe_downloads_disable.yaml
index ec73113f..bcb02622 100644
--- a/rules/os/os_safari_open_safe_downloads_disable.yaml
+++ b/rules/os/os_safari_open_safe_downloads_disable.yaml
@@ -10,7 +10,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91871-4
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml b/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml
index e6cc9675..c0281b40 100644
--- a/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml
+++ b/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml
@@ -10,7 +10,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92003-3
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_safari_show_full_website_address_enable.yaml b/rules/os/os_safari_show_full_website_address_enable.yaml
index ec02ddab..b9d5df44 100644
--- a/rules/os/os_safari_show_full_website_address_enable.yaml
+++ b/rules/os/os_safari_show_full_website_address_enable.yaml
@@ -10,7 +10,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92004-1
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_safari_warn_fraudulent_website_enable.yaml b/rules/os/os_safari_warn_fraudulent_website_enable.yaml
index e6d5742d..a9f44c37 100644
--- a/rules/os/os_safari_warn_fraudulent_website_enable.yaml
+++ b/rules/os/os_safari_warn_fraudulent_website_enable.yaml
@@ -10,7 +10,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92005-8
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml
index c5ffaadb..65b7de00 100644
--- a/rules/os/os_screensaver_loginwindow_enforce.yaml
+++ b/rules/os/os_screensaver_loginwindow_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91872-2
+ - N/A
cci:
- CCI-000060
800-53r5:
@@ -23,7 +23,7 @@ references:
srg:
- SRG-OS-000031-GPOS-00012
disa_stig:
- - APPL-13-000006
+ - N/A
800-171r2:
- 3.1.10
macOS:
diff --git a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml
index ce218145..e6dae0d8 100644
--- a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml
+++ b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml
@@ -22,7 +22,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92010-8
+ - N/A
cci:
- CCI-000057
800-53r5:
@@ -31,7 +31,7 @@ references:
srg:
- SRG-OS-000029-GPOS-00010
disa_stig:
- - APPL-13-000004
+ - N/A
800-171r2:
- 3.1.10
cis:
diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml
index ea0f40c8..d90a07ed 100644
--- a/rules/os/os_secure_boot_verify.yaml
+++ b/rules/os/os_secure_boot_verify.yaml
@@ -14,7 +14,7 @@ fix: |
NOTE: Boot into Recovery Mode and enable Full Secure Boot
references:
cce:
- - CCE-91873-0
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml
index 6c9f7a46..976e0f49 100644
--- a/rules/os/os_secure_enclave.yaml
+++ b/rules/os/os_secure_enclave.yaml
@@ -16,7 +16,7 @@ fix: |
The hardware does not support the requirement.
references:
cce:
- - CCE-91874-8
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml
index 816394ab..76476d6f 100644
--- a/rules/os/os_secure_name_resolution.yaml
+++ b/rules/os/os_secure_name_resolution.yaml
@@ -10,7 +10,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-91875-5
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_separate_functionality.yaml b/rules/os/os_separate_functionality.yaml
index 8121be51..7de44dff 100644
--- a/rules/os/os_separate_functionality.yaml
+++ b/rules/os/os_separate_functionality.yaml
@@ -14,7 +14,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-91876-3
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_show_filename_extensions_enable.yaml b/rules/os/os_show_filename_extensions_enable.yaml
index 8104ff84..48b6b0e4 100644
--- a/rules/os/os_show_filename_extensions_enable.yaml
+++ b/rules/os/os_show_filename_extensions_enable.yaml
@@ -22,7 +22,7 @@ fix: |
----
references:
cce:
- - CCE-91877-1
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml
index 5f1bfe13..601b08f2 100644
--- a/rules/os/os_sip_enable.yaml
+++ b/rules/os/os_sip_enable.yaml
@@ -18,7 +18,7 @@ fix: |
NOTE: To reenable "System Integrity Protection", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
references:
cce:
- - CCE-91878-9
+ - N/A
cci:
- CCI-000154
- CCI-000158
@@ -72,7 +72,7 @@ references:
- SRG-OS-000353-GPOS-00141
- SRG-OS-000354-GPOS-00142
disa_stig:
- - APPL-13-005001
+ - N/A
800-171r2:
- 3.1.1
- 3.1.2
diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml
index 4c954e91..51ba0d53 100644
--- a/rules/os/os_siri_prompt_disable.yaml
+++ b/rules/os/os_siri_prompt_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91879-7
+ - N/A
cci:
- CCI-000381
- CCI-001774
@@ -31,7 +31,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - APPL-13-002039
+ - N/A
800-171r2:
- 3.1.20
- 3.4.6
diff --git a/rules/os/os_skip_screen_time_prompt_enable.yaml b/rules/os/os_skip_screen_time_prompt_enable.yaml
index b7e18d8e..d7bc3ec9 100644
--- a/rules/os/os_skip_screen_time_prompt_enable.yaml
+++ b/rules/os/os_skip_screen_time_prompt_enable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91880-5
+ - N/A
cci:
- CCI-000381
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-13-005055
+ - N/A
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
diff --git a/rules/os/os_skip_unlock_with_watch_enable.yaml b/rules/os/os_skip_unlock_with_watch_enable.yaml
index ce94dd8f..fc54e9ba 100644
--- a/rules/os/os_skip_unlock_with_watch_enable.yaml
+++ b/rules/os/os_skip_unlock_with_watch_enable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91881-3
+ - N/A
cci:
- CCI-000381
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-13-005056
+ - N/A
800-171r2:
- 3.1.20
cis:
diff --git a/rules/os/os_software_update_deferral.yaml b/rules/os/os_software_update_deferral.yaml
index 98e3f57f..97dceca8 100644
--- a/rules/os/os_software_update_deferral.yaml
+++ b/rules/os/os_software_update_deferral.yaml
@@ -20,7 +20,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91882-1
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_ssh_fips_compliant.yaml b/rules/os/os_ssh_fips_compliant.yaml
index e38f4693..2162c6ae 100644
--- a/rules/os/os_ssh_fips_compliant.yaml
+++ b/rules/os/os_ssh_fips_compliant.yaml
@@ -35,7 +35,7 @@ fix: |
----
references:
cce:
- - CCE-91883-9
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml
index 69da88d4..25570b84 100644
--- a/rules/os/os_ssh_server_alive_count_max_configure.yaml
+++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml
@@ -29,7 +29,7 @@ fix: |
----
references:
cce:
- - CCE-91884-7
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml
index a1d05551..5be1bc8a 100644
--- a/rules/os/os_ssh_server_alive_interval_configure.yaml
+++ b/rules/os/os_ssh_server_alive_interval_configure.yaml
@@ -31,7 +31,7 @@ fix: |
----
references:
cce:
- - CCE-91885-4
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml
index 964aedfa..5db8fe8b 100644
--- a/rules/os/os_sshd_client_alive_count_max_configure.yaml
+++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml
@@ -35,7 +35,7 @@ fix: |
----
references:
cce:
- - CCE-91886-2
+ - N/A
cci:
- CCI-001133
800-53r5:
@@ -45,7 +45,7 @@ references:
srg:
- SRG-OS-000163-GPOS-00072
disa_stig:
- - APPL-13-000052
+ - N/A
800-171r2:
- 3.13.9
cmmc:
diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml
index 093826ce..8ecbaece 100644
--- a/rules/os/os_sshd_client_alive_interval_configure.yaml
+++ b/rules/os/os_sshd_client_alive_interval_configure.yaml
@@ -37,7 +37,7 @@ fix: |
----
references:
cce:
- - CCE-91887-0
+ - N/A
cci:
- CCI-001133
800-53r5:
@@ -48,7 +48,7 @@ references:
srg:
- SRG-OS-000163-GPOS-00072
disa_stig:
- - APPL-13-000051
+ - N/A
800-171r2:
- 3.13.9
cmmc:
diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml
index 2812b35a..cdd400ab 100644
--- a/rules/os/os_sshd_fips_140_ciphers.yaml
+++ b/rules/os/os_sshd_fips_140_ciphers.yaml
@@ -35,7 +35,7 @@ fix: |
----
references:
cce:
- - CCE-91888-8
+ - N/A
cci:
- N/A
800-53r5:
@@ -52,7 +52,7 @@ references:
srg:
- N/A
disa_stig:
- - APPL-13-000054
+ - N/A
800-171r2:
- 3.1.13
- 3.13.8
diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml
index c3c5e097..63f309f8 100644
--- a/rules/os/os_sshd_fips_140_macs.yaml
+++ b/rules/os/os_sshd_fips_140_macs.yaml
@@ -35,7 +35,7 @@ fix: |
----
references:
cce:
- - CCE-91889-6
+ - N/A
cci:
- N/A
800-53r5:
@@ -52,7 +52,7 @@ references:
srg:
- N/A
disa_stig:
- - APPL-13-000055
+ - N/A
800-171r2:
- 3.1.13
- 3.13.8
diff --git a/rules/os/os_sshd_fips_compliant.yaml b/rules/os/os_sshd_fips_compliant.yaml
index d608d92c..9d945c64 100644
--- a/rules/os/os_sshd_fips_compliant.yaml
+++ b/rules/os/os_sshd_fips_compliant.yaml
@@ -45,7 +45,7 @@ fix: |
----
references:
cce:
- - CCE-91890-4
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
index 525f1667..0c3e5a85 100644
--- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
+++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
@@ -35,7 +35,7 @@ fix: |
----
references:
cce:
- - CCE-91891-2
+ - N/A
cci:
- N/A
800-53r5:
@@ -49,7 +49,7 @@ references:
srg:
- N/A
disa_stig:
- - APPL-13-000056
+ - N/A
800-171r2:
- N/A
cmmc:
diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml
index 89b6c7a0..b9c7ed11 100644
--- a/rules/os/os_sshd_login_grace_time_configure.yaml
+++ b/rules/os/os_sshd_login_grace_time_configure.yaml
@@ -31,7 +31,7 @@ fix: |
----
references:
cce:
- - CCE-91892-0
+ - N/A
cci:
- CCI-001133
800-53r5:
@@ -41,7 +41,7 @@ references:
srg:
- SRG-OS-000163-GPOS-00072
disa_stig:
- - APPL-13-000053
+ - N/A
800-171r2:
- 3.13.9
cmmc:
diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml
index 7f46bf59..395cc06b 100644
--- a/rules/os/os_sshd_permit_root_login_configure.yaml
+++ b/rules/os/os_sshd_permit_root_login_configure.yaml
@@ -33,7 +33,7 @@ fix: |
----
references:
cce:
- - CCE-91893-8
+ - N/A
cci:
- CCI-000770
800-53r5:
@@ -43,7 +43,7 @@ references:
srg:
- SRG-OS-000109-GPOS-00056
disa_stig:
- - APPL-13-001100
+ - N/A
macOS:
- "14.0"
tags:
diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml
index 7f03a165..397cb866 100644
--- a/rules/os/os_store_encrypted_passwords.yaml
+++ b/rules/os/os_store_encrypted_passwords.yaml
@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-91894-6
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_sudo_timeout_configure.yaml b/rules/os/os_sudo_timeout_configure.yaml
index b3bda815..20251dc9 100644
--- a/rules/os/os_sudo_timeout_configure.yaml
+++ b/rules/os/os_sudo_timeout_configure.yaml
@@ -14,7 +14,7 @@ fix: |
----
references:
cce:
- - CCE-91895-3
+ - N/A
cci:
- CCI-002038
800-53r5:
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000373-GPOS-00156
disa_stig:
- - APPL-13-004022
+ - N/A
cis:
benchmark:
- 5.4 (level 1)
diff --git a/rules/os/os_sudoers_timestamp_type_configure.yaml b/rules/os/os_sudoers_timestamp_type_configure.yaml
index 39ce8f81..bec35b0f 100644
--- a/rules/os/os_sudoers_timestamp_type_configure.yaml
+++ b/rules/os/os_sudoers_timestamp_type_configure.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-91896-1
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml
index 7eaf9775..ee8d8ed9 100644
--- a/rules/os/os_system_read_only.yaml
+++ b/rules/os/os_system_read_only.yaml
@@ -12,7 +12,7 @@ fix: |
NOTE: To remount the System volume as Read Only, rebooting the computer will mount it as Read Only.
references:
cce:
- - CCE-91898-7
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_system_wide_applications_configure.yaml b/rules/os/os_system_wide_applications_configure.yaml
index ffc3f6b5..343496f9 100644
--- a/rules/os/os_system_wide_applications_configure.yaml
+++ b/rules/os/os_system_wide_applications_configure.yaml
@@ -16,7 +16,7 @@ fix: |
----
references:
cce:
- - CCE-91899-5
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_terminal_secure_keyboard_enable.yaml b/rules/os/os_terminal_secure_keyboard_enable.yaml
index 924ee182..058aa744 100644
--- a/rules/os/os_terminal_secure_keyboard_enable.yaml
+++ b/rules/os/os_terminal_secure_keyboard_enable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91900-1
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_terminate_session.yaml b/rules/os/os_terminate_session.yaml
index 250b40f4..0b004f60 100644
--- a/rules/os/os_terminate_session.yaml
+++ b/rules/os/os_terminate_session.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-91901-9
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml
index 74568564..7705d20f 100644
--- a/rules/os/os_tftpd_disable.yaml
+++ b/rules/os/os_tftpd_disable.yaml
@@ -18,7 +18,7 @@ fix: |
The system may need to be restarted for the update to take effect.
references:
cce:
- - CCE-91902-7
+ - N/A
cci:
- CCI-000197
800-53r5:
@@ -31,7 +31,7 @@ references:
srg:
- SRG-OS-000074-GPOS-00042
disa_stig:
- - APPL-13-002038
+ - N/A
800-171r2:
- 3.1.1
- 3.1.2
diff --git a/rules/os/os_time_offset_limit_configure.yaml b/rules/os/os_time_offset_limit_configure.yaml
index 721e51c2..b44e51f2 100644
--- a/rules/os/os_time_offset_limit_configure.yaml
+++ b/rules/os/os_time_offset_limit_configure.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-91903-5
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml
index 921caf85..b0856d57 100644
--- a/rules/os/os_time_server_enabled.yaml
+++ b/rules/os/os_time_server_enabled.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-91904-3
+ - N/A
cci:
- CCI-002046
- CCI-001891
@@ -28,7 +28,7 @@ references:
- SRG-OS-000355-GPOS-00143
- SRG-OS-000356-GPOS-00144
disa_stig:
- - APPL-13-000014
+ - N/A
800-171r2:
- 3.3.7
cis:
diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml
index 00c71af3..d1131b5c 100644
--- a/rules/os/os_touchid_prompt_disable.yaml
+++ b/rules/os/os_touchid_prompt_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91905-0
+ - N/A
cci:
- CCI-000381
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-13-005054
+ - N/A
800-171r2:
- 3.4.1
- 3.4.2
diff --git a/rules/os/os_unique_identification.yaml b/rules/os/os_unique_identification.yaml
index fdacb282..94422cd4 100644
--- a/rules/os/os_unique_identification.yaml
+++ b/rules/os/os_unique_identification.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-91906-8
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml
index b681f860..81f5d0d8 100644
--- a/rules/os/os_unlock_active_user_session_disable.yaml
+++ b/rules/os/os_unlock_active_user_session_disable.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-91907-6
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml
index e7109fa3..ec13a424 100644
--- a/rules/os/os_user_app_installation_prohibit.yaml
+++ b/rules/os/os_user_app_installation_prohibit.yaml
@@ -25,7 +25,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91908-4
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml
index 6d681836..40ea16bf 100644
--- a/rules/os/os_uucp_disable.yaml
+++ b/rules/os/os_uucp_disable.yaml
@@ -18,7 +18,7 @@ fix: |
The system may need to be restarted for the update to take effect.
references:
cce:
- - CCE-91909-2
+ - N/A
cci:
- CCI-000381
800-53r5:
@@ -29,7 +29,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-13-002006
+ - N/A
800-171r2:
- 3.1.1
- 3.1.2
diff --git a/rules/os/os_verify_remote_disconnection.yaml b/rules/os/os_verify_remote_disconnection.yaml
index e5c7a81f..92e5b585 100644
--- a/rules/os/os_verify_remote_disconnection.yaml
+++ b/rules/os/os_verify_remote_disconnection.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-91910-0
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_world_writable_library_folder_configure.yaml b/rules/os/os_world_writable_library_folder_configure.yaml
index 59035b68..897f41c7 100644
--- a/rules/os/os_world_writable_library_folder_configure.yaml
+++ b/rules/os/os_world_writable_library_folder_configure.yaml
@@ -18,7 +18,7 @@ fix: |
----
references:
cce:
- - CCE-91911-8
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/os/os_world_writable_system_folder_configure.yaml b/rules/os/os_world_writable_system_folder_configure.yaml
index c8d0de60..22ee8e8d 100644
--- a/rules/os/os_world_writable_system_folder_configure.yaml
+++ b/rules/os/os_world_writable_system_folder_configure.yaml
@@ -16,7 +16,7 @@ fix: |
----
references:
cce:
- - CCE-91912-6
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_50_percent.yaml b/rules/pwpolicy/pwpolicy_50_percent.yaml
index 06dc4c08..6bb5b3f3 100644
--- a/rules/pwpolicy/pwpolicy_50_percent.yaml
+++ b/rules/pwpolicy/pwpolicy_50_percent.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-91913-4
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
index 8ef7fccf..db2d989f 100644
--- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
@@ -36,7 +36,7 @@ fix: |
NOTE: See the password policy supplemental on more information on how to implement password policies on macOS.
references:
cce:
- - CCE-91914-2
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
index 98427943..2aa48569 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
@@ -12,7 +12,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91915-9
+ - N/A
cci:
- CCI-002238
800-53r5:
@@ -22,7 +22,7 @@ references:
srg:
- SRG-OS-000329-GPOS-00128
disa_stig:
- - APPL-13-000022
+ - N/A
800-171r2:
- 3.1.8
cis:
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
index f0851ecf..3c3ac72c 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
@@ -12,7 +12,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91916-7
+ - N/A
cci:
- CCI-002238
800-53r5:
@@ -22,7 +22,7 @@ references:
srg:
- SRG-OS-000329-GPOS-00128
disa_stig:
- - APPL-13-000022
+ - N/A
800-171r2:
- 3.1.8
cis:
diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
index 6d436120..07c14abe 100644
--- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91917-5
+ - N/A
cci:
- CCI-000194
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000071-GPOS-00039
disa_stig:
- - APPL-13-003007
+ - N/A
800-171r2:
- 3.5.1
- 3.5.2
diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
index 120674c1..d19f2f0a 100644
--- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
@@ -16,7 +16,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-91918-3
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml
index b8bfe70e..3a6860a9 100644
--- a/rules/pwpolicy/pwpolicy_force_password_change.yaml
+++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml
@@ -17,7 +17,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-91919-1
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml
index 4b5d60c2..9a608d77 100644
--- a/rules/pwpolicy/pwpolicy_history_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml
@@ -16,7 +16,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91920-9
+ - N/A
cci:
- CCI-000200
800-53r5:
@@ -26,7 +26,7 @@ references:
srg:
- SRG-OS-000077-GPOS-00045
disa_stig:
- - APPL-13-003009
+ - N/A
800-171r2:
- 3.5.7
- 3.5.8
diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
index 18f3bab7..acf230a3 100644
--- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
@@ -38,7 +38,7 @@ fix: |
NOTE: See the password policy supplemental on more information on how to implement password policies on macOS.
references:
cce:
- - CCE-91921-7
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
index f5f91882..e348b221 100644
--- a/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91922-5
+ - N/A
cci:
- CCI-000199
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000076-GPOS-00044
disa_stig:
- - APPL-13-003008
+ - N/A
800-171r2:
- 3.5.1
- 3.5.2
diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
index dfc3ec6c..4a1bd0ab 100644
--- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91923-3
+ - N/A
cci:
- CCI-000205
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000078-GPOS-00046
disa_stig:
- - APPL-13-003010
+ - N/A
800-171r2:
- 3.5.1
- 3.5.2
diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
index 79130273..00c1eacc 100644
--- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
@@ -38,7 +38,7 @@ fix: |
NOTE: See the password policy supplemental on more information on how to implement password policies on macOS.
references:
cce:
- - CCE-91924-1
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
index 09b57279..7d006111 100644
--- a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
+++ b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-91925-8
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
index ad8c0043..fcc343ac 100644
--- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91926-6
+ - N/A
cci:
- CCI-001619
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000266-GPOS-00101
disa_stig:
- - APPL-13-003011
+ - N/A
800-171r2:
- 3.5.1
- 3.5.2
diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
index 892b6b98..e4c55530 100644
--- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
@@ -16,7 +16,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91927-4
+ - N/A
cci:
- CCI-001619
800-53r5:
@@ -27,7 +27,7 @@ references:
srg:
- SRG-OS-000266-GPOS-00101
disa_stig:
- - APPL-13-003011
+ - N/A
800-171r2:
- 3.5.1
- 3.5.2
diff --git a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
index ecfda453..e04d8836 100644
--- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
@@ -14,7 +14,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-91928-2
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
index fd101354..d941c297 100644
--- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
@@ -56,7 +56,7 @@ fix: |
/usr/bin/pwpolicy -u username setaccountpolicies /path/to/file
references:
cce:
- - CCE-91929-0
+ - N/A
cci:
- CCI-001682
- CCI-000016
@@ -68,7 +68,7 @@ references:
- SRG-OS-000002-GPOS-00002
- SRG-OS-000123-GPOS-00064
disa_stig:
- - APPL-13-000012
+ - N/A
macOS:
- "14.0"
tags:
diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
index 269f9170..497d96c6 100644
--- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
@@ -38,7 +38,7 @@ fix: |
NOTE: See the password policy supplemental on more information on how to implement password policies on macOS.
references:
cce:
- - CCE-91930-8
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_airplay_receiver_disable.yaml b/rules/system_settings/system_settings_airplay_receiver_disable.yaml
index 8a1a2e63..e2c1ba61 100644
--- a/rules/system_settings/system_settings_airplay_receiver_disable.yaml
+++ b/rules/system_settings/system_settings_airplay_receiver_disable.yaml
@@ -17,7 +17,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91932-4
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
index 173887bc..041ce3fe 100644
--- a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
+++ b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91933-2
+ - N/A
cci:
- CCI-000056
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000028-GPOS-00009
disa_stig:
- - APPL-13-000001
+ - N/A
800-171r2:
- 3.1.10
cmmc:
diff --git a/rules/system_settings/system_settings_assistant_disable.yaml b/rules/system_settings/system_settings_assistant_disable.yaml
index 9d559412..8629f33f 100644
--- a/rules/system_settings/system_settings_assistant_disable.yaml
+++ b/rules/system_settings/system_settings_assistant_disable.yaml
@@ -17,7 +17,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92008-2
+ - N/A
cci:
- CCI-000381
- CCI-001774
@@ -29,7 +29,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - APPL-13-002020
+ - N/A
800-171r2:
- N/A
cis:
diff --git a/rules/system_settings/system_settings_automatic_login_disable.yaml b/rules/system_settings/system_settings_automatic_login_disable.yaml
index 36db9fb0..1dbc0788 100644
--- a/rules/system_settings/system_settings_automatic_login_disable.yaml
+++ b/rules/system_settings/system_settings_automatic_login_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91934-0
+ - N/A
cci:
- CCI-000366
800-53r5:
@@ -27,7 +27,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00229
disa_stig:
- - APPL-13-002066
+ - N/A
800-171r2:
- 3.5.1
- 3.5.2
diff --git a/rules/system_settings/system_settings_automatic_logout_enforce.yaml b/rules/system_settings/system_settings_automatic_logout_enforce.yaml
index 946711bc..c679a67a 100644
--- a/rules/system_settings/system_settings_automatic_logout_enforce.yaml
+++ b/rules/system_settings/system_settings_automatic_logout_enforce.yaml
@@ -20,7 +20,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91935-7
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_bluetooth_disable.yaml b/rules/system_settings/system_settings_bluetooth_disable.yaml
index 4804af54..f7d9ed58 100644
--- a/rules/system_settings/system_settings_bluetooth_disable.yaml
+++ b/rules/system_settings/system_settings_bluetooth_disable.yaml
@@ -18,7 +18,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91936-5
+ - N/A
cci:
- CCI-001967
- CCI-002418
@@ -33,7 +33,7 @@ references:
- SRG-OS-000379-GPOS-00164
- SRG-OS-000481-GPOS-00481
disa_stig:
- - APPL-13-002062
+ - N/A
800-171r2:
- 3.13.8
cis:
diff --git a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml
index 6f659d43..1237503d 100644
--- a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml
+++ b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91937-3
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml b/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml
index 8416e3ad..e1cbbc1a 100644
--- a/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml
+++ b/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml
@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92012-4
+ - N/A
cci:
- CCI-002418
- CCI-001967
@@ -26,7 +26,7 @@ references:
- SRG-OS-000379-GPOS-00164
- SRG-OS-000481-GPOS-00481
disa_stig:
- - APPL-13-002062
+ - N/A
800-171r2:
- N/A
macOS:
diff --git a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml
index 2309bbd0..66f404d5 100644
--- a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml
@@ -24,7 +24,7 @@ fix: |
----
references:
cce:
- - CCE-91940-7
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml b/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml
index 28005757..a0028d07 100644
--- a/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-91942-3
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_content_caching_disable.yaml b/rules/system_settings/system_settings_content_caching_disable.yaml
index 10efb422..7fa72252 100644
--- a/rules/system_settings/system_settings_content_caching_disable.yaml
+++ b/rules/system_settings/system_settings_content_caching_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91943-1
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_critical_update_install_enforce.yaml b/rules/system_settings/system_settings_critical_update_install_enforce.yaml
index 2dde8a6a..01344b2d 100644
--- a/rules/system_settings/system_settings_critical_update_install_enforce.yaml
+++ b/rules/system_settings/system_settings_critical_update_install_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91944-9
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml
index 958b3ac0..97912bf2 100644
--- a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml
+++ b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml
@@ -24,7 +24,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91945-6
+ - N/A
cci:
- CCI-000382
800-53r5:
@@ -37,7 +37,7 @@ references:
srg:
- SRG-OS-000096-GPOS-00050
disa_stig:
- - APPL-13-002021
+ - N/A
800-171r2:
- 3.1.20
cis:
diff --git a/rules/system_settings/system_settings_filevault_enforce.yaml b/rules/system_settings/system_settings_filevault_enforce.yaml
index d5fe04c5..58ed4692 100644
--- a/rules/system_settings/system_settings_filevault_enforce.yaml
+++ b/rules/system_settings/system_settings_filevault_enforce.yaml
@@ -22,7 +22,7 @@ fix: |
NOTE: See the FileVault supplemental to implement this rule.
references:
cce:
- - CCE-91946-4
+ - N/A
cci:
- CCI-001199
- CCI-002475
@@ -38,7 +38,7 @@ references:
- SRG-OS-000404-GPOS-00183
- SRG-OS-000405-GPOS-00184
disa_stig:
- - APPL-13-005020
+ - N/A
800-171r2:
- 3.13.16
cis:
diff --git a/rules/system_settings/system_settings_find_my_disable.yaml b/rules/system_settings/system_settings_find_my_disable.yaml
index 5c8c4a02..ecc5cb37 100644
--- a/rules/system_settings/system_settings_find_my_disable.yaml
+++ b/rules/system_settings/system_settings_find_my_disable.yaml
@@ -28,7 +28,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91947-2
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_firewall_enable.yaml b/rules/system_settings/system_settings_firewall_enable.yaml
index 4369d360..52c6455a 100644
--- a/rules/system_settings/system_settings_firewall_enable.yaml
+++ b/rules/system_settings/system_settings_firewall_enable.yaml
@@ -27,7 +27,7 @@ fix: |
----
references:
cce:
- - CCE-91948-0
+ - N/A
cci:
- CCI-000366
800-53r5:
@@ -47,7 +47,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00232
disa_stig:
- - APPL-13-005050
+ - N/A
800-171r2:
- 3.1.3
- 3.1.5
diff --git a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
index 033fb7eb..e8004040 100644
--- a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
+++ b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
@@ -32,7 +32,7 @@ fix: |
----
references:
cce:
- - CCE-91949-8
+ - N/A
cci:
- CCI-000366
800-53r5:
@@ -48,7 +48,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00232
disa_stig:
- - APPL-13-005050
+ - N/A
800-171r2:
- 3.4.6
- 3.13.1
diff --git a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
index d68cb993..e9431a0c 100644
--- a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
+++ b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-91950-6
+ - N/A
cci:
- CCI-000366
800-53r5:
@@ -30,7 +30,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- - APPL-13-002060
+ - N/A
800-171r2:
- 3.4.5
cmmc:
diff --git a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml
index d280950e..b0496837 100644
--- a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml
+++ b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91951-4
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_guest_access_smb_disable.yaml b/rules/system_settings/system_settings_guest_access_smb_disable.yaml
index 3cc8e2eb..740fb6ae 100644
--- a/rules/system_settings/system_settings_guest_access_smb_disable.yaml
+++ b/rules/system_settings/system_settings_guest_access_smb_disable.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-91952-2
+ - N/A
cci:
- N/A
800-171r2:
diff --git a/rules/system_settings/system_settings_guest_account_disable.yaml b/rules/system_settings/system_settings_guest_account_disable.yaml
index 097beac6..102d48d7 100644
--- a/rules/system_settings/system_settings_guest_account_disable.yaml
+++ b/rules/system_settings/system_settings_guest_account_disable.yaml
@@ -24,7 +24,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91953-0
+ - N/A
cci:
- CCI-001813
800-53r5:
@@ -36,7 +36,7 @@ references:
srg:
- SRG-OS-000364-GPOS-00151
disa_stig:
- - APPL-13-002063
+ - N/A
800-171r2:
- 3.5.1
- 3.5.2
diff --git a/rules/system_settings/system_settings_hot_corners_disable.yaml b/rules/system_settings/system_settings_hot_corners_disable.yaml
index 6b16e7a4..2a524268 100644
--- a/rules/system_settings/system_settings_hot_corners_disable.yaml
+++ b/rules/system_settings/system_settings_hot_corners_disable.yaml
@@ -12,7 +12,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91954-8
+ - N/A
cci:
- CCI-000060
800-53r5:
@@ -22,7 +22,7 @@ references:
srg:
- SRG-OS-000031-GPOS-00012
disa_stig:
- - APPL-13-000007
+ - N/A
800-171r2:
- 3.1.10
macOS:
diff --git a/rules/system_settings/system_settings_hot_corners_secure.yaml b/rules/system_settings/system_settings_hot_corners_secure.yaml
index c396e5eb..20cc42c9 100644
--- a/rules/system_settings/system_settings_hot_corners_secure.yaml
+++ b/rules/system_settings/system_settings_hot_corners_secure.yaml
@@ -25,7 +25,7 @@ fix: |
----
references:
cce:
- - CCE-91955-5
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml
index 151480c5..d209ae0c 100644
--- a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml
+++ b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91956-3
+ - N/A
cci:
- CCI-000382
800-53r5:
@@ -34,7 +34,7 @@ references:
srg:
- SRG-OS-000096-GPOS-00050
disa_stig:
- - APPL-13-002021
+ - N/A
cis:
benchmark:
- N/A
diff --git a/rules/system_settings/system_settings_install_macos_updates_enforce.yaml b/rules/system_settings/system_settings_install_macos_updates_enforce.yaml
index 10f1c279..4fed6696 100644
--- a/rules/system_settings/system_settings_install_macos_updates_enforce.yaml
+++ b/rules/system_settings/system_settings_install_macos_updates_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91957-1
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_internet_accounts_disable.yaml b/rules/system_settings/system_settings_internet_accounts_disable.yaml
index 0536af09..a6eee978 100644
--- a/rules/system_settings/system_settings_internet_accounts_disable.yaml
+++ b/rules/system_settings/system_settings_internet_accounts_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91938-1
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml b/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml
index 5510e189..c9f7c471 100644
--- a/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml
+++ b/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml
@@ -19,7 +19,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92009-0
+ - N/A
cci:
- CCI-000381
800-53r5:
@@ -29,7 +29,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-13-002032
+ - N/A
800-171r2:
- N/A
cis:
diff --git a/rules/system_settings/system_settings_internet_sharing_disable.yaml b/rules/system_settings/system_settings_internet_sharing_disable.yaml
index 21183699..db9b0a7d 100644
--- a/rules/system_settings/system_settings_internet_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_internet_sharing_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91960-5
+ - N/A
cci:
- CCI-000381
800-53r5:
@@ -27,7 +27,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-13-002007
+ - N/A
800-171r2:
- 3.1.3
- 3.1.20
diff --git a/rules/system_settings/system_settings_location_services_disable.yaml b/rules/system_settings/system_settings_location_services_disable.yaml
index 50fa062d..8b50dedd 100644
--- a/rules/system_settings/system_settings_location_services_disable.yaml
+++ b/rules/system_settings/system_settings_location_services_disable.yaml
@@ -18,7 +18,7 @@ fix: |
----
references:
cce:
- - CCE-91962-1
+ - N/A
cci:
- CCI-000381
800-53r5:
@@ -31,7 +31,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-13-002004
+ - N/A
800-171r2:
- 3.4.6
cmmc:
diff --git a/rules/system_settings/system_settings_location_services_enable.yaml b/rules/system_settings/system_settings_location_services_enable.yaml
index 6db8ca5a..82046671 100644
--- a/rules/system_settings/system_settings_location_services_enable.yaml
+++ b/rules/system_settings/system_settings_location_services_enable.yaml
@@ -16,7 +16,7 @@ fix: |
----
references:
cce:
- - CCE-91963-9
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_location_services_menu_enforce.yaml b/rules/system_settings/system_settings_location_services_menu_enforce.yaml
index 35fbc0e5..9c8b71c7 100644
--- a/rules/system_settings/system_settings_location_services_menu_enforce.yaml
+++ b/rules/system_settings/system_settings_location_services_menu_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91963-9
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml b/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
index d72ccaf9..f97e6eb7 100644
--- a/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
+++ b/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91964-7
+ - N/A
cci:
- N/A
800-53r5:
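Review bot: Before this change, system_settings_location_services_enable.yaml and system_settings_location_services_menu_enforce.yaml carried the same identifier, CCE-91963-9 (visible in the removed lines of both hunks here), and blanking every `cce` to `- N/A` erases the only trace of that collision. When CCEs are reassigned for this baseline, each rule needs a distinct value, and a generation-time check that rejects a `cce` value appearing in more than one file under rules/ would keep the mapping tables unambiguous. Until then, any consumer that keys on `cce` (baseline cross-references, report generation) sees every rule as `N/A` and must not treat two `N/A` entries as a match.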
diff --git a/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml b/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
index 9750f2ca..52cf9379 100644
--- a/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
+++ b/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91965-4
+ - N/A
cci:
- CCI-000366
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00229
disa_stig:
- - APPL-13-005052
+ - N/A
800-171r2:
- 3.5.1
- 3.5.2
diff --git a/rules/system_settings/system_settings_media_sharing_disabled.yaml b/rules/system_settings/system_settings_media_sharing_disabled.yaml
index 72eded3c..17a72015 100644
--- a/rules/system_settings/system_settings_media_sharing_disabled.yaml
+++ b/rules/system_settings/system_settings_media_sharing_disabled.yaml
@@ -30,7 +30,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91966-2
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_password_hints_disable.yaml b/rules/system_settings/system_settings_password_hints_disable.yaml
index c97d71e5..a2c2925b 100644
--- a/rules/system_settings/system_settings_password_hints_disable.yaml
+++ b/rules/system_settings/system_settings_password_hints_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91967-0
+ - N/A
cci:
- CCI-000366
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- - APPL-13-003012
+ - N/A
800-171r2:
- 3.5.11
cis:
diff --git a/rules/system_settings/system_settings_personalized_advertising_disable.yaml b/rules/system_settings/system_settings_personalized_advertising_disable.yaml
index ff9302b7..39cd2c72 100644
--- a/rules/system_settings/system_settings_personalized_advertising_disable.yaml
+++ b/rules/system_settings/system_settings_personalized_advertising_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91968-8
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_printer_sharing_disable.yaml b/rules/system_settings/system_settings_printer_sharing_disable.yaml
index 78fc4d48..7949be41 100644
--- a/rules/system_settings/system_settings_printer_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_printer_sharing_disable.yaml
@@ -14,7 +14,7 @@ fix: |
----
references:
cce:
- - CCE-91969-6
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_rae_disable.yaml b/rules/system_settings/system_settings_rae_disable.yaml
index cd8c2326..7c02af2c 100644
--- a/rules/system_settings/system_settings_rae_disable.yaml
+++ b/rules/system_settings/system_settings_rae_disable.yaml
@@ -17,7 +17,7 @@ fix: |
NOTE: Systemsetup with -setremoteappleevents flag will fail unless you grant Full Disk Access to systemsetup or it's parent process. Requires supervision.
references:
cce:
- - CCE-91970-4
+ - N/A
cci:
- CCI-000382
800-53r5:
@@ -28,7 +28,7 @@ references:
srg:
- SRG-OS-000096-GPOS-00050
disa_stig:
- - APPL-13-002022
+ - N/A
800-171r2:
- 3.1.1
- 3.1.2
diff --git a/rules/system_settings/system_settings_remote_management_disable.yaml b/rules/system_settings/system_settings_remote_management_disable.yaml
index 422069c3..0b9a5f1c 100644
--- a/rules/system_settings/system_settings_remote_management_disable.yaml
+++ b/rules/system_settings/system_settings_remote_management_disable.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-91971-2
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_screen_sharing_disable.yaml b/rules/system_settings/system_settings_screen_sharing_disable.yaml
index 5d05e3a8..7a2ded83 100644
--- a/rules/system_settings/system_settings_screen_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_screen_sharing_disable.yaml
@@ -16,7 +16,7 @@ fix: |
NOTE - This will apply to the whole system
references:
cce:
- - CCE-91972-0
+ - N/A
cci:
- CCI-000366
800-53r5:
@@ -28,7 +28,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- - APPL-13-002050
+ - N/A
800-171r2:
- 3.1.1
- 3.1.2
diff --git a/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml b/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
index de29c353..11807b78 100644
--- a/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
+++ b/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
@@ -22,7 +22,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91973-8
+ - N/A
cci:
- CCI-000056
800-53r5:
@@ -32,7 +32,7 @@ references:
srg:
- SRG-OS-000028-GPOS-00009
disa_stig:
- - APPL-13-000003
+ - N/A
800-171r2:
- 3.1.10
cis:
diff --git a/rules/system_settings/system_settings_screensaver_password_enforce.yaml b/rules/system_settings/system_settings_screensaver_password_enforce.yaml
index 083a18ec..9d1fb046 100644
--- a/rules/system_settings/system_settings_screensaver_password_enforce.yaml
+++ b/rules/system_settings/system_settings_screensaver_password_enforce.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91974-6
+ - N/A
cci:
- CCI-000056
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000028-GPOS-00009
disa_stig:
- - APPL-13-000002
+ - N/A
800-171r2:
- 3.1.10
cmmc:
diff --git a/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml b/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml
index 4a661e34..bf434b5b 100644
--- a/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml
+++ b/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml
@@ -22,7 +22,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91975-3
+ - N/A
cci:
- CCI-000057
800-53r5:
@@ -33,7 +33,7 @@ references:
srg:
- SRG-OS-000029-GPOS-00010
disa_stig:
- - APPL-13-000004
+ - N/A
800-171r2:
- 3.1.10
cis:
diff --git a/rules/system_settings/system_settings_siri_disable.yaml b/rules/system_settings/system_settings_siri_disable.yaml
index 552ac468..2cd01753 100644
--- a/rules/system_settings/system_settings_siri_disable.yaml
+++ b/rules/system_settings/system_settings_siri_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91976-1
+ - N/A
cci:
- CCI-000381
- CCI-001774
@@ -32,7 +32,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - APPL-13-002020
+ - N/A
800-171r2:
- 3.1.20
- 3.4.6
diff --git a/rules/system_settings/system_settings_siri_prefpane_disable.yaml b/rules/system_settings/system_settings_siri_prefpane_disable.yaml
index 5936238b..145aed9c 100644
--- a/rules/system_settings/system_settings_siri_prefpane_disable.yaml
+++ b/rules/system_settings/system_settings_siri_prefpane_disable.yaml
@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92011-6
+ - N/A
cci:
- CCI-000381
- CCI-001774
@@ -26,7 +26,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - APPL-13-002053
+ - N/A
800-171r2:
- N/A
cis:
diff --git a/rules/system_settings/system_settings_smbd_disable.yaml b/rules/system_settings/system_settings_smbd_disable.yaml
index 162bcdcb..bcef7413 100644
--- a/rules/system_settings/system_settings_smbd_disable.yaml
+++ b/rules/system_settings/system_settings_smbd_disable.yaml
@@ -16,7 +16,7 @@ fix: |
The system may need to be restarted for the update to take effect.
references:
cce:
- - CCE-91979-5
+ - N/A
cci:
- CCI-000381
800-53r5:
@@ -27,7 +27,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-13-002001
+ - N/A
800-171r2:
- 3.1.1
- 3.1.2
diff --git a/rules/system_settings/system_settings_software_update_app_update_enforce.yaml b/rules/system_settings/system_settings_software_update_app_update_enforce.yaml
index 5bbd2d95..a567c8ea 100644
--- a/rules/system_settings/system_settings_software_update_app_update_enforce.yaml
+++ b/rules/system_settings/system_settings_software_update_app_update_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91980-3
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_software_update_download_enforce.yaml b/rules/system_settings/system_settings_software_update_download_enforce.yaml
index 2bd75d85..4c63fac3 100644
--- a/rules/system_settings/system_settings_software_update_download_enforce.yaml
+++ b/rules/system_settings/system_settings_software_update_download_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91981-1
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_software_update_enforce.yaml b/rules/system_settings/system_settings_software_update_enforce.yaml
index 70cb1189..621d3cca 100644
--- a/rules/system_settings/system_settings_software_update_enforce.yaml
+++ b/rules/system_settings/system_settings_software_update_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91982-9
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_softwareupdate_current.yaml b/rules/system_settings/system_settings_softwareupdate_current.yaml
index f6ff94cc..44ec24d8 100644
--- a/rules/system_settings/system_settings_softwareupdate_current.yaml
+++ b/rules/system_settings/system_settings_softwareupdate_current.yaml
@@ -22,7 +22,7 @@ fix: |
NOTE - This will apply to the whole system
references:
cce:
- - CCE-91983-7
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_ssh_disable.yaml b/rules/system_settings/system_settings_ssh_disable.yaml
index aadb619d..40d44c88 100644
--- a/rules/system_settings/system_settings_ssh_disable.yaml
+++ b/rules/system_settings/system_settings_ssh_disable.yaml
@@ -15,7 +15,7 @@ fix: |
NOTE: Systemsetup with -setremotelogin flag will fail unless you grant Full Disk Access to systemsetup or it's parent process. Requires supervision.
references:
cce:
- - CCE-91984-5
+ - N/A
cci:
- CCI-000068
- CCI-001453
@@ -49,7 +49,7 @@ references:
- SRG-OS-000425-GPOS-00189
- SRG-OS-000426-GPOS-00190
disa_stig:
- - APPL-13-000011
+ - N/A
800-171r2:
- 3.1.1
- 3.1.2
diff --git a/rules/system_settings/system_settings_ssh_enable.yaml b/rules/system_settings/system_settings_ssh_enable.yaml
index 928d9bfd..cb89a5f8 100644
--- a/rules/system_settings/system_settings_ssh_enable.yaml
+++ b/rules/system_settings/system_settings_ssh_enable.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-91985-2
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml
index ae2b9701..f3edfe4e 100644
--- a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml
+++ b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml
@@ -33,7 +33,7 @@ fix: |
----
references:
cce:
- - CCE-91986-0
+ - N/A
cci:
- CCI-001958
800-53r5:
@@ -47,7 +47,7 @@ references:
srg:
- SRG-OS-000378-GPOS-00163
disa_stig:
- - APPL-13-002069
+ - N/A
800-171r2:
- 3.1.5
- 3.1.6
diff --git a/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml b/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml
index 42df7fcc..751720cd 100644
--- a/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml
+++ b/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91987-8
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml b/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml
index 1968feb5..14e5b4ef 100644
--- a/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml
+++ b/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml
@@ -22,7 +22,7 @@ fix: |
. Click *Use Disk*
references:
cce:
- - CCE-91988-6
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_time_server_configure.yaml b/rules/system_settings/system_settings_time_server_configure.yaml
index aa07e38d..cb559b46 100644
--- a/rules/system_settings/system_settings_time_server_configure.yaml
+++ b/rules/system_settings/system_settings_time_server_configure.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91989-4
+ - N/A
cci:
- CCI-001891
- CCI-002046
@@ -28,7 +28,7 @@ references:
- SRG-OS-000355-GPOS-00143
- SRG-OS-000356-GPOS-00144
disa_stig:
- - APPL-13-000014
+ - N/A
800-171r2:
- 3.3.7
cis:
diff --git a/rules/system_settings/system_settings_time_server_enforce.yaml b/rules/system_settings/system_settings_time_server_enforce.yaml
index 27141c44..5620b3b7 100644
--- a/rules/system_settings/system_settings_time_server_enforce.yaml
+++ b/rules/system_settings/system_settings_time_server_enforce.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91990-2
+ - N/A
cci:
- CCI-001891
- CCI-002046
diff --git a/rules/system_settings/system_settings_token_removal_enforce.yaml b/rules/system_settings/system_settings_token_removal_enforce.yaml
index 966dd5ec..7a26d634 100644
--- a/rules/system_settings/system_settings_token_removal_enforce.yaml
+++ b/rules/system_settings/system_settings_token_removal_enforce.yaml
@@ -20,7 +20,7 @@ fix: This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91991-0
+ - N/A
cci:
- CCI-000058
800-53r5:
@@ -30,7 +30,7 @@ references:
srg:
- SRG-OS-000030-GPOS-00011
disa_stig:
- - APPL-13-000005
+ - N/A
800-171r2:
- 3.1.10
cmmc:
diff --git a/rules/system_settings/system_settings_touch_id_pane_disable.yaml b/rules/system_settings/system_settings_touch_id_pane_disable.yaml
index 33801300..840b5e15 100644
--- a/rules/system_settings/system_settings_touch_id_pane_disable.yaml
+++ b/rules/system_settings/system_settings_touch_id_pane_disable.yaml
@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92014-0
+ - N/A
cci:
- CCI-000381
- CCI-001774
@@ -26,7 +26,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - APPL-13-002051
+ - N/A
800-171r2:
- N/A
cis:
diff --git a/rules/system_settings/system_settings_touchid_unlock_disable.yaml b/rules/system_settings/system_settings_touchid_unlock_disable.yaml
index 871dd063..6bdb8e76 100644
--- a/rules/system_settings/system_settings_touchid_unlock_disable.yaml
+++ b/rules/system_settings/system_settings_touchid_unlock_disable.yaml
@@ -17,7 +17,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-91994-4
+ - N/A
cci:
- N/A
800-53r5:
diff --git a/rules/system_settings/system_settings_usb_restricted_mode.yaml b/rules/system_settings/system_settings_usb_restricted_mode.yaml
index 8ec4ada0..6e332948 100644
--- a/rules/system_settings/system_settings_usb_restricted_mode.yaml
+++ b/rules/system_settings/system_settings_usb_restricted_mode.yaml
@@ -25,7 +25,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-91931-6 + - N/A cci: - N/A 800-53r5: diff --git a/rules/system_settings/system_settings_wake_network_access_disable.yaml b/rules/system_settings/system_settings_wake_network_access_disable.yaml index 822b00ad..befba599 100644 --- a/rules/system_settings/system_settings_wake_network_access_disable.yaml +++ b/rules/system_settings/system_settings_wake_network_access_disable.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-91995-1 + - N/A cci: - N/A 800-53r5: diff --git a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml b/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml index 41959a84..1633572f 100644 --- a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml +++ b/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-92029-8 + - N/A cci: - CCI-000381 - CCI-001774 @@ -26,7 +26,7 @@ references: - SRG-OS-000095-GPOS-00049 - SRG-OS-000370-GPOS-00155 disa_stig: - - APPL-13-002052 + - N/A 800-171r2: - N/A cis: diff --git a/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml b/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml index 11780fc2..62b99e98 100644 --- a/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml +++ b/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-92013-2 + - N/A cci: - CCI-000381 - CCI-001774 @@ -26,7 +26,7 @@ references: - SRG-OS-000095-GPOS-00049 - SRG-OS-000370-GPOS-00155 disa_stig: - - APPL-13-002052 + - N/A 800-171r2: - N/A cis: 
diff --git a/rules/system_settings/system_settings_wifi_disable.yaml b/rules/system_settings/system_settings_wifi_disable.yaml index 1efb6aa4..c1749d74 100644 --- a/rules/system_settings/system_settings_wifi_disable.yaml +++ b/rules/system_settings/system_settings_wifi_disable.yaml @@ -18,7 +18,7 @@ fix: | ---- references: cce: - - CCE-91998-5 + - N/A cci: - N/A 800-53r5: diff --git a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml index 9bcd56fb..d5281316 100644 --- a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml +++ b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-91999-3 + - N/A cci: - N/A 800-53r5: diff --git a/rules/system_settings/system_settings_wifi_menu_enable.yaml b/rules/system_settings/system_settings_wifi_menu_enable.yaml index c13fe62d..79e951ac 100644 --- a/rules/system_settings/system_settings_wifi_menu_enable.yaml +++ b/rules/system_settings/system_settings_wifi_menu_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-92000-9 + - N/A cci: - N/A 800-53r5: From 6d76bc5de65141d68f8a88e53609f566badeb503 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Tue, 1 Aug 2023 14:19:00 -0400 Subject: [PATCH 04/62] refactor[rules] new and revised 14.0 rules Changed siri_disable to new key Added freefrom rule, on device dictation rule, and filevault setup assistant --- rules/icloud/icloud_freeform_disable.yaml | 72 +++++++++++++++++++ rules/os/os_on_device_dictation_enforce.yaml | 68 ++++++++++++++++++ .../os_setup_assistant_filevault_enforce.yaml | 51 +++++++++++++ .../system_settings_siri_disable.yaml | 8 +-- 4 files changed, 195 insertions(+), 4 deletions(-) create mode 100644 rules/icloud/icloud_freeform_disable.yaml create mode 100644 rules/os/os_on_device_dictation_enforce.yaml create mode 100644 rules/os/os_setup_assistant_filevault_enforce.yaml diff --git a/rules/icloud/icloud_freeform_disable.yaml b/rules/icloud/icloud_freeform_disable.yaml new file mode 100644 index 00000000..ecac1970 --- /dev/null +++ b/rules/icloud/icloud_freeform_disable.yaml 
@@ -0,0 +1,72 @@ +id: icloud_freeform_disable +title: "Disable the iCloud Freeform Services" +discussion: | + The macOS built-in Freeform.app connection to Apple's iCloud service _MUST_ be disabled. + + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization _MUST_ be controlled by an organization approved service. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudFreeform').js + EOS +result: + string: "false" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000381 + - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + - SC-7(10) + 800-53r4: + - CM-7 + - CM-7(1) + - AC-20 + - AC-20(1) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - N/A + 800-171r2: + - 3.1.20 + - 3.4.6 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + - 15.3 + cmmc: + - AC.L1-3.1.20 + - CM.L2-3.4.6 + - CM.L2-3.4.7 +macOS: + - "14.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cisv8 + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - cmmc_lvl2 + - cmmc_lvl1 + - stig +severity: "low" +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowCloudFreeform: false diff --git a/rules/os/os_on_device_dictation_enforce.yaml b/rules/os/os_on_device_dictation_enforce.yaml new file mode 100644 index 00000000..3628a1f1 --- /dev/null +++ b/rules/os/os_on_device_dictation_enforce.yaml 
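Review bot: The second paragraph of `discussion` still ends with "automated calendar synchronization _MUST_ be controlled by an organization approved service", which reads as copied from the calendar rule and does not describe a Freeform restriction. Since the first paragraph and the `allowCloudFreeform` key the check reads are both about Freeform, only that sentence needs changing, e.g. `synchronization of Freeform data to iCloud _MUST_ be controlled by an organization approved service.` The rest of the new file (check, result, payload) is consistent with the other `applicationaccess` rules in this patch.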
@@ -0,0 +1,68 @@ +id: os_on_device_dictation_enforce +title: "Enforce On Device Dictation" +discussion: | + Dictation _MUST_ be restricted to on device only to prevent potential data exfiltration. + + The information system _MUST_ be configured to provide only essential capabilities. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('forceOnDeviceOnlyDictation').js + EOS +result: + string: "true" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - AC-20 + - CM-7 + - CM-7(1) + - SC-7(10) + 800-53r4: + - CM-7 + - CM-7(1) + - AC-20 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - 3.1.20 + - 3.4.6 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + cmmc: + - AC.L1-3.1.20 + - CM.L2-3.4.6 + - CM.L2-3.4.7 +macOS: + - "14.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cisv8 + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - cmmc_lvl2 + - cmmc_lvl1 + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + forceOnDeviceOnlyDictation: true \ No newline at end of file diff --git a/rules/os/os_setup_assistant_filevault_enforce.yaml b/rules/os/os_setup_assistant_filevault_enforce.yaml new file mode 100644 index 00000000..11d5e817 --- /dev/null +++ b/rules/os/os_setup_assistant_filevault_enforce.yaml 
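Review bot: The `discussion` justifies the rule with "potential data exfiltration" but never says what `forceOnDeviceOnlyDictation` changes, so an assessor cannot tell what the finding actually protects; suggest adding after the first sentence `When dictation is processed on device, spoken audio is not sent to Apple's servers for transcription.` — that is my understanding of the key and should be confirmed against Apple's Restrictions payload documentation before it is written down as fact. The new file is also committed without a trailing newline (`\ No newline at end of file`), and the same applies to the new `os_setup_assistant_filevault_enforce.yaml` and the revised `system_settings_siri_disable.yaml` in this patch, where the old side did end with a newline; adding the final newline keeps the next edit's diff clean.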
@@ -0,0 +1,51 @@ +id: os_setup_assistant_filevault_enforce +title: "Enforce FileVault in Setup Assistant" +discussion: | + FileVault _MUST_ be enforced in Setup Assistant. + + The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX.FileVault2')\ + .objectForKey('ForceEnableInSetupAssistant').js + EOS +result: + integer: 1 +fix: | + NOTE: See the FileVault supplemental to implement this rule. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - SC-28 + - SC-28(1) + 800-53r4: + - SC-28 + - SC-28(1) + srg: + - SRG-OS-000185-GPOS-00079 + - SRG-OS-000404-GPOS-00183 + - SRG-OS-000405-GPOS-00184 + disa_stig: + - N/A + 800-171r2: + - 3.13.16 + cis: + benchmark: + - 2.6.5 (level 1) + controls v8: + - 3.6 + - 3.11 + cmmc: + - SC.L2-3.13.16 +macOS: + - "14.0" +tags: + - none +severity: "high" +mobileconfig: true +mobileconfig_info: + com.apple.MCX.FileVault2: + ForceEnableInSetupAssistant: true \ No newline at end of file diff --git a/rules/system_settings/system_settings_siri_disable.yaml b/rules/system_settings/system_settings_siri_disable.yaml index 2cd01753..aaf9cdb4 100644 --- a/rules/system_settings/system_settings_siri_disable.yaml +++ b/rules/system_settings/system_settings_siri_disable.yaml @@ -6,8 +6,8 @@ discussion: | The information system _MUST_ be configured to provide only essential capabilities. check: | /usr/bin/osascript -l JavaScript << EOS - $.NSUserDefaults.alloc.initWithSuiteName('com.apple.ironwood.support')\ - .objectForKey('Ironwood Allowed').js + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowAssistant').js EOS result: string: "false" 
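Review bot: `result:` / `integer: 1` does not match the check above it, which reads `ForceEnableInSetupAssistant` through the same `osascript -l JavaScript … .js` pattern as the two other new rules in this patch, both of which expect `string: "true"`/`"false"` for a boolean key; the value written by `mobileconfig_info` is also the boolean `true`, so as written the check is likely to report non-compliance on a correctly configured system. Suggest `result:` / `  string: "true"` unless this key is known to be stored as an integer. Separately, `tags:` is `- none` even though the rule carries 800-53r5, CIS benchmark and CMMC references, so it will not be pulled into any baseline; if that is deliberate (the `fix` defers to the FileVault supplemental) a short comment saying so would help, otherwise the tags should mirror the references as the sibling rules do.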
@@ -66,5 +66,5 @@ tags: severity: "medium" mobileconfig: true mobileconfig_info: - com.apple.ironwood.support: - "Ironwood Allowed": false + com.apple.applicationaccess: + allowAssistant: false \ No newline at end of file From 206884b723e06e7c74a0adf52c640bad45d98d3d Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Tue, 1 Aug 2023 14:21:15 -0400 Subject: [PATCH 05/62] removed stig tag --- rules/audit/audit_acls_files_configure.yaml | 1 - rules/audit/audit_acls_folders_configure.yaml | 1 - rules/audit/audit_auditd_enabled.yaml | 1 - rules/audit/audit_configure_capacity_notify.yaml | 1 - rules/audit/audit_failure_halt.yaml | 1 - rules/audit/audit_files_group_configure.yaml | 1 - rules/audit/audit_files_mode_configure.yaml | 1 - rules/audit/audit_files_owner_configure.yaml | 1 - rules/audit/audit_flags_aa_configure.yaml | 1 - rules/audit/audit_flags_ad_configure.yaml | 1 - rules/audit/audit_flags_fd_configure.yaml | 1 - rules/audit/audit_flags_fm_configure.yaml | 1 - rules/audit/audit_flags_fr_configure.yaml | 1 - rules/audit/audit_flags_fw_configure.yaml | 1 - rules/audit/audit_flags_lo_configure.yaml | 1 - rules/audit/audit_folder_group_configure.yaml | 1 - rules/audit/audit_folder_owner_configure.yaml | 1 - rules/audit/audit_folders_mode_configure.yaml | 1 - rules/audit/audit_settings_failure_notify.yaml | 1 - rules/auth/auth_pam_login_smartcard_enforce.yaml | 1 - rules/auth/auth_pam_su_smartcard_enforce.yaml | 1 - rules/auth/auth_pam_sudo_smartcard_enforce.yaml | 1 - rules/auth/auth_smartcard_allow.yaml | 1 - .../auth/auth_smartcard_certificate_trust_enforce_moderate.yaml | 1 - rules/auth/auth_smartcard_enforce.yaml | 1 - rules/icloud/icloud_addressbook_disable.yaml | 1 - rules/icloud/icloud_appleid_preference_pane_disable.yaml | 1 - rules/icloud/icloud_bookmarks_disable.yaml | 1 - rules/icloud/icloud_calendar_disable.yaml | 1 - rules/icloud/icloud_drive_disable.yaml | 1 - rules/icloud/icloud_freeform_disable.yaml | 1 - rules/icloud/icloud_keychain_disable.yaml | 1 - rules/icloud/icloud_mail_disable.yaml | 1 - rules/icloud/icloud_notes_disable.yaml | 1 - rules/icloud/icloud_photos_disable.yaml | 1 - rules/icloud/icloud_reminders_disable.yaml | 1 - rules/os/os_airdrop_disable.yaml | 1 - rules/os/os_anti_virus_installed.yaml | 1 - 
rules/os/os_appleid_prompt_disable.yaml | 1 - rules/os/os_asl_log_files_owner_group_configure.yaml | 1 - rules/os/os_asl_log_files_permissions_configure.yaml | 1 - rules/os/os_blank_bluray_disable.yaml | 1 - rules/os/os_blank_cd_disable.yaml | 1 - rules/os/os_blank_dvd_disable.yaml | 1 - rules/os/os_bluray_read_only_enforce.yaml | 1 - rules/os/os_bonjour_disable.yaml | 1 - rules/os/os_burn_support_disable.yaml | 1 - rules/os/os_camera_disable.yaml | 1 - rules/os/os_cd_read_only_enforce.yaml | 1 - rules/os/os_certificate_authority_trust.yaml | 1 - rules/os/os_config_data_install_enforce.yaml | 1 - rules/os/os_directory_services_configured.yaml | 1 - rules/os/os_disk_image_disable.yaml | 1 - rules/os/os_dvdram_disable.yaml | 1 - rules/os/os_erase_content_and_settings_disable.yaml | 1 - rules/os/os_filevault_authorized_users.yaml | 1 - rules/os/os_filevault_autologin_disable.yaml | 1 - rules/os/os_firmware_password_require.yaml | 1 - rules/os/os_gatekeeper_enable.yaml | 1 - rules/os/os_handoff_disable.yaml | 1 - rules/os/os_home_folders_default.yaml | 1 - rules/os/os_httpd_disable.yaml | 1 - rules/os/os_icloud_storage_prompt_disable.yaml | 1 - rules/os/os_newsyslog_files_owner_group_configure.yaml | 1 - rules/os/os_newsyslog_files_permissions_configure.yaml | 1 - rules/os/os_nfsd_disable.yaml | 1 - rules/os/os_on_device_dictation_enforce.yaml | 1 - rules/os/os_password_proximity_disable.yaml | 1 - rules/os/os_policy_banner_loginwindow_enforce.yaml | 1 - rules/os/os_policy_banner_ssh_configure.yaml | 1 - rules/os/os_policy_banner_ssh_enforce.yaml | 1 - rules/os/os_privacy_setup_prompt_disable.yaml | 1 - rules/os/os_removable_media_disable.yaml | 1 - rules/os/os_screensaver_loginwindow_enforce.yaml | 1 - rules/os/os_screensaver_timeout_loginwindow_enforce.yaml | 1 - rules/os/os_sip_enable.yaml | 1 - rules/os/os_siri_prompt_disable.yaml | 1 - rules/os/os_skip_screen_time_prompt_enable.yaml | 1 - rules/os/os_skip_unlock_with_watch_enable.yaml | 1 - 
rules/os/os_sshd_client_alive_count_max_configure.yaml | 1 - rules/os/os_sshd_client_alive_interval_configure.yaml | 1 - rules/os/os_sshd_fips_140_ciphers.yaml | 1 - rules/os/os_sshd_fips_140_macs.yaml | 1 - rules/os/os_sshd_key_exchange_algorithm_configure.yaml | 1 - rules/os/os_sshd_login_grace_time_configure.yaml | 1 - rules/os/os_sshd_permit_root_login_configure.yaml | 1 - rules/os/os_sudo_timeout_configure.yaml | 1 - rules/os/os_tftpd_disable.yaml | 1 - rules/os/os_time_server_enabled.yaml | 1 - rules/os/os_touchid_prompt_disable.yaml | 1 - rules/os/os_uucp_disable.yaml | 1 - rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml | 1 - rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml | 1 - rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml | 1 - rules/pwpolicy/pwpolicy_history_enforce.yaml | 1 - rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml | 1 - rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml | 1 - rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml | 1 - rules/pwpolicy/pwpolicy_special_character_enforce.yaml | 1 - .../pwpolicy_temporary_or_emergency_accounts_disable.yaml | 1 - .../system_settings_apple_watch_unlock_disable.yaml | 1 - rules/system_settings/system_settings_assistant_disable.yaml | 1 - .../system_settings/system_settings_automatic_login_disable.yaml | 1 - rules/system_settings/system_settings_bluetooth_disable.yaml | 1 - .../system_settings_bluetooth_prefpane_disable.yaml | 1 - .../system_settings_diagnostics_reports_disable.yaml | 1 - rules/system_settings/system_settings_filevault_enforce.yaml | 1 - rules/system_settings/system_settings_firewall_enable.yaml | 1 - .../system_settings_firewall_stealth_mode_enable.yaml | 1 - ...system_settings_gatekeeper_identified_developers_allowed.yaml | 1 - rules/system_settings/system_settings_guest_account_disable.yaml | 1 - rules/system_settings/system_settings_hot_corners_disable.yaml | 1 - .../system_settings_improve_siri_dictation_disable.yaml | 1 - 
...ystem_settings_internet_accounts_preference_pane_disable.yaml | 1 - .../system_settings_internet_sharing_disable.yaml | 1 - .../system_settings_location_services_disable.yaml | 1 - ...em_settings_loginwindow_prompt_username_password_enforce.yaml | 1 - .../system_settings/system_settings_password_hints_disable.yaml | 1 - rules/system_settings/system_settings_rae_disable.yaml | 1 - .../system_settings/system_settings_screen_sharing_disable.yaml | 1 - ...stem_settings_screensaver_ask_for_password_delay_enforce.yaml | 1 - .../system_settings_screensaver_password_enforce.yaml | 1 - .../system_settings_screensaver_timeout_enforce.yaml | 1 - rules/system_settings/system_settings_siri_disable.yaml | 1 - rules/system_settings/system_settings_siri_prefpane_disable.yaml | 1 - rules/system_settings/system_settings_smbd_disable.yaml | 1 - rules/system_settings/system_settings_ssh_disable.yaml | 1 - .../system_settings_system_wide_preferences_configure.yaml | 1 - rules/system_settings/system_settings_time_server_configure.yaml | 1 - rules/system_settings/system_settings_time_server_enforce.yaml | 1 - rules/system_settings/system_settings_token_removal_enforce.yaml | 1 - rules/system_settings/system_settings_touch_id_pane_disable.yaml | 1 - .../system_settings_wallet_applepay_prefpane_disable.yaml | 1 - .../system_settings_wallet_applepay_prefpane_hide.yaml | 1 - 134 files changed, 134 deletions(-) diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index 0e6d001c..98e24ddc 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -54,7 +54,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml index 7234c29a..890cfe64 100644 --- a/rules/audit/audit_acls_folders_configure.yaml 
+++ b/rules/audit/audit_acls_folders_configure.yaml @@ -52,7 +52,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index 82541e41..2f7c0f20 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -115,7 +115,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml index 086a9b62..02b1b6eb 100644 --- a/rules/audit/audit_configure_capacity_notify.yaml +++ b/rules/audit/audit_configure_capacity_notify.yaml @@ -38,7 +38,6 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - - stig severity: "medium" severity: "low" mobileconfig: false diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index 0ee8bb64..95b7075d 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml @@ -44,7 +44,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml index 924de326..e2bc9d39 100644 --- a/rules/audit/audit_files_group_configure.yaml +++ b/rules/audit/audit_files_group_configure.yaml @@ -54,7 +54,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml index e7800470..3ee7b257 100644 --- a/rules/audit/audit_files_mode_configure.yaml 
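Review bot: In the `audit_configure_capacity_notify.yaml` hunk the surviving context shows two `severity:` keys back to back — `severity: "medium"` followed by `severity: "low"` — so after the `stig` tag removal the file still carries a duplicate mapping key; a YAML loader either rejects this or silently keeps the last value, leaving the rule's effective severity ambiguous to anyone reading the file. This predates the commit, but the hunk already touches the adjacent line, so it is the natural place to drop one of the two, e.g. keep `severity: "medium"` and delete `severity: "low"` (or the reverse, whichever is intended for the capacity-notification rule).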
+++ b/rules/audit/audit_files_mode_configure.yaml @@ -50,7 +50,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml index c34e1105..e4bb5e77 100644 --- a/rules/audit/audit_files_owner_configure.yaml +++ b/rules/audit/audit_files_owner_configure.yaml @@ -54,7 +54,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index afd2f4c3..16710be4 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml @@ -68,7 +68,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index 9b810c43..c26f8df9 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -89,7 +89,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index 1d5d215a..a4031b99 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml @@ -67,7 +67,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index 8f25b7b4..b4c31e87 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml 
@@ -63,7 +63,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index c2535fa8..569ec1f7 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml @@ -82,7 +82,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index b60b7888..ed5f79b3 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml @@ -82,7 +82,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index ee9dcd48..090cf3d5 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -70,7 +70,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml index 5d63c2c5..6c8823aa 100644 --- a/rules/audit/audit_folder_group_configure.yaml +++ b/rules/audit/audit_folder_group_configure.yaml @@ -54,7 +54,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml index 5081dbae..429843e4 100644 --- a/rules/audit/audit_folder_owner_configure.yaml +++ b/rules/audit/audit_folder_owner_configure.yaml 
@@ -54,7 +54,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml index 965dbe60..ae3d7858 100644 --- a/rules/audit/audit_folders_mode_configure.yaml +++ b/rules/audit/audit_folders_mode_configure.yaml @@ -56,7 +56,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml index 8026f9e1..ec7b4c78 100644 --- a/rules/audit/audit_settings_failure_notify.yaml +++ b/rules/audit/audit_settings_failure_notify.yaml @@ -44,7 +44,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml index 154d693c..0b80c0bf 100644 --- a/rules/auth/auth_pam_login_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml @@ -79,7 +79,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml index c66145f4..5fef0bf0 100644 --- a/rules/auth/auth_pam_su_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml @@ -74,7 +74,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml index 6c1d9a91..e29b8d69 100644 --- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml 
+++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml @@ -73,7 +73,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml index 7b48686c..51f7bfaa 100644 --- a/rules/auth/auth_smartcard_allow.yaml +++ b/rules/auth/auth_smartcard_allow.yaml @@ -61,7 +61,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig mobileconfig: true mobileconfig_info: com.apple.security.smartcard: diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml index 17b35a05..eed008a7 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml @@ -50,7 +50,6 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index 8dd50e0d..295756eb 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml @@ -82,7 +82,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index 4ec11054..53f89ce2 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_appleid_preference_pane_disable.yaml b/rules/icloud/icloud_appleid_preference_pane_disable.yaml index f03aa75b..bbacdab4 100644 --- a/rules/icloud/icloud_appleid_preference_pane_disable.yaml 
+++ b/rules/icloud/icloud_appleid_preference_pane_disable.yaml @@ -35,7 +35,6 @@ references: macOS: - "14.0" tags: - - stig severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index 9c79e4be..07db0225 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml @@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index eb714b27..d5bf29e6 100644 --- a/rules/icloud/icloud_calendar_disable.yaml +++ b/rules/icloud/icloud_calendar_disable.yaml @@ -64,7 +64,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index bfc5e58f..92394c3b 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_freeform_disable.yaml b/rules/icloud/icloud_freeform_disable.yaml index ecac1970..f251239c 100644 --- a/rules/icloud/icloud_freeform_disable.yaml +++ b/rules/icloud/icloud_freeform_disable.yaml @@ -64,7 +64,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index 74feb722..b29e267d 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml @@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: 
diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index b702c661..dbb379cf 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml @@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index 56901fec..ff74f067 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml @@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index 253b214a..395671f5 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml @@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index 5e26c64f..4cee2a0c 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml @@ -65,7 +65,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 9462dcbf..70b1947b 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -68,7 +68,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml index afda8d87..db2b18a5 100644 --- a/rules/os/os_anti_virus_installed.yaml +++ b/rules/os/os_anti_virus_installed.yaml 
@@ -30,7 +30,6 @@ references: macOS: - "14.0" tags: - - stig severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml index ce088957..33a47c23 100644 --- a/rules/os/os_appleid_prompt_disable.yaml +++ b/rules/os/os_appleid_prompt_disable.yaml @@ -52,7 +52,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml index 865b2894..b978c2bf 100644 --- a/rules/os/os_asl_log_files_owner_group_configure.yaml +++ b/rules/os/os_asl_log_files_owner_group_configure.yaml @@ -36,7 +36,6 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml index deaa3c35..0a5b2a5f 100644 --- a/rules/os/os_asl_log_files_permissions_configure.yaml +++ b/rules/os/os_asl_log_files_permissions_configure.yaml @@ -34,7 +34,6 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml index 304356b4..1f767e44 100644 --- a/rules/os/os_blank_bluray_disable.yaml +++ b/rules/os/os_blank_bluray_disable.yaml @@ -46,7 +46,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml index 187b3bcf..301d59eb 100644 --- a/rules/os/os_blank_cd_disable.yaml +++ b/rules/os/os_blank_cd_disable.yaml 
@@ -46,7 +46,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml
index a07ed0ff..79c935e4 100644
--- a/rules/os/os_blank_dvd_disable.yaml
+++ b/rules/os/os_blank_dvd_disable.yaml
@@ -46,7 +46,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_bluray_read_only_enforce.yaml b/rules/os/os_bluray_read_only_enforce.yaml
index c6a1aad7..3db89db0 100644
--- a/rules/os/os_bluray_read_only_enforce.yaml
+++ b/rules/os/os_bluray_read_only_enforce.yaml
@@ -46,7 +46,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml
index 14ad9fc9..752f3ae8 100644
--- a/rules/os/os_bonjour_disable.yaml
+++ b/rules/os/os_bonjour_disable.yaml
@@ -53,7 +53,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_burn_support_disable.yaml b/rules/os/os_burn_support_disable.yaml
index 05de55c2..8fa86ed8 100644
--- a/rules/os/os_burn_support_disable.yaml
+++ b/rules/os/os_burn_support_disable.yaml
@@ -36,7 +36,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml
index 7030aa2c..827ad0b2 100644
--- a/rules/os/os_camera_disable.yaml
+++ b/rules/os/os_camera_disable.yaml
@@ -29,7 +29,6 @@ references:
 macOS:
 - "14.0"
 tags:
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_cd_read_only_enforce.yaml b/rules/os/os_cd_read_only_enforce.yaml
index e1339f4a..615e7018 100644
--- a/rules/os/os_cd_read_only_enforce.yaml
+++ b/rules/os/os_cd_read_only_enforce.yaml
@@ -46,7 +46,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_certificate_authority_trust.yaml b/rules/os/os_certificate_authority_trust.yaml
index 3520f231..4aca623f 100644
--- a/rules/os/os_certificate_authority_trust.yaml
+++ b/rules/os/os_certificate_authority_trust.yaml
@@ -37,7 +37,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "high"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml
index 6a247f04..595b032e 100644
--- a/rules/os/os_config_data_install_enforce.yaml
+++ b/rules/os/os_config_data_install_enforce.yaml
@@ -60,7 +60,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "high"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml
index a4d9fc77..14402167 100644
--- a/rules/os/os_directory_services_configured.yaml
+++ b/rules/os/os_directory_services_configured.yaml
@@ -32,7 +32,6 @@ macOS:
 - "14.0"
 tags:
 - cisv8
- - stig
 severity: "high"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml
index fdff5b9a..4496f6db 100644
--- a/rules/os/os_disk_image_disable.yaml
+++ b/rules/os/os_disk_image_disable.yaml
@@ -46,7 +46,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml
index a8d295fe..ad2c0566 100644
--- a/rules/os/os_dvdram_disable.yaml
+++ b/rules/os/os_dvdram_disable.yaml
@@ -46,7 +46,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_erase_content_and_settings_disable.yaml b/rules/os/os_erase_content_and_settings_disable.yaml
index 0958c053..7a3b15d3 100644
--- a/rules/os/os_erase_content_and_settings_disable.yaml
+++ b/rules/os/os_erase_content_and_settings_disable.yaml
@@ -36,7 +36,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_filevault_authorized_users.yaml b/rules/os/os_filevault_authorized_users.yaml
index ee40e3fe..525bcb25 100644
--- a/rules/os/os_filevault_authorized_users.yaml
+++ b/rules/os/os_filevault_authorized_users.yaml
@@ -32,7 +32,6 @@ tags:
 - 800-53r5_high
 - manual
 - cnssi-1253_high
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml
index 43d615fa..aaa508a5 100644
--- a/rules/os/os_filevault_autologin_disable.yaml
+++ b/rules/os/os_filevault_autologin_disable.yaml
@@ -59,7 +59,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml
index b683e522..752a0d25 100644
--- a/rules/os/os_firmware_password_require.yaml
+++ b/rules/os/os_firmware_password_require.yaml
@@ -54,7 +54,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml
index 65dec142..0121534d 100644
--- a/rules/os/os_gatekeeper_enable.yaml
+++ b/rules/os/os_gatekeeper_enable.yaml
@@ -66,7 +66,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "high"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml
index 067d11f6..cb0ec2fc 100644
--- a/rules/os/os_handoff_disable.yaml
+++ b/rules/os/os_handoff_disable.yaml
@@ -64,7 +64,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_home_folders_default.yaml b/rules/os/os_home_folders_default.yaml
index 1181fb29..741788fe 100644
--- a/rules/os/os_home_folders_default.yaml
+++ b/rules/os/os_home_folders_default.yaml
@@ -55,7 +55,6 @@ macOS:
 - "14.0"
 tags:
 - manual
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml
index f865cb46..e35f3c8b 100644
--- a/rules/os/os_httpd_disable.yaml
+++ b/rules/os/os_httpd_disable.yaml
@@ -56,7 +56,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml
index d4ff9770..c6557035 100644
--- a/rules/os/os_icloud_storage_prompt_disable.yaml
+++ b/rules/os/os_icloud_storage_prompt_disable.yaml
@@ -52,7 +52,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml
index 60952895..c1a3871f 100644
--- a/rules/os/os_newsyslog_files_owner_group_configure.yaml
+++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml
@@ -36,7 +36,6 @@ tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
 - cnssi-1253_high
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml
index 2746485f..0f5f260c 100644
--- a/rules/os/os_newsyslog_files_permissions_configure.yaml
+++ b/rules/os/os_newsyslog_files_permissions_configure.yaml
@@ -35,7 +35,6 @@ tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
 - cnssi-1253_high
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml
index 804775a6..35b113ab 100644
--- a/rules/os/os_nfsd_disable.yaml
+++ b/rules/os/os_nfsd_disable.yaml
@@ -55,7 +55,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_on_device_dictation_enforce.yaml b/rules/os/os_on_device_dictation_enforce.yaml
index 3628a1f1..f958ef6d 100644
--- a/rules/os/os_on_device_dictation_enforce.yaml
+++ b/rules/os/os_on_device_dictation_enforce.yaml
@@ -60,7 +60,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml
index 42c3b5ad..f9f55486 100644
--- a/rules/os/os_password_proximity_disable.yaml
+++ b/rules/os/os_password_proximity_disable.yaml
@@ -53,7 +53,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml
index aeb38ed9..a2e51a22 100644
--- a/rules/os/os_policy_banner_loginwindow_enforce.yaml
+++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml
@@ -89,7 +89,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml
index a343f4dd..72462641 100644
--- a/rules/os/os_policy_banner_ssh_configure.yaml
+++ b/rules/os/os_policy_banner_ssh_configure.yaml
@@ -71,7 +71,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml
index 462cb3c5..9705c1a9 100644
--- a/rules/os/os_policy_banner_ssh_enforce.yaml
+++ b/rules/os/os_policy_banner_ssh_enforce.yaml
@@ -66,7 +66,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml
index 2c11a01f..dc0776a5 100644
--- a/rules/os/os_privacy_setup_prompt_disable.yaml
+++ b/rules/os/os_privacy_setup_prompt_disable.yaml
@@ -45,7 +45,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml
index bb8fe84c..5b3f3374 100644
--- a/rules/os/os_removable_media_disable.yaml
+++ b/rules/os/os_removable_media_disable.yaml
@@ -48,7 +48,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml
index 65b7de00..9d3a05cc 100644
--- a/rules/os/os_screensaver_loginwindow_enforce.yaml
+++ b/rules/os/os_screensaver_loginwindow_enforce.yaml
@@ -37,7 +37,6 @@ tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
 - cnssi-1253_high
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml
index e6dae0d8..9ea62d77 100644
--- a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml
+++ b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml
@@ -46,7 +46,6 @@ odv:
 recommended: 1200
 stig: 900
 tags:
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml
index 601b08f2..e2a0f33c 100644
--- a/rules/os/os_sip_enable.yaml
+++ b/rules/os/os_sip_enable.yaml
@@ -112,7 +112,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "high"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml
index 51ba0d53..550f3310 100644
--- a/rules/os/os_siri_prompt_disable.yaml
+++ b/rules/os/os_siri_prompt_disable.yaml
@@ -61,7 +61,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_skip_screen_time_prompt_enable.yaml b/rules/os/os_skip_screen_time_prompt_enable.yaml
index d7bc3ec9..96083891 100644
--- a/rules/os/os_skip_screen_time_prompt_enable.yaml
+++ b/rules/os/os_skip_screen_time_prompt_enable.yaml
@@ -36,7 +36,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_skip_unlock_with_watch_enable.yaml b/rules/os/os_skip_unlock_with_watch_enable.yaml
index fc54e9ba..db3ab78a 100644
--- a/rules/os/os_skip_unlock_with_watch_enable.yaml
+++ b/rules/os/os_skip_unlock_with_watch_enable.yaml
@@ -51,7 +51,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
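Review bot: The os_screensaver_timeout_loginwindow_enforce hunk removes the `stig` tag but leaves the `stig: 900` entry under `odv:` in the context lines directly above it, so the rule keeps a STIG-specific organization-defined value while no longer being tagged for that baseline. If the STIG baseline is being retired for this release, that key is now dead data and should go in the same change; if it is being kept on purpose for a later STIG baseline, a one-line comment such as `stig: 900  # retained for a future STIG baseline` would make the intent explicit to whoever regenerates the baselines. The other hunks on this line show only their tag lists, so I cannot tell from here whether they carry the same leftover.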
diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml
index 5db8fe8b..19368b2b 100644
--- a/rules/os/os_sshd_client_alive_count_max_configure.yaml
+++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml
@@ -66,7 +66,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml
index 8ecbaece..1465a432 100644
--- a/rules/os/os_sshd_client_alive_interval_configure.yaml
+++ b/rules/os/os_sshd_client_alive_interval_configure.yaml
@@ -70,7 +70,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml
index cdd400ab..3d028769 100644
--- a/rules/os/os_sshd_fips_140_ciphers.yaml
+++ b/rules/os/os_sshd_fips_140_ciphers.yaml
@@ -65,7 +65,6 @@ references:
 macOS:
 - "14.0"
 tags:
- - stig
 severity: "high"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml
index 63f309f8..b535437b 100644
--- a/rules/os/os_sshd_fips_140_macs.yaml
+++ b/rules/os/os_sshd_fips_140_macs.yaml
@@ -65,7 +65,6 @@ references:
 macOS:
 - "14.0"
 tags:
- - stig
 severity: "high"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
index 0c3e5a85..b97665fd 100644
--- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
+++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
@@ -61,7 +61,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "high"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml
index b9c7ed11..89aacd64 100644
--- a/rules/os/os_sshd_login_grace_time_configure.yaml
+++ b/rules/os/os_sshd_login_grace_time_configure.yaml
@@ -57,7 +57,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml
index 395cc06b..9cbbafa0 100644
--- a/rules/os/os_sshd_permit_root_login_configure.yaml
+++ b/rules/os/os_sshd_permit_root_login_configure.yaml
@@ -52,7 +52,6 @@ tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
 - cnssi-1253_high
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sudo_timeout_configure.yaml b/rules/os/os_sudo_timeout_configure.yaml
index 20251dc9..7645717c 100644
--- a/rules/os/os_sudo_timeout_configure.yaml
+++ b/rules/os/os_sudo_timeout_configure.yaml
@@ -45,6 +45,5 @@ tags:
 - cis_lvl1
 - cis_lvl2
 - cisv8
- - stig
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml
index 7705d20f..2aff5934 100644
--- a/rules/os/os_tftpd_disable.yaml
+++ b/rules/os/os_tftpd_disable.yaml
@@ -63,7 +63,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "high"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml
index b0856d57..f974f9fe 100644
--- a/rules/os/os_time_server_enabled.yaml
+++ b/rules/os/os_time_server_enabled.yaml
@@ -52,7 +52,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml
index d1131b5c..372fffa6 100644
--- a/rules/os/os_touchid_prompt_disable.yaml
+++ b/rules/os/os_touchid_prompt_disable.yaml
@@ -51,7 +51,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml
index 40ea16bf..4724a567 100644
--- a/rules/os/os_uucp_disable.yaml
+++ b/rules/os/os_uucp_disable.yaml
@@ -58,7 +58,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
index 2aa48569..2ade03f4 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
@@ -55,7 +55,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
index 3c3ac72c..15528f41 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
@@ -51,7 +51,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
index 07c14abe..45fe1ef1 100644
--- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
@@ -59,7 +59,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml
index 9a608d77..6b1242ac 100644
--- a/rules/pwpolicy/pwpolicy_history_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml
@@ -64,7 +64,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
index e348b221..4ed8b40b 100644
--- a/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
@@ -64,7 +64,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
index 4a1bd0ab..0a517bd1 100644
--- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
@@ -65,7 +65,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
index fcc343ac..709b90f1 100644
--- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
@@ -57,7 +57,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 mobileconfig: true
 mobileconfig_info:
 com.apple.mobiledevice.passwordpolicy:
diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
index e4c55530..fbfecb04 100644
--- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
@@ -65,7 +65,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
index d941c297..e8c72a55 100644
--- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
@@ -76,7 +76,6 @@ tags:
 - 800-53r5_high
 - 800-53r4_moderate
 - 800-53r4_high
- - stig
 - manual
 - cnssi-1253_moderate
 - cnssi-1253_high
diff --git a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
index 041ce3fe..6e70cc81 100644
--- a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
+++ b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
@@ -42,7 +42,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_assistant_disable.yaml b/rules/system_settings/system_settings_assistant_disable.yaml
index 8629f33f..54f38daa 100644
--- a/rules/system_settings/system_settings_assistant_disable.yaml
+++ b/rules/system_settings/system_settings_assistant_disable.yaml
@@ -40,7 +40,6 @@ references:
 macOS:
 - "14.0"
 tags:
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_automatic_login_disable.yaml b/rules/system_settings/system_settings_automatic_login_disable.yaml
index 1dbc0788..6ed9e69f 100644
--- a/rules/system_settings/system_settings_automatic_login_disable.yaml
+++ b/rules/system_settings/system_settings_automatic_login_disable.yaml
@@ -57,7 +57,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_bluetooth_disable.yaml b/rules/system_settings/system_settings_bluetooth_disable.yaml
index f7d9ed58..76e8e0a9 100644
--- a/rules/system_settings/system_settings_bluetooth_disable.yaml
+++ b/rules/system_settings/system_settings_bluetooth_disable.yaml
@@ -59,7 +59,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml b/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml
index e1cbbc1a..11b1981f 100644
--- a/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml
+++ b/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml
@@ -32,7 +32,6 @@ references:
 macOS:
 - "12.0"
 tags:
- - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml
index 97912bf2..c426951e 100644
--- a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml
+++ b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml
@@ -65,7 +65,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_filevault_enforce.yaml b/rules/system_settings/system_settings_filevault_enforce.yaml
index 58ed4692..8589bdee 100644
--- a/rules/system_settings/system_settings_filevault_enforce.yaml
+++ b/rules/system_settings/system_settings_filevault_enforce.yaml
@@ -64,7 +64,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "high"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_firewall_enable.yaml b/rules/system_settings/system_settings_firewall_enable.yaml
index 52c6455a..ea51e7c5 100644
--- a/rules/system_settings/system_settings_firewall_enable.yaml
+++ b/rules/system_settings/system_settings_firewall_enable.yaml
@@ -86,7 +86,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
index e8004040..821d1761 100644
--- a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
+++ b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
@@ -83,7 +83,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
index e9431a0c..24c3b4f5 100644
--- a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
+++ b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
@@ -48,7 +48,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_guest_account_disable.yaml b/rules/system_settings/system_settings_guest_account_disable.yaml
index 102d48d7..1fc5fbe1 100644
--- a/rules/system_settings/system_settings_guest_account_disable.yaml
+++ b/rules/system_settings/system_settings_guest_account_disable.yaml
@@ -67,7 +67,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "high"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_hot_corners_disable.yaml b/rules/system_settings/system_settings_hot_corners_disable.yaml
index 2a524268..08491124 100644
--- a/rules/system_settings/system_settings_hot_corners_disable.yaml
+++ b/rules/system_settings/system_settings_hot_corners_disable.yaml
@@ -36,7 +36,6 @@ tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
 - cnssi-1253_high
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml
index d209ae0c..63830e7f 100644
--- a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml
+++ b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml
@@ -61,7 +61,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 mobileconfig: true
 mobileconfig_info:
 com.apple.assistant.support:
diff --git a/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml b/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml
index c9f7c471..d18b63c7 100644
--- a/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml
+++ b/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml
@@ -40,7 +40,6 @@ references:
 macOS:
 - "14.0"
 tags:
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_internet_sharing_disable.yaml b/rules/system_settings/system_settings_internet_sharing_disable.yaml
index db9b0a7d..204242a4 100644
--- a/rules/system_settings/system_settings_internet_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_internet_sharing_disable.yaml
@@ -58,7 +58,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_location_services_disable.yaml b/rules/system_settings/system_settings_location_services_disable.yaml
index 8b50dedd..72f6b3b6 100644
--- a/rules/system_settings/system_settings_location_services_disable.yaml
+++ b/rules/system_settings/system_settings_location_services_disable.yaml
@@ -51,7 +51,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml b/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
index 52cf9379..c20d93ec 100644
--- a/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
+++ b/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
@@ -55,7 +55,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_password_hints_disable.yaml b/rules/system_settings/system_settings_password_hints_disable.yaml
index a2c2925b..ed6de7bd 100644
--- a/rules/system_settings/system_settings_password_hints_disable.yaml
+++ b/rules/system_settings/system_settings_password_hints_disable.yaml
@@ -52,7 +52,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_rae_disable.yaml b/rules/system_settings/system_settings_rae_disable.yaml
index 7c02af2c..da177a02 100644
--- a/rules/system_settings/system_settings_rae_disable.yaml
+++ b/rules/system_settings/system_settings_rae_disable.yaml
@@ -58,7 +58,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/system_settings/system_settings_screen_sharing_disable.yaml b/rules/system_settings/system_settings_screen_sharing_disable.yaml
index 7a2ded83..e9c7e085 100644
--- a/rules/system_settings/system_settings_screen_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_screen_sharing_disable.yaml
@@ -58,7 +58,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml b/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
index 11807b78..0eaac33b 100644
--- a/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
+++ b/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
@@ -63,7 +63,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_screensaver_password_enforce.yaml b/rules/system_settings/system_settings_screensaver_password_enforce.yaml
index 9d1fb046..bafcdbea 100644
--- a/rules/system_settings/system_settings_screensaver_password_enforce.yaml
+++ b/rules/system_settings/system_settings_screensaver_password_enforce.yaml
@@ -42,7 +42,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml b/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml
index bf434b5b..b35ecd58 100644
--- a/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml
+++ b/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml
@@ -65,7 +65,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/system_settings/system_settings_siri_disable.yaml b/rules/system_settings/system_settings_siri_disable.yaml index aaf9cdb4..06a1b165 100644 --- a/rules/system_settings/system_settings_siri_disable.yaml +++ b/rules/system_settings/system_settings_siri_disable.yaml @@ -62,7 +62,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_siri_prefpane_disable.yaml b/rules/system_settings/system_settings_siri_prefpane_disable.yaml index 145aed9c..5924029d 100644 --- a/rules/system_settings/system_settings_siri_prefpane_disable.yaml +++ b/rules/system_settings/system_settings_siri_prefpane_disable.yaml @@ -37,7 +37,6 @@ references: macOS: - "14.0" tags: - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_smbd_disable.yaml b/rules/system_settings/system_settings_smbd_disable.yaml index bcef7413..e6b05807 100644 --- a/rules/system_settings/system_settings_smbd_disable.yaml +++ b/rules/system_settings/system_settings_smbd_disable.yaml @@ -58,7 +58,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/system_settings/system_settings_ssh_disable.yaml b/rules/system_settings/system_settings_ssh_disable.yaml index 40d44c88..7af42cd0 100644 --- a/rules/system_settings/system_settings_ssh_disable.yaml +++ b/rules/system_settings/system_settings_ssh_disable.yaml @@ -75,7 +75,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml index f3edfe4e..e0663152 100644 
--- a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml +++ b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml @@ -76,7 +76,6 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/system_settings/system_settings_time_server_configure.yaml b/rules/system_settings/system_settings_time_server_configure.yaml index cb559b46..6586a06b 100644 --- a/rules/system_settings/system_settings_time_server_configure.yaml +++ b/rules/system_settings/system_settings_time_server_configure.yaml @@ -60,7 +60,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_time_server_enforce.yaml b/rules/system_settings/system_settings_time_server_enforce.yaml index 5620b3b7..7ee23cee 100644 --- a/rules/system_settings/system_settings_time_server_enforce.yaml +++ b/rules/system_settings/system_settings_time_server_enforce.yaml @@ -54,7 +54,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_token_removal_enforce.yaml b/rules/system_settings/system_settings_token_removal_enforce.yaml index 7a26d634..b188359f 100644 --- a/rules/system_settings/system_settings_token_removal_enforce.yaml +++ b/rules/system_settings/system_settings_token_removal_enforce.yaml @@ -47,7 +47,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_touch_id_pane_disable.yaml b/rules/system_settings/system_settings_touch_id_pane_disable.yaml index 840b5e15..af0b8e00 100644 --- a/rules/system_settings/system_settings_touch_id_pane_disable.yaml 
+++ b/rules/system_settings/system_settings_touch_id_pane_disable.yaml @@ -37,7 +37,6 @@ references: macOS: - "14.0" tags: - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml b/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml index 1633572f..823dd0a9 100644 --- a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml +++ b/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml @@ -37,7 +37,6 @@ references: macOS: - "14.0" tags: - - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml b/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml index 62b99e98..19ba694b 100644 --- a/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml +++ b/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml @@ -37,7 +37,6 @@ references: macOS: - "14.0" tags: - - stig severity: "medium" mobileconfig: true mobileconfig_info: From 901d01dd331ee25706b8a1004777a94e458c8eaf Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 2 Aug 2023 10:10:14 -0400 Subject: [PATCH 06/62] refactor[rules] Updated sshd rules Updated sshd -T rules to use sshd -G available in OpenSSH 9.3p1 Issue #278 --- rules/auth/auth_ssh_password_authentication_disable.yaml | 2 +- rules/os/os_policy_banner_ssh_enforce.yaml | 2 +- rules/os/os_sshd_client_alive_count_max_configure.yaml | 2 +- rules/os/os_sshd_client_alive_interval_configure.yaml | 2 +- rules/os/os_sshd_fips_140_ciphers.yaml | 2 +- rules/os/os_sshd_fips_140_macs.yaml | 2 +- rules/os/os_sshd_fips_compliant.yaml | 2 +- rules/os/os_sshd_key_exchange_algorithm_configure.yaml | 2 +- rules/os/os_sshd_login_grace_time_configure.yaml | 2 +- rules/os/os_sshd_permit_root_login_configure.yaml | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) 
diff --git a/rules/auth/auth_ssh_password_authentication_disable.yaml b/rules/auth/auth_ssh_password_authentication_disable.yaml index 84905e04..091b3070 100644 --- a/rules/auth/auth_ssh_password_authentication_disable.yaml +++ b/rules/auth/auth_ssh_password_authentication_disable.yaml @@ -7,7 +7,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/sbin/sshd -T | /usr/bin/grep -Ec '^(passwordauthentication\s+no|kbdinteractiveauthentication\s+no)' + /usr/sbin/sshd -G | /usr/bin/grep -Ec '^(passwordauthentication\s+no|kbdinteractiveauthentication\s+no)' result: integer: 2 fix: | diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml index 9705c1a9..de6c048f 100644 --- a/rules/os/os_policy_banner_ssh_enforce.yaml +++ b/rules/os/os_policy_banner_ssh_enforce.yaml @@ -9,7 +9,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/sbin/sshd -T | /usr/bin/grep -c "^banner /etc/banner" + /usr/sbin/sshd -G | /usr/bin/grep -c "^banner /etc/banner" result: integer: 1 fix: | diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml index 19368b2b..ca740adb 100644 --- a/rules/os/os_sshd_client_alive_count_max_configure.yaml +++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml @@ -9,7 +9,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/sbin/sshd -T | /usr/bin/awk '/clientalivecountmax/{print $2}' + /usr/sbin/sshd -G | /usr/bin/awk '/clientalivecountmax/{print $2}' result: integer: $ODV fix: | 
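Review bot: The `sshd -G` output parsed on the new check line of auth_ssh_password_authentication_disable is the global effective configuration, so a `Match` block in sshd_config or sshd_config.d that re-enables `PasswordAuthentication` or `KbdInteractiveAuthentication` for a user, group or address is not reflected and the rule still reports compliant. As far as I can tell `-T` had the same blind spot, so this is not a regression, but it is a security-relevant caveat the rule text should carry. Suggested addition under the existing NOTE: `NOTE: This check reports the global sshd configuration; Match blocks that override these options for specific users, groups or addresses are not evaluated.` The same caveat applies to the other `sshd -G` rules in this series.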
diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml index 1465a432..fb107f0e 100644 --- a/rules/os/os_sshd_client_alive_interval_configure.yaml +++ b/rules/os/os_sshd_client_alive_interval_configure.yaml @@ -11,7 +11,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/sbin/sshd -T | /usr/bin/awk '/clientaliveinterval/{print $2}' + /usr/sbin/sshd -G | /usr/bin/awk '/clientaliveinterval/{print $2}' result: integer: $ODV fix: | diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml index 3d028769..cd3f0de6 100644 --- a/rules/os/os_sshd_fips_140_ciphers.yaml +++ b/rules/os/os_sshd_fips_140_ciphers.yaml @@ -9,7 +9,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/sbin/sshd -T | /usr/bin/grep -ci "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" + /usr/sbin/sshd -G | /usr/bin/grep -ci "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" result: integer: 1 fix: | diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml index b535437b..7a532181 100644 --- a/rules/os/os_sshd_fips_140_macs.yaml +++ b/rules/os/os_sshd_fips_140_macs.yaml @@ -9,7 +9,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/sbin/sshd -T | /usr/bin/grep -ci "^MACs hmac-sha2-256,hmac-sha2-512" + /usr/sbin/sshd -G | /usr/bin/grep -ci "^MACs hmac-sha2-256,hmac-sha2-512" result: integer: 1 fix: | diff --git a/rules/os/os_sshd_fips_compliant.yaml b/rules/os/os_sshd_fips_compliant.yaml index 9d945c64..82bd2c12 100644 --- a/rules/os/os_sshd_fips_compliant.yaml +++ b/rules/os/os_sshd_fips_compliant.yaml 
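Review bot: The new check lines in os_sshd_fips_140_ciphers and os_sshd_fips_140_macs are anchored only at the start of the line, so `grep -ci "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr"` also counts a configuration such as `ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes128-cbc` and the rule passes with non-approved algorithms appended. Anchor the end as well: `/usr/sbin/sshd -G | /usr/bin/grep -ci "^ciphers aes256-ctr,aes192-ctr,aes128-ctr$"` and `/usr/sbin/sshd -G | /usr/bin/grep -ci "^macs hmac-sha2-256,hmac-sha2-512$"`. The other checks in this series already match the lower-case keyword names `sshd -G` prints, so `-i` is only needed if the mixed-case pattern is kept.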
@@ -12,7 +12,7 @@ check: | fips_sshd_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256") total=0 for config in $fips_sshd_config; do - total=$(expr $(/usr/sbin/sshd -T | /usr/bin/grep -i -c "$config") + $total) + total=$(expr $(/usr/sbin/sshd -G | /usr/bin/grep -i -c "$config") + $total) done echo $total diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml index b97665fd..14c88d37 100644 --- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml +++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml @@ -9,7 +9,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/sbin/sshd -T | /usr/bin/grep -ci "^KexAlgorithms diffie-hellman-group-exchange-sha256" + /usr/sbin/sshd -G | /usr/bin/grep -ci "^KexAlgorithms diffie-hellman-group-exchange-sha256" result: integer: 1 fix: | diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml index 89aacd64..052f8a80 100644 --- a/rules/os/os_sshd_login_grace_time_configure.yaml +++ b/rules/os/os_sshd_login_grace_time_configure.yaml @@ -5,7 +5,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/sbin/sshd -T | /usr/bin/awk '/logingracetime/{print $2}' + /usr/sbin/sshd -G | /usr/bin/awk '/logingracetime/{print $2}' result: integer: $ODV fix: | 
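Review bot: The loop in os_sshd_fips_compliant still counts substring matches: `grep -i -c "$config"` with `Ciphers aes128-gcm@openssh.com` also matches a line `ciphers aes128-gcm@openssh.com,aes256-cbc`, so a host with extra non-FIPS algorithms appended to any of the seven settings still reaches the expected total. Matching whole lines fixes it without changing the rule's shape: `total=$(expr $(/usr/sbin/sshd -G | /usr/bin/grep -i -x -F -c "$config") + $total)`. The same end-anchoring applies to the os_sshd_key_exchange_algorithm_configure check in this hunk set, i.e. `grep -ci "^KexAlgorithms diffie-hellman-group-exchange-sha256$"`. The `check:` block's opening line is only in the hunk header, so whatever precedes `fips_sshd_config` in the rule is not visible here.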
diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml index 9cbbafa0..e1b7a889 100644 --- a/rules/os/os_sshd_permit_root_login_configure.yaml +++ b/rules/os/os_sshd_permit_root_login_configure.yaml @@ -7,7 +7,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/sbin/sshd -T | /usr/bin/awk '/permitrootlogin/{print $2}' + /usr/sbin/sshd -G | /usr/bin/awk '/permitrootlogin/{print $2}' result: string: "no" fix: | From 1eb52857d4b734b3a53b81d13394579ac37401a4 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 2 Aug 2023 10:12:58 -0400 Subject: [PATCH 07/62] refactor[scripts] updated scripts with sshd -G - compliance script updated to check sshd -T or sshd -G - updated generate_scap where it checks for sshd -T --- scripts/generate_guidance.py | 2 +- scripts/generate_scap.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index b676f35f..ce18c3d7 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -606,7 +606,7 @@ if [[ $EUID -ne 0 ]]; then fi ssh_key_check=0 -if /usr/sbin/sshd -T &> /dev/null; then +if /usr/sbin/sshd -T &> /dev/null || /usr/sbin/sshd -G &>/dev/null; then ssh_key_check=0 else /usr/bin/ssh-keygen -q -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key diff --git a/scripts/generate_scap.py b/scripts/generate_scap.py index ec8a3497..bfb7a7ab 100755 --- a/scripts/generate_scap.py +++ b/scripts/generate_scap.py 
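Review bot: In the generate_guidance.py hunk the host-key fallback becomes dead code on the sshd the rules now target: as I understand the OpenSSH 9.3 `-G` option, it prints the effective configuration without loading host keys, so `/usr/sbin/sshd -T &> /dev/null || /usr/sbin/sshd -G &>/dev/null` succeeds on a keyless host and the `ssh-keygen` branch never runs. That is harmless because every rule check in this series now uses `-G`, but a reader will assume keys are still being generated when missing; either drop the `-T` probe or add a comment such as `# sshd -G (OpenSSH >= 9.3) needs no host keys; keygen only runs on older sshd where only -T exists`. The emitted shell script and the `else` branch continue outside the hunk.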
@@ -1529,7 +1529,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+999) x = x + 1 continue - if "sshd -T" in rule_yaml['check'] and "fips" in rule_yaml['check']: + if "sshd -T" in rule_yaml['check'] and "fips" in rule_yaml['check'] or "sshd -G" in rule_yaml['check'] and "fips" in rule_yaml['check']: fipslist = rule_yaml['check'].split("\n")[0].split("(")[1].replace(")","").replace('" "',"\n").replace('"',"") @@ -1580,7 +1580,7 @@ def generate_scap(all_rules, all_baselines, args): x = x + 1 continue - if "sshd -T" in rule_yaml['check']: + if "sshd -T" in rule_yaml['check'] or "sshd -G" in rule_yaml['check']: oval_definition = oval_definition + ''' From 2e76ebfbe48aed6b5cda2590973732ae1a75cb5f Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 4 Aug 2023 09:48:26 -0400 Subject: [PATCH 08/62] refactor[rules] Added none tag to old stig rules Added none tag to STIG rules that had no other tag --- rules/icloud/icloud_appleid_preference_pane_disable.yaml | 1 + rules/os/os_anti_virus_installed.yaml | 1 + rules/os/os_camera_disable.yaml | 1 + rules/os/os_screensaver_timeout_loginwindow_enforce.yaml | 1 + rules/os/os_sshd_fips_140_ciphers.yaml | 1 + rules/os/os_sshd_fips_140_macs.yaml | 1 + rules/system_settings/system_settings_assistant_disable.yaml | 1 + .../system_settings_bluetooth_prefpane_disable.yaml | 1 + ...ystem_settings_internet_accounts_preference_pane_disable.yaml | 1 + rules/system_settings/system_settings_siri_prefpane_disable.yaml | 1 + rules/system_settings/system_settings_touch_id_pane_disable.yaml | 1 + .../system_settings_wallet_applepay_prefpane_disable.yaml | 1 + .../system_settings_wallet_applepay_prefpane_hide.yaml | 1 + 13 files changed, 13 insertions(+) diff --git a/rules/icloud/icloud_appleid_preference_pane_disable.yaml b/rules/icloud/icloud_appleid_preference_pane_disable.yaml index bbacdab4..a4260501 100644 --- a/rules/icloud/icloud_appleid_preference_pane_disable.yaml 
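Review bot: The new condition in the first generate_scap.py hunk relies on `and` binding tighter than `or` and repeats the `"fips" in rule_yaml['check']` test twice, which is easy to misread and to break on the next edit. Hoist the sshd test: `uses_sshd = "sshd -T" in rule_yaml['check'] or "sshd -G" in rule_yaml['check']` followed by `if uses_sshd and "fips" in rule_yaml['check']:`. The second hunk could then be `if uses_sshd:` provided the variable is assigned before that branch in the same iteration, which the hunk does not show; both hunks sit inside `generate_scap`, whose body starts and ends outside them.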
+++ b/rules/icloud/icloud_appleid_preference_pane_disable.yaml @@ -35,6 +35,7 @@ references: macOS: - "14.0" tags: + - none severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml index db2b18a5..aace5590 100644 --- a/rules/os/os_anti_virus_installed.yaml +++ b/rules/os/os_anti_virus_installed.yaml @@ -30,6 +30,7 @@ references: macOS: - "14.0" tags: + - none severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml index 827ad0b2..872c448e 100644 --- a/rules/os/os_camera_disable.yaml +++ b/rules/os/os_camera_disable.yaml @@ -29,6 +29,7 @@ references: macOS: - "14.0" tags: + - none severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml index 9ea62d77..c82d601b 100644 --- a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml @@ -46,6 +46,7 @@ odv: recommended: 1200 stig: 900 tags: + - none severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml index cd3f0de6..ae85b1fc 100644 --- a/rules/os/os_sshd_fips_140_ciphers.yaml +++ b/rules/os/os_sshd_fips_140_ciphers.yaml @@ -65,6 +65,7 @@ references: macOS: - "14.0" tags: + - none severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml index 7a532181..f7232cc6 100644 --- a/rules/os/os_sshd_fips_140_macs.yaml +++ b/rules/os/os_sshd_fips_140_macs.yaml @@ -65,6 +65,7 @@ references: macOS: - "14.0" tags: + - none severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/system_settings/system_settings_assistant_disable.yaml b/rules/system_settings/system_settings_assistant_disable.yaml index 54f38daa..cfd45ca3 100644 --- a/rules/system_settings/system_settings_assistant_disable.yaml +++ b/rules/system_settings/system_settings_assistant_disable.yaml @@ -40,6 +40,7 @@ references: macOS: - "14.0" tags: + - none severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml b/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml index 11b1981f..017e006f 100644 --- a/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml +++ b/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml @@ -32,6 +32,7 @@ references: macOS: - "12.0" tags: + - none severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml b/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml index d18b63c7..58c5c605 100644 --- a/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml +++ b/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml @@ -40,6 +40,7 @@ references: macOS: - "14.0" tags: + - none severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_siri_prefpane_disable.yaml b/rules/system_settings/system_settings_siri_prefpane_disable.yaml index 5924029d..b32bc4e3 100644 --- a/rules/system_settings/system_settings_siri_prefpane_disable.yaml +++ b/rules/system_settings/system_settings_siri_prefpane_disable.yaml @@ -37,6 +37,7 @@ references: macOS: - "14.0" tags: + - none severity: "medium" mobileconfig: true mobileconfig_info: 
diff --git a/rules/system_settings/system_settings_touch_id_pane_disable.yaml b/rules/system_settings/system_settings_touch_id_pane_disable.yaml index af0b8e00..f7f8938e 100644 --- a/rules/system_settings/system_settings_touch_id_pane_disable.yaml +++ b/rules/system_settings/system_settings_touch_id_pane_disable.yaml @@ -37,6 +37,7 @@ references: macOS: - "14.0" tags: + - none severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml b/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml index 823dd0a9..304230b6 100644 --- a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml +++ b/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml @@ -37,6 +37,7 @@ references: macOS: - "14.0" tags: + - none severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml b/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml index 19ba694b..9e85eb53 100644 --- a/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml +++ b/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml @@ -37,6 +37,7 @@ references: macOS: - "14.0" tags: + - none severity: "medium" mobileconfig: true mobileconfig_info: From 72cca760d4284637fdf9c547487f0b119d964e1f Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Mon, 7 Aug 2023 14:21:39 -0400 Subject: [PATCH 09/62] refactor[rules] Added 2 rules Added rule to configure unusedconnectiontimeout and channeltimeout in sshd. These are new options in openssh 9.3 Issue #278 --- .../os/os_sshd_channel_timeout_configure.yaml | 67 +++++++++++++++++++ ...d_unused_connection_timeout_configure.yaml | 67 +++++++++++++++++++ 2 files changed, 134 insertions(+) create mode 100644 rules/os/os_sshd_channel_timeout_configure.yaml create mode 100644 rules/os/os_sshd_unused_connection_timeout_configure.yaml diff --git a/rules/os/os_sshd_channel_timeout_configure.yaml b/rules/os/os_sshd_channel_timeout_configure.yaml new file mode 100644 index 00000000..661d0166 --- /dev/null +++ b/rules/os/os_sshd_channel_timeout_configure.yaml 
@@ -0,0 +1,67 @@ +id: os_sshd_channel_timeout_configure +title: "Configure SSHD Channel Timeout to $ODV" +discussion: | + If SSHD is enabled it _MUST_ be configured with session ChannelTime out set to $ODV. + + This will set the time out when the session is inactive. + + NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. +check: | + /usr/sbin/sshd -G | /usr/bin/awk -F "=" '/channeltimeout session:*/{print $2}' +result: + integer: $ODV +fix: | + [source,bash] + ---- + include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') + + if [[ -z $include_dir ]]; then + /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config + fi + + /usr/bin/grep -qxF 'channeltimeout session:*=$ODV' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "channeltimeout session:*=$ODV" >> "${include_dir}01-mscp-sshd.conf" + + for file in $(ls ${include_dir}); do + if [[ "$file" == "100-macos.conf" ]]; then + continue + fi + if [[ "$file" == "01-mscp-sshd.conf" ]]; then + break + fi + /bin/mv ${include_dir}${file} ${include_dir}20-${file} + done + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - SC-10 + - AC-12 + 800-53r4: + - SC-10 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - 3.13.9 + cmmc: + - AC.L2-3.1.11 + - SC.L2-3.13.9 +odv: + hint: "Number of seconds." + recommended: 900 +tags: + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - cmmc_lvl2 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_unused_connection_timeout_configure.yaml b/rules/os/os_sshd_unused_connection_timeout_configure.yaml new file mode 100644 index 00000000..cd7258e0 --- /dev/null +++ b/rules/os/os_sshd_unused_connection_timeout_configure.yaml 
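Review bot: The fix block of the new os_sshd_channel_timeout_configure rule never assigns `include_dir` when it has to add the `Include` line itself: after the `sed` on `/etc/ssh/sshd_config` the variable is still empty, so the directive is appended to `01-mscp-sshd.conf` in the current working directory and `for file in $(ls ${include_dir})` then renames files of the working directory to `20-*`. Set the path in that branch: `include_dir="/etc/ssh/sshd_config.d/"` right after the `sed`. Separately, the awk pattern `/channeltimeout session:*/` treats `*` as a quantifier on the colon rather than the literal wildcard written by the fix, so it should read `'/^channeltimeout session:\*=/{print $2}'`; it matches today only because the quantifier is permissive. The sibling rule added by this commit reuses the same fix template.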
@@ -0,0 +1,67 @@ +id: os_sshd_unused_connection_timeout_configure +title: "Configure SSHD Unused Connection Timeout to $ODV" +discussion: | + If SSHD is enabled it _MUST_ be configured with unused connectione timeout set to $ODV. + + This will set the time out when there are no open channels within an session. + + NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. +check: | + /usr/sbin/sshd -G | /usr/bin/awk '/unusedconnectionetimeout/{print $2}' +result: + integer: $ODV +fix: | + [source,bash] + ---- + include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') + + if [[ -z $include_dir ]]; then + /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config + fi + + /usr/bin/grep -qxF 'unusedconnectionetimeout $ODV' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "unusedconnectionetimeout $ODV" >> "${include_dir}01-mscp-sshd.conf" + + for file in $(ls ${include_dir}); do + if [[ "$file" == "100-macos.conf" ]]; then + continue + fi + if [[ "$file" == "01-mscp-sshd.conf" ]]; then + break + fi + /bin/mv ${include_dir}${file} ${include_dir}20-${file} + done + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - SC-10 + - AC-12 + 800-53r4: + - SC-10 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - 3.13.9 + cmmc: + - AC.L2-3.1.11 + - SC.L2-3.13.9 +odv: + hint: "Number of seconds." + recommended: 900 +tags: + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - cmmc_lvl2 +mobileconfig: false +mobileconfig_info: \ No newline at end of file From ea7f196369098ae105e4b98947b0883ff916188e Mon Sep 17 00:00:00 2001 From: mahlmanj Date: Tue, 8 Aug 2023 15:14:30 -0400 Subject: [PATCH 10/62] Addressing issue #282 --- rules/supplemental/supplemental_cis_manual.yaml | 1 + 1 file changed, 1 insertion(+) 
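Review bot: The keyword is misspelled in both the check and the fix of os_sshd_unused_connection_timeout_configure: the option the commit message names is `UnusedConnectionTimeout`, but the check greps `unusedconnectionetimeout` (extra `e`) and the fix writes `unusedconnectionetimeout $ODV` into `01-mscp-sshd.conf`. As far as I know sshd rejects an unknown keyword as a bad configuration option and refuses to start, so applying this fix would take remote SSH down on the host and, because every other rule now runs `sshd -G`, make all sshd checks fail until the line is removed by hand; the check itself can never pass. The two affected lines should read `/usr/sbin/sshd -G | /usr/bin/awk '/unusedconnectiontimeout/{print $2}'` and `/usr/bin/grep -qxF 'unusedconnectiontimeout $ODV' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "unusedconnectiontimeout $ODV" >> "${include_dir}01-mscp-sshd.conf"`. The `include_dir` fallback in the same fix block also leaves the variable empty after inserting the `Include` line, so the directive and the rename loop would then operate on the current working directory.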
diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index 9cd3d897..e66d5eda 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml @@ -51,6 +51,7 @@ discussion: | |Section |Applications + |Recommendations |6.2.1 Ensure Protect Mail Activity in Mail Is Enabled + 6.3.2 Audit History and Remove History Items + 6.3.5 Audit Hide IP Address in Safari Setting + From 351c94cf83fd1104996ad279b8c90fe257bd5dcf Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 14 Aug 2023 14:45:35 -0400 Subject: [PATCH 11/62] refactor[rules/templates] Matched with Ventura Merged new commits that have been merged into Ventura since dev_sonoma was created. --- ...s_hibernate_mode_apple_silicon_enable.yaml | 66 ++++++++++++++++ ...ate_mode_destroyfvkeyonstandby_enable.yaml | 2 +- rules/os/os_hibernate_mode_enable.yaml | 75 ------------------- rules/os/os_hibernate_mode_intel_enable.yaml | 67 +++++++++++++++++ rules/os/os_power_nap_disable.yaml | 2 +- ...orld_writable_system_folder_configure.yaml | 4 +- .../supplemental/supplemental_cis_manual.yaml | 10 +-- ...ttings_location_services_menu_enforce.yaml | 2 +- ..._settings_wake_network_access_disable.yaml | 2 +- templates/adoc_additional_docs.adoc | 14 +++- 10 files changed, 155 insertions(+), 89 deletions(-) create mode 100644 rules/os/os_hibernate_mode_apple_silicon_enable.yaml delete mode 100644 rules/os/os_hibernate_mode_enable.yaml create mode 100644 rules/os/os_hibernate_mode_intel_enable.yaml diff --git a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml new file mode 100644 index 00000000..046b255c --- /dev/null +++ b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml 
@@ -0,0 +1,66 @@ +id: os_hibernate_mode_apple_silicon_enable +title: "Enable Hibernate Mode (Apple Silicon)" +discussion: | + Hibernate mode _MUST_ be enabled. + + This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack. + + Apple Silicon MacBooks should set sleep timeout to 10 minutes (600 seconds) or less and the display sleep timeout should be 15 minutes (900 seconds) or less but greater than the sleep setting. + This setting ensures that MacBooks will not hibernate and require FileVault authentication wheneve the display goes to sleep for a short period of time. + + NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops. +check: | + error_count=0 + if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then + hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}') + sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}') + displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}') + + if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 10 ]]; then + ((error_count++)) + fi + if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 15 ]] || [[ "$displaysleepMode" -lt "$sleepMode" ]]; then + ((error_count++)) + fi + if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then + ((error_count++)) + fi + fi + echo "$error_count" +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/bin/pmset -a sleep 10 + /usr/bin/pmset -a displaysleep 15 + /usr/bin/pmset -a hibernatemode 25 + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.9.1.2 (level 2) + controls v8: + - 4.1 +macOS: + - "14.0" +tags: + - cis_lvl2 + - cisv8 + - arm64 +mobileconfig: false +mobileconfig_info: 
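Review bot: The sleep-timeout test in the new os_hibernate_mode_apple_silicon_enable check accepts a MacBook that never idles to sleep: `pmset` uses `0` to mean "never", and `[[ "$sleepMode" -gt 10 ]]` does not flag it, so a machine with `sleep 0` passes although it will not hibernate on idle and the cold-boot mitigation the discussion describes only applies on lid close. The discussion also says display sleep must be greater than the sleep setting, but the check only rejects `-lt`, so equal values pass. Suggested lines: `if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -eq 0 ]] || [[ "$sleepMode" -gt 10 ]]; then` and `... || [[ "$displaysleepMode" -le "$sleepMode" ]]; then`. The `ioreg ... grep -q "MacBook"` guard means desktops report 0 errors by design, which deserves a comment in the check so it is not mistaken for a pass.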
\ No newline at end of file diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml index be2ff146..32b7ad4e 100644 --- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml +++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml @@ -28,7 +28,7 @@ references: - N/A cis: benchmark: - - 2.9.3 (level 2) + - 2.9.1.3 (level 2) controls v8: - 4.1 macOS: diff --git a/rules/os/os_hibernate_mode_enable.yaml b/rules/os/os_hibernate_mode_enable.yaml deleted file mode 100644 index 9667ea27..00000000 --- a/rules/os/os_hibernate_mode_enable.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -id: os_hibernate_mode_enable -title: "Enable Hibernate Mode" -discussion: | - Hibernate mode _MUST_ be enabled. - - NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops. -check: | - error_count=0 - if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then - hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}') - if [[ "$(/usr/sbin/sysctl -n machdep.cpu.brand_string)" =~ "Intel" ]]; then - hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}') - hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}') - hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}') - - if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 600 ]]; then - ((error_count++)) - fi - if [[ "$hibernateStandbyHighValue" == "" ]] || [[ "$hibernateStandbyHighValue" -gt 600 ]]; then - ((error_count++)) - fi - if [[ "$hibernateStandbyThreshValue" == "" ]] || [[ "$hibernateStandbyThreshValue" -lt 90 ]]; then - ((error_count++)) - fi - else - if [[ "$(/usr/bin/pmset -g | /usr/bin/grep standbydelay 2>&1 | /usr/bin/awk '{print $2}')" -gt 900 ]]; then - ((error_count++)) - fi - fi - if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then - ((error_count++)) - fi - fi - echo "$error_count" -result: - integer: 0 -fix: | - [source,bash] - ---- - /usr/bin/pmset -a hibernatemode 25 - if [[ "$(/usr/sbin/sysctl -n machdep.cpu.brand_string)" =~ "Intel" ]]; then - /usr/bin/pmset -a standbydelayhigh 600 - /usr/bin/pmset -a standbydelaylow 600 - /usr/bin/pmset -a highstandbythreshold 90 - else - /usr/bin/pmset -a standbydelay 900 - fi - ---- -references: - cce: - - N/A - cci: - - N/A - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - N/A - disa_stig: - - N/A - 800-171r2: - - N/A - cis: - 
benchmark: - - 2.9.3 (level 2) - controls v8: - - 4.1 -macOS: - - "14.0" -tags: - - cis_lvl2 - - cisv8 -mobileconfig: false -mobileconfig_info: diff --git a/rules/os/os_hibernate_mode_intel_enable.yaml b/rules/os/os_hibernate_mode_intel_enable.yaml new file mode 100644 index 00000000..17fe02de --- /dev/null +++ b/rules/os/os_hibernate_mode_intel_enable.yaml 
@@ -0,0 +1,67 @@ +id: os_hibernate_mode_intel_enable +title: "Enable Hibernate Mode (Intel)" +discussion: | + Hibernate mode _MUST_ be enabled. + + This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack. + +check: | + error_count=0 + if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then + hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}') + hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}') + hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}') + hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}') + + if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 900 ]]; then + ((error_count++)) + fi + if [[ "$hibernateStandbyHighValue" == "" ]] || [[ "$hibernateStandbyHighValue" -gt 900 ]]; then + ((error_count++)) + fi + if [[ "$hibernateStandbyThreshValue" == "" ]] || [[ "$hibernateStandbyThreshValue" -lt 90 ]]; then + ((error_count++)) + fi + if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then + ((error_count++)) + fi + fi + echo "$error_count" +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/bin/pmset -a standbydelaylow 900 + /usr/bin/pmset -a standbydelayhigh 900 + /usr/bin/pmset -a highstandbythreshold 90 + /usr/bin/pmset -a hibernatemode 25 + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.9.1.1 (level 2) + controls v8: + - 4.1 +macOS: + - "14.0" +tags: + - cis_lvl2 + - cisv8 + - i386 +mobileconfig: false +mobileconfig_info: \ No newline at end of file 
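Review bot: The discussion's statement that hibernate mode "will stop the potential for a cold-boot attack" overstates what this check enforces: standbydelaylow and standbydelayhigh are accepted up to 900 seconds, so RAM stays powered through up to 15 minutes of ordinary sleep before the hibernate image is used, and the text should say so. I would reword it to `This stores a copy of memory to persistent storage and removes power from memory once the standby delay (at most 900 seconds under this rule) elapses; it narrows, but does not eliminate, the window for a cold-boot attack, and the FileVault key remains in memory during sleep unless DestroyFVKeyOnStandby is also set (see the separate os_hibernate_mode_destroyfvkeyonstandby_enable rule).` The check also reads hibernatemode with `pmset -b -g` but the standby values with `pmset -g` (the active power source) while the fix sets everything with `-a`, so a machine configured only per power source can pass or fail depending on whether it is plugged in; reading all four values from the same source would make the result deterministic.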
diff --git a/rules/os/os_power_nap_disable.yaml b/rules/os/os_power_nap_disable.yaml index 83d88f24..a6aad028 100644 --- a/rules/os/os_power_nap_disable.yaml +++ b/rules/os/os_power_nap_disable.yaml @@ -41,7 +41,7 @@ references: - N/A cis: benchmark: - - 2.9.1 (level 1) + - 2.9.2 (level 1) controls v8: - 4.1 - 4.8 diff --git a/rules/os/os_world_writable_system_folder_configure.yaml b/rules/os/os_world_writable_system_folder_configure.yaml index 22ee8e8d..908ef381 100644 --- a/rules/os/os_world_writable_system_folder_configure.yaml +++ b/rules/os/os_world_writable_system_folder_configure.yaml @@ -3,14 +3,14 @@ title: "Ensure No World Writable Files Exist in the System Folder" discussion: | Folders in /System/Volumes/Data/System _MUST_ not be world-writable. check: | - /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -v "Drop Box" | /usr/bin/wc -l | /usr/bin/xargs + /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -v "downloadDir" | /usr/bin/wc -l | /usr/bin/xargs result: integer: 0 fix: | [source,bash] ---- IFS=$'\n' - for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "Drop Box" ); do + for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "downloadDir" ); do /bin/chmod -R o-w "$sysPermissions" done ---- diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index e66d5eda..d4e7a1ef 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml 
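Review bot: Swapping the `"Drop Box"` exclusion for `grep -v "downloadDir"` still filters by an unanchored substring over the entire `find -ls` line, so any world-writable directory whose path merely contains `downloadDir` is skipped by both the check and the fix, and an attacker able to create directories under the tree can hide one by name. If the intent is to exempt a single well-known directory, filter inside find instead, e.g. `/usr/bin/find /System/Volumes/Data/System -type d -perm -2 ! -name "downloadDir" -ls | /usr/bin/wc -l | /usr/bin/xargs` with the same `! -name` in the fix's loop, or `! -path "<full path>"` if the exempt location is fixed. Note also that the fix's `chmod -R o-w` strips world-write from every file beneath a matched directory, which is broader than the directory-only condition the check counts; unless the recursion is deliberate, a non-recursive `chmod o-w "$sysPermissions"` matches the check exactly.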
@@ -11,15 +11,18 @@ discussion: | |Recommendations |2.1.1.1 Audit iCloud Keychain + 2.1.1.2 Audit iCloud Drive + + 2.1.1.4 Audit Security Keys Used With AppleIDs + 2.1.2 Audit App Store Password Settings + 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information + 2.5.1 Audit Siri Settings + 2.6.1.3 Audit Location Services Access + 2.6.6 Audit Lockdown Mode + 2.8.1 Audit Universal Control Settings + - 2.11.2 Audit Touch ID and Wallet & Apple Pay Settings + + 2.11.2 Audit Touch ID + 2.13.1 Audit Passwords System Preference Setting + - 2.14.1 Audit Notification & Focus Settings + + 2.14.1 Audit Game Center Settings + + 2.15.1 Audit Notification & Focus Settings + + 2.16.1 Audit Wallet & Apple Pay Settings + |=== [cols="15%h, 85%a"] @@ -43,7 +46,6 @@ discussion: | 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured + 5.3.1 Ensure All User Storage APFS Volumes are Encrypted + 5.3.2 Ensure All User Storage CoreStorage Volumes are Encrypted + - 5.5 Ensure Login Keychain is Locked when the Computer Sleeps + |=== [cols="15%h, 85%a"] @@ -51,11 +53,9 @@ discussion: | |Section |Applications - |Recommendations |6.2.1 Ensure Protect Mail Activity in Mail Is Enabled + 6.3.2 Audit History and Remove History Items + 6.3.5 Audit Hide IP Address in Safari Setting + - 6.3.7 Audit History and Remove History Items + |=== check: | fix: | diff --git a/rules/system_settings/system_settings_location_services_menu_enforce.yaml b/rules/system_settings/system_settings_location_services_menu_enforce.yaml index 9c8b71c7..82fed1bb 100644 --- a/rules/system_settings/system_settings_location_services_menu_enforce.yaml +++ b/rules/system_settings/system_settings_location_services_menu_enforce.yaml @@ -1,5 +1,5 @@ id: system_settings_location_services_menu_enforce -title: "Enable Location Services" +title: "Ensure Location Services Is In the Menu Bar" discussion: | Location Services menu item _MUST_ be enabled. check: | 
diff --git a/rules/system_settings/system_settings_wake_network_access_disable.yaml b/rules/system_settings/system_settings_wake_network_access_disable.yaml index befba599..63d249cf 100644 --- a/rules/system_settings/system_settings_wake_network_access_disable.yaml +++ b/rules/system_settings/system_settings_wake_network_access_disable.yaml @@ -28,7 +28,7 @@ references: - N/A cis: benchmark: - - 2.9.2 (level 1) + - 2.9.3 (level 1) controls v8: - 4.8 macOS: diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc index aa4e59d0..ac466484 100644 --- a/templates/adoc_additional_docs.adoc +++ b/templates/adoc_additional_docs.adoc @@ -21,7 +21,7 @@ ASSOCIATED DOCUMENTS |link:https://nvd.nist.gov/800-53[NIST Special Publication 800-53 Rev 5]|_NIST Special Publication 800-53 Rev 5_ |link:https://www.nist.gov/itl/tig/projects/special-publication-800-63[NIST Special Publication 800-63]|_NIST Special Publication 800-63_ |link:https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final[NIST Special Publication 800-171]|_NIST Special Publication 800-171 Rev 2_ -|link:https://csrc.nist.gov/publications/detail/sp/800-219/final[NIST Special Publication 800-219]|_NIST Special Publication 800-219 Rev 1_ +|link:https://csrc.nist.gov/pubs/sp/800/219/r1/final[NIST Special Publication 800-219]|\_NIST Special Publication 800-219 Rev 1\_ |=== [%header, cols=2*a] 
@@ -29,7 +29,15 @@ ASSOCIATED DOCUMENTS |=== |Document Number or Descriptor |Document Title -|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_13_V1R1_STIG.zip[STIG Ver 1, Rel 1]|_Apple macOS 13 (Ventura) STIG_ +|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_13_V1R2_STIG.zip[STIG Ver 1, Rel 2]|_Apple macOS 13 (Ventura) STIG_ +|=== + +[%header, cols=2*a] +.Cybersecurity Maturity Model Certification (CMMC) +|=== +|Document Number or Descriptor +|Document Title +|link:https://dodcio.defense.gov/Portals/0/Documents/CMMC/ModelOverview_V2.0_FINAL2_20211202_508.pdf[CMMC Model Overview v2.0]|_Cybersecurity Maturity Model Certification (CMMC) Model Overview v2.0_ |=== [%header, cols=2*a] @@ -56,5 +64,5 @@ ASSOCIATED DOCUMENTS |=== |Document Number or Descriptor |Document Title -|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 13.0]|_CIS Apple macOS 13.0 Benchmark version 1.0.0_ +|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 13.0]|_CIS Apple macOS 13.0 Benchmark version 1.1.0_ |=== \ No newline at end of file From 49b715e5875ff2b8bf30dcc2086d495881a8c72c Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 14 Aug 2023 14:51:28 -0400 Subject: [PATCH 12/62] refactor[scripts] updated generate_guidance Updated generate_guidance to match PR #279 --- scripts/generate_guidance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index ce18c3d7..d61889d0 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -1082,7 +1082,7 @@ fi if [[ "$ssh_key_check" -ne 0 ]]; then /bin/rm /etc/ssh/ssh_host_rsa_key - /bin/rm /etc/ssh/ssh_host_rsa_key.public + /bin/rm /etc/ssh/ssh_host_rsa_key.pub ssh_key_check=0 fi """ From ef77483090bd6367e8db616fc6dc57d2c7af96d0 Mon Sep 17 00:00:00 2001 
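Review bot: Deleting `/etc/ssh/ssh_host_rsa_key` and its `.pub` changes the host's SSH identity, and clients that already trust the old key will see a "host key has changed" warning that is indistinguishable from a MITM; the generated shell should at least log that the RSA host key was removed so operators can publish the new fingerprint. Using `/bin/rm -f` on both lines would also make the step idempotent when the `.pub` (whose name this commit corrects) is already gone, instead of emitting an error on a partially cleaned host. The Python string literal and the function that emits it begin outside the hunk.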
From: Allen Golbig Date: Wed, 16 Aug 2023 15:30:00 -0400 Subject: [PATCH 13/62] fixed missing deprecation msg --- rules/os/os_blank_bluray_disable.yaml | 2 +- rules/os/os_blank_cd_disable.yaml | 2 +- rules/os/os_blank_dvd_disable.yaml | 2 +- rules/os/os_bluray_read_only_enforce.yaml | 2 +- rules/os/os_calendar_app_disable.yaml | 16 ++++++++-------- rules/os/os_cd_read_only_enforce.yaml | 2 +- rules/os/os_disk_image_disable.yaml | 2 +- rules/os/os_dvdram_disable.yaml | 2 +- rules/os/os_facetime_app_disable.yaml | 7 ++++++- rules/os/os_mail_app_disable.yaml | 5 +++++ rules/os/os_messages_app_disable.yaml | 7 ++++++- rules/os/os_removable_media_disable.yaml | 2 +- rules/os/os_user_app_installation_prohibit.yaml | 5 +++++ 13 files changed, 38 insertions(+), 18 deletions(-) diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml index 1f767e44..debd606d 100644 --- a/rules/os/os_blank_bluray_disable.yaml +++ b/rules/os/os_blank_bluray_disable.yaml @@ -10,7 +10,7 @@ discussion: | [IMPORTANT] ==== - Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml index 301d59eb..3cf961d2 100644 --- a/rules/os/os_blank_cd_disable.yaml +++ b/rules/os/os_blank_cd_disable.yaml 
@@ -10,7 +10,7 @@ discussion: | [IMPORTANT] ==== - Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml index 79c935e4..3cf42ea8 100644 --- a/rules/os/os_blank_dvd_disable.yaml +++ b/rules/os/os_blank_dvd_disable.yaml @@ -10,7 +10,7 @@ discussion: | [IMPORTANT] ==== - Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS diff --git a/rules/os/os_bluray_read_only_enforce.yaml b/rules/os/os_bluray_read_only_enforce.yaml index 3db89db0..9cce0251 100644 --- a/rules/os/os_bluray_read_only_enforce.yaml +++ b/rules/os/os_bluray_read_only_enforce.yaml 
@@ -10,7 +10,7 @@ discussion: | [IMPORTANT] ==== - Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml index d9b05420..f627acd7 100644 --- a/rules/os/os_calendar_app_disable.yaml +++ b/rules/os/os_calendar_app_disable.yaml @@ -7,6 +7,11 @@ discussion: | ==== Some organizations allow the use of the built-in Calendar.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== + + [IMPORTANT] + ==== + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. + ==== check: | /usr/bin/osascript -l JavaScript << EOS function run() { @@ -59,14 +64,9 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 - - cisv8 + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high severity: "medium" mobileconfig: true mobileconfig_info: 
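Review bot: The second hunk drops this rule from the 800-53r5, 800-53r4, 800-171 and cisv8 baselines (replacing them with the cnssi-1253 tags) while the commit message only mentions a missing deprecation notice; if the removal is deliberate because the application-restriction control is deprecated, the commit description or the rule's discussion should say so, otherwise baseline consumers see the rule disappear without explanation. Separately, the retained context in the first hunk says ISSOs "may make the risk-based decision not to disable the macOS built-in Mail.app" inside the Calendar rule; it should read `Calendar.app`.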
diff --git a/rules/os/os_cd_read_only_enforce.yaml b/rules/os/os_cd_read_only_enforce.yaml index 615e7018..738aee1f 100644 --- a/rules/os/os_cd_read_only_enforce.yaml +++ b/rules/os/os_cd_read_only_enforce.yaml @@ -10,7 +10,7 @@ discussion: | [IMPORTANT] ==== - Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml index 4496f6db..5afb65e1 100644 --- a/rules/os/os_disk_image_disable.yaml +++ b/rules/os/os_disk_image_disable.yaml @@ -10,7 +10,7 @@ discussion: | [IMPORTANT] ==== - Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml index ad2c0566..fe29df11 100644 --- a/rules/os/os_dvdram_disable.yaml +++ b/rules/os/os_dvdram_disable.yaml 
@@ -10,7 +10,7 @@ discussion: | [IMPORTANT] ==== - Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml index 5eb5a962..cb21ee43 100644 --- a/rules/os/os_facetime_app_disable.yaml +++ b/rules/os/os_facetime_app_disable.yaml @@ -3,7 +3,12 @@ title: "Disable FaceTime.app" discussion: | The macOS built-in FaceTime.app _MUST_ be disabled. - The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access. + The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access. + + [IMPORTANT] + ==== + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. + ==== check: | /usr/bin/osascript -l JavaScript << EOS function run() { diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml index 83e7d91f..6539da0f 100644 --- a/rules/os/os_mail_app_disable.yaml +++ b/rules/os/os_mail_app_disable.yaml 
@@ -9,6 +9,11 @@ discussion: | ==== Some organizations allow the use of the built-in Mail.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== + + [IMPORTANT] + ==== + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. + ==== check: | /usr/bin/osascript -l JavaScript << EOS function run() { diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml index 8128cfcd..351054f9 100644 --- a/rules/os/os_messages_app_disable.yaml +++ b/rules/os/os_messages_app_disable.yaml @@ -3,7 +3,12 @@ title: "Disable Messages App" discussion: | The macOS built-in Messages.app _MUST_ be disabled. - The Messages.app establishes a connection to Apple's iCloud service, even when security controls to disable iCloud access have been put in place. + The Messages.app establishes a connection to Apple's iCloud service, even when security controls to disable iCloud access have been put in place. + + [IMPORTANT] + ==== + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. + ==== check: | /usr/bin/osascript -l JavaScript << EOS function run() { 
diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml index 5b3f3374..8c10270f 100644 --- a/rules/os/os_removable_media_disable.yaml +++ b/rules/os/os_removable_media_disable.yaml @@ -12,7 +12,7 @@ discussion: | [IMPORTANT] ==== - Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== check: | /usr/bin/osascript -l JavaScript << EOS diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml index ec13a424..20aaa9ae 100644 --- a/rules/os/os_user_app_installation_prohibit.yaml +++ b/rules/os/os_user_app_installation_prohibit.yaml @@ -4,6 +4,11 @@ discussion: | Users _MUST_ not be allowed to install software into /Users/. Allowing regular users to install software, without explicit privileges, presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. + + [IMPORTANT] + ==== + Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. + ==== check: | /usr/bin/osascript -l JavaScript << EOS function run() { 
From c390ebe75f78b7407506b52e67a24efaa991c790 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 30 Aug 2023 12:17:58 -0400 Subject: [PATCH 14/62] refactor[rules] Added rule using new regex Regex mobileconfig profile added for lower and upper case character enforce. --- ...cy_lower_upper_case_character_enforce.yaml | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml diff --git a/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml new file mode 100644 index 00000000..4d4bf478 --- /dev/null +++ b/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml 
@@ -0,0 +1,71 @@ +id: pwpolicy_lower_upper_case_character_enforce +title: "Require Passwords Contain a Minimum of One Lowercase Character and One Uppercase Character" +discussion: | + The macOS _MUST_ be configured to require at least one lower-case character and one upper-case character be used when a password is created. + + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. +check: | + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.*[A-Z]{1,}[a-z]{1,}.*'\''")])' - +result: + string: "true" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - IA-5(1) + 800-53r4: + - IA-5 + - IA-5(1) + disa_stig: + - N/A + srg: + - N/A + 800-171r2: + - 3.5.1 + - 3.5.2 + - 3.5.7 + - 3.5.8 + - 3.5.9 + - 3.5.10 + cis: + benchmark: + - 5.2.6 (level 2) + controls v8: + - 5.2 + cmmc: + - IA.L2-3.5.7 + - IA.L2-3.5.8 + - IA.L2-3.5.9 +macOS: + - "14.0" +odv: + hint: "Number of lowercase characters." + recommended: 1 + cis_lvl2: 1 +tags: + - 800-171 + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - cis_lvl2 + - cisv8 + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - cmmc_lvl2 +mobileconfig: true +mobileconfig_info: + com.apple.mobiledevice.passwordpolicy: + customRegex: + passwordContentRegex: .*[A-Z]{1,}[a-z]{1,}.* + passwordContentDescription: + default: "Password must include 1 uppercase and 1 lowercase character" \ No newline at end of file 
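Review bot: The regex `.*[A-Z]{1,}[a-z]{1,}.*` in passwordContentRegex (mirrored in the check's XPath) does not express "contains at least one uppercase and one lowercase character": it requires an uppercase run immediately followed by a lowercase run, so `abcDEF1` or `passWORD` is rejected while `Ab` is accepted, and users will be refused passwords that satisfy the stated policy. If the password-policy regex engine accepts lookaheads (this should be confirmed on a test device, since customRegex is evaluated by the OS), the independent requirements are `passwordContentRegex: ^(?=.*[A-Z])(?=.*[a-z]).*$`, with the identical string substituted into the check's `contains(text(), ...)` so the two stay in lockstep. The `odv` block declared here is not yet referenced by the regex or the check, and its hint "Number of lowercase characters." names only one class although the value is evidently meant to drive both minimums.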
From e3d0cb1fd6eff2b718c06a1f0821634902437978 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 30 Aug 2023 12:21:05 -0400 Subject: [PATCH 15/62] refactor[rules] added ODV variable --- .../pwpolicy_lower_upper_case_character_enforce.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml index 4d4bf478..adae3bd2 100644 --- a/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml @@ -6,6 +6,8 @@ discussion: | This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. + + NOTE: The configuration profile generated must be installed from an MDM server. check: | /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.*[A-Z]{1,}[a-z]{1,}.*'\''")])' - result: @@ -66,6 +68,6 @@ mobileconfig: true mobileconfig_info: com.apple.mobiledevice.passwordpolicy: customRegex: - passwordContentRegex: .*[A-Z]{1,}[a-z]{1,}.* + passwordContentRegex: .*[A-Z]{$ODV,}[a-z]{$ODV,}.* passwordContentDescription: - default: "Password must include 1 uppercase and 1 lowercase character" \ No newline at end of file + default: "Password must include $ODV uppercase and $ODV lowercase character" \ No newline at end of file From 40e4f147cab59f63d5d489482b820de8cc783f36 Mon Sep 17 00:00:00 2001 
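Review bot: With `{$ODV,}` the profile regex `.*[A-Z]{$ODV,}[a-z]{$ODV,}.*` now demands $ODV consecutive uppercase letters immediately followed by $ODV consecutive lowercase letters, so for ODV=2 a password such as `AbCd12` fails while `AAbb` passes, which is not the "minimum of $ODV uppercase and $ODV lowercase" the rule promises. Counting each class independently needs lookaheads, e.g. `passwordContentRegex: ^(?=(?:.*[A-Z]){$ODV,})(?=(?:.*[a-z]){$ODV,}).*$`, assuming the policy engine supports them, and the check's XPath string (still `{1,}` in this hunk) must carry the identical text or the check will never report true. The description `default: "Password must include $ODV uppercase and $ODV lowercase character"` should also be count-agnostic, e.g. `character(s)`.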
From: Bob Gendler Date: Wed, 30 Aug 2023 12:22:24 -0400 Subject: [PATCH 16/62] Added ODV in more places --- .../pwpolicy_lower_upper_case_character_enforce.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml index adae3bd2..76e1e37c 100644 --- a/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml @@ -1,7 +1,7 @@ id: pwpolicy_lower_upper_case_character_enforce -title: "Require Passwords Contain a Minimum of One Lowercase Character and One Uppercase Character" +title: "Require Passwords Contain a Minimum of $ODV Lowercase Character and $ODV Uppercase Character" discussion: | - The macOS _MUST_ be configured to require at least one lower-case character and one upper-case character be used when a password is created. + The macOS _MUST_ be configured to require at least $ODV lower-case character and $ODV upper-case character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. @@ -9,7 +9,7 @@ discussion: | NOTE: The configuration profile generated must be installed from an MDM server. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.*[A-Z]{1,}[a-z]{1,}.*'\''")])' - + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.*[A-Z]{$ODV,}[a-z]{$ODV,}.*'\''")])' - result: string: "true" fix: | From 3e7f2fa1b3b4840c64f8c331900f4e0263e408b0 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Thu, 7 Sep 2023 12:53:27 -0400 Subject: [PATCH 17/62] refactor[rules] Fixed misspelling Issue #297 --- rules/os/os_sshd_unused_connection_timeout_configure.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/os/os_sshd_unused_connection_timeout_configure.yaml b/rules/os/os_sshd_unused_connection_timeout_configure.yaml index cd7258e0..d49cfb00 100644 --- a/rules/os/os_sshd_unused_connection_timeout_configure.yaml +++ b/rules/os/os_sshd_unused_connection_timeout_configure.yaml @@ -7,7 +7,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/sbin/sshd -G | /usr/bin/awk '/unusedconnectionetimeout/{print $2}' + /usr/sbin/sshd -G | /usr/bin/awk '/unusedconnectiontimeout/{print $2}' result: integer: $ODV fix: | @@ -19,7 +19,7 @@ fix: | /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config fi - /usr/bin/grep -qxF 'unusedconnectionetimeout $ODV' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "unusedconnectionetimeout $ODV" >> "${include_dir}01-mscp-sshd.conf" + /usr/bin/grep -qxF 'unusedconnectiontimeout $ODV' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "unusedconnectiontimeout $ODV" >> "${include_dir}01-mscp-sshd.conf" for file in $(ls ${include_dir}); do if [[ "$file" == "100-macos.conf" ]]; then From e5fb336bdb0969d4cc1e3a6370a39e6b6a9879f2 Mon Sep 17 00:00:00 2001 
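Review bot: Correcting the keyword to `unusedconnectiontimeout` leaves any `01-mscp-sshd.conf` written by an earlier run still holding the misspelled `unusedconnectionetimeout` line, and because `grep -qxF` only looks for the corrected line the fix appends a second entry without removing the bad one; sshd rejects unknown keywords as a bad configuration option and will not start, so the stale line should be purged first, e.g. `/usr/bin/sed -i '' '/^unusedconnectionetimeout /d' "${include_dir}01-mscp-sshd.conf" 2>/dev/null` before the grep/echo line. Since the check reads `sshd -G`, which errors out on an unparsable config, a leftover misspelling makes the check fail rather than pass, which is worth stating in the rule's NOTE for anyone upgrading. The `for file in $(ls ${include_dir})` loop begun at the end of the hunk continues outside it.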
From: Bob Gendler Date: Sat, 9 Sep 2023 14:43:51 -0400 Subject: [PATCH 18/62] refactor[rules] CCEs added Added NIST issued CCEs to all rule files --- rules/audit/audit_acls_files_configure.yaml | 2 +- rules/audit/audit_acls_folders_configure.yaml | 2 +- rules/audit/audit_alert_processing_fail.yaml | 2 +- rules/audit/audit_auditd_enabled.yaml | 2 +- rules/audit/audit_configure_capacity_notify.yaml | 2 +- rules/audit/audit_control_acls_configure.yaml | 2 +- rules/audit/audit_control_group_configure.yaml | 2 +- rules/audit/audit_control_mode_configure.yaml | 2 +- rules/audit/audit_control_owner_configure.yaml | 2 +- rules/audit/audit_enforce_dual_auth.yaml | 2 +- rules/audit/audit_failure_halt.yaml | 2 +- rules/audit/audit_files_group_configure.yaml | 2 +- rules/audit/audit_files_mode_configure.yaml | 2 +- rules/audit/audit_files_owner_configure.yaml | 2 +- rules/audit/audit_flags_aa_configure.yaml | 2 +- rules/audit/audit_flags_ad_configure.yaml | 2 +- rules/audit/audit_flags_ex_configure.yaml | 2 +- rules/audit/audit_flags_fd_configure.yaml | 2 +- rules/audit/audit_flags_fm_configure.yaml | 2 +- rules/audit/audit_flags_fm_failed_configure.yaml | 2 +- rules/audit/audit_flags_fr_configure.yaml | 2 +- rules/audit/audit_flags_fw_configure.yaml | 2 +- rules/audit/audit_flags_lo_configure.yaml | 2 +- rules/audit/audit_folder_group_configure.yaml | 2 +- rules/audit/audit_folder_owner_configure.yaml | 2 +- rules/audit/audit_folders_mode_configure.yaml | 2 +- rules/audit/audit_off_load_records.yaml | 2 +- rules/audit/audit_record_reduction_report_generation.yaml | 2 +- rules/audit/audit_records_processing.yaml | 2 +- rules/audit/audit_retention_configure.yaml | 2 +- rules/audit/audit_settings_failure_notify.yaml | 2 +- rules/auth/auth_pam_login_smartcard_enforce.yaml | 2 +- rules/auth/auth_pam_su_smartcard_enforce.yaml | 2 +- rules/auth/auth_pam_sudo_smartcard_enforce.yaml | 2 +- rules/auth/auth_smartcard_allow.yaml | 2 +- 
rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml | 2 +- .../auth/auth_smartcard_certificate_trust_enforce_moderate.yaml | 2 +- rules/auth/auth_smartcard_enforce.yaml | 2 +- rules/auth/auth_ssh_password_authentication_disable.yaml | 2 +- rules/icloud/icloud_addressbook_disable.yaml | 2 +- rules/icloud/icloud_appleid_preference_pane_disable.yaml | 2 +- rules/icloud/icloud_appleid_system_settings_disable.yaml | 2 +- rules/icloud/icloud_bookmarks_disable.yaml | 2 +- rules/icloud/icloud_calendar_disable.yaml | 2 +- rules/icloud/icloud_drive_disable.yaml | 2 +- rules/icloud/icloud_freeform_disable.yaml | 2 +- rules/icloud/icloud_game_center_disable.yaml | 2 +- rules/icloud/icloud_keychain_disable.yaml | 2 +- rules/icloud/icloud_mail_disable.yaml | 2 +- rules/icloud/icloud_notes_disable.yaml | 2 +- rules/icloud/icloud_photos_disable.yaml | 2 +- rules/icloud/icloud_private_relay_disable.yaml | 2 +- rules/icloud/icloud_reminders_disable.yaml | 2 +- rules/icloud/icloud_sync_disable.yaml | 2 +- rules/os/os_access_control_mobile_devices.yaml | 2 +- rules/os/os_airdrop_disable.yaml | 2 +- rules/os/os_allow_info_passed.yaml | 2 +- rules/os/os_anti_virus_installed.yaml | 2 +- rules/os/os_appleid_prompt_disable.yaml | 2 +- rules/os/os_application_sandboxing.yaml | 2 +- rules/os/os_asl_log_files_owner_group_configure.yaml | 2 +- rules/os/os_asl_log_files_permissions_configure.yaml | 2 +- rules/os/os_auth_peripherals.yaml | 2 +- rules/os/os_authenticated_root_enable.yaml | 2 +- rules/os/os_blank_bluray_disable.yaml | 2 +- rules/os/os_blank_cd_disable.yaml | 2 +- rules/os/os_blank_dvd_disable.yaml | 2 +- rules/os/os_bluray_read_only_enforce.yaml | 2 +- rules/os/os_bonjour_disable.yaml | 2 +- rules/os/os_burn_support_disable.yaml | 2 +- rules/os/os_calendar_app_disable.yaml | 2 +- rules/os/os_camera_disable.yaml | 2 +- rules/os/os_cd_read_only_enforce.yaml | 2 +- rules/os/os_certificate_authority_trust.yaml | 2 +- rules/os/os_change_security_attributes.yaml | 2 +- 
rules/os/os_config_data_install_enforce.yaml | 2 +- rules/os/os_config_profile_ui_install_disable.yaml | 2 +- rules/os/os_continuous_monitoring.yaml | 2 +- rules/os/os_crypto_audit.yaml | 2 +- rules/os/os_directory_services_configured.yaml | 2 +- rules/os/os_disk_image_disable.yaml | 2 +- rules/os/os_dvdram_disable.yaml | 2 +- rules/os/os_efi_integrity_validated.yaml | 2 +- rules/os/os_enforce_access_restrictions.yaml | 2 +- rules/os/os_erase_content_and_settings_disable.yaml | 2 +- rules/os/os_error_message.yaml | 2 +- rules/os/os_ess_installed.yaml | 2 +- rules/os/os_facetime_app_disable.yaml | 2 +- rules/os/os_fail_secure_state.yaml | 2 +- rules/os/os_filevault_authorized_users.yaml | 2 +- rules/os/os_filevault_autologin_disable.yaml | 2 +- rules/os/os_firewall_default_deny_require.yaml | 2 +- rules/os/os_firewall_log_enable.yaml | 2 +- rules/os/os_firmware_password_require.yaml | 2 +- rules/os/os_gatekeeper_enable.yaml | 2 +- rules/os/os_gatekeeper_rearm.yaml | 2 +- rules/os/os_grant_privs.yaml | 2 +- rules/os/os_guest_folder_removed.yaml | 2 +- rules/os/os_handoff_disable.yaml | 2 +- rules/os/os_hibernate_mode_apple_silicon_enable.yaml | 2 +- rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml | 2 +- rules/os/os_hibernate_mode_intel_enable.yaml | 2 +- rules/os/os_home_folders_default.yaml | 2 +- rules/os/os_home_folders_secure.yaml | 2 +- rules/os/os_httpd_disable.yaml | 2 +- rules/os/os_icloud_storage_prompt_disable.yaml | 2 +- rules/os/os_identify_non-org_users.yaml | 2 +- rules/os/os_implement_cryptography.yaml | 2 +- rules/os/os_implement_memory_protection.yaml | 2 +- rules/os/os_information_validation.yaml | 2 +- rules/os/os_install_log_retention_configure.yaml | 2 +- rules/os/os_ir_support_disable.yaml | 2 +- rules/os/os_isolate_security_functions.yaml | 2 +- rules/os/os_library_validation_enabled.yaml | 2 +- rules/os/os_limit_auditable_events.yaml | 2 +- rules/os/os_limit_dos_attacks.yaml | 2 +- rules/os/os_limit_gui_sessions.yaml | 2 +- 
rules/os/os_logical_access.yaml | 2 +- rules/os/os_logoff_capability_and_message.yaml | 2 +- rules/os/os_mail_app_disable.yaml | 2 +- rules/os/os_malicious_code_prevention.yaml | 2 +- rules/os/os_managed_access_control_points.yaml | 2 +- rules/os/os_map_pki_identity.yaml | 2 +- rules/os/os_mdm_require.yaml | 2 +- rules/os/os_messages_app_disable.yaml | 2 +- rules/os/os_mfa_network_access.yaml | 2 +- rules/os/os_mfa_network_non-priv.yaml | 2 +- rules/os/os_mobile_file_integrity_enable.yaml | 2 +- rules/os/os_newsyslog_files_owner_group_configure.yaml | 2 +- rules/os/os_newsyslog_files_permissions_configure.yaml | 2 +- rules/os/os_nfsd_disable.yaml | 2 +- rules/os/os_non_repudiation.yaml | 2 +- rules/os/os_nonlocal_maintenance.yaml | 2 +- rules/os/os_notify_account_created.yaml | 2 +- rules/os/os_notify_account_disabled.yaml | 2 +- rules/os/os_notify_account_enable.yaml | 2 +- rules/os/os_notify_account_modified.yaml | 2 +- rules/os/os_notify_account_removal.yaml | 2 +- rules/os/os_notify_unauthorized_baseline_change.yaml | 2 +- rules/os/os_obscure_password.yaml | 2 +- rules/os/os_on_device_dictation_enforce.yaml | 2 +- rules/os/os_parental_controls_enable.yaml | 2 +- rules/os/os_password_autofill_disable.yaml | 2 +- rules/os/os_password_hint_remove.yaml | 2 +- rules/os/os_password_proximity_disable.yaml | 2 +- rules/os/os_password_sharing_disable.yaml | 2 +- rules/os/os_peripherals_identify.yaml | 2 +- rules/os/os_pii_deidentification.yaml | 2 +- rules/os/os_pii_quality_control.yaml | 2 +- rules/os/os_policy_banner_loginwindow_enforce.yaml | 2 +- rules/os/os_policy_banner_ssh_configure.yaml | 2 +- rules/os/os_policy_banner_ssh_enforce.yaml | 2 +- rules/os/os_power_nap_disable.yaml | 2 +- rules/os/os_power_nap_enable.yaml | 2 +- rules/os/os_predictable_behavior.yaml | 2 +- rules/os/os_prevent_priv_execution.yaml | 2 +- rules/os/os_prevent_priv_functions.yaml | 2 +- rules/os/os_prevent_unauthorized_disclosure.yaml | 2 +- rules/os/os_privacy_principle_minimization.yaml 
| 2 +- rules/os/os_privacy_setup_prompt_disable.yaml | 2 +- rules/os/os_prohibit_remote_activation_collab_devices.yaml | 2 +- rules/os/os_protect_dos_attacks.yaml | 2 +- rules/os/os_provide_automated_account_management.yaml | 2 +- rules/os/os_provide_disconnect_remote_access.yaml | 2 +- rules/os/os_rapid_security_response_allow.yaml | 2 +- rules/os/os_rapid_security_response_removal_disable.yaml | 2 +- rules/os/os_reauth_devices_change_authenticators.yaml | 2 +- rules/os/os_reauth_privilege.yaml | 2 +- rules/os/os_reauth_users_change_authenticators.yaml | 2 +- rules/os/os_recovery_lock_enable.yaml | 2 +- rules/os/os_remote_access_methods.yaml | 2 +- rules/os/os_removable_media_disable.yaml | 2 +- rules/os/os_remove_software_components_after_updates.yaml | 2 +- rules/os/os_required_crypto_module.yaml | 2 +- rules/os/os_root_disable.yaml | 2 +- rules/os/os_safari_advertising_privacy_protection_enable.yaml | 2 +- rules/os/os_safari_open_safe_downloads_disable.yaml | 2 +- rules/os/os_safari_prevent_cross-site_tracking_enable.yaml | 2 +- rules/os/os_safari_show_full_website_address_enable.yaml | 2 +- rules/os/os_safari_warn_fraudulent_website_enable.yaml | 2 +- rules/os/os_screensaver_loginwindow_enforce.yaml | 2 +- rules/os/os_screensaver_timeout_loginwindow_enforce.yaml | 2 +- rules/os/os_secure_boot_verify.yaml | 2 +- rules/os/os_secure_enclave.yaml | 2 +- rules/os/os_secure_name_resolution.yaml | 2 +- rules/os/os_separate_functionality.yaml | 2 +- rules/os/os_setup_assistant_filevault_enforce.yaml | 2 +- rules/os/os_show_filename_extensions_enable.yaml | 2 +- rules/os/os_sip_enable.yaml | 2 +- rules/os/os_siri_prompt_disable.yaml | 2 +- rules/os/os_skip_screen_time_prompt_enable.yaml | 2 +- rules/os/os_skip_unlock_with_watch_enable.yaml | 2 +- rules/os/os_software_update_deferral.yaml | 2 +- rules/os/os_ssh_fips_compliant.yaml | 2 +- rules/os/os_ssh_server_alive_count_max_configure.yaml | 2 +- rules/os/os_ssh_server_alive_interval_configure.yaml | 2 +- 
rules/os/os_sshd_channel_timeout_configure.yaml | 2 +- rules/os/os_sshd_client_alive_count_max_configure.yaml | 2 +- rules/os/os_sshd_client_alive_interval_configure.yaml | 2 +- rules/os/os_sshd_fips_140_ciphers.yaml | 2 +- rules/os/os_sshd_fips_140_macs.yaml | 2 +- rules/os/os_sshd_fips_compliant.yaml | 2 +- rules/os/os_sshd_key_exchange_algorithm_configure.yaml | 2 +- rules/os/os_sshd_login_grace_time_configure.yaml | 2 +- rules/os/os_sshd_permit_root_login_configure.yaml | 2 +- rules/os/os_sshd_unused_connection_timeout_configure.yaml | 2 +- rules/os/os_store_encrypted_passwords.yaml | 2 +- rules/os/os_sudo_timeout_configure.yaml | 2 +- rules/os/os_sudoers_timestamp_type_configure.yaml | 2 +- rules/os/os_system_read_only.yaml | 2 +- rules/os/os_system_wide_applications_configure.yaml | 2 +- rules/os/os_terminal_secure_keyboard_enable.yaml | 2 +- rules/os/os_terminate_session.yaml | 2 +- rules/os/os_tftpd_disable.yaml | 2 +- rules/os/os_time_offset_limit_configure.yaml | 2 +- rules/os/os_time_server_enabled.yaml | 2 +- rules/os/os_touchid_prompt_disable.yaml | 2 +- rules/os/os_unique_identification.yaml | 2 +- rules/os/os_unlock_active_user_session_disable.yaml | 2 +- rules/os/os_user_app_installation_prohibit.yaml | 2 +- rules/os/os_uucp_disable.yaml | 2 +- rules/os/os_verify_remote_disconnection.yaml | 2 +- rules/os/os_world_writable_library_folder_configure.yaml | 2 +- rules/os/os_world_writable_system_folder_configure.yaml | 2 +- rules/pwpolicy/pwpolicy_50_percent.yaml | 2 +- rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml | 2 +- rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml | 2 +- rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml | 2 +- rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml | 2 +- rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml | 2 +- rules/pwpolicy/pwpolicy_force_password_change.yaml | 2 +- rules/pwpolicy/pwpolicy_history_enforce.yaml | 2 +- rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml | 2 +- 
rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml | 2 +- rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml | 2 +- rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml | 2 +- rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml | 2 +- rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml | 2 +- rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml | 2 +- rules/pwpolicy/pwpolicy_special_character_enforce.yaml | 2 +- rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml | 2 +- .../pwpolicy_temporary_or_emergency_accounts_disable.yaml | 2 +- rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml | 2 +- .../system_settings_airplay_receiver_disable.yaml | 2 +- .../system_settings_apple_watch_unlock_disable.yaml | 2 +- rules/system_settings/system_settings_assistant_disable.yaml | 2 +- .../system_settings_automatic_login_disable.yaml | 2 +- .../system_settings_automatic_logout_enforce.yaml | 2 +- rules/system_settings/system_settings_bluetooth_disable.yaml | 2 +- .../system_settings/system_settings_bluetooth_menu_enable.yaml | 2 +- .../system_settings_bluetooth_prefpane_disable.yaml | 2 +- .../system_settings_bluetooth_sharing_disable.yaml | 2 +- .../system_settings/system_settings_cd_dvd_sharing_disable.yaml | 2 +- .../system_settings_content_caching_disable.yaml | 2 +- .../system_settings_critical_update_install_enforce.yaml | 2 +- .../system_settings_diagnostics_reports_disable.yaml | 2 +- rules/system_settings/system_settings_filevault_enforce.yaml | 2 +- rules/system_settings/system_settings_find_my_disable.yaml | 2 +- rules/system_settings/system_settings_firewall_enable.yaml | 2 +- .../system_settings_firewall_stealth_mode_enable.yaml | 2 +- ...ystem_settings_gatekeeper_identified_developers_allowed.yaml | 2 +- .../system_settings_gatekeeper_override_disallow.yaml | 2 +- .../system_settings_guest_access_smb_disable.yaml | 2 +- .../system_settings/system_settings_guest_account_disable.yaml | 2 +- 
rules/system_settings/system_settings_hot_corners_disable.yaml | 2 +- rules/system_settings/system_settings_hot_corners_secure.yaml | 2 +- .../system_settings_improve_siri_dictation_disable.yaml | 2 +- .../system_settings_install_macos_updates_enforce.yaml | 2 +- .../system_settings_internet_accounts_disable.yaml | 2 +- ...stem_settings_internet_accounts_preference_pane_disable.yaml | 2 +- .../system_settings_internet_sharing_disable.yaml | 2 +- .../system_settings_location_services_disable.yaml | 2 +- .../system_settings_location_services_enable.yaml | 2 +- .../system_settings_location_services_menu_enforce.yaml | 2 +- .../system_settings_loginwindow_loginwindowtext_enable.yaml | 2 +- ...m_settings_loginwindow_prompt_username_password_enforce.yaml | 2 +- .../system_settings/system_settings_media_sharing_disabled.yaml | 2 +- .../system_settings/system_settings_password_hints_disable.yaml | 2 +- .../system_settings_personalized_advertising_disable.yaml | 2 +- .../system_settings_printer_sharing_disable.yaml | 2 +- rules/system_settings/system_settings_rae_disable.yaml | 2 +- .../system_settings_remote_management_disable.yaml | 2 +- .../system_settings/system_settings_screen_sharing_disable.yaml | 2 +- ...tem_settings_screensaver_ask_for_password_delay_enforce.yaml | 2 +- .../system_settings_screensaver_password_enforce.yaml | 2 +- .../system_settings_screensaver_timeout_enforce.yaml | 2 +- rules/system_settings/system_settings_siri_disable.yaml | 2 +- .../system_settings/system_settings_siri_prefpane_disable.yaml | 2 +- rules/system_settings/system_settings_smbd_disable.yaml | 2 +- .../system_settings_software_update_app_update_enforce.yaml | 2 +- .../system_settings_software_update_download_enforce.yaml | 2 +- .../system_settings_software_update_enforce.yaml | 2 +- .../system_settings/system_settings_softwareupdate_current.yaml | 2 +- rules/system_settings/system_settings_ssh_disable.yaml | 2 +- rules/system_settings/system_settings_ssh_enable.yaml | 2 +- 
.../system_settings_system_wide_preferences_configure.yaml | 2 +- .../system_settings_time_machine_auto_backup_enable.yaml | 2 +- .../system_settings_time_machine_encrypted_configure.yaml | 2 +- .../system_settings/system_settings_time_server_configure.yaml | 2 +- rules/system_settings/system_settings_time_server_enforce.yaml | 2 +- .../system_settings/system_settings_token_removal_enforce.yaml | 2 +- .../system_settings/system_settings_touch_id_pane_disable.yaml | 2 +- .../system_settings/system_settings_touchid_unlock_disable.yaml | 2 +- rules/system_settings/system_settings_usb_restricted_mode.yaml | 2 +- .../system_settings_wake_network_access_disable.yaml | 2 +- .../system_settings_wallet_applepay_prefpane_disable.yaml | 2 +- .../system_settings_wallet_applepay_prefpane_hide.yaml | 2 +- rules/system_settings/system_settings_wifi_disable.yaml | 2 +- ...system_settings_wifi_disable_when_connected_to_ethernet.yaml | 2 +- rules/system_settings/system_settings_wifi_menu_enable.yaml | 2 +- 310 files changed, 310 insertions(+), 310 deletions(-) diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index 98e24ddc..c148e263 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92701-2 cci: - CCI-000162 - CCI-001314 diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml index 890cfe64..a0032d60 100644 --- a/rules/audit/audit_acls_folders_configure.yaml +++ b/rules/audit/audit_acls_folders_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92702-0 cci: - CCI-000162 800-53r5: diff --git a/rules/audit/audit_alert_processing_fail.yaml b/rules/audit/audit_alert_processing_fail.yaml index 9547234d..8cd8ed74 100644 --- a/rules/audit/audit_alert_processing_fail.yaml +++ b/rules/audit/audit_alert_processing_fail.yaml 
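Review bot: The CCE values in this and the following hunks are a sequential run (CCE-92701-2, CCE-92702-0, CCE-92703-8, …) stamped into 310 rule files, and nothing in the patch guards against a duplicate or a transposed digit slipping in during that bulk edit. CCE identifiers carry a Luhn mod-10 check digit (CCE-92701-2, 92702-0 and 92703-8 all verify), so a small repo check that collects every `references.cce` entry, asserts uniqueness across rules, and recomputes each check digit would catch both error classes before the identifiers are published in generated baselines. Consider adding that to the existing rule-file validation, or at minimum running it once over this commit.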
@@ -8,7 +8,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - N/A + - CCE-92703-8 cci: - N/A 800-53r5: diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index 2f7c0f20..5216c818 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -36,7 +36,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92704-6 cci: - CCI-000130 - CCI-000131 diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml index 02b1b6eb..afff5c5e 100644 --- a/rules/audit/audit_configure_capacity_notify.yaml +++ b/rules/audit/audit_configure_capacity_notify.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92705-3 cci: - CCI-001855 800-53r5: diff --git a/rules/audit/audit_control_acls_configure.yaml b/rules/audit/audit_control_acls_configure.yaml index 32d20222..0f0dc163 100644 --- a/rules/audit/audit_control_acls_configure.yaml +++ b/rules/audit/audit_control_acls_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92706-1 cci: - N/A 800-53r5: diff --git a/rules/audit/audit_control_group_configure.yaml b/rules/audit/audit_control_group_configure.yaml index d5fa124e..5f48df85 100644 --- a/rules/audit/audit_control_group_configure.yaml +++ b/rules/audit/audit_control_group_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92707-9 cci: - N/A 800-53r5: diff --git a/rules/audit/audit_control_mode_configure.yaml b/rules/audit/audit_control_mode_configure.yaml index 3943a7b4..42ad490f 100644 --- a/rules/audit/audit_control_mode_configure.yaml +++ b/rules/audit/audit_control_mode_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92708-7 cci: - N/A 800-53r5: 
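Review bot: audit_alert_processing_fail.yaml is marked `This requirement is a permanent finding and cannot be fixed` and keeps `cci: - N/A`, yet now receives `CCE-92703-8`; a CCE names a specific configurable setting, so attaching one to a rule with no check or fix may lead downstream consumers (SCAP/STIG generation, compliance scanners) to treat it as a checkable configuration item. The same applies to the other permanent-finding and inherently-met rules in this patch (audit_enforce_dual_auth, audit_off_load_records, audit_record_reduction_report_generation, audit_records_processing, os_access_control_mobile_devices, os_allow_info_passed). If NIST deliberately issued CCEs for these non-configurable rules, a one-line note in the commit message or rule discussion saying so would stop the next reviewer from reading it as a mistake; otherwise these entries should probably remain `N/A`.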
diff --git a/rules/audit/audit_control_owner_configure.yaml b/rules/audit/audit_control_owner_configure.yaml index 75dff5f9..0e4612c2 100644 --- a/rules/audit/audit_control_owner_configure.yaml +++ b/rules/audit/audit_control_owner_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92709-5 cci: - N/A 800-53r5: diff --git a/rules/audit/audit_enforce_dual_auth.yaml b/rules/audit/audit_enforce_dual_auth.yaml index cb43b92b..f915fccd 100644 --- a/rules/audit/audit_enforce_dual_auth.yaml +++ b/rules/audit/audit_enforce_dual_auth.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - N/A + - CCE-92710-3 cci: - N/A 800-53r5: diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index 95b7075d..6981bad5 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92711-1 cci: - CCI-000140 800-53r5: diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml index e2bc9d39..722a9fb6 100644 --- a/rules/audit/audit_files_group_configure.yaml +++ b/rules/audit/audit_files_group_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92712-9 cci: - CCI-000162 800-53r5: diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml index 3ee7b257..2c37e957 100644 --- a/rules/audit/audit_files_mode_configure.yaml +++ b/rules/audit/audit_files_mode_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92713-7 cci: - CCI-000162 800-53r5: diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml index e4bb5e77..abf5fb07 100644 --- a/rules/audit/audit_files_owner_configure.yaml 
+++ b/rules/audit/audit_files_owner_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92714-5 cci: - CCI-000162 800-53r5: diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index 16710be4..11090587 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92715-2 cci: - CCI-000172 800-53r5: diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index c26f8df9..c0b3fcd1 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -21,7 +21,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92716-0 cci: - CCI-000018 - CCI-000172 diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index 53f3fa22..f9942576 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml @@ -18,7 +18,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92717-8 cci: - N/A 800-53r5: diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index a4031b99..42ed5269 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92718-6 cci: - CCI-000172 - CCI-001814 diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index b4c31e87..1c61e4ec 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92719-4 cci: - CCI-000172 - CCI-001814 diff --git a/rules/audit/audit_flags_fm_failed_configure.yaml b/rules/audit/audit_flags_fm_failed_configure.yaml index 2b8927e4..46d660e8 100644 --- a/rules/audit/audit_flags_fm_failed_configure.yaml 
+++ b/rules/audit/audit_flags_fm_failed_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92720-2 cci: - N/A 800-53r5: diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index 569ec1f7..93a5a06b 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92721-0 cci: - CCI-000172 - CCI-001814 diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index ed5f79b3..7f90327f 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92722-8 cci: - CCI-000172 - CCI-001814 diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index 090cf3d5..9ce5ba3d 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92723-6 cci: - CCI-000067 - CCI-000172 diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml index 6c8823aa..d132b033 100644 --- a/rules/audit/audit_folder_group_configure.yaml +++ b/rules/audit/audit_folder_group_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92724-4 cci: - CCI-000162 800-53r5: diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml index 429843e4..42ad8c27 100644 --- a/rules/audit/audit_folder_owner_configure.yaml +++ b/rules/audit/audit_folder_owner_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92725-1 cci: - CCI-000162 800-53r5: diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml index ae3d7858..fe88d750 100644 
--- a/rules/audit/audit_folders_mode_configure.yaml +++ b/rules/audit/audit_folders_mode_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92726-9 cci: - CCI-000162 - CCI-000163 diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml index 52de14ce..0ae12739 100644 --- a/rules/audit/audit_off_load_records.yaml +++ b/rules/audit/audit_off_load_records.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - N/A + - CCE-92727-7 cci: - N/A 800-53r5: diff --git a/rules/audit/audit_record_reduction_report_generation.yaml b/rules/audit/audit_record_reduction_report_generation.yaml index eca837b0..b333b9bc 100644 --- a/rules/audit/audit_record_reduction_report_generation.yaml +++ b/rules/audit/audit_record_reduction_report_generation.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92728-5 cci: - N/A 800-53r5: diff --git a/rules/audit/audit_records_processing.yaml b/rules/audit/audit_records_processing.yaml index dc6a9afb..86c177fe 100644 --- a/rules/audit/audit_records_processing.yaml +++ b/rules/audit/audit_records_processing.yaml @@ -10,7 +10,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - N/A + - CCE-92729-3 cci: - N/A 800-53r5: diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index 06125642..253272ba 100644 --- a/rules/audit/audit_retention_configure.yaml +++ b/rules/audit/audit_retention_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92730-1 cci: - CCI-001849 800-53r5: 
diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml index ec7b4c78..5f29c5e9 100644 --- a/rules/audit/audit_settings_failure_notify.yaml +++ b/rules/audit/audit_settings_failure_notify.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92731-9 cci: - CCI-001858 800-53r5: diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml index 0b80c0bf..ce788528 100644 --- a/rules/auth/auth_pam_login_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml @@ -37,7 +37,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92732-7 cci: - CCI-000366 800-53r5: diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml index 5fef0bf0..48409184 100644 --- a/rules/auth/auth_pam_su_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml @@ -32,7 +32,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92733-5 cci: - CCI-000366 800-53r5: diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml index e29b8d69..6b50c45e 100644 --- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml @@ -31,7 +31,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92734-3 cci: - CCI-000366 800-53r5: diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml index 51f7bfaa..908624b1 100644 --- a/rules/auth/auth_smartcard_allow.yaml +++ b/rules/auth/auth_smartcard_allow.yaml @@ -17,7 +17,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92735-0 cci: - CCI-000187 - CCI-000767 diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml index cb0b84f2..ace343ea 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml 
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml @@ -19,7 +19,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92736-8 cci: - N/A 800-53r5: diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml index eed008a7..4f5d6587 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml @@ -19,7 +19,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92737-6 cci: - CCI-000186 - CCI-001953 diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index 295756eb..773a2493 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml @@ -21,7 +21,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92738-4 cci: - CCI-000187 - CCI-000767 diff --git a/rules/auth/auth_ssh_password_authentication_disable.yaml b/rules/auth/auth_ssh_password_authentication_disable.yaml index 091b3070..b4b4105e 100644 --- a/rules/auth/auth_ssh_password_authentication_disable.yaml +++ b/rules/auth/auth_ssh_password_authentication_disable.yaml @@ -32,7 +32,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92739-2 cci: - N/A 800-53r5: diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index 53f89ce2..ded9d995 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92740-0 cci: - CCI-000381 - CCI-001774 diff --git a/rules/icloud/icloud_appleid_preference_pane_disable.yaml b/rules/icloud/icloud_appleid_preference_pane_disable.yaml index a4260501..b6f5e64c 100644 
--- a/rules/icloud/icloud_appleid_preference_pane_disable.yaml +++ b/rules/icloud/icloud_appleid_preference_pane_disable.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92741-8 cci: - CCI-001774 800-53r5: diff --git a/rules/icloud/icloud_appleid_system_settings_disable.yaml b/rules/icloud/icloud_appleid_system_settings_disable.yaml index 665c3a49..baa536ca 100644 --- a/rules/icloud/icloud_appleid_system_settings_disable.yaml +++ b/rules/icloud/icloud_appleid_system_settings_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92742-6 cci: - N/A 800-53r5: diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index 07db0225..c6228db0 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92743-4 cci: - CCI-000381 - CCI-001774 diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index d5bf29e6..3540b7c5 100644 --- a/rules/icloud/icloud_calendar_disable.yaml +++ b/rules/icloud/icloud_calendar_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92744-2 cci: - CCI-000381 - CCI-001774 diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index 92394c3b..3386e2d3 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92745-9 cci: - CCI-000381 - CCI-001774 diff --git a/rules/icloud/icloud_freeform_disable.yaml b/rules/icloud/icloud_freeform_disable.yaml index f251239c..1ca63765 100644 --- a/rules/icloud/icloud_freeform_disable.yaml 
+++ b/rules/icloud/icloud_freeform_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92746-7 cci: - CCI-000381 - CCI-001774 diff --git a/rules/icloud/icloud_game_center_disable.yaml b/rules/icloud/icloud_game_center_disable.yaml index 58fb93ad..773f43da 100644 --- a/rules/icloud/icloud_game_center_disable.yaml +++ b/rules/icloud/icloud_game_center_disable.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92747-5 cci: - N/A 800-53r5: diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index b29e267d..85394731 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92748-3 cci: - CCI-001774 - CCI-000381 diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index dbb379cf..045798cf 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92749-1 cci: - CCI-000381 - CCI-001774 diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index ff74f067..debcca2c 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92750-9 cci: - CCI-000381 - CCI-001774 diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index 395671f5..031c98c9 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml 
@@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92751-7 cci: - CCI-000381 - CCI-001774 diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml index 393cbae3..512e1ce6 100644 --- a/rules/icloud/icloud_private_relay_disable.yaml +++ b/rules/icloud/icloud_private_relay_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92752-5 cci: - N/A 800-53r5: diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index 4cee2a0c..6752fdc0 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92753-3 cci: - CCI-000381 - CCI-001774 diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index 37fc463f..7498bc9c 100644 --- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92754-1 cci: - N/A 800-53r5: diff --git a/rules/os/os_access_control_mobile_devices.yaml b/rules/os/os_access_control_mobile_devices.yaml index 7884dc1f..246f8107 100644 --- a/rules/os/os_access_control_mobile_devices.yaml +++ b/rules/os/os_access_control_mobile_devices.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - N/A + - CCE-92755-8 cci: - N/A 800-53r5: diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 70b1947b..81776bda 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml 
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92756-6
 cci:
 - CCI-000381
 800-53r5:
diff --git a/rules/os/os_allow_info_passed.yaml b/rules/os/os_allow_info_passed.yaml
index 609d05d1..c8a4f645 100644
--- a/rules/os/os_allow_info_passed.yaml
+++ b/rules/os/os_allow_info_passed.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92757-4
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml
index aace5590..2fc1ba99 100644
--- a/rules/os/os_anti_virus_installed.yaml
+++ b/rules/os/os_anti_virus_installed.yaml
@@ -16,7 +16,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92758-2
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml
index 33a47c23..eb46bf4b 100644
--- a/rules/os/os_appleid_prompt_disable.yaml
+++ b/rules/os/os_appleid_prompt_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92759-0
 cci:
 - CCI-000381
 800-53r5:
diff --git a/rules/os/os_application_sandboxing.yaml b/rules/os/os_application_sandboxing.yaml
index 047bbe8c..15348d77 100644
--- a/rules/os/os_application_sandboxing.yaml
+++ b/rules/os/os_application_sandboxing.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92760-8
 800-53r5:
 - SC-39
 800-53r4:
diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml
index b978c2bf..c93a744d 100644
--- a/rules/os/os_asl_log_files_owner_group_configure.yaml
+++ b/rules/os/os_asl_log_files_owner_group_configure.yaml
@@ -15,7 +15,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92761-6
 cci:
 - CCI-001314
 800-53r5:
diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml
index 0a5b2a5f..52236337 100644
--- a/rules/os/os_asl_log_files_permissions_configure.yaml
+++ b/rules/os/os_asl_log_files_permissions_configure.yaml
@@ -13,7 +13,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92762-4
 cci:
 - CCI-001314
 800-53r5:
diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml
index 9bf3bb03..8ec44bf6 100644
--- a/rules/os/os_auth_peripherals.yaml
+++ b/rules/os/os_auth_peripherals.yaml
@@ -8,7 +8,7 @@ fix: |
 This requirement is a permanent finding and can be fixed by implementing a third party solution.
 references:
 cce:
- - N/A
+ - CCE-92763-2
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml
index cb5e2a94..e48fd115 100644
--- a/rules/os/os_authenticated_root_enable.yaml
+++ b/rules/os/os_authenticated_root_enable.yaml
@@ -20,7 +20,7 @@ fix: |
 NOTE: To re-enable "Authenticated Root", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
 references:
 cce:
- - N/A
+ - CCE-92764-0
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml
index debd606d..391a0615 100644
--- a/rules/os/os_blank_bluray_disable.yaml
+++ b/rules/os/os_blank_bluray_disable.yaml
@@ -23,7 +23,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92765-7
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml
index 3cf961d2..baec4c10 100644
--- a/rules/os/os_blank_cd_disable.yaml
+++ b/rules/os/os_blank_cd_disable.yaml
@@ -23,7 +23,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92766-5
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml
index 3cf42ea8..05ea9009 100644
--- a/rules/os/os_blank_dvd_disable.yaml
+++ b/rules/os/os_blank_dvd_disable.yaml
@@ -23,7 +23,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92767-3
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/os/os_bluray_read_only_enforce.yaml b/rules/os/os_bluray_read_only_enforce.yaml
index 9cce0251..916ae5a7 100644
--- a/rules/os/os_bluray_read_only_enforce.yaml
+++ b/rules/os/os_bluray_read_only_enforce.yaml
@@ -23,7 +23,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92768-1
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml
index 752f3ae8..60144c00 100644
--- a/rules/os/os_bonjour_disable.yaml
+++ b/rules/os/os_bonjour_disable.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92769-9
 cci:
 - CCI-000381
 800-53r5:
diff --git a/rules/os/os_burn_support_disable.yaml b/rules/os/os_burn_support_disable.yaml
index 8fa86ed8..60e8c89a 100644
--- a/rules/os/os_burn_support_disable.yaml
+++ b/rules/os/os_burn_support_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92770-7
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml
index f627acd7..de9894cf 100644
--- a/rules/os/os_calendar_app_disable.yaml
+++ b/rules/os/os_calendar_app_disable.yaml
@@ -33,7 +33,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92771-5
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml
index 872c448e..04f6cde6 100644
--- a/rules/os/os_camera_disable.yaml
+++ b/rules/os/os_camera_disable.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92772-3
 cci:
 - CCI-000381
 - CCI-001774
diff --git a/rules/os/os_cd_read_only_enforce.yaml b/rules/os/os_cd_read_only_enforce.yaml
index 738aee1f..c8d70f7d 100644
--- a/rules/os/os_cd_read_only_enforce.yaml
+++ b/rules/os/os_cd_read_only_enforce.yaml
@@ -23,7 +23,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92773-1
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/os/os_certificate_authority_trust.yaml b/rules/os/os_certificate_authority_trust.yaml
index 4aca623f..58ee242f 100644
--- a/rules/os/os_certificate_authority_trust.yaml
+++ b/rules/os/os_certificate_authority_trust.yaml
@@ -10,7 +10,7 @@ fix: |
 Obtain the approved certificates from the appropriate authority and install them to the System Keychain.
 references:
 cce:
- - N/A
+ - CCE-92774-9
 cci:
 - CCI-000185
 - CCI-002450
diff --git a/rules/os/os_change_security_attributes.yaml b/rules/os/os_change_security_attributes.yaml
index b16f1506..b450f5c5 100644
--- a/rules/os/os_change_security_attributes.yaml
+++ b/rules/os/os_change_security_attributes.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92775-6
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml
index 595b032e..1b8f6d0e 100644
--- a/rules/os/os_config_data_install_enforce.yaml
+++ b/rules/os/os_config_data_install_enforce.yaml
@@ -19,7 +19,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92776-4
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/os/os_config_profile_ui_install_disable.yaml b/rules/os/os_config_profile_ui_install_disable.yaml
index 7e3a7370..db00e8d7 100644
--- a/rules/os/os_config_profile_ui_install_disable.yaml
+++ b/rules/os/os_config_profile_ui_install_disable.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92777-2
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_continuous_monitoring.yaml b/rules/os/os_continuous_monitoring.yaml
index 7cb623bf..9a843dbd 100644
--- a/rules/os/os_continuous_monitoring.yaml
+++ b/rules/os/os_continuous_monitoring.yaml
@@ -8,7 +8,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - N/A
+ - CCE-92778-0
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_crypto_audit.yaml b/rules/os/os_crypto_audit.yaml
index 57c0626b..575d3b30 100644
--- a/rules/os/os_crypto_audit.yaml
+++ b/rules/os/os_crypto_audit.yaml
@@ -14,7 +14,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92779-8
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml
index 14402167..f035f562 100644
--- a/rules/os/os_directory_services_configured.yaml
+++ b/rules/os/os_directory_services_configured.yaml
@@ -12,7 +12,7 @@ fix: |
 Integrate the system into an existing directory services infrastructure.
 references:
 cce:
- - N/A
+ - CCE-92780-6
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml
index 5afb65e1..ec14d08b 100644
--- a/rules/os/os_disk_image_disable.yaml
+++ b/rules/os/os_disk_image_disable.yaml
@@ -23,7 +23,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92781-4
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml
index fe29df11..4037400c 100644
--- a/rules/os/os_dvdram_disable.yaml
+++ b/rules/os/os_dvdram_disable.yaml
@@ -23,7 +23,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92782-2
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/os/os_efi_integrity_validated.yaml b/rules/os/os_efi_integrity_validated.yaml
index 21078d97..f7e557fe 100644
--- a/rules/os/os_efi_integrity_validated.yaml
+++ b/rules/os/os_efi_integrity_validated.yaml
@@ -10,7 +10,7 @@ fix: |
 Install a known good version of macOS.
 references:
 cce:
- - N/A
+ - CCE-92783-0
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_enforce_access_restrictions.yaml b/rules/os/os_enforce_access_restrictions.yaml
index 61961007..a19c3700 100644
--- a/rules/os/os_enforce_access_restrictions.yaml
+++ b/rules/os/os_enforce_access_restrictions.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92784-8
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_erase_content_and_settings_disable.yaml b/rules/os/os_erase_content_and_settings_disable.yaml
index 7a3b15d3..de312163 100644
--- a/rules/os/os_erase_content_and_settings_disable.yaml
+++ b/rules/os/os_erase_content_and_settings_disable.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92785-5
 cci:
 - CCI-000381
 800-53r5:
diff --git a/rules/os/os_error_message.yaml b/rules/os/os_error_message.yaml
index bd130217..e9fd5965 100644
--- a/rules/os/os_error_message.yaml
+++ b/rules/os/os_error_message.yaml
@@ -8,7 +8,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92786-3
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_ess_installed.yaml b/rules/os/os_ess_installed.yaml
index 9c6fbcc8..5a0611c2 100644
--- a/rules/os/os_ess_installed.yaml
+++ b/rules/os/os_ess_installed.yaml
@@ -11,7 +11,7 @@ fix: |
 Install the approved ESS solution onto the system.
 references:
 cce:
- - N/A
+ - CCE-92787-1
 cci:
 - CCI-001233
 800-53r5:
diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml
index cb21ee43..5c5f62cc 100644
--- a/rules/os/os_facetime_app_disable.yaml
+++ b/rules/os/os_facetime_app_disable.yaml
@@ -30,7 +30,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92788-9
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_fail_secure_state.yaml b/rules/os/os_fail_secure_state.yaml
index 55dacfc4..64816a73 100644
--- a/rules/os/os_fail_secure_state.yaml
+++ b/rules/os/os_fail_secure_state.yaml
@@ -14,7 +14,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92789-7
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_filevault_authorized_users.yaml b/rules/os/os_filevault_authorized_users.yaml
index 525bcb25..d9bf8eab 100644
--- a/rules/os/os_filevault_authorized_users.yaml
+++ b/rules/os/os_filevault_authorized_users.yaml
@@ -15,7 +15,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92790-5
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml
index aaa508a5..1e0ec730 100644
--- a/rules/os/os_filevault_autologin_disable.yaml
+++ b/rules/os/os_filevault_autologin_disable.yaml
@@ -17,7 +17,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92791-3
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/os/os_firewall_default_deny_require.yaml b/rules/os/os_firewall_default_deny_require.yaml
index 57c701b4..70279f00 100644
--- a/rules/os/os_firewall_default_deny_require.yaml
+++ b/rules/os/os_firewall_default_deny_require.yaml
@@ -21,7 +21,7 @@ fix: |
 NOTE: See the firewall supplemental which includes a script that has an example policy to implement this rule.
 references:
 cce:
- - N/A
+ - CCE-92792-1
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml
index 6679d46b..84f5ca4b 100644
--- a/rules/os/os_firewall_log_enable.yaml
+++ b/rules/os/os_firewall_log_enable.yaml
@@ -26,7 +26,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92793-9
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml
index 752a0d25..db593d1f 100644
--- a/rules/os/os_firmware_password_require.yaml
+++ b/rules/os/os_firmware_password_require.yaml
@@ -24,7 +24,7 @@ fix: |
 NOTE: See discussion on remediation and how to enable firmware password.
 references:
 cce:
- - N/A
+ - CCE-92794-7
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml
index 0121534d..51e1c2df 100644
--- a/rules/os/os_gatekeeper_enable.yaml
+++ b/rules/os/os_gatekeeper_enable.yaml
@@ -17,7 +17,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92795-4
 cci:
 - CCI-001749
 800-53r5:
diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml
index 5060aeb7..0324b93c 100644
--- a/rules/os/os_gatekeeper_rearm.yaml
+++ b/rules/os/os_gatekeeper_rearm.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92796-2
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_grant_privs.yaml b/rules/os/os_grant_privs.yaml
index 2fd86b70..581e84eb 100644
--- a/rules/os/os_grant_privs.yaml
+++ b/rules/os/os_grant_privs.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92797-0
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml
index f8b320cc..791ff11e 100644
--- a/rules/os/os_guest_folder_removed.yaml
+++ b/rules/os/os_guest_folder_removed.yaml
@@ -13,7 +13,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92798-8
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml
index cb0ec2fc..432a4f30 100644
--- a/rules/os/os_handoff_disable.yaml
+++ b/rules/os/os_handoff_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92799-6
 cci:
 - CCI-000381
 800-53r5:
diff --git a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml
index 046b255c..9aaa9708 100644
--- a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml
+++ b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml
@@ -38,7 +38,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92800-2
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
index 32b7ad4e..05914aec 100644
--- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
+++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92801-0
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_hibernate_mode_intel_enable.yaml b/rules/os/os_hibernate_mode_intel_enable.yaml
index 17fe02de..e0851eff 100644
--- a/rules/os/os_hibernate_mode_intel_enable.yaml
+++ b/rules/os/os_hibernate_mode_intel_enable.yaml
@@ -39,7 +39,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92802-8
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_home_folders_default.yaml b/rules/os/os_home_folders_default.yaml
index 741788fe..d87817bb 100644
--- a/rules/os/os_home_folders_default.yaml
+++ b/rules/os/os_home_folders_default.yaml
@@ -33,7 +33,7 @@ fix: |-
 NOTE: Using the `/usr/sbin/diskutil resetUserPermissions` command will only reset the permissions on the default folder set. Other folders in the home directory will not be affected.
 references:
 cce:
- - N/A
+ - CCE-92803-6
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml
index 3d9558ce..a4c41055 100644
--- a/rules/os/os_home_folders_secure.yaml
+++ b/rules/os/os_home_folders_secure.yaml
@@ -19,7 +19,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92804-4
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml
index e35f3c8b..f7e0b3ec 100644
--- a/rules/os/os_httpd_disable.yaml
+++ b/rules/os/os_httpd_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92805-1
 cci:
 - CCI-000381
 800-53r5:
diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml
index c6557035..26aac781 100644
--- a/rules/os/os_icloud_storage_prompt_disable.yaml
+++ b/rules/os/os_icloud_storage_prompt_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92806-9
 cci:
 - CCI-000381
 800-53r5:
diff --git a/rules/os/os_identify_non-org_users.yaml b/rules/os/os_identify_non-org_users.yaml
index b2b53c23..b9ac41e4 100644
--- a/rules/os/os_identify_non-org_users.yaml
+++ b/rules/os/os_identify_non-org_users.yaml
@@ -8,7 +8,7 @@ fix: |
 The requirement is NA. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92807-7
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml
index 81ec52b6..03a0a7a4 100644
--- a/rules/os/os_implement_cryptography.yaml
+++ b/rules/os/os_implement_cryptography.yaml
@@ -16,7 +16,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92808-5
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml
index ebe2b09c..97d11229 100644
--- a/rules/os/os_implement_memory_protection.yaml
+++ b/rules/os/os_implement_memory_protection.yaml
@@ -19,7 +19,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92809-3
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_information_validation.yaml b/rules/os/os_information_validation.yaml
index 849cc087..a985a566 100644
--- a/rules/os/os_information_validation.yaml
+++ b/rules/os/os_information_validation.yaml
@@ -10,7 +10,7 @@ fix: |
 The requirement is NA. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92810-1
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_install_log_retention_configure.yaml b/rules/os/os_install_log_retention_configure.yaml
index abf8e984..a32b025a 100644
--- a/rules/os/os_install_log_retention_configure.yaml
+++ b/rules/os/os_install_log_retention_configure.yaml
@@ -15,7 +15,7 @@ fix: |
 NOTE: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed.
 references:
 cce:
- - N/A
+ - CCE-92811-9
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml
index 80c1d5bf..75db6dfc 100644
--- a/rules/os/os_ir_support_disable.yaml
+++ b/rules/os/os_ir_support_disable.yaml
@@ -17,7 +17,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92812-7
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_isolate_security_functions.yaml b/rules/os/os_isolate_security_functions.yaml
index 9dd05bc0..2885a32c 100644
--- a/rules/os/os_isolate_security_functions.yaml
+++ b/rules/os/os_isolate_security_functions.yaml
@@ -10,7 +10,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92813-5
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_library_validation_enabled.yaml b/rules/os/os_library_validation_enabled.yaml
index 4274a537..63a423b9 100644
--- a/rules/os/os_library_validation_enabled.yaml
+++ b/rules/os/os_library_validation_enabled.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92814-3
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_limit_auditable_events.yaml b/rules/os/os_limit_auditable_events.yaml
index eecbf561..8a6d4e3b 100644
--- a/rules/os/os_limit_auditable_events.yaml
+++ b/rules/os/os_limit_auditable_events.yaml
@@ -8,7 +8,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92815-0
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_limit_dos_attacks.yaml b/rules/os/os_limit_dos_attacks.yaml
index ce70585a..4249e498 100644
--- a/rules/os/os_limit_dos_attacks.yaml
+++ b/rules/os/os_limit_dos_attacks.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - N/A
+ - CCE-92816-8
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_limit_gui_sessions.yaml b/rules/os/os_limit_gui_sessions.yaml
index 78acd75c..b7bce84f 100644
--- a/rules/os/os_limit_gui_sessions.yaml
+++ b/rules/os/os_limit_gui_sessions.yaml
@@ -10,7 +10,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92817-6
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml
index 7bf55677..0302dffc 100644
--- a/rules/os/os_logical_access.yaml
+++ b/rules/os/os_logical_access.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92818-4
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_logoff_capability_and_message.yaml b/rules/os/os_logoff_capability_and_message.yaml
index 0d56d72f..ef800d41 100644
--- a/rules/os/os_logoff_capability_and_message.yaml
+++ b/rules/os/os_logoff_capability_and_message.yaml
@@ -10,7 +10,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92819-2
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml
index 6539da0f..3ae406da 100644
--- a/rules/os/os_mail_app_disable.yaml
+++ b/rules/os/os_mail_app_disable.yaml
@@ -35,7 +35,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92820-0
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml
index 7fdc1494..49466046 100644
--- a/rules/os/os_malicious_code_prevention.yaml
+++ b/rules/os/os_malicious_code_prevention.yaml
@@ -34,7 +34,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92821-8
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_managed_access_control_points.yaml b/rules/os/os_managed_access_control_points.yaml
index 5eb610b4..55c81734 100644
--- a/rules/os/os_managed_access_control_points.yaml
+++ b/rules/os/os_managed_access_control_points.yaml
@@ -10,7 +10,7 @@ fix: |
 The requirement is NA. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92822-6
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_map_pki_identity.yaml b/rules/os/os_map_pki_identity.yaml
index b93a8da3..6b6475e6 100644
--- a/rules/os/os_map_pki_identity.yaml
+++ b/rules/os/os_map_pki_identity.yaml
@@ -8,7 +8,7 @@ fix: |
 For directory bound systems, the technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92823-4
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml
index 9ea132d1..ffa9e09c 100644
--- a/rules/os/os_mdm_require.yaml
+++ b/rules/os/os_mdm_require.yaml
@@ -26,7 +26,7 @@ fix: |
 Ensure that system is enrolled via UAMDM.
 references:
 cce:
- - N/A
+ - CCE-92824-2
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml
index 351054f9..ba134c11 100644
--- a/rules/os/os_messages_app_disable.yaml
+++ b/rules/os/os_messages_app_disable.yaml
@@ -30,7 +30,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92825-9
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_mfa_network_access.yaml b/rules/os/os_mfa_network_access.yaml
index e5db1f6e..0f1c8e32 100644
--- a/rules/os/os_mfa_network_access.yaml
+++ b/rules/os/os_mfa_network_access.yaml
@@ -9,7 +9,7 @@ fix: |
 For directory bound systems, the technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92826-7
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_mfa_network_non-priv.yaml b/rules/os/os_mfa_network_non-priv.yaml
index 74a27b6d..136d72e1 100644
--- a/rules/os/os_mfa_network_non-priv.yaml
+++ b/rules/os/os_mfa_network_non-priv.yaml
@@ -9,7 +9,7 @@ fix: |
 For directory bound systems, the technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92827-5
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_mobile_file_integrity_enable.yaml b/rules/os/os_mobile_file_integrity_enable.yaml
index 4a41e549..a27fbb0c 100644
--- a/rules/os/os_mobile_file_integrity_enable.yaml
+++ b/rules/os/os_mobile_file_integrity_enable.yaml
@@ -13,7 +13,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92828-3
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml
index c1a3871f..69208967 100644
--- a/rules/os/os_newsyslog_files_owner_group_configure.yaml
+++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml
@@ -15,7 +15,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92829-1
 cci:
 - CCI-001314
 800-53r5:
diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml
index 0f5f260c..0c98b6b2 100644
--- a/rules/os/os_newsyslog_files_permissions_configure.yaml
+++ b/rules/os/os_newsyslog_files_permissions_configure.yaml
@@ -14,7 +14,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92830-9
 cci:
 - CCI-001314
 800-53r5:
diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml
index 35b113ab..90300572 100644
--- a/rules/os/os_nfsd_disable.yaml
+++ b/rules/os/os_nfsd_disable.yaml
@@ -14,7 +14,7 @@ fix: |
 The system may need to be restarted for the update to take effect.
 references:
 cce:
- - N/A
+ - CCE-92831-7
 cci:
 - CCI-000381
 800-53r5:
diff --git a/rules/os/os_non_repudiation.yaml b/rules/os/os_non_repudiation.yaml
index bb27ce97..c8c5d9d9 100644
--- a/rules/os/os_non_repudiation.yaml
+++ b/rules/os/os_non_repudiation.yaml
@@ -10,7 +10,7 @@ fix: |
 The requirement is NA. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92832-5
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_nonlocal_maintenance.yaml b/rules/os/os_nonlocal_maintenance.yaml
index befbc261..089ed239 100644
--- a/rules/os/os_nonlocal_maintenance.yaml
+++ b/rules/os/os_nonlocal_maintenance.yaml
@@ -8,7 +8,7 @@ fix: |
 The requirement is NA. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92833-3
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_notify_account_created.yaml b/rules/os/os_notify_account_created.yaml
index 16f58769..ee54e7ec 100644
--- a/rules/os/os_notify_account_created.yaml
+++ b/rules/os/os_notify_account_created.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - N/A
+ - CCE-92834-1
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_notify_account_disabled.yaml b/rules/os/os_notify_account_disabled.yaml
index d5704727..5614756b 100644
--- a/rules/os/os_notify_account_disabled.yaml
+++ b/rules/os/os_notify_account_disabled.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - N/A
+ - CCE-92835-8
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_notify_account_enable.yaml b/rules/os/os_notify_account_enable.yaml
index f33999c7..99f0ce25 100644
--- a/rules/os/os_notify_account_enable.yaml
+++ b/rules/os/os_notify_account_enable.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - N/A
+ - CCE-92836-6
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_notify_account_modified.yaml b/rules/os/os_notify_account_modified.yaml
index 59cb7c6b..63cd63a4 100644
--- a/rules/os/os_notify_account_modified.yaml
+++ b/rules/os/os_notify_account_modified.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - N/A
+ - CCE-92837-4
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_notify_account_removal.yaml b/rules/os/os_notify_account_removal.yaml
index 298609f2..68a1bf8c 100644
--- a/rules/os/os_notify_account_removal.yaml
+++ b/rules/os/os_notify_account_removal.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - N/A
+ - CCE-92838-2
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_notify_unauthorized_baseline_change.yaml b/rules/os/os_notify_unauthorized_baseline_change.yaml
index a2637e7c..759816d2 100644
--- a/rules/os/os_notify_unauthorized_baseline_change.yaml
+++ b/rules/os/os_notify_unauthorized_baseline_change.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - N/A
+ - CCE-92839-0
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml
index 96d8d92e..61bc6133 100644
--- a/rules/os/os_obscure_password.yaml
+++ b/rules/os/os_obscure_password.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92840-8
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_on_device_dictation_enforce.yaml b/rules/os/os_on_device_dictation_enforce.yaml
index f958ef6d..487649a1 100644
--- a/rules/os/os_on_device_dictation_enforce.yaml
+++ b/rules/os/os_on_device_dictation_enforce.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92841-6
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml
index 52b2136c..d893b305 100644
--- a/rules/os/os_parental_controls_enable.yaml
+++ b/rules/os/os_parental_controls_enable.yaml
@@ -17,7 +17,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92842-4
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml
index 4c8a4773..b928ab74 100644
--- a/rules/os/os_password_autofill_disable.yaml
+++ b/rules/os/os_password_autofill_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92843-2
 cci:
 - N/A
 800-53r5:
diff --git a/rules/os/os_password_hint_remove.yaml b/rules/os/os_password_hint_remove.yaml
index 205afeb9..1854c973 100644
--- a/rules/os/os_password_hint_remove.yaml
+++ b/rules/os/os_password_hint_remove.yaml
@@ -15,7 +15,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92844-0 cci: - N/A 800-53r5: diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml index f9f55486..2a7920a2 100644 --- a/rules/os/os_password_proximity_disable.yaml +++ b/rules/os/os_password_proximity_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92845-7 cci: - CCI-000381 800-53r5: diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml index 22e17a2d..c9d91c96 100644 --- a/rules/os/os_password_sharing_disable.yaml +++ b/rules/os/os_password_sharing_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92846-5 800-53r5: - IA-5 800-53r4: diff --git a/rules/os/os_peripherals_identify.yaml b/rules/os/os_peripherals_identify.yaml index 5cd599e3..35148f32 100644 --- a/rules/os/os_peripherals_identify.yaml +++ b/rules/os/os_peripherals_identify.yaml @@ -10,7 +10,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92847-3 cci: - N/A 800-53r5: diff --git a/rules/os/os_pii_deidentification.yaml b/rules/os/os_pii_deidentification.yaml index 27dc8be4..dec2c04a 100644 --- a/rules/os/os_pii_deidentification.yaml +++ b/rules/os/os_pii_deidentification.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - N/A + - CCE-92848-1 cci: - N/A 800-53r5: diff --git a/rules/os/os_pii_quality_control.yaml b/rules/os/os_pii_quality_control.yaml index 2701e4bd..fcae6549 100644 --- a/rules/os/os_pii_quality_control.yaml +++ b/rules/os/os_pii_quality_control.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - N/A + - CCE-92849-9 cci: - N/A 800-53r5: 
diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml index a2e51a22..6d33ed99 100644 --- a/rules/os/os_policy_banner_loginwindow_enforce.yaml +++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml @@ -28,7 +28,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92850-7 cci: - CCI-000048 - CCI-000050 diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml index 72462641..235005a9 100644 --- a/rules/os/os_policy_banner_ssh_configure.yaml +++ b/rules/os/os_policy_banner_ssh_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92851-5 cci: - CCI-000048 800-53r5: diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml index de6c048f..6ad0fafe 100644 --- a/rules/os/os_policy_banner_ssh_enforce.yaml +++ b/rules/os/os_policy_banner_ssh_enforce.yaml @@ -35,7 +35,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92852-3 cci: - CCI-000048 - CCI-000050 diff --git a/rules/os/os_power_nap_disable.yaml b/rules/os/os_power_nap_disable.yaml index a6aad028..b5b28508 100644 --- a/rules/os/os_power_nap_disable.yaml +++ b/rules/os/os_power_nap_disable.yaml @@ -24,7 +24,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92853-1 cci: - N/A 800-53r5: diff --git a/rules/os/os_power_nap_enable.yaml b/rules/os/os_power_nap_enable.yaml index 0a300837..92bd1017 100644 --- a/rules/os/os_power_nap_enable.yaml +++ b/rules/os/os_power_nap_enable.yaml @@ -24,7 +24,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92854-9 cci: - N/A 800-53r5: diff --git a/rules/os/os_predictable_behavior.yaml b/rules/os/os_predictable_behavior.yaml index d0e101a8..46da8db7 100644 --- a/rules/os/os_predictable_behavior.yaml +++ b/rules/os/os_predictable_behavior.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92855-6 cci: - N/A 800-53r5: 
diff --git a/rules/os/os_prevent_priv_execution.yaml b/rules/os/os_prevent_priv_execution.yaml index bed1517f..b66eb6c0 100644 --- a/rules/os/os_prevent_priv_execution.yaml +++ b/rules/os/os_prevent_priv_execution.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92856-4 cci: - N/A 800-53r5: diff --git a/rules/os/os_prevent_priv_functions.yaml b/rules/os/os_prevent_priv_functions.yaml index dc069749..123cf112 100644 --- a/rules/os/os_prevent_priv_functions.yaml +++ b/rules/os/os_prevent_priv_functions.yaml @@ -14,7 +14,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92857-2 cci: - N/A 800-53r5: diff --git a/rules/os/os_prevent_unauthorized_disclosure.yaml b/rules/os/os_prevent_unauthorized_disclosure.yaml index dbe82fc2..f95574b1 100644 --- a/rules/os/os_prevent_unauthorized_disclosure.yaml +++ b/rules/os/os_prevent_unauthorized_disclosure.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92858-0 cci: - N/A 800-53r5: diff --git a/rules/os/os_privacy_principle_minimization.yaml b/rules/os/os_privacy_principle_minimization.yaml index 0ede2a4c..4a517f3b 100644 --- a/rules/os/os_privacy_principle_minimization.yaml +++ b/rules/os/os_privacy_principle_minimization.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - N/A + - CCE-92859-8 cci: - N/A 800-53r5: diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml index dc0776a5..c4f625e6 100644 --- a/rules/os/os_privacy_setup_prompt_disable.yaml +++ b/rules/os/os_privacy_setup_prompt_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92860-6 cci: - CCI-000381 800-53r5: 
diff --git a/rules/os/os_prohibit_remote_activation_collab_devices.yaml b/rules/os/os_prohibit_remote_activation_collab_devices.yaml index a56c0348..ab85c202 100644 --- a/rules/os/os_prohibit_remote_activation_collab_devices.yaml +++ b/rules/os/os_prohibit_remote_activation_collab_devices.yaml @@ -18,7 +18,7 @@ fix: | The technology partially meets this requirement. An appropriate mitigation for the system must be implemented for full compliance. references: cce: - - N/A + - CCE-92861-4 800-53r5: - SC-15 800-53r4: diff --git a/rules/os/os_protect_dos_attacks.yaml b/rules/os/os_protect_dos_attacks.yaml index 3a3031de..f1f0754f 100644 --- a/rules/os/os_protect_dos_attacks.yaml +++ b/rules/os/os_protect_dos_attacks.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - N/A + - CCE-92862-2 cci: - N/A 800-53r5: diff --git a/rules/os/os_provide_automated_account_management.yaml b/rules/os/os_provide_automated_account_management.yaml index 0105b1ea..a268f43f 100644 --- a/rules/os/os_provide_automated_account_management.yaml +++ b/rules/os/os_provide_automated_account_management.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - N/A + - CCE-92863-0 cci: - N/A 800-53r5: diff --git a/rules/os/os_provide_disconnect_remote_access.yaml b/rules/os/os_provide_disconnect_remote_access.yaml index aef4bb8d..451b0101 100644 --- a/rules/os/os_provide_disconnect_remote_access.yaml +++ b/rules/os/os_provide_disconnect_remote_access.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92864-8 cci: - N/A 800-53r5: 
diff --git a/rules/os/os_rapid_security_response_allow.yaml b/rules/os/os_rapid_security_response_allow.yaml index 2a4d25dc..c681bf79 100644 --- a/rules/os/os_rapid_security_response_allow.yaml +++ b/rules/os/os_rapid_security_response_allow.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92865-5 cci: - N/A 800-53r5: diff --git a/rules/os/os_rapid_security_response_removal_disable.yaml b/rules/os/os_rapid_security_response_removal_disable.yaml index e7e57218..65b87f39 100644 --- a/rules/os/os_rapid_security_response_removal_disable.yaml +++ b/rules/os/os_rapid_security_response_removal_disable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92866-3 cci: - N/A 800-53r5: diff --git a/rules/os/os_reauth_devices_change_authenticators.yaml b/rules/os/os_reauth_devices_change_authenticators.yaml index a89319d7..c78c035f 100644 --- a/rules/os/os_reauth_devices_change_authenticators.yaml +++ b/rules/os/os_reauth_devices_change_authenticators.yaml @@ -10,7 +10,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - N/A + - CCE-92867-1 cci: - N/A 800-53r5: diff --git a/rules/os/os_reauth_privilege.yaml b/rules/os/os_reauth_privilege.yaml index 8afb1d1a..3a81b3f7 100644 --- a/rules/os/os_reauth_privilege.yaml +++ b/rules/os/os_reauth_privilege.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92868-9 cci: - N/A 800-53r5: diff --git a/rules/os/os_reauth_users_change_authenticators.yaml b/rules/os/os_reauth_users_change_authenticators.yaml index ef931da2..b7266190 100644 --- a/rules/os/os_reauth_users_change_authenticators.yaml +++ b/rules/os/os_reauth_users_change_authenticators.yaml 
@@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92869-7 cci: - N/A 800-53r5: diff --git a/rules/os/os_recovery_lock_enable.yaml b/rules/os/os_recovery_lock_enable.yaml index fdca30ce..e0dfccb6 100644 --- a/rules/os/os_recovery_lock_enable.yaml +++ b/rules/os/os_recovery_lock_enable.yaml @@ -14,7 +14,7 @@ fix: | NOTE: The SetRecoveryLock command can be used to set a Recovery Lock password and must be from your MDM. references: cce: - - N/A + - CCE-92870-5 cci: - N/A 800-53r5: diff --git a/rules/os/os_remote_access_methods.yaml b/rules/os/os_remote_access_methods.yaml index 5e24af95..9aacaef4 100644 --- a/rules/os/os_remote_access_methods.yaml +++ b/rules/os/os_remote_access_methods.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92871-3 cci: - N/A 800-53r5: diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml index 8c10270f..e096b9e6 100644 --- a/rules/os/os_removable_media_disable.yaml +++ b/rules/os/os_removable_media_disable.yaml @@ -25,7 +25,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92872-1 cci: - CCI-000366 800-53r5: diff --git a/rules/os/os_remove_software_components_after_updates.yaml b/rules/os/os_remove_software_components_after_updates.yaml index ce0f625c..db84c9e6 100644 --- a/rules/os/os_remove_software_components_after_updates.yaml +++ b/rules/os/os_remove_software_components_after_updates.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92873-9 cci: - N/A 800-53r5: diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml index 09fe92ce..7537277d 100644 --- a/rules/os/os_required_crypto_module.yaml +++ b/rules/os/os_required_crypto_module.yaml 
@@ -16,7 +16,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92874-7 cci: - N/A 800-53r5: diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml index 7b3c8bb8..afbf3f4b 100644 --- a/rules/os/os_root_disable.yaml +++ b/rules/os/os_root_disable.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92875-4 cci: - N/A 800-53r5: diff --git a/rules/os/os_safari_advertising_privacy_protection_enable.yaml b/rules/os/os_safari_advertising_privacy_protection_enable.yaml index db3b946f..147d02ef 100644 --- a/rules/os/os_safari_advertising_privacy_protection_enable.yaml +++ b/rules/os/os_safari_advertising_privacy_protection_enable.yaml @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92876-2 cci: - N/A 800-53r5: diff --git a/rules/os/os_safari_open_safe_downloads_disable.yaml b/rules/os/os_safari_open_safe_downloads_disable.yaml index bcb02622..f25c24e3 100644 --- a/rules/os/os_safari_open_safe_downloads_disable.yaml +++ b/rules/os/os_safari_open_safe_downloads_disable.yaml @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92877-0 cci: - N/A 800-53r5: diff --git a/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml b/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml index c0281b40..dc1f5f54 100644 --- a/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml +++ b/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92878-8 cci: - N/A 800-53r5: diff --git a/rules/os/os_safari_show_full_website_address_enable.yaml b/rules/os/os_safari_show_full_website_address_enable.yaml index b9d5df44..246db6e5 100644 --- a/rules/os/os_safari_show_full_website_address_enable.yaml +++ b/rules/os/os_safari_show_full_website_address_enable.yaml 
@@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92879-6 cci: - N/A 800-53r5: diff --git a/rules/os/os_safari_warn_fraudulent_website_enable.yaml b/rules/os/os_safari_warn_fraudulent_website_enable.yaml index a9f44c37..13b42523 100644 --- a/rules/os/os_safari_warn_fraudulent_website_enable.yaml +++ b/rules/os/os_safari_warn_fraudulent_website_enable.yaml @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92880-4 cci: - N/A 800-53r5: diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml index 9d3a05cc..b994709d 100644 --- a/rules/os/os_screensaver_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_loginwindow_enforce.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92881-2 cci: - CCI-000060 800-53r5: diff --git a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml index c82d601b..221adaeb 100644 --- a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml @@ -22,7 +22,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92882-0 cci: - CCI-000057 800-53r5: diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml index d90a07ed..4872192c 100644 --- a/rules/os/os_secure_boot_verify.yaml +++ b/rules/os/os_secure_boot_verify.yaml @@ -14,7 +14,7 @@ fix: | NOTE: Boot into Recovery Mode and enable Full Secure Boot references: cce: - - N/A + - CCE-92883-8 cci: - N/A 800-53r5: diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml index 976e0f49..1d5a70e2 100644 --- a/rules/os/os_secure_enclave.yaml +++ b/rules/os/os_secure_enclave.yaml 
@@ -16,7 +16,7 @@ fix: | The hardware does not support the requirement. references: cce: - - N/A + - CCE-92884-6 cci: - N/A 800-53r5: diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml index 76476d6f..73163389 100644 --- a/rules/os/os_secure_name_resolution.yaml +++ b/rules/os/os_secure_name_resolution.yaml @@ -10,7 +10,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - N/A + - CCE-92885-3 cci: - N/A 800-53r5: diff --git a/rules/os/os_separate_functionality.yaml b/rules/os/os_separate_functionality.yaml index 7de44dff..d139bf27 100644 --- a/rules/os/os_separate_functionality.yaml +++ b/rules/os/os_separate_functionality.yaml @@ -14,7 +14,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92886-1 cci: - N/A 800-53r5: diff --git a/rules/os/os_setup_assistant_filevault_enforce.yaml b/rules/os/os_setup_assistant_filevault_enforce.yaml index 11d5e817..c7280288 100644 --- a/rules/os/os_setup_assistant_filevault_enforce.yaml +++ b/rules/os/os_setup_assistant_filevault_enforce.yaml @@ -15,7 +15,7 @@ fix: | NOTE: See the FileVault supplemental to implement this rule. references: cce: - - N/A + - CCE-92887-9 cci: - N/A 800-53r5: diff --git a/rules/os/os_show_filename_extensions_enable.yaml b/rules/os/os_show_filename_extensions_enable.yaml index 48b6b0e4..70e48b9c 100644 --- a/rules/os/os_show_filename_extensions_enable.yaml +++ b/rules/os/os_show_filename_extensions_enable.yaml @@ -22,7 +22,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92888-7 cci: - N/A 800-53r5: diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index e2a0f33c..6d00a8f4 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml 
@@ -18,7 +18,7 @@ fix: | NOTE: To reenable "System Integrity Protection", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command. references: cce: - - N/A + - CCE-92889-5 cci: - CCI-000154 - CCI-000158 diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml index 550f3310..2be71a8d 100644 --- a/rules/os/os_siri_prompt_disable.yaml +++ b/rules/os/os_siri_prompt_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92890-3 cci: - CCI-000381 - CCI-001774 diff --git a/rules/os/os_skip_screen_time_prompt_enable.yaml b/rules/os/os_skip_screen_time_prompt_enable.yaml index 96083891..f23482d7 100644 --- a/rules/os/os_skip_screen_time_prompt_enable.yaml +++ b/rules/os/os_skip_screen_time_prompt_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92891-1 cci: - CCI-000381 800-53r5: diff --git a/rules/os/os_skip_unlock_with_watch_enable.yaml b/rules/os/os_skip_unlock_with_watch_enable.yaml index db3ab78a..56a5ca3a 100644 --- a/rules/os/os_skip_unlock_with_watch_enable.yaml +++ b/rules/os/os_skip_unlock_with_watch_enable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92892-9 cci: - CCI-000381 800-53r5: diff --git a/rules/os/os_software_update_deferral.yaml b/rules/os/os_software_update_deferral.yaml index 97dceca8..775e8b45 100644 --- a/rules/os/os_software_update_deferral.yaml +++ b/rules/os/os_software_update_deferral.yaml @@ -20,7 +20,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92893-7 cci: - N/A 800-53r5: diff --git a/rules/os/os_ssh_fips_compliant.yaml b/rules/os/os_ssh_fips_compliant.yaml index 2162c6ae..60f0cff1 100644 --- a/rules/os/os_ssh_fips_compliant.yaml +++ b/rules/os/os_ssh_fips_compliant.yaml 
@@ -35,7 +35,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92894-5 cci: - N/A 800-53r5: diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml index 25570b84..49fbcfd5 100644 --- a/rules/os/os_ssh_server_alive_count_max_configure.yaml +++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml @@ -29,7 +29,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92895-2 cci: - N/A 800-53r5: diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml index 5be1bc8a..da6dccdb 100644 --- a/rules/os/os_ssh_server_alive_interval_configure.yaml +++ b/rules/os/os_ssh_server_alive_interval_configure.yaml @@ -31,7 +31,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92896-0 cci: - N/A 800-53r5: diff --git a/rules/os/os_sshd_channel_timeout_configure.yaml b/rules/os/os_sshd_channel_timeout_configure.yaml index 661d0166..1ce819c5 100644 --- a/rules/os/os_sshd_channel_timeout_configure.yaml +++ b/rules/os/os_sshd_channel_timeout_configure.yaml @@ -33,7 +33,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92897-8 cci: - N/A 800-53r5: diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml index ca740adb..1f3b6978 100644 --- a/rules/os/os_sshd_client_alive_count_max_configure.yaml +++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml @@ -35,7 +35,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92898-6 cci: - CCI-001133 800-53r5: diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml index fb107f0e..3fbc67fd 100644 --- a/rules/os/os_sshd_client_alive_interval_configure.yaml +++ b/rules/os/os_sshd_client_alive_interval_configure.yaml @@ -37,7 +37,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92899-4 cci: - CCI-001133 800-53r5: 
diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml index ae85b1fc..871d2a9b 100644 --- a/rules/os/os_sshd_fips_140_ciphers.yaml +++ b/rules/os/os_sshd_fips_140_ciphers.yaml @@ -35,7 +35,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92900-0 cci: - N/A 800-53r5: diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml index f7232cc6..27399c51 100644 --- a/rules/os/os_sshd_fips_140_macs.yaml +++ b/rules/os/os_sshd_fips_140_macs.yaml @@ -35,7 +35,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92901-8 cci: - N/A 800-53r5: diff --git a/rules/os/os_sshd_fips_compliant.yaml b/rules/os/os_sshd_fips_compliant.yaml index 82bd2c12..d9b5a834 100644 --- a/rules/os/os_sshd_fips_compliant.yaml +++ b/rules/os/os_sshd_fips_compliant.yaml @@ -45,7 +45,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92902-6 cci: - N/A 800-53r5: diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml index 14c88d37..7a77dd57 100644 --- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml +++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml @@ -35,7 +35,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92903-4 cci: - N/A 800-53r5: diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml index 052f8a80..0ae3b852 100644 --- a/rules/os/os_sshd_login_grace_time_configure.yaml +++ b/rules/os/os_sshd_login_grace_time_configure.yaml @@ -31,7 +31,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92904-2 cci: - CCI-001133 800-53r5: diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml index e1b7a889..6886efba 100644 --- a/rules/os/os_sshd_permit_root_login_configure.yaml +++ b/rules/os/os_sshd_permit_root_login_configure.yaml @@ -33,7 +33,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92905-9 cci: - CCI-000770 800-53r5: 
diff --git a/rules/os/os_sshd_unused_connection_timeout_configure.yaml b/rules/os/os_sshd_unused_connection_timeout_configure.yaml index d49cfb00..852c20de 100644 --- a/rules/os/os_sshd_unused_connection_timeout_configure.yaml +++ b/rules/os/os_sshd_unused_connection_timeout_configure.yaml @@ -33,7 +33,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92906-7 cci: - N/A 800-53r5: diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml index 397cb866..f7cb6ae5 100644 --- a/rules/os/os_store_encrypted_passwords.yaml +++ b/rules/os/os_store_encrypted_passwords.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92907-5 cci: - N/A 800-53r5: diff --git a/rules/os/os_sudo_timeout_configure.yaml b/rules/os/os_sudo_timeout_configure.yaml index 7645717c..bfcc4aa8 100644 --- a/rules/os/os_sudo_timeout_configure.yaml +++ b/rules/os/os_sudo_timeout_configure.yaml @@ -14,7 +14,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92908-3 cci: - CCI-002038 800-53r5: diff --git a/rules/os/os_sudoers_timestamp_type_configure.yaml b/rules/os/os_sudoers_timestamp_type_configure.yaml index bec35b0f..ab132078 100644 --- a/rules/os/os_sudoers_timestamp_type_configure.yaml +++ b/rules/os/os_sudoers_timestamp_type_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92909-1 cci: - N/A 800-53r5: diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml index ee8d8ed9..99b06b7a 100644 --- a/rules/os/os_system_read_only.yaml +++ b/rules/os/os_system_read_only.yaml @@ -12,7 +12,7 @@ fix: | NOTE: To remount the System volume as Read Only, rebooting the computer will mount it as Read Only. references: cce: - - N/A + - CCE-92910-9 cci: - N/A 800-53r5: diff --git a/rules/os/os_system_wide_applications_configure.yaml b/rules/os/os_system_wide_applications_configure.yaml index 343496f9..e7a7d44b 100644 
--- a/rules/os/os_system_wide_applications_configure.yaml +++ b/rules/os/os_system_wide_applications_configure.yaml @@ -16,7 +16,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92911-7 cci: - N/A 800-53r5: diff --git a/rules/os/os_terminal_secure_keyboard_enable.yaml b/rules/os/os_terminal_secure_keyboard_enable.yaml index 058aa744..64159c3f 100644 --- a/rules/os/os_terminal_secure_keyboard_enable.yaml +++ b/rules/os/os_terminal_secure_keyboard_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92912-5 cci: - N/A 800-53r5: diff --git a/rules/os/os_terminate_session.yaml b/rules/os/os_terminate_session.yaml index 0b004f60..fe33f62b 100644 --- a/rules/os/os_terminate_session.yaml +++ b/rules/os/os_terminate_session.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92913-3 cci: - N/A 800-53r5: diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index 2aff5934..bae5abd6 100644 --- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml @@ -18,7 +18,7 @@ fix: | The system may need to be restarted for the update to take effect. references: cce: - - N/A + - CCE-92914-1 cci: - CCI-000197 800-53r5: diff --git a/rules/os/os_time_offset_limit_configure.yaml b/rules/os/os_time_offset_limit_configure.yaml index b44e51f2..49285c42 100644 --- a/rules/os/os_time_offset_limit_configure.yaml +++ b/rules/os/os_time_offset_limit_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92915-8 cci: - N/A 800-53r5: diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml index f974f9fe..2b6df84c 100644 --- a/rules/os/os_time_server_enabled.yaml +++ b/rules/os/os_time_server_enabled.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92916-6 cci: - CCI-002046 - CCI-001891 
diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml index 372fffa6..efee84d6 100644 --- a/rules/os/os_touchid_prompt_disable.yaml +++ b/rules/os/os_touchid_prompt_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92917-4 cci: - CCI-000381 800-53r5: diff --git a/rules/os/os_unique_identification.yaml b/rules/os/os_unique_identification.yaml index 94422cd4..823919f0 100644 --- a/rules/os/os_unique_identification.yaml +++ b/rules/os/os_unique_identification.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92918-2 cci: - N/A 800-53r5: diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml index 81f5d0d8..1d3abfe9 100644 --- a/rules/os/os_unlock_active_user_session_disable.yaml +++ b/rules/os/os_unlock_active_user_session_disable.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92919-0 cci: - N/A 800-53r5: diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml index 20aaa9ae..160e0510 100644 --- a/rules/os/os_user_app_installation_prohibit.yaml +++ b/rules/os/os_user_app_installation_prohibit.yaml @@ -30,7 +30,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92920-8 cci: - N/A 800-53r5: diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml index 4724a567..b1c7d372 100644 --- a/rules/os/os_uucp_disable.yaml +++ b/rules/os/os_uucp_disable.yaml @@ -18,7 +18,7 @@ fix: | The system may need to be restarted for the update to take effect. references: cce: - - N/A + - CCE-92921-6 cci: - CCI-000381 800-53r5: diff --git a/rules/os/os_verify_remote_disconnection.yaml b/rules/os/os_verify_remote_disconnection.yaml index 92e5b585..771fe846 100644 
--- a/rules/os/os_verify_remote_disconnection.yaml +++ b/rules/os/os_verify_remote_disconnection.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92922-4 cci: - N/A 800-53r5: diff --git a/rules/os/os_world_writable_library_folder_configure.yaml b/rules/os/os_world_writable_library_folder_configure.yaml index 897f41c7..136646e5 100644 --- a/rules/os/os_world_writable_library_folder_configure.yaml +++ b/rules/os/os_world_writable_library_folder_configure.yaml @@ -18,7 +18,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92923-2 cci: - N/A 800-53r5: diff --git a/rules/os/os_world_writable_system_folder_configure.yaml b/rules/os/os_world_writable_system_folder_configure.yaml index 908ef381..7e8eb61c 100644 --- a/rules/os/os_world_writable_system_folder_configure.yaml +++ b/rules/os/os_world_writable_system_folder_configure.yaml @@ -16,7 +16,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92924-0 cci: - N/A 800-53r5: diff --git a/rules/pwpolicy/pwpolicy_50_percent.yaml b/rules/pwpolicy/pwpolicy_50_percent.yaml index 6bb5b3f3..e3cf3b22 100644 --- a/rules/pwpolicy/pwpolicy_50_percent.yaml +++ b/rules/pwpolicy/pwpolicy_50_percent.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - N/A + - CCE-92925-7 cci: - N/A 800-53r5: diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml index db2d989f..2b84368b 100644 --- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml @@ -36,7 +36,7 @@ fix: | NOTE: See the password policy supplemental on more information on how to implement password policies on macOS. references: cce: - - N/A + - CCE-92926-5 cci: - N/A 800-53r5: 
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml index 2ade03f4..6dd85776 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92927-3 cci: - CCI-002238 800-53r5: diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml index 15528f41..b3f34303 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92928-1 cci: - CCI-002238 800-53r5: diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml index 45fe1ef1..c981aa0f 100644 --- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92929-9 cci: - CCI-000194 800-53r5: diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml index d19f2f0a..91495587 100644 --- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml @@ -16,7 +16,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-92930-7 cci: - N/A 800-53r5: diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml index 3a6860a9..bd59b1b9 100644 --- a/rules/pwpolicy/pwpolicy_force_password_change.yaml +++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml 
@@ -17,7 +17,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92931-5
 cci:
 - N/A
 800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml
index 6b1242ac..c9629a0e 100644
--- a/rules/pwpolicy/pwpolicy_history_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml
@@ -16,7 +16,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92932-3
 cci:
 - CCI-000200
 800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
index acf230a3..0cf55840 100644
--- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
@@ -38,7 +38,7 @@ fix: |
 NOTE: See the password policy supplemental on more information on how to implement password policies on macOS.
 references:
 cce:
- - N/A
+ - CCE-92933-1
 cci:
 - N/A
 800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml
index 76e1e37c..59cf49dc 100644
--- a/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml
@@ -16,7 +16,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92934-9
 cci:
 - N/A
 800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
index 4ed8b40b..1528fa1a 100644
--- a/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
@@ -14,7 +14,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92935-6
 cci:
 - CCI-000199
 800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
index 0a517bd1..3ca84d3f 100644
--- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
@@ -14,7 +14,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92936-4
 cci:
 - CCI-000205
 800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
index 00c1eacc..4073694e 100644
--- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
@@ -38,7 +38,7 @@ fix: |
 NOTE: See the password policy supplemental on more information on how to implement password policies on macOS.
 references:
 cce:
- - N/A
+ - CCE-92937-2
 cci:
 - N/A
 800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
index 7d006111..88f9d61a 100644
--- a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
+++ b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - N/A
+ - CCE-92938-0
 cci:
 - N/A
 800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
index 709b90f1..fe6247e2 100644
--- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
@@ -14,7 +14,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92939-8
 cci:
 - CCI-001619
 800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
index fbfecb04..54e1e4b8 100644
--- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
@@ -16,7 +16,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92940-6
 cci:
 - CCI-001619
 800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
index e04d8836..07d8be9c 100644
--- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
@@ -14,7 +14,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - N/A
+ - CCE-92941-4
 cci:
 - N/A
 800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
index e8c72a55..dc618b79 100644
--- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
@@ -56,7 +56,7 @@ fix: |
 /usr/bin/pwpolicy -u username setaccountpolicies /path/to/file
 references:
 cce:
- - N/A
+ - CCE-92942-2
 cci:
 - CCI-001682
 - CCI-000016
diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
index 497d96c6..3bac2a39 100644
--- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
@@ -38,7 +38,7 @@ fix: |
 NOTE: See the password policy supplemental on more information on how to implement password policies on macOS.
 references:
 cce:
- - N/A
+ - CCE-92943-0
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_airplay_receiver_disable.yaml b/rules/system_settings/system_settings_airplay_receiver_disable.yaml
index e2c1ba61..169eaafe 100644
--- a/rules/system_settings/system_settings_airplay_receiver_disable.yaml
+++ b/rules/system_settings/system_settings_airplay_receiver_disable.yaml
@@ -17,7 +17,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92944-8
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
index 6e70cc81..97b1e566 100644
--- a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
+++ b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92945-5
 cci:
 - CCI-000056
 800-53r5:
diff --git a/rules/system_settings/system_settings_assistant_disable.yaml b/rules/system_settings/system_settings_assistant_disable.yaml
index cfd45ca3..e2bfc8c9 100644
--- a/rules/system_settings/system_settings_assistant_disable.yaml
+++ b/rules/system_settings/system_settings_assistant_disable.yaml
@@ -17,7 +17,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92946-3
 cci:
 - CCI-000381
 - CCI-001774
diff --git a/rules/system_settings/system_settings_automatic_login_disable.yaml b/rules/system_settings/system_settings_automatic_login_disable.yaml
index 6ed9e69f..de2c76f2 100644
--- a/rules/system_settings/system_settings_automatic_login_disable.yaml
+++ b/rules/system_settings/system_settings_automatic_login_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92947-1
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/system_settings/system_settings_automatic_logout_enforce.yaml b/rules/system_settings/system_settings_automatic_logout_enforce.yaml
index c679a67a..2d8a69b9 100644
--- a/rules/system_settings/system_settings_automatic_logout_enforce.yaml
+++ b/rules/system_settings/system_settings_automatic_logout_enforce.yaml
@@ -20,7 +20,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92948-9
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_bluetooth_disable.yaml b/rules/system_settings/system_settings_bluetooth_disable.yaml
index 76e8e0a9..872606fa 100644
--- a/rules/system_settings/system_settings_bluetooth_disable.yaml
+++ b/rules/system_settings/system_settings_bluetooth_disable.yaml
@@ -18,7 +18,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92949-7
 cci:
 - CCI-001967
 - CCI-002418
diff --git a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml
index 1237503d..9bc2524b 100644
--- a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml
+++ b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92950-5
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml b/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml
index 017e006f..43d792a4 100644
--- a/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml
+++ b/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml
@@ -14,7 +14,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92951-3
 cci:
 - CCI-002418
 - CCI-001967
diff --git a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml
index 66f404d5..99053b81 100644
--- a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml
@@ -24,7 +24,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92952-1
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml b/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml
index a0028d07..e3420079 100644
--- a/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml
@@ -13,7 +13,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92953-9
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_content_caching_disable.yaml b/rules/system_settings/system_settings_content_caching_disable.yaml
index 7fa72252..c3a5e5d3 100644
--- a/rules/system_settings/system_settings_content_caching_disable.yaml
+++ b/rules/system_settings/system_settings_content_caching_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92954-7
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_critical_update_install_enforce.yaml b/rules/system_settings/system_settings_critical_update_install_enforce.yaml
index 01344b2d..f622e6c8 100644
--- a/rules/system_settings/system_settings_critical_update_install_enforce.yaml
+++ b/rules/system_settings/system_settings_critical_update_install_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92955-4
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml
index c426951e..59097f2e 100644
--- a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml
+++ b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml
@@ -24,7 +24,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92956-2
 cci:
 - CCI-000382
 800-53r5:
diff --git a/rules/system_settings/system_settings_filevault_enforce.yaml b/rules/system_settings/system_settings_filevault_enforce.yaml
index 8589bdee..13257a44 100644
--- a/rules/system_settings/system_settings_filevault_enforce.yaml
+++ b/rules/system_settings/system_settings_filevault_enforce.yaml
@@ -22,7 +22,7 @@ fix: |
 NOTE: See the FileVault supplemental to implement this rule.
 references:
 cce:
- - N/A
+ - CCE-92957-0
 cci:
 - CCI-001199
 - CCI-002475
diff --git a/rules/system_settings/system_settings_find_my_disable.yaml b/rules/system_settings/system_settings_find_my_disable.yaml
index ecc5cb37..3827370f 100644
--- a/rules/system_settings/system_settings_find_my_disable.yaml
+++ b/rules/system_settings/system_settings_find_my_disable.yaml
@@ -28,7 +28,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92958-8
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_firewall_enable.yaml b/rules/system_settings/system_settings_firewall_enable.yaml
index ea51e7c5..06f80b5b 100644
--- a/rules/system_settings/system_settings_firewall_enable.yaml
+++ b/rules/system_settings/system_settings_firewall_enable.yaml
@@ -27,7 +27,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92959-6
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
index 821d1761..49edf5cc 100644
--- a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
+++ b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
@@ -32,7 +32,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92960-4
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
index 24c3b4f5..68e4554d 100644
--- a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
+++ b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
@@ -15,7 +15,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92961-2
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml
index b0496837..9bb8dd7e 100644
--- a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml
+++ b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92962-0
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_guest_access_smb_disable.yaml b/rules/system_settings/system_settings_guest_access_smb_disable.yaml
index 740fb6ae..9bb6c0c8 100644
--- a/rules/system_settings/system_settings_guest_access_smb_disable.yaml
+++ b/rules/system_settings/system_settings_guest_access_smb_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92963-8
 cci:
 - N/A
 800-171r2:
diff --git a/rules/system_settings/system_settings_guest_account_disable.yaml b/rules/system_settings/system_settings_guest_account_disable.yaml
index 1fc5fbe1..a2e663f8 100644
--- a/rules/system_settings/system_settings_guest_account_disable.yaml
+++ b/rules/system_settings/system_settings_guest_account_disable.yaml
@@ -24,7 +24,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92964-6
 cci:
 - CCI-001813
 800-53r5:
diff --git a/rules/system_settings/system_settings_hot_corners_disable.yaml b/rules/system_settings/system_settings_hot_corners_disable.yaml
index 08491124..85071eaf 100644
--- a/rules/system_settings/system_settings_hot_corners_disable.yaml
+++ b/rules/system_settings/system_settings_hot_corners_disable.yaml
@@ -12,7 +12,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92965-3
 cci:
 - CCI-000060
 800-53r5:
diff --git a/rules/system_settings/system_settings_hot_corners_secure.yaml b/rules/system_settings/system_settings_hot_corners_secure.yaml
index 20cc42c9..011cd989 100644
--- a/rules/system_settings/system_settings_hot_corners_secure.yaml
+++ b/rules/system_settings/system_settings_hot_corners_secure.yaml
@@ -25,7 +25,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92966-1
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml
index 63830e7f..16460905 100644
--- a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml
+++ b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92967-9
 cci:
 - CCI-000382
 800-53r5:
diff --git a/rules/system_settings/system_settings_install_macos_updates_enforce.yaml b/rules/system_settings/system_settings_install_macos_updates_enforce.yaml
index 4fed6696..fc8cd115 100644
--- a/rules/system_settings/system_settings_install_macos_updates_enforce.yaml
+++ b/rules/system_settings/system_settings_install_macos_updates_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92968-7
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_internet_accounts_disable.yaml b/rules/system_settings/system_settings_internet_accounts_disable.yaml
index a6eee978..6b2a3b4b 100644
--- a/rules/system_settings/system_settings_internet_accounts_disable.yaml
+++ b/rules/system_settings/system_settings_internet_accounts_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92969-5
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml b/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml
index 58c5c605..a27db767 100644
--- a/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml
+++ b/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml
@@ -19,7 +19,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92970-3
 cci:
 - CCI-000381
 800-53r5:
diff --git a/rules/system_settings/system_settings_internet_sharing_disable.yaml b/rules/system_settings/system_settings_internet_sharing_disable.yaml
index 204242a4..b984f8de 100644
--- a/rules/system_settings/system_settings_internet_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_internet_sharing_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92971-1
 cci:
 - CCI-000381
 800-53r5:
diff --git a/rules/system_settings/system_settings_location_services_disable.yaml b/rules/system_settings/system_settings_location_services_disable.yaml
index 72f6b3b6..8c98f26f 100644
--- a/rules/system_settings/system_settings_location_services_disable.yaml
+++ b/rules/system_settings/system_settings_location_services_disable.yaml
@@ -18,7 +18,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92972-9
 cci:
 - CCI-000381
 800-53r5:
diff --git a/rules/system_settings/system_settings_location_services_enable.yaml b/rules/system_settings/system_settings_location_services_enable.yaml
index 82046671..eb316007 100644
--- a/rules/system_settings/system_settings_location_services_enable.yaml
+++ b/rules/system_settings/system_settings_location_services_enable.yaml
@@ -16,7 +16,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92973-7
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_location_services_menu_enforce.yaml b/rules/system_settings/system_settings_location_services_menu_enforce.yaml
index 82fed1bb..373bf915 100644
--- a/rules/system_settings/system_settings_location_services_menu_enforce.yaml
+++ b/rules/system_settings/system_settings_location_services_menu_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92974-5
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml b/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
index f97e6eb7..84d20048 100644
--- a/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
+++ b/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92975-2
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml b/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
index c20d93ec..13013a6e 100644
--- a/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
+++ b/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92976-0
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/system_settings/system_settings_media_sharing_disabled.yaml b/rules/system_settings/system_settings_media_sharing_disabled.yaml
index 17a72015..eac26f16 100644
--- a/rules/system_settings/system_settings_media_sharing_disabled.yaml
+++ b/rules/system_settings/system_settings_media_sharing_disabled.yaml
@@ -30,7 +30,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92977-8
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_password_hints_disable.yaml b/rules/system_settings/system_settings_password_hints_disable.yaml
index ed6de7bd..9111a3a7 100644
--- a/rules/system_settings/system_settings_password_hints_disable.yaml
+++ b/rules/system_settings/system_settings_password_hints_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92978-6
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/system_settings/system_settings_personalized_advertising_disable.yaml b/rules/system_settings/system_settings_personalized_advertising_disable.yaml
index 39cd2c72..1f9a7c4a 100644
--- a/rules/system_settings/system_settings_personalized_advertising_disable.yaml
+++ b/rules/system_settings/system_settings_personalized_advertising_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92979-4
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_printer_sharing_disable.yaml b/rules/system_settings/system_settings_printer_sharing_disable.yaml
index 7949be41..a2bc6be0 100644
--- a/rules/system_settings/system_settings_printer_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_printer_sharing_disable.yaml
@@ -14,7 +14,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92980-2
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_rae_disable.yaml b/rules/system_settings/system_settings_rae_disable.yaml
index da177a02..a9f781e6 100644
--- a/rules/system_settings/system_settings_rae_disable.yaml
+++ b/rules/system_settings/system_settings_rae_disable.yaml
@@ -17,7 +17,7 @@ fix: |
 NOTE: Systemsetup with -setremoteappleevents flag will fail unless you grant Full Disk Access to systemsetup or it's parent process. Requires supervision.
 references:
 cce:
- - N/A
+ - CCE-92981-0
 cci:
 - CCI-000382
 800-53r5:
diff --git a/rules/system_settings/system_settings_remote_management_disable.yaml b/rules/system_settings/system_settings_remote_management_disable.yaml
index 0b9a5f1c..76925341 100644
--- a/rules/system_settings/system_settings_remote_management_disable.yaml
+++ b/rules/system_settings/system_settings_remote_management_disable.yaml
@@ -13,7 +13,7 @@ fix: |
 ----
 references:
 cce:
- - N/A
+ - CCE-92982-8
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_screen_sharing_disable.yaml b/rules/system_settings/system_settings_screen_sharing_disable.yaml
index e9c7e085..5db7bf0c 100644
--- a/rules/system_settings/system_settings_screen_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_screen_sharing_disable.yaml
@@ -16,7 +16,7 @@ fix: |
 NOTE - This will apply to the whole system
 references:
 cce:
- - N/A
+ - CCE-92983-6
 cci:
 - CCI-000366
 800-53r5:
diff --git a/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml b/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
index 0eaac33b..a8a9d7a3 100644
--- a/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
+++ b/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
@@ -22,7 +22,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92984-4
 cci:
 - CCI-000056
 800-53r5:
diff --git a/rules/system_settings/system_settings_screensaver_password_enforce.yaml b/rules/system_settings/system_settings_screensaver_password_enforce.yaml
index bafcdbea..1fec3cc0 100644
--- a/rules/system_settings/system_settings_screensaver_password_enforce.yaml
+++ b/rules/system_settings/system_settings_screensaver_password_enforce.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92985-1
 cci:
 - CCI-000056
 800-53r5:
diff --git a/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml b/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml
index b35ecd58..e1f75f62 100644
--- a/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml
+++ b/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml
@@ -22,7 +22,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92986-9
 cci:
 - CCI-000057
 800-53r5:
diff --git a/rules/system_settings/system_settings_siri_disable.yaml b/rules/system_settings/system_settings_siri_disable.yaml
index 06a1b165..73a698b2 100644
--- a/rules/system_settings/system_settings_siri_disable.yaml
+++ b/rules/system_settings/system_settings_siri_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92987-7
 cci:
 - CCI-000381
 - CCI-001774
diff --git a/rules/system_settings/system_settings_siri_prefpane_disable.yaml b/rules/system_settings/system_settings_siri_prefpane_disable.yaml
index b32bc4e3..d4b422ee 100644
--- a/rules/system_settings/system_settings_siri_prefpane_disable.yaml
+++ b/rules/system_settings/system_settings_siri_prefpane_disable.yaml
@@ -14,7 +14,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92988-5
 cci:
 - CCI-000381
 - CCI-001774
diff --git a/rules/system_settings/system_settings_smbd_disable.yaml b/rules/system_settings/system_settings_smbd_disable.yaml
index e6b05807..c19552aa 100644
--- a/rules/system_settings/system_settings_smbd_disable.yaml
+++ b/rules/system_settings/system_settings_smbd_disable.yaml
@@ -16,7 +16,7 @@ fix: |
 The system may need to be restarted for the update to take effect.
 references:
 cce:
- - N/A
+ - CCE-92989-3
 cci:
 - CCI-000381
 800-53r5:
diff --git a/rules/system_settings/system_settings_software_update_app_update_enforce.yaml b/rules/system_settings/system_settings_software_update_app_update_enforce.yaml
index a567c8ea..a1818303 100644
--- a/rules/system_settings/system_settings_software_update_app_update_enforce.yaml
+++ b/rules/system_settings/system_settings_software_update_app_update_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92990-1
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_software_update_download_enforce.yaml b/rules/system_settings/system_settings_software_update_download_enforce.yaml
index 4c63fac3..a55de19c 100644
--- a/rules/system_settings/system_settings_software_update_download_enforce.yaml
+++ b/rules/system_settings/system_settings_software_update_download_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92991-9
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_software_update_enforce.yaml b/rules/system_settings/system_settings_software_update_enforce.yaml
index 621d3cca..635069c5 100644
--- a/rules/system_settings/system_settings_software_update_enforce.yaml
+++ b/rules/system_settings/system_settings_software_update_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - N/A
+ - CCE-92992-7
 cci:
 - N/A
 800-53r5:
diff --git a/rules/system_settings/system_settings_softwareupdate_current.yaml b/rules/system_settings/system_settings_softwareupdate_current.yaml
index 44ec24d8..77eb1404 100644
--- a/rules/system_settings/system_settings_softwareupdate_current.yaml
+++ b/rules/system_settings/system_settings_softwareupdate_current.yaml
@@ -22,7 +22,7 @@ fix: | NOTE - This will apply to the whole system references: cce: - - N/A + - CCE-92993-5 cci: - N/A 800-53r5: diff --git a/rules/system_settings/system_settings_ssh_disable.yaml b/rules/system_settings/system_settings_ssh_disable.yaml index 7af42cd0..39d16a3b 100644 --- a/rules/system_settings/system_settings_ssh_disable.yaml +++ b/rules/system_settings/system_settings_ssh_disable.yaml @@ -15,7 +15,7 @@ fix: | NOTE: Systemsetup with -setremotelogin flag will fail unless you grant Full Disk Access to systemsetup or it's parent process. Requires supervision. references: cce: - - N/A + - CCE-92994-3 cci: - CCI-000068 - CCI-001453 diff --git a/rules/system_settings/system_settings_ssh_enable.yaml b/rules/system_settings/system_settings_ssh_enable.yaml index cb89a5f8..5f58aa0e 100644 --- a/rules/system_settings/system_settings_ssh_enable.yaml +++ b/rules/system_settings/system_settings_ssh_enable.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92995-0 cci: - N/A 800-53r5: diff --git a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml index e0663152..0a7a5910 100644 --- a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml +++ b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml @@ -33,7 +33,7 @@ fix: | ---- references: cce: - - N/A + - CCE-92996-8 cci: - CCI-001958 800-53r5: diff --git a/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml b/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml index 751720cd..f21085b7 100644 --- a/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml +++ b/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92997-6 cci: - N/A 800-53r5: 
diff --git a/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml b/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml index 14e5b4ef..274b212a 100644 --- a/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml +++ b/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml @@ -22,7 +22,7 @@ fix: | . Click *Use Disk* references: cce: - - N/A + - CCE-92998-4 cci: - N/A 800-53r5: diff --git a/rules/system_settings/system_settings_time_server_configure.yaml b/rules/system_settings/system_settings_time_server_configure.yaml index 6586a06b..e3d3245d 100644 --- a/rules/system_settings/system_settings_time_server_configure.yaml +++ b/rules/system_settings/system_settings_time_server_configure.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-92999-2 cci: - CCI-001891 - CCI-002046 diff --git a/rules/system_settings/system_settings_time_server_enforce.yaml b/rules/system_settings/system_settings_time_server_enforce.yaml index 7ee23cee..f388980e 100644 --- a/rules/system_settings/system_settings_time_server_enforce.yaml +++ b/rules/system_settings/system_settings_time_server_enforce.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-93000-8 cci: - CCI-001891 - CCI-002046 diff --git a/rules/system_settings/system_settings_token_removal_enforce.yaml b/rules/system_settings/system_settings_token_removal_enforce.yaml index b188359f..2523e0b1 100644 --- a/rules/system_settings/system_settings_token_removal_enforce.yaml +++ b/rules/system_settings/system_settings_token_removal_enforce.yaml @@ -20,7 +20,7 @@ fix: This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-93001-6 cci: - CCI-000058 800-53r5: 
diff --git a/rules/system_settings/system_settings_touch_id_pane_disable.yaml b/rules/system_settings/system_settings_touch_id_pane_disable.yaml index f7f8938e..99ccc4f7 100644 --- a/rules/system_settings/system_settings_touch_id_pane_disable.yaml +++ b/rules/system_settings/system_settings_touch_id_pane_disable.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-93002-4 cci: - CCI-000381 - CCI-001774 diff --git a/rules/system_settings/system_settings_touchid_unlock_disable.yaml b/rules/system_settings/system_settings_touchid_unlock_disable.yaml index 6bdb8e76..a01c1edc 100644 --- a/rules/system_settings/system_settings_touchid_unlock_disable.yaml +++ b/rules/system_settings/system_settings_touchid_unlock_disable.yaml @@ -17,7 +17,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-93003-2 cci: - N/A 800-53r5: diff --git a/rules/system_settings/system_settings_usb_restricted_mode.yaml b/rules/system_settings/system_settings_usb_restricted_mode.yaml index 6e332948..a9eb335c 100644 --- a/rules/system_settings/system_settings_usb_restricted_mode.yaml +++ b/rules/system_settings/system_settings_usb_restricted_mode.yaml @@ -25,7 +25,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-93004-0 cci: - N/A 800-53r5: diff --git a/rules/system_settings/system_settings_wake_network_access_disable.yaml b/rules/system_settings/system_settings_wake_network_access_disable.yaml index 63d249cf..828c885d 100644 --- a/rules/system_settings/system_settings_wake_network_access_disable.yaml +++ b/rules/system_settings/system_settings_wake_network_access_disable.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-93005-7 cci: - N/A 800-53r5: 
diff --git a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml b/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml index 304230b6..8f4b13d8 100644 --- a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml +++ b/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-93006-5 cci: - CCI-000381 - CCI-001774 diff --git a/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml b/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml index 9e85eb53..cec8336c 100644 --- a/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml +++ b/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-93007-3 cci: - CCI-000381 - CCI-001774 diff --git a/rules/system_settings/system_settings_wifi_disable.yaml b/rules/system_settings/system_settings_wifi_disable.yaml index c1749d74..fb87d55b 100644 --- a/rules/system_settings/system_settings_wifi_disable.yaml +++ b/rules/system_settings/system_settings_wifi_disable.yaml @@ -18,7 +18,7 @@ fix: | ---- references: cce: - - N/A + - CCE-93008-1 cci: - N/A 800-53r5: diff --git a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml index d5281316..3016e9f0 100644 --- a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml +++ b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml 
@@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - N/A + - CCE-93009-9 cci: - N/A 800-53r5: diff --git a/rules/system_settings/system_settings_wifi_menu_enable.yaml b/rules/system_settings/system_settings_wifi_menu_enable.yaml index 79e951ac..cb74f675 100644 --- a/rules/system_settings/system_settings_wifi_menu_enable.yaml +++ b/rules/system_settings/system_settings_wifi_menu_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-93010-7 cci: - N/A 800-53r5: From 889de402ab9021375b77f07274b132220acc62dc Mon Sep 17 00:00:00 2001 From: mahlmanj Date: Tue, 12 Sep 2023 15:27:56 -0400 Subject: [PATCH 19/62] CMMC Sonoma dev branch. Unaltered baselines. --- baselines/cmmc_lvl1.yaml | 97 ++++++++ baselines/cmmc_lvl2.yaml | 219 ++++++++++++++++++ custom/rules/.gitignore | 4 - rules/os/os_auth_peripherals.yaml | 3 + .../os_screensaver_loginwindow_enforce.yaml | 3 + ...reensaver_timeout_loginwindow_enforce.yaml | 2 + rules/os/os_secure_enclave.yaml | 3 + .../system_settings_hot_corners_disable.yaml | 3 + .../system_settings_hot_corners_secure.yaml | 3 + 9 files changed, 333 insertions(+), 4 deletions(-) create mode 100644 baselines/cmmc_lvl1.yaml create mode 100644 baselines/cmmc_lvl2.yaml delete mode 100644 custom/rules/.gitignore diff --git a/baselines/cmmc_lvl1.yaml b/baselines/cmmc_lvl1.yaml new file mode 100644 index 00000000..20150aee --- /dev/null +++ b/baselines/cmmc_lvl1.yaml 
@@ -0,0 +1,97 @@ +title: "macOS 14.0: Security Configuration - US CMMC 2.0 Level 1" +description: | + This guide describes the actions to take when securing a macOS 14.0 system against the US CMMC 2.0 Level 1 security baseline. + + Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. +authors: | + *macOS Security Compliance Project* + + |=== + |John Mahlman|Leidos + |Bob Gendler|National Institute of Standards and Technology + |Dan Brodjieski|National Aeronautics and Space Administration + |Allen Golbig|Jamf + |=== +parent_values: "recommended" +profile: + - section: "authentication" + rules: + - auth_smartcard_allow + - auth_smartcard_enforce + - auth_ssh_password_authentication_disable + - section: "icloud" + rules: + - icloud_addressbook_disable + - icloud_appleid_system_settings_disable + - icloud_bookmarks_disable + - icloud_calendar_disable + - icloud_drive_disable + - icloud_game_center_disable + - icloud_keychain_disable + - icloud_mail_disable + - icloud_notes_disable + - icloud_photos_disable + - icloud_private_relay_disable + - icloud_reminders_disable + - icloud_sync_disable + - section: "macos" + rules: + - os_airdrop_disable + - os_appleid_prompt_disable + - os_authenticated_root_enable + - os_config_data_install_enforce + - os_filevault_autologin_disable + - os_firewall_log_enable + - os_firmware_password_require + - os_gatekeeper_enable + - os_gatekeeper_rearm + - os_handoff_disable + - os_home_folders_secure + - os_httpd_disable + - os_icloud_storage_prompt_disable + - os_nfsd_disable + - os_rapid_security_response_allow + - os_rapid_security_response_removal_disable + - os_recovery_lock_enable + - os_root_disable + - os_sip_enable + - os_siri_prompt_disable + - os_skip_unlock_with_watch_enable + - 
os_tftpd_disable + - os_unlock_active_user_session_disable + - os_uucp_disable + - section: "systemsettings" + rules: + - system_settings_automatic_login_disable + - system_settings_bluetooth_sharing_disable + - system_settings_critical_update_install_enforce + - system_settings_diagnostics_reports_disable + - system_settings_find_my_disable + - system_settings_firewall_enable + - system_settings_firewall_stealth_mode_enable + - system_settings_guest_access_smb_disable + - system_settings_guest_account_disable + - system_settings_improve_siri_dictation_disable + - system_settings_internet_accounts_disable + - system_settings_internet_sharing_disable + - system_settings_loginwindow_prompt_username_password_enforce + - system_settings_media_sharing_disabled + - system_settings_personalized_advertising_disable + - system_settings_rae_disable + - system_settings_screen_sharing_disable + - system_settings_siri_disable + - system_settings_smbd_disable + - system_settings_ssh_disable + - system_settings_ssh_enable + - system_settings_system_wide_preferences_configure + - section: "Inherent" + rules: + - os_logical_access + - os_malicious_code_prevention + - section: "Supplemental" + rules: + - supplemental_controls + - supplemental_filevault + - supplemental_firewall_pf + - supplemental_password_policy + - supplemental_smartcard diff --git a/baselines/cmmc_lvl2.yaml b/baselines/cmmc_lvl2.yaml new file mode 100644 index 00000000..8f82b28e --- /dev/null +++ b/baselines/cmmc_lvl2.yaml 
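Review bot: The systemsettings section lists both `system_settings_ssh_disable` and `system_settings_ssh_enable`; unless the two rules are meant to be mutually conditional, one of them will fail on every host that is checked against this baseline, and the same pair is carried into the cmmc_lvl2 baseline added below. If the pairing is intentional (one rule only applies where remote login is required), a sentence in the description such as `system_settings_ssh_enable applies only to systems that require Remote Login; all others are governed by system_settings_ssh_disable` would keep readers from treating it as an error. Otherwise keep only the rule this level actually requires.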
@@ -0,0 +1,219 @@ +title: "macOS 14.0: Security Configuration - US CMMC 2.0 Level 2" +description: | + This guide describes the actions to take when securing a macOS 14.0 system against the US CMMC 2.0 Level 2 security baseline. + + Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. +authors: | + |=== + |John Mahlman|Leidos + |Bob Gendler|National Institute of Standards and Technology + |Dan Brodjieski|National Aeronautics and Space Administration + |Allen Golbig|Jamf + |=== +parent_values: "recommended" +profile: + - section: "auditing" + rules: + - audit_acls_files_configure + - audit_acls_folders_configure + - audit_auditd_enabled + - audit_control_acls_configure + - audit_control_group_configure + - audit_control_mode_configure + - audit_control_owner_configure + - audit_failure_halt + - audit_files_group_configure + - audit_files_mode_configure + - audit_files_owner_configure + - audit_flags_aa_configure + - audit_flags_ad_configure + - audit_flags_ex_configure + - audit_flags_fd_configure + - audit_flags_fm_configure + - audit_flags_fm_failed_configure + - audit_flags_fr_configure + - audit_flags_fw_configure + - audit_flags_lo_configure + - audit_folder_group_configure + - audit_folder_owner_configure + - audit_folders_mode_configure + - audit_retention_configure + - audit_settings_failure_notify + - section: "authentication" + rules: + - auth_pam_login_smartcard_enforce + - auth_pam_su_smartcard_enforce + - auth_pam_sudo_smartcard_enforce + - auth_smartcard_allow + - auth_smartcard_certificate_trust_enforce_moderate + - auth_smartcard_enforce + - auth_ssh_password_authentication_disable + - section: "icloud" + rules: + - icloud_addressbook_disable + - icloud_appleid_system_settings_disable + - 
icloud_bookmarks_disable + - icloud_calendar_disable + - icloud_drive_disable + - icloud_game_center_disable + - icloud_keychain_disable + - icloud_mail_disable + - icloud_notes_disable + - icloud_photos_disable + - icloud_private_relay_disable + - icloud_reminders_disable + - icloud_sync_disable + - section: "macos" + rules: + - os_airdrop_disable + - os_appleid_prompt_disable + - os_authenticated_root_enable + - os_blank_bluray_disable + - os_blank_cd_disable + - os_blank_dvd_disable + - os_bluray_read_only_enforce + - os_bonjour_disable + - os_burn_support_disable + - os_cd_read_only_enforce + - os_certificate_authority_trust + - os_config_data_install_enforce + - os_config_profile_ui_install_disable + - os_disk_image_disable + - os_dvdram_disable + - os_erase_content_and_settings_disable + - os_filevault_autologin_disable + - os_firewall_default_deny_require + - os_firewall_log_enable + - os_firmware_password_require + - os_gatekeeper_enable + - os_gatekeeper_rearm + - os_handoff_disable + - os_home_folders_secure + - os_httpd_disable + - os_icloud_storage_prompt_disable + - os_install_log_retention_configure + - os_ir_support_disable + - os_mdm_require + - os_nfsd_disable + - os_password_autofill_disable + - os_password_hint_remove + - os_password_proximity_disable + - os_password_sharing_disable + - os_policy_banner_loginwindow_enforce + - os_policy_banner_ssh_configure + - os_policy_banner_ssh_enforce + - os_power_nap_disable + - os_privacy_setup_prompt_disable + - os_rapid_security_response_allow + - os_rapid_security_response_removal_disable + - os_recovery_lock_enable + - os_removable_media_disable + - os_root_disable + - os_sip_enable + - os_siri_prompt_disable + - os_skip_screen_time_prompt_enable + - os_skip_unlock_with_watch_enable + - os_ssh_fips_compliant + - os_ssh_server_alive_count_max_configure + - os_ssh_server_alive_interval_configure + - os_sshd_client_alive_count_max_configure + - os_sshd_client_alive_interval_configure + - 
os_sshd_fips_compliant + - os_sshd_key_exchange_algorithm_configure + - os_sshd_login_grace_time_configure + - os_tftpd_disable + - os_time_server_enabled + - os_touchid_prompt_disable + - os_unlock_active_user_session_disable + - os_user_app_installation_prohibit + - os_uucp_disable + - section: "passwordpolicy" + rules: + - pwpolicy_account_inactivity_enforce + - pwpolicy_account_lockout_enforce + - pwpolicy_account_lockout_timeout_enforce + - pwpolicy_alpha_numeric_enforce + - pwpolicy_history_enforce + - pwpolicy_lower_case_character_enforce + - pwpolicy_max_lifetime_enforce + - pwpolicy_minimum_length_enforce + - pwpolicy_minimum_lifetime_enforce + - pwpolicy_simple_sequence_disable + - pwpolicy_special_character_enforce + - pwpolicy_upper_case_character_enforce + - section: "systemsettings" + rules: + - system_settings_airplay_receiver_disable + - system_settings_apple_watch_unlock_disable + - system_settings_automatic_login_disable + - system_settings_automatic_logout_enforce + - system_settings_bluetooth_disable + - system_settings_bluetooth_sharing_disable + - system_settings_cd_dvd_sharing_disable + - system_settings_content_caching_disable + - system_settings_critical_update_install_enforce + - system_settings_diagnostics_reports_disable + - system_settings_filevault_enforce + - system_settings_find_my_disable + - system_settings_firewall_enable + - system_settings_firewall_stealth_mode_enable + - system_settings_gatekeeper_identified_developers_allowed + - system_settings_gatekeeper_override_disallow + - system_settings_guest_access_smb_disable + - system_settings_guest_account_disable + - system_settings_improve_siri_dictation_disable + - system_settings_internet_accounts_disable + - system_settings_internet_sharing_disable + - system_settings_location_services_disable + - system_settings_loginwindow_prompt_username_password_enforce + - system_settings_media_sharing_disabled + - system_settings_password_hints_disable + - 
system_settings_personalized_advertising_disable + - system_settings_printer_sharing_disable + - system_settings_rae_disable + - system_settings_remote_management_disable + - system_settings_screen_sharing_disable + - system_settings_screensaver_ask_for_password_delay_enforce + - system_settings_screensaver_password_enforce + - system_settings_screensaver_timeout_enforce + - system_settings_siri_disable + - system_settings_smbd_disable + - system_settings_ssh_disable + - system_settings_ssh_enable + - system_settings_system_wide_preferences_configure + - system_settings_time_server_configure + - system_settings_time_server_enforce + - system_settings_token_removal_enforce + - system_settings_touchid_unlock_disable + - system_settings_usb_restricted_mode + - system_settings_wifi_disable + - section: "Inherent" + rules: + - audit_record_reduction_report_generation + - os_implement_cryptography + - os_logical_access + - os_malicious_code_prevention + - os_obscure_password + - os_prevent_priv_functions + - os_prevent_unauthorized_disclosure + - os_prohibit_remote_activation_collab_devices + - os_separate_functionality + - os_store_encrypted_passwords + - os_unique_identification + - pwpolicy_force_password_change + - section: "Permanent" + rules: + - audit_records_processing + - system_settings_wifi_disable_when_connected_to_ethernet + - section: "not_applicable" + rules: + - os_access_control_mobile_devices + - os_managed_access_control_points + - os_nonlocal_maintenance + - section: "Supplemental" + rules: + - supplemental_controls + - supplemental_filevault + - supplemental_firewall_pf + - supplemental_password_policy + - supplemental_smartcard \ No newline at end of file diff --git a/custom/rules/.gitignore b/custom/rules/.gitignore deleted file mode 100644 index 86d0cb27..00000000 --- a/custom/rules/.gitignore +++ /dev/null @@ -1,4 +0,0 @@ -# Ignore everything in this directory -* -# Except this file -!.gitignore \ No newline at end of file 
diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml index 9bf3bb03..759d6017 100644 --- a/rules/os/os_auth_peripherals.yaml +++ b/rules/os/os_auth_peripherals.yaml @@ -27,6 +27,8 @@ references: - N/A controls v8: - 13.9 + cmmc: + - IA.L1-3.5.2 macOS: - "14.0" tags: @@ -39,5 +41,6 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cmmc_lvl2 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml index 9d3a05cc..539d4d16 100644 --- a/rules/os/os_screensaver_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_loginwindow_enforce.yaml @@ -26,6 +26,8 @@ references: - N/A 800-171r2: - 3.1.10 + cmmc: + - AC.L2-3.1.10 macOS: - "14.0" tags: @@ -37,6 +39,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cmmc_lvl2 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml index c82d601b..2908fc32 100644 --- a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml @@ -39,6 +39,8 @@ references: - N/A controls v8: - 4.3 + cmmc: + - AC.L2-3.1.10 macOS: - "14.0" odv: diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml index 976e0f49..db8c080f 100644 --- a/rules/os/os_secure_enclave.yaml +++ b/rules/os/os_secure_enclave.yaml @@ -27,6 +27,8 @@ references: - N/A srg: - N/A + cmmc: + - SC.L2-3.13.10 macOS: - "14.0" tags: @@ -34,5 +36,6 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cmmc_lvl2 mobileconfig: false mobileconfig_info: diff --git a/rules/system_settings/system_settings_hot_corners_disable.yaml b/rules/system_settings/system_settings_hot_corners_disable.yaml index 08491124..931460c3 100644 --- a/rules/system_settings/system_settings_hot_corners_disable.yaml 
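Review bot: `os_screensaver_timeout_loginwindow_enforce.yaml` gains a `cmmc: - AC.L2-3.1.10` reference but, unlike the other five rule files in this commit, no `cmmc_lvl2` entry under `tags:` (the diffstat shows 2 insertions for it against 3 for the others), while the next commit adds the rule to baselines/cmmc_lvl2.yaml. If the tag is what drives rule selection in generate_baseline, the generated and hand-maintained baselines will disagree on this one rule; add `- cmmc_lvl2` to its tags, or leave it out of the baseline if the omission is deliberate. The rule's `tags:` block lies outside the hunk.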
+++ b/rules/system_settings/system_settings_hot_corners_disable.yaml @@ -25,6 +25,8 @@ references: - N/A 800-171r2: - 3.1.10 + cmmc: + - AC.L2-3.1.10 macOS: - "14.0" tags: @@ -36,6 +38,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cmmc_lvl2 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_hot_corners_secure.yaml b/rules/system_settings/system_settings_hot_corners_secure.yaml index 20cc42c9..918950bf 100644 --- a/rules/system_settings/system_settings_hot_corners_secure.yaml +++ b/rules/system_settings/system_settings_hot_corners_secure.yaml @@ -43,6 +43,8 @@ references: - 2.7.1 (level 2) controls v8: - 4.3 + cmmc: + - AC.L2-3.1.10 macOS: - "14.0" tags: @@ -51,5 +53,6 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cmmc_lvl2 mobileconfig: false mobileconfig_info: \ No newline at end of file From ff2de7a93309c0006b539a8f7d18db92fbf46813 Mon Sep 17 00:00:00 2001 From: mahlmanj Date: Tue, 12 Sep 2023 15:29:19 -0400 Subject: [PATCH 20/62] CMMC level 2 updated for Sonoma --- baselines/cmmc_lvl2.yaml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/baselines/cmmc_lvl2.yaml b/baselines/cmmc_lvl2.yaml index 8f82b28e..9191b337 100644 --- a/baselines/cmmc_lvl2.yaml +++ b/baselines/cmmc_lvl2.yaml @@ -4,6 +4,8 @@ description: | Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | + *macOS Security Compliance Project* + |=== |John Mahlman|Leidos |Bob Gendler|National Institute of Standards and Technology 
@@ -55,6 +57,7 @@ profile: - icloud_bookmarks_disable - icloud_calendar_disable - icloud_drive_disable + - icloud_freeform_disable - icloud_game_center_disable - icloud_keychain_disable - icloud_mail_disable @@ -67,6 +70,7 @@ profile: rules: - os_airdrop_disable - os_appleid_prompt_disable + - os_auth_peripherals - os_authenticated_root_enable - os_blank_bluray_disable - os_blank_cd_disable @@ -95,6 +99,7 @@ profile: - os_ir_support_disable - os_mdm_require - os_nfsd_disable + - os_on_device_dictation_enforce - os_password_autofill_disable - os_password_hint_remove - os_password_proximity_disable @@ -109,6 +114,9 @@ profile: - os_recovery_lock_enable - os_removable_media_disable - os_root_disable + - os_screensaver_loginwindow_enforce + - os_screensaver_timeout_loginwindow_enforce + - os_setup_assistant_filevault_enforce - os_sip_enable - os_siri_prompt_disable - os_skip_screen_time_prompt_enable @@ -116,11 +124,15 @@ profile: - os_ssh_fips_compliant - os_ssh_server_alive_count_max_configure - os_ssh_server_alive_interval_configure + - os_sshd_channel_timeout_configure - os_sshd_client_alive_count_max_configure - os_sshd_client_alive_interval_configure + - os_sshd_fips_140_ciphers + - os_sshd_fips_140_macs - os_sshd_fips_compliant - os_sshd_key_exchange_algorithm_configure - os_sshd_login_grace_time_configure + - os_sshd_unused_connection_timeout_configure - os_tftpd_disable - os_time_server_enabled - os_touchid_prompt_disable @@ -161,6 +173,8 @@ profile: - system_settings_gatekeeper_override_disallow - system_settings_guest_access_smb_disable - system_settings_guest_account_disable + - system_settings_hot_corners_disable + - system_settings_hot_corners_secure - system_settings_improve_siri_dictation_disable - system_settings_internet_accounts_disable - system_settings_internet_sharing_disable 
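Review bot: Several rules added to cmmc_lvl2 here — `icloud_freeform_disable`, `os_on_device_dictation_enforce`, `os_setup_assistant_filevault_enforce`, `os_sshd_channel_timeout_configure`, `os_sshd_fips_140_ciphers`, `os_sshd_fips_140_macs`, `os_sshd_unused_connection_timeout_configure` — are not among the rule files that received a `cmmc_lvl2` tag and a `cmmc:` reference in the preceding commit, and nothing in this series shows them tagged elsewhere. If they were tagged in an earlier change this is fine; otherwise each needs the tag and a control reference so that the hand-maintained baseline and the tag-driven generator agree. A quick grep for `cmmc_lvl2` over rules/ before merging would settle it.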
@@ -197,6 +211,7 @@ profile: - os_prevent_priv_functions - os_prevent_unauthorized_disclosure - os_prohibit_remote_activation_collab_devices + - os_secure_enclave - os_separate_functionality - os_store_encrypted_passwords - os_unique_identification @@ -216,4 +231,4 @@ profile: - supplemental_filevault - supplemental_firewall_pf - supplemental_password_policy - - supplemental_smartcard \ No newline at end of file + - supplemental_smartcard From 24de5b35b51ad0812d7b1dc435e37664744afb12 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 13 Sep 2023 11:44:59 -0400 Subject: [PATCH 21/62] removed os_efi_integrity_validated --- rules/os/os_efi_integrity_validated.yaml | 35 ------------------------ 1 file changed, 35 deletions(-) delete mode 100644 rules/os/os_efi_integrity_validated.yaml diff --git a/rules/os/os_efi_integrity_validated.yaml b/rules/os/os_efi_integrity_validated.yaml deleted file mode 100644 index f7e557fe..00000000 --- a/rules/os/os_efi_integrity_validated.yaml +++ /dev/null @@ -1,35 +0,0 @@ -id: os_efi_integrity_validated -title: "Ensure Extensible Firmware Interface Version is Valid" -discussion: | - The macOS Extensible Firmware Interface (EFI) _MUST_ be checked to ensure it is a known good version from Apple. -check: | - if /usr/sbin/ioreg -w 0 -c AppleSEPManager | /usr/bin/grep -q AppleSEPManager; then echo "1"; else /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check | /usr/bin/grep -c "No changes detected"; fi -result: - integer: 1 -fix: | - Install a known good version of macOS. -references: - cce: - - CCE-92783-0 - cci: - - N/A - 800-53r5: - - N/A - 800-53r4: - - N/A - 800-171r2: - - N/A - cis: - benchmark: - - 5.9 (level 1) - controls v8: - - 2.2 -macOS: - - "14.0" -tags: - - cis_lvl1 - - cis_lvl2 - - cisv8 - - i386 -mobileconfig: false -mobileconfig_info: \ No newline at end of file From 6f28fc22c833d198acc41539fef1e24cb7267a21 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Thu, 14 Sep 2023 11:44:44 -0400 Subject: [PATCH 22/62] feature[scripts] Adding iOS Support in scripts * Updated generate_guidance * Updated generate_baseline * Updated generate_mapping * Updated generate_scap All to match iOS --- templates/adoc_rule_ios.adoc | 57 ++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 templates/adoc_rule_ios.adoc diff --git a/templates/adoc_rule_ios.adoc b/templates/adoc_rule_ios.adoc new file mode 100644 index 00000000..8e6648e7 --- /dev/null +++ b/templates/adoc_rule_ios.adoc @@ -0,0 +1,57 @@ +=== $rule_title + +$rule_discussion + +$rule_check + +==== +**Remediation Description** + +Perform the following to configure the system to meet the requirements: + +$rule_fix +==== + +[cols="15%h, 85%a"] +|=== + +|ID +|$rule_id + +|References +| + +[cols="20%h,80%a"] +[frame="none"] +[grid="cols"] +!=== + +!800-53r5 +!$rule_80053r5 + +ifdef::show_171[] +!800-171r2 +!$rule_800171 +endif::[] + +ifdef::show_STIG[] +!DISA STIG(s) +!$rule_disa_stig +endif::[] + +ifdef::show_CIS[] +$rule_cis +endif::[] + +!CCE +!$rule_cce + +ifdef::show_tags[] +!TAGS +!$rule_tags +endif::[] + +!=== + +| +|=== From 3337ba8ae765c26fe768fee1ae37ffc2f8bb1373 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 14 Sep 2023 11:45:23 -0400 Subject: [PATCH 23/62] feature[scripts] Adding iOS Support in scripts * Updated generate_guidance * Updated generate_baseline * Updated generate_mapping * Updated generate_scap All to match iOS --- VERSION.yaml | 1 + scripts/generate_baseline.py | 22 +++++---- scripts/generate_guidance.py | 66 +++++++++++++++++-------- scripts/generate_mapping.py | 31 ++++++++---- scripts/generate_scap.py | 93 +++++++++++++++++++++++++++++++----- 5 files changed, 160 insertions(+), 53 deletions(-) diff --git a/VERSION.yaml b/VERSION.yaml index ef908160..595e0022 100644 --- a/VERSION.yaml +++ b/VERSION.yaml 
@@ -1,4 +1,5 @@ os: "14.0" +platform: macOS version: "Sonoma Guidance, Revision 1.0" cpe: o:apple:macos:14.0 date: "2023-XX-XX" diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py index e15e6a3e..cf2f1bcd 100755 --- a/scripts/generate_baseline.py +++ b/scripts/generate_baseline.py @@ -131,6 +131,7 @@ def collect_rules(): except: #print("expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule)) rule_yaml[key].update({reference: ["None"]}) + all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\|'), rule_yaml['id'].replace('|', '\|'), rule_yaml['severity'].replace('|', '\|'), @@ -167,11 +168,12 @@ def create_args(): return parser.parse_args() -def section_title(section_name): +def section_title(section_name, platform): + os = platform.split(':')[2] titles = { "auth": "authentication", "audit": "auditing", - "os": "macos", + "os": os, "pwpolicy": "passwordpolicy", "icloud": "icloud", "sysprefs": "systempreferences", @@ -234,7 +236,7 @@ def available_tags(all_rules): print(tag) return -def output_baseline(rules, os, baseline_tailored_string, benchmark, authors, full_title): +def output_baseline(rules, version, baseline_tailored_string, benchmark, authors, full_title): inherent_rules = [] permanent_rules = [] na_rules = [] 
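Review bot: In `section_title`, the new local `os = platform.split(':')[2]` shadows the `os` module this script uses elsewhere (`os.chdir` in `main`), and it indexes the CPE string unconditionally, so a `cpe:` value with fewer than three colon-separated fields raises a bare `IndexError` with no hint that VERSION.yaml is malformed. Rename the local and guard the parse, e.g. `parts = platform.split(':')` / `product = parts[2] if len(parts) > 2 else "macos"` (the previous hard-coded value), and use `product` in the `titles` dict. The rest of `section_title` lies outside the hunk.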
@@ -262,11 +264,11 @@ def output_baseline(rules, os, baseline_tailored_string, benchmark, authors, ful if section_name not in sections: sections.append(section_name) if baseline_tailored_string: - output_text = f'title: "macOS {os}: Security Configuration -{full_title} {baseline_tailored_string}"\n' - output_text += f'description: |\n This guide describes the actions to take when securing a macOS {os} system against the{full_title} {baseline_tailored_string} security baseline.\n' + output_text = f'title: "{version["platform"]} {version["os"]}: Security Configuration -{full_title} {baseline_tailored_string}"\n' + output_text += f'description: |\n This guide describes the actions to take when securing a {version["platform"]} {version["os"]} system against the{full_title} {baseline_tailored_string} security baseline.\n' else: - output_text = f'title: "macOS {os}: Security Configuration -{full_title}"\n' - output_text += f'description: |\n This guide describes the actions to take when securing a macOS {os} system against the{full_title} security baseline.\n' + output_text = f'title: "{version["platform"]} {version["os"]}: Security Configuration -{full_title}"\n' + output_text += f'description: |\n This guide describes the actions to take when securing a {version["platform"]} {version["os"]} system against the{full_title} security baseline.\n' if benchmark == "recommended": output_text += "\n Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.\n" 
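Review bot: `output_baseline` now indexes `version["platform"]` in every title/description branch, but `platform` is a key this same commit introduces to VERSION.yaml; a VERSION.yaml from an existing branch or tailored checkout that lacks it now raises `KeyError` where the old `os` argument could not. Since the previous behaviour was a fixed `macOS` prefix, falling back to it keeps older version files working: `platform = version.get("platform", "macOS")` once before the branch, then `{platform} {version["os"]}` in the four f-strings. The two branches also differ only by the tailored suffix, so computing that suffix once would remove the duplicated f-strings. `output_baseline`'s body continues outside the hunk.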
@@ -286,7 +288,7 @@ def output_baseline(rules, os, baseline_tailored_string, benchmark, authors, ful if len(other_rules) > 0: for section in sections: - output_text += (' - section: "{}"\n'.format(section_title(section))) + output_text += (' - section: "{}"\n'.format(section_title(section, version["cpe"]))) output_text += (" rules:\n") for rule in other_rules: if rule.startswith(section): @@ -552,10 +554,10 @@ def main(): # prompt for inclusion, add ODV odv_baseline_rules = odv_query(found_rules, benchmark) baseline_output_file = open(f"{build_path}/{tailored_filename}.yaml", 'w') - baseline_output_file.write(output_baseline(odv_baseline_rules, version_yaml["os"], baseline_tailored_string, benchmark, authors, full_title)) + baseline_output_file.write(output_baseline(odv_baseline_rules, version_yaml, baseline_tailored_string, benchmark, authors, full_title)) else: baseline_output_file = open(f"{build_path}/{args.keyword}.yaml", 'w') - baseline_output_file.write(output_baseline(found_rules, version_yaml["os"], baseline_tailored_string, benchmark, authors, full_title)) + baseline_output_file.write(output_baseline(found_rules, version_yaml, baseline_tailored_string, benchmark, authors, full_title)) # finally revert back to the prior directory os.chdir(original_working_directory) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index d61889d0..008e531f 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py 
@@ -1133,9 +1133,10 @@ def fill_in_odv(resulting_yaml, parent_values): if "$ODV" in resulting_yaml[field]: resulting_yaml[field]=resulting_yaml[field].replace("$ODV", str(odv)) - for result_value in resulting_yaml['result']: - if "$ODV" in str(resulting_yaml['result'][result_value]): - resulting_yaml['result'][result_value] = odv + if 'result' in resulting_yaml: + for result_value in resulting_yaml['result']: + if "$ODV" in str(resulting_yaml['result'][result_value]): + resulting_yaml['result'][result_value] = odv if resulting_yaml['mobileconfig_info']: for mobileconfig_type in resulting_yaml['mobileconfig_info']: @@ -1655,7 +1656,8 @@ def main(): with open(version_file) as r: version_yaml = yaml.load(r, Loader=yaml.SafeLoader) - adoc_templates = [ "adoc_rule", + adoc_templates = [ "adoc_rule_ios", + "adoc_rule", "adoc_supplemental", "adoc_rule_no_setting", "adoc_rule_custom_refs", @@ -1690,6 +1692,9 @@ def main(): # Setup AsciiDoc templates + with open(adoc_templates_dict['adoc_rule_ios']) as adoc_rule_ios_file: + adoc_rule_ios_template = Template(adoc_rule_ios_file.read()) + with open(adoc_templates_dict['adoc_rule']) as adoc_rule_file: adoc_rule_template = Template(adoc_rule_file.read()) 
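Review bot: In the third hunk (`@@ -1690`) the `adoc_rule_ios` template is opened unconditionally, while it is only used when `version_yaml['platform'] == "iOS/iPadOS"` (hunk at L371); if `adoc_templates_dict` is built from what exists on disk, a checkout without the iOS template would now fail before any macOS guide is generated. Opening it inside the same platform check, or tolerating its absence when the platform is macOS, keeps macOS generation independent of iOS assets. A one-line comment at the open stating why iOS rules render through a separate template would also help the next reader. main starts and ends outside these hunks.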
@@ -2013,23 +2018,42 @@ def main(): rule_srg=srg ) else: - rule_adoc = adoc_rule_template.substitute( - rule_title=rule_yaml['title'].replace('|', '\|'), - rule_id=rule_yaml['id'].replace('|', '\|'), - rule_discussion=rule_yaml['discussion'].replace('|', '\|'), - rule_check=rule_yaml['check'], # .replace('|', '\|'), - rule_fix=rulefix, - rule_cci=cci, - rule_80053r5=nist_controls, - rule_800171=nist_800171, - rule_disa_stig=disa_stig, - rule_cis=cis, - rule_cmmc=cmmc, - rule_cce=cce, - rule_tags=tags, - rule_srg=srg, - rule_result=result_value - ) + if version_yaml['platform'] == "iOS/iPadOS": + rule_adoc = adoc_rule_ios_template.substitute( + rule_title=rule_yaml['title'].replace('|', '\|'), + rule_id=rule_yaml['id'].replace('|', '\|'), + rule_discussion=rule_yaml['discussion'].replace('|', '\|'), + rule_check=rule_yaml['check'], # .replace('|', '\|'), + rule_fix=rulefix, + rule_cci=cci, + rule_80053r5=nist_controls, + rule_800171=nist_800171, + rule_disa_stig=disa_stig, + rule_cis=cis, + rule_cmmc=cmmc, + rule_cce=cce, + rule_tags=tags, + rule_srg=srg, + rule_result=result_value + ) + else: + rule_adoc = adoc_rule_template.substitute( + rule_title=rule_yaml['title'].replace('|', '\|'), + rule_id=rule_yaml['id'].replace('|', '\|'), + rule_discussion=rule_yaml['discussion'].replace('|', '\|'), + rule_check=rule_yaml['check'], # .replace('|', '\|'), + rule_fix=rulefix, + rule_cci=cci, + rule_80053r5=nist_controls, + rule_800171=nist_800171, + rule_disa_stig=disa_stig, + rule_cis=cis, + rule_cmmc=cmmc, + rule_cce=cce, + rule_tags=tags, + rule_srg=srg, + rule_result=result_value + ) adoc_output_file.write(rule_adoc) diff --git a/scripts/generate_mapping.py b/scripts/generate_mapping.py index 8fb04ad8..cfd798f3 100755 --- a/scripts/generate_mapping.py +++ b/scripts/generate_mapping.py 
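Review bot: The two `substitute(...)` calls in the new branch are identical in all fifteen keyword arguments and differ only in the template object, so the platform check can select the template and leave a single call: `rule_template = adoc_rule_ios_template if version_yaml['platform'] == "iOS/iPadOS" else adoc_rule_template` followed by `rule_adoc = rule_template.substitute(...)` with the existing arguments. The copy also repeats `.replace('|', '\|')` six more times, where `'\|'` is an invalid escape in a non-raw string (a SyntaxWarning from Python 3.12); `r'\|'` states the intent. main starts and ends outside this hunk.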
@@ -370,15 +370,15 @@ tags: continue - full_baseline = '''title: "macOS {2} ({3}): Security Configuration - {0}" + full_baseline = '''title: "{4} {2} ({3}): Security Configuration - {0}" description: | - This guide describes the actions to take when securing a macOS {2} system against the {1}. + This guide describes the actions to take when securing a {4} {2} system against the {1}. authors: | |=== |Name|Organization |=== parent_values: recommended -profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['version'].split(" ")[0]) +profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['version'].split(" ")[0],version_yaml['platform']) if len(audit) != 0: @@ -431,13 +431,22 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve if len(os_section) != 0: full_baseline = full_baseline + ''' + - section: "ios" + rules:''' + os_section.sort() + for rule in os_section: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + if len(os_section) != 0 and version_yaml['platform'] == "macOS": + full_baseline = full_baseline + ''' - section: "macOS" rules:''' os_section.sort() for rule in os_section: full_baseline = full_baseline + ''' - {}'''.format(rule) - + if len(pwpolicy) != 0: full_baseline = full_baseline + ''' - section: "PasswordPolicy" @@ -474,13 +483,15 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve full_baseline = full_baseline + ''' - {}'''.format(rule) + listofsupplementals = str() + for supp_rule in glob.glob('../rules/supplemental/*.yaml',recursive=True): + listofsupplementals = listofsupplementals + '''- {} + '''.format(os.path.basename(supp_rule).split(".")[0]) full_baseline = full_baseline + ''' - section: "Supplemental" rules: - - supplemental_firewall_pf - - supplemental_password_policy - - supplemental_smartcard - ''' + {} + '''.format(listofsupplementals) 
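Review bot: In the second hunk (`@@ -431`), the new `- section: "ios"` block is emitted whenever `os_section` is non-empty with no platform check, while the following `- section: "macOS"` block is emitted when the platform is macOS — so a macOS run writes every os rule twice, once under "ios" and once under "macOS". The first condition presumably wants the complementary guard, `if len(os_section) != 0 and version_yaml['platform'] == "iOS/iPadOS":`, matching the platform string used in generate_guidance.py. The enclosing block starts and ends outside the hunk.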
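Review bot: In the third hunk (`@@ -474`), `glob.glob('../rules/supplemental/*.yaml')` returns files in filesystem order, so the generated Supplemental section is no longer deterministic across machines; `for supp_rule in sorted(glob.glob('../rules/supplemental/*.yaml')):` restores a stable ordering, and the `recursive=True` argument has no effect without a `**` pattern and can be dropped. The replaced hard-coded list also recorded which supplemental rules were intended; if every file in that folder is now meant to be included, a comment at the loop saying so preserves that intent.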
@@ -488,9 +499,9 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve if os.path.isdir("../build/" + other_header.lower() + "/baseline/") == False: os.mkdir("../build/" + other_header.lower() + "/baseline") - with open("../build/" + other_header.lower() + "/baseline/" + other_header.lower() + ".yaml",'w') as fw: + with open("../build/" + other_header.lower() + "/baseline/" + other_header.lower().replace(" ","_") + ".yaml",'w') as fw: fw.write(full_baseline) - print(other_header.lower() + ".yaml baseline file created in build/" + other_header + "/baseline/") + print(other_header.lower().replace(" ","_") + ".yaml baseline file created in build/" + other_header + "/baseline/") print("Move all of the folders in rules into the custom folder.") except: diff --git a/scripts/generate_scap.py b/scripts/generate_scap.py index bfb7a7ab..bd2a3c08 100755 --- a/scripts/generate_scap.py +++ b/scripts/generate_scap.py 
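Review bot: The directory is still created from `other_header.lower()` while the file inside it is now named with `other_header.lower().replace(" ","_")`, so a header containing spaces yields a directory with spaces and a file with underscores, and the `print` message reports the directory in yet another form (`build/" + other_header`, not lowered). Computing the name once, e.g. `baseline_name = other_header.lower().replace(" ", "_")`, and using it for the `isdir`/`mkdir` path, the `open` path and the message keeps the three consistent. The enclosing try block and its bare `except:` start and end outside the hunk.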
@@ -14,8 +14,57 @@ from datetime import datetime import shutil from time import sleep import argparse +from xml.sax.saxutils import escape warnings.filterwarnings("ignore", category=DeprecationWarning) + +def format_mobileconfig_fix(mobileconfig): + """Takes a list of domains and setting from a mobileconfig, and reformats it for the output of the fix section of the guide. + """ + rulefix = "" + for domain, settings in mobileconfig.items(): + if domain == "com.apple.ManagedClient.preferences": + rulefix = rulefix + \ + (f"NOTE: The following settings are in the ({domain}) payload. This payload requires the additional settings to be sub-payloads within, containing their defined payload types.\n\n") + rulefix = rulefix + format_mobileconfig_fix(settings) + else: + rulefix = rulefix + ( + f"Create a configuration profile containing the following keys in the ({domain}) payload type:\n\n") + rulefix = rulefix + "[source,xml]\n----\n" + for item in settings.items(): + rulefix = rulefix + (f"{item[0]}\n") + + if type(item[1]) == bool: + rulefix = rulefix + \ + (f"<{str(item[1]).lower()}/>\n") + elif type(item[1]) == list: + rulefix = rulefix + "\n" + for setting in item[1]: + rulefix = rulefix + \ + (f" {setting}\n") + rulefix = rulefix + "\n" + elif type(item[1]) == int: + rulefix = rulefix + \ + (f"{item[1]}\n") + elif type(item[1]) == str: + rulefix = rulefix + \ + (f"{item[1]}\n") + elif type(item[1]) == dict: + rulefix = rulefix + "\n" + for k,v in item[1].items(): + rulefix = rulefix + \ + (f" {k}\n") + rulefix = rulefix + " \n" + for setting in v: + rulefix = rulefix + \ + (f" {setting}\n") + rulefix = rulefix + " \n" + rulefix = rulefix + "\n" + + rulefix = rulefix + "----\n\n" + + return rulefix + def replace_ocil(xccdf, x): regex = r'''([\r\n].*?)(?:=?\r|\n)(.*?(?:def:{}\").*)'''.format(x) substr = '''''' 
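Review bot: format_mobileconfig_fix builds its result by repeated `rulefix = rulefix + ...` across nested loops; collecting fragments in a list and finishing with `"".join(parts)` reads better and avoids rebuilding the string on every append. The `type(item[1]) == bool` / `== int` chain is exact-type matching; if it is ever converted to `isinstance`, the `bool` test must stay ahead of `int` because `bool` is a subclass of `int`. The `dict` branch iterates each value `v` directly, which silently assumes every nested value is a list — worth a comment or an explicit check. The docstring describes output for "the fix section of the guide", which suggests this mirrors a helper in generate_guidance.py; if so, importing the shared implementation would keep the two from drifting apart.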
@@ -39,28 +88,37 @@ def create_args(): return parser.parse_args() def generate_scap(all_rules, all_baselines, args): - + export_as = "" + version_file = "../VERSION.yaml" + with open(version_file) as r: + version_yaml = yaml.load(r, Loader=yaml.SafeLoader) + if args.xccdf: export_as = "xccdf" if args.oval: export_as = "oval" + if "ios" in version_yaml['cpe']: + print("OVAL generation is not available on iOS") + exit() + if args.oval == None and args.xccdf == None: export_as = "scap" - - version_file = "../VERSION.yaml" - with open(version_file) as r: - version_yaml = yaml.load(r, Loader=yaml.SafeLoader) + if "ios" in version_yaml['cpe']: + print("iOS will only export as XCCDF") + export_as = "xccdf" now = datetime.now() date_time_string = now.strftime("%Y-%m-%dT%H:%M:%S") filenameversion = version_yaml['version'].split(",")[1].replace(" ", "_")[1:] output = "../build/macOS_{0}_Security_Compliance_Benchmark-{1}".format(version_yaml['os'],filenameversion) - + if "ios" in version_yaml['cpe']: + output = "../build/iOS_{0}_Security_Compliance_Benchmark-{1}".format(version_yaml['os'],filenameversion) + if export_as == "xccdf": output = output + "_xccdf.xml" @@ -91,12 +149,15 @@ def generate_scap(all_rules, all_baselines, args): macOS Security Compliance Project '''.format(date_time_string) + ostype = "macOS" + if "ios" in version_yaml['cpe']: + ostype = "iOS/iPadOS" xccdfPrefix = ''' draft - macOS {1}: Security Configuration + {4} {1}: Security Configuration - macOS {1}: Security Configuration + {4} {1}: Security Configuration @@ -113,7 +174,7 @@ def generate_scap(all_rules, all_baselines, args): Dan Brodjieski - National Aeronautics and Space Administration Allen Golbig - Jamf - '''.format(date_time_string, version_yaml['os'], version_yaml['version'],date_time_string.split("T")[0] + "Z") + '''.format(date_time_string, version_yaml['os'], version_yaml['version'],date_time_string.split("T")[0] + "Z", ostype) scapPrefix = ''' 
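Review bot: The iOS guard in generate_scap calls the site-module `exit()` after printing, which ends the run with status 0, so a build invocation asking for OVAL on iOS looks successful; `sys.exit("OVAL generation is not available on iOS")` (importing sys if it is not already) reports the failure to the caller. The substring test `"ios" in version_yaml['cpe']` is repeated four times in this hunk and again in the next one (`ostype`); computing `is_ios = "ios" in version_yaml['cpe']` once after the YAML is loaded, with a comment on the CPE shape it expects, removes the repetition. generate_scap starts and ends outside these hunks.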
@@ -339,6 +400,9 @@ def generate_scap(all_rules, all_baselines, args): cce = rule_yaml['references']['cce'][0] if export_as == "scap": + mobileconfig_info = "" + if rule_yaml['mobileconfig']: + mobileconfig_info = escape(format_mobileconfig_fix(rule_yaml['mobileconfig_info'])) xccdf_rules = xccdf_rules + ''' {2} @@ -351,9 +415,13 @@ def generate_scap(all_rules, all_baselines, args): {7} {8} - '''.format(rule_yaml['id'] + "_" + odv_label, severity, rule_yaml['title'], rule_yaml['discussion'].replace("<","<").replace(">",">").replace("&","&").rstrip(), rule_yaml['check'].replace("<","<").replace(">",">").replace("&","&").rstrip(), result, cce,rule_yaml['fix'].replace("<","<").replace(">",">").replace("&","&"), check_rule, references) + '''.format(rule_yaml['id'] + "_" + odv_label, severity, rule_yaml['title'], rule_yaml['discussion'].replace("<","<").replace(">",">").replace("&","&").rstrip(), rule_yaml['check'].replace("<","<").replace(">",">").replace("&","&").rstrip(), result, cce,rule_yaml['fix'].replace("<","<").replace(">",">").replace("&","&") + "\n" + mobileconfig_info, check_rule, references) if export_as == "xccdf": + mobileconfig_info = "" + if rule_yaml['mobileconfig']: + mobileconfig_info = escape(format_mobileconfig_fix(rule_yaml['mobileconfig_info'])) + xccdf_rules = xccdf_rules + ''' {2} 
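Review bot: The new `{7}` argument concatenates `rule_yaml['fix']`, escaped by a hand-rolled `.replace()` chain, with `mobileconfig_info`, escaped by `xml.sax.saxutils.escape`; the two paths are not equivalent — `escape` handles `&` before `<` and `>`, whereas a chain that replaces `&` last re-encodes the entities it just produced (the chain as rendered here looks garbled by extraction, so confirm against the file). Passing the fix text through the same `escape()` call keeps the XCCDF escaping in one place. The `mobileconfig_info = ""` / `if rule_yaml['mobileconfig']:` block is also duplicated verbatim in the `xccdf` branch here and in the hunk at L377; computing it once before the `export_as` checks is enough. generate_scap starts and ends outside these hunks.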
@@ -366,10 +434,11 @@ def generate_scap(all_rules, all_baselines, args): {7} - '''.format(rule_yaml['id'] + "_" + odv_label, severity, rule_yaml['title'], rule_yaml['discussion'].replace("<","<").replace(">",">").replace("&","&").rstrip(), rule_yaml['check'].replace("<","<").replace(">",">").replace("&","&").rstrip(), result, cce,rule_yaml['fix'].replace("<","<").replace(">",">").replace("&","&"), references) + '''.format(rule_yaml['id'] + "_" + odv_label, severity, rule_yaml['title'], rule_yaml['discussion'].replace("<","<").replace(">",">").replace("&","&").rstrip(), rule_yaml['check'].replace("<","<").replace(">",">").replace("&","&").rstrip(), result, cce,rule_yaml['fix'].replace("<","<").replace(">",">").replace("&","&") + "\n" + mobileconfig_info, references) + continue - + if "inherent" in rule_yaml['tags'] or "n_a" in rule_yaml['tags'] or "permanent" in rule_yaml['tags']: xccdf_rules = replace_ocil(xccdf_rules,x) x += 1 From 6534990e8eb99e59552ce3903dded952571f48de Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 14 Sep 2023 11:49:08 -0400 Subject: [PATCH 24/62] line 1586 updated --- scripts/generate_guidance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 008e531f..66d55e93 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -1583,7 +1583,7 @@ def parse_cis_references(reference): string += "!CIS " + str(item).title() + "\n!\n" string += "* " for i in reference[item]: - string += str(i) + ", " + string += str(i) + "\n * " string = string[:-2] + "\n" else: string += "!" + str(item) + "!* " + str(reference[item]) + "\n" From 5acbdbd21e8397cdb0a6fb80e7b1dc5c3397b7c0 Mon Sep 17 00:00:00 2001 
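Review bot: After the separator changes from `", "` to `"\n * "`, the `string = string[:-2] + "\n"` on the next line still strips two characters, leaving a trailing `"\n "` from the last item and so an extra line holding a single space after each list; the slice needs `string = string[:-4] + "\n"` to match the four-character separator. parse_cis_references starts and ends outside the hunk.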
From: Dan Brodjieski Date: Thu, 14 Sep 2023 14:21:06 -0400 Subject: [PATCH 25/62] chore: clean up extraneous trailing whitespace --- CONTRIBUTING.adoc | 16 +- LICENSE.md | 22 +- README.adoc | 6 +- baselines/all_rules.yaml | 2 +- includes/enablePF-mscp.sh | 8 +- includes/mscp-data.yaml | 12 +- includes/supported_payloads.yaml | 2 +- rules/audit/audit_auditd_enabled.yaml | 2 +- .../audit_configure_capacity_notify.yaml | 8 +- rules/audit/audit_control_acls_configure.yaml | 2 +- rules/audit/audit_enforce_dual_auth.yaml | 6 +- rules/audit/audit_failure_halt.yaml | 20 +- rules/audit/audit_files_group_configure.yaml | 2 +- rules/audit/audit_files_mode_configure.yaml | 2 +- rules/audit/audit_files_owner_configure.yaml | 4 +- rules/audit/audit_flags_aa_configure.yaml | 22 +- rules/audit/audit_flags_ex_configure.yaml | 10 +- rules/audit/audit_flags_fm_configure.yaml | 4 +- .../audit_flags_fm_failed_configure.yaml | 14 +- rules/audit/audit_folder_group_configure.yaml | 2 +- rules/audit/audit_folder_owner_configure.yaml | 2 +- rules/audit/audit_folders_mode_configure.yaml | 4 +- rules/audit/audit_off_load_records.yaml | 4 +- ...it_record_reduction_report_generation.yaml | 8 +- rules/audit/audit_records_processing.yaml | 6 +- rules/auth/auth_smartcard_allow.yaml | 6 +- ...rtcard_certificate_trust_enforce_high.yaml | 8 +- ...rd_certificate_trust_enforce_moderate.yaml | 4 +- ...h_ssh_password_authentication_disable.yaml | 12 +- rules/icloud/icloud_addressbook_disable.yaml | 2 +- ...cloud_appleid_preference_pane_disable.yaml | 2 +- rules/icloud/icloud_game_center_disable.yaml | 16 +- rules/icloud/icloud_notes_disable.yaml | 2 +- .../icloud/icloud_private_relay_disable.yaml | 16 +- rules/icloud/icloud_reminders_disable.yaml | 2 +- rules/icloud/icloud_sync_disable.yaml | 4 +- rules/os/os_airdrop_disable.yaml | 2 +- rules/os/os_appleid_prompt_disable.yaml | 2 +- rules/os/os_application_sandboxing.yaml | 4 +- rules/os/os_auth_peripherals.yaml | 4 +- 
rules/os/os_authenticated_root_enable.yaml | 8 +- rules/os/os_calendar_app_disable.yaml | 4 +- rules/os/os_change_security_attributes.yaml | 6 +- .../os_config_profile_ui_install_disable.yaml | 6 +- rules/os/os_continuous_monitoring.yaml | 2 +- rules/os/os_crypto_audit.yaml | 12 +- .../os/os_directory_services_configured.yaml | 4 +- rules/os/os_enforce_access_restrictions.yaml | 4 +- rules/os/os_facetime_app_disable.yaml | 8 +- rules/os/os_fail_secure_state.yaml | 6 +- rules/os/os_filevault_autologin_disable.yaml | 2 +- .../os/os_firewall_default_deny_require.yaml | 4 +- rules/os/os_firewall_log_enable.yaml | 10 +- rules/os/os_gatekeeper_rearm.yaml | 4 +- rules/os/os_grant_privs.yaml | 4 +- rules/os/os_guest_folder_removed.yaml | 6 +- ...s_hibernate_mode_apple_silicon_enable.yaml | 6 +- ...ate_mode_destroyfvkeyonstandby_enable.yaml | 4 +- rules/os/os_hibernate_mode_intel_enable.yaml | 4 +- rules/os/os_home_folders_default.yaml | 16 +- rules/os/os_home_folders_secure.yaml | 2 +- rules/os/os_implement_cryptography.yaml | 6 +- rules/os/os_implement_memory_protection.yaml | 6 +- rules/os/os_information_validation.yaml | 2 +- .../os_install_log_retention_configure.yaml | 4 +- rules/os/os_ir_support_disable.yaml | 12 +- rules/os/os_isolate_security_functions.yaml | 4 +- rules/os/os_library_validation_enabled.yaml | 4 +- rules/os/os_limit_dos_attacks.yaml | 4 +- rules/os/os_limit_gui_sessions.yaml | 2 +- rules/os/os_logical_access.yaml | 4 +- rules/os/os_mail_app_disable.yaml | 10 +- rules/os/os_malicious_code_prevention.yaml | 22 +- rules/os/os_mdm_require.yaml | 8 +- rules/os/os_messages_app_disable.yaml | 6 +- rules/os/os_mobile_file_integrity_enable.yaml | 4 +- rules/os/os_nonlocal_maintenance.yaml | 2 +- rules/os/os_notify_account_created.yaml | 4 +- rules/os/os_notify_account_disabled.yaml | 2 +- rules/os/os_notify_account_enable.yaml | 4 +- rules/os/os_notify_account_modified.yaml | 4 +- rules/os/os_notify_account_removal.yaml | 4 +- 
...s_notify_unauthorized_baseline_change.yaml | 4 +- rules/os/os_parental_controls_enable.yaml | 8 +- rules/os/os_password_autofill_disable.yaml | 2 +- rules/os/os_password_hint_remove.yaml | 4 +- rules/os/os_password_proximity_disable.yaml | 4 +- rules/os/os_password_sharing_disable.yaml | 4 +- rules/os/os_peripherals_identify.yaml | 4 +- .../os_policy_banner_loginwindow_enforce.yaml | 12 +- rules/os/os_policy_banner_ssh_configure.yaml | 14 +- rules/os/os_policy_banner_ssh_enforce.yaml | 16 +- rules/os/os_power_nap_disable.yaml | 2 +- rules/os/os_power_nap_enable.yaml | 4 +- rules/os/os_prevent_priv_execution.yaml | 6 +- rules/os/os_prevent_priv_functions.yaml | 8 +- .../os_prevent_unauthorized_disclosure.yaml | 6 +- ...ibit_remote_activation_collab_devices.yaml | 6 +- rules/os/os_protect_dos_attacks.yaml | 6 +- ..._provide_automated_account_management.yaml | 2 +- .../os/os_rapid_security_response_allow.yaml | 8 +- ...pid_security_response_removal_disable.yaml | 10 +- ..._reauth_devices_change_authenticators.yaml | 4 +- rules/os/os_recovery_lock_enable.yaml | 16 +- rules/os/os_required_crypto_module.yaml | 4 +- rules/os/os_root_disable.yaml | 4 +- ...advertising_privacy_protection_enable.yaml | 2 +- ...os_safari_open_safe_downloads_disable.yaml | 2 +- ...fari_show_full_website_address_enable.yaml | 2 +- ...safari_warn_fraudulent_website_enable.yaml | 2 +- .../os_screensaver_loginwindow_enforce.yaml | 10 +- rules/os/os_secure_boot_verify.yaml | 4 +- rules/os/os_secure_enclave.yaml | 6 +- rules/os/os_separate_functionality.yaml | 10 +- .../os_show_filename_extensions_enable.yaml | 4 +- rules/os/os_software_update_deferral.yaml | 2 +- rules/os/os_ssh_fips_compliant.yaml | 8 +- ..._ssh_server_alive_count_max_configure.yaml | 8 +- ...s_ssh_server_alive_interval_configure.yaml | 10 +- .../os/os_sshd_channel_timeout_configure.yaml | 10 +- ...sshd_client_alive_count_max_configure.yaml | 8 +- ..._sshd_client_alive_interval_configure.yaml | 12 +- 
rules/os/os_sshd_fips_compliant.yaml | 10 +- ...d_unused_connection_timeout_configure.yaml | 10 +- .../os_sudoers_timestamp_type_configure.yaml | 6 +- rules/os/os_system_read_only.yaml | 4 +- .../os_terminal_secure_keyboard_enable.yaml | 4 +- rules/os/os_tftpd_disable.yaml | 2 +- rules/os/os_time_offset_limit_configure.yaml | 8 +- ...os_unlock_active_user_session_disable.yaml | 4 +- .../os/os_user_app_installation_prohibit.yaml | 6 +- rules/os/os_uucp_disable.yaml | 2 +- rules/pwpolicy/pwpolicy_50_percent.yaml | 8 +- .../pwpolicy_account_inactivity_enforce.yaml | 12 +- .../pwpolicy_emergency_accounts_disable.yaml | 6 +- ...pwpolicy_lower_case_character_enforce.yaml | 16 +- ...cy_lower_upper_case_character_enforce.yaml | 10 +- .../pwpolicy_minimum_length_enforce.yaml | 2 +- .../pwpolicy_minimum_lifetime_enforce.yaml | 14 +- .../pwpolicy_prevent_dictionary_words.yaml | 8 +- .../pwpolicy_special_character_enforce.yaml | 6 +- .../pwpolicy_temporary_accounts_disable.yaml | 2 +- ...pwpolicy_upper_case_character_enforce.yaml | 18 +- .../supplemental/supplemental_cis_manual.yaml | 14 +- rules/supplemental/supplemental_controls.yaml | 32 +- .../supplemental/supplemental_filevault.yaml | 2 +- .../supplemental_firewall_pf.yaml | 18 +- .../supplemental_password_policy.yaml | 12 +- ...tem_settings_airplay_receiver_disable.yaml | 8 +- ...m_settings_apple_watch_unlock_disable.yaml | 10 +- ...tem_settings_automatic_logout_enforce.yaml | 4 +- ...system_settings_bluetooth_menu_enable.yaml | 8 +- ...em_settings_bluetooth_sharing_disable.yaml | 12 +- ...ystem_settings_cd_dvd_sharing_disable.yaml | 10 +- ...stem_settings_content_caching_disable.yaml | 6 +- ...tings_critical_update_install_enforce.yaml | 6 +- ..._settings_diagnostics_reports_disable.yaml | 2 +- .../system_settings_find_my_disable.yaml | 8 +- .../system_settings_firewall_enable.yaml | 24 +- ...ekeeper_identified_developers_allowed.yaml | 14 +- ...settings_gatekeeper_override_disallow.yaml | 22 +- 
...tem_settings_guest_access_smb_disable.yaml | 12 +- .../system_settings_hot_corners_disable.yaml | 10 +- .../system_settings_hot_corners_secure.yaml | 8 +- ...ettings_install_macos_updates_enforce.yaml | 6 +- ...em_settings_location_services_disable.yaml | 14 +- ...tem_settings_location_services_enable.yaml | 14 +- ...ttings_location_services_menu_enforce.yaml | 12 +- ...gs_loginwindow_loginwindowtext_enable.yaml | 12 +- ...ystem_settings_media_sharing_disabled.yaml | 2 +- ...ystem_settings_password_hints_disable.yaml | 2 +- ...ings_personalized_advertising_disable.yaml | 8 +- ...stem_settings_printer_sharing_disable.yaml | 10 +- ...em_settings_remote_management_disable.yaml | 10 +- ...settings_screensaver_password_enforce.yaml | 10 +- ...system_settings_siri_prefpane_disable.yaml | 2 +- ...gs_software_update_app_update_enforce.yaml | 2 +- ...ings_software_update_download_enforce.yaml | 2 +- ...stem_settings_software_update_enforce.yaml | 2 +- ...ystem_settings_softwareupdate_current.yaml | 4 +- .../system_settings_ssh_enable.yaml | 20 +- ...tings_time_machine_auto_backup_enable.yaml | 12 +- ...ings_time_machine_encrypted_configure.yaml | 12 +- .../system_settings_time_server_enforce.yaml | 6 +- ...system_settings_token_removal_enforce.yaml | 10 +- ...system_settings_touch_id_pane_disable.yaml | 2 +- .../system_settings_usb_restricted_mode.yaml | 4 +- ..._settings_wake_network_access_disable.yaml | 2 +- ...ings_wallet_applepay_prefpane_disable.yaml | 2 +- .../system_settings_wifi_disable.yaml | 6 +- ...fi_disable_when_connected_to_ethernet.yaml | 6 +- .../system_settings_wifi_menu_enable.yaml | 6 +- scripts/generate_baseline.py | 62 +- scripts/generate_guidance.py | 16 +- scripts/generate_mapping.py | 118 +- scripts/generate_scap.py | 1132 ++++++++--------- sections/authentication.yaml | 2 +- sections/passwordpolicy.yaml | 2 +- templates/adoc_acronyms.adoc | 2 +- templates/adoc_additional_docs.adoc | 4 +- templates/adoc_foreword.adoc | 2 +- 
templates/mscp-theme.yml | 4 +- 202 files changed, 1359 insertions(+), 1359 deletions(-)
diff --git a/CONTRIBUTING.adoc b/CONTRIBUTING.adoc
index 36a78080..91d5bc7d 100644
--- a/CONTRIBUTING.adoc
+++ b/CONTRIBUTING.adoc
@@ -7,15 +7,15 @@ Contribute new content, share feedback and ask questions about resources in the These operating rules describe and govern NIST’s management of this repository and contributors’ responsibilities. NIST reserves the right to modify this policy at any time. === Criteria for Contributions and Feedback -This is a moderated platform. NIST will only accept contributions that are contributed per the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file. +This is a moderated platform. NIST will only accept contributions that are contributed per the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file. -NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that: -* states or implies NIST endorsement of any entities, services, or products; -* is inaccurate; -* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content; -* is clearly "off topic"; +NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that: +* states or implies NIST endorsement of any entities, services, or products; +* is inaccurate; +* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content; +* is clearly "off topic"; * makes unsupported accusations; -* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government (http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines]; or, +* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open 
Government (http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines]; or, * contains .exe or .jar file types. _These file types will not be hosted in the NIST repository; instead, NIST may link to these if hosted elsewhere._ @@ -28,4 +28,4 @@ NIST also reserves the right to reject or remove contributions from the reposito * responding to NIST representatives in a timely manner; * keeping contributions and contributor GitHub username up to date -*GitHub Help:* If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help https://help.github.com/categories/collaborating-with-issues-and-pull-requests/[page]. +*GitHub Help:* If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help https://help.github.com/categories/collaborating-with-issues-and-pull-requests/[page]. diff --git a/LICENSE.md b/LICENSE.md index 84660b48..5170c646 100644 --- a/LICENSE.md +++ b/LICENSE.md 
@@ -51,9 +51,9 @@ By exercising the Licensed Rights (defined below), You accept and agree to be bo 5. _Downstream recipients._ **A.** _Offer from the Licensor_ – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License. - + **B.** _No downstream restrictions._ You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material. - + 6. _No endorsement._ Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i). ## b. Other rights. 
@@ -75,17 +75,17 @@ Your exercise of the Licensed Rights is expressly made subject to the following **i.** identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated); **ii.** a copyright notice; - + **iii.** a notice that refers to this Public License; - + **iv.** a notice that refers to the disclaimer of warranties; - + **v.** a URI or hyperlink to the Licensed Material to the extent reasonably practicable; - + **B.** indicate if You modified the Licensed Material and retain an indication of any previous modifications; and - + **C.** indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License. - + **2.** You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information. **3.** If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable. 
@@ -116,11 +116,11 @@ For the avoidance of doubt, this Section 4 supplements and does not replace Your **a.** This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically. **b.** Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates: - + **1.** automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or - + **2.** upon express reinstatement by the Licensor. - + For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License. **c.** For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License. diff --git a/README.adoc b/README.adoc index a3e77152..95635302 100644 --- a/README.adoc +++ b/README.adoc @@ -1,7 +1,7 @@ image::templates/images/mscp_banner_outline.png[] // settings: :idprefix: -:idseparator: - +:idseparator: - ifndef::env-github[:icons: font] ifdef::env-github[] :status: 
@@ -29,7 +29,7 @@ This project is the technical implementation of NIST Special Publication, 800-21 Apple acknowledges the macOS Security Compliance Project with information on their https://support.apple.com/guide/certifications/macos-security-compliance-project-apc322685bb2/web[Platform Certifications] page. -This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization. +This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization. To learn more about the project, please see the {uri-repo}/wiki[wiki]. @@ -61,7 +61,7 @@ Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) sta == Changelog -Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes. +Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes. == NIST Disclaimer diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index 0d136322..b5675245 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -324,7 +324,7 @@ profile: - pwpolicy_prevent_dictionary_words - system_settings_wifi_disable_when_connected_to_ethernet - section: "not_applicable" - rules: + rules: - os_access_control_mobile_devices - os_identify_non-org_users - os_information_validation diff --git a/includes/enablePF-mscp.sh b/includes/enablePF-mscp.sh index ade19866..f47035c9 100644 --- a/includes/enablePF-mscp.sh +++ b/includes/enablePF-mscp.sh 
@@ -4,9 +4,9 @@ enable_macos_application_firewall () {
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
- /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
+ /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on
- /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on
+ /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on
}
@@ -35,7 +35,7 @@ enable_pf_firewall_with_macsec_rules () {
launchctl enable system/macsec.pfctl
launchctl bootstrap system $macsec_pfctl_plist
- pfctl -f /etc/pf.conf 2> /dev/null #flush the pf ruleset (reload the rules)
+ pfctl -f /etc/pf.conf 2> /dev/null #flush the pf ruleset (reload the rules)
}
@@ -147,7 +147,7 @@ block log proto tcp to any port 540
ENDCONFIG
}
-####
+####
enable_macos_application_firewall
create_macsec_pf_anchors
diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml
index 3f636b50..cc0d8ce4 100644
--- a/includes/mscp-data.yaml
+++ b/includes/mscp-data.yaml
@@ -1,6 +1,6 @@
---
authors:
- all_rules:
+ all_rules:
names:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
@@ -10,7 +10,7 @@ authors:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
- 800-53r5_moderate:
+ 800-53r5_moderate:
names:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
@@ -20,12 +20,12 @@ authors:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
- 800-171:
+ 800-171:
names:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
- cis_lvl1:
+ cis_lvl1:
preamble: The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®)
names:
- Edward Byrd|Center for Internet Security
@@ -72,10 +72,10 @@ authors:
- Ekkehard Koch|
- Bob Gendler|National Institute of Standards and Technology
stig:
- names:
+ names:
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
- - Bob Gendler|National Institute of Standards and Technology
+ - Bob Gendler|National Institute of Standards and Technology
titles:
all_rules: All Rules
800-53r5_high: NIST SP 800-53 Rev 5 High Impact
diff --git a/includes/supported_payloads.yaml b/includes/supported_payloads.yaml
index 033c86d9..e927999b 100644
--- a/includes/supported_payloads.yaml
+++ b/includes/supported_payloads.yaml
@@ -1,4 +1,4 @@
-payloads_types:
+payloads_types:
- com.apple.ADCertificate.managed
- com.apple.AIM.account
- com.apple.AssetCache.managed
diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml
index 5216c818..fe5a78dc 100644
--- a/rules/audit/audit_auditd_enabled.yaml
+++ b/rules/audit/audit_auditd_enabled.yaml
@@ -60,7 +60,7 @@ references:
- AU-12(3)
- AU-14(1)
- MA-4(1)
- - CM-5(1)
+ - CM-5(1)
800-53r4:
- AU-3
- AU-3(1)
diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml
index afff5c5e..382f02bf 100644
--- a/rules/audit/audit_configure_capacity_notify.yaml
+++ b/rules/audit/audit_configure_capacity_notify.yaml
@@ -1,7 +1,7 @@
id: audit_configure_capacity_notify
title: "Configure Audit Capacity Warning"
discussion: |
- The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value.
+ The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value.
This rule ensures that the system administrator is notified in advance that action is required to free up more disk space for audit logs.
check: |
@@ -11,7 +11,7 @@ result:
fix: |
[source,bash]
----
- /usr/bin/sed -i.bak 's/.*minfree.*/minfree:$ODV/' /etc/security/audit_control; /usr/sbin/audit -s
+ /usr/bin/sed -i.bak 's/.*minfree.*/minfree:$ODV/' /etc/security/audit_control; /usr/sbin/audit -s
----
references:
cce:
@@ -20,7 +20,7 @@ references:
- CCI-001855
800-53r5:
- AU-5(1)
- 800-53r4:
+ 800-53r4:
- AU-5(1)
srg:
- SRG-OS-000343-GPOS-00134
@@ -33,7 +33,7 @@ odv:
recommended: 25
stig: 25
tags:
- - 800-53r5_high
+ - 800-53r5_high
- 800-53r4_high
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/audit/audit_control_acls_configure.yaml b/rules/audit/audit_control_acls_configure.yaml
index 0f0dc163..5f4ac8be 100644
--- a/rules/audit/audit_control_acls_configure.yaml
+++ b/rules/audit/audit_control_acls_configure.yaml
@@ -4,7 +4,7 @@ discussion: |
/etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs).
check: |
/bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":"
-result:
+result:
integer: 0
fix: |
[source,bash]
diff --git a/rules/audit/audit_enforce_dual_auth.yaml b/rules/audit/audit_enforce_dual_auth.yaml
index f915fccd..a9d7742f 100644
--- a/rules/audit/audit_enforce_dual_auth.yaml
+++ b/rules/audit/audit_enforce_dual_auth.yaml
@@ -2,10 +2,10 @@ id: audit_enforce_dual_auth
title: "Enforce Dual Authorization for Movement and Deletion of Audit Information"
discussion: |
All bulk manipulation of audit information should be authorized via automatic processes, and any manual manipulation of audit information should require dual authorization. In addition, dual authorization mechanisms should require the approval of two authorized individuals before being executed.
-
+
An authorized user may intentionally or accidentally move or delete audit records without those specific actions being authorized, which would result in the loss of information that could, in the future, be critical for forensic investigation.
-
- To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
+
+ To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml
index 6981bad5..3a83c20b 100644
--- a/rules/audit/audit_failure_halt.yaml
+++ b/rules/audit/audit_failure_halt.yaml
@@ -1,11 +1,11 @@
id: audit_failure_halt
title: "Configure System to Shut Down Upon Audit Failure"
discussion: |
- The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events.
+ The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events.
- Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
+ Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
check: |
- /usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'
+ /usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'
result:
integer: 1
fix: |
@@ -33,13 +33,13 @@ references:
macOS:
- "14.0"
tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml
index 722a9fb6..8f53435d 100644
--- a/rules/audit/audit_files_group_configure.yaml
+++ b/rules/audit/audit_files_group_configure.yaml
@@ -3,7 +3,7 @@ title: "Configure Audit Log Files Group to Wheel"
discussion: |
Audit log files _MUST_ have the group set to wheel.
- The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
+ The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
check: |
diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml
index 2c37e957..54877401 100644
--- a/rules/audit/audit_files_mode_configure.yaml
+++ b/rules/audit/audit_files_mode_configure.yaml
@@ -1,7 +1,7 @@
id: audit_files_mode_configure
title: "Configure Audit Log Files to Mode 440 or Less Permissive"
discussion: |
- The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
+ The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
check: |
/bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
result:
diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml
index abf5fb07..2cc9eeb6 100644
--- a/rules/audit/audit_files_owner_configure.yaml
+++ b/rules/audit/audit_files_owner_configure.yaml
@@ -1,5 +1,5 @@
id: audit_files_owner_configure
-title: "Configure Audit Log Files to be Owned by Root"
+title: "Configure Audit Log Files to be Owned by Root"
discussion: |
Audit log files _MUST_ be owned by root.
@@ -7,7 +7,7 @@ discussion: |
Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.
check: |
- /bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'
+ /bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'
result:
integer: 0
fix: |
diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml
index 11090587..2d4e11c0 100644
--- a/rules/audit/audit_flags_aa_configure.yaml
+++ b/rules/audit/audit_flags_aa_configure.yaml
@@ -2,9 +2,9 @@ id: audit_flags_aa_configure
title: "Configure System to Audit All Authorization and Authentication Events"
discussion: |
The auditing system _MUST_ be configured to flag authorization and authentication (aa) events.
-
- Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events.
-
+
+ Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events.
+
Audit records can be generated from various components within the information system (e.g., via a module or policy filter).
check: |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'aa'
@@ -54,14 +54,14 @@ references:
macOS:
- "14.0"
tags:
- - 800-53r5_privacy
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-171
+ - 800-53r5_privacy
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-171
- cis_lvl2
- cisv8
- cnssi-1253_moderate
diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml
index f9942576..69a96ae7 100644
--- a/rules/audit/audit_flags_ex_configure.yaml
+++ b/rules/audit/audit_flags_ex_configure.yaml
@@ -3,9 +3,9 @@ title: "Configure System to Audit All Failed Program Execution on the System"
discussion: |
The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts.
- Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes).
-
- This configuration ensures that audit lists include events in which program execution has failed.
+ Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes).
+
+ This configuration ensures that audit lists include events in which program execution has failed.
Without auditing the enforcement of program execution, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
check: |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-ex'
@@ -20,7 +20,7 @@ references:
cce:
- CCE-92717-8
cci:
- - N/A
+ - N/A
800-53r5:
- AC-2(12)
- AU-12
@@ -47,7 +47,7 @@ references:
cmmc:
- AU.L2-3.3.3
- AU.L2-3.3.6
- - SI.L2-3.14.3
+ - SI.L2-3.14.3
macOS:
- "14.0"
tags:
diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml
index 1c61e4ec..fe72171e 100644
--- a/rules/audit/audit_flags_fm_configure.yaml
+++ b/rules/audit/audit_flags_fm_configure.yaml
@@ -1,11 +1,11 @@
id: audit_flags_fm_configure
title: "Configure System to Audit All Changes of Object Attributes"
discussion: |
- The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm).
+ The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm).
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., modifications to a file by applying file permissions).
- This configuration ensures that audit lists include events in which enforcement actions attempts to modify a file.
+ This configuration ensures that audit lists include events in which enforcement actions attempts to modify a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
check: |
diff --git a/rules/audit/audit_flags_fm_failed_configure.yaml b/rules/audit/audit_flags_fm_failed_configure.yaml
index 46d660e8..dc12ed32 100644
--- a/rules/audit/audit_flags_fm_failed_configure.yaml
+++ b/rules/audit/audit_flags_fm_failed_configure.yaml
@@ -1,11 +1,11 @@
id: audit_flags_fm_failed_configure
title: "Configure System to Audit All Failed Change of Object Attributes"
discussion: |
- The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm).
+ The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm).
- Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions).
-
- This configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file.
+ Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions).
+
+ This configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
check: |
@@ -29,13 +29,13 @@ references:
- AU-9
- CM-5(1)
- MA-4(1)
- 800-53r4:
- - AU-2
+ 800-53r4:
+ - AU-2
- AU-12
- AU-9
- CM-5(1)
- MA-4(1)
- srg:
+ srg:
- N/A
disa_stig:
- N/A
diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml
index d132b033..dd88df81 100644
--- a/rules/audit/audit_folder_group_configure.yaml
+++ b/rules/audit/audit_folder_group_configure.yaml
@@ -3,7 +3,7 @@ title: "Configure Audit Log Folders Group to Wheel"
discussion: |
Audit log files _MUST_ have the group set to wheel.
- The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
+ The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
check: |
diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml
index 42ad8c27..5a8b6d61 100644
--- a/rules/audit/audit_folder_owner_configure.yaml
+++ b/rules/audit/audit_folder_owner_configure.yaml
@@ -1,5 +1,5 @@
id: audit_folder_owner_configure
-title: "Configure Audit Log Folders to be Owned by Root"
+title: "Configure Audit Log Folders to be Owned by Root"
discussion: |
Audit log folders _MUST_ be owned by root.
diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml
index fe88d750..727f172c 100644
--- a/rules/audit/audit_folders_mode_configure.yaml
+++ b/rules/audit/audit_folders_mode_configure.yaml
@@ -1,9 +1,9 @@
id: audit_folders_mode_configure
title: "Configure Audit Log Folders to Mode 700 or Less Permissive"
discussion: |
- The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.
+ The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.
- Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
+ Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
check: |
/usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
result:
diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml
index 0ae12739..9511bb94 100644
--- a/rules/audit/audit_off_load_records.yaml
+++ b/rules/audit/audit_off_load_records.yaml
@@ -3,9 +3,9 @@ title: "Off-Load Audit Records"
discussion: |
Audit records should be off-loaded onto a different system or media from the system being audited.
- Information stored in only one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
+ Information stored in only one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
- To secure audit records by off-loading, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
+ To secure audit records by off-loading, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
diff --git a/rules/audit/audit_record_reduction_report_generation.yaml b/rules/audit/audit_record_reduction_report_generation.yaml
index b333b9bc..21ba6043 100644
--- a/rules/audit/audit_record_reduction_report_generation.yaml
+++ b/rules/audit/audit_record_reduction_report_generation.yaml
@@ -1,8 +1,8 @@
id: audit_record_reduction_report_generation
title: "Audit Record Reduction and Report Generation"
discussion: |
- The system _IS_ configured with the ability provide and implement an audit record reduction and report generation capability.
-
+ The system _IS_ configured with the ability provide and implement an audit record reduction and report generation capability.
+
Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.
Audit record reduction and report generation can be done with tools built into macOS such as auditreduce and praudit. These tools are protected by System Integrity Protection (SIP).
@@ -13,11 +13,11 @@ fix: |
references:
cce:
- CCE-92728-5
- cci:
+ cci:
- N/A
800-53r5:
- AU-7
- 800-53r4:
+ 800-53r4:
- N/A
srg:
- N/A
diff --git a/rules/audit/audit_records_processing.yaml b/rules/audit/audit_records_processing.yaml
index 86c177fe..3618de30 100644
--- a/rules/audit/audit_records_processing.yaml
+++ b/rules/audit/audit_records_processing.yaml
@@ -2,7 +2,7 @@ id: audit_records_processing
title: "Audit Record Reduction and Report Generation"
discussion: |
The macOS should be configured to provide and implement the capability to process, sort, and search audit records for events of interest based on organizationally defined fields.
-
+
Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
@@ -11,11 +11,11 @@ fix: |
references:
cce:
- CCE-92729-3
- cci:
+ cci:
- N/A
800-53r5:
- AU-7(1)
- 800-53r4:
+ 800-53r4:
- N/A
srg:
- N/A
diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml
index 908624b1..c0153ef3 100644
--- a/rules/auth/auth_smartcard_allow.yaml
+++ b/rules/auth/auth_smartcard_allow.yaml
@@ -1,10 +1,10 @@
id: auth_smartcard_allow
title: "Allow Smartcard Authentication"
discussion: |
- Smartcard authentication _MUST_ be allowed.
+ Smartcard authentication _MUST_ be allowed.
The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access.
-
+
When enabled, the smartcard can be used for login, authorization, and screen saver unlocking.
check: |
/usr/bin/osascript -l JavaScript << EOS
@@ -26,7 +26,7 @@ references:
- IA-2(1)
- IA-2(2)
- IA-2(12)
- 800-53r4:
+ 800-53r4:
- IA-2(12)
- IA-5(11)
srg:
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
index ace343ea..0aaf5fc7 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
@@ -1,8 +1,8 @@
id: auth_smartcard_certificate_trust_enforce_high
title: "Set Smartcard Certificate Trust to High"
discussion: |
- The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates).
-
+ The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates).
+
To prevent the use of untrusted certificates, the certificates on a smartcard card _MUST_ meet the following criteria: its issuer has a system-trusted certificate, the certificate is not expired, its "valid-after" date is in the past, and it passes Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking.
By setting the smartcard certificate trust level to high, the system will execute a hard revocation, i.e., a network connection is required. A verified positive response from the OSCP/CRL server is required for authentication to succeed.
@@ -20,12 +20,12 @@ fix: |
references:
cce:
- CCE-92736-8
- cci:
+ cci:
- N/A
800-53r5:
- IA-5(2)
- SC-17
- 800-53r4:
+ 800-53r4:
- IA-2(12)
- IA-5(2)
srg:
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
index 4f5d6587..f2d86b43 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
@@ -45,8 +45,8 @@ references:
macOS:
- "14.0"
tags:
- - 800-53r4_moderate
- - 800-53r5_moderate
+ - 800-53r4_moderate
+ - 800-53r5_moderate
- cnssi-1253_moderate
- cnssi-1253_low
- cmmc_lvl2
diff --git a/rules/auth/auth_ssh_password_authentication_disable.yaml b/rules/auth/auth_ssh_password_authentication_disable.yaml
index b4b4105e..c195756b 100644
--- a/rules/auth/auth_ssh_password_authentication_disable.yaml
+++ b/rules/auth/auth_ssh_password_authentication_disable.yaml
@@ -80,12 +80,12 @@ macOS:
- "14.0"
tags:
- 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml
index ded9d995..6a493827 100644
--- a/rules/icloud/icloud_addressbook_disable.yaml
+++ b/rules/icloud/icloud_addressbook_disable.yaml
@@ -1,7 +1,7 @@
id: icloud_addressbook_disable
title: "Disable iCloud Address Book"
discussion: |
- The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled.
+ The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization _MUST_ be controlled by an organization approved service.
check: |
diff --git a/rules/icloud/icloud_appleid_preference_pane_disable.yaml b/rules/icloud/icloud_appleid_preference_pane_disable.yaml
index b6f5e64c..c9ed5dac 100644
--- a/rules/icloud/icloud_appleid_preference_pane_disable.yaml
+++ b/rules/icloud/icloud_appleid_preference_pane_disable.yaml
@@ -1,7 +1,7 @@
id: icloud_appleid_preference_pane_disable
title: "Disable the Preference Pane for Apple ID"
discussion: |
- This is required for compliance with the DISA STIG for macOS.
+ This is required for compliance with the DISA STIG for macOS.
The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key.
diff --git a/rules/icloud/icloud_game_center_disable.yaml b/rules/icloud/icloud_game_center_disable.yaml
index 773f43da..63b01813 100644
--- a/rules/icloud/icloud_game_center_disable.yaml
+++ b/rules/icloud/icloud_game_center_disable.yaml
@@ -22,7 +22,7 @@ references:
- AC-20(1)
- CM-7
- CM-7(1)
- - SC-7(10)
+ - SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
@@ -49,14 +49,14 @@ references:
macOS:
- "14.0"
tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
- 800-171
- - cisv8
+ - cisv8
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml
index debcca2c..52bef441 100644
--- a/rules/icloud/icloud_notes_disable.yaml
+++ b/rules/icloud/icloud_notes_disable.yaml
@@ -1,7 +1,7 @@
id: icloud_notes_disable
title: "Disable iCloud Notes"
discussion: |
- The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled.
+ The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization _MUST_ be controlled by an organization approved service.
check: |
diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml
index 512e1ce6..fe05db63 100644
--- a/rules/icloud/icloud_private_relay_disable.yaml
+++ b/rules/icloud/icloud_private_relay_disable.yaml
@@ -23,7 +23,7 @@ references:
- AC-20(1)
- CM-7
- CM-7(1)
- - SC-7(10)
+ - SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
@@ -50,13 +50,13 @@ references:
macOS:
- "14.0"
tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml
index 6752fdc0..52e243cb 100644
--- a/rules/icloud/icloud_reminders_disable.yaml
+++ b/rules/icloud/icloud_reminders_disable.yaml
@@ -1,7 +1,7 @@
id: icloud_reminders_disable
title: "Disable iCloud Reminders"
discussion: |
- The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled.
+ The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization _MUST_ be controlled by an organization approved service.
check: |
diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml
index 7498bc9c..39b61e25 100644
--- a/rules/icloud/icloud_sync_disable.yaml
+++ b/rules/icloud/icloud_sync_disable.yaml
@@ -3,7 +3,7 @@ title: "Disable iCloud Desktop and Document Folder Sync" discussion: | The macOS system's ability to automatically synchronize a user's desktop and documents folder to their iCloud Drive _MUST_ be disabled. - Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
@@ -23,7 +23,7 @@ references: - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) + - SC-7(10) 800-53r4: - CM-7 - CM-7(1)
diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml
index 81776bda..f4597b12 100644
--- a/rules/os/os_airdrop_disable.yaml
+++ b/rules/os/os_airdrop_disable.yaml
@@ -3,7 +3,7 @@ title: "Disable AirDrop" discussion: AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices. - AirDrop allows users to share and receive files from other nearby Apple devices. + AirDrop allows users to share and receive files from other nearby Apple devices. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml
index eb46bf4b..4f08f077 100644
--- a/rules/os/os_appleid_prompt_disable.yaml
+++ b/rules/os/os_appleid_prompt_disable.yaml
@@ -2,7 +2,7 @@ id: os_appleid_prompt_disable title: "Disable Apple ID Setup during Setup Assistant" discussion: | The prompt for Apple ID setup during Setup Assistant _MUST_ be disabled. - + macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first login. check: | /usr/bin/osascript -l JavaScript << EOS
diff --git a/rules/os/os_application_sandboxing.yaml b/rules/os/os_application_sandboxing.yaml
index 15348d77..adf5f6f3 100644
--- a/rules/os/os_application_sandboxing.yaml
+++ b/rules/os/os_application_sandboxing.yaml
@@ -1,8 +1,8 @@ id: os_application_sandboxing title: "Ensure Seperate Execution Domain for Processes" discussion: | - The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing. - + The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing. + link:https://support.apple.com/guide/security/system-integrity-protection-secb7ea06b49/web[] link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html[]
diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml
index 8ec44bf6..35bab5ed 100644
--- a/rules/os/os_auth_peripherals.yaml
+++ b/rules/os/os_auth_peripherals.yaml
@@ -5,7 +5,7 @@ discussion: | check: | The technology does support this requirement, however, third party solutions are required to implement at an infrastructure level. fix: | - This requirement is a permanent finding and can be fixed by implementing a third party solution. + This requirement is a permanent finding and can be fixed by implementing a third party solution. references: cce: - CCE-92763-2
@@ -24,7 +24,7 @@ references: - 3.5.2 cis: benchmark: - - N/A + - N/A controls v8: - 13.9 macOS:
diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml
index e48fd115..27e96a5c 100644
--- a/rules/os/os_authenticated_root_enable.yaml
+++ b/rules/os/os_authenticated_root_enable.yaml
@@ -1,12 +1,12 @@ id: os_authenticated_root_enable title: "Enable Authenticated Root" discussion: | - Authenticated Root _MUST_ be enabled. - + Authenticated Root _MUST_ be enabled. + When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume. NOTE: Authenticated Root is enabled by default on macOS systems. - + WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input. check: | /usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled'
@@ -21,7 +21,7 @@ fix: | references: cce: - CCE-92764-0 - cci: + cci: - N/A 800-53r5: - AC-3
diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml
index de9894cf..91a86f90 100644
--- a/rules/os/os_calendar_app_disable.yaml
+++ b/rules/os/os_calendar_app_disable.yaml
@@ -34,7 +34,7 @@ fix: | references: cce: - CCE-92771-5 - cci: + cci: - N/A 800-53r5: - AC-20
@@ -72,5 +72,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - /Applications/Calendar.app
diff --git a/rules/os/os_change_security_attributes.yaml b/rules/os/os_change_security_attributes.yaml
index b450f5c5..966b50bd 100644
--- a/rules/os/os_change_security_attributes.yaml
+++ b/rules/os/os_change_security_attributes.yaml
@@ -1,9 +1,9 @@ id: os_change_security_attributes title: "Allow Administrators to Modify Security Settings and System Attributes" discussion: | - The information system _IS_ configured to allow administrators to modify security settings and system attributes. - - The macOS is a UNIX 03-compliant operating system, which allows administrators of the system to change security settings and system attributes, including those which are kept within preference panes that are locked for standard users. . + The information system _IS_ configured to allow administrators to modify security settings and system attributes. + + The macOS is a UNIX 03-compliant operating system, which allows administrators of the system to change security settings and system attributes, including those which are kept within preference panes that are locked for standard users. . link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[] check: |
diff --git a/rules/os/os_config_profile_ui_install_disable.yaml b/rules/os/os_config_profile_ui_install_disable.yaml
index db00e8d7..eee79dc3 100644
--- a/rules/os/os_config_profile_ui_install_disable.yaml
+++ b/rules/os/os_config_profile_ui_install_disable.yaml
@@ -15,7 +15,7 @@ references: cce: - CCE-92777-2 cci: - - N/A + - N/A 800-53r5: - CM-5 800-171r2:
@@ -30,8 +30,8 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate + - 800-53r5_low + - 800-53r5_moderate - 800-53r5_high - 800-171 - cnssi-1253_moderate
diff --git a/rules/os/os_continuous_monitoring.yaml b/rules/os/os_continuous_monitoring.yaml
index 9a843dbd..42e158f4 100644
--- a/rules/os/os_continuous_monitoring.yaml
+++ b/rules/os/os_continuous_monitoring.yaml
@@ -26,7 +26,7 @@ tags: - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - - permanent + - permanent - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high
diff --git a/rules/os/os_crypto_audit.yaml b/rules/os/os_crypto_audit.yaml
index 575d3b30..65d4abe9 100644
--- a/rules/os/os_crypto_audit.yaml
+++ b/rules/os/os_crypto_audit.yaml
@@ -1,13 +1,13 @@ id: os_crypto_audit title: "Protect Audit Integrity with Cryptographic Mechanisms" discussion: | - The information system _IS_ configured to implement cryptographic mechanisms to protect the integrity of audit information and audit tools. - - The Apple T2 Security Chip includes a dedicated Advanced Encryption Standard (AES) crypto engine built into the direct memory access (DMA) path between the flash storage and main system memory, which powers line-speed encrypted storage with FileVault and makes internal volume highly efficient. - + The information system _IS_ configured to implement cryptographic mechanisms to protect the integrity of audit information and audit tools. + + The Apple T2 Security Chip includes a dedicated Advanced Encryption Standard (AES) crypto engine built into the direct memory access (DMA) path between the flash storage and main system memory, which powers line-speed encrypted storage with FileVault and makes internal volume highly efficient. + link:https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf[] - - NOTE: This will only apply to a Mac that includes a T2 security chip. + + NOTE: This will only apply to a Mac that includes a T2 security chip. check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: |
diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml
index f035f562..bd13d64d 100644
--- a/rules/os/os_directory_services_configured.yaml
+++ b/rules/os/os_directory_services_configured.yaml
@@ -1,13 +1,13 @@ id: os_directory_services_configured title: "Integrate System into a Directory Services Infrastructure" discussion: | - The macOS system _MUST_ be integrated into a directory services infrastructure. + The macOS system _MUST_ be integrated into a directory services infrastructure. A directory service infrastructure enables centralized user and rights management, as well as centralized control over computer and user configurations. Integrating the macOS systems used throughout an organization into a directory services infrastructure ensures more administrator oversight and security than allowing distinct user account databases to exist on each separate system. check: | /usr/bin/dscl localhost -list . | /usr/bin/grep -qvE '(Contact|Search|Local|^$)'; /bin/echo $? result: - integer: 0 + integer: 0 fix: | Integrate the system into an existing directory services infrastructure. references:
diff --git a/rules/os/os_enforce_access_restrictions.yaml b/rules/os/os_enforce_access_restrictions.yaml
index a19c3700..3ba26a56 100644
--- a/rules/os/os_enforce_access_restrictions.yaml
+++ b/rules/os/os_enforce_access_restrictions.yaml
@@ -2,8 +2,8 @@ id: os_enforce_access_restrictions title: "Enforce Access Restrictions" discussion: | The information system _IS_ configured to enforce access restrictions and support auditing of the enforcement actions. - - The inherent configuration of a macOS provides users with the ability to set their own permission settings to control who can view and alter files on the computer. + + The inherent configuration of a macOS provides users with the ability to set their own permission settings to control who can view and alter files on the computer. link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[] check: |
diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml
index 5c5f62cc..13addb48 100644
--- a/rules/os/os_facetime_app_disable.yaml
+++ b/rules/os/os_facetime_app_disable.yaml
@@ -1,7 +1,7 @@ id: os_facetime_app_disable title: "Disable FaceTime.app" discussion: | - The macOS built-in FaceTime.app _MUST_ be disabled. + The macOS built-in FaceTime.app _MUST_ be disabled. The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access.
@@ -9,7 +9,7 @@ discussion: | ==== Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== -check: | +check: | /usr/bin/osascript -l JavaScript << EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
@@ -31,7 +31,7 @@ fix: | references: cce: - CCE-92788-9 - cci: + cci: - N/A 800-53r5: - AC-20
@@ -69,5 +69,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - /Applications/FaceTime.app
diff --git a/rules/os/os_fail_secure_state.yaml b/rules/os/os_fail_secure_state.yaml
index 64816a73..81090220 100644
--- a/rules/os/os_fail_secure_state.yaml
+++ b/rules/os/os_fail_secure_state.yaml
@@ -1,11 +1,11 @@ id: os_fail_secure_state title: "Configure System to Fail to a Known Safe State if System Initialization, Shutdown, or Abort Fails" discussion: | - The information system _IS_ configured to fail to a known safe state in the event of a failed system initialization, shutdown, or abort. + The information system _IS_ configured to fail to a known safe state in the event of a failed system initialization, shutdown, or abort. - Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. + Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. - Apple File System (APFS) is the default file system for Mac computers using macOS 10.13 and all later versions. APFS includes native encryption, safe document saves, stable snapshots, and crash protection; these features ensure that the macOS fails to safe state. + Apple File System (APFS) is the default file system for Mac computers using macOS 10.13 and all later versions. APFS includes native encryption, safe document saves, stable snapshots, and crash protection; these features ensure that the macOS fails to safe state. link:https://developer.apple.com/videos/play/wwdc2017/715/[] check: |
diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml
index 1e0ec730..8ccbf107 100644
--- a/rules/os/os_filevault_autologin_disable.yaml
+++ b/rules/os/os_filevault_autologin_disable.yaml
@@ -3,7 +3,7 @@ title: "Disable FileVault Automatic Login" discussion: | If FileVault is enabled, automatic login _MUST_ be disabled, so that both FileVault and login window authentication are required. - The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing your FileVault credentials. + The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing your FileVault credentials. NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon based macOS systems that are smartcard enforced as smartcards are available at pre-boot. check: |
diff --git a/rules/os/os_firewall_default_deny_require.yaml b/rules/os/os_firewall_default_deny_require.yaml
index 70279f00..8c7571d1 100644
--- a/rules/os/os_firewall_default_deny_require.yaml
+++ b/rules/os/os_firewall_default_deny_require.yaml
@@ -1,13 +1,13 @@ id: os_firewall_default_deny_require title: "Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy" discussion: | - A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems. + A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems. Organizations _MUST_ ensure the built-in packet filter firewall is configured correctly to employ the default deny rule. Failure to restrict network connectivity to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate the exfiltration of data. - If you are using a third-party firewall solution, this setting does not apply. + If you are using a third-party firewall solution, this setting does not apply. [IMPORTANT] ====
diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml
index 84f5ca4b..0408a07b 100644
--- a/rules/os/os_firewall_log_enable.yaml
+++ b/rules/os/os_firewall_log_enable.yaml
@@ -1,11 +1,11 @@ id: os_firewall_log_enable title: "Enable Firewall Logging" discussion: | - Firewall logging _MUST_ be enabled. + Firewall logging _MUST_ be enabled. - Firewall logging ensures that malicious network activity will be logged to the system. + Firewall logging ensures that malicious network activity will be logged to the system. - NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder. + NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder. check: | /usr/bin/osascript -l JavaScript << EOS function run() {
@@ -27,12 +27,12 @@ fix: | references: cce: - CCE-92793-9 - cci: + cci: - N/A 800-53r5: - AU-12 - SC-7 - 800-53r4: + 800-53r4: - SC-7 - AU-12 srg:
diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml
index 0324b93c..11a6d7a9 100644
--- a/rules/os/os_gatekeeper_rearm.yaml
+++ b/rules/os/os_gatekeeper_rearm.yaml
@@ -14,11 +14,11 @@ fix: | references: cce: - CCE-92796-2 - cci: + cci: - N/A 800-53r5: - CM-5 - 800-53r4: + 800-53r4: - CM-5 - SI-3 srg:
diff --git a/rules/os/os_grant_privs.yaml b/rules/os/os_grant_privs.yaml
index 581e84eb..3bc7b904 100644
--- a/rules/os/os_grant_privs.yaml
+++ b/rules/os/os_grant_privs.yaml
@@ -1,8 +1,8 @@ id: os_grant_privs title: "Allow Administrators to Promote Other Users to Administrator Status" discussion: | - The information system _IS_ configured to allow current administrators to promote standard users to administrator user status. - + The information system _IS_ configured to allow current administrators to promote standard users to administrator user status. + The macOS is a UNIX 03-compliant operating system which allows administrators of the system to grant privileges to other users. link:https://support.apple.com/guide/mac-help/set-up-other-users-on-your-mac-mtusr001/mac[]
diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml
index 791ff11e..02c3ac50 100644
--- a/rules/os/os_guest_folder_removed.yaml
+++ b/rules/os/os_guest_folder_removed.yaml
@@ -1,6 +1,6 @@ id: os_guest_folder_removed title: "Remove Guest Folder if Present" -discussion: | +discussion: | The guest folder _MUST_ be deleted if present. check: | /bin/ls /Users/ | /usr/bin/grep -c "Guest"
@@ -14,7 +14,7 @@ fix: | references: cce: - CCE-92798-8 - cci: + cci: - N/A 800-53r5: - N/A
@@ -29,7 +29,7 @@ references: cis: benchmark: - 5.10 (level 1) - controls v8: + controls v8: - 4.1 macOS: - "14.0"
diff --git a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml
index 9aaa9708..aeb824c0 100644
--- a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml
+++ b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml
@@ -1,11 +1,11 @@ id: os_hibernate_mode_apple_silicon_enable title: "Enable Hibernate Mode (Apple Silicon)" discussion: | - Hibernate mode _MUST_ be enabled. + Hibernate mode _MUST_ be enabled. This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack. - Apple Silicon MacBooks should set sleep timeout to 10 minutes (600 seconds) or less and the display sleep timeout should be 15 minutes (900 seconds) or less but greater than the sleep setting. + Apple Silicon MacBooks should set sleep timeout to 10 minutes (600 seconds) or less and the display sleep timeout should be 15 minutes (900 seconds) or less but greater than the sleep setting. This setting ensures that MacBooks will not hibernate and require FileVault authentication wheneve the display goes to sleep for a short period of time. NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops.
@@ -15,7 +15,7 @@ check: | hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}') sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}') displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}') - + if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 10 ]]; then ((error_count++)) fi
diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
index 05914aec..dc622409 100644
--- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
+++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
@@ -1,7 +1,7 @@ id: os_hibernate_mode_destroyfvkeyonstandby_enable title: "Enable DestroyFVKeyOnStandby on Hibernate" discussion: | - DestroyFVKeyOnStandby on hibernate _MUST_ be enabled. + DestroyFVKeyOnStandby on hibernate _MUST_ be enabled. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
@@ -29,7 +29,7 @@ references: cis: benchmark: - 2.9.1.3 (level 2) - controls v8: + controls v8: - 4.1 macOS: - "14.0"
diff --git a/rules/os/os_hibernate_mode_intel_enable.yaml b/rules/os/os_hibernate_mode_intel_enable.yaml
index e0851eff..cb2414eb 100644
--- a/rules/os/os_hibernate_mode_intel_enable.yaml
+++ b/rules/os/os_hibernate_mode_intel_enable.yaml
@@ -1,7 +1,7 @@ id: os_hibernate_mode_intel_enable title: "Enable Hibernate Mode (Intel)" discussion: | - Hibernate mode _MUST_ be enabled. + Hibernate mode _MUST_ be enabled. This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack.
@@ -12,7 +12,7 @@ check: | hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}') hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}') hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}') - + if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 900 ]]; then ((error_count++)) fi
diff --git a/rules/os/os_home_folders_default.yaml b/rules/os/os_home_folders_default.yaml
index d87817bb..705a3b62 100644
--- a/rules/os/os_home_folders_default.yaml
+++ b/rules/os/os_home_folders_default.yaml
@@ -2,27 +2,27 @@ id: os_home_folders_default title: "Configure User's Home Folders to Apple's Default" discussion: | The system _MUST_ be configured to prevent access to other user's home folders. - + Configuring the operating system to use the most restrictive permissions possible for user home directories helps to protect against inadvertent disclosures. check: |- Verify the macOS system is configured so that permissions are set correctly on user home directories with the following commands: /bin/ls -le /Users - + This command will return a listing of the permissions of the root of every user account configured on the system. For each of the users, the permissions must be "drwxr-xr-x+", with the user listed as the owner and the group listed as \"staff\". The plus(+) sign indicates an associated Access Control List, which must be: 0: group:everyone deny delete - + For every authorized user account, also run the following command: - /usr/bin/sudo /bin/ls -le /Users/userid, where userid is an existing user. - + /usr/bin/sudo /bin/ls -le /Users/userid, where userid is an existing user. + This command will return the permissions of all the objects under the users' home directory. The permissions for each of the subdirectories must be: - drwx------+ + drwx------+ 0: group:everyone deny delete The exception is the \"Public\" directory, whose permissions must match the following: - drwxr-xr-x+ + drwxr-xr-x+ 0: group:everyone deny delete - + If the permissions returned by either of these checks differ from what is shown, this is a finding. result: "" fix: |-
diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml
index a4c41055..a0f5fbdf 100644
--- a/rules/os/os_home_folders_secure.yaml
+++ b/rules/os/os_home_folders_secure.yaml
@@ -2,7 +2,7 @@ id: os_home_folders_secure title: "Secure User's Home Folders" discussion: | The system _MUST_ be configured to prevent access to other user's home folders. - + The default behavior of macOS is to allow all valid users access to the the top level of every other user's home folder while restricting access only to the Apple default folders within. check: | /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d ! \( -perm 700 -o -perm 711 \) | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" | /usr/bin/wc -l | /usr/bin/xargs
diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml
index 03a0a7a4..9d3c135c 100644
--- a/rules/os/os_implement_cryptography.yaml
+++ b/rules/os/os_implement_cryptography.yaml
@@ -1,14 +1,14 @@ id: os_implement_cryptography title: "Configure the System to Implement Approved Cryptography to Protect Information" discussion: | - The information system _IS_ configured to implement approved cryptography to protect information. + The information system _IS_ configured to implement approved cryptography to protect information. - Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government. + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government. Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Sonoma will be submitted for FIPS validation. link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[] - + link:https://support.apple.com/en-us/HT201159[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement using FIPS Validated Cryptographic Modules.
diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml
index 97d11229..99a1207e 100644
--- a/rules/os/os_implement_memory_protection.yaml
+++ b/rules/os/os_implement_memory_protection.yaml
@@ -3,16 +3,16 @@ title: "Configure the System to Protect Memory from Unauthorized Code Execution" discussion: | The information system _IS_ configured to implement non-executable data to protect memory from code execution. - Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited (e.g., buffer overflow attacks). Security safeguards (e.g., data execution prevention and address space layout randomization) can be employed to protect non-executable regions of memory. Data execution prevention safeguards can either be hardware-enforced or software-enforced; hardware-enforced methods provide the greater strength of mechanism. + Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited (e.g., buffer overflow attacks). Security safeguards (e.g., data execution prevention and address space layout randomization) can be employed to protect non-executable regions of memory. Data execution prevention safeguards can either be hardware-enforced or software-enforced; hardware-enforced methods provide the greater strength of mechanism. macOS supports address space layout randomization (ASLR), position-independent executable (PIE), Stack Canaries, and NX stack and heap protection. link:https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/64bitPorting/transition/transition.html[] - + link:https://developer.apple.com/library/archive/qa/qa1788/_index.html[] link:https://www.apple.com/macos/security/[] - + check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: |
diff --git a/rules/os/os_information_validation.yaml b/rules/os/os_information_validation.yaml
index a985a566..38eab6c6 100644
--- a/rules/os/os_information_validation.yaml
+++ b/rules/os/os_information_validation.yaml
@@ -2,7 +2,7 @@ id: os_information_validation title: "Information Input Validation" discussion: | Check the validity of the following information inputs: organization-defined information inputs to the systems. - + Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of "387," "abc," or "%K%" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks. check: | This requirement is NA for this technology.
diff --git a/rules/os/os_install_log_retention_configure.yaml b/rules/os/os_install_log_retention_configure.yaml
index a32b025a..8946b804 100644
--- a/rules/os/os_install_log_retention_configure.yaml
+++ b/rules/os/os_install_log_retention_configure.yaml
@@ -1,7 +1,7 @@ id: os_install_log_retention_configure title: "Configure Install.log Retention to $ODV" discussion: | - The install.log _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility. + The install.log _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility. check: | /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= $ODV) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (ttl != "True") { print "TTL not configured" } else if (max == "True") { print "Max Size is configured, must be removed" } else { print "Yes" }}' result:
@@ -10,7 +10,7 @@ fix: | [source,bash] ---- /usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=$ODV/g" /etc/asl/com.apple.install - ---- + ---- NOTE: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed. references:
diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml
index 75db6dfc..1bec9ec0 100644
--- a/rules/os/os_ir_support_disable.yaml
+++ b/rules/os/os_ir_support_disable.yaml
@@ -1,10 +1,10 @@
 id: os_ir_support_disable
 title: "Disable Infrared (IR) support"
 discussion: |
- Infrared (IR) support _MUST_ be disabled to prevent users from controlling the system with IR devices.
-
- By default, if IR is enabled, the system will accept IR control from any remote device.
-
+ Infrared (IR) support _MUST_ be disabled to prevent users from controlling the system with IR devices.
+
+ By default, if IR is enabled, the system will accept IR control from any remote device.
+
 NOTE: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
@@ -18,13 +18,13 @@ fix: |
 references:
 cce:
 - CCE-92812-7
- cci:
+ cci:
 - N/A
 800-53r5:
 - AC-18
 - CM-7
 - CM-7(1)
- 800-53r4:
+ 800-53r4:
 - CM-7
 - CM-7(1)
 - AC-18
diff --git a/rules/os/os_isolate_security_functions.yaml b/rules/os/os_isolate_security_functions.yaml
index 2885a32c..804837eb 100644
--- a/rules/os/os_isolate_security_functions.yaml
+++ b/rules/os/os_isolate_security_functions.yaml
@@ -1,8 +1,8 @@
 id: os_isolate_security_functions
 title: "Configure the System to Separate User and System Functionality"
 discussion: |
- The information system _IS_ configured to isolate security functions from non-security functions.
-
+ The information system _IS_ configured to isolate security functions from non-security functions.
+
 link:https://support.apple.com/guide/security/welcome/web[]
 check: |
 The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
diff --git a/rules/os/os_library_validation_enabled.yaml b/rules/os/os_library_validation_enabled.yaml
index 63a423b9..cefbf83d 100644
--- a/rules/os/os_library_validation_enabled.yaml
+++ b/rules/os/os_library_validation_enabled.yaml
@@ -1,6 +1,6 @@
 id: os_library_validation_enabled
 title: "Enable Library Validation"
-discussion:
+discussion:
 Library validation _MUST_ be enabled.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
@@ -14,7 +14,7 @@ fix: |
 references:
 cce:
 - CCE-92814-3
- cci:
+ cci:
 - N/A
 800-53r5:
 - N/A
diff --git a/rules/os/os_limit_dos_attacks.yaml b/rules/os/os_limit_dos_attacks.yaml
index 4249e498..b8b10799 100644
--- a/rules/os/os_limit_dos_attacks.yaml
+++ b/rules/os/os_limit_dos_attacks.yaml
@@ -1,9 +1,9 @@
 id: os_limit_dos_attacks
 title: "Limit Impact of Denial of Service Attacks"
 discussion: |
- The macOS should be configured to limit the impact of Denial of Service (DoS) attacks.
+ The macOS should be configured to limit the impact of Denial of Service (DoS) attacks.
- DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission.
+ DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission.
 To limit the impact of DoS attacks, organizations may choose to employ increased capacity and service redundancy, which has the potential to reduce systems' susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement.
 check: |
diff --git a/rules/os/os_limit_gui_sessions.yaml b/rules/os/os_limit_gui_sessions.yaml
index b7bce84f..7e83e52e 100644
--- a/rules/os/os_limit_gui_sessions.yaml
+++ b/rules/os/os_limit_gui_sessions.yaml
@@ -1,7 +1,7 @@
 id: os_limit_gui_sessions
 title: "Limit Concurrent GUI Sessions to 10 for all Accounts"
 discussion: |
- The information system _IS_ configured to limit the number of concurrent graphical user interface (GUI) sessions to a maximum of ten for all users.
+ The information system _IS_ configured to limit the number of concurrent graphical user interface (GUI) sessions to a maximum of ten for all users.
 Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user helps reduce the risks related to Denial-of-Service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
 check: |
diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml
index 0302dffc..c1d491e0 100644
--- a/rules/os/os_logical_access.yaml
+++ b/rules/os/os_logical_access.yaml
@@ -1,9 +1,9 @@
 id: os_logical_access
 title: "Enforce Approved Authorization for Logical Access"
 discussion: |
- The information system _IS_ configured to enforce an approved authorization process before granting users logical access.
+ The information system _IS_ configured to enforce an approved authorization process before granting users logical access.
- The inherent configuration of the macOS does not grant users logical access without authorization. Authorization is achieved on the macOS through permissions, which are controlled at many levels, from the Mach and BSD components of the kernel, through higher levels of the operating system and, for networked applications, through the networking protocols. Permissions can be granted at the level of directories, subdirectories, files or applications, or specific data within files or functions within applications.
+ The inherent configuration of the macOS does not grant users logical access without authorization. Authorization is achieved on the macOS through permissions, which are controlled at many levels, from the Mach and BSD components of the kernel, through higher levels of the operating system and, for networked applications, through the networking protocols. Permissions can be granted at the level of directories, subdirectories, files or applications, or specific data within files or functions within applications.
 link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[]
 check: |
diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml
index 3ae406da..c95c15e3 100644
--- a/rules/os/os_mail_app_disable.yaml
+++ b/rules/os/os_mail_app_disable.yaml
@@ -1,10 +1,10 @@
 id: os_mail_app_disable
 title: "Disable Mail App"
 discussion: |
- The macOS built-in Mail.app _MUST_ be disabled.
+ The macOS built-in Mail.app _MUST_ be disabled.
 The Mail.app contains functionality that can establish connections to Apple's iCloud, even when security controls to disable iCloud access have been put in place.
-
+
 [IMPORTANT]
 ====
 Some organizations allow the use of the built-in Mail.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
@@ -14,7 +14,7 @@ discussion: |
 ====
 Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements.
 ====
-check: |
+check: |
 /usr/bin/osascript -l JavaScript << EOS
 function run() {
 let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
@@ -36,7 +36,7 @@ fix: |
 references:
 cce:
 - CCE-92820-0
- cci:
+ cci:
 - N/A
 800-53r5:
 - AC-20
@@ -74,5 +74,5 @@ mobileconfig: true
 mobileconfig_info:
 com.apple.applicationaccess.new:
 familyControlsEnabled: true
- pathBlackList:
+ pathBlackList:
 - /Applications/Mail.app
diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml
index 49466046..e54584b0 100644
--- a/rules/os/os_malicious_code_prevention.yaml
+++ b/rules/os/os_malicious_code_prevention.yaml
@@ -2,31 +2,31 @@ id: os_malicious_code_prevention
 title: "Ensure the System Implements Malicious Code Protection Mechanisms"
 discussion: |
 The inherent configuration of the macOS _IS_ in compliance as Apple has designed the system with three layers of protection against malware. Each layer of protection is comprised of one or more malicious code protection mechanisms, which are automatically implemented and which, collectively, meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for malicious code prevention.
-
- 1. This first layer of defense targets the distribution of malware; the aim is to prevent malware from ever launching.
- The following mechanisms are inherent to the macOS design and constitute the first layer of protection against malicious code:
- * The Apple App Store: the safest way to add new applications to a Mac is by downloading them from the App Store; all apps available for download from the App Store have been reviewed for signs of tampering and signed by Apple to indicate that the app meets security requirements and does not contain malware.
- * XProtect: a built-in, signature-based, anti-virus, anti-malware technology inherent to all Macs. XProtect automatically detects and blocks the execution of known malware.
+
+ 1. This first layer of defense targets the distribution of malware; the aim is to prevent malware from ever launching.
+ The following mechanisms are inherent to the macOS design and constitute the first layer of protection against malicious code:
+ * The Apple App Store: the safest way to add new applications to a Mac is by downloading them from the App Store; all apps available for download from the App Store have been reviewed for signs of tampering and signed by Apple to indicate that the app meets security requirements and does not contain malware.
+ * XProtect: a built-in, signature-based, anti-virus, anti-malware technology inherent to all Macs. XProtect automatically detects and blocks the execution of known malware.
 * In macOS 10.15 and all subsequent releases, XProtect checks for known malicious content when:
 * an app is first launched,
 * an app has been changed (in the file system), and
 * XProtect signatures are updated.
 * YARA: another built-in tool (inherent to all Macs), which conducts signature-based detection of malware. Apple updates YARA rules regularly.
 * Gatekeeper: a security feature inherent to all Macs; Gatekeeper scans apps to detect malware and/or revocations of a developer's signing certificate and prevents unsafe apps from running.
- * Notarization: Apple performs regular, automated scans to detect signs of malicious content and to verify developer ID-signed software; when no issues are found, Apple notarizes the software and delivers the results of scans to the system owner.
+ * Notarization: Apple performs regular, automated scans to detect signs of malicious content and to verify developer ID-signed software; when no issues are found, Apple notarizes the software and delivers the results of scans to the system owner.
- 2. The second layer of defense targets malware that manages to appear on a Mac before it runs; the aim is to quickly identify and block any malware present on a Mac in order to prevent the malware from running and further spreading.
- The following mechanisms are inherent to the macOS design and constitute the second layer of protection against malicious code:
+ 2. The second layer of defense targets malware that manages to appear on a Mac before it runs; the aim is to quickly identify and block any malware present on a Mac in order to prevent the malware from running and further spreading.
+ The following mechanisms are inherent to the macOS design and constitute the second layer of protection against malicious code:
 * XProtect (defined above).
 * Gatekeeper (defined above).
 * Notarization (defined above).
- 3. The third layer of defense targets infected Mac system(s); the aim is to remediate Macs on which malware has managed to successfully execute.
- The following mechanism is inherent to the macOS design and constitutes the third layer of protection against malicious code:
+ 3. The third layer of defense targets infected Mac system(s); the aim is to remediate Macs on which malware has managed to successfully execute.
+ The following mechanism is inherent to the macOS design and constitutes the third layer of protection against malicious code:
 * Apple's XProtect: a technology included on all macOS systems. XProtect will remediate infections upon receiving updated information delivered and when infections are detected
 link:https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1[]
-
+
 link:https://support.apple.com/guide/security/app-security-overview-sec35dd877d0/web[]
 check: |
 The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml
index ffa9e09c..f64e8e85 100644
--- a/rules/os/os_mdm_require.yaml
+++ b/rules/os/os_mdm_require.yaml
@@ -2,9 +2,9 @@ id: os_mdm_require
 title: "Enforce Enrollment in Mobile Device Management"
 discussion: |
 You _MUST_ enroll your Mac in a Mobile Device Management (MDM) software.
-
+
 User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager (ASM) is required to manage certain security settings. Currently these include:
-
+
 * Allowed Kernel Extensions
 * Allowed Approved System Extensions
 * Privacy Preferences Policy Control Payload
@@ -12,7 +12,7 @@ discussion: |
 * FDEFileVault
 In macOS 11, UAMDM grants Supervised status on a Mac, unlocking the following MDM features, which were previously locked behind ABM:
-
+
 * Activation Lock Bypass
 * Access to Bootstrap Tokens
 * Scheduling Software Updates
@@ -38,7 +38,7 @@ references:
 disa_stig:
 - N/A
 srg:
- - N/A
+ - N/A
 800-171r2:
 - 3.4.1
 - 3.4.2
diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml
index ba134c11..ea360c73 100644
--- a/rules/os/os_messages_app_disable.yaml
+++ b/rules/os/os_messages_app_disable.yaml
@@ -1,7 +1,7 @@
 id: os_messages_app_disable
 title: "Disable Messages App"
 discussion: |
- The macOS built-in Messages.app _MUST_ be disabled.
+ The macOS built-in Messages.app _MUST_ be disabled.
 The Messages.app establishes a connection to Apple's iCloud service, even when security controls to disable iCloud access have been put in place.
@@ -31,7 +31,7 @@ fix: |
 references:
 cce:
 - CCE-92825-9
- cci:
+ cci:
 - N/A
 800-53r5:
 - AC-20
@@ -69,5 +69,5 @@ mobileconfig: true
 mobileconfig_info:
 com.apple.applicationaccess.new:
 familyControlsEnabled: true
- pathBlackList:
+ pathBlackList:
 - /Applications/Messages.app
diff --git a/rules/os/os_mobile_file_integrity_enable.yaml b/rules/os/os_mobile_file_integrity_enable.yaml
index a27fbb0c..b0f8a483 100644
--- a/rules/os/os_mobile_file_integrity_enable.yaml
+++ b/rules/os/os_mobile_file_integrity_enable.yaml
@@ -1,6 +1,6 @@
 id: os_mobile_file_integrity_enable
 title: "Enable Apple Mobile File Integrity"
-discussion:
+discussion:
 Mobile file integrity _MUST_ be ebabled.
 check: |
 /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1"
@@ -14,7 +14,7 @@ fix: |
 references:
 cce:
 - CCE-92828-3
- cci:
+ cci:
 - N/A
 800-53r5:
 - N/A
diff --git a/rules/os/os_nonlocal_maintenance.yaml b/rules/os/os_nonlocal_maintenance.yaml
index 089ed239..388952a1 100644
--- a/rules/os/os_nonlocal_maintenance.yaml
+++ b/rules/os/os_nonlocal_maintenance.yaml
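Review bot: The discussion text of os_mobile_file_integrity_enable that this hunk leaves in place reads `Mobile file integrity _MUST_ be ebabled.`, a misspelling of "enabled" that is carried into every generated guide and baseline built from this rule; it should read `Mobile file integrity _MUST_ be enabled.`. The same hunk also keeps `discussion:` without the `|` block indicator used by the neighbouring rules, so the indented line below it is parsed as a plain scalar rather than a literal block; that is harmless for a single sentence, but os_library_validation_enabled in this commit has the identical shape, and making both consistent with the rest of the rule set would avoid surprises if either discussion ever grows a second line.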
@@ -1,7 +1,7 @@
 id: os_nonlocal_maintenance
 title: "Configure the System for Nonlocal Maintenance"
 discussion: |
- Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network or an internal network.
+ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network or an internal network.
 check: |
 This requirement is NA for this technology.
 fix: |
diff --git a/rules/os/os_notify_account_created.yaml b/rules/os/os_notify_account_created.yaml
index ee54e7ec..edb08d65 100644
--- a/rules/os/os_notify_account_created.yaml
+++ b/rules/os/os_notify_account_created.yaml
@@ -3,9 +3,9 @@ title: "Configure the System to Notify upon Account Created Actions"
 discussion: |
 The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when new accounts are created.
- Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by creating a new account. Configuring the information system to send a notification when new accounts are created is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are created, but also maintain an audit record of accounts made. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
+ Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by creating a new account. Configuring the information system to send a notification when new accounts are created is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are created, but also maintain an audit record of accounts made. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
- To enable notifications and audit logging of accounts created, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
+ To enable notifications and audit logging of accounts created, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
 check: |
 The technology does not support this requirement. This is an applicable-does not meet finding.
 fix: |
diff --git a/rules/os/os_notify_account_disabled.yaml b/rules/os/os_notify_account_disabled.yaml
index 5614756b..e7a881c3 100644
--- a/rules/os/os_notify_account_disabled.yaml
+++ b/rules/os/os_notify_account_disabled.yaml
@@ -5,7 +5,7 @@ discussion: |
 When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. To detect and respond to events that affect user accessibility and system processing, operating systems should audit account disabling actions and, as required, notify system administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.
- To enable notifications and audit logging of disabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
+ To enable notifications and audit logging of disabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
 check: |
 The technology does not support this requirement. This is an applicable-does not meet finding.
 fix: |
diff --git a/rules/os/os_notify_account_enable.yaml b/rules/os/os_notify_account_enable.yaml
index 99f0ce25..72e74a25 100644
--- a/rules/os/os_notify_account_enable.yaml
+++ b/rules/os/os_notify_account_enable.yaml
@@ -3,9 +3,9 @@ title: "Configure the System to Notify upon Account Enabled Actions "
 discussion: |
 The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are enabled.
- Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by enabling a new or previously disabled account. Configuring the information system to send a notification when a new or disabled account is enabled is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are enabled, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes.
+ Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by enabling a new or previously disabled account. Configuring the information system to send a notification when a new or disabled account is enabled is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are enabled, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes.
- To enable notifications and audit logging of enabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
+ To enable notifications and audit logging of enabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
 check: |
 The technology does not support this requirement. This is an applicable-does not meet finding.
 fix: |
diff --git a/rules/os/os_notify_account_modified.yaml b/rules/os/os_notify_account_modified.yaml
index 63cd63a4..593898c2 100644
--- a/rules/os/os_notify_account_modified.yaml
+++ b/rules/os/os_notify_account_modified.yaml
@@ -3,9 +3,9 @@ title: "Configure the System to Notify upon Account Modified Actions"
 discussion: |
 The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are modified.
- Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by modifying an existing account. Configuring the information system to send a notification when accounts are modified is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are modified, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
+ Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by modifying an existing account. Configuring the information system to send a notification when accounts are modified is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are modified, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
- To enable notifications and audit logging of modified account, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
+ To enable notifications and audit logging of modified account, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
 check: |
 The technology does not support this requirement. This is an applicable-does not meet finding.
 fix: |
diff --git a/rules/os/os_notify_account_removal.yaml b/rules/os/os_notify_account_removal.yaml
index 68a1bf8c..f765a10b 100644
--- a/rules/os/os_notify_account_removal.yaml
+++ b/rules/os/os_notify_account_removal.yaml
@@ -4,8 +4,8 @@ discussion: |
 The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are removed.
 When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. To detect and respond to events that affect user accessibility and system processing, operating systems should audit account removal actions and, as required, notify system administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.
-
- To enable notifications and audit logging of removed accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
+
+ To enable notifications and audit logging of removed accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
 check: |
 The technology does not support this requirement. This is an applicable-does not meet finding.
 fix: |
diff --git a/rules/os/os_notify_unauthorized_baseline_change.yaml b/rules/os/os_notify_unauthorized_baseline_change.yaml
index 759816d2..d8656c7b 100644
--- a/rules/os/os_notify_unauthorized_baseline_change.yaml
+++ b/rules/os/os_notify_unauthorized_baseline_change.yaml
@@ -3,9 +3,9 @@ title: "Configure the System to Notify upon Baseline Configuration Changes"
 discussion: |
 The macOS should be configured to automatically notify system administrators, Information System Security Officers (ISSOs), and (IMOs) when baseline configurations are modified.
- Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may present security threats. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the state of the operating system.
+ Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may present security threats. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the state of the operating system.
- To enable notifications and audit logging of changes made to baseline configurations, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
+ To enable notifications and audit logging of changes made to baseline configurations, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
 check: |
 The technology does not support this requirement. This is an applicable-does not meet finding.
 fix: |
diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml
index d893b305..76be9ffd 100644
--- a/rules/os/os_parental_controls_enable.yaml
+++ b/rules/os/os_parental_controls_enable.yaml
@@ -1,8 +1,8 @@
 id: os_parental_controls_enable
 title: "Enable Parental Controls"
 discussion: |
- Parental Controls _MUST_ be enabled.
-
+ Parental Controls _MUST_ be enabled.
+
 Control of program execution is a mechanism used to prevent program execution of unauthorized programs, which is critical to maintaining a secure system baseline.
 Parental Controls on the macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions.
@@ -18,11 +18,11 @@ fix: |
 references:
 cce:
 - CCE-92842-4
- cci:
+ cci:
 - N/A
 800-53r5:
 - CM-7(2)
- 800-53r4:
+ 800-53r4:
 - CM-7(2)
 srg:
 - N/A
diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml
index b928ab74..0d63b799 100644
--- a/rules/os/os_password_autofill_disable.yaml
+++ b/rules/os/os_password_autofill_disable.yaml
@@ -1,7 +1,7 @@
 id: os_password_autofill_disable
 title: "Disable Password Autofill"
 discussion: |
- Password Autofill _MUST_ be disabled.
+ Password Autofill _MUST_ be disabled.
 macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications.
 check: |
diff --git a/rules/os/os_password_hint_remove.yaml b/rules/os/os_password_hint_remove.yaml
index 1854c973..a86c5994 100644
--- a/rules/os/os_password_hint_remove.yaml
+++ b/rules/os/os_password_hint_remove.yaml
@@ -9,7 +9,7 @@ result:
 fix: |
 [source,bash]
 ----
- for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
+ for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
 /usr/bin/dscl . -delete /Users/$u hint
 done
 ----
@@ -17,7 +17,7 @@ references:
 cce:
 - CCE-92844-0
 cci:
- - N/A
+ - N/A
 800-53r5:
 - IA-6
 800-53r4:
diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml
index 2a7920a2..03afbab3 100644
--- a/rules/os/os_password_proximity_disable.yaml
+++ b/rules/os/os_password_proximity_disable.yaml
@@ -1,8 +1,8 @@
 id: os_password_proximity_disable
 title: "Disable Proximity Based Password Sharing Requests"
 discussion: |
- Proximity based password sharing requests _MUST_ be disabled.
-
+ Proximity based password sharing requests _MUST_ be disabled.
+
 The default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature _MUST_ be disabled to prevent passwords from being shared.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml
index c9d91c96..0466e921 100644
--- a/rules/os/os_password_sharing_disable.yaml
+++ b/rules/os/os_password_sharing_disable.yaml
@@ -1,8 +1,8 @@
 id: os_password_sharing_disable
 title: "Disable Password Sharing"
 discussion: |
- Password Sharing _MUST_ be disabled.
-
+ Password Sharing _MUST_ be disabled.
+
 The default behavior of macOS is to allow users to share a password over Airdrop between other macOS and iOS devices. This feature _MUST_ be disabled to prevent passwords from being shared.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
diff --git a/rules/os/os_peripherals_identify.yaml b/rules/os/os_peripherals_identify.yaml
index 35148f32..1fac6a63 100644
--- a/rules/os/os_peripherals_identify.yaml
+++ b/rules/os/os_peripherals_identify.yaml
@@ -2,7 +2,7 @@ id: os_peripherals_identify
 title: The macOS system must uniquely identify peripherals before establishing a connection.
 discussion: |
 Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
-
+
 Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
 check: |
 The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
@@ -22,7 +22,7 @@ references:
 disa_stig:
 - N/A
 800-171r2:
- - N/A
+ - N/A
 macOS:
 - "14.0"
 tags:
diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml
index 6d33ed99..2988465d 100644
--- a/rules/os/os_policy_banner_loginwindow_enforce.yaml
+++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml
@@ -6,7 +6,7 @@ discussion: |
 System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
 The policy banner will show if a "PolicyBanner.rtf" or "PolicyBanner.rtfd" exists in the "/Library/Security" folder.
-
+
 The banner text of the document _MUST_ read:
 [source,text]
@@ -65,15 +65,15 @@ odv: cis_lvl1: "Center for Internet Security Test Message" cis_lvl2: "Center for Internet Security Test Message" stig: |- - You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: + You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: - -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - -At any time, the USG may inspect and seize data stored on this IS. + -At any time, the USG may inspect and seize data stored on this IS. - -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. + -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. - -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. tags: diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml index 235005a9..8ef024a7 100644 --- a/rules/os/os_policy_banner_ssh_configure.yaml +++ b/rules/os/os_policy_banner_ssh_configure.yaml @@ -60,13 +60,13 @@ odv: -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml index 6ad0fafe..330d7d3e 100644 --- a/rules/os/os_policy_banner_ssh_enforce.yaml +++ b/rules/os/os_policy_banner_ssh_enforce.yaml 
@@ -1,7 +1,7 @@ id: os_policy_banner_ssh_enforce title: "Enforce SSH to Display Policy Banner" discussion: | - SSH _MUST_ be configured to display a policy banner. + SSH _MUST_ be configured to display a policy banner. Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. @@ -55,13 +55,13 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_power_nap_disable.yaml b/rules/os/os_power_nap_disable.yaml index b5b28508..a78d4fb7 100644 --- a/rules/os/os_power_nap_disable.yaml +++ b/rules/os/os_power_nap_disable.yaml @@ -3,7 +3,7 @@ title: "Disable Power Nap" discussion: | Power Nap _MUST_ be disabled. - NOTE: Power Nap allows your Mac to perform actions while a Mac is asleep. This can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot and must therefore be disabled on all applicable systems. + NOTE: Power Nap allows your Mac to perform actions while a Mac is asleep. This can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot and must therefore be disabled on all applicable systems. The following Macs support Power Nap: diff --git a/rules/os/os_power_nap_enable.yaml b/rules/os/os_power_nap_enable.yaml index 92bd1017..a6e39a71 100644 --- a/rules/os/os_power_nap_enable.yaml +++ b/rules/os/os_power_nap_enable.yaml 
@@ -3,7 +3,7 @@ title: "Enable Power Nap" discussion: | Power Nap _MUST_ be enabled. - NOTE: Power nap can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot. + NOTE: Power nap can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot. The following Macs support Power Nap: @@ -34,7 +34,7 @@ references: disa_stig: - N/A srg: - - N/A + - N/A 800-171r2: - N/A cis: diff --git a/rules/os/os_prevent_priv_execution.yaml b/rules/os/os_prevent_priv_execution.yaml index b66eb6c0..78ebe659 100644 --- a/rules/os/os_prevent_priv_execution.yaml +++ b/rules/os/os_prevent_priv_execution.yaml @@ -3,8 +3,8 @@ title: "Prevent Software From Executing at Higher Privilege Levels than Users Ex discussion: | In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations.Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review. - The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. - + The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. + link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. 
@@ -24,7 +24,7 @@ references: srg: - N/A 800-171r2: - - 3.1.7 + - 3.1.7 macOS: - "14.0" tags: diff --git a/rules/os/os_prevent_priv_functions.yaml b/rules/os/os_prevent_priv_functions.yaml index 123cf112..8d6f3858 100644 --- a/rules/os/os_prevent_priv_functions.yaml +++ b/rules/os/os_prevent_priv_functions.yaml @@ -1,11 +1,11 @@ id: os_prevent_priv_functions title: "Configure the System to Block Non-Privileged Users from Executing Privileged Functions" discussion: | - The information system _IS_ configured to block standard users from executing privileged functions. + The information system _IS_ configured to block standard users from executing privileged functions. - Privileged functions include disabling, circumventing, or altering implemented security safeguards and countermeasures. - - The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. + Privileged functions include disabling, circumventing, or altering implemented security safeguards and countermeasures. + + The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Introduction/Introduction.html[] check: | diff --git a/rules/os/os_prevent_unauthorized_disclosure.yaml b/rules/os/os_prevent_unauthorized_disclosure.yaml index f95574b1..5d3d1a09 100644 --- a/rules/os/os_prevent_unauthorized_disclosure.yaml +++ b/rules/os/os_prevent_unauthorized_disclosure.yaml 
@@ -1,9 +1,9 @@ id: os_prevent_unauthorized_disclosure title: "Configure the System to Prevent the Unauthorized Disclosure of Data via Shared Resources" discussion: | - The information system _IS_ configured to ensure that the unauthorized disclosure of data does not occur when resources are shared. - - The inherent configuration of the macOS does not allow for resources to be shared between users without authorization. + The information system _IS_ configured to ensure that the unauthorized disclosure of data does not occur when resources are shared. + + The inherent configuration of the macOS does not allow for resources to be shared between users without authorization. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] check: | diff --git a/rules/os/os_prohibit_remote_activation_collab_devices.yaml b/rules/os/os_prohibit_remote_activation_collab_devices.yaml index ab85c202..041d9466 100644 --- a/rules/os/os_prohibit_remote_activation_collab_devices.yaml +++ b/rules/os/os_prohibit_remote_activation_collab_devices.yaml 
@@ -2,13 +2,13 @@ id: os_prohibit_remote_activation_collab_devices title: "Prohibit Remote Activation of Collaborative Computing Devices" discussion: | The inherent configuration of the macOS _IS_ in compliance. - + Apple has implemented a green light physically next to your camera that will glow when the camera is activated. There is an orange dot indicator by the Control Center pull down menu item to indicate when the system's microphone is listening or activated. The macOS has built into the system, the ability to grant or deny access to the camera and microphone which requires the application to have an entitlement to use the device. - + link:https://support.apple.com/guide/mac-help/use-the-built-in-camera-mchlp2980/mac[] - + link:https://support.apple.com/guide/mac-help/control-access-to-your-camera-mchlf6d108da/mac[] link:https://support.apple.com/guide/mac-help/control-access-to-your-microphone-on-mac-mchla1b1e1fe/12.0/mac/12.0[] diff --git a/rules/os/os_protect_dos_attacks.yaml b/rules/os/os_protect_dos_attacks.yaml index f1f0754f..8e201d7e 100644 --- a/rules/os/os_protect_dos_attacks.yaml +++ b/rules/os/os_protect_dos_attacks.yaml 
@@ -1,9 +1,9 @@ id: os_protect_dos_attacks title: "Protect Against Denial of Service Attacks by Ensuring Rate-Limiting Measures on Network Interfaces" discussion: | - The macOS should be configured to prevent Denial of Service (DoS) attacks by enforcing rate-limiting measures on network interfaces. - - DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. + The macOS should be configured to prevent Denial of Service (DoS) attacks by enforcing rate-limiting measures on network interfaces. + + DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. To prevent DoS attacks by ensuring rate-limiting measures on network interfaces, many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement. check: | diff --git a/rules/os/os_provide_automated_account_management.yaml b/rules/os/os_provide_automated_account_management.yaml index a268f43f..766bcf99 100644 --- a/rules/os/os_provide_automated_account_management.yaml +++ b/rules/os/os_provide_automated_account_management.yaml 
@@ -4,7 +4,7 @@ discussion: | The organization should employ automated mechanisms to support the management of information system accounts. The use of automated mechanisms prevents against human error and provide a faster and more efficient means of relaying time-sensitive information and account management. - + To employ automated mechanisms for account management functions, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. diff --git a/rules/os/os_rapid_security_response_allow.yaml b/rules/os/os_rapid_security_response_allow.yaml index c681bf79..6f49469f 100644 --- a/rules/os/os_rapid_security_response_allow.yaml +++ b/rules/os/os_rapid_security_response_allow.yaml @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-92865-5 - cci: + cci: - N/A 800-53r5: - SI-2 @@ -40,9 +40,9 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-171 - cnssi-1253_moderate - cnssi-1253_low diff --git a/rules/os/os_rapid_security_response_removal_disable.yaml b/rules/os/os_rapid_security_response_removal_disable.yaml index 65b87f39..c8f8f4da 100644 --- a/rules/os/os_rapid_security_response_removal_disable.yaml +++ b/rules/os/os_rapid_security_response_removal_disable.yaml @@ -1,7 +1,7 @@ id: os_rapid_security_response_removal_disable title: "Disable User Ability from Being Able to Undo Rapid Security Responses" discussion: | - Rapid security response (RSR) mechanism _MUST_ be enabled and the ability for the user to disable RSR _MUST_ be disabled. + Rapid security response (RSR) mechanism _MUST_ be enabled and the ability for the user to disable RSR _MUST_ be disabled. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ 
@@ -14,7 +14,7 @@ fix: | references: cce: - CCE-92866-3 - cci: + cci: - N/A 800-53r5: - SI-2 @@ -40,9 +40,9 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-171 - cnssi-1253_moderate - cnssi-1253_low diff --git a/rules/os/os_reauth_devices_change_authenticators.yaml b/rules/os/os_reauth_devices_change_authenticators.yaml index c78c035f..c989af68 100644 --- a/rules/os/os_reauth_devices_change_authenticators.yaml +++ b/rules/os/os_reauth_devices_change_authenticators.yaml @@ -1,8 +1,8 @@ id: os_reauth_devices_change_authenticators title: "Require Devices to Reauthenticate when Changing Authenticators" discussion: | - The macOS should be configured to require users to reauthenticate when the device authenticator is changed. - + The macOS should be configured to require users to reauthenticate when the device authenticator is changed. + Without reauthentication, users may access resources or perform tasks for which they are not authorization. When operating systems provide the capability to change device authenticators, it is critical the device reauthenticate. check: | The technology does not support this requirement. This is an applicable-does not meet finding. diff --git a/rules/os/os_recovery_lock_enable.yaml b/rules/os/os_recovery_lock_enable.yaml index e0dfccb6..fc0973e7 100644 --- a/rules/os/os_recovery_lock_enable.yaml +++ b/rules/os/os_recovery_lock_enable.yaml 
@@ -1,17 +1,17 @@ id: os_recovery_lock_enable title: "Enable Recovery Lock" discussion: | - A recovery lock password _MUST_ be enabled and set. + A recovery lock password _MUST_ be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding down specific key combinations during startup. Setting a recovery lock restricts access to these tools. IMPORTANT: Recovery lock passwords are not supported on Intel devices. This rule is only applicable to Apple Silicon devices. check: | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "IsRecoveryLockEnabled = 1" -result: +result: integer: 1 fix: | - NOTE: The SetRecoveryLock command can be used to set a Recovery Lock password and must be from your MDM. + NOTE: The SetRecoveryLock command can be used to set a Recovery Lock password and must be from your MDM. references: cce: - CCE-92870-5 @@ -33,11 +33,11 @@ references: macOS: - "14.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - arm64 - manual - cnssi-1253_moderate diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml index 7537277d..a37d57f6 100644 --- a/rules/os/os_required_crypto_module.yaml +++ b/rules/os/os_required_crypto_module.yaml 
@@ -2,13 +2,13 @@ id: os_required_crypto_module title: "Ensure all Federal Laws, Executive Orders, Directives, Policies, Regulations, Standards, and Guidance for Authentication to a Cryptographic Module are Met" discussion: | The inherent configuration of the macOS _IS_ in compliance by implementing mechanisms for authentication to a cryptographic module that meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication - + macOS contains many open source projects that may use their own cryptographic libraries typically for the purposes of maintaining platform independence. These services are not covered by the Apple FIPS Validation of the CoreCrypto and CoreCrypto Kernel modules. Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Ventura will be submitted for FIPS validation. link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[] - + link:https://support.apple.com/en-us/HT201159[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml index afbf3f4b..1e44c3d9 100644 --- a/rules/os/os_root_disable.yaml +++ b/rules/os/os_root_disable.yaml 
@@ -3,7 +3,7 @@ title: "Disable Root Login" discussion: | To assure individual accountability and prevent unauthorized access, logging in as root at the login window _MUST_ be disabled. - The macOS system _MUST_ require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. + The macOS system _MUST_ require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. check: | /usr/bin/dscl . -read /Users/root UserShell 2>&1 | /usr/bin/grep -c "/usr/bin/false" result: @@ -17,7 +17,7 @@ references: cce: - CCE-92875-4 cci: - - N/A + - N/A 800-53r5: - IA-2 - IA-2(5) diff --git a/rules/os/os_safari_advertising_privacy_protection_enable.yaml b/rules/os/os_safari_advertising_privacy_protection_enable.yaml index 147d02ef..15b42a4a 100644 --- a/rules/os/os_safari_advertising_privacy_protection_enable.yaml +++ b/rules/os/os_safari_advertising_privacy_protection_enable.yaml @@ -1,7 +1,7 @@ id: os_safari_advertising_privacy_protection_enable title: "Ensure Advertising Privacy Protection in Safari Is Enabled" discussion: | - Allow privacy-preserving measurement of ad effectiveness _MUST_ be enabled in Safari. + Allow privacy-preserving measurement of ad effectiveness _MUST_ be enabled in Safari. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"WebKitPreferences.privateClickMeasurementEnabled" = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: diff --git a/rules/os/os_safari_open_safe_downloads_disable.yaml b/rules/os/os_safari_open_safe_downloads_disable.yaml index f25c24e3..73a1ae35 100644 --- a/rules/os/os_safari_open_safe_downloads_disable.yaml +++ b/rules/os/os_safari_open_safe_downloads_disable.yaml 
@@ -1,7 +1,7 @@ id: os_safari_open_safe_downloads_disable title: "Disable Automatic Opening of Safe Files in Safari" discussion: | - Open "safe" files after downloading _MUST_ be disabled in Safari. + Open "safe" files after downloading _MUST_ be disabled in Safari. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutoOpenSafeDownloads = 0' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: diff --git a/rules/os/os_safari_show_full_website_address_enable.yaml b/rules/os/os_safari_show_full_website_address_enable.yaml index 246db6e5..59556959 100644 --- a/rules/os/os_safari_show_full_website_address_enable.yaml +++ b/rules/os/os_safari_show_full_website_address_enable.yaml @@ -1,7 +1,7 @@ id: os_safari_show_full_website_address_enable title: "Ensure Show Full Website Address in Safari Is Enabled" discussion: | - Show full website address _MUST_ be enabled in Safari. + Show full website address _MUST_ be enabled in Safari. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ShowFullURLInSmartSearchField = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: diff --git a/rules/os/os_safari_warn_fraudulent_website_enable.yaml b/rules/os/os_safari_warn_fraudulent_website_enable.yaml index 13b42523..ddd18de3 100644 --- a/rules/os/os_safari_warn_fraudulent_website_enable.yaml +++ b/rules/os/os_safari_warn_fraudulent_website_enable.yaml @@ -1,7 +1,7 @@ id: os_safari_warn_fraudulent_website_enable title: "Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled" discussion: | - Warn when visiting a fraudulent website _MUST_ be enabled in Safari. + Warn when visiting a fraudulent website _MUST_ be enabled in Safari. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'WarnAboutFraudulentWebsites = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: 
diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml index b994709d..9b31bfd4 100644 --- a/rules/os/os_screensaver_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_loginwindow_enforce.yaml @@ -29,11 +29,11 @@ references: macOS: - "14.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml index 4872192c..fe520f34 100644 --- a/rules/os/os_secure_boot_verify.yaml +++ b/rules/os/os_secure_boot_verify.yaml @@ -3,12 +3,12 @@ title: "Ensure Secure Boot Level Set to Full" discussion: | The Secure Boot security setting _MUST_ be set to full. - Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. + Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. NOTE: This will only return a proper result on a T2 or Apple Silicon Macs. check: | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full" -result: +result: integer: 1 fix: | NOTE: Boot into Recovery Mode and enable Full Secure Boot diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml index 1d5a70e2..98055d11 100644 --- a/rules/os/os_secure_enclave.yaml +++ b/rules/os/os_secure_enclave.yaml 
@@ -2,9 +2,9 @@ id: os_secure_enclave title: "Protected Storage for Cryptographic Keys" discussion: | A system _IS_ configured to provide protected storage for cryptographic keys either by hardware protected key store or an organizationally defined safeguard. - + Macs with Apple Silicon or T2 processors provide protected storage for cryptographic keys via the secure enclave. - + link:https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1[] NOTE: This will only return a proper result on a T2 or Apple Silicon Macs. @@ -13,7 +13,7 @@ check: | result: integer: 0 fix: | - The hardware does not support the requirement. + The hardware does not support the requirement. references: cce: - CCE-92884-6 diff --git a/rules/os/os_separate_functionality.yaml b/rules/os/os_separate_functionality.yaml index d139bf27..83df7fb2 100644 --- a/rules/os/os_separate_functionality.yaml +++ b/rules/os/os_separate_functionality.yaml 
@@ -1,11 +1,11 @@ id: os_separate_functionality title: "Configure the System to Separate User and System Functionality" discussion: | - The information system _IS_ configured to separate user and system functionality. - - Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges. Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access. - - The inherent configuration of the macOS allows only privileged users to access operating system management functionalities. + The information system _IS_ configured to separate user and system functionality. + + Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges. Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access. + + The inherent configuration of the macOS allows only privileged users to access operating system management functionalities. link:https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html[] check: | diff --git a/rules/os/os_show_filename_extensions_enable.yaml b/rules/os/os_show_filename_extensions_enable.yaml index 70e48b9c..7a7ff2b8 100644 --- a/rules/os/os_show_filename_extensions_enable.yaml +++ b/rules/os/os_show_filename_extensions_enable.yaml 
@@ -2,8 +2,8 @@ id: os_show_filename_extensions_enable
 title: "Enable Show All Filename Extensions"
 discussion: |
   Show all filename extensions _MUST_ be enabled in the Finder.
-
-  [NOTE]
+
+  [NOTE]
   ====
   The check and fix are for the currently logged in user. To get the currently logged in user, run the following.
   [source,bash]
diff --git a/rules/os/os_software_update_deferral.yaml b/rules/os/os_software_update_deferral.yaml
index 775e8b45..c6f57766 100644
--- a/rules/os/os_software_update_deferral.yaml
+++ b/rules/os/os_software_update_deferral.yaml
@@ -41,7 +41,7 @@ references:
     - 7.4
   macOS:
     - "14.0"
-odv:
+odv:
   hint: "Number of days."
   recommended: 30
   cis_lvl1: 30
diff --git a/rules/os/os_ssh_fips_compliant.yaml b/rules/os/os_ssh_fips_compliant.yaml
index 60f0cff1..e5af04bf 100644
--- a/rules/os/os_ssh_fips_compliant.yaml
+++ b/rules/os/os_ssh_fips_compliant.yaml
@@ -5,7 +5,7 @@ discussion: |
   FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.
-  Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.
+  Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.
   NOTE: For more information on FIPS compliance with the version of SSH included in the macOS, the manual page apple_ssh_and_fips has additional information.
 check: |
@@ -32,18 +32,18 @@ fix: |
   PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
   CASignatureAlgorithms ecdsa-sha2-nistp256"
   /bin/echo "${fips_ssh_config}" > /etc/ssh/ssh_config.d/fips_ssh_config
-  ----
+  ----
 references:
   cce:
     - CCE-92894-5
-  cci:
+  cci:
     - N/A
   800-53r5:
     - AC-17(2)
     - IA-7
     - SC-13
     - SC-8(1)
-  800-53r4:
+  800-53r4:
     - AC-17(2)
     - IA-7
     - SC-8(1)
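Review bot: The drop-in written by `/bin/echo "${fips_ssh_config}" > /etc/ssh/ssh_config.d/fips_ssh_config` in the `@@ -32,18` hunk establishes a default, not an enforced floor: ssh(1) uses the first value it obtains for each option and reads `~/.ssh/config` before `/etc/ssh/ssh_config` and the files that file Includes, so a user-level `Ciphers`, `KexAlgorithms` or `MACs` line silently wins over the FIPS set (assuming the stock `Include /etc/ssh/ssh_config.d/*` line is what pulls this file in). The rule's discussion should carry that caveat so an assessor does not read the presence of the drop-in as proof of enforcement, e.g. `NOTE: ssh(1) honors the first value obtained for an option and reads ~/.ssh/config first, so per-user configuration files can override this drop-in and must be reviewed separately.` The `fips_ssh_config=` assignment that this hunk closes with `CASignatureAlgorithms ecdsa-sha2-nistp256"` begins outside the hunk.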
diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml
index 49fbcfd5..f89602e4 100644
--- a/rules/os/os_ssh_server_alive_count_max_configure.yaml
+++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml
@@ -19,7 +19,7 @@ result:
 fix: |
   [source,bash]
   ----
-  for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
+  for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
     config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r')
     configarray=( ${(f)config} )
     for c in $configarray; do
@@ -30,11 +30,11 @@ fix: |
 references:
   cce:
     - CCE-92895-2
-  cci:
+  cci:
     - N/A
   800-53r5:
     - SC-10
-  800-53r4:
+  800-53r4:
     - SC-10
   srg:
     - N/A
@@ -48,7 +48,7 @@ macOS:
     - "14.0"
 odv:
   hint: "Number of seconds."
-  recommended: 0
+  recommended: 0
 tags:
   - 800-53r5_moderate
   - 800-53r5_high
diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml
index da6dccdb..8362b65b 100644
--- a/rules/os/os_ssh_server_alive_interval_configure.yaml
+++ b/rules/os/os_ssh_server_alive_interval_configure.yaml
@@ -1,8 +1,8 @@
 id: os_ssh_server_alive_interval_configure
 title: "Configure SSH ServerAliveInterval option set to $ODV"
 discussion: |
-  SSH _MUST_ be configured with an Active Server Alive Maximum Count set to $ODV.
-
+  SSH _MUST_ be configured with an Active Server Alive Maximum Count set to $ODV.
+
   Setting the Active Server Alive Maximum Count to $ODV will log users out after a $ODV seconds interval of inactivity.
   NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.
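Review bot: In the `@@ -48,7` hunk of os_ssh_server_alive_count_max_configure, `hint: "Number of seconds."` describes the organization-defined value as a duration, but the option this rule sets (ServerAliveCountMax, per the file name) is a count of unanswered server-alive probes, and `recommended: 0` is therefore a count, not a timeout; anyone tailoring the baseline from the hint will enter the wrong kind of number. Change the hint to `hint: "Number of server-alive messages that may go unanswered before the client disconnects."`. As I read the OpenSSH client logic, a count of 0 disconnects on the first missed probe, so the effective idle limit is one ServerAliveInterval; a sentence saying that this rule only has effect together with os_ssh_server_alive_interval_configure would make the pairing explicit — worth confirming against the check command, which is outside the hunk.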
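Review bot: The added line `SSH _MUST_ be configured with an Active Server Alive Maximum Count set to $ODV.` in os_ssh_server_alive_interval_configure names the wrong option: the rule's title is "Configure SSH ServerAliveInterval option set to $ODV", and the count-max wording looks copied from os_ssh_server_alive_count_max_configure. Replace it with `SSH _MUST_ be configured with the ServerAliveInterval set to $ODV.` and the following sentence with `Setting ServerAliveInterval to $ODV causes ssh to send a server-alive probe after $ODV seconds without traffic; the session is terminated once ServerAliveCountMax consecutive probes go unanswered.` On its own ServerAliveInterval only schedules probes, so the current "will log users out after a $ODV seconds interval" overstates what the setting does and hides its dependency on the count-max rule. The `hint` and `recommended` values for this rule are outside the hunk.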
@@ -21,7 +21,7 @@ result: fix: | [source,bash] ---- - for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r') configarray=( ${(f)config} ) for c in $configarray; do @@ -32,12 +32,12 @@ fix: | references: cce: - CCE-92896-0 - cci: + cci: - N/A 800-53r5: - SC-10 - AC-12 - 800-53r4: + 800-53r4: - SC-10 srg: - N/A diff --git a/rules/os/os_sshd_channel_timeout_configure.yaml b/rules/os/os_sshd_channel_timeout_configure.yaml index 1ce819c5..0e66b31a 100644 --- a/rules/os/os_sshd_channel_timeout_configure.yaml +++ b/rules/os/os_sshd_channel_timeout_configure.yaml @@ -2,7 +2,7 @@ id: os_sshd_channel_timeout_configure title: "Configure SSHD Channel Timeout to $ODV" discussion: | If SSHD is enabled it _MUST_ be configured with session ChannelTime out set to $ODV. - + This will set the time out when the session is inactive. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. @@ -34,12 +34,12 @@ fix: | references: cce: - CCE-92897-8 - cci: + cci: - N/A 800-53r5: - SC-10 - AC-12 - 800-53r4: + 800-53r4: - SC-10 srg: - N/A @@ -54,9 +54,9 @@ odv: hint: "Number of seconds." recommended: 900 tags: - - 800-53r5_moderate + - 800-53r5_moderate - 800-53r5_high - - 800-53r4_moderate + - 800-53r4_moderate - 800-53r4_high - 800-171 - cnssi-1253_moderate diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml index 1f3b6978..52a93014 100644 --- a/rules/os/os_sshd_client_alive_count_max_configure.yaml +++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml 
@@ -36,11 +36,11 @@ fix: | references: cce: - CCE-92898-6 - cci: + cci: - CCI-001133 800-53r5: - SC-10 - 800-53r4: + 800-53r4: - SC-10 srg: - SRG-OS-000163-GPOS-00072 @@ -57,9 +57,9 @@ odv: recommended: 0 stig: 1 tags: - - 800-53r5_moderate + - 800-53r5_moderate - 800-53r5_high - - 800-53r4_moderate + - 800-53r4_moderate - 800-53r4_high - 800-171 - cnssi-1253_moderate diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml index 3fbc67fd..c81cf4ad 100644 --- a/rules/os/os_sshd_client_alive_interval_configure.yaml +++ b/rules/os/os_sshd_client_alive_interval_configure.yaml @@ -1,8 +1,8 @@ id: os_sshd_client_alive_interval_configure title: "Configure SSHD ClientAliveInterval to $ODV" discussion: | - If SSHD is enabled then it _MUST_ be configured with the Client Alive Interval set to $ODV. - + If SSHD is enabled then it _MUST_ be configured with the Client Alive Interval set to $ODV. + Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. This setting works in conjuction with ClientAliveCountMax to determine the termination of the connection after the threshold has been reached. @@ -38,12 +38,12 @@ fix: | references: cce: - CCE-92899-4 - cci: + cci: - CCI-001133 800-53r5: - SC-10 - AC-12 - 800-53r4: + 800-53r4: - SC-10 srg: - SRG-OS-000163-GPOS-00072 @@ -63,8 +63,8 @@ odv: tags: - 800-53r5_moderate - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high + - 800-53r4_moderate + - 800-53r4_high - 800-171 - cnssi-1253_moderate - cnssi-1253_low diff --git a/rules/os/os_sshd_fips_compliant.yaml b/rules/os/os_sshd_fips_compliant.yaml index d9b5a834..719c56b3 100644 --- a/rules/os/os_sshd_fips_compliant.yaml +++ b/rules/os/os_sshd_fips_compliant.yaml 
@@ -5,7 +5,7 @@ discussion: | FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements. - Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: For more information on FIPS compliance with the version of SSHD included in the macOS, the manual page apple_ssh_and_fips has additional information. check: | @@ -28,7 +28,7 @@ fix: | fi fips_sshd_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256") - + for config in $fips_sshd_config; do /usr/bin/grep -qxF "$config" "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "$config" >> "${include_dir}01-mscp-sshd.conf" done @@ -42,18 +42,18 @@ fix: | fi /bin/mv ${include_dir}${file} ${include_dir}20-${file} done - ---- + ---- references: cce: - CCE-92902-6 - cci: + cci: - N/A 800-53r5: - AC-17(2) - IA-7 - SC-13 - SC-8(1) - 800-53r4: + 800-53r4: - AC-17(2) - IA-7 - SC-8(1) diff --git a/rules/os/os_sshd_unused_connection_timeout_configure.yaml b/rules/os/os_sshd_unused_connection_timeout_configure.yaml index 852c20de..2826b3b7 100644 --- a/rules/os/os_sshd_unused_connection_timeout_configure.yaml +++ b/rules/os/os_sshd_unused_connection_timeout_configure.yaml 
@@ -2,7 +2,7 @@ id: os_sshd_unused_connection_timeout_configure title: "Configure SSHD Unused Connection Timeout to $ODV" discussion: | If SSHD is enabled it _MUST_ be configured with unused connectione timeout set to $ODV. - + This will set the time out when there are no open channels within an session. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. @@ -34,12 +34,12 @@ fix: | references: cce: - CCE-92906-7 - cci: + cci: - N/A 800-53r5: - SC-10 - AC-12 - 800-53r4: + 800-53r4: - SC-10 srg: - N/A @@ -54,9 +54,9 @@ odv: hint: "Number of seconds." recommended: 900 tags: - - 800-53r5_moderate + - 800-53r5_moderate - 800-53r5_high - - 800-53r4_moderate + - 800-53r4_moderate - 800-53r4_high - 800-171 - cnssi-1253_moderate diff --git a/rules/os/os_sudoers_timestamp_type_configure.yaml b/rules/os/os_sudoers_timestamp_type_configure.yaml index ab132078..e7d5ffa6 100644 --- a/rules/os/os_sudoers_timestamp_type_configure.yaml +++ b/rules/os/os_sudoers_timestamp_type_configure.yaml @@ -35,9 +35,9 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - cis_lvl1 - cis_lvl2 - cisv8 diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml index 99b06b7a..3ccc1a35 100644 --- a/rules/os/os_system_read_only.yaml +++ b/rules/os/os_system_read_only.yaml @@ -6,10 +6,10 @@ discussion: | NOTE: The system volume is read only by default in macOS. check: | /usr/sbin/system_profiler SPStorageDataType | /usr/bin/awk '/Mount Point: \/$/{x=NR+2}(NR==x){print $2}' -result: +result: string: "No" fix: | - NOTE: To remount the System volume as Read Only, rebooting the computer will mount it as Read Only. + NOTE: To remount the System volume as Read Only, rebooting the computer will mount it as Read Only. references: cce: - CCE-92910-9 
diff --git a/rules/os/os_terminal_secure_keyboard_enable.yaml b/rules/os/os_terminal_secure_keyboard_enable.yaml index 64159c3f..1038d88f 100644 --- a/rules/os/os_terminal_secure_keyboard_enable.yaml +++ b/rules/os/os_terminal_secure_keyboard_enable.yaml @@ -1,7 +1,7 @@ id: os_terminal_secure_keyboard_enable title: "Ensure Secure Keyboard Entry Terminal.app is Enabled" discussion: | - Secure keyboard entry _MUST_ be enabled in Terminal.app. + Secure keyboard entry _MUST_ be enabled in Terminal.app. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.Terminal')\ @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-92912-5 - cci: + cci: - N/A 800-53r5: - N/A diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index bae5abd6..f5c4f433 100644 --- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml @@ -3,7 +3,7 @@ title: "Disable Trivial File Transfer Protocol Service" discussion: | If the system does not require Trivial File Transfer Protocol (TFTP), support it is non-essential and _MUST_ be disabled. - The information system _MUST_ be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. + The information system _MUST_ be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. NOTE: TFTP service is disabled at startup by default macOS. check: | diff --git a/rules/os/os_time_offset_limit_configure.yaml b/rules/os/os_time_offset_limit_configure.yaml index 49285c42..ce5bd763 100644 --- a/rules/os/os_time_offset_limit_configure.yaml +++ b/rules/os/os_time_offset_limit_configure.yaml 
@@ -14,15 +14,15 @@ fix: | references: cce: - CCE-92915-8 - cci: - - N/A + cci: + - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml index 1d3abfe9..26268bc7 100644 --- a/rules/os/os_unlock_active_user_session_disable.yaml +++ b/rules/os/os_unlock_active_user_session_disable.yaml @@ -1,8 +1,8 @@ id: os_unlock_active_user_session_disable title: "Disable Login to Other User's Active and Locked Sessions" discussion: | - The ability to log in to another user's active or locked session _MUST_ be disabled. - + The ability to log in to another user's active or locked session _MUST_ be disabled. + macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active andlocked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. check: | /usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c 'use-login-window-ui' diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml index 160e0510..0e4bc80b 100644 --- a/rules/os/os_user_app_installation_prohibit.yaml +++ b/rules/os/os_user_app_installation_prohibit.yaml 
@@ -1,8 +1,8 @@ id: os_user_app_installation_prohibit title: "Prohibit User Installation of Software into /Users/" discussion: | - Users _MUST_ not be allowed to install software into /Users/. - + Users _MUST_ not be allowed to install software into /Users/. + Allowing regular users to install software, without explicit privileges, presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. [IMPORTANT] @@ -55,5 +55,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - "/Users/" diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml index b1c7d372..c1618048 100644 --- a/rules/os/os_uucp_disable.yaml +++ b/rules/os/os_uucp_disable.yaml @@ -3,7 +3,7 @@ title: "Disable Unix-to-Unix Copy Protocol Service" discussion: | The system _MUST_ not have the Unix-to-Unix Copy Protocol (UUCP) service active. - UUCP, a set of programs that enable the sending of files between different UNIX systems as well as sending commands to be executed on another system, is not essential and _MUST_ be disabled in order to prevent the unauthorized connection of devices, transfer of information, and tunneling. + UUCP, a set of programs that enable the sending of files between different UNIX systems as well as sending commands to be executed on another system, is not essential and _MUST_ be disabled in order to prevent the unauthorized connection of devices, transfer of information, and tunneling. NOTE: UUCP service is disabled at startup by default macOS. check: | diff --git a/rules/pwpolicy/pwpolicy_50_percent.yaml b/rules/pwpolicy/pwpolicy_50_percent.yaml index e3cf3b22..0247cb6b 100644 --- a/rules/pwpolicy/pwpolicy_50_percent.yaml +++ b/rules/pwpolicy/pwpolicy_50_percent.yaml 
@@ -1,11 +1,11 @@ id: pwpolicy_50_percent title: "Require a Minimum of Fifty Percent Character Change in New Passwords" discussion: | - The macOS should be configured to require users to change at least 50% of the characters when setting a new password. - + The macOS should be configured to require users to change at least 50% of the characters when setting a new password. + If the operating system allows users to consecutively reuse extensive portions of passwords, this increases the window of opportunity for a malicious user to guess the password. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. - - To enforce a 50% character change when new passwords are created, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. + + To enforce a 50% character change when new passwords are created, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml index 2b84368b..71203b15 100644 --- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml 
@@ -3,16 +3,16 @@ title: "Disable Accounts after $ODV Days of Inactivity" discussion: | The macOS _MUST_ be configured to disable accounts after $ODV days of inactivity. - This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection. -check: | + This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection. +check: | /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeInactiveDays"]/following-sibling::integer[1]/text()' - result: integer: $ODV fix: | This setting may be enforced using local policy or by a directory service. - + To set local policy to disable an inactive user after $ODV days, edit the current password policy to contain the following within the "policyCategoryAuthentication": - + [source,xml] ---- @@ -28,7 +28,7 @@ fix: | ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file @@ -37,7 +37,7 @@ fix: | references: cce: - CCE-92926-5 - cci: + cci: - N/A 800-53r5: - AC-2(3) diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml index 91495587..5bee2b8b 100644 --- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml 
@@ -1,11 +1,11 @@ id: pwpolicy_emergency_accounts_disable title: "Automatically Remove or Disable Emergency Accounts within 72 Hours" discussion: | - The macOS is able to be configured to automatically remove or disable emergency accounts within 72 hours or less. + The macOS is able to be configured to automatically remove or disable emergency accounts within 72 hours or less. Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. - Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved. + Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved. Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon is not available). 
Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers. @@ -21,7 +21,7 @@ references: - N/A 800-53r5: - AC-2(2) - 800-53r4: + 800-53r4: - AC-2(2) srg: - N/A diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index 0cf55840..c2dd37a8 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml 
@@ -2,19 +2,19 @@ id: pwpolicy_lower_case_character_enforce title: "Require Passwords Contain a Minimum of One Lowercase Character" discussion: | The macOS _MUST_ be configured to require at least one lower-case character be used when a password is created. - - This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersLowerCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersLowerCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' result: string: "yes" fix: | This setting may be enforced using local policy or by a directory service. - + To set local policy to require at least $ODV lowercase letter, edit the current password policy to contain the following within the "policyCategoryPasswordContent": - + [source,xml] ---- @@ -30,7 +30,7 @@ fix: | ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file 
@@ -39,11 +39,11 @@ fix: | references: cce: - CCE-92933-1 - cci: + cci: - N/A 800-53r5: - IA-5(1) - 800-53r4: + 800-53r4: - IA-5 - IA-5(1) disa_stig: diff --git a/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml index 59cf49dc..46c281ef 100644 --- a/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml @@ -2,14 +2,14 @@ id: pwpolicy_lower_upper_case_character_enforce title: "Require Passwords Contain a Minimum of $ODV Lowercase Character and $ODV Uppercase Character" discussion: | The macOS _MUST_ be configured to require at least $ODV lower-case character and $ODV upper-case character be used when a password is created. - - This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. NOTE: The configuration profile generated must be installed from an MDM server. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.*[A-Z]{$ODV,}[a-z]{$ODV,}.*'\''")])' - + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.*[A-Z]{$ODV,}[a-z]{$ODV,}.*'\''")])' - result: string: "true" fix: | 
@@ -17,11 +17,11 @@ fix: | references: cce: - CCE-92934-9 - cci: + cci: - N/A 800-53r5: - IA-5(1) - 800-53r4: + 800-53r4: - IA-5 - IA-5(1) disa_stig: diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index 3ca84d3f..a87b4254 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml @@ -7,7 +7,7 @@ discussion: | NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.{$ODV,}'\''")])' - + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.{$ODV,}'\''")])' - result: string: "true" fix: | diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index 4073694e..cdd60d46 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml 
@@ -6,15 +6,15 @@ discussion: | This rule discourages users from cycling through their previous passwords to get back to a preferred one. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. -check: | +check: | /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMinimumLifetimeHours"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' result: string: "yes" fix: | This setting may be enforced using local policy or by a directory service. - + To set local policy to require a minimum password lifetime, edit the current password policy to contain the following within the "policyCategoryPasswordContent": - + [source,xml] ---- @@ -30,7 +30,7 @@ fix: | ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file @@ -39,11 +39,11 @@ fix: | references: cce: - CCE-92937-2 - cci: + cci: - N/A - 800-53r5: + 800-53r5: - IA-5 - 800-53r4: + 800-53r4: - IA-5(1) disa_stig: - N/A diff --git a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml index 88f9d61a..0e847f44 100644 --- a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml +++ b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml 
@@ -1,10 +1,10 @@ id: pwpolicy_prevent_dictionary_words title: "Prevent the Use of Dictionary Words for Passwords" discussion: | - The macOS should be configured to forbid users to use dictionary words for passwords. - - If the operating system allows users to select passwords based on dictionary words, this increases the window of opportunity for a malicious user to guess the password. - + The macOS should be configured to forbid users to use dictionary words for passwords. + + If the operating system allows users to select passwords based on dictionary words, this increases the window of opportunity for a malicious user to guess the password. + To prevent users from using dictionary words for passwords, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. check: | For systems not requiring mandatory smart card authentication or those that are not bound to a directory, the technology does not support this requirement. This is an applicable-does not meet finding. diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index 54e1e4b8..86249892 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml 
@@ -4,12 +4,12 @@ discussion: | The macOS _MUST_ be configured to require at least one special character be used when a password is created. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. - + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. - + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''(.*[^a-zA-Z0-9].*){$ODV,}'\''")])' - + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''(.*[^a-zA-Z0-9].*){$ODV,}'\''")])' - result: string: "true" fix: | diff --git a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml index 07d8be9c..d7fb3a2e 100644 --- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml 
@@ -1,7 +1,7 @@ id: pwpolicy_temporary_accounts_disable title: "Automatically Remove or Disable Temporary User Accounts within 72 Hours" discussion: | - The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary accounts upon account creation. + The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary accounts upon account creation. If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts _MUST_ be set to 72 hours (or less) when the temporary account is created. diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index 3bac2a39..07ee45b5 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml 
@@ -3,18 +3,18 @@ title: "Require Passwords Contain a Minimum of One Uppercase Character" discussion: | The macOS _MUST_ be configured to require at least one uppercase character be used when a password is created. - This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. - + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersUpperCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersUpperCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' result: string: "yes" fix: | This setting may be enforced using local policy or by a directory service. - + To set local policy to require at least $ODV lowercase letter, edit the current password policy to contain the following within the "policyCategoryPasswordContent": - + [source,xml] ---- @@ -30,7 +30,7 @@ fix: | ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file 
@@ -39,11 +39,11 @@ fix: | references: cce: - CCE-92943-0 - cci: + cci: - N/A 800-53r5: - IA-5(1) - 800-53r4: + 800-53r4: - IA-5 - IA-5(1) disa_stig: @@ -72,7 +72,7 @@ odv: hint: "Number of special characters." recommended: 1 cis_lvl1: 1 - cis_lvl2: 1 + cis_lvl2: 1 tags: - 800-171 - 800-53r4_low diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index d4e7a1ef..177c7c49 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml @@ -2,7 +2,7 @@ id: supplemental_cis_manual title: "CIS Manual Recommendations" discussion: | List of CIS recommendations that are manual check in the CIS macOS Benchmark. - + [cols="15%h, 85%a"] |=== |Section @@ -10,7 +10,7 @@ discussion: | |Recommendations |2.1.1.1 Audit iCloud Keychain + - 2.1.1.2 Audit iCloud Drive + + 2.1.1.2 Audit iCloud Drive + 2.1.1.4 Audit Security Keys Used With AppleIDs + 2.1.2 Audit App Store Password Settings + 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information + @@ -18,10 +18,10 @@ discussion: | 2.6.1.3 Audit Location Services Access + 2.6.6 Audit Lockdown Mode + 2.8.1 Audit Universal Control Settings + - 2.11.2 Audit Touch ID + + 2.11.2 Audit Touch ID + 2.13.1 Audit Passwords System Preference Setting + 2.14.1 Audit Game Center Settings + - 2.15.1 Audit Notification & Focus Settings + + 2.15.1 Audit Notification & Focus Settings + 2.16.1 Audit Wallet & Apple Pay Settings + |=== @@ -62,9 +62,9 @@ fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A diff --git a/rules/supplemental/supplemental_controls.yaml b/rules/supplemental/supplemental_controls.yaml index 31c2854c..d443bdf2 100644 --- a/rules/supplemental/supplemental_controls.yaml +++ b/rules/supplemental/supplemental_controls.yaml 
@@ -1,20 +1,20 @@ id: supplemental_controls title: "Out of Scope Supplemental" discussion: | - There are several requirements defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 that can be met by making configuration changes to the operating system. However, NIST SP 800-53 (Rev. 5) contains a broad set of guidelines that attempt to address all aspects of an information system or systems within an organization. Because the macOS Security Compliance Project is tailored specifically to macOS, some requirements defined in NIST SP 800-53 (Rev. 5) are not applicable. + There are several requirements defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 that can be met by making configuration changes to the operating system. However, NIST SP 800-53 (Rev. 5) contains a broad set of guidelines that attempt to address all aspects of an information system or systems within an organization. Because the macOS Security Compliance Project is tailored specifically to macOS, some requirements defined in NIST SP 800-53 (Rev. 5) are not applicable. + + This supplemental contains those controls that are assigned to a baseline in NIST SP 800-53 (Rev. 5) which cannot be addressed with a technical configuration for macOS. These controls can be accomplished though administrative or procedural processes within an organization or via integration of the macOS system into enterprise information systems which are configured to protect the systems within. - This supplemental contains those controls that are assigned to a baseline in NIST SP 800-53 (Rev. 5) which cannot be addressed with a technical configuration for macOS. 
These controls can be accomplished though administrative or procedural processes within an organization or via integration of the macOS system into enterprise information systems which are configured to protect the systems within. - [cols="15%h, 85%a"] |=== |Family |Access Control (AC) - |Controls + |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-1[AC-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-2[AC-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-3[AC-3(14)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-14[AC-14], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-17[AC-17(4)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-22[AC-22] - |=== + |=== [cols="15%h, 85%a"] |=== @@ -34,7 +34,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-1[AU-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-6[AU-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-9[AU-9(2)] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -44,7 +44,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-1[CA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-2[CA-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-3[CA-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-3[CA-3(6)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-5[CA-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-6[CA-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-7[CA-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-7[CA-7(4)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-9[CA-9] - |=== + |=== [cols="15%h, 85%a"] |=== @@ -54,7 +54,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-1[CM-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-4[CM-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-8[CM-8], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-10[CM-10], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-11[CM-11] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -64,7 +64,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-1[CP-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-2[CP-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-3[CP-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-4[CP-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-9[CP-9], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-10[CP-10] - |=== + |=== [cols="15%h, 85%a"] |=== @@ -74,7 +74,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-1[IA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(1)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(2)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(3)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(4)] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -84,7 +84,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-1[IR-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-2[IR-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-4[IR-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-5[IR-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-6[IR-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-7[IR-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-8[IR-8] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -114,7 +114,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-1[PE-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-2[PE-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-3[PE-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-6[PE-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-8[PE-8], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-12[PE-12], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-13[PE-13], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-14[PE-14], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-15[PE-15], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-16[PE-16] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -135,7 +135,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-1[PS-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-2[PS-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-3[PS-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-4[PS-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-5[PS-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-6[PS-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-7[PS-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-8[PS-8] - |=== + |=== [cols="15%h, 85%a"] |=== @@ -181,9 +181,9 @@ fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml index ba6c40fd..74bb455a 100644 --- a/rules/supplemental/supplemental_filevault.yaml +++ b/rules/supplemental/supplemental_filevault.yaml @@ -58,7 +58,7 @@ references: cci: - N/A 800-53r5: - - N/A + - N/A 800-53r4: - N/A srg: diff --git a/rules/supplemental/supplemental_firewall_pf.yaml b/rules/supplemental/supplemental_firewall_pf.yaml index 8a84ecc6..3bb5376b 100644 --- a/rules/supplemental/supplemental_firewall_pf.yaml +++ b/rules/supplemental/supplemental_firewall_pf.yaml 
@@ -2,17 +2,17 @@ id: supplemental_firewall_pf title: "Packet Filter (pf) Supplemental" discussion: | The supplemental guidance found in this section is applicable for the following rules: - + * os_firewall_default_deny_require macOS contains an application layer firewall (ALF) and a packet filter (PF) firewall. - + * The ALF can block incoming traffic on a per-application basis and prevent applications from gaining control of network ports, but it cannot be configured to block outgoing traffic. - ** More information on the ALF can be found here: https://support.apple.com/en-ca/HT201642 - - * The PF firewall can manipulate virtually any packet data and is highly configurable. + ** More information on the ALF can be found here: https://support.apple.com/en-ca/HT201642 + + * The PF firewall can manipulate virtually any packet data and is highly configurable. ** More information on the BF firewall can be found here: https://www.openbsd.org/faq/pf/index.html - + Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 5). The script will make sure the application layer firewall is enabled, set logging to "detailed", set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy `com.apple.pfctl.plis` from `/System/Library/LaunchDaemons/` into the `/Library/LaunchDaemons` folder and name it `800-53.pfctl.plist`. This is done to not conflict with the system's pf ruleset. The custom pf rules are created at `/etc/pf.anchors/800_53_pf_anchors`. @@ -106,9 +106,9 @@ fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A diff --git a/rules/supplemental/supplemental_password_policy.yaml b/rules/supplemental/supplemental_password_policy.yaml index d0d30e6a..f744cabe 100644 
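Review bot: The discussion text in this hunk tells the reader to copy `com.apple.pfctl.plis` from `/System/Library/LaunchDaemons/`; the launchd plist name is missing its final letter and should be `com.apple.pfctl.plist`, otherwise an administrator following the step literally will look for a file that does not exist. Two lines above, `More information on the BF firewall` should be `PF firewall`, matching the abbreviation used in the rest of the section. Both are context lines in a whitespace-only hunk, so they are pre-existing rather than introduced here, but they are worth correcting while the file is being edited.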
--- a/rules/supplemental/supplemental_password_policy.yaml +++ b/rules/supplemental/supplemental_password_policy.yaml @@ -9,21 +9,21 @@ discussion: | * pwpolicy_minimum_lifetime_enforce Password policies should be enforced as much as possible via Configuration Profiles. However, the following policies are currently not enforceable via Configuration Profiles, and must therefore be enabled using the `pwpolicy` command: - + * Enforcing at least 1 lowercase character * Enforcing at least 1 uppercase character * Disabling an account after 35 days of inactivity * Password minimum lifetime To set the local policy to meet these requirements, save the following XML password policy to a file. - + [source,xml] ---- include::../../includes/pwpolicy.xml[] ---- Run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file @@ -38,9 +38,9 @@ fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A diff --git a/rules/system_settings/system_settings_airplay_receiver_disable.yaml b/rules/system_settings/system_settings_airplay_receiver_disable.yaml index 169eaafe..a6457539 100644 --- a/rules/system_settings/system_settings_airplay_receiver_disable.yaml +++ b/rules/system_settings/system_settings_airplay_receiver_disable.yaml @@ -1,8 +1,8 @@ id: system_settings_airplay_receiver_disable title: "Disable Airplay Receiver" discussion: | - Airplay Receiver allows you to send content from another Apple device to be displayed on the screen as it's being played from your other device. - + Airplay Receiver allows you to send content from another Apple device to be displayed on the screen as it's being played from your other device. + Support for Airplay Receiver is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. 
@@ -18,12 +18,12 @@ fix: | references: cce: - CCE-92944-8 - cci: + cci: - N/A 800-53r5: - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - N/A srg: - N/A diff --git a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml index 97b1e566..609cf4e0 100644 --- a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml +++ b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml @@ -33,11 +33,11 @@ references: macOS: - "14.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/system_settings/system_settings_automatic_logout_enforce.yaml b/rules/system_settings/system_settings_automatic_logout_enforce.yaml index 2d8a69b9..6321951c 100644 --- a/rules/system_settings/system_settings_automatic_logout_enforce.yaml +++ b/rules/system_settings/system_settings_automatic_logout_enforce.yaml @@ -1,7 +1,7 @@ id: system_settings_automatic_logout_enforce title: "Enforce Auto Logout After $ODV Seconds of Inactivity" discussion: | - Auto logout _MUST_ be configured to automatically terminate a user session and log out the after $ODV seconds of inactivity. + Auto logout _MUST_ be configured to automatically terminate a user session and log out the after $ODV seconds of inactivity. NOTE:The maximum that macOS can be configured for autologoff is $ODV seconds. @@ -56,5 +56,5 @@ mobileconfig: true mobileconfig_info: .GlobalPreferences: com.apple.autologout.AutoLogOutDelay: $ODV - + diff --git a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml index 9bc2524b..d2766fa0 100644 --- a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml 
+++ b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml @@ -14,15 +14,15 @@ fix: | references: cce: - CCE-92950-5 - cci: + cci: - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A @@ -31,7 +31,7 @@ references: - 2.4.2 (level 1) controls v8: - 4.8 - - 13.9 + - 13.9 macOS: - "14.0" tags: diff --git a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml index 99053b81..4b393f53 100644 --- a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml +++ b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml @@ -1,11 +1,11 @@ id: system_settings_bluetooth_sharing_disable title: "Disable Bluetooth Sharing" discussion: | - Bluetooth Sharing _MUST_ be disabled. + Bluetooth Sharing _MUST_ be disabled. - Bluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, including personally owned cellphones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files via Bluetooth Sharing. When Bluetooth Sharing is disabled, this risk is mitigated. - - [NOTE] + Bluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, including personally owned cellphones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files via Bluetooth Sharing. When Bluetooth Sharing is disabled, this risk is mitigated. + + [NOTE] ==== The check and fix are for the currently logged in user. To get the currently logged in user, run the following. [source,bash] @@ -25,14 +25,14 @@ fix: | references: cce: - CCE-92952-1 - cci: + cci: - N/A 800-53r5: - AC-3 - AC-18(4) - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - AC-3 - AC-18(4) - CM-7 
diff --git a/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml b/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml index e3420079..9c85376e 100644 --- a/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml +++ b/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml @@ -1,7 +1,7 @@ id: system_settings_cd_dvd_sharing_disable title: "Disable CD/DVD Sharing" discussion: | - CD/DVD Sharing _MUST_ be disabled. + CD/DVD Sharing _MUST_ be disabled. check: | /usr/bin/pgrep -q ODSAgent; /bin/echo $? result: @@ -14,22 +14,22 @@ fix: | references: cce: - CCE-92953-9 - cci: + cci: - N/A 800-53r5: - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.3.3.1 (level 1) controls v8: - 4.1 diff --git a/rules/system_settings/system_settings_content_caching_disable.yaml b/rules/system_settings/system_settings_content_caching_disable.yaml index c3a5e5d3..4b0c670d 100644 --- a/rules/system_settings/system_settings_content_caching_disable.yaml +++ b/rules/system_settings/system_settings_content_caching_disable.yaml @@ -1,9 +1,9 @@ id: system_settings_content_caching_disable title: "Disable Content Caching Service" discussion: | - Content caching _MUST_ be disabled. + Content caching _MUST_ be disabled. - Content caching is a macOS service that helps reduce Internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server. + Content caching is a macOS service that helps reduce Internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -16,7 +16,7 @@ fix: | references: cce: - CCE-92954-7 - cci: + cci: - N/A 800-53r5: - CM-7 
diff --git a/rules/system_settings/system_settings_critical_update_install_enforce.yaml b/rules/system_settings/system_settings_critical_update_install_enforce.yaml index f622e6c8..31cc1d0d 100644 --- a/rules/system_settings/system_settings_critical_update_install_enforce.yaml +++ b/rules/system_settings/system_settings_critical_update_install_enforce.yaml @@ -1,7 +1,7 @@ id: system_settings_critical_update_install_enforce title: "Enforce Critical Security Updates to be Installed" discussion: | - Ensure that security updates are installed as soon as they are available from Apple. + Ensure that security updates are installed as soon as they are available from Apple. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ @@ -14,11 +14,11 @@ fix: | references: cce: - CCE-92955-4 - cci: + cci: - N/A 800-53r5: - SI-2 - 800-53r4: + 800-53r4: - N/A srg: - N/A diff --git a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml index 59097f2e..326f5e0b 100644 --- a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml +++ b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml @@ -2,7 +2,7 @@ id: system_settings_diagnostics_reports_disable title: "Disable Sending Diagnostic and Usage Data to Apple" discussion: | The ability to submit diagnostic data to Apple _MUST_ be disabled. - + The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple. check: | /usr/bin/osascript -l JavaScript << EOS diff --git a/rules/system_settings/system_settings_find_my_disable.yaml b/rules/system_settings/system_settings_find_my_disable.yaml index 3827370f..ec4606e9 100644 --- a/rules/system_settings/system_settings_find_my_disable.yaml 
+++ b/rules/system_settings/system_settings_find_my_disable.yaml @@ -4,7 +4,7 @@ discussion: | The Find My service _MUST_ be disabled. A Mobile Device Management (MDM) solution _MUST_ be used to carry out remote locking and wiping instead of Apple's Find My service. - + Apple's Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe. check: | /usr/bin/osascript -l JavaScript << EOS @@ -29,13 +29,13 @@ fix: | references: cce: - CCE-92958-8 - cci: + cci: - N/A 800-53r5: - AC-20 - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) - AC-20 @@ -80,4 +80,4 @@ mobileconfig_info: allowFindMyFriends: false com.apple.icloud.managed: DisableFMMiCloudSetting: true - + diff --git a/rules/system_settings/system_settings_firewall_enable.yaml b/rules/system_settings/system_settings_firewall_enable.yaml index 06f80b5b..5258da07 100644 --- a/rules/system_settings/system_settings_firewall_enable.yaml +++ b/rules/system_settings/system_settings_firewall_enable.yaml @@ -1,7 +1,7 @@ id: system_settings_firewall_enable title: "Enable macOS Application Firewall" discussion: | - The macOS Application Firewall is the built-in firewall that comes with macOS, and it _MUST_ be enabled. + The macOS Application Firewall is the built-in firewall that comes with macOS, and it _MUST_ be enabled. When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations. check: | @@ -28,7 +28,7 @@ fix: | references: cce: - CCE-92959-6 - cci: + cci: - CCI-000366 800-53r5: - AC-4 @@ -36,7 +36,7 @@ references: - CM-7 - CM-7(1) - SC-7 - 800-53r4: + 800-53r4: - AC-4 - AC-6(1) - AC-19 @@ -57,9 +57,9 @@ references: - 3.13.2 - 3.13.5 cis: - benchmark: + benchmark: - 2.2.1 (level 1) - controls v8: + controls v8: - 4.1 - 4.5 - 13.1 
@@ -71,13 +71,13 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_moderate - - 800-53r5_high - - 800-171 + - 800-53r5_low + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_moderate + - 800-53r5_high + - 800-171 - cis_lvl1 - cis_lvl2 - cisv8 diff --git a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml index 68e4554d..92e4916a 100644 --- a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml +++ b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml @@ -2,7 +2,7 @@ id: system_settings_gatekeeper_identified_developers_allowed title: "Apply Gatekeeper Settings to Block Applications from Unidentified Developers" discussion: | The information system implements cryptographic mechanisms to authenticate software prior to installation. - + Gatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate in order to run. Digital signatures allow the macOS to verify that the application has not been modified by a malicious third party. check: | /usr/sbin/spctl --status --verbose | /usr/bin/grep -c "developer id enabled" @@ -38,12 +38,12 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high 
diff --git a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml index 9bb8dd7e..bd4285c8 100644 --- a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml +++ b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml @@ -1,9 +1,9 @@ id: system_settings_gatekeeper_override_disallow title: "Configure Gatekeeper to Disallow End User Override" discussion: | - Gatekeeper _MUST_ be configured with a configuration profile to prevent normal users from overriding its settings. + Gatekeeper _MUST_ be configured with a configuration profile to prevent normal users from overriding its settings. - If users are allowed to disable Gatekeeper or set it to a less restrictive setting, malware could be introduced into the system. + If users are allowed to disable Gatekeeper or set it to a less restrictive setting, malware could be introduced into the system. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.managed')\ @@ -16,12 +16,12 @@ fix: | references: cce: - CCE-92962-0 - cci: + cci: - N/A 800-53r5: - CM-5 - SI-7(15) - 800-53r4: + 800-53r4: - CM-5 - SI-7(15) srg: @@ -35,12 +35,12 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high @@ -50,4 +50,4 @@ mobileconfig: true mobileconfig_info: com.apple.systempolicy.managed: DisableOverride: true - + diff --git a/rules/system_settings/system_settings_guest_access_smb_disable.yaml b/rules/system_settings/system_settings_guest_access_smb_disable.yaml index 9bb6c0c8..8b636677 100644 --- a/rules/system_settings/system_settings_guest_access_smb_disable.yaml 
+++ b/rules/system_settings/system_settings_guest_access_smb_disable.yaml @@ -1,8 +1,8 @@ id: system_settings_guest_access_smb_disable title: "Disable Guest Access to Shared SMB Folders" discussion: | - Guest access to shared Server Message Block (SMB) folders _MUST_ be disabled. - + Guest access to shared Server Message Block (SMB) folders _MUST_ be disabled. + Turning off guest access prevents anonymous users from accessing files shared via SMB. check: | /usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess @@ -16,8 +16,8 @@ fix: | references: cce: - CCE-92963-8 - cci: - - N/A + cci: + - N/A 800-171r2: - 3.5.1 - 3.5.2 @@ -32,9 +32,9 @@ references: srg: - N/A cis: - benchmark: + benchmark: - 2.12.2 (level 1) - controls v8: + controls v8: - 3.3 cmmc: - AC.L1-3.1.2 diff --git a/rules/system_settings/system_settings_hot_corners_disable.yaml b/rules/system_settings/system_settings_hot_corners_disable.yaml index 85071eaf..d7a63b1a 100644 --- a/rules/system_settings/system_settings_hot_corners_disable.yaml +++ b/rules/system_settings/system_settings_hot_corners_disable.yaml @@ -28,11 +28,11 @@ references: macOS: - "14.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/system_settings/system_settings_hot_corners_secure.yaml b/rules/system_settings/system_settings_hot_corners_secure.yaml index 011cd989..857c3a5d 100644 --- a/rules/system_settings/system_settings_hot_corners_secure.yaml +++ b/rules/system_settings/system_settings_hot_corners_secure.yaml 
@@ -1,7 +1,7 @@ id: system_settings_hot_corners_secure title: "Secure Hot Corners" discussion: | - Hot corners _MUST_ be secured. + Hot corners _MUST_ be secured. The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot comers can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer. check: | @@ -26,15 +26,15 @@ fix: | references: cce: - CCE-92966-1 - cci: + cci: - N/A 800-53r5: - AC-11(1) - 800-53r4: + 800-53r4: - AC-11(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A diff --git a/rules/system_settings/system_settings_install_macos_updates_enforce.yaml b/rules/system_settings/system_settings_install_macos_updates_enforce.yaml index fc8cd115..d7d000b3 100644 --- a/rules/system_settings/system_settings_install_macos_updates_enforce.yaml +++ b/rules/system_settings/system_settings_install_macos_updates_enforce.yaml @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-92968-7 - cci: + cci: - N/A 800-53r5: - N/A @@ -27,9 +27,9 @@ references: 800-171r2: - N/A cis: - benchmark: + benchmark: - 1.4 (level 1) - controls v8: + controls v8: - 7.3 - 7.4 macOS: diff --git a/rules/system_settings/system_settings_location_services_disable.yaml b/rules/system_settings/system_settings_location_services_disable.yaml index 8c98f26f..59549796 100644 --- a/rules/system_settings/system_settings_location_services_disable.yaml +++ b/rules/system_settings/system_settings_location_services_disable.yaml 
@@ -40,13 +40,13 @@ references:
 macOS:
 - "14.0"
 tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
 - cnssi-1253_moderate
 - cnssi-1253_low
 - cnssi-1253_high
diff --git a/rules/system_settings/system_settings_location_services_enable.yaml b/rules/system_settings/system_settings_location_services_enable.yaml
index eb316007..55b78f08 100644
--- a/rules/system_settings/system_settings_location_services_enable.yaml
+++ b/rules/system_settings/system_settings_location_services_enable.yaml
@@ -1,7 +1,7 @@
 id: system_settings_location_services_enable
 title: "Enable Location Services"
 discussion: |
- Location Services _MUST_ be enabled.
+ Location Services _MUST_ be enabled.
 check: |
 /usr/bin/sudo -u _locationd /usr/bin/osascript -l JavaScript << EOS
 $.NSUserDefaults.alloc.initWithSuiteName('com.apple.locationd')\
@@ -17,22 +17,22 @@ fix: |
 references:
 cce:
 - CCE-92973-7
- cci:
+ cci:
 - N/A
 800-53r5:
- - N/A
- 800-53r4:
+ - N/A
+ 800-53r4:
 - N/A
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - N/A
 cis:
- benchmark:
+ benchmark:
 - 2.6.1.1 (level 2)
- controls v8:
+ controls v8:
 - 4.1
 - 4.8
 macOS:
diff --git a/rules/system_settings/system_settings_location_services_menu_enforce.yaml b/rules/system_settings/system_settings_location_services_menu_enforce.yaml
index 373bf915..76bfdebe 100644
--- a/rules/system_settings/system_settings_location_services_menu_enforce.yaml
+++ b/rules/system_settings/system_settings_location_services_menu_enforce.yaml
@@ -14,22 +14,22 @@ fix: |
 references:
 cce:
 - CCE-92974-5
- cci:
+ cci:
 - N/A
 800-53r5:
- - N/A
- 800-53r4:
+ - N/A
+ 800-53r4:
 - N/A
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - N/A
 cis:
- benchmark:
+ benchmark:
 - 2.6.1.2 (level 2)
- controls v8:
+ controls v8:
 - 4.1
 - 4.8
 macOS:
diff --git a/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml b/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
index 84d20048..719dd595 100644
--- a/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
+++ b/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
@@ -1,7 +1,7 @@
 id: system_settings_loginwindow_loginwindowtext_enable
 title: "Configure Login Window to Show A Custom Message"
 discussion: |
- The login window _MUST_ be configured to show a custom access warning message.
+ The login window _MUST_ be configured to show a custom access warning message.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
 $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
@@ -14,26 +14,26 @@ fix: |
 references:
 cce:
 - CCE-92975-2
- cci:
+ cci:
 - N/A
 800-53r5:
 - N/A
- 800-53r4:
+ 800-53r4:
 - N/A
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - N/A
 cis:
- benchmark:
+ benchmark:
 - 2.10.3 (level 1)
 controls v8:
 - 4.1
 macOS:
 - "14.0"
-odv:
+odv:
 hint: "Organization's approved message."
 recommended: Center for Internet Security Test Message
 cis_lvl1: Center for Internet Security Test Message
diff --git a/rules/system_settings/system_settings_media_sharing_disabled.yaml b/rules/system_settings/system_settings_media_sharing_disabled.yaml
index eac26f16..9f82faf0 100644
--- a/rules/system_settings/system_settings_media_sharing_disabled.yaml
+++ b/rules/system_settings/system_settings_media_sharing_disabled.yaml
@@ -3,7 +3,7 @@ title: "Disable Media Sharing"
 discussion: |
 Media sharing _MUST_ be disabled.
- When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet.
+ When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet.
 The information system _MUST_ be configured to provide only essential capabilities. Disabling Media Sharing helps prevent the unauthorized connection of devices and the unauthorized transfer of information. Disabling Media Sharing mitigates this risk.
diff --git a/rules/system_settings/system_settings_password_hints_disable.yaml b/rules/system_settings/system_settings_password_hints_disable.yaml
index 9111a3a7..85ec502a 100644
--- a/rules/system_settings/system_settings_password_hints_disable.yaml
+++ b/rules/system_settings/system_settings_password_hints_disable.yaml
@@ -2,7 +2,7 @@ id: system_settings_password_hints_disable
 title: "Disable Password Hints"
 discussion: |
 Password hints _MUST_ be disabled.
-
+
 Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
diff --git a/rules/system_settings/system_settings_personalized_advertising_disable.yaml b/rules/system_settings/system_settings_personalized_advertising_disable.yaml
index 1f9a7c4a..f5498016 100644
--- a/rules/system_settings/system_settings_personalized_advertising_disable.yaml
+++ b/rules/system_settings/system_settings_personalized_advertising_disable.yaml
@@ -3,7 +3,7 @@ title: "Disable Personalized Advertising"
 discussion: |
 Ad tracking and targeted ads _MUST_ be disabled.
- The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements.
+ The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
 $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
@@ -16,14 +16,14 @@ fix: |
 references:
 cce:
 - CCE-92979-4
- cci:
+ cci:
 - N/A
 800-53r5:
 - AC-20
 - CM-7
 - CM-7(1)
- - SC-7(10)
- 800-53r4:
+ - SC-7(10)
+ 800-53r4:
 - AC-20
 - CM-7
 - CM-7(1)
diff --git a/rules/system_settings/system_settings_printer_sharing_disable.yaml b/rules/system_settings/system_settings_printer_sharing_disable.yaml
index a2bc6be0..9cac53b0 100644
--- a/rules/system_settings/system_settings_printer_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_printer_sharing_disable.yaml
@@ -1,7 +1,7 @@
 id: system_settings_printer_sharing_disable
 title: "Disable Printer Sharing"
 discussion: |
- Printer Sharing _MUST_ be disabled.
+ Printer Sharing _MUST_ be disabled.
 check: |
 /usr/sbin/cupsctl | /usr/bin/grep -c "_share_printers=0"
 result:
@@ -15,22 +15,22 @@ fix: |
 references:
 cce:
 - CCE-92980-2
- cci:
+ cci:
 - N/A
 800-53r5:
 - CM-7
 - CM-7(1)
- 800-53r4:
+ 800-53r4:
 - CM-7
 - CM-7(1)
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - N/A
 cis:
- benchmark:
+ benchmark:
 - 2.3.3.4 (level 1)
 controls v8:
 - 4.1
diff --git a/rules/system_settings/system_settings_remote_management_disable.yaml b/rules/system_settings/system_settings_remote_management_disable.yaml
index 76925341..f40ac463 100644
--- a/rules/system_settings/system_settings_remote_management_disable.yaml
+++ b/rules/system_settings/system_settings_remote_management_disable.yaml
@@ -1,7 +1,7 @@
 id: system_settings_remote_management_disable
 title: "Disable Remote Management"
 discussion: |
- Remote Management _MUST_ be disabled.
+ Remote Management _MUST_ be disabled.
 check: |
 /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "RemoteDesktopEnabled = 0"
 result:
@@ -14,22 +14,22 @@ fix: |
 references:
 cce:
 - CCE-92982-8
- cci:
+ cci:
 - N/A
 800-53r5:
 - CM-7
 - CM-7(1)
- 800-53r4:
+ 800-53r4:
 - CM-7
 - CM-7(1)
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - N/A
 cis:
- benchmark:
+ benchmark:
 - 2.3.3.6 (level 1)
 controls v8:
 - 4.1
diff --git a/rules/system_settings/system_settings_screensaver_password_enforce.yaml b/rules/system_settings/system_settings_screensaver_password_enforce.yaml
index 1fec3cc0..608c2e28 100644
--- a/rules/system_settings/system_settings_screensaver_password_enforce.yaml
+++ b/rules/system_settings/system_settings_screensaver_password_enforce.yaml
@@ -33,11 +33,11 @@ references:
 macOS:
 - "14.0"
 tags:
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
 - cnssi-1253_moderate
 - cnssi-1253_low
 - cnssi-1253_high
diff --git a/rules/system_settings/system_settings_siri_prefpane_disable.yaml b/rules/system_settings/system_settings_siri_prefpane_disable.yaml
index d4b422ee..eced38cd 100644
--- a/rules/system_settings/system_settings_siri_prefpane_disable.yaml
+++ b/rules/system_settings/system_settings_siri_prefpane_disable.yaml
@@ -1,7 +1,7 @@
 id: system_settings_siri_prefpane_disable
 title: "Disable the System Preference Pane for Siri"
 discussion: |
- This is required for compliance with the DISA STIG for macOS.
+ This is required for compliance with the DISA STIG for macOS.
 The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key.
diff --git a/rules/system_settings/system_settings_software_update_app_update_enforce.yaml b/rules/system_settings/system_settings_software_update_app_update_enforce.yaml
index a1818303..f969fba6 100644
--- a/rules/system_settings/system_settings_software_update_app_update_enforce.yaml
+++ b/rules/system_settings/system_settings_software_update_app_update_enforce.yaml
@@ -14,7 +14,7 @@ fix: |
 references:
 cce:
 - CCE-92990-1
- cci:
+ cci:
 - N/A
 800-53r5:
 - N/A
diff --git a/rules/system_settings/system_settings_software_update_download_enforce.yaml b/rules/system_settings/system_settings_software_update_download_enforce.yaml
index a55de19c..cba551be 100644
--- a/rules/system_settings/system_settings_software_update_download_enforce.yaml
+++ b/rules/system_settings/system_settings_software_update_download_enforce.yaml
@@ -14,7 +14,7 @@ fix: |
 references:
 cce:
 - CCE-92991-9
- cci:
+ cci:
 - N/A
 800-53r5:
 - N/A
diff --git a/rules/system_settings/system_settings_software_update_enforce.yaml b/rules/system_settings/system_settings_software_update_enforce.yaml
index 635069c5..19193006 100644
--- a/rules/system_settings/system_settings_software_update_enforce.yaml
+++ b/rules/system_settings/system_settings_software_update_enforce.yaml
@@ -14,7 +14,7 @@ fix: |
 references:
 cce:
 - CCE-92992-7
- cci:
+ cci:
 - N/A
 800-53r5:
 - SI-2(5)
diff --git a/rules/system_settings/system_settings_softwareupdate_current.yaml b/rules/system_settings/system_settings_softwareupdate_current.yaml
index 77eb1404..d445c87f 100644
--- a/rules/system_settings/system_settings_softwareupdate_current.yaml
+++ b/rules/system_settings/system_settings_softwareupdate_current.yaml
@@ -23,7 +23,7 @@ fix: |
 references:
 cce:
 - CCE-92993-5
- cci:
+ cci:
 - N/A
 800-53r5:
 - N/A
@@ -31,7 +31,7 @@ references:
 - N/A
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - N/A
diff --git a/rules/system_settings/system_settings_ssh_enable.yaml b/rules/system_settings/system_settings_ssh_enable.yaml
index 5f58aa0e..acacec1b 100644
--- a/rules/system_settings/system_settings_ssh_enable.yaml
+++ b/rules/system_settings/system_settings_ssh_enable.yaml
@@ -1,7 +1,7 @@
 id: system_settings_ssh_enable
 title: "Enable SSH Server for Remote Access Sessions"
 discussion: |
- Remote access sessions _MUST_ use encrypted methods to protect unauthorized individuals from gaining access.
+ Remote access sessions _MUST_ use encrypted methods to protect unauthorized individuals from gaining access.
 check: |
 /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => enabled'
 result:
@@ -14,7 +14,7 @@ fix: |
 references:
 cce:
 - CCE-92995-0
- cci:
+ cci:
 - N/A
 800-53r5:
 - IA-2(8)
@@ -23,7 +23,7 @@ references:
 - CM-7(1)
 - AC-17
 800-53r4:
- - AC-3
+ - AC-3
 - CM-7
 - CM-7(1)
 - IA-2(8)
@@ -45,13 +45,13 @@ references:
 macOS:
 - "14.0"
 tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
 - cnssi-1253_moderate
 - cnssi-1253_low
 - cnssi-1253_high
diff --git a/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml b/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml
index f21085b7..2865158e 100644
--- a/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml
+++ b/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml
@@ -1,33 +1,33 @@
 id: system_settings_time_machine_auto_backup_enable
 title: "Configure Time Machine for Automatic Backups"
 discussion: |
- Automatic backups _MUST_ be enabled when using Time Machine.
+ Automatic backups _MUST_ be enabled when using Time Machine.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
 $.NSUserDefaults.alloc.initWithSuiteName('com.apple.TimeMachine')\
 .objectForKey('AutoBackup').js
 EOS
-result:
+result:
 string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
 - CCE-92997-6
- cci:
+ cci:
 - N/A
 800-53r5:
 - N/A
- 800-53r4:
+ 800-53r4:
 - N/A
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - N/A
 cis:
- benchmark:
+ benchmark:
 - 2.3.4.1 (level 2)
 controls v8:
 - 11.2
diff --git a/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml b/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml
index 274b212a..121780f0 100644
--- a/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml
+++ b/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml
@@ -1,7 +1,7 @@
 id: system_settings_time_machine_encrypted_configure
 title: "Ensure Time Machine Volumes are Encrypted"
 discussion: |
- Time Machine volumes _MUST_ be encrypted.
+ Time Machine volumes _MUST_ be encrypted.
 check: |
 error_count=0
 for tm in $(/usr/bin/tmutil destinationinfo 2>/dev/null| /usr/bin/awk -F': ' '/Name/{print $2}'); do
@@ -12,7 +12,7 @@ check: |
 fi
 done
 echo "$error_count"
-result:
+result:
 integer: 0
 fix: |
 . Go to System Settings -> Time Machine
@@ -23,20 +23,20 @@ fix: |
 references:
 cce:
 - CCE-92998-4
- cci:
+ cci:
 - N/A
 800-53r5:
 - N/A
- 800-53r4:
+ 800-53r4:
 - N/A
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - N/A
 cis:
- benchmark:
+ benchmark:
 - 2.3.4.2 (level 1)
 controls v8:
 - 3.6
diff --git a/rules/system_settings/system_settings_time_server_enforce.yaml b/rules/system_settings/system_settings_time_server_enforce.yaml
index f388980e..4c2db4b6 100644
--- a/rules/system_settings/system_settings_time_server_enforce.yaml
+++ b/rules/system_settings/system_settings_time_server_enforce.yaml
@@ -16,17 +16,17 @@ fix: |
 references:
 cce:
 - CCE-93000-8
- cci:
+ cci:
 - CCI-001891
 - CCI-002046
 800-53r5:
 - AU-12(1)
 - SC-45(1)
- 800-53r4:
+ 800-53r4:
 - AU-8(1)
 srg:
 - SRG-OS-000355-GPOS-00143
- - SRG-OS-000356-GPOS-00144
+ - SRG-OS-000356-GPOS-00144
 disa_stig:
 - N/A
 800-171r2:
diff --git a/rules/system_settings/system_settings_token_removal_enforce.yaml b/rules/system_settings/system_settings_token_removal_enforce.yaml
index 2523e0b1..07bab8c4 100644
--- a/rules/system_settings/system_settings_token_removal_enforce.yaml
+++ b/rules/system_settings/system_settings_token_removal_enforce.yaml
@@ -38,11 +38,11 @@ references:
 macOS:
 - "14.0"
 tags:
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
 - cnssi-1253_moderate
 - cnssi-1253_low
 - cnssi-1253_high
diff --git a/rules/system_settings/system_settings_touch_id_pane_disable.yaml b/rules/system_settings/system_settings_touch_id_pane_disable.yaml
index 99ccc4f7..32ba99e9 100644
--- a/rules/system_settings/system_settings_touch_id_pane_disable.yaml
+++ b/rules/system_settings/system_settings_touch_id_pane_disable.yaml
@@ -1,7 +1,7 @@
 id: system_settings_touch_id_pane_disable
 title: "Disable the Touch ID and Password Preference Pane"
 discussion: |
- This is required for compliance with the DISA STIG for macOS.
+ This is required for compliance with the DISA STIG for macOS.
 The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key.
diff --git a/rules/system_settings/system_settings_usb_restricted_mode.yaml b/rules/system_settings/system_settings_usb_restricted_mode.yaml
index a9eb335c..125aebdc 100644
--- a/rules/system_settings/system_settings_usb_restricted_mode.yaml
+++ b/rules/system_settings/system_settings_usb_restricted_mode.yaml
@@ -27,10 +27,10 @@ references:
 cce:
 - CCE-93004-0
 cci:
- - N/A
+ - N/A
 800-53r5:
 - MP-7
- - SC-41
+ - SC-41
 800-171r2:
 - N/A
 cis:
diff --git a/rules/system_settings/system_settings_wake_network_access_disable.yaml b/rules/system_settings/system_settings_wake_network_access_disable.yaml
index 828c885d..648e795e 100644
--- a/rules/system_settings/system_settings_wake_network_access_disable.yaml
+++ b/rules/system_settings/system_settings_wake_network_access_disable.yaml
@@ -23,7 +23,7 @@ references:
 disa_stig:
 - N/A
 srg:
- - N/A
+ - N/A
 800-171r2:
 - N/A
 cis:
diff --git a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml b/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml
index 8f4b13d8..262aa522 100644
--- a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml
+++ b/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml
@@ -1,7 +1,7 @@
 id: system_settings_wallet_applepay_prefpane_disable
 title: "Disable the System Preference Pane for Wallet and Apple Pay"
 discussion: |
- This is required for compliance with the DISA STIG for macOS.
+ This is required for compliance with the DISA STIG for macOS.
 The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key.
diff --git a/rules/system_settings/system_settings_wifi_disable.yaml b/rules/system_settings/system_settings_wifi_disable.yaml
index fb87d55b..cf149de1 100644
--- a/rules/system_settings/system_settings_wifi_disable.yaml
+++ b/rules/system_settings/system_settings_wifi_disable.yaml
@@ -1,14 +1,14 @@
 id: system_settings_wifi_disable
 title: "Disable Wi-Fi Interface"
 discussion: |
- The macOS system must be configured with Wi-Fi support software disabled if not connected to an authorized trusted network.
+ The macOS system must be configured with Wi-Fi support software disabled if not connected to an authorized trusted network.
 Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Since wireless communications can be intercepted it is necessary to use encryption to protect the confidentiality of information in transit.Wireless technologies include for example microwave packet radio (UHF/VHF) 802.11x and Bluetooth. Wireless networks use authentication protocols (e.g. EAP/TLS PEAP) which provide credential protection and mutual authentication. NOTE: If the system requires Wi-Fi to connect to an authorized network, this is not applicable.
 check: |
 /usr/sbin/networksetup -listallnetworkservices | /usr/bin/grep -c "*Wi-Fi"
-result:
+result:
 integer: 1
 fix: |
 To disable Wi-Fi on a macOS system, run the following command.
@@ -26,7 +26,7 @@ references:
 - AC-18
 - AC-18(1)
 - AC-18(3)
- 800-53r4:
+ 800-53r4:
 - AC-4
 - AC-18(1)
 - AC-18(3)
diff --git a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml
index 3016e9f0..350b281a 100644
--- a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml
+++ b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml
@@ -1,9 +1,9 @@
 id: system_settings_wifi_disable_when_connected_to_ethernet
 title: "Disable Wi-Fi When Connected to Ethernet"
 discussion: |
- The macOS should be configured to automatically disable Wi-Fi when connected to ethernet.
+ The macOS should be configured to automatically disable Wi-Fi when connected to ethernet.
- The use of Wi-Fi to connect to unauthorized networks may facilitate the exfiltration of mission data. Therefore, wireless networking capabilities internally embedded within information system components should be disabled when not intended to be used.
+ The use of Wi-Fi to connect to unauthorized networks may facilitate the exfiltration of mission data. Therefore, wireless networking capabilities internally embedded within information system components should be disabled when not intended to be used.
 NOTE: If the system requires Wi-Fi to connect to an authorized network, this is not applicable.
 check: |
@@ -19,7 +19,7 @@ references:
 - AC-4
 - AC-18(1)
 - AC-18(3)
- 800-53r4:
+ 800-53r4:
 - AC-4
 - AC-18(1)
 - AC-18(3)
diff --git a/rules/system_settings/system_settings_wifi_menu_enable.yaml b/rules/system_settings/system_settings_wifi_menu_enable.yaml
index cb74f675..3cc6026c 100644
--- a/rules/system_settings/system_settings_wifi_menu_enable.yaml
+++ b/rules/system_settings/system_settings_wifi_menu_enable.yaml
@@ -14,15 +14,15 @@ fix: |
 references:
 cce:
 - CCE-93010-7
- cci:
+ cci:
 - N/A
 800-53r5:
 - N/A
- 800-53r4:
+ 800-53r4:
 - N/A
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - N/A
diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py
index cf2f1bcd..d1d9db9f 100755
--- a/scripts/generate_baseline.py
+++ b/scripts/generate_baseline.py
@@ -65,13 +65,13 @@ def get_rule_yaml(rule_file, custom=False):
 else:
 with open(rule_file) as r:
 rule_yaml = yaml.load(r, Loader=yaml.SafeLoader)
-
+
 try:
 og_rule_path = glob.glob('../rules/**/{}'.format(file_name), recursive=True)[0]
 except IndexError: #assume this is a completely new rule
 og_rule_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0]
-
+
 # get original/default rule yaml for comparison
 with open(og_rule_path) as og:
 og_rule_yaml = yaml.load(og, Loader=yaml.SafeLoader)
@@ -165,7 +165,7 @@ def create_args():
 help="List the available keyword tags to search for.", action="store_true")
 parser.add_argument("-t", "--tailor", default=None,
 help="Customize the baseline to your organizations values.", action="store_true")
-
+
 return parser.parse_args()
 def section_title(section_name, platform):
@@ -181,7 +181,7 @@ def section_title(section_name, platform):
 "sys_prefs": "systempreferences",
 "srg": "srg"
 }
-
+
 if section_name in titles:
 return titles[section_name]
 else:
@@ -193,9 +193,9 @@ def get_controls(all_rules):
 for control in rule.rule_80053r4:
 if control not in all_controls:
 all_controls.append(control)
-
+
 all_controls.sort()
-
+
 return all_controls
 def append_authors(authors, name, org):
@@ -212,7 +212,7 @@ def parse_authors(authors_from_yaml):
 if "preamble" in authors_from_yaml.keys():
 preamble = authors_from_yaml['preamble']
 author_block += f'{preamble}\n '
-
+
 author_block += "|===\n "
 for name in authors_from_yaml['names']:
 author_block += f'|{name}\n '
@@ -269,16 +269,16 @@ def output_baseline(rules, version, baseline_tailored_string, benchmark, authors
 else:
 output_text = f'title: "{version["platform"]} {version["os"]}: Security Configuration -{full_title}"\n'
 output_text += f'description: |\n This guide describes the actions to take when securing a {version["platform"]} {version["os"]} system against the{full_title} security baseline.\n'
-
+
 if benchmark == "recommended":
 output_text += "\n Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.\n"
-
+
 # # process authors
 output_text += f'authors: |\n {authors}'
 output_text += f'parent_values: "{benchmark}"\n'
 output_text += 'profile:\n'
-
+
 # sort the rules
 other_rules.sort()
 inherent_rules.sort()
@@ -293,7 +293,7 @@ def output_baseline(rules, version, baseline_tailored_string, benchmark, authors
 for rule in other_rules:
 if rule.startswith(section):
 output_text += (" - {}\n".format(rule))
-
+
 if len(inherent_rules) > 0:
 output_text += (' - section: "Inherent"\n')
 output_text += (" rules:\n")
@@ -317,12 +317,12 @@ def output_baseline(rules, version, baseline_tailored_string, benchmark, authors
 output_text += (" rules:\n")
 for rule in supplemental_rules:
 output_text += (" - {}\n".format(rule))
-
+
 return output_text
 def write_odv_custom_rule(rule, odv):
 print(f"Writing custom rule for {rule.rule_id} to include value {odv}")
-
+
 if not os.path.exists("../custom/rules"):
 os.makedirs("../custom/rules")
 if os.path.exists(f"../custom/rules/{rule.rule_id}.yaml"):
@@ -331,11 +331,11 @@ def write_odv_custom_rule(rule, odv):
 else:
 rule_yaml = {}
- # add odv to rule_yaml
+ # add odv to rule_yaml
 rule_yaml['odv'] = {"custom" : odv}
 with open(f"../custom/rules/{rule.rule_id}.yaml", 'w') as f:
- yaml.dump(rule_yaml, f, explicit_start=True)
-
+ yaml.dump(rule_yaml, f, explicit_start=True)
+
 return
 def remove_odv_custom_rule(rule):
@@ -353,7 +353,7 @@ def remove_odv_custom_rule(rule):
 else:
 if os.path.exists(f"../custom/rules/{rule.rule_id}.yaml"):
 os.remove(f"../custom/rules/{rule.rule_id}.yaml")
-
+
 def sanitised_input(prompt, type_=None, range_=None, default_=None):
 while True:
 ui = input(prompt) or default_
@@ -387,18 +387,18 @@ def sanitised_input(prompt, type_=None, range_=None, default_=None):
 def odv_query(rules, benchmark):
 print("The inclusion of any given rule is a risk-based-decision (RBD). While each rule is mapped to an 800-53 control, deploying it in your organization should be part of the decision-making process. \nYou will be prompted to include each rule, and for those with specific organizational defined values (ODV), you will be prompted for those as well.\n")
-
+
 if not benchmark == "recommended":
 print(f"WARNING: You are attempting to tailor an already established benchmark. Excluding rules or modifying ODVs may not meet the compliance of the established benchmark.\n")
-
+
 included_rules = []
 queried_rule_ids = []
-
+
 include_all = False
 for rule in rules:
 get_odv = False
-
+
 _always_include = ['inherent']
 if any(tag in rule.rule_tags for tag in _always_include):
 #print(f"Including rule {rule.rule_id} by default")
@@ -461,7 +461,7 @@ def main():
 # switch to the scripts directory
 os.chdir(file_dir)
-
+
 all_rules = collect_rules()
 if args.list_tags:
@@ -475,14 +475,14 @@ def main():
 with open(baselines_file) as r:
 baselines = yaml.load(r, Loader=yaml.SafeLoader)
-
+
 included_controls = get_controls(all_rules)
 needed_controls = []
-
+
 for control in baselines['low']:
 if control not in needed_controls:
 needed_controls.append(control)
-
+
 for n_control in needed_controls:
 if n_control not in included_controls:
 print(f'{n_control} missing from any rule, needs a rule, or included in supplemental')
@@ -507,7 +507,7 @@ def main():
 version_file = os.path.join(parent_dir, "VERSION.yaml")
 with open(version_file) as r:
- version_yaml = yaml.load(r, Loader=yaml.SafeLoader)
+ version_yaml = yaml.load(r, Loader=yaml.SafeLoader)
 found_rules = []
 for rule in all_rules:
@@ -517,7 +517,7 @@ def main():
 if "supplemental" in rule.rule_tags:
 if rule not in found_rules:
 found_rules.append(rule)
-
+
 if args.keyword == None:
 print("No rules found for the keyword provided, please verify from the following list:")
 available_tags(all_rules)
@@ -527,19 +527,19 @@ def main():
 benchmark = args.keyword
 else:
 benchmark = "recommended"
-
+
 if args.keyword in mscp_data_yaml['authors']:
 authors = parse_authors(mscp_data_yaml['authors'][args.keyword])
 else:
 authors = "|===\n |Name|Organization\n |===\n"
-
+
 if args.keyword in mscp_data_yaml['titles'] and not args.tailor:
 full_title = f" {mscp_data_yaml['titles'][args.keyword]}"
 elif args.tailor:
 full_title = ""
 else:
 full_title = f" {args.keyword}"
-
+
 baseline_tailored_string = ""
 if args.tailor:
 # prompt for name of benchmark to be used for filename
@@ -558,7 +558,7 @@ def main():
 else:
 baseline_output_file = open(f"{build_path}/{args.keyword}.yaml", 'w')
 baseline_output_file.write(output_baseline(found_rules, version_yaml, baseline_tailored_string, benchmark, authors, full_title))
-
+
 # finally revert back to the prior directory
 os.chdir(original_working_directory)
diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py
index 66d55e93..b4d9f6a3 100755
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
@@ -359,7 +359,7 @@ def concatenate_payload_settings(settings):
 def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, signing, hash=''):
 """Generate the configuration profiles for the rules in the provided baseline YAML file
 """
-
+
 # import profile_manifests.plist
 manifests_file = os.path.join(
 parent_dir, 'includes', 'supported_payloads.yaml')
@@ -486,7 +486,7 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign
 created = date.today()
 description = "Created: {}\nConfiguration settings for the {} preference domain.".format(created, payload)
-
+
 organization = "macOS Security Compliance Project"
 displayname = f"[{baseline_name}] {payload} settings"
@@ -852,7 +852,7 @@ fi
 nist_80053r5 = 'N/A'
 else:
 nist_80053r5 = rule_yaml['references']['800-53r5']
-
+
 cis_ref = ['cis', 'cis_lvl1', 'cis_lvl2', 'cisv8']
 if reference == "default":
@@ -1155,7 +1155,7 @@ def get_rule_yaml(rule_file, baseline_yaml, custom=False,):
 resulting_yaml = {}
 names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)]
 file_name = os.path.basename(rule_file)
-
+
 # get parent values
 try:
 parent_values = baseline_yaml['parent_values']
@@ -1370,7 +1370,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
 cis = cis.replace(", ", "\n")
 sheet1.write(counter, 13, cis, topWrap)
 sheet1.col(13).width = 500 * 15
-
+
 cmmc_refs = (str(rule.rule_cmmc)).strip('[]\'')
 cmmc_refs = cmmc_refs.replace(", ", "\n").replace("\'", "")
@@ -1621,7 +1621,7 @@ def main():
 # convert logo to base64 for inline processing
 b64logo = base64.b64encode(open(pdf_logo_path, "rb").read())
-
+
 build_path = os.path.join(parent_dir, 'build', f'{baseline_name}')
 if not (os.path.isdir(build_path)):
@@ -1769,8 +1769,8 @@ def main():
 else:
 adoc_html_subtitle=baseline_yaml['title'].split(':')[1]
 adoc_document_subtitle2 = ':document-subtitle2:'
-
- # Create header
+
+ # Create header
 header_adoc = adoc_header_template.substitute(
 description=baseline_yaml['description'],
 html_header_title=baseline_yaml['title'],
diff --git a/scripts/generate_mapping.py b/scripts/generate_mapping.py
index cfd798f3..a0ed910d 100755
--- a/scripts/generate_mapping.py
+++ b/scripts/generate_mapping.py
@@ -106,8 +106,8 @@ def sort_nicely( l ):
 def main():
 file_dir = os.path.dirname(os.path.abspath(__file__))
-
- os.chdir(file_dir)
+
+ os.chdir(file_dir)
 nist_header = ""
 other_header = ""
@@ -123,7 +123,7 @@ def main():
 parser = argparse.ArgumentParser(description='Easily generate custom rules from compliance framework mappings')
 parser.add_argument("CSV", default=None, help="CSV to create custom rule files from a mapping.", type=argparse.FileType('rt'))
 parser.add_argument("-f", "--framework", default="800-53r5", help="Specify framework for the source. If no framework is specified, the default is 800-53r5.", action="store")
-
+
 try:
 results = parser.parse_args()
 print("Mapping CSV: " + results.CSV.name)
@@ -131,9 +131,9 @@ def main():
 except IOError as msg:
-
+
 parser.error(str(msg))
-
+
 version_file = "../VERSION.yaml"
 with open(version_file) as r:
@@ -142,14 +142,14 @@ def main():
 for rule in glob.glob('../rules/**/*.yaml',recursive=True) + glob.glob('../custom/rules/**/*.yaml',recursive=True):
 sub_directory = rule.split(".yaml")[0].split("/")[2]
-
+
 if "supplemental" in rule or "srg" in rule:
 continue
-
+
 # with open(rule) as r:
 # rule_yaml = yaml.load(r, Loader=yaml.SafeLoader)
 rule_yaml = get_rule_yaml(rule, custom=False)
-
+
 control_array = []
 # print("----------------------")
 # print(rule_yaml)
@@ -159,21 +159,21 @@ def main(): modded_reader = csv_reader dict_from_csv = dict(list(modded_reader)[0]) - + list_of_column_names = list(dict_from_csv.keys()) nist_header = list_of_column_names[1] other_header = list_of_column_names[0] - - - + + + with open(results.CSV.name, newline='',encoding='utf-8-sig') as csvfile: reader = csv.DictReader(csvfile,dialect='excel') - + for row in reader: - + if results.framework != nist_header: sys.exit(str(results.framework) + " not found in CSV") @@ -185,33 +185,33 @@ def main(): duplicate = "" csv_duplicate = "" for control in controls: - + try: - + rule_yaml['references'] - + if "/" in str(results.framework): - + framework_main = results.framework.split("/")[0] framework_sub = results.framework.split("/")[1] - + references = [] if "custom" not in rule_yaml['references']: references = rule_yaml['references'][framework_main][framework_sub] else: references = rule_yaml['references']['custom'][framework_main][framework_sub] - + for yaml_control in references: if duplicate == str(yaml_control).split("(")[0]: continue if csv_duplicate == str(row[other_header]): - + continue if control.replace(" ",'') == str(yaml_control): - + duplicate = str(yaml_control).split("(")[0] csv_duplicate = str(row[other_header]) - + row_array = str(row[other_header]).split(",") for item in row_array: control_array.append(item) @@ -219,7 +219,7 @@ def main(): else: - + references = [] if "custom" not in rule_yaml['references']: references = rule_yaml['references'][results.framework] 
@@ -239,33 +239,33 @@ def main(): for item in row_array: control_array.append(item) print(rule_yaml['id'] + " - " + str(results.framework) + " " + str(yaml_control) + " maps to " + other_header + " " + item) - + except: continue - + if len(control_array) == 0: continue - + custom_rule = '''references: custom: {}:'''.format(other_header) - + for control in control_array: custom_rule = custom_rule + ''' - {}'''.format(control) - + custom_rule = custom_rule + ''' tags: - {}'''.format(other_header) - + if os.path.isdir("../build/" + other_header) == False: os.mkdir("../build/" + other_header) if os.path.isdir("../build/" + other_header + "/rules/") == False: os.mkdir("../build/" + other_header + "/rules/") if os.path.isdir("../build/" + other_header + "/rules/" + sub_directory) == False: os.mkdir("../build/" + other_header + "/rules/" + sub_directory) - - try: + + try: with open("../build/" + other_header + "/rules/" + sub_directory + "/" + rule_yaml['id'] + ".yaml", 'w') as r: custom_yaml = r.read() @@ -276,23 +276,23 @@ tags: with open("../build/" + other_header + "/rules/" + sub_directory + "/" + rule_yaml['id'] + ".yaml", 'w') as fw: fw.write(custom_rule) - + for rule in glob.glob("../build/" + other_header + "/rules/*/*"): if "supplemental" in rule or "srg" in rule: continue - + with open(rule) as r: custom_rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) othercontrols = [] - + if other_header in custom_rule_yaml['references']['custom']: - + for control in custom_rule_yaml['references']['custom'][other_header]: - + if str(control) in othercontrols: continue else: - + othercontrols.append(str(control)) sort_nicely(othercontrols) 
@@ -302,18 +302,18 @@ tags: custom_rule = '''references: custom: {}:'''.format(other_header) - + for control in othercontrols: custom_rule = custom_rule + ''' - {}'''.format(control) - + custom_rule = custom_rule + ''' tags: - {}'''.format(other_header) - + with open(rule, 'w') as rite: - rite.write(custom_rule) - + rite.write(custom_rule) + audit = [] auth = [] @@ -333,8 +333,8 @@ tags: with open(rule) as r: custom_rule = yaml.load(r, Loader=yaml.SafeLoader) rule_id = rule.split(".yaml")[0].split("/")[5] - - + + if other_header in custom_rule['tags']: if "inherent" in rule_yaml['tags']: inherent.append(rule_id) @@ -345,10 +345,10 @@ tags: if "n_a" in custom_rule['tags']: na.append(rule_id) continue - + if "/audit/" in rule: audit.append(rule_id) - + continue if "/auth/" in rule: auth.append(rule_id) @@ -368,8 +368,8 @@ tags: if "/sysprefs/" in rule: sysprefs.append(rule_id) continue - - + + full_baseline = '''title: "{4} {2} ({3}): Security Configuration - {0}" description: | This guide describes the actions to take when securing a {4} {2} system against the {1}. @@ -377,11 +377,11 @@ authors: | |=== |Name|Organization |=== -parent_values: recommended +parent_values: recommended profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['version'].split(" ")[0],version_yaml['platform']) - + if len(audit) != 0: - + full_baseline = full_baseline + ''' - section: "Auditing" rules:''' @@ -395,7 +395,7 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve - section: "Authentication" rules:''' auth.sort() - + for rule in auth: full_baseline = full_baseline + ''' - {}'''.format(rule) @@ -405,7 +405,7 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve - section: "SystemPreferences" rules:''' sysprefs.sort() - + for rule in sysprefs: full_baseline = full_baseline + ''' - {}'''.format(rule) 
@@ -415,7 +415,7 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve - section: "SystemSettings" rules:''' system_settings.sort() - + for rule in system_settings: full_baseline = full_baseline + ''' - {}'''.format(rule) @@ -437,7 +437,7 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve for rule in os_section: full_baseline = full_baseline + ''' - {}'''.format(rule) - + if len(os_section) != 0 and version_yaml['platform'] == "macOS": full_baseline = full_baseline + ''' - section: "macOS" @@ -446,7 +446,7 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve for rule in os_section: full_baseline = full_baseline + ''' - {}'''.format(rule) - + if len(pwpolicy) != 0: full_baseline = full_baseline + ''' - section: "PasswordPolicy" @@ -493,7 +493,7 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve {} '''.format(listofsupplementals) - + try: if os.path.isdir("../build/" + other_header.lower() + "/baseline/") == False: @@ -502,7 +502,7 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve with open("../build/" + other_header.lower() + "/baseline/" + other_header.lower().replace(" ","_") + ".yaml",'w') as fw: fw.write(full_baseline) print(other_header.lower().replace(" ","_") + ".yaml baseline file created in build/" + other_header + "/baseline/") - + print("Move all of the folders in rules into the custom folder.") except: print("No controls mapped were found in rule files.") diff --git a/scripts/generate_scap.py b/scripts/generate_scap.py index bd2a3c08..a6b6f4f4 100755 --- a/scripts/generate_scap.py +++ b/scripts/generate_scap.py 
@@ -16,7 +16,7 @@ from time import sleep import argparse from xml.sax.saxutils import escape -warnings.filterwarnings("ignore", category=DeprecationWarning) +warnings.filterwarnings("ignore", category=DeprecationWarning) def format_mobileconfig_fix(mobileconfig): """Takes a list of domains and setting from a mobileconfig, and reformats it for the output of the fix section of the guide. @@ -73,7 +73,7 @@ def replace_ocil(xccdf, x): def create_args(): - + parser = argparse.ArgumentParser( description="Easily generate xccdf, oval, or scap datastream. If no option is defined, it will generate an scap datastream file.") parser.add_argument("-x", "--xccdf", default=None, @@ -88,16 +88,16 @@ def create_args(): return parser.parse_args() def generate_scap(all_rules, all_baselines, args): - + export_as = "" version_file = "../VERSION.yaml" with open(version_file) as r: version_yaml = yaml.load(r, Loader=yaml.SafeLoader) - + if args.xccdf: export_as = "xccdf" - + if args.oval: export_as = "oval" if "ios" in version_yaml['cpe']: @@ -118,10 +118,10 @@ def generate_scap(all_rules, all_baselines, args): output = "../build/macOS_{0}_Security_Compliance_Benchmark-{1}".format(version_yaml['os'],filenameversion) if "ios" in version_yaml['cpe']: output = "../build/iOS_{0}_Security_Compliance_Benchmark-{1}".format(version_yaml['os'],filenameversion) - + if export_as == "xccdf": output = output + "_xccdf.xml" - + if export_as == "oval": output = output + "_oval.xml" @@ -159,8 +159,8 @@ def generate_scap(all_rules, all_baselines, args): {4} {1}: Security Configuration - - + + Security Content Automation Protocol National Institute of Standards and Technology @@ -207,8 +207,8 @@ def generate_scap(all_rules, all_baselines, args): macOS {1}: Security Configuration - - + + Security Content Automation Protocol National Institute of Standards and Technology 
@@ -228,32 +228,32 @@ def generate_scap(all_rules, all_baselines, args): '''.format(date_time_string, version_yaml['os'], version_yaml['cpe'], version_yaml['version'],date_time_string.split("T")[0] + "Z") generated_baselines = {} - + for rule in all_rules: - + if glob.glob('../custom/rules/**/{}.yaml'.format(rule),recursive=True): rule_file = glob.glob('../custom/rules/**/{}.yaml'.format(rule),recursive=True)[0] custom=True - + elif glob.glob('../rules/*/{}.yaml'.format(rule)): rule_file = glob.glob('../rules/*/{}.yaml'.format(rule))[0] custom=False odv_label = str() og_rule_yaml = get_rule_yaml(rule_file, custom) - + loop = 1 if "odv" in og_rule_yaml: loop = len(og_rule_yaml['odv']) - + if args.baseline != "None": loop = 1 for a in range(0, loop): - + rule_yaml = get_rule_yaml(rule_file, custom) - try: - + try: + # # odv_label = list(rule_yaml['odv'].keys())[a] # # odv_label.remove('hint') if args.baseline != "None": @@ -265,27 +265,27 @@ def generate_scap(all_rules, all_baselines, args): else: odv_label = list(rule_yaml['odv'].keys())[a] - - + + # if odv_label == "hint": # continue - - + + odv_value = str(rule_yaml['odv'][odv_label]) rule_yaml['title'] = rule_yaml['title'].replace("$ODV",str(odv_value)) rule_yaml['discussion'] = rule_yaml['discussion'].replace("$ODV",odv_value) rule_yaml['check'] = rule_yaml['check'].replace("$ODV",odv_value) - + rule_yaml['fix'] = rule_yaml['fix'].replace("$ODV",odv_value) - - + + for result_value in rule_yaml['result']: if "$ODV" == rule_yaml['result'][result_value]: rule_yaml['result'][result_value] = rule_yaml['result'][result_value].replace("$ODV",odv_value) - - + + if rule_yaml['mobileconfig_info']: for mobileconfig_type in rule_yaml['mobileconfig_info']: if isinstance(rule_yaml['mobileconfig_info'][mobileconfig_type], dict): 
@@ -295,30 +295,30 @@ def generate_scap(all_rules, all_baselines, args): except: odv_label = "recommended" - + for baseline in all_baselines: found_rules = [] for tag in rule_yaml['tags']: if tag == baseline: if odv_label != "recommended" and odv_label == tag or odv_label == "custom": - + if baseline in generated_baselines: generated_baselines[baseline].append(rule_yaml['id'] + "_" + odv_label) else: generated_baselines[baseline] = [rule_yaml['id'] + "_" + odv_label] continue elif odv_label == "recommended" or odv_label == "custom": - + if "odv" in rule_yaml: if baseline not in rule_yaml['odv']: if baseline in generated_baselines: - + generated_baselines[baseline].append(rule_yaml['id'] + "_" + odv_label) else: generated_baselines[baseline] = [rule_yaml['id'] + "_" + odv_label] else: if baseline in generated_baselines: - + generated_baselines[baseline].append(rule_yaml['id'] + "_" + odv_label) else: generated_baselines[baseline] = [rule_yaml['id'] + "_" + odv_label] @@ -347,7 +347,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x) references = str() - + if "800-53r5" in rule_yaml['references'] and rule_yaml['references']['800-53r5'][0] != "N/A": references = references + "NIST SP 800-53r5: " for nist80053 in rule_yaml['references']['800-53r5']: @@ -379,13 +379,13 @@ def generate_scap(all_rules, all_baselines, args): for v8controls in rule_yaml['references']['cis']['controls v8']: references = references + str(v8controls) + ", " references = references[:-2] + "" - + for k,v in rule_yaml['references'].items(): if k == "cci" or k == "srg": continue if k == "custom": - - + + for i,u in rule_yaml['references']['custom'].items(): references = references + '{0}: '.format(i) for refs in rule_yaml['references']['custom'][i]: @@ -407,9 +407,9 @@ def generate_scap(all_rules, all_baselines, args): {2} {3} - + {4} - + {5}{9} {6} {7} 
@@ -426,19 +426,19 @@ def generate_scap(all_rules, all_baselines, args): {2} {3} - + {4} - + {5}{8} {6} {7} - + '''.format(rule_yaml['id'] + "_" + odv_label, severity, rule_yaml['title'], rule_yaml['discussion'].replace("<","<").replace(">",">").replace("&","&").rstrip(), rule_yaml['check'].replace("<","<").replace(">",">").replace("&","&").rstrip(), result, cce,rule_yaml['fix'].replace("<","<").replace(">",">").replace("&","&") + "\n" + mobileconfig_info, references) continue - - + + if "inherent" in rule_yaml['tags'] or "n_a" in rule_yaml['tags'] or "permanent" in rule_yaml['tags']: xccdf_rules = replace_ocil(xccdf_rules,x) x += 1 @@ -495,13 +495,13 @@ def generate_scap(all_rules, all_baselines, args): continue if "os_home_folders_secure" in rule_yaml['id']: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + @@ -517,7 +517,7 @@ def generate_scap(all_rules, all_baselines, args): - + @@ -551,24 +551,24 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+999) x = x + 1 continue - + if rule_yaml['mobileconfig']: if "spctl" in rule_yaml['check']: - + if "verbose" in rule_yaml['check']: xccdf_rules = replace_ocil(xccdf_rules,x) x = x + 1 continue else: - + oval_definition = oval_definition + ''' - - + + {} - {} - + {} + 
@@ -590,28 +590,28 @@ def generate_scap(all_rules, all_baselines, args): true '''.format(rule_yaml['id'] + "_" + odv_label,x) - + x += 1 continue - + for payload_type, info in rule_yaml['mobileconfig_info'].items(): if payload_type == "com.apple.systempolicy.control": continue if payload_type == "com.apple.ManagedClient.preferences": for payload_domain, settings in info.items(): oval_definition = oval_definition + ''' - - + + {} - {} + {} '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip()) if len(settings) > 1: oval_definition = oval_definition + '''''' else: oval_definition = oval_definition + '''''' - + for key, value in settings.items(): state_kind = "" if type(value) == bool: @@ -620,7 +620,7 @@ def generate_scap(all_rules, all_baselines, args): state_kind = "int" elif type(value) == str: state_kind = "string" - + dz = d + 5000 oval_definition = oval_definition + ''''''.format(rule_yaml['id'] + '_' + odv_label + "_" + str(d), dz) @@ -629,11 +629,11 @@ def generate_scap(all_rules, all_baselines, args): - - + + '''.format(rule_yaml['id'] + "_" + odv_label + "_" + str(d),dz,dz,dz) if payload_domain == "com.apple.dock": - + oval_object = oval_object + ''' /Library/Preferences/com.apple.loginwindow.plist @@ -661,8 +661,8 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,dz,payload_domain,key) - - + + oval_state = oval_state + ''' {} @@ -677,19 +677,19 @@ def generate_scap(all_rules, all_baselines, args): if key == "familyControlsEnabled": xpath_search = "" if len(info) > 1: - + xpath_search = info['pathBlackList'] oval_definition = oval_definition + ''' - - - {} + + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) 
@@ -706,28 +706,28 @@ def generate_scap(all_rules, all_baselines, args): boolean(plist/dict/array/string/text() = "{}") '''.format(rule_yaml['id'] + "_" + odv_label,x,str(xpath_search).replace('[',"").replace(']',"").replace("'","")) - + oval_state = oval_state + ''' true '''.format(rule_yaml['id'] + "_" + odv_label,x) - + x = x + 1 continue else: - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) @@ -741,7 +741,7 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' /Library/Managed Preferences/{}.plist'''.format(rule_yaml['id'] + "_" + odv_label,x,payload_type) - + state_kind = "" if type(value) == bool: oval_object = oval_object + ''' @@ -769,16 +769,16 @@ def generate_scap(all_rules, all_baselines, args): continue if payload_type == "com.apple.finder": oval_definition = oval_definition + ''' - - + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) @@ -797,7 +797,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - + state_kind = "" if type(value) == bool: oval_object = oval_object + ''' @@ -822,7 +822,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,state_kind,value) - oval_variable = oval_variable + ''' + oval_variable = oval_variable + ''' /Library/Managed Preferences/ 
@@ -832,19 +832,19 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999) x += 1 continue - + if payload_type == "com.apple.DiscRecording": oval_definition = oval_definition + ''' - - + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) @@ -863,7 +863,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - + state_kind = "" if type(value) == bool: oval_object = oval_object + ''' @@ -888,7 +888,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,state_kind,value) - oval_variable = oval_variable + ''' + oval_variable = oval_variable + ''' /Library/Managed Preferences/ @@ -897,19 +897,19 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999) x += 1 - continue + continue if payload_type == "com.apple.Safari" and key == "AutoOpenSafeDownloads": oval_definition = oval_definition + ''' - - + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) @@ -928,7 +928,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - + state_kind = "" if type(value) == bool: oval_object = oval_object + ''' @@ -953,7 +953,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,state_kind,value) - oval_variable = oval_variable + ''' + oval_variable = oval_variable + ''' /Library/Managed Preferences/ 
@@ -962,20 +962,20 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999) x += 1 - continue - if payload_type == "com.apple.systempreferences" and key == "DisabledPreferencePanes" or payload_type == "com.apple.systempreferences" and key == "HiddenPreferencePanes" or payload_type == "com.apple.systempreferences" and key == "DisabledSystemSettings": - + continue + if payload_type == "com.apple.systempreferences" and key == "DisabledPreferencePanes" or payload_type == "com.apple.systempreferences" and key == "HiddenPreferencePanes" or payload_type == "com.apple.systempreferences" and key == "DisabledSystemSettings": + oval_definition = oval_definition + ''' - - + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) @@ -994,19 +994,19 @@ def generate_scap(all_rules, all_baselines, args): /plist/dict/key[string()="{}"]/following-sibling::*[1]/string[string()="{}"]/text() - + '''.format(x+1999,rule_yaml['id'] + "_" + odv_label,x,x,key,str(value).strip('[]').strip("'")) - - + + oval_state = oval_state + ''' - + {} - + '''.format(rule_yaml['id'] + "_" + odv_label,x,str(value).strip('[]').strip("'")) - oval_variable = oval_variable + ''' + oval_variable = oval_variable + ''' /Library/Managed Preferences/ @@ -1026,20 +1026,20 @@ def generate_scap(all_rules, all_baselines, args): elif type(value) == str: state_kind = "string" else: - + continue - + oval_definition = oval_definition + ''' - - + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) 
@@ -1050,11 +1050,11 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - + oval_object = oval_object + ''' /Library/Managed Preferences/{}.plist'''.format(rule_yaml['id'] + "_" + odv_label,x,payload_type) - + if state_kind == "boolean": oval_object = oval_object + ''' name(//*[contains(text(), "{}")]/following-sibling::*[1]) @@ -1063,7 +1063,7 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' //*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) - + oval_state = oval_state + ''' {} @@ -1080,14 +1080,14 @@ def generate_scap(all_rules, all_baselines, args): continue if "SPStorageDataType" in rule_yaml['check']: - + print(rule_yaml['id'] + " - No relevant oval test") xccdf_rules = replace_ocil(xccdf_rules,x) x += 1 continue try: if "fdesetup" in command[3]: - + print(rule_yaml['id'] + " - No relevant oval test") xccdf_rules = replace_ocil(xccdf_rules,x) x += 1 @@ -1098,18 +1098,18 @@ def generate_scap(all_rules, all_baselines, args): if "profiles" in command[3]: if "/usr/bin/profiles status -type enrollment" in rule_yaml['check']: oval_definition = oval_definition + ''' - - + + {} - {} - + {} + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],x,x+899,x+799) oval_test = oval_test + ''' @@ -1140,19 +1140,19 @@ def generate_scap(all_rules, all_baselines, args): try: if "csrutil" in command[3]: if "authenticated-root" in command[3]: - + print(rule_yaml['id'] + " - No relevant oval test") xccdf_rules = replace_ocil(xccdf_rules,x) x += 1 continue oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + 
@@ -1216,21 +1216,21 @@ def generate_scap(all_rules, all_baselines, args): try: if "pmset" in command[3] and "standby" in rule_yaml['check']: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] +"_standbydelayhigh",x, rule_yaml['id'] +"_standbydelaylow",x+877, rule_yaml['id'] +"_highstandbythreshold",x+888) - - + + oval_test = oval_test + ''' @@ -1242,14 +1242,14 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_standbydelaylow",x+877,x+877,x+877) - + oval_test = oval_test + ''' '''.format(rule_yaml['id'] + "_highstandbythreshold",x+888,x+888,x+888) - + standbydelayhigh = str() standbydelaylow = str() highstandbythreshold = str() @@ -1263,7 +1263,7 @@ def generate_scap(all_rules, all_baselines, args): standbydelaylow = line.split(" ")[-1].rstrip() if "highstandbythreshold" in line: highstandbythreshold = line.split(" ")[-1].rstrip() - + oval_object = oval_object + ''' SPHardwareDataType @@ -1271,7 +1271,7 @@ def generate_scap(all_rules, all_baselines, args): //*[contains(text(), "platform_UUID")]/following-sibling::string[position()=1]/text() '''.format("hardware UUID",x+999) - oval_variable = oval_variable + ''' + oval_variable = oval_variable + ''' /Library/Preferences/com.apple.PowerManagement. @@ -1283,16 +1283,16 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' '''.format(rule_yaml['id'] + "_standbydelayhigh",x,x) - + oval_object = oval_object + ''' boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") '''.format("High Standby Delay",standbydelayhigh) - + oval_object = oval_object + ''' '''.format(rule_yaml['id'] + "_standbydelaylow",x+877, x) - + oval_object = oval_object + ''' boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") '''.format("Standby Delay",standbydelaylow) 
@@ -1300,11 +1300,11 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' '''.format(rule_yaml['id'] + "_highstandbythreshold",x+888, x) - + oval_object = oval_object + ''' boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") '''.format("Standby Battery Threshold",highstandbythreshold) - + oval_state = oval_state + ''' true @@ -1325,29 +1325,29 @@ def generate_scap(all_rules, all_baselines, args): except: pass if "sudo -V" in rule_yaml['check']: - - + + if "grep" in rule_yaml['check'].split("|")[1]: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x, rule_yaml['id'] + "_" + odv_label,x+5051) - + oval_test = oval_test + ''' '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - + oval_test = oval_test + ''' @@ -1355,7 +1355,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x+5051, rule_yaml['id'] + "_" + odv_label, x+5051) check_string = rule_yaml['fix'].split("echo")[1].split('"')[1] - + oval_object = oval_object + ''' @@ -1373,21 +1373,21 @@ def generate_scap(all_rules, all_baselines, args): {} 1 '''.format(x+5051, rule_yaml['id'] + "_" + odv_label, check_string) - - + + x = x + 1 continue if "awk" in rule_yaml['check'].split("|")[1]: if "timestamp_type" in rule_yaml['fix'] and rule_yaml['result']['string'] == "tty": oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + 
@@ -1395,13 +1395,13 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+8000, rule_yaml['id'] + "_" + odv_label,x+8001, rule_yaml['id'] + "_" + odv_label,x+8002,rule_yaml['id'] + "_" + odv_label,x+8003) - + oval_test = oval_test + ''' '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - + oval_test = oval_test + ''' @@ -1420,7 +1420,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x+8002, rule_yaml['id'] + "_" + odv_label, x+8002) - + oval_object = oval_object + ''' @@ -1459,27 +1459,27 @@ def generate_scap(all_rules, all_baselines, args): continue else: check_string = "Defaults.*.timestamp_type={}".format(rule_yaml['result']['string']) - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+8000, rule_yaml['id'] + "_" + odv_label,x+8001, rule_yaml['id'] + "_" + odv_label,x+8002,rule_yaml['id'] + "_" + odv_label,x+8003) - + oval_test = oval_test + ''' '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - + oval_test = oval_test + ''' @@ -1494,7 +1494,7 @@ def generate_scap(all_rules, all_baselines, args): 1 '''.format(x, rule_yaml['id'] + "_" + odv_label, check_string) - + oval_object = oval_object + ''' 
@@ -1508,28 +1508,28 @@ def generate_scap(all_rules, all_baselines, args): continue if "ssh_config" in rule_yaml['discussion'] and "dscl" in rule_yaml['check']: - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+5000, rule_yaml['id'] + "_" + odv_label,x+5001) - + oval_test = oval_test + ''' '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - + oval_test = oval_test + ''' @@ -1545,9 +1545,9 @@ def generate_scap(all_rules, all_baselines, args): matchy_match = "" for matchNum, match in enumerate(matches, start=1): matchy_match = match.group() - + ssh_config_pattern = matchy_match.split('"')[1] - + oval_object = oval_object + ''' @@ -1566,21 +1566,21 @@ def generate_scap(all_rules, all_baselines, args): {} 1 '''.format(x+5000, rule_yaml['id'] + "_" + odv_label, ssh_config_pattern) - + oval_object = oval_object + ''' {} 1 - + - + .* oval:mscp:ste:{} '''.format(x+5001,rule_yaml['id'] + "_" + odv_label,x,ssh_config_pattern,x+999,x+999) - + oval_state = oval_state + ''' ^[^_\s].* 
@@ -1600,34 +1600,34 @@ def generate_scap(all_rules, all_baselines, args): continue if "sshd -T" in rule_yaml['check'] and "fips" in rule_yaml['check'] or "sshd -G" in rule_yaml['check'] and "fips" in rule_yaml['check']: fipslist = rule_yaml['check'].split("\n")[0].split("(")[1].replace(")","").replace('" "',"\n").replace('"',"") - - + + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+5000, rule_yaml['id'] + "_" + odv_label,x+5001) - + oval_test = oval_test + ''' '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - + oval_test = oval_test + ''' '''.format(x+5000, rule_yaml['id'] + "_" + odv_label, x+5000) - + oval_object = oval_object + ''' @@ -1645,38 +1645,38 @@ def generate_scap(all_rules, all_baselines, args): {} 1 '''.format(x+5000, rule_yaml['id'] + "_" + odv_label, fipslist) - + x = x + 1 - + continue if "sshd -T" in rule_yaml['check'] or "sshd -G" in rule_yaml['check']: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+5000, rule_yaml['id'] + "_" + odv_label,x+5001) - + oval_test = oval_test + ''' '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - + oval_test = oval_test + ''' '''.format(x+5000, rule_yaml['id'] + "_" + odv_label, x+5000) sshd_config_pattern = "" - if "grep" in rule_yaml['check']: + if "grep" in rule_yaml['check']: regex = r"(?<=grep).*$" matches = re.finditer(regex, rule_yaml['check'], re.MULTILINE) matchy_match = "" 
@@ -1687,12 +1687,12 @@ def generate_scap(all_rules, all_baselines, args): sshd_config_pattern = matchy_match.split('"')[1] elif "'" in matchy_match: sshd_config_pattern = matchy_match.split("'")[1] - + if "awk" in rule_yaml['check']: matchy_match = rule_yaml['check'].split("'")[1].split("/")[1] for item in rule_yaml['result']: sshd_config_pattern = matchy_match + " " + str(rule_yaml['result'][item]) - + oval_object = oval_object + ''' @@ -1710,32 +1710,32 @@ def generate_scap(all_rules, all_baselines, args): {} 1 '''.format(x+5000, rule_yaml['id'] + "_" + odv_label, sshd_config_pattern) - - + + x = x + 1 continue try: if "pmset" in command[3]: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x) - + oval_test = oval_test + ''' '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - + oval_object = oval_object + ''' /Library/Preferences/com.apple.PowerManagement.plist'''.format(rule_yaml['id'] + "_" + odv_label,x) @@ -1759,13 +1759,13 @@ def generate_scap(all_rules, all_baselines, args): pass if "socketfilterfw" in rule_yaml['check']: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + @@ -1802,13 +1802,13 @@ def generate_scap(all_rules, all_baselines, args): if "systemsetup" in command[3]: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + @@ -1826,9 +1826,9 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x) state_test = "" if "-getnetworktimeserver" in rule_yaml['check']: - + timeservers = rule_yaml['result']['string'] - + state_test = ''' {} '''.format(timeservers) 
@@ -1843,7 +1843,7 @@ def generate_scap(all_rules, all_baselines, args): abc = 0 if "defaults" in rule_yaml['check'] and "grep" in rule_yaml['check'] and "CURRENT_USER" in rule_yaml['check']: - + regex = r"(?<=\()(.*?)(?=\))" test_str = rule_yaml['check'].split("grep")[1] @@ -1852,25 +1852,25 @@ def generate_scap(all_rules, all_baselines, args): matchy_match = "" for matchNum, match in enumerate(matches, start=1): matchy_match = match.group() - - + + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x) - + for multi_grep in matchy_match.split("|"): - + oval_definition = oval_definition + ''' '''.format(rule_yaml['id']+"_"+str(abc),x) - + oval_test = oval_test + ''' @@ -1880,7 +1880,7 @@ def generate_scap(all_rules, all_baselines, args): key = matchy_match.split("|")[abc].split(" = ")[0].replace("\"","") value = matchy_match.split("|")[abc].split(" = ")[1].replace(";","") if "$CURRENT_USER" in rule_yaml['check']: - + oval_object = oval_object + ''' @@ -1898,18 +1898,18 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x+1999) plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") - + oval_variable = oval_variable + ''' - /Library/Preferences/{}. + /Library/Preferences/{}. plist '''.format(x,x+1999,plist) - + oval_object = oval_object + ''' '''.format(rule_yaml['id']+"_"+str(abc),x,x) @@ -1917,8 +1917,8 @@ def generate_scap(all_rules, all_baselines, args): oval_datatype = "" try: int(value) - - oval_datatype = "int" + + oval_datatype = "int" oval_object = oval_object + ''' //*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) 
@@ -1937,28 +1937,28 @@ def generate_scap(all_rules, all_baselines, args): {} '''.format(rule_yaml['id']+"_"+str(abc),x,oval_datatype,value) - + abc =+ 1 x = x+1 oval_definition = oval_definition + ''' ''' oval_definition = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', oval_definition) - + x = x+1 break - + if "defaults" in rule_yaml['check']: - + if rule_yaml['id'] == "system_settings_hot_corners_secure" or rule_yaml['id'] == "sysprefs_hot_corners_secure": oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + @@ -1966,7 +1966,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label,x+5000,rule_yaml['id'] + "_" + odv_label,x+5001,rule_yaml['id'] + "_" + odv_label,x+5002) - + oval_test = oval_test + ''' 
@@ -1994,44 +1994,44 @@ def generate_scap(all_rules, all_baselines, args): plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") check_length = len(rule_yaml['check'].split()) key = rule_yaml['check'].split("\n")[0].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - + oval_object = oval_object + ''' .* oval:mscp:ste:{} - + - + '''.format(x+1999,x+1999,rule_yaml['id'] + "_" + odv_label,x,x) oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) + '''.format(key) key = rule_yaml['check'].split("\n")[1].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - + oval_object = oval_object + ''' - + '''.format(rule_yaml['id'] + "_" + odv_label,x+5000,x) oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) key = rule_yaml['check'].split("\n")[2].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - + oval_object = oval_object + ''' - + '''.format(rule_yaml['id'] + "_" + odv_label,x+5001,x) oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) key = rule_yaml['check'].split("\n")[3].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - + oval_object = oval_object + ''' - + '''.format(rule_yaml['id'] + "_" + odv_label,x+5002,x) oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) @@ -2043,8 +2043,8 @@ def generate_scap(all_rules, all_baselines, args): 0 /usr/bin/false '''.format(x+1999) - - + + after_user = plist.split('"')[2] oval_variable = oval_variable + ''' @@ -2056,10 +2056,10 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999,after_user,x+999) try: check_if = rule_yaml['check'].split("\n")[5] - + modifier = 0 for n in check_if.split(): - + if n.replace('"',"").isdigit(): if modifier >= 4999: modifier = modifier + 1 
@@ -2070,25 +2070,25 @@ def generate_scap(all_rules, all_baselines, args): modifier = 4999 x = x + 1 continue - except: - x = x + 1 + except: + x = x + 1 continue - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x) - + oval_test = oval_test + ''' @@ -2096,9 +2096,9 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") - + if "ByHost" in rule_yaml['fix'] or "currentHost" in rule_yaml['fix']: - + oval_object = oval_object + ''' SPHardwareDataType @@ -2107,28 +2107,28 @@ def generate_scap(all_rules, all_baselines, args): '''.format("hardware UUID",x+999) if "$CURRENT_USER" in rule_yaml['check']: - - + + check_length = len(rule_yaml['check'].split()) key = rule_yaml['check'].split()[check_length-1] - + oval_object = oval_object + ''' .* oval:mscp:ste:{} - + - + '''.format(x+1999,x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - - try: + + try: rule_yaml['result']['boolean'] oval_object = oval_object + ''' name(//*[contains(text(), "{}")]/following-sibling::*[1]) '''.format(key) except: - + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) oval_state = oval_state + ''' @@ -2138,7 +2138,7 @@ def generate_scap(all_rules, all_baselines, args): 0 /usr/bin/false '''.format(x+1999) - + oval_variable = oval_variable + ''' @@ -2149,10 +2149,10 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999,plist,x+999) - + else: - + check_length = len(rule_yaml['check'].split()) key = rule_yaml['check'].replace(" 2>/dev/null","").split()[check_length-1] 
@@ -2170,8 +2170,8 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' //*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) - - oval_variable = oval_variable + ''' + + oval_variable = oval_variable + ''' {}. @@ -2179,30 +2179,30 @@ def generate_scap(all_rules, all_baselines, args): .plist '''.format(x,plist,x+999) - + elif "$CURRENT_USER" in rule_yaml['check']: - - + + check_length = len(rule_yaml['check'].split()) key = rule_yaml['check'].replace(" 2>/dev/null","").split()[-1] - + oval_object = oval_object + ''' .* oval:mscp:ste:{} - + - + '''.format(x+1999,x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - - try: + + try: rule_yaml['result']['boolean'] oval_object = oval_object + ''' name(//*[contains(text(), "{}")]/following-sibling::*[1]) '''.format(key) except: - + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) oval_state = oval_state + ''' @@ -2212,7 +2212,7 @@ def generate_scap(all_rules, all_baselines, args): 0 /usr/bin/false '''.format(x+1999) - + oval_variable = oval_variable + ''' @@ -2223,15 +2223,15 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999,plist,x+999) else: - + if plist[-6:] != ".plist": plist = plist + ".plist" - + plist_key = rule_yaml['check'].replace(" 2>/dev/null","").split(" ")[3].rstrip() oval_object = oval_object + ''' {}'''.format(rule_yaml['id'] + "_" + odv_label,x,plist) - + try: rule_yaml['result']['boolean'] oval_object = oval_object + ''' @@ -2241,8 +2241,8 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' //*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(plist_key) - - + + datatype = "" plist_key = rule_yaml['check'].split(" ")[3].rstrip() for key in rule_yaml['result']: 
@@ -2259,20 +2259,20 @@ def generate_scap(all_rules, all_baselines, args): value = "true" else: value = rule_yaml['result'][datatype] - + oval_state = oval_state + ''' {} '''.format(rule_yaml['id'] + "_" + odv_label,x,oval_datatype,value) oval_definition = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', oval_definition) x = x+1 - + continue try: if "security" in command[3]: if rule_yaml['check'].split()[1] == "authorizationdb": check = rule_yaml['check'].split("|") - + authdb = rule_yaml['check'].split()[3] if len(check) > 2: @@ -2280,18 +2280,18 @@ def generate_scap(all_rules, all_baselines, args): key = str(matches).replace("[","").replace("]","").replace("'","") length = len(check[2].split()) - + last_string = check[2].split()[length-1].replace('"',"").replace("<","").replace(">","").replace("/","") - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + @@ -2303,7 +2303,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - + oval_object = oval_object + ''' {} @@ -2312,20 +2312,20 @@ def generate_scap(all_rules, all_baselines, args): oval_state = oval_state + ''' - + true '''.format(rule_yaml['id'] + "_" + odv_label,x) else: key = (check[1].split()[2].replace("'","")) oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + @@ -2347,7 +2347,7 @@ def generate_scap(all_rules, all_baselines, args): {} '''.format(rule_yaml['id'] + "_" + odv_label,x,key) - + else: if "authorizationdb" in rule_yaml['check']: regex = r"=\(.*.\)" 
@@ -2355,19 +2355,19 @@ def generate_scap(all_rules, all_baselines, args): matches = re.finditer(regex, rule_yaml['check'], re.MULTILINE) for matchNum, match in enumerate(matches, start=1): matchy_match = match.group().replace('=(',"").replace(")","").replace('"','').split() - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion']) for match in matchy_match: - + oval_definition = oval_definition + ''' '''.format(rule_yaml['id'] + "+" + match, x) @@ -2378,7 +2378,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(match,x,x,x) key="shared" value="" - if "false" in rule_yaml["check"]: + if "false" in rule_yaml["check"]: value="false" else: value="true" @@ -2391,11 +2391,11 @@ def generate_scap(all_rules, all_baselines, args): oval_state = oval_state + ''' - + true '''.format(match,x) x += 1 - + oval_definition = oval_definition + "" x += 1 continue @@ -2403,17 +2403,17 @@ def generate_scap(all_rules, all_baselines, args): pass if "/bin/rm" in rule_yaml['fix'] and "/bin/ls" in rule_yaml['check']: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - - + {} + + - - + + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x) oval_test = oval_test + ''' @@ -2421,11 +2421,11 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,rule_yaml['id'] + "_" + odv_label,x) path = rule_yaml['fix'].split("----")[1].split(" ")[-1] - + oval_object = oval_object + ''' {} - + '''.format(x,rule_yaml['id'] + "_" + odv_label,path.rstrip()) x += 1 continue 
@@ -2433,20 +2433,20 @@ def generate_scap(all_rules, all_baselines, args): try: if "ls" in command[2] or "stat" in command[3].split()[0]: if '/Library/Security/PolicyBanner.rtf' in rule_yaml['check']: - - + + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label,x+2999) oval_test = oval_test + ''' @@ -2460,33 +2460,33 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' /Library/Security/PolicyBanner.rtf - + /Library/Security/PolicyBanner.rtfd - + '''.format(x,rule_yaml['id'] + "_" + odv_label,x+2999,rule_yaml['id']) x = x + 1 continue - + s = rule_yaml['check'] config_file = str() oval_variable_need = bool() if "grep" in s.split()[2]: - - + + oval_variable_need = True grep_search = re.search('\((.*?)\)', s).group(1) - + substring = grep_search.split("|")[0] regex = re.search('\'(.*?)\'', substring).group(1) - + try: regex = re.search('/(.*?)/', regex).group(1) except: regex = regex - config_file = substring = grep_search.split("|")[0].split()[-1] + config_file = substring = grep_search.split("|")[0].split()[-1] oval_object = oval_object + ''' @@ -2500,7 +2500,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,rule_yaml['id'] + "_" + odv_label,x+999) - + else: oval_variable_need = False config_file = s.split()[2] @@ -2508,20 +2508,20 @@ def generate_scap(all_rules, all_baselines, args): s = rule_yaml['fix'] fix_command = re.search('-\n(.*?)\n-', s).group(1).split('$')[0] - + oval_definition = oval_definition + ''' - - - - {} + + + + {} - {} - - + {} + + - - + + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) oval_test = oval_test + ''' 
@@ -2529,7 +2529,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,rule_yaml['id'] + "_" + odv_label,x,x) - + if "-" in fix_command and "R" in fix_command or rule_yaml['fix'].split("\n")[2][-1] == "*": behavior = '' if "audit" in rule_yaml['id']: @@ -2550,30 +2550,30 @@ def generate_scap(all_rules, all_baselines, args): {} {} - + '''.format(rule_yaml['id'] + "_" + odv_label,x,behavior,config_file) state_test = "" if "-" in fix_command and "N" in fix_command and "chmod" in fix_command: state_test = ''' false ''' - + elif "chgrp" in fix_command: state_test = ''' {} '''.format(rule_yaml['result']['integer']) elif "chown" in fix_command: - + state_test = ''' {} '''.format(rule_yaml['result']['integer']) - + elif "chmod" in fix_command: - + perms = fix_command.split()[1] - + if perms[0] == "0": state_test = ''' false @@ -2595,7 +2595,7 @@ def generate_scap(all_rules, all_baselines, args): true true''' elif perms[0] == "4": - + state_test = ''' true false @@ -2615,7 +2615,7 @@ def generate_scap(all_rules, all_baselines, args): true true true''' - + if perms[1] == "0": state_test = state_test + ''' false @@ -2637,7 +2637,7 @@ def generate_scap(all_rules, all_baselines, args): true true''' elif perms[1] == "4": - + state_test = state_test + ''' true false @@ -2659,11 +2659,11 @@ def generate_scap(all_rules, all_baselines, args): true''' if perms[2] == "0": - + state_test = state_test + ''' false false - false''' + false''' if perms[2] == "1": state_test = state_test + ''' false @@ -2709,7 +2709,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x) + state_test + ''' ''' - + x += 1 continue except: 
@@ -2719,19 +2719,19 @@ def generate_scap(all_rules, all_baselines, args): if "UserShell" in rule_yaml['check']: shell = rule_yaml['check'].split()[9].replace('"','') oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x) - + oval_test = oval_test + ''' @@ -2744,7 +2744,7 @@ def generate_scap(all_rules, all_baselines, args): {} '''.format(rule_yaml['id'] + "_" + odv_label,x,command[5].split()[0]) - + oval_state = oval_state + ''' {} @@ -2759,51 +2759,51 @@ def generate_scap(all_rules, all_baselines, args): awk_file = "" awk_search = "" field_sep = "" - + if "grep -qE" in rule_yaml['fix']: awk_file = rule_yaml['fix'].split(" ")[3].strip(" ") awk_search = rule_yaml['fix'].split(" ")[2].strip("\"") - + elif "grep" in rule_yaml['check']: awk_file = rule_yaml['check'].split("|")[0].split(" ")[-2] awk_search = rule_yaml['check'].split("|")[-1].split(" ")[-2].strip("\'") - + else: awk_file = rule_yaml['check'].split("'")[2].strip(" ") awk_search = rule_yaml['check'].split("'")[1].split("/")[1] - - try: + + try: field_sep = rule_yaml['check'].split("-F")[1].split(" ")[0].replace('\"',"") except: field_sep = " " - try: - + try: + awk_result = rule_yaml['result']['string'] - except: - + except: + awk_result = str(rule_yaml['result']['integer']) - + if awk_search[0] != "^": awk_search = "^" + awk_search + field_sep + awk_result else: awk_search = awk_search + field_sep + awk_result - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) oval_test = oval_test + ''' 
@@ -2823,33 +2823,33 @@ def generate_scap(all_rules, all_baselines, args): pass try: if "grep" in command[3] and not "pgrep" in command[3]: - + if "bannerText" in rule_yaml['check'] or "fips_" in rule_yaml['check']: - + text_to_find = rule_yaml['check'].split("=")[1].split('"')[1] matches = text_to_find.replace(".","\.").replace(")","\)").replace("(","\(").replace("*","\*") - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} + {} - + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) oval_test = oval_test + ''' '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - + file_path = rule_yaml["check"].split(" ")[-1].rstrip() - + oval_object = oval_object + ''' {} @@ -2860,32 +2860,32 @@ def generate_scap(all_rules, all_baselines, args): x += 1 continue else: - + s = rule_yaml['check'] - - try: - + + try: + grep_search = re.search('"(.*?)"', s).group(1) - - except: - + + except: + grep_search = re.search('\'(.*?)\'', s).group(1) - - + + grep_file = rule_yaml['check'].split(grep_search,1)[1].split(" ")[1] - - + + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) oval_test = oval_test + ''' @@ -2907,13 +2907,13 @@ def generate_scap(all_rules, all_baselines, args): if "launchctl" in command[2] or "launchctl" in rule_yaml['fix']: if "disable" in command[2] and "=> true" in rule_yaml['check'] or "unload -w" in rule_yaml['fix'] or "disable" in command[2] and "=> disabled" in rule_yaml['check']: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + 
@@ -2927,17 +2927,17 @@ def generate_scap(all_rules, all_baselines, args): - + '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x,x+999,rule_yaml['id'] + "_" + odv_label,x+999) - + domain = str() if "launchctl" not in rule_yaml['check']: domain = rule_yaml['fix'].split()[4].split('/')[4].replace(".plist","") - + else: s = command[5].split()[2] domain = re.search('"(.*?)"', s).group(1) - + oval_object = oval_object + ''' /var/db/com.apple.xpc.launchd/disabled.plist @@ -2946,7 +2946,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,domain,x+999,rule_yaml['id'] + "_" + odv_label,domain) - + status = "" if "enable" in rule_yaml["fix"]: status = "false" @@ -2956,16 +2956,16 @@ def generate_scap(all_rules, all_baselines, args): {} '''.format(rule_yaml['id'] + "_" + odv_label,x,status) - + elif "launchctl unload" in rule_yaml['fix']: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + @@ -2975,38 +2975,38 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,rule_yaml['id'] + "_" + odv_label,x) - + domain = str() - + if "launchctl" not in rule_yaml['check']: domain = rule_yaml['fix'].split()[4].split('/')[4].replace(".plist","") - + else: s = command[5].split()[2] domain = re.search('"(.*?)"', s).group(1) - + oval_object = oval_object + ''' '''.format(x, rule_yaml['id'] + "_" + odv_label,domain) - + elif "defaults write" in rule_yaml['fix']: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x) - + oval_test = oval_test + ''' 
@@ -3014,9 +3014,9 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) plist = rule_yaml['fix'].split(" ")[2].replace(".plist","") # plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") - + if "ByHost" in rule_yaml['fix'] or "currentHost" in rule_yaml['fix']: - + oval_object = oval_object + ''' SPHardwareDataType @@ -3025,28 +3025,28 @@ def generate_scap(all_rules, all_baselines, args): '''.format("hardware UUID",x+999) if "$CURRENT_USER" in rule_yaml['check']: - - - + + + key = rule_yaml['fix'].split("defaults")[1].split(" ")[3] - + oval_object = oval_object + ''' .* oval:mscp:ste:{} - + - + '''.format(x+1999,x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - + if rule_yaml['fix'].split("defaults")[1].split(" ")[4] == "-bool": rule_yaml['result']['boolean'] oval_object = oval_object + ''' name(//*[contains(text(), "{}")]/following-sibling::*[1]) '''.format(key) else: - + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) oval_state = oval_state + ''' @@ -3056,7 +3056,7 @@ def generate_scap(all_rules, all_baselines, args): 0 /usr/bin/false '''.format(x+1999) - + oval_variable = oval_variable + ''' @@ -3067,11 +3067,11 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999,plist,x+999) - + else: - - + + key = rule_yaml['fix'].split("defaults")[1].split(" ")[3] oval_object = oval_object + ''' @@ -3079,9 +3079,9 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,x) - + if rule_yaml['fix'].split("defaults")[1].split(" ")[4] == "-bool": - + oval_object = oval_object + ''' name(//*[contains(text(), "{}")]/following-sibling::*[1]) '''.format(key) 
@@ -3089,8 +3089,8 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' //*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) - - oval_variable = oval_variable + ''' + + oval_variable = oval_variable + ''' {}. @@ -3098,30 +3098,30 @@ def generate_scap(all_rules, all_baselines, args): .plist '''.format(x,plist,x+999) - + elif "$CURRENT_USER" in rule_yaml['check']: - - + + check_length = len(rule_yaml['check'].split()) key = rule_yaml['fix'].split("defaults")[1].split(" ")[3] - + oval_object = oval_object + ''' .* oval:mscp:ste:{} - + - + '''.format(x+1999,x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - + if rule_yaml['fix'].split("defaults")[1].split(" ")[4] == "-bool": - + oval_object = oval_object + ''' name(//*[contains(text(), "{}")]/following-sibling::*[1]) '''.format(key) else: - + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) oval_state = oval_state + ''' @@ -3131,7 +3131,7 @@ def generate_scap(all_rules, all_baselines, args): 0 /usr/bin/false '''.format(x+1999) - + oval_variable = oval_variable + ''' @@ -3142,15 +3142,15 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999,plist,x+999) else: - + if plist[-6:] != ".plist": plist = plist + ".plist" plist_key = rule_yaml['fix'].split("defaults")[1].split(" ")[3] - + oval_object = oval_object + ''' {}'''.format(rule_yaml['id'] + "_" + odv_label,x,plist) - + try: rule_yaml['result']['boolean'] oval_object = oval_object + ''' 
@@ -3160,21 +3160,21 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' //*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(plist_key) - - + + datatype = "" plist_key = rule_yaml['fix'].split("defaults")[1].split(" ")[3] - + oval_datatype = rule_yaml['fix'].split("defaults")[1].split(" ")[4].replace("-","") if oval_datatype == "integer": oval_datatype = "int" - + if oval_datatype == "bool": oval_datatype = "boolean" value = rule_yaml['fix'].split("defaults")[1].split(" ")[5].replace(";","") - + oval_state = oval_state + ''' {} @@ -3183,30 +3183,30 @@ def generate_scap(all_rules, all_baselines, args): x = x+1 - + continue else: - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) oval_test = oval_test + ''' '''.format(x,rule_yaml['id'] + "_" + odv_label,x) - + domain = command[5].split()[2] domain = domain.replace('"','').replace("'",'') @@ -3215,10 +3215,10 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,rule_yaml['id'] + "_" + odv_label,domain) x += 1 - continue + continue except: pass - + for k in generated_baselines.keys(): xccdf_profiles = xccdf_profiles + ''' @@ -3229,7 +3229,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(v) xccdf_profiles = xccdf_profiles + ''' ''' - + total_xccdf = xccdfPrefix + xccdf_profiles + ''' @@ -3239,7 +3239,7 @@ def generate_scap(all_rules, all_baselines, args): The check/fix commands outlined in this section must be run with elevated privileges. - ''' + xccdf_rules + ''' + ''' + xccdf_rules + ''' ''' total_scap = scapPrefix + xccdf_profiles + ''' @@ -3250,9 +3250,9 @@ def generate_scap(all_rules, all_baselines, args): The check/fix commands outlined in this section must be run with elevated privileges. - ''' + xccdf_rules + ''' + ''' + xccdf_rules + ''' - + 
@@ -3267,11 +3267,11 @@ def generate_scap(all_rules, all_baselines, args): total_oval = total_oval + "\n" + oval_state + "\n\n" if oval_variable != "": total_oval = total_oval + "\n\n" + oval_variable + "\n\n" - + total_oval = total_oval + "\n" - + final_oval = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n$.*', '<', total_oval) - + total_scap = total_scap + final_oval + ''' @@ -3395,15 +3395,15 @@ def generate_scap(all_rules, all_baselines, args): print("Error writing Oval file.") else: cmd = cmd + " " + scap_file + "temp --format --output " + scap_file - + os.popen(cmd).read() if os.path.exists(scap_file): - os.remove(scap_file + "temp") + os.remove(scap_file + "temp") def get_rule_yaml(rule_file, custom=False, baseline_name=""): """ Takes a rule file, checks for a custom version, and returns the yaml for the rule """ - global resulting_yaml + global resulting_yaml resulting_yaml = {} names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)] file_name = os.path.basename(rule_file) @@ -3419,13 +3419,13 @@ def get_rule_yaml(rule_file, custom=False, baseline_name=""): else: with open(rule_file) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) - + try: og_rule_path = glob.glob('../rules/**/{}'.format(file_name), recursive=True)[0] except IndexError: og_rule_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] resulting_yaml['customized'] = ["customized rule"] - + with open(og_rule_path) as og: og_rule_yaml = yaml.load(og, Loader=yaml.SafeLoader) @@ -3444,7 +3444,7 @@ def get_rule_yaml(rule_file, custom=False, baseline_name=""): resulting_yaml['references'][ref] = rule_yaml['references'][ref] except KeyError: resulting_yaml['references'][ref] = og_rule_yaml['references'][ref] - try: + try: if "custom" in rule_yaml['references']: resulting_yaml['references']['custom'] = rule_yaml['references']['custom'] if 'customized' in resulting_yaml: 
@@ -3465,7 +3465,7 @@ def get_rule_yaml(rule_file, custom=False, baseline_name=""): resulting_yaml['tags'] = og_rule_yaml['tags'] + rule_yaml['tags'] except KeyError: resulting_yaml['tags'] = og_rule_yaml['tags'] - else: + else: try: if og_rule_yaml[yaml_field] == rule_yaml[yaml_field]: resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] @@ -3477,10 +3477,10 @@ def get_rule_yaml(rule_file, custom=False, baseline_name=""): resulting_yaml['customized'] = ["customized {}".format(yaml_field)] except KeyError: resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] - + return resulting_yaml - - + + class MacSecurityRule(): def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, disa_stig, srg, odv, tags, result_value, mobileconfig, mobileconfig_info): self.rule_title = title @@ -3606,16 +3606,16 @@ def available_tags(all_rules): available_tags.sort() return available_tags - + def get_controls(all_rules): all_controls = [] for rule in all_rules: for control in rule.rule_80053r4: if control not in all_controls: all_controls.append(control) - + all_controls.sort() - + return all_controls def main(): @@ -3630,7 +3630,7 @@ def main(): os.chdir(file_dir) all_rules = collect_rules() - + all_rules_pruned = [] # for rule in all_rules: @@ -3655,7 +3655,7 @@ def main(): for rule in all_rules: if rule.rule_id not in all_rules_pruned: all_rules_pruned.append(rule.rule_id) - + generate_scap(all_rules_pruned, all_baselines, args) os.chdir(original_working_directory) From 20451f6fabadd2f47dc88fd6ddb46bbe5588cca0 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Fri, 15 Sep 2023 14:18:47 -0400 Subject: [PATCH 29/62] refactor[rules] new sonoma rules added Added custom regex password policy rule added rule for account modification --- rules/os/os_account_modification_disable.yaml | 73 +++++++++++++++++++ ...aml => pwpolicy_custom_regex_enforce.yaml} | 26 ++++--- 2 files changed, 87 insertions(+), 12 deletions(-) create mode 100644 rules/os/os_account_modification_disable.yaml rename rules/pwpolicy/{pwpolicy_lower_upper_case_character_enforce.yaml => pwpolicy_custom_regex_enforce.yaml} (70%) diff --git a/rules/os/os_account_modification_disable.yaml b/rules/os/os_account_modification_disable.yaml new file mode 100644 index 00000000..524fc77a --- /dev/null +++ b/rules/os/os_account_modification_disable.yaml 
@@ -0,0 +1,73 @@ +id: os_account_modification_disable +title: "Disable AppleID and Internet Account Modifications" +discussion: | + The system _MUST_ disable account modification. + + Account modification includes adding additional or modifying internet acounts in Apple Mail, Calendar, Contacts, in the Internet Account System Setting Pane, or the AppleID System Setting Pane. + + This prevents the addition of unauthorized accounts. + + [IMPORTANT] + ==== + Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowAccountModification').js + EOS +result: + string: "false" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + 800-53r4: + - CM-7 + - CM-7(1) + - AC-20 + - AC-20(1) + - SC-7(10) + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - 3.1.20 + - 3.4.6 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + cmmc: + - N/A +macOS: + - "14.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cisv8 + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - cmmc_lvl2 + - cmmc_lvl1 +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowAccountModification: false \ No newline at end of file 
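Review bot: The `tags` list enrolls this rule in `cmmc_lvl1` and `cmmc_lvl2` while `references.cmmc` is `- N/A`, so the generated CMMC baselines will carry a rule with no CMMC practice mapped; either add the practice identifiers or drop those two tags. The `800-53r4` list includes `SC-7(10)` but the `800-53r5` list does not, which may be intentional but is worth confirming against the r4-to-r5 mapping the other rules use. `discussion` has a typo, `acounts` → `accounts`, and mixes the old `Internet Accounts System Preference pane` wording with the Sonoma `System Setting Pane` wording used in the sentence above it.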
diff --git a/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml similarity index 70% rename from rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml rename to rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml index 46c281ef..f767d890 100644 --- a/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml @@ -1,7 +1,7 @@ -id: pwpolicy_lower_upper_case_character_enforce -title: "Require Passwords Contain a Minimum of $ODV Lowercase Character and $ODV Uppercase Character" +id: pwpolicy_custom_regex_enforce +title: Require Passwords to match the complexity defined in $ODV discussion: | - The macOS _MUST_ be configured to require at least $ODV lower-case character and $ODV upper-case character be used when a password is created. + The macOS _MUST_ be configured to meet complexity requirements when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. @@ -9,9 +9,9 @@ discussion: | NOTE: The configuration profile generated must be installed from an MDM server. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.*[A-Z]{$ODV,}[a-z]{$ODV,}.*'\''")])' - + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''$ODV'\''")])' result: - string: "true" + string: 'true' fix: | This is implemented by a Configuration Profile. references: @@ -27,7 +27,8 @@ references: disa_stig: - N/A srg: - - N/A + - SRG-OS-000070-GPOS-00038 + - SRG-OS-000069-GPOS-00037 800-171r2: - 3.5.1 - 3.5.2 
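Review bot: In the `@@ -9` hunk the organization-supplied `$ODV` is now a free-form regex substituted verbatim inside a single-quoted shell string and an XPath double-quoted literal (`'\''$ODV'\''`), so any value containing `'` or `"` breaks the shell quoting or the XPath expression and the check errors or reports false for the wrong reason. Since the value is no longer an integer, document the constraint where the value is set, e.g. `hint: Custom regex; must not contain single or double quotes (recommended is 1 upper and 1 lowercase)`. In the `@@ -1` hunk the title now embeds `$ODV`, which after substitution puts the raw regex into every generated title; a fixed wording such as `title: "Require Passwords to Match a Custom Complexity Regular Expression"` reads better.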
@@ -45,11 +46,11 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - "14.0" + - '14.0' odv: - hint: "Number of lowercase characters." - recommended: 1 - cis_lvl2: 1 + hint: Custom regex (recommended is 1 upper and 1 lowercase) + recommended: .*[A-Z]{1,}[a-z]{1,}.* + cis_lvl2: .*[A-Z]{1,}[a-z]{1,}.* tags: - 800-171 - 800-53r4_low @@ -64,10 +65,11 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - newstig mobileconfig: true mobileconfig_info: com.apple.mobiledevice.passwordpolicy: customRegex: - passwordContentRegex: .*[A-Z]{$ODV,}[a-z]{$ODV,}.* + passwordContentRegex: $ODV passwordContentDescription: - default: "Password must include $ODV uppercase and $ODV lowercase character" \ No newline at end of file + default: Password must match custom regex. From 3c6dc2955cee963e1a497cb142b03b1fee786c2e Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 15 Sep 2023 14:35:35 -0400 Subject: [PATCH 30/62] refactor[rules] pwpolicy update Removed baseline tags from pwpolicy_lower_case_character_enforce and pwpolicy_upper_case_character_enforce Updated note to point to pwplicy_custom_regex_enfroce --- ...pwpolicy_lower_case_character_enforce.yaml | 19 ++++-------------- ...pwpolicy_upper_case_character_enforce.yaml | 20 ++++--------------- 2 files changed, 8 insertions(+), 31 deletions(-) diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index c2dd37a8..edadfd9f 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml 
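Review bot: The new `odv.recommended` value `.*[A-Z]{1,}[a-z]{1,}.*` does not enforce what the hint states ("1 upper and 1 lowercase"): as a full match it only succeeds when an uppercase run is immediately followed by a lowercase letter, so a constructed sample like `Passw0rd!` passes while `passW0rd!` is rejected. An order-independent form such as `^(?=.*[A-Z])(?=.*[a-z]).*$` expresses the stated intent, provided the password-policy regex engine accepts lookahead, which should be verified on 14.0 before changing it. Both `recommended:` and `cis_lvl2:` here, and `passwordContentRegex: $ODV` in the `@@ -64` hunk, are unquoted plain scalars, so a custom regex beginning with `[` or containing `: ` or ` #` would be mis-parsed as YAML; quote them, e.g. `recommended: '.*[A-Z]{1,}[a-z]{1,}.*'`.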
@@ -6,6 +6,8 @@ discussion: | This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. + + NOTE: macOS 14 supports password policy complexity with custom regex deployed with a mobileconfig file. To use a mobileconfig file use *pwpolicy_custom_regex_enforce*. check: | /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersLowerCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' result: @@ -59,7 +61,7 @@ references: - 3.5.10 cis: benchmark: - - 5.2.6 (level 2) + - N/A controls v8: - 5.2 cmmc: @@ -71,20 +73,7 @@ macOS: odv: hint: "Number of lowercase characters." recommended: 1 - cis_lvl2: 1 tags: - - 800-171 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - cis_lvl2 - - cisv8 - - cnssi-1253_moderate - - cnssi-1253_low - - cnssi-1253_high - - cmmc_lvl2 + - none mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index 07ee45b5..fd4e76f0 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml 
@@ -6,6 +6,8 @@ discussion: | This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. + + NOTE: macOS 14 supports password policy complexity with custom regex deployed with a mobileconfig file. To use a mobileconfig file use *pwpolicy_custom_regex_enforce*. check: | /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersUpperCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' result: @@ -59,7 +61,7 @@ references: - 3.5.10 cis: benchmark: - - 5.2.6 (level 2) + - N/A controls v8: - 5.2 cmmc: @@ -71,21 +73,7 @@ macOS: odv: hint: "Number of special characters." recommended: 1 - cis_lvl1: 1 - cis_lvl2: 1 tags: - - 800-171 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - cis_lvl2 - - cisv8 - - cnssi-1253_moderate - - cnssi-1253_low - - cnssi-1253_high - - cmmc_lvl2 + - none mobileconfig: false mobileconfig_info: \ No newline at end of file From 08e11c95750310b360603047c120b3a67ecb9e66 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 15 Sep 2023 15:08:18 -0400 Subject: [PATCH 31/62] removed test tag and removed cce --- rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml b/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml index f767d890..8e0994ab 100644 --- a/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml 
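Review bot: The `odv:` block left as context in the last hunk still reads `hint: "Number of special characters."` although this rule enforces `minimumAlphaCharactersUpperCase`, so the hint shown to anyone setting the ODV for pwpolicy_upper_case_character_enforce is wrong; it should read `hint: "Number of uppercase characters."`, matching `hint: "Number of lowercase characters."` in the lowercase rule edited by the same patch. Since this patch already touches the lines directly below, the correction belongs here rather than in a follow-up.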
@@ -16,7 +16,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-92934-9
+ - N/A
 cci:
 - N/A
 800-53r5:
@@ -65,7 +65,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - newstig
 mobileconfig: true
 mobileconfig_info:
 com.apple.mobiledevice.passwordpolicy:
From ba71f606cc44e9b8e9fe0b06cb6061199ffd61b7 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Fri, 15 Sep 2023 15:08:28 -0400
Subject: [PATCH 32/62] fixed odv replacement
---
 scripts/generate_scap.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/scripts/generate_scap.py b/scripts/generate_scap.py
index f393fd43..dfd22414 100755
--- a/scripts/generate_scap.py
+++ b/scripts/generate_scap.py
@@ -279,20 +279,20 @@ def generate_scap(all_rules, all_baselines, args):
 rule_yaml['check'] = rule_yaml['check'].replace("$ODV",odv_value)
 rule_yaml['fix'] = rule_yaml['fix'].replace("$ODV",odv_value)
-
+
 if "result" in rule_yaml:
 for result_value in rule_yaml['result']:
 if "$ODV" == rule_yaml['result'][result_value]:
 rule_yaml['result'][result_value] = rule_yaml['result'][result_value].replace("$ODV",odv_value)
-
 if rule_yaml['mobileconfig_info']:
 for mobileconfig_type in rule_yaml['mobileconfig_info']:
 if isinstance(rule_yaml['mobileconfig_info'][mobileconfig_type], dict):
 for mobileconfig_value in rule_yaml['mobileconfig_info'][mobileconfig_type]:
 if "$ODV" in str(resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value]):
- resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value] = rule_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value].replace("$ODV",odv_value)
-
+ resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value] = odv_value
+
+
 except:
 odv_label = "recommended"
From 8250d020aadb53a17096deca05ba2a5361b911c6 Mon Sep 17 00:00:00 2001
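Review bot: In the generate_scap.py hunk the new assignment `resulting_yaml[...][mobileconfig_value] = odv_value` overwrites the whole mobileconfig value instead of substituting the `$ODV` token, so a string that embeds `$ODV` in surrounding text (the guard only requires `"$ODV" in str(...)`) loses that text, and a dict value is replaced by a plain string. Keeping the substitution for strings covers both cases: `current = resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value]` / `if isinstance(current, str): resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value] = current.replace("$ODV", odv_value)`. The loop iterates keys of `rule_yaml` but indexes `resulting_yaml`; if those are ever different objects a missing key raises KeyError straight into the bare `except:` below, which silently resets `odv_label`, so the relationship between the two dicts deserves a comment. The enclosing try block starts outside the hunk.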
From: Bob Gendler Date: Fri, 15 Sep 2023 23:00:54 -0400 Subject: [PATCH 33/62] refactor[scripts] updated to handle new pwpolicy Updated to handle dict better in mobileconfig files --- scripts/generate_guidance.py | 37 +++++++++++++++++++++++++------ scripts/generate_scap.py | 43 +++++++++++++++++++++++++++++------- 2 files changed, 65 insertions(+), 15 deletions(-) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 251f58d5..53edb0de 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -146,14 +146,32 @@ def format_mobileconfig_fix(mobileconfig): elif type(item[1]) == dict: rulefix = rulefix + "\n" for k,v in item[1].items(): - rulefix = rulefix + \ - (f" {k}\n") - rulefix = rulefix + " \n" - for setting in v: + if type(v) == dict: rulefix = rulefix + \ - (f" {setting}\n") - rulefix = rulefix + " \n" + (f" {k}\n") + rulefix = rulefix + \ + (f" \n") + for x,y in v.items(): + rulefix = rulefix + \ + (f" {x}\n") + rulefix = rulefix + \ + (f" {y}\n") + rulefix = rulefix + \ + (f" \n") + break + if isinstance(v, list): + rulefix = rulefix + " \n" + for setting in v: + rulefix = rulefix + \ + (f" {setting}\n") + rulefix = rulefix + " \n" + else: + rulefix = rulefix + \ + (f" {k}\n") + rulefix = rulefix + \ + (f" {v}\n") rulefix = rulefix + "\n" + rulefix = rulefix + "----\n\n" 
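Review bot: The `break` added after the `for x,y in v.items()` loop in format_mobileconfig_fix exits the enclosing `for k,v in item[1].items()` loop, so every key that follows the first dict-valued key in the same payload is silently omitted from the generated fix text; if a payload is expected to carry exactly one dict (the customRegex case) a comment should say so, otherwise `continue` is the statement intended. `type(v) == dict` should be `isinstance(v, dict)` for consistency with the `isinstance(v, list)` test a few lines below. The identical code is added to generate_scap.py's format_mobileconfig_fix in the same patch (the `@@ -52,15 +52,32 @@` hunk), so both copies need the same correction; the XML tag text was stripped from this listing, so the exact lines are not quoted here. The function body continues outside the hunk.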
@@ -1133,7 +1151,12 @@ def fill_in_odv(resulting_yaml, parent_values): if isinstance(resulting_yaml['mobileconfig_info'][mobileconfig_type], dict): for mobileconfig_value in resulting_yaml['mobileconfig_info'][mobileconfig_type]: if "$ODV" in str(resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value]): - resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value] = odv + if type(resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value]) == dict: + for k,v in resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value].items(): + if v == "$ODV": + resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value][k] = odv + else: + resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value] = odv diff --git a/scripts/generate_scap.py b/scripts/generate_scap.py index dfd22414..07ef4db0 100755 --- a/scripts/generate_scap.py +++ b/scripts/generate_scap.py @@ -52,15 +52,32 @@ def format_mobileconfig_fix(mobileconfig): elif type(item[1]) == dict: rulefix = rulefix + "\n" for k,v in item[1].items(): - rulefix = rulefix + \ - (f" {k}\n") - rulefix = rulefix + " \n" - for setting in v: + if type(v) == dict: rulefix = rulefix + \ - (f" {setting}\n") - rulefix = rulefix + " \n" + (f" {k}\n") + rulefix = rulefix + \ + (f" \n") + for x,y in v.items(): + rulefix = rulefix + \ + (f" {x}\n") + rulefix = rulefix + \ + (f" {y}\n") + rulefix = rulefix + \ + (f" \n") + break + if isinstance(v, list): + rulefix = rulefix + " \n" + for setting in v: + rulefix = rulefix + \ + (f" {setting}\n") + rulefix = rulefix + " \n" + else: + rulefix = rulefix + \ + (f" {k}\n") + rulefix = rulefix + \ + (f" {v}\n") rulefix = rulefix + "\n" - + rulefix = rulefix + "----\n\n" return rulefix 
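Review bot: In the fill_in_odv hunk the dict branch substitutes only when `v == "$ODV"` exactly, whereas the outer guard `"$ODV" in str(...)` and the string branch accept the token embedded in longer text, so a nested value such as a description that contains `$ODV` is left with the placeholder. A substring replacement keeps the branches consistent: `if isinstance(v, str) and "$ODV" in v:` / `resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value][k] = v.replace("$ODV", odv)`. The same exact-equality pattern is added to generate_scap.py in this patch's `@@ -289,8 +306,14 @@` hunk and should change there as well. Assigning to existing keys while iterating `.items()` is safe because no keys are added, but a one-line comment stating that would help the next reader.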
@@ -289,8 +306,14 @@ def generate_scap(all_rules, all_baselines, args):
 for mobileconfig_type in rule_yaml['mobileconfig_info']:
 if isinstance(rule_yaml['mobileconfig_info'][mobileconfig_type], dict):
 for mobileconfig_value in rule_yaml['mobileconfig_info'][mobileconfig_type]:
+
 if "$ODV" in str(resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value]):
- resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value] = odv_value
+ if type(resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value]) == dict:
+ for k,v in resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value].items():
+ if v == "$ODV":
+ resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value][k] = odv_value
+ else:
+ resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value] = odv_value
 except:
@@ -595,6 +618,10 @@ def generate_scap(all_rules, all_baselines, args):
 continue
 for payload_type, info in rule_yaml['mobileconfig_info'].items():
+
+ if payload_type == "com.apple.mobiledevice.passwordpolicy" and "customRegex" in info:
+ print("REGEX")
+ ################# CUSTOM REGEX PWPOLICY ######################
 if payload_type == "com.apple.systempolicy.control":
 continue
 if payload_type == "com.apple.ManagedClient.preferences":
From 04ed18850d76475f7cb1e278f8aa6887b2b7f2c5 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Sat, 16 Sep 2023 13:30:34 -0400
Subject: [PATCH 34/62] refactor[rules] Added customRegex check
Modified to test for customRegex in com.apple.mobiledevice.passwordpolicy
---
 scripts/generate_scap.py | 44 +++++++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 16 deletions(-)
diff --git a/scripts/generate_scap.py b/scripts/generate_scap.py
index 07ef4db0..d70f9f01 100755
--- a/scripts/generate_scap.py
+++ b/scripts/generate_scap.py
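Review bot: The bare `except:` that closes the enclosing try immediately after the new nested loops catches every error the added code can raise — a KeyError when a key iterated from `rule_yaml` is absent from `resulting_yaml`, or an AttributeError when a value is not a dict — and silently falls back to `odv_label = "recommended"`, so a malformed rule file yields content for the wrong ODV instead of a failure. Narrow it to what the fallback is meant to handle, presumably `except (KeyError, IndexError):`, and let anything else surface. The enclosing try block starts outside the hunk.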
@@ -1,6 +1,6 @@ #!/usr/bin/env python3 -# filename: generate_guidance.py -# description: Process a given keyword, and output a baseline file +# filename: generate_scap.py +# description: Input a keyword for the baseline, output the scap/oval/xccdf import sys import os @@ -268,7 +268,7 @@ def generate_scap(all_rules, all_baselines, args): for a in range(0, loop): rule_yaml = get_rule_yaml(rule_file, custom) - + try: # # odv_label = list(rule_yaml['odv'].keys())[a] @@ -619,9 +619,6 @@ def generate_scap(all_rules, all_baselines, args): for payload_type, info in rule_yaml['mobileconfig_info'].items(): - if payload_type == "com.apple.mobiledevice.passwordpolicy" and "customRegex" in info: - print("REGEX") - ################# CUSTOM REGEX PWPOLICY ###################### if payload_type == "com.apple.systempolicy.control": continue if payload_type == "com.apple.ManagedClient.preferences": @@ -700,7 +697,6 @@ def generate_scap(all_rules, all_baselines, args): oval_definition = oval_definition + ''' ''' continue for key, value in info.items(): - if key == "familyControlsEnabled": xpath_search = "" if len(info) > 1: @@ -726,7 +722,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - + "" oval_object = oval_object + ''' /Library/Managed Preferences/com.apple.applicationaccess.new.plist @@ -764,7 +760,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - + oval_object = oval_object + ''' /Library/Managed Preferences/{}.plist'''.format(rule_yaml['id'] + "_" + odv_label,x,payload_type) @@ -1043,8 +1039,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999) x += 1 continue - - + state_kind = "" if type(value) == bool: state_kind = "boolean" 
@@ -1052,6 +1047,14 @@ def generate_scap(all_rules, all_baselines, args): state_kind = "int" elif type(value) == str: state_kind = "string" + try: + int(value) + state_kind = "int" + except: + pass + + elif type(value) == dict: + state_kind = "string" else: continue @@ -1076,22 +1079,31 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - oval_object = oval_object + ''' /Library/Managed Preferences/{}.plist'''.format(rule_yaml['id'] + "_" + odv_label,x,payload_type) - + if state_kind == "boolean": oval_object = oval_object + ''' name(//*[contains(text(), "{}")]/following-sibling::*[1]) '''.format(key) else: - oval_object = oval_object + ''' + if payload_type == "com.apple.mobiledevice.passwordpolicy" and "customRegex" in info: + oval_object = oval_object + ''' //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) + '''.format("passwordContentRegex") + oval_state = oval_state + ''' + + {} + + '''.format(rule_yaml['id'] + "_" + odv_label,x,state_kind,value['passwordContentRegex']) + else: + oval_object = oval_object + ''' + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) - oval_state = oval_state + ''' + oval_state = oval_state + ''' {} From cdb738d739b5aba297c5d573d14b27e930a22e07 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Sat, 16 Sep 2023 14:38:44 -0400 Subject: [PATCH 35/62] fixed indentation causing no plist511 state for boolean --- scripts/generate_scap.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/generate_scap.py b/scripts/generate_scap.py index d70f9f01..e8d69084 100755 --- a/scripts/generate_scap.py +++ b/scripts/generate_scap.py @@ -1102,8 +1102,8 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' //*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) - - oval_state = oval_state + ''' + + oval_state = oval_state + ''' {} 
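Review bot: In the `@@ -1076,22 +1079,31 @@` hunk `value['passwordContentRegex']` is interpolated into the OVAL state element by `.format(...)` without XML escaping, so a regex containing `<`, `>`, `&` or `"` (a character class such as `[^<>&]`) produces a malformed or differently matching OVAL document. Escape it at the call site: `from xml.sax.saxutils import escape` at the top of the script and `escape(value['passwordContentRegex'], {'"': '&quot;'})` in place of the raw value; `key` and the other `value` interpolations in the non-regex branch need the same treatment unless they are escaped elsewhere. In the `@@ -1052,6 +1047,14 @@` hunk the `int(value)` probe uses a bare `except:` that should be `except ValueError:`, and it retypes any plist string that happens to be numeric (for example `"0123"`) as an int state, which presumably changes the OVAL datatype for such keys and deserves a comment explaining why that is wanted. The enclosing generate_scap loop starts and ends outside the hunk.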
From 7a7fb9a3b0b5f7a27d6d78a8f90891bafaff14c4 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Sat, 16 Sep 2023 14:40:07 -0400 Subject: [PATCH 36/62] added missing x += 1 and continue --- scripts/generate_scap.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scripts/generate_scap.py b/scripts/generate_scap.py index e8d69084..f719aa94 100755 --- a/scripts/generate_scap.py +++ b/scripts/generate_scap.py @@ -1098,11 +1098,13 @@ def generate_scap(all_rules, all_baselines, args): {} '''.format(rule_yaml['id'] + "_" + odv_label,x,state_kind,value['passwordContentRegex']) + x += 1 + continue else: oval_object = oval_object + ''' //*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) - + oval_state = oval_state + ''' {} From 489d134a05f563b6eba1bb6a98233d52db50dcd4 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Mon, 18 Sep 2023 11:12:35 -0400 Subject: [PATCH 37/62] updated Changelog --- CHANGELOG.adoc | 47 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index 574b6d41..31a6c793 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc 
@@ -2,4 +2,49 @@ This document provides a high-level view of the changes to the macOS Security Compliance Project. -== [Sonoma, Revision 1.0] - 2023-XX-XX \ No newline at end of file +== [Sonoma, Revision 1.0] - 2023-XX-XX + +* Rules +** Added Rules +*** icloud_freeform_disable +*** os_account_modification_disable +*** os_on_device_dictation_enforce +*** os_setup_assistant_filevault_enforce +*** os_sshd_channel_timeout_configure +*** os_sshd_unused_connection_timeout_configure +** Modified Rules +*** auth_ssh_password_authentication_disable +*** os_policy_banner_ssh_enforce +*** os_sshd_client_alive_count_max_configure +*** os_sshd_client_alive_interval_configure +*** os_sshd_fips_140_ciphers +*** os_sshd_fips_140_macs +*** os_sshd_fips_compliant +*** os_sshd_key_exchange_algorithm_configure +*** os_sshd_login_grace_time_configure +*** os_sshd_permit_root_login_configure +*** system_settings_location_services_menu_enforce +*** system_settings_siri_disable +** Deleted Rules +*** os_efi_integrity_validated +** Bug Fixes + +* Baselines +** Modified existing baselines + +* Scripts +** generate_guidance +*** Added iOS support +*** Added support for pwpolicy regex +*** Modified ssh_key_check +*** Bug Fixes +** generate_baseline +*** Added iOS support +*** Bug Fixes +** generate_mappings +*** Added iOS support +*** Bug Fixes +** generate_scap +*** Added iOS support +*** Added support for pwpolicy regex +*** Bug Fixes \ No newline at end of file From ee21b093cb6b63ae370f18c4d3f722eac5e73367 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Mon, 18 Sep 2023 21:24:40 -0400 Subject: [PATCH 38/62] refactor[rules] Modified and removed Removed rules that are STIG only since no DISA STIG exists for macOS Sonoma yet. Updated system_settings_location_services_menu_enforce Updated changelog --- ...cloud_appleid_preference_pane_disable.yaml | 44 ------------ rules/os/os_sshd_fips_140_ciphers.yaml | 71 ------------------- ...sshd_key_exchange_algorithm_configure.yaml | 66 ----------------- ...m_settings_bluetooth_prefpane_disable.yaml | 41 ----------- ...rnet_accounts_preference_pane_disable.yaml | 49 ------------- ...ttings_location_services_menu_enforce.yaml | 18 +++-- ...system_settings_siri_prefpane_disable.yaml | 46 ------------ ...system_settings_touch_id_pane_disable.yaml | 46 ------------ ...ings_wallet_applepay_prefpane_disable.yaml | 46 ------------ ...ettings_wallet_applepay_prefpane_hide.yaml | 46 ------------ 10 files changed, 8 insertions(+), 465 deletions(-) delete mode 100644 rules/icloud/icloud_appleid_preference_pane_disable.yaml delete mode 100644 rules/os/os_sshd_fips_140_ciphers.yaml delete mode 100644 rules/os/os_sshd_key_exchange_algorithm_configure.yaml delete mode 100644 rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml delete mode 100644 rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml delete mode 100644 rules/system_settings/system_settings_siri_prefpane_disable.yaml delete mode 100644 rules/system_settings/system_settings_touch_id_pane_disable.yaml delete mode 100644 rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml delete mode 100644 rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml diff --git a/rules/icloud/icloud_appleid_preference_pane_disable.yaml b/rules/icloud/icloud_appleid_preference_pane_disable.yaml deleted file mode 100644 index c9ed5dac..00000000 --- a/rules/icloud/icloud_appleid_preference_pane_disable.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -id: icloud_appleid_preference_pane_disable -title: "Disable the Preference Pane for Apple ID" -discussion: | - This is required for compliance with the DISA STIG for macOS. - - The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. - - link:https://developer.apple.com/documentation/devicemanagement/systempreferences[] -check: | - /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.preferences.AppleIDPrefPane" -result: - integer: 1 -fix: | - This is implemented by a Configuration Profile. -references: - cce: - - CCE-92741-8 - cci: - - CCI-001774 - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - SRG-OS-000370-GPOS-00155 - disa_stig: - - N/A - 800-171r2: - - N/A - cis: - benchmark: - - N/A - controls v8: - - N/A -macOS: - - "14.0" -tags: - - none -severity: "high" -mobileconfig: true -mobileconfig_info: - com.apple.systempreferences: - DisabledPreferencePanes: - - com.apple.preferences.AppleIDPrefPane \ No newline at end of file diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml deleted file mode 100644 index 871d2a9b..00000000 --- a/rules/os/os_sshd_fips_140_ciphers.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -id: os_sshd_fips_140_ciphers -title: "Limit SSHD to FIPS 140 Validated Ciphers" -discussion: | - If SSHD is enabled then it _MUST_ be configured to limit the ciphers to specific algorithms. This is required for compliance with the DISA STIG for macOS. - - In order to meet FIPS 140-3 compliance, please use the configuration in *os_sshd_fips_compliant* which follows the recommended guidelines from Apple in the manpage *apple_ssh_and_fips* and found on - - link:https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web[] - - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. -check: | - /usr/sbin/sshd -G | /usr/bin/grep -ci "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" -result: - integer: 1 -fix: | - [source,bash] - ---- - include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') - - if [[ -z $include_dir ]]; then - /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config - fi - - /usr/bin/grep -qxF 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> "${include_dir}01-mscp-sshd.conf" - - for file in $(ls ${include_dir}); do - if [[ "$file" == "100-macos.conf" ]]; then - continue - fi - if [[ "$file" == "01-mscp-sshd.conf" ]]; then - break - fi - /bin/mv ${include_dir}${file} ${include_dir}20-${file} - done - ---- -references: - cce: - - CCE-92900-0 - cci: - - N/A - 800-53r5: - - AC-17(2) - - IA-7 - - SC-13 - - SC-8(1) - 800-53r4: - - AC-17(2) - - IA-7 - - SC-8(1) - - SC-13 - - MA-4(6) - srg: - - N/A - disa_stig: - - N/A - 800-171r2: - - 3.1.13 - - 3.13.8 - - 3.13.11 - cmmc: - - AC.L2-3.1.13 - - MP.L2-3.8.6 - - SC.L2-3.13.8 - - SC.L2-3.13.11 -macOS: - - "14.0" -tags: - - none -severity: "high" -mobileconfig: false -mobileconfig_info: \ No newline at end of file 
diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml deleted file mode 100644 index 7a77dd57..00000000 --- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -id: os_sshd_key_exchange_algorithm_configure -title: "Configure SSHD to Use Secure Key Exchange Algorithms" -discussion: | - If SSHD is enabled then it _MUST_ be configured to limit the Message Key Exchange Algorithms. This is required for compliance with the DISA STIG for macOS. - - In order to meet FIPS 140-3 compliance, please use the configuration in *os_sshd_fips_compliant* which follows the recommended guidelines from Apple in the manpage *apple_ssh_and_fips* and found on - - link:https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web[] - - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. -check: | - /usr/sbin/sshd -G | /usr/bin/grep -ci "^KexAlgorithms diffie-hellman-group-exchange-sha256" -result: - integer: 1 -fix: | - [source,bash] - ---- - include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') - - if [[ -z $include_dir ]]; then - /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config - fi - - /usr/bin/grep -qxF 'KexAlgorithms diffie-hellman-group-exchange-sha256' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "KexAlgorithms diffie-hellman-group-exchange-sha256" >> "${include_dir}01-mscp-sshd.conf" - - for file in $(ls ${include_dir}); do - if [[ "$file" == "100-macos.conf" ]]; then - continue - fi - if [[ "$file" == "01-mscp-sshd.conf" ]]; then - break - fi - /bin/mv ${include_dir}${file} ${include_dir}20-${file} - done - ---- -references: - cce: - - CCE-92903-4 - cci: - - N/A - 800-53r5: - - AC-17(2) - - IA-7 - - MA-4(6) - 800-53r4: - - IA-7 - - AC-17(2) - - MA-4(6) - srg: - - N/A - disa_stig: - - N/A - 800-171r2: - - N/A - cmmc: - - AC.L2-3.1.13 -macOS: - - "14.0" -tags: - - cnssi-1253_moderate - - cnssi-1253_low - - cnssi-1253_high - - cmmc_lvl2 -severity: "high" -mobileconfig: false -mobileconfig_info: \ No newline at end of 
file diff --git a/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml b/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml deleted file mode 100644 index 43d792a4..00000000 --- a/rules/system_settings/system_settings_bluetooth_prefpane_disable.yaml +++ /dev/null @@ -1,41 +0,0 @@ -id: system_settings_bluetooth_prefpane_disable -title: "Disable the Bluetooth System Preference Pane" -discussion: | - This is required for compliance with the DISA STIG for macOS. - - The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. - - link:https://developer.apple.com/documentation/devicemanagement/systempreferences[] -check: | - /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.preferences.Bluetooth -result: - integer: 1 -fix: | - This is implemented by a Configuration Profile. -references: - cce: - - CCE-92951-3 - cci: - - CCI-002418 - - CCI-001967 - 800-53r5: - - N/A - 800-53r4: - - SC-8 - srg: - - SRG-OS-000379-GPOS-00164 - - SRG-OS-000481-GPOS-00481 - disa_stig: - - N/A - 800-171r2: - - N/A -macOS: - - "12.0" -tags: - - none -severity: "low" -mobileconfig: true -mobileconfig_info: - com.apple.systempreferences: - DisabledPreferencePanes: - - com.apple.preferences.Bluetooth \ No newline at end of file diff --git a/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml b/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml deleted file mode 100644 index a27db767..00000000 --- a/rules/system_settings/system_settings_internet_accounts_preference_pane_disable.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -id: system_settings_internet_accounts_preference_pane_disable -title: "Disable the Internet Accounts Preference Pane" -discussion: | - This is required for compliance with the DISA STIG for macOS. - - The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. - - link:https://developer.apple.com/documentation/devicemanagement/systempreferences[] - - [IMPORTANT] - ==== - Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. - ==== -check: | - /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.preferences.internetaccounts" -result: - integer: 1 -fix: | - This is implemented by a Configuration Profile. -references: - cce: - - CCE-92970-3 - cci: - - CCI-000381 - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - N/A - 800-171r2: - - N/A - cis: - benchmark: - - N/A - controls v8: - - N/A -macOS: - - "14.0" -tags: - - none -severity: "medium" -mobileconfig: true -mobileconfig_info: - com.apple.systempreferences: - DisabledPreferencePanes: - - com.apple.preferences.internetaccounts diff --git a/rules/system_settings/system_settings_location_services_menu_enforce.yaml b/rules/system_settings/system_settings_location_services_menu_enforce.yaml index 76bfdebe..3b7ea012 100644 --- a/rules/system_settings/system_settings_location_services_menu_enforce.yaml +++ b/rules/system_settings/system_settings_location_services_menu_enforce.yaml 
@@ -3,14 +3,14 @@ title: "Ensure Location Services Is In the Menu Bar" discussion: | Location Services menu item _MUST_ be enabled. check: | - /usr/bin/osascript -l JavaScript << EOS - $.NSUserDefaults.alloc.initWithSuiteName('com.apple.locationmenu')\ - .objectForKey('ShowSystemServices').js - EOS + /usr/bin/defaults read /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices result: - string: "true" + boolean: 1 fix: | - This is implemented by a Configuration Profile. + [source,bash] + ---- + /usr/bin/defaults write /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices -bool true + ---- references: cce: - CCE-92974-5 @@ -36,7 +36,5 @@ macOS: - "14.0" tags: - cis_lvl2 -mobileconfig: true -mobileconfig_info: - com.apple.locationmenu: - ShowSystemServices: true +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/system_settings/system_settings_siri_prefpane_disable.yaml b/rules/system_settings/system_settings_siri_prefpane_disable.yaml deleted file mode 100644 index eced38cd..00000000 --- a/rules/system_settings/system_settings_siri_prefpane_disable.yaml +++ /dev/null 
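Review bot: The new `check:` reads only `/Library/Preferences/com.apple.locationmenu.plist`, whereas the osascript it replaces queried the `com.apple.locationmenu` defaults suite, which would presumably also reflect a value delivered by the configuration profile this same change removes (`mobileconfig: false`); a machine that still receives `ShowSystemServices` through a profile may now fail the check even though the setting is enforced. The `fix:` writes to `/Library/Preferences`, which requires root, and `defaults read` exits non-zero with a message on stderr when the key is absent. Suggest recording both in `discussion:`: `NOTE: The check and fix operate on /Library/Preferences/com.apple.locationmenu.plist and must be run as root; a value set only by a configuration profile is not detected by this check.`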
@@ -1,46 +0,0 @@ -id: system_settings_siri_prefpane_disable -title: "Disable the System Preference Pane for Siri" -discussion: | - This is required for compliance with the DISA STIG for macOS. - - The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. - - link:https://developer.apple.com/documentation/devicemanagement/systempreferences[] -check: | - /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.preference.speech -result: - integer: 1 -fix: | - This is implemented by a Configuration Profile. -references: - cce: - - CCE-92988-5 - cci: - - CCI-000381 - - CCI-001774 - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - SRG-OS-000095-GPOS-00049 - - SRG-OS-000370-GPOS-00155 - disa_stig: - - N/A - 800-171r2: - - N/A - cis: - benchmark: - - N/A - controls v8: - - N/A -macOS: - - "14.0" -tags: - - none -severity: "medium" -mobileconfig: true -mobileconfig_info: - com.apple.systempreferences: - DisabledPreferencePanes: - - com.apple.preference.speech \ No newline at end of file diff --git a/rules/system_settings/system_settings_touch_id_pane_disable.yaml b/rules/system_settings/system_settings_touch_id_pane_disable.yaml deleted file mode 100644 index 32ba99e9..00000000 --- a/rules/system_settings/system_settings_touch_id_pane_disable.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -id: system_settings_touch_id_pane_disable -title: "Disable the Touch ID and Password Preference Pane" -discussion: | - This is required for compliance with the DISA STIG for macOS. - - The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. - - link:https://developer.apple.com/documentation/devicemanagement/systempreferences[] -check: | - /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.preferences.password" -result: - integer: 1 -fix: | - This is implemented by a Configuration Profile. -references: - cce: - - CCE-93002-4 - cci: - - CCI-000381 - - CCI-001774 - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - SRG-OS-000095-GPOS-00049 - - SRG-OS-000370-GPOS-00155 - disa_stig: - - N/A - 800-171r2: - - N/A - cis: - benchmark: - - N/A - controls v8: - - N/A -macOS: - - "14.0" -tags: - - none -severity: "medium" -mobileconfig: true -mobileconfig_info: - com.apple.systempreferences: - DisabledPreferencePanes: - - com.apple.preferences.password diff --git a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml b/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml deleted file mode 100644 index 262aa522..00000000 --- a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml +++ /dev/null 
@@ -1,46 +0,0 @@
-id: system_settings_wallet_applepay_prefpane_disable
-title: "Disable the System Preference Pane for Wallet and Apple Pay"
-discussion: |
- This is required for compliance with the DISA STIG for macOS.
-
- The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key.
-
- link:https://developer.apple.com/documentation/devicemanagement/systempreferences[]
-check: |
- /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.preferences.wallet
-result:
- integer: 1
-fix: |
- This is implemented by a Configuration Profile.
-references:
- cce:
- - CCE-93006-5
- cci:
- - CCI-000381
- - CCI-001774
- 800-53r5:
- - N/A
- 800-53r4:
- - N/A
- srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
- disa_stig:
- - N/A
- 800-171r2:
- - N/A
- cis:
- benchmark:
- - N/A
- controls v8:
- - N/A
-macOS:
- - "14.0"
-tags:
- - none
-severity: "medium"
-mobileconfig: true
-mobileconfig_info:
- com.apple.systempreferences:
- DisabledPreferencePanes:
- - com.apple.preferences.wallet
\ No newline at end of file
diff --git a/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml b/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml
deleted file mode 100644
index cec8336c..00000000
--- a/rules/system_settings/system_settings_wallet_applepay_prefpane_hide.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-id: system_settings_wallet_applepay_prefpane_hide
-title: "Hide the System Preference Pane for Wallet and Apple Pay"
-discussion: |
- This is required for compliance with the DISA STIG for macOS.
-
- The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. Addtionally, hiding System Settings Preference Panes are not possible in macOS 13.
-
- link:https://developer.apple.com/documentation/devicemanagement/systempreferences[]
-check: |
- /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="HiddenPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.preferences.wallet
-result:
- integer: 1
-fix: |
- This is implemented by a Configuration Profile.
-references:
- cce:
- - CCE-93007-3
- cci:
- - CCI-000381
- - CCI-001774
- 800-53r5:
- - N/A
- 800-53r4:
- - N/A
- srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
- disa_stig:
- - N/A
- 800-171r2:
- - N/A
- cis:
- benchmark:
- - N/A
- controls v8:
- - N/A
-macOS:
- - "14.0"
-tags:
- - none
-severity: "medium"
-mobileconfig: true
-mobileconfig_info:
- com.apple.systempreferences:
- HiddenPreferencePanes:
- - com.apple.preferences.wallet
From 22701650115a2550c1b3c278987690743a46e2e7 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Mon, 18 Sep 2023 21:25:51 -0400
Subject: [PATCH 39/62] updated changelog
---
CHANGELOG.adoc | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
index 31a6c793..9e5682f2 100644
--- a/CHANGELOG.adoc
+++ b/CHANGELOG.adoc
@@ -17,16 +17,23 @@ This document provides a high-level view of the changes to the macOS Security Co
 *** os_policy_banner_ssh_enforce
 *** os_sshd_client_alive_count_max_configure
 *** os_sshd_client_alive_interval_configure
-*** os_sshd_fips_140_ciphers
-*** os_sshd_fips_140_macs
 *** os_sshd_fips_compliant
-*** os_sshd_key_exchange_algorithm_configure
 *** os_sshd_login_grace_time_configure
 *** os_sshd_permit_root_login_configure
 *** system_settings_location_services_menu_enforce
 *** system_settings_siri_disable
 ** Deleted Rules
+*** icloud_appleid_preference_pane_disable.yaml
 *** os_efi_integrity_validated
+*** os_sshd_key_exchange_algorithm_configure
+*** os_sshd_fips_140_ciphers
+*** os_sshd_fips_140_macs
+*** system_settings_bluetooth_prefpane_disable
+*** system_settings_internet_accounts_preference_pane_disable
+*** system_settings_siri_prefpane_disable
+*** system_settings_touch_id_pane_disable
+*** system_settings_wallet_applepay_prefpane_disable
+*** system_settings_wallet_applepay_prefpane_hide
 ** Bug Fixes
 * Baselines
From d25a6d31ac3050b458ddb77064f2d4437e2b8407 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Tue, 19 Sep 2023 12:43:51 -0400
Subject: [PATCH 40/62] Added baseline files
---
baselines/800-171.yaml | 183 +++++++++++++++++++
baselines/800-53r5_high.yaml | 234 ++++++++++++++++++++++++
baselines/800-53r5_low.yaml | 181 +++++++++++++++++++
baselines/800-53r5_moderate.yaml | 225 +++++++++++++++++++++++
baselines/all_rules.yaml | 23 ++-
baselines/cis_lvl1.yaml | 113 ++++++++++++
baselines/cis_lvl2.yaml | 139 +++++++++++++++
baselines/cisv8.yaml | 205 +++++++++++++++++++++
baselines/cmmc_lvl1.yaml | 100 +++++++++++
baselines/cmmc_lvl2.yaml | 224 +++++++++++++++++++++++
baselines/cnssi-1253_high.yaml | 277 +++++++++++++++++++++++++++++
baselines/cnssi-1253_low.yaml | 258 +++++++++++++++++++++++++++
baselines/cnssi-1253_moderate.yaml | 271 ++++++++++++++++++++++++++++
13 files changed, 2420 insertions(+), 13 deletions(-)
create mode 100644 baselines/800-171.yaml
create mode 100644 baselines/800-53r5_high.yaml
create mode 100644 baselines/800-53r5_low.yaml
create mode 100644 baselines/800-53r5_moderate.yaml
create mode 100644 baselines/cis_lvl1.yaml
create mode 100644 baselines/cis_lvl2.yaml
create mode 100644 baselines/cisv8.yaml
create mode 100644 baselines/cmmc_lvl1.yaml
create mode 100644 baselines/cmmc_lvl2.yaml
create mode 100644 baselines/cnssi-1253_high.yaml
create mode 100644 baselines/cnssi-1253_low.yaml
create mode 100644 baselines/cnssi-1253_moderate.yaml
diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml
new file mode 100644
index 00000000..c725766d
--- /dev/null
+++ b/baselines/800-171.yaml
@@ -0,0 +1,183 @@
+title: "macOS 14.0: Security Configuration - NIST 800-171 Rev 2"
+description: |
+ This guide describes the actions to take when securing a macOS 14.0 system against the NIST 800-171 Rev 2 security baseline.
+
+ Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
+authors: |
+ *macOS Security Compliance Project*
+
+ |===
+ |Bob Gendler|National Institute of Standards and Technology
+ |Dan Brodjieski|National Aeronautics and Space Administration
+ |Allen Golbig|Jamf
+ |===
+parent_values: "recommended"
+profile:
+ - section: "auditing"
+ rules:
+ - audit_acls_files_configure
+ - audit_acls_folders_configure
+ - audit_auditd_enabled
+ - audit_failure_halt
+ - audit_files_group_configure
+ - audit_files_mode_configure
+ - audit_files_owner_configure
+ - audit_flags_aa_configure
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_flags_fm_failed_configure
+ - audit_flags_fr_configure
+ - audit_flags_fw_configure
+ - audit_flags_lo_configure
+ - audit_folder_group_configure
+ - audit_folder_owner_configure
+ - audit_folders_mode_configure
+ - audit_settings_failure_notify
+ - section: "authentication"
+ rules:
+ - auth_pam_login_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - auth_pam_sudo_smartcard_enforce
+ - auth_smartcard_enforce
+ - auth_ssh_password_authentication_disable
+ - section: "icloud"
+ rules:
+ - icloud_addressbook_disable
+ - icloud_appleid_system_settings_disable
+ - icloud_bookmarks_disable
+ - icloud_calendar_disable
+ - icloud_drive_disable
+ - icloud_freeform_disable
+ - icloud_game_center_disable
+ - icloud_keychain_disable
+ - icloud_mail_disable
+ - icloud_notes_disable
+ - icloud_photos_disable
+ - icloud_private_relay_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - section: "macos"
+ rules:
+ - os_account_modification_disable
+ - os_airdrop_disable
+ - os_appleid_prompt_disable
+ - os_authenticated_root_enable
+ - os_bonjour_disable
+ - os_config_profile_ui_install_disable
+ - os_filevault_autologin_disable
+ - os_firewall_default_deny_require
+ - os_firewall_log_enable
+ - os_firmware_password_require
+ - os_gatekeeper_enable
+ - os_gatekeeper_rearm
+ - os_handoff_disable
+ - os_home_folders_secure
+ - os_httpd_disable
+ - os_icloud_storage_prompt_disable
+ - os_ir_support_disable
+ - os_mdm_require
+ - os_nfsd_disable
+ - os_on_device_dictation_enforce
+ - os_password_autofill_disable
+ - os_password_proximity_disable
+ - os_password_sharing_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_policy_banner_ssh_configure
+ - os_policy_banner_ssh_enforce
+ - os_rapid_security_response_allow
+ - os_rapid_security_response_removal_disable
+ - os_recovery_lock_enable
+ - os_root_disable
+ - os_screensaver_loginwindow_enforce
+ - os_sip_enable
+ - os_siri_prompt_disable
+ - os_skip_unlock_with_watch_enable
+ - os_ssh_fips_compliant
+ - os_ssh_server_alive_count_max_configure
+ - os_ssh_server_alive_interval_configure
+ - os_sshd_channel_timeout_configure
+ - os_sshd_client_alive_count_max_configure
+ - os_sshd_client_alive_interval_configure
+ - os_sshd_fips_compliant
+ - os_sshd_unused_connection_timeout_configure
+ - os_tftpd_disable
+ - os_time_server_enabled
+ - os_touchid_prompt_disable
+ - os_unlock_active_user_session_disable
+ - os_uucp_disable
+ - section: "passwordpolicy"
+ rules:
+ - pwpolicy_account_inactivity_enforce
+ - pwpolicy_account_lockout_enforce
+ - pwpolicy_account_lockout_timeout_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_custom_regex_enforce
+ - pwpolicy_history_enforce
+ - pwpolicy_max_lifetime_enforce
+ - pwpolicy_minimum_length_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_simple_sequence_disable
+ - pwpolicy_special_character_enforce
+ - section: "systemsettings"
+ rules:
+ - system_settings_apple_watch_unlock_disable
+ - system_settings_automatic_login_disable
+ - system_settings_automatic_logout_enforce
+ - system_settings_bluetooth_disable
+ - system_settings_bluetooth_sharing_disable
+ - system_settings_content_caching_disable
+ - system_settings_diagnostics_reports_disable
+ - system_settings_filevault_enforce
+ - system_settings_find_my_disable
+ - system_settings_firewall_enable
+ - system_settings_firewall_stealth_mode_enable
+ - system_settings_gatekeeper_identified_developers_allowed
+ - system_settings_gatekeeper_override_disallow
+ - system_settings_guest_access_smb_disable
+ - system_settings_guest_account_disable
+ - system_settings_hot_corners_disable
+ - system_settings_improve_siri_dictation_disable
+ - system_settings_internet_accounts_disable
+ - system_settings_internet_sharing_disable
+ - system_settings_location_services_disable
+ - system_settings_loginwindow_prompt_username_password_enforce
+ - system_settings_media_sharing_disabled
+ - system_settings_password_hints_disable
+ - system_settings_personalized_advertising_disable
+ - system_settings_rae_disable
+ - system_settings_screen_sharing_disable
+ - system_settings_screensaver_ask_for_password_delay_enforce
+ - system_settings_screensaver_password_enforce
+ - system_settings_screensaver_timeout_enforce
+ - system_settings_siri_disable
+ - system_settings_smbd_disable
+ - system_settings_ssh_enable
+ - system_settings_system_wide_preferences_configure
+ - system_settings_time_server_configure
+ - system_settings_time_server_enforce
+ - system_settings_token_removal_enforce
+ - system_settings_touchid_unlock_disable
+ - section: "Inherent"
+ rules:
+ - os_implement_cryptography
+ - os_logical_access
+ - os_obscure_password
+ - os_prevent_priv_functions
+ - os_prevent_unauthorized_disclosure
+ - os_separate_functionality
+ - os_store_encrypted_passwords
+ - pwpolicy_force_password_change
+ - section: "Permanent"
+ rules:
+ - pwpolicy_50_percent
+ - system_settings_wifi_disable_when_connected_to_ethernet
+ - section: "not_applicable"
+ rules:
+ - os_nonlocal_maintenance
+ - section: "Supplemental"
+ rules:
+ - supplemental_controls
+ - supplemental_filevault
+ - supplemental_firewall_pf
+ - supplemental_password_policy
+ - supplemental_smartcard
diff --git a/baselines/800-53r5_high.yaml b/baselines/800-53r5_high.yaml
new file mode 100644
index 00000000..a963f3c1
--- /dev/null
+++ b/baselines/800-53r5_high.yaml
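Review bot: The 800-171 profile omits several rules that all three 800-53r5 profiles added in this same commit carry — `audit_flags_fd_configure`, `audit_retention_configure`, `os_config_data_install_enforce`, `os_sudo_timeout_configure` and `os_sudoers_timestamp_type_configure` — and since 800-171's requirements are drawn from the 800-53 moderate baseline, those gaps are worth cross-checking against each rule's `800-171r2` reference list (the rule files deleted earlier in this series show that key) before the baseline ships. If the omissions are intentional, a top-of-file comment such as `# Rule list is derived from each rule's 800-171r2 references; regenerate rather than hand-edit` would spare the next reviewer the same question. The `description:` and `authors:` blocks are byte-identical across the four new baselines, so any future wording change will have to be made in four places unless the generator owns that text.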
@@ -0,0 +1,234 @@
+title: "macOS 14.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact"
+description: |
+ This guide describes the actions to take when securing a macOS 14.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline.
+
+ Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
+authors: |
+ *macOS Security Compliance Project*
+
+ |===
+ |Bob Gendler|National Institute of Standards and Technology
+ |Dan Brodjieski|National Aeronautics and Space Administration
+ |Allen Golbig|Jamf
+ |===
+parent_values: "recommended"
+profile:
+ - section: "auditing"
+ rules:
+ - audit_acls_files_configure
+ - audit_acls_folders_configure
+ - audit_auditd_enabled
+ - audit_configure_capacity_notify
+ - audit_failure_halt
+ - audit_files_group_configure
+ - audit_files_mode_configure
+ - audit_files_owner_configure
+ - audit_flags_aa_configure
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_flags_fd_configure
+ - audit_flags_fm_failed_configure
+ - audit_flags_fr_configure
+ - audit_flags_fw_configure
+ - audit_flags_lo_configure
+ - audit_folder_group_configure
+ - audit_folder_owner_configure
+ - audit_folders_mode_configure
+ - audit_retention_configure
+ - audit_settings_failure_notify
+ - section: "authentication"
+ rules:
+ - auth_pam_login_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - auth_pam_sudo_smartcard_enforce
+ - auth_smartcard_allow
+ - auth_smartcard_certificate_trust_enforce_high
+ - auth_smartcard_enforce
+ - auth_ssh_password_authentication_disable
+ - section: "icloud"
+ rules:
+ - icloud_addressbook_disable
+ - icloud_appleid_system_settings_disable
+ - icloud_bookmarks_disable
+ - icloud_calendar_disable
+ - icloud_drive_disable
+ - icloud_freeform_disable
+ - icloud_game_center_disable
+ - icloud_keychain_disable
+ - icloud_mail_disable
+ - icloud_notes_disable
+ - icloud_photos_disable
+ - icloud_private_relay_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - section: "macos"
+ rules:
+ - os_account_modification_disable
+ - os_airdrop_disable
+ - os_appleid_prompt_disable
+ - os_asl_log_files_owner_group_configure
+ - os_asl_log_files_permissions_configure
+ - os_authenticated_root_enable
+ - os_bonjour_disable
+ - os_certificate_authority_trust
+ - os_config_data_install_enforce
+ - os_config_profile_ui_install_disable
+ - os_filevault_authorized_users
+ - os_filevault_autologin_disable
+ - os_firewall_default_deny_require
+ - os_firewall_log_enable
+ - os_firmware_password_require
+ - os_gatekeeper_enable
+ - os_gatekeeper_rearm
+ - os_handoff_disable
+ - os_home_folders_secure
+ - os_httpd_disable
+ - os_icloud_storage_prompt_disable
+ - os_ir_support_disable
+ - os_mdm_require
+ - os_newsyslog_files_owner_group_configure
+ - os_newsyslog_files_permissions_configure
+ - os_nfsd_disable
+ - os_on_device_dictation_enforce
+ - os_password_autofill_disable
+ - os_password_proximity_disable
+ - os_password_sharing_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_policy_banner_ssh_configure
+ - os_policy_banner_ssh_enforce
+ - os_rapid_security_response_allow
+ - os_rapid_security_response_removal_disable
+ - os_recovery_lock_enable
+ - os_root_disable
+ - os_screensaver_loginwindow_enforce
+ - os_secure_boot_verify
+ - os_sip_enable
+ - os_siri_prompt_disable
+ - os_skip_unlock_with_watch_enable
+ - os_ssh_fips_compliant
+ - os_ssh_server_alive_count_max_configure
+ - os_ssh_server_alive_interval_configure
+ - os_sshd_channel_timeout_configure
+ - os_sshd_client_alive_count_max_configure
+ - os_sshd_client_alive_interval_configure
+ - os_sshd_fips_compliant
+ - os_sshd_permit_root_login_configure
+ - os_sshd_unused_connection_timeout_configure
+ - os_sudo_timeout_configure
+ - os_sudoers_timestamp_type_configure
+ - os_system_read_only
+ - os_tftpd_disable
+ - os_time_server_enabled
+ - os_touchid_prompt_disable
+ - os_unlock_active_user_session_disable
+ - os_uucp_disable
+ - section: "passwordpolicy"
+ rules:
+ - pwpolicy_account_inactivity_enforce
+ - pwpolicy_account_lockout_enforce
+ - pwpolicy_account_lockout_timeout_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_custom_regex_enforce
+ - pwpolicy_history_enforce
+ - pwpolicy_max_lifetime_enforce
+ - pwpolicy_minimum_length_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_simple_sequence_disable
+ - pwpolicy_special_character_enforce
+ - pwpolicy_temporary_or_emergency_accounts_disable
+ - section: "systemsettings"
+ rules:
+ - system_settings_airplay_receiver_disable
+ - system_settings_apple_watch_unlock_disable
+ - system_settings_automatic_login_disable
+ - system_settings_automatic_logout_enforce
+ - system_settings_bluetooth_disable
+ - system_settings_bluetooth_sharing_disable
+ - system_settings_cd_dvd_sharing_disable
+ - system_settings_content_caching_disable
+ - system_settings_critical_update_install_enforce
+ - system_settings_diagnostics_reports_disable
+ - system_settings_filevault_enforce
+ - system_settings_find_my_disable
+ - system_settings_firewall_enable
+ - system_settings_firewall_stealth_mode_enable
+ - system_settings_gatekeeper_identified_developers_allowed
+ - system_settings_gatekeeper_override_disallow
+ - system_settings_guest_access_smb_disable
+ - system_settings_guest_account_disable
+ - system_settings_hot_corners_disable
+ - system_settings_improve_siri_dictation_disable
+ - system_settings_internet_accounts_disable
+ - system_settings_internet_sharing_disable
+ - system_settings_location_services_disable
+ - system_settings_loginwindow_prompt_username_password_enforce
+ - system_settings_media_sharing_disabled
+ - system_settings_password_hints_disable
+ - system_settings_personalized_advertising_disable
+ - system_settings_printer_sharing_disable
+ - system_settings_rae_disable
+ - system_settings_remote_management_disable
+ - system_settings_screen_sharing_disable
+ - system_settings_screensaver_ask_for_password_delay_enforce
+ - system_settings_screensaver_password_enforce
+ - system_settings_screensaver_timeout_enforce
+ - system_settings_siri_disable
+ - system_settings_smbd_disable
+ - system_settings_ssh_enable
+ - system_settings_system_wide_preferences_configure
+ - system_settings_time_server_configure
+ - system_settings_time_server_enforce
+ - system_settings_token_removal_enforce
+ - system_settings_touchid_unlock_disable
+ - system_settings_usb_restricted_mode
+ - system_settings_wifi_disable
+ - section: "Inherent"
+ rules:
+ - audit_record_reduction_report_generation
+ - os_application_sandboxing
+ - os_crypto_audit
+ - os_enforce_access_restrictions
+ - os_fail_secure_state
+ - os_implement_cryptography
+ - os_implement_memory_protection
+ - os_isolate_security_functions
+ - os_limit_gui_sessions
+ - os_logical_access
+ - os_malicious_code_prevention
+ - os_obscure_password
+ - os_prevent_priv_functions
+ - os_prevent_unauthorized_disclosure
+ - os_prohibit_remote_activation_collab_devices
+ - os_reauth_users_change_authenticators
+ - os_required_crypto_module
+ - os_separate_functionality
+ - os_store_encrypted_passwords
+ - os_unique_identification
+ - pwpolicy_emergency_accounts_disable
+ - pwpolicy_force_password_change
+ - pwpolicy_temporary_accounts_disable
+ - section: "Permanent"
+ rules:
+ - audit_records_processing
+ - os_auth_peripherals
+ - os_continuous_monitoring
+ - os_protect_dos_attacks
+ - os_provide_automated_account_management
+ - os_reauth_devices_change_authenticators
+ - os_secure_name_resolution
+ - system_settings_wifi_disable_when_connected_to_ethernet
+ - section: "not_applicable"
+ rules:
+ - os_access_control_mobile_devices
+ - os_identify_non-org_users
+ - os_information_validation
+ - os_managed_access_control_points
+ - os_non_repudiation
+ - os_nonlocal_maintenance
+ - section: "Supplemental"
+ rules:
+ - supplemental_controls
+ - supplemental_filevault
+ - supplemental_firewall_pf
+ - supplemental_password_policy
+ - supplemental_smartcard
diff --git a/baselines/800-53r5_low.yaml b/baselines/800-53r5_low.yaml
new file mode 100644
index 00000000..9d337456
--- /dev/null
+++ b/baselines/800-53r5_low.yaml
@@ -0,0 +1,181 @@
+title: "macOS 14.0: Security Configuration - NIST SP 800-53 Rev 5 Low Impact"
+description: |
+ This guide describes the actions to take when securing a macOS 14.0 system against the NIST SP 800-53 Rev 5 Low Impact security baseline.
+
+ Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
+authors: |
+ *macOS Security Compliance Project*
+
+ |===
+ |Bob Gendler|National Institute of Standards and Technology
+ |Dan Brodjieski|National Aeronautics and Space Administration
+ |Allen Golbig|Jamf
+ |===
+parent_values: "recommended"
+profile:
+ - section: "auditing"
+ rules:
+ - audit_acls_files_configure
+ - audit_acls_folders_configure
+ - audit_auditd_enabled
+ - audit_failure_halt
+ - audit_files_group_configure
+ - audit_files_mode_configure
+ - audit_files_owner_configure
+ - audit_flags_aa_configure
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_flags_fd_configure
+ - audit_flags_fm_failed_configure
+ - audit_flags_fr_configure
+ - audit_flags_fw_configure
+ - audit_flags_lo_configure
+ - audit_folder_group_configure
+ - audit_folder_owner_configure
+ - audit_folders_mode_configure
+ - audit_retention_configure
+ - audit_settings_failure_notify
+ - section: "authentication"
+ rules:
+ - auth_pam_login_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - auth_pam_sudo_smartcard_enforce
+ - auth_smartcard_allow
+ - auth_smartcard_enforce
+ - auth_ssh_password_authentication_disable
+ - section: "icloud"
+ rules:
+ - icloud_addressbook_disable
+ - icloud_appleid_system_settings_disable
+ - icloud_bookmarks_disable
+ - icloud_calendar_disable
+ - icloud_drive_disable
+ - icloud_freeform_disable
+ - icloud_game_center_disable
+ - icloud_keychain_disable
+ - icloud_mail_disable
+ - icloud_notes_disable
+ - icloud_photos_disable
+ - icloud_private_relay_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - section: "macos"
+ rules:
+ - os_account_modification_disable
+ - os_airdrop_disable
+ - os_appleid_prompt_disable
+ - os_authenticated_root_enable
+ - os_bonjour_disable
+ - os_config_data_install_enforce
+ - os_config_profile_ui_install_disable
+ - os_filevault_autologin_disable
+ - os_firewall_log_enable
+ - os_gatekeeper_enable
+ - os_gatekeeper_rearm
+ - os_handoff_disable
+ - os_httpd_disable
+ - os_icloud_storage_prompt_disable
+ - os_ir_support_disable
+ - os_mdm_require
+ - os_nfsd_disable
+ - os_on_device_dictation_enforce
+ - os_password_autofill_disable
+ - os_password_proximity_disable
+ - os_password_sharing_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_policy_banner_ssh_configure
+ - os_policy_banner_ssh_enforce
+ - os_rapid_security_response_allow
+ - os_rapid_security_response_removal_disable
+ - os_root_disable
+ - os_sip_enable
+ - os_siri_prompt_disable
+ - os_skip_unlock_with_watch_enable
+ - os_ssh_fips_compliant
+ - os_sshd_fips_compliant
+ - os_sudo_timeout_configure
+ - os_sudoers_timestamp_type_configure
+ - os_tftpd_disable
+ - os_time_server_enabled
+ - os_touchid_prompt_disable
+ - os_unlock_active_user_session_disable
+ - os_uucp_disable
+ - section: "passwordpolicy"
+ rules:
+ - pwpolicy_account_lockout_enforce
+ - pwpolicy_account_lockout_timeout_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_custom_regex_enforce
+ - pwpolicy_history_enforce
+ - pwpolicy_max_lifetime_enforce
+ - pwpolicy_minimum_length_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_simple_sequence_disable
+ - pwpolicy_special_character_enforce
+ - section: "systemsettings"
+ rules:
+ - system_settings_airplay_receiver_disable
+ - system_settings_automatic_login_disable
+ - system_settings_bluetooth_disable
+ - system_settings_bluetooth_sharing_disable
+ - system_settings_cd_dvd_sharing_disable
+ - system_settings_content_caching_disable
+ - system_settings_critical_update_install_enforce
+ - system_settings_diagnostics_reports_disable
+ - system_settings_find_my_disable
+ - system_settings_firewall_enable
+ - system_settings_firewall_stealth_mode_enable
+ - system_settings_gatekeeper_identified_developers_allowed
+ - system_settings_gatekeeper_override_disallow
+ - system_settings_guest_access_smb_disable
+ - system_settings_guest_account_disable
+ - system_settings_improve_siri_dictation_disable
+ - system_settings_internet_accounts_disable
+ - system_settings_internet_sharing_disable
+ - system_settings_location_services_disable
+ - system_settings_loginwindow_prompt_username_password_enforce
+ - system_settings_media_sharing_disabled
+ - system_settings_password_hints_disable
+ - system_settings_personalized_advertising_disable
+ - system_settings_printer_sharing_disable
+ - system_settings_rae_disable
+ - system_settings_remote_management_disable
+ - system_settings_screen_sharing_disable
+ - system_settings_screensaver_timeout_enforce
+ - system_settings_siri_disable
+ - system_settings_smbd_disable
+ - system_settings_ssh_enable
+ - system_settings_time_server_configure
+ - system_settings_time_server_enforce
+ - system_settings_usb_restricted_mode
+ - system_settings_wifi_disable
+ - section: "Inherent"
+ rules:
+ - os_application_sandboxing
+ - os_implement_cryptography
+ - os_logical_access
+ - os_malicious_code_prevention
+ - os_obscure_password
+ - os_prohibit_remote_activation_collab_devices
+ - os_reauth_users_change_authenticators
+ - os_required_crypto_module
+ - os_store_encrypted_passwords
+ - os_unique_identification
+ - pwpolicy_force_password_change
+ - section: "Permanent"
+ rules:
+ - os_protect_dos_attacks
+ - os_reauth_devices_change_authenticators
+ - os_secure_name_resolution
+ - section: "not_applicable"
+ rules:
+ - os_access_control_mobile_devices
+ - os_identify_non-org_users
+ - os_nonlocal_maintenance
+ - section: "Supplemental"
+ rules:
+ - supplemental_controls
+ - supplemental_filevault
+ - supplemental_firewall_pf
+ - supplemental_password_policy
+ - supplemental_smartcard
diff --git a/baselines/800-53r5_moderate.yaml b/baselines/800-53r5_moderate.yaml
new file mode 100644
index 00000000..23fa64d4
--- /dev/null
+++ b/baselines/800-53r5_moderate.yaml
@@ -0,0 +1,225 @@ +title: "macOS 14.0: Security Configuration - NIST SP 800-53 Rev 5 Moderate Impact" +description: | + This guide describes the actions to take when securing a macOS 14.0 system against the NIST SP 800-53 Rev 5 Moderate Impact security baseline. + + Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. +authors: | + *macOS Security Compliance Project* + + |=== + |Bob Gendler|National Institute of Standards and Technology + |Dan Brodjieski|National Aeronautics and Space Administration + |Allen Golbig|Jamf + |=== +parent_values: "recommended" +profile: + - section: "auditing" + rules: + - audit_acls_files_configure + - audit_acls_folders_configure + - audit_auditd_enabled + - audit_failure_halt + - audit_files_group_configure + - audit_files_mode_configure + - audit_files_owner_configure + - audit_flags_aa_configure + - audit_flags_ad_configure + - audit_flags_ex_configure + - audit_flags_fd_configure + - audit_flags_fm_failed_configure + - audit_flags_fr_configure + - audit_flags_fw_configure + - audit_flags_lo_configure + - audit_folder_group_configure + - audit_folder_owner_configure + - audit_folders_mode_configure + - audit_retention_configure + - audit_settings_failure_notify + - section: "authentication" + rules: + - auth_pam_login_smartcard_enforce + - auth_pam_su_smartcard_enforce + - auth_pam_sudo_smartcard_enforce + - auth_smartcard_allow + - auth_smartcard_certificate_trust_enforce_moderate + - auth_smartcard_enforce + - auth_ssh_password_authentication_disable + - section: "icloud" + rules: + - icloud_addressbook_disable + - icloud_appleid_system_settings_disable + - icloud_bookmarks_disable + - icloud_calendar_disable + - icloud_drive_disable + - icloud_freeform_disable + - 
icloud_game_center_disable + - icloud_keychain_disable + - icloud_mail_disable + - icloud_notes_disable + - icloud_photos_disable + - icloud_private_relay_disable + - icloud_reminders_disable + - icloud_sync_disable + - section: "macos" + rules: + - os_account_modification_disable + - os_airdrop_disable + - os_appleid_prompt_disable + - os_asl_log_files_owner_group_configure + - os_asl_log_files_permissions_configure + - os_authenticated_root_enable + - os_bonjour_disable + - os_certificate_authority_trust + - os_config_data_install_enforce + - os_config_profile_ui_install_disable + - os_filevault_autologin_disable + - os_firewall_default_deny_require + - os_firewall_log_enable + - os_firmware_password_require + - os_gatekeeper_enable + - os_gatekeeper_rearm + - os_handoff_disable + - os_home_folders_secure + - os_httpd_disable + - os_icloud_storage_prompt_disable + - os_ir_support_disable + - os_mdm_require + - os_newsyslog_files_owner_group_configure + - os_newsyslog_files_permissions_configure + - os_nfsd_disable + - os_on_device_dictation_enforce + - os_password_autofill_disable + - os_password_proximity_disable + - os_password_sharing_disable + - os_policy_banner_loginwindow_enforce + - os_policy_banner_ssh_configure + - os_policy_banner_ssh_enforce + - os_rapid_security_response_allow + - os_rapid_security_response_removal_disable + - os_recovery_lock_enable + - os_root_disable + - os_screensaver_loginwindow_enforce + - os_secure_boot_verify + - os_sip_enable + - os_siri_prompt_disable + - os_skip_unlock_with_watch_enable + - os_ssh_fips_compliant + - os_ssh_server_alive_count_max_configure + - os_ssh_server_alive_interval_configure + - os_sshd_channel_timeout_configure + - os_sshd_client_alive_count_max_configure + - os_sshd_client_alive_interval_configure + - os_sshd_fips_compliant + - os_sshd_unused_connection_timeout_configure + - os_sudo_timeout_configure + - os_sudoers_timestamp_type_configure + - os_system_read_only + - os_tftpd_disable + - 
os_time_server_enabled + - os_touchid_prompt_disable + - os_unlock_active_user_session_disable + - os_uucp_disable + - section: "passwordpolicy" + rules: + - pwpolicy_account_inactivity_enforce + - pwpolicy_account_lockout_enforce + - pwpolicy_account_lockout_timeout_enforce + - pwpolicy_alpha_numeric_enforce + - pwpolicy_custom_regex_enforce + - pwpolicy_history_enforce + - pwpolicy_max_lifetime_enforce + - pwpolicy_minimum_length_enforce + - pwpolicy_minimum_lifetime_enforce + - pwpolicy_simple_sequence_disable + - pwpolicy_special_character_enforce + - pwpolicy_temporary_or_emergency_accounts_disable + - section: "systemsettings" + rules: + - system_settings_airplay_receiver_disable + - system_settings_apple_watch_unlock_disable + - system_settings_automatic_login_disable + - system_settings_automatic_logout_enforce + - system_settings_bluetooth_disable + - system_settings_bluetooth_sharing_disable + - system_settings_cd_dvd_sharing_disable + - system_settings_content_caching_disable + - system_settings_critical_update_install_enforce + - system_settings_diagnostics_reports_disable + - system_settings_filevault_enforce + - system_settings_find_my_disable + - system_settings_firewall_enable + - system_settings_firewall_stealth_mode_enable + - system_settings_gatekeeper_identified_developers_allowed + - system_settings_gatekeeper_override_disallow + - system_settings_guest_access_smb_disable + - system_settings_guest_account_disable + - system_settings_hot_corners_disable + - system_settings_improve_siri_dictation_disable + - system_settings_internet_accounts_disable + - system_settings_internet_sharing_disable + - system_settings_location_services_disable + - system_settings_loginwindow_prompt_username_password_enforce + - system_settings_media_sharing_disabled + - system_settings_password_hints_disable + - system_settings_personalized_advertising_disable + - system_settings_printer_sharing_disable + - system_settings_rae_disable + - 
system_settings_remote_management_disable
+ - system_settings_screen_sharing_disable
+ - system_settings_screensaver_ask_for_password_delay_enforce
+ - system_settings_screensaver_password_enforce
+ - system_settings_screensaver_timeout_enforce
+ - system_settings_siri_disable
+ - system_settings_smbd_disable
+ - system_settings_ssh_enable
+ - system_settings_system_wide_preferences_configure
+ - system_settings_time_server_configure
+ - system_settings_time_server_enforce
+ - system_settings_token_removal_enforce
+ - system_settings_touchid_unlock_disable
+ - system_settings_usb_restricted_mode
+ - system_settings_wifi_disable
+ - section: "Inherent"
+ rules:
+ - audit_record_reduction_report_generation
+ - os_application_sandboxing
+ - os_implement_cryptography
+ - os_implement_memory_protection
+ - os_logical_access
+ - os_malicious_code_prevention
+ - os_obscure_password
+ - os_prevent_priv_functions
+ - os_prevent_unauthorized_disclosure
+ - os_prohibit_remote_activation_collab_devices
+ - os_reauth_users_change_authenticators
+ - os_required_crypto_module
+ - os_separate_functionality
+ - os_store_encrypted_passwords
+ - os_unique_identification
+ - pwpolicy_emergency_accounts_disable
+ - pwpolicy_force_password_change
+ - pwpolicy_temporary_accounts_disable
+ - section: "Permanent"
+ rules:
+ - audit_records_processing
+ - os_auth_peripherals
+ - os_continuous_monitoring
+ - os_protect_dos_attacks
+ - os_provide_automated_account_management
+ - os_reauth_devices_change_authenticators
+ - os_secure_name_resolution
+ - system_settings_wifi_disable_when_connected_to_ethernet
+ - section: "not_applicable"
+ rules:
+ - os_access_control_mobile_devices
+ - os_identify_non-org_users
+ - os_information_validation
+ - os_managed_access_control_points
+ - os_nonlocal_maintenance
+ - section: "Supplemental"
+ rules:
+ - supplemental_controls
+ - supplemental_filevault
+ - supplemental_firewall_pf
+ - supplemental_password_policy
+ - supplemental_smartcard 
diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
index b5675245..0b25f16f 100644
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -54,11 +54,11 @@ profile:
- section: "icloud"
rules:
- icloud_addressbook_disable
- - icloud_appleid_preference_pane_disable
- icloud_appleid_system_settings_disable
- icloud_bookmarks_disable
- icloud_calendar_disable
- icloud_drive_disable
+ - icloud_freeform_disable
- icloud_game_center_disable
- icloud_keychain_disable
- icloud_mail_disable
@@ -69,6 +69,7 @@ profile:
- icloud_sync_disable
- section: "macos"
rules:
+ - os_account_modification_disable
- os_airdrop_disable
- os_anti_virus_installed
- os_appleid_prompt_disable
@@ -90,7 +91,6 @@ profile:
- os_directory_services_configured
- os_disk_image_disable
- os_dvdram_disable
- - os_efi_integrity_validated
- os_erase_content_and_settings_disable
- os_ess_installed
- os_facetime_app_disable
@@ -103,8 +103,9 @@ profile:
- os_gatekeeper_rearm
- os_guest_folder_removed
- os_handoff_disable
+ - os_hibernate_mode_apple_silicon_enable
- os_hibernate_mode_destroyfvkeyonstandby_enable
- - os_hibernate_mode_enable
+ - os_hibernate_mode_intel_enable
- os_home_folders_default
- os_home_folders_secure
- os_httpd_disable
@@ -119,6 +120,7 @@ profile:
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
+ - os_on_device_dictation_enforce
- os_parental_controls_enable
- os_password_autofill_disable
- os_password_hint_remove
@@ -143,6 +145,7 @@ profile:
- os_screensaver_loginwindow_enforce
- os_screensaver_timeout_loginwindow_enforce
- os_secure_boot_verify
+ - os_setup_assistant_filevault_enforce
- os_show_filename_extensions_enable
- os_sip_enable
- os_siri_prompt_disable 
@@ -152,14 +155,14 @@ profile:
- os_ssh_fips_compliant
- os_ssh_server_alive_count_max_configure
- os_ssh_server_alive_interval_configure
+ - os_sshd_channel_timeout_configure
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
- - os_sshd_fips_140_ciphers
- os_sshd_fips_140_macs
- os_sshd_fips_compliant
- - os_sshd_key_exchange_algorithm_configure
- os_sshd_login_grace_time_configure
- os_sshd_permit_root_login_configure
+ - os_sshd_unused_connection_timeout_configure
- os_sudo_timeout_configure
- os_sudoers_timestamp_type_configure
- os_system_read_only
@@ -180,6 +183,7 @@ profile:
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
+ - pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_max_lifetime_enforce
@@ -198,7 +202,6 @@ profile:
- system_settings_automatic_logout_enforce
- system_settings_bluetooth_disable
- system_settings_bluetooth_menu_enable
- - system_settings_bluetooth_prefpane_disable
- system_settings_bluetooth_sharing_disable
- system_settings_cd_dvd_sharing_disable
- system_settings_content_caching_disable
@@ -217,7 +220,6 @@ profile:
- system_settings_improve_siri_dictation_disable
- system_settings_install_macos_updates_enforce
- system_settings_internet_accounts_disable
- - system_settings_internet_accounts_preference_pane_disable
- system_settings_internet_sharing_disable
- system_settings_location_services_disable
- system_settings_location_services_enable
@@ -235,7 +237,6 @@ profile:
- system_settings_screensaver_password_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_siri_disable
- - system_settings_siri_prefpane_disable
- system_settings_smbd_disable
- system_settings_software_update_app_update_enforce
- system_settings_software_update_download_enforce 
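Review bot: The hunk removes `os_sshd_fips_140_ciphers` and `os_sshd_key_exchange_algorithm_configure` but leaves `os_sshd_fips_140_macs` in place beside `os_sshd_fips_compliant`, which is asymmetric. If the ciphers and key-exchange rules were folded into `os_sshd_fips_compliant`, the MACs rule looks like a leftover that would evaluate the same sshd configuration a second time and could report a different result; if its rule file was removed as well, all_rules.yaml now references a rule that no longer exists and the baseline build may fail on it. Please confirm whether `- os_sshd_fips_140_macs` should also be dropped here. The profile list this hunk edits continues outside the hunk.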
@@ -249,12 +250,9 @@ profile:
- system_settings_time_server_configure
- system_settings_time_server_enforce
- system_settings_token_removal_enforce
- - system_settings_touch_id_pane_disable
- system_settings_touchid_unlock_disable
- system_settings_usb_restricted_mode
- system_settings_wake_network_access_disable
- - system_settings_wallet_applepay_prefpane_disable
- - system_settings_wallet_applepay_prefpane_hide
- system_settings_wifi_disable
- system_settings_wifi_menu_enable
- section: "Inherent"
@@ -324,7 +322,7 @@ profile:
- pwpolicy_prevent_dictionary_words
- system_settings_wifi_disable_when_connected_to_ethernet
- section: "not_applicable"
- rules:
+ rules:
- os_access_control_mobile_devices
- os_identify_non-org_users
- os_information_validation
@@ -342,4 +340,3 @@ profile:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
- - supplemental_stig
diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml
new file mode 100644
index 00000000..1f215a09
--- /dev/null
+++ b/baselines/cis_lvl1.yaml 
@@ -0,0 +1,113 @@
+title: "macOS 14.0: Security Configuration - CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1)"
+description: |
+ This guide describes the actions to take when securing a macOS 14.0 system against the CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1) security baseline.
+authors: |
+ *macOS Security Compliance Project*
+
+ The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®)
+ |===
+ |Edward Byrd|Center for Internet Security
+ |Ron Colvin|Center for Internet Security
+ |Allen Golbig|Jamf
+ |===
+parent_values: "cis_lvl1"
+profile:
+ - section: "auditing"
+ rules:
+ - audit_acls_files_configure
+ - audit_acls_folders_configure
+ - audit_auditd_enabled
+ - audit_control_acls_configure
+ - audit_control_group_configure
+ - audit_control_mode_configure
+ - audit_control_owner_configure
+ - audit_files_group_configure
+ - audit_files_mode_configure
+ - audit_files_owner_configure
+ - audit_folder_group_configure
+ - audit_folder_owner_configure
+ - audit_folders_mode_configure
+ - audit_retention_configure
+ - section: "macos"
+ rules:
+ - os_airdrop_disable
+ - os_authenticated_root_enable
+ - os_config_data_install_enforce
+ - os_firewall_log_enable
+ - os_gatekeeper_enable
+ - os_guest_folder_removed
+ - os_home_folders_secure
+ - os_httpd_disable
+ - os_install_log_retention_configure
+ - os_mobile_file_integrity_enable
+ - os_nfsd_disable
+ - os_on_device_dictation_enforce
+ - os_password_hint_remove
+ - os_power_nap_disable
+ - os_root_disable
+ - os_safari_advertising_privacy_protection_enable
+ - os_safari_open_safe_downloads_disable
+ - os_safari_prevent_cross-site_tracking_enable
+ - os_safari_show_full_website_address_enable
+ - os_safari_warn_fraudulent_website_enable
+ - os_show_filename_extensions_enable
+ - os_sip_enable
+ - os_software_update_deferral
+ - os_sudo_timeout_configure
+ - os_sudoers_timestamp_type_configure
+ - os_system_wide_applications_configure
+ - 
os_terminal_secure_keyboard_enable
+ - os_time_offset_limit_configure
+ - os_unlock_active_user_session_disable
+ - os_world_writable_system_folder_configure
+ - section: "passwordpolicy"
+ rules:
+ - pwpolicy_account_lockout_enforce
+ - pwpolicy_history_enforce
+ - pwpolicy_max_lifetime_enforce
+ - pwpolicy_minimum_length_enforce
+ - section: "systemsettings"
+ rules:
+ - system_settings_airplay_receiver_disable
+ - system_settings_automatic_login_disable
+ - system_settings_bluetooth_menu_enable
+ - system_settings_bluetooth_sharing_disable
+ - system_settings_cd_dvd_sharing_disable
+ - system_settings_critical_update_install_enforce
+ - system_settings_filevault_enforce
+ - system_settings_firewall_enable
+ - system_settings_firewall_stealth_mode_enable
+ - system_settings_guest_access_smb_disable
+ - system_settings_guest_account_disable
+ - system_settings_install_macos_updates_enforce
+ - system_settings_internet_sharing_disable
+ - system_settings_loginwindow_loginwindowtext_enable
+ - system_settings_loginwindow_prompt_username_password_enforce
+ - system_settings_password_hints_disable
+ - system_settings_personalized_advertising_disable
+ - system_settings_printer_sharing_disable
+ - system_settings_rae_disable
+ - system_settings_remote_management_disable
+ - system_settings_screen_sharing_disable
+ - system_settings_screensaver_ask_for_password_delay_enforce
+ - system_settings_screensaver_timeout_enforce
+ - system_settings_smbd_disable
+ - system_settings_software_update_app_update_enforce
+ - system_settings_software_update_download_enforce
+ - system_settings_software_update_enforce
+ - system_settings_softwareupdate_current
+ - system_settings_ssh_disable
+ - system_settings_system_wide_preferences_configure
+ - system_settings_time_machine_encrypted_configure
+ - system_settings_time_server_configure
+ - system_settings_time_server_enforce
+ - system_settings_wake_network_access_disable
+ - system_settings_wifi_menu_enable
+ - section: 
"Supplemental" + rules: + - supplemental_cis_manual + - supplemental_controls + - supplemental_filevault + - supplemental_firewall_pf + - supplemental_password_policy + - supplemental_smartcard diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml new file mode 100644 index 00000000..2c723965 --- /dev/null +++ b/baselines/cis_lvl2.yaml 
@@ -0,0 +1,139 @@
+title: "macOS 14.0: Security Configuration - CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2)"
+description: |
+ This guide describes the actions to take when securing a macOS 14.0 system against the CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2) security baseline.
+authors: |
+ *macOS Security Compliance Project*
+
+ The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®)
+ |===
+ |Edward Byrd|Center for Internet Security
+ |Ron Colvin|Center for Internet Security
+ |Allen Golbig|Jamf
+ |===
+parent_values: "cis_lvl2"
+profile:
+ - section: "auditing"
+ rules:
+ - audit_acls_files_configure
+ - audit_acls_folders_configure
+ - audit_auditd_enabled
+ - audit_control_acls_configure
+ - audit_control_group_configure
+ - audit_control_mode_configure
+ - audit_control_owner_configure
+ - audit_files_group_configure
+ - audit_files_mode_configure
+ - audit_files_owner_configure
+ - audit_flags_aa_configure
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_flags_fm_failed_configure
+ - audit_flags_fr_configure
+ - audit_flags_fw_configure
+ - audit_flags_lo_configure
+ - audit_folder_group_configure
+ - audit_folder_owner_configure
+ - audit_folders_mode_configure
+ - audit_retention_configure
+ - section: "icloud"
+ rules:
+ - icloud_sync_disable
+ - section: "macos"
+ rules:
+ - os_airdrop_disable
+ - os_authenticated_root_enable
+ - os_bonjour_disable
+ - os_config_data_install_enforce
+ - os_firewall_log_enable
+ - os_gatekeeper_enable
+ - os_guest_folder_removed
+ - os_hibernate_mode_apple_silicon_enable
+ - os_hibernate_mode_destroyfvkeyonstandby_enable
+ - os_hibernate_mode_intel_enable
+ - os_home_folders_secure
+ - os_httpd_disable
+ - os_install_log_retention_configure
+ - os_mobile_file_integrity_enable
+ - os_nfsd_disable
+ - os_on_device_dictation_enforce
+ - os_password_hint_remove
+ - os_policy_banner_loginwindow_enforce
+ - os_power_nap_disable
+ - 
os_root_disable
+ - os_safari_advertising_privacy_protection_enable
+ - os_safari_open_safe_downloads_disable
+ - os_safari_prevent_cross-site_tracking_enable
+ - os_safari_show_full_website_address_enable
+ - os_safari_warn_fraudulent_website_enable
+ - os_show_filename_extensions_enable
+ - os_sip_enable
+ - os_software_update_deferral
+ - os_sudo_timeout_configure
+ - os_sudoers_timestamp_type_configure
+ - os_system_wide_applications_configure
+ - os_terminal_secure_keyboard_enable
+ - os_time_offset_limit_configure
+ - os_unlock_active_user_session_disable
+ - os_world_writable_library_folder_configure
+ - os_world_writable_system_folder_configure
+ - section: "passwordpolicy"
+ rules:
+ - pwpolicy_account_lockout_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_custom_regex_enforce
+ - pwpolicy_history_enforce
+ - pwpolicy_max_lifetime_enforce
+ - pwpolicy_minimum_length_enforce
+ - pwpolicy_special_character_enforce
+ - section: "systemsettings"
+ rules:
+ - system_settings_airplay_receiver_disable
+ - system_settings_automatic_login_disable
+ - system_settings_bluetooth_menu_enable
+ - system_settings_bluetooth_sharing_disable
+ - system_settings_cd_dvd_sharing_disable
+ - system_settings_content_caching_disable
+ - system_settings_critical_update_install_enforce
+ - system_settings_diagnostics_reports_disable
+ - system_settings_filevault_enforce
+ - system_settings_firewall_enable
+ - system_settings_firewall_stealth_mode_enable
+ - system_settings_guest_access_smb_disable
+ - system_settings_guest_account_disable
+ - system_settings_hot_corners_secure
+ - system_settings_install_macos_updates_enforce
+ - system_settings_internet_sharing_disable
+ - system_settings_location_services_enable
+ - system_settings_location_services_menu_enforce
+ - system_settings_loginwindow_loginwindowtext_enable
+ - system_settings_loginwindow_prompt_username_password_enforce
+ - system_settings_media_sharing_disabled
+ - system_settings_password_hints_disable
+ - 
system_settings_personalized_advertising_disable
+ - system_settings_printer_sharing_disable
+ - system_settings_rae_disable
+ - system_settings_remote_management_disable
+ - system_settings_screen_sharing_disable
+ - system_settings_screensaver_ask_for_password_delay_enforce
+ - system_settings_screensaver_timeout_enforce
+ - system_settings_smbd_disable
+ - system_settings_software_update_app_update_enforce
+ - system_settings_software_update_download_enforce
+ - system_settings_software_update_enforce
+ - system_settings_softwareupdate_current
+ - system_settings_ssh_disable
+ - system_settings_system_wide_preferences_configure
+ - system_settings_time_machine_auto_backup_enable
+ - system_settings_time_machine_encrypted_configure
+ - system_settings_time_server_configure
+ - system_settings_time_server_enforce
+ - system_settings_wake_network_access_disable
+ - system_settings_wifi_menu_enable
+ - section: "Supplemental"
+ rules:
+ - supplemental_cis_manual
+ - supplemental_controls
+ - supplemental_filevault
+ - supplemental_firewall_pf
+ - supplemental_password_policy
+ - supplemental_smartcard
diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml
new file mode 100644
index 00000000..804afed9
--- /dev/null
+++ b/baselines/cisv8.yaml 
@@ -0,0 +1,205 @@
+title: "macOS 14.0: Security Configuration - CIS Controls Version 8"
+description: |
+ This guide describes the actions to take when securing a macOS 14.0 system against the CIS Controls Version 8 security baseline.
+
+ Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
+authors: |
+ *macOS Security Compliance Project*
+
+ CIS Critical Security Controls® (CIS Controls®) are referenced with the permission and support of the Center for Internet Security® (CIS®)
+ |===
+ |Edward Byrd|Center for Internet Security
+ |Bob Gendler|National Institute of Standards and Technology
+ |Dan Brodjieski|National Aeronautics and Space Administration
+ |Allen Golbig|Jamf
+ |===
+parent_values: "recommended"
+profile:
+ - section: "auditing"
+ rules:
+ - audit_acls_files_configure
+ - audit_acls_folders_configure
+ - audit_auditd_enabled
+ - audit_control_acls_configure
+ - audit_control_group_configure
+ - audit_control_mode_configure
+ - audit_control_owner_configure
+ - audit_files_group_configure
+ - audit_files_mode_configure
+ - audit_files_owner_configure
+ - audit_flags_aa_configure
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_flags_fm_failed_configure
+ - audit_flags_fr_configure
+ - audit_flags_fw_configure
+ - audit_flags_lo_configure
+ - audit_folder_group_configure
+ - audit_folder_owner_configure
+ - audit_folders_mode_configure
+ - audit_retention_configure
+ - section: "authentication"
+ rules:
+ - auth_pam_login_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - auth_pam_sudo_smartcard_enforce
+ - auth_smartcard_allow
+ - auth_smartcard_enforce
+ - auth_ssh_password_authentication_disable
+ - section: "icloud"
+ rules:
+ - icloud_addressbook_disable
+ - 
icloud_appleid_system_settings_disable
+ - icloud_bookmarks_disable
+ - icloud_calendar_disable
+ - icloud_drive_disable
+ - icloud_freeform_disable
+ - icloud_game_center_disable
+ - icloud_keychain_disable
+ - icloud_mail_disable
+ - icloud_notes_disable
+ - icloud_photos_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - section: "macos"
+ rules:
+ - os_account_modification_disable
+ - os_airdrop_disable
+ - os_appleid_prompt_disable
+ - os_authenticated_root_enable
+ - os_bonjour_disable
+ - os_config_data_install_enforce
+ - os_directory_services_configured
+ - os_ess_installed
+ - os_filevault_autologin_disable
+ - os_firewall_log_enable
+ - os_gatekeeper_enable
+ - os_gatekeeper_rearm
+ - os_handoff_disable
+ - os_hibernate_mode_apple_silicon_enable
+ - os_hibernate_mode_destroyfvkeyonstandby_enable
+ - os_hibernate_mode_intel_enable
+ - os_home_folders_secure
+ - os_httpd_disable
+ - os_icloud_storage_prompt_disable
+ - os_install_log_retention_configure
+ - os_ir_support_disable
+ - os_library_validation_enabled
+ - os_mdm_require
+ - os_mobile_file_integrity_enable
+ - os_nfsd_disable
+ - os_on_device_dictation_enforce
+ - os_password_autofill_disable
+ - os_password_hint_remove
+ - os_password_proximity_disable
+ - os_password_sharing_disable
+ - os_power_nap_disable
+ - os_privacy_setup_prompt_disable
+ - os_root_disable
+ - os_safari_advertising_privacy_protection_enable
+ - os_safari_open_safe_downloads_disable
+ - os_safari_prevent_cross-site_tracking_enable
+ - os_safari_show_full_website_address_enable
+ - os_safari_warn_fraudulent_website_enable
+ - os_show_filename_extensions_enable
+ - os_sip_enable
+ - os_siri_prompt_disable
+ - os_skip_unlock_with_watch_enable
+ - os_sudo_timeout_configure
+ - os_sudoers_timestamp_type_configure
+ - os_system_wide_applications_configure
+ - os_terminal_secure_keyboard_enable
+ - os_tftpd_disable
+ - os_time_offset_limit_configure
+ - os_time_server_enabled
+ - os_touchid_prompt_disable
+ - 
os_unlock_active_user_session_disable
+ - os_uucp_disable
+ - os_world_writable_library_folder_configure
+ - os_world_writable_system_folder_configure
+ - section: "passwordpolicy"
+ rules:
+ - pwpolicy_account_inactivity_enforce
+ - pwpolicy_account_lockout_enforce
+ - pwpolicy_account_lockout_timeout_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_custom_regex_enforce
+ - pwpolicy_history_enforce
+ - pwpolicy_max_lifetime_enforce
+ - pwpolicy_minimum_length_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_simple_sequence_disable
+ - pwpolicy_special_character_enforce
+ - section: "systemsettings"
+ rules:
+ - system_settings_airplay_receiver_disable
+ - system_settings_automatic_login_disable
+ - system_settings_bluetooth_disable
+ - system_settings_bluetooth_menu_enable
+ - system_settings_bluetooth_sharing_disable
+ - system_settings_cd_dvd_sharing_disable
+ - system_settings_content_caching_disable
+ - system_settings_critical_update_install_enforce
+ - system_settings_diagnostics_reports_disable
+ - system_settings_filevault_enforce
+ - system_settings_find_my_disable
+ - system_settings_firewall_enable
+ - system_settings_firewall_stealth_mode_enable
+ - system_settings_guest_access_smb_disable
+ - system_settings_guest_account_disable
+ - system_settings_hot_corners_secure
+ - system_settings_improve_siri_dictation_disable
+ - system_settings_install_macos_updates_enforce
+ - system_settings_internet_accounts_disable
+ - system_settings_internet_sharing_disable
+ - system_settings_location_services_enable
+ - system_settings_loginwindow_loginwindowtext_enable
+ - system_settings_loginwindow_prompt_username_password_enforce
+ - system_settings_media_sharing_disabled
+ - system_settings_password_hints_disable
+ - system_settings_personalized_advertising_disable
+ - system_settings_printer_sharing_disable
+ - system_settings_rae_disable
+ - system_settings_remote_management_disable
+ - system_settings_screen_sharing_disable
+ - 
system_settings_screensaver_ask_for_password_delay_enforce
+ - system_settings_screensaver_timeout_enforce
+ - system_settings_siri_disable
+ - system_settings_smbd_disable
+ - system_settings_software_update_app_update_enforce
+ - system_settings_software_update_download_enforce
+ - system_settings_software_update_enforce
+ - system_settings_softwareupdate_current
+ - system_settings_ssh_disable
+ - system_settings_system_wide_preferences_configure
+ - system_settings_time_machine_auto_backup_enable
+ - system_settings_time_machine_encrypted_configure
+ - system_settings_time_server_configure
+ - system_settings_time_server_enforce
+ - system_settings_wake_network_access_disable
+ - system_settings_wifi_disable
+ - system_settings_wifi_menu_enable
+ - section: "Inherent"
+ rules:
+ - os_logical_access
+ - os_malicious_code_prevention
+ - os_mfa_network_access
+ - os_obscure_password
+ - os_store_encrypted_passwords
+ - os_unique_identification
+ - pwpolicy_force_password_change
+ - section: "Permanent"
+ rules:
+ - audit_off_load_records
+ - os_auth_peripherals
+ - os_secure_name_resolution
+ - section: "not_applicable"
+ rules:
+ - os_access_control_mobile_devices
+ - section: "Supplemental"
+ rules:
+ - supplemental_controls
+ - supplemental_filevault
+ - supplemental_firewall_pf
+ - supplemental_password_policy
+ - supplemental_smartcard
diff --git a/baselines/cmmc_lvl1.yaml b/baselines/cmmc_lvl1.yaml
new file mode 100644
index 00000000..dbd17c3f
--- /dev/null
+++ b/baselines/cmmc_lvl1.yaml 
@@ -0,0 +1,100 @@
+title: "macOS 14.0: Security Configuration - US CMMC 2.0 Level 1"
+description: |
+ This guide describes the actions to take when securing a macOS 14.0 system against the US CMMC 2.0 Level 1 security baseline.
+
+ Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
+authors: |
+ *macOS Security Compliance Project*
+
+ |===
+ |John Mahlman|Leidos
+ |Bob Gendler|National Institute of Standards and Technology
+ |Dan Brodjieski|National Aeronautics and Space Administration
+ |Allen Golbig|Jamf
+ |===
+parent_values: "recommended"
+profile:
+ - section: "authentication"
+ rules:
+ - auth_smartcard_allow
+ - auth_smartcard_enforce
+ - auth_ssh_password_authentication_disable
+ - section: "icloud"
+ rules:
+ - icloud_addressbook_disable
+ - icloud_appleid_system_settings_disable
+ - icloud_bookmarks_disable
+ - icloud_calendar_disable
+ - icloud_drive_disable
+ - icloud_freeform_disable
+ - icloud_game_center_disable
+ - icloud_keychain_disable
+ - icloud_mail_disable
+ - icloud_notes_disable
+ - icloud_photos_disable
+ - icloud_private_relay_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - section: "macos"
+ rules:
+ - os_account_modification_disable
+ - os_airdrop_disable
+ - os_appleid_prompt_disable
+ - os_authenticated_root_enable
+ - os_config_data_install_enforce
+ - os_filevault_autologin_disable
+ - os_firewall_log_enable
+ - os_firmware_password_require
+ - os_gatekeeper_enable
+ - os_gatekeeper_rearm
+ - os_handoff_disable
+ - os_home_folders_secure
+ - os_httpd_disable
+ - os_icloud_storage_prompt_disable
+ - os_nfsd_disable
+ - os_on_device_dictation_enforce
+ - os_rapid_security_response_allow
+ - os_rapid_security_response_removal_disable
+ - os_recovery_lock_enable
+ - 
os_root_disable
+ - os_sip_enable
+ - os_siri_prompt_disable
+ - os_skip_unlock_with_watch_enable
+ - os_tftpd_disable
+ - os_unlock_active_user_session_disable
+ - os_uucp_disable
+ - section: "systemsettings"
+ rules:
+ - system_settings_automatic_login_disable
+ - system_settings_bluetooth_sharing_disable
+ - system_settings_critical_update_install_enforce
+ - system_settings_diagnostics_reports_disable
+ - system_settings_find_my_disable
+ - system_settings_firewall_enable
+ - system_settings_firewall_stealth_mode_enable
+ - system_settings_guest_access_smb_disable
+ - system_settings_guest_account_disable
+ - system_settings_improve_siri_dictation_disable
+ - system_settings_internet_accounts_disable
+ - system_settings_internet_sharing_disable
+ - system_settings_loginwindow_prompt_username_password_enforce
+ - system_settings_media_sharing_disabled
+ - system_settings_personalized_advertising_disable
+ - system_settings_rae_disable
+ - system_settings_screen_sharing_disable
+ - system_settings_siri_disable
+ - system_settings_smbd_disable
+ - system_settings_ssh_disable
+ - system_settings_ssh_enable
+ - system_settings_system_wide_preferences_configure
+ - section: "Inherent"
+ rules:
+ - os_logical_access
+ - os_malicious_code_prevention
+ - section: "Supplemental"
+ rules:
+ - supplemental_controls
+ - supplemental_filevault
+ - supplemental_firewall_pf
+ - supplemental_password_policy
+ - supplemental_smartcard
diff --git a/baselines/cmmc_lvl2.yaml b/baselines/cmmc_lvl2.yaml
new file mode 100644
index 00000000..c3c265e9
--- /dev/null
+++ b/baselines/cmmc_lvl2.yaml 
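Review bot: The systemsettings section lists both `system_settings_ssh_disable` and `system_settings_ssh_enable`, so no machine can satisfy the whole baseline: whichever state Remote Login is in, one of the two checks fails, and any generated remediation that applies the rules in order would toggle the service back and forth. The same pair appears in the systemsettings section of the cmmc_lvl2.yaml hunk that follows. Unless the build tooling is known to reconcile conflicting rules, only one should remain; the surrounding entries disable the other sharing services, which suggests `system_settings_ssh_enable` is the stray line, but please confirm against the CMMC 2.0 Level 1 requirement before dropping it.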
@@ -0,0 +1,224 @@
+title: "macOS 14.0: Security Configuration - US CMMC 2.0 Level 2"
+description: |
+ This guide describes the actions to take when securing a macOS 14.0 system against the US CMMC 2.0 Level 2 security baseline.
+
+ Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
+authors: |
+ *macOS Security Compliance Project*
+
+ |===
+ |John Mahlman|Leidos
+ |Bob Gendler|National Institute of Standards and Technology
+ |Dan Brodjieski|National Aeronautics and Space Administration
+ |Allen Golbig|Jamf
+ |===
+parent_values: "recommended"
+profile:
+ - section: "auditing"
+ rules:
+ - audit_acls_files_configure
+ - audit_acls_folders_configure
+ - audit_auditd_enabled
+ - audit_control_acls_configure
+ - audit_control_group_configure
+ - audit_control_mode_configure
+ - audit_control_owner_configure
+ - audit_failure_halt
+ - audit_files_group_configure
+ - audit_files_mode_configure
+ - audit_files_owner_configure
+ - audit_flags_aa_configure
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_flags_fd_configure
+ - audit_flags_fm_configure
+ - audit_flags_fm_failed_configure
+ - audit_flags_fr_configure
+ - audit_flags_fw_configure
+ - audit_flags_lo_configure
+ - audit_folder_group_configure
+ - audit_folder_owner_configure
+ - audit_folders_mode_configure
+ - audit_retention_configure
+ - audit_settings_failure_notify
+ - section: "authentication"
+ rules:
+ - auth_pam_login_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - auth_pam_sudo_smartcard_enforce
+ - auth_smartcard_allow
+ - auth_smartcard_certificate_trust_enforce_moderate
+ - auth_smartcard_enforce
+ - auth_ssh_password_authentication_disable
+ - section: "icloud"
+ rules:
+ - icloud_addressbook_disable
+ - 
icloud_appleid_system_settings_disable
+ - icloud_bookmarks_disable
+ - icloud_calendar_disable
+ - icloud_drive_disable
+ - icloud_freeform_disable
+ - icloud_game_center_disable
+ - icloud_keychain_disable
+ - icloud_mail_disable
+ - icloud_notes_disable
+ - icloud_photos_disable
+ - icloud_private_relay_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - section: "macos"
+ rules:
+ - os_account_modification_disable
+ - os_airdrop_disable
+ - os_appleid_prompt_disable
+ - os_authenticated_root_enable
+ - os_blank_bluray_disable
+ - os_blank_cd_disable
+ - os_blank_dvd_disable
+ - os_bluray_read_only_enforce
+ - os_bonjour_disable
+ - os_burn_support_disable
+ - os_cd_read_only_enforce
+ - os_certificate_authority_trust
+ - os_config_data_install_enforce
+ - os_config_profile_ui_install_disable
+ - os_disk_image_disable
+ - os_dvdram_disable
+ - os_erase_content_and_settings_disable
+ - os_filevault_autologin_disable
+ - os_firewall_default_deny_require
+ - os_firewall_log_enable
+ - os_firmware_password_require
+ - os_gatekeeper_enable
+ - os_gatekeeper_rearm
+ - os_handoff_disable
+ - os_home_folders_secure
+ - os_httpd_disable
+ - os_icloud_storage_prompt_disable
+ - os_install_log_retention_configure
+ - os_ir_support_disable
+ - os_mdm_require
+ - os_nfsd_disable
+ - os_on_device_dictation_enforce
+ - os_password_autofill_disable
+ - os_password_hint_remove
+ - os_password_proximity_disable
+ - os_password_sharing_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_policy_banner_ssh_configure
+ - os_policy_banner_ssh_enforce
+ - os_power_nap_disable
+ - os_privacy_setup_prompt_disable
+ - os_rapid_security_response_allow
+ - os_rapid_security_response_removal_disable
+ - os_recovery_lock_enable
+ - os_removable_media_disable
+ - os_root_disable
+ - os_sip_enable
+ - os_siri_prompt_disable
+ - os_skip_screen_time_prompt_enable
+ - os_skip_unlock_with_watch_enable
+ - os_ssh_fips_compliant
+ - os_ssh_server_alive_count_max_configure
+ - 
os_ssh_server_alive_interval_configure
+ - os_sshd_channel_timeout_configure
+ - os_sshd_client_alive_count_max_configure
+ - os_sshd_client_alive_interval_configure
+ - os_sshd_fips_compliant
+ - os_sshd_login_grace_time_configure
+ - os_sshd_unused_connection_timeout_configure
+ - os_tftpd_disable
+ - os_time_server_enabled
+ - os_touchid_prompt_disable
+ - os_unlock_active_user_session_disable
+ - os_user_app_installation_prohibit
+ - os_uucp_disable
+ - section: "passwordpolicy"
+ rules:
+ - pwpolicy_account_inactivity_enforce
+ - pwpolicy_account_lockout_enforce
+ - pwpolicy_account_lockout_timeout_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_custom_regex_enforce
+ - pwpolicy_history_enforce
+ - pwpolicy_max_lifetime_enforce
+ - pwpolicy_minimum_length_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_simple_sequence_disable
+ - pwpolicy_special_character_enforce
+ - section: "systemsettings"
+ rules:
+ - system_settings_airplay_receiver_disable
+ - system_settings_apple_watch_unlock_disable
+ - system_settings_automatic_login_disable
+ - system_settings_automatic_logout_enforce
+ - system_settings_bluetooth_disable
+ - system_settings_bluetooth_sharing_disable
+ - system_settings_cd_dvd_sharing_disable
+ - system_settings_content_caching_disable
+ - system_settings_critical_update_install_enforce
+ - system_settings_diagnostics_reports_disable
+ - system_settings_filevault_enforce
+ - system_settings_find_my_disable
+ - system_settings_firewall_enable
+ - system_settings_firewall_stealth_mode_enable
+ - system_settings_gatekeeper_identified_developers_allowed
+ - system_settings_gatekeeper_override_disallow
+ - system_settings_guest_access_smb_disable
+ - system_settings_guest_account_disable
+ - system_settings_improve_siri_dictation_disable
+ - system_settings_internet_accounts_disable
+ - system_settings_internet_sharing_disable
+ - system_settings_location_services_disable
+ - 
system_settings_loginwindow_prompt_username_password_enforce
+ - system_settings_media_sharing_disabled
+ - system_settings_password_hints_disable
+ - system_settings_personalized_advertising_disable
+ - system_settings_printer_sharing_disable
+ - system_settings_rae_disable
+ - system_settings_remote_management_disable
+ - system_settings_screen_sharing_disable
+ - system_settings_screensaver_ask_for_password_delay_enforce
+ - system_settings_screensaver_password_enforce
+ - system_settings_screensaver_timeout_enforce
+ - system_settings_siri_disable
+ - system_settings_smbd_disable
+ - system_settings_ssh_disable
+ - system_settings_ssh_enable
+ - system_settings_system_wide_preferences_configure
+ - system_settings_time_server_configure
+ - system_settings_time_server_enforce
+ - system_settings_token_removal_enforce
+ - system_settings_touchid_unlock_disable
+ - system_settings_usb_restricted_mode
+ - system_settings_wifi_disable
+ - section: "Inherent"
+ rules:
+ - audit_record_reduction_report_generation
+ - os_implement_cryptography
+ - os_logical_access
+ - os_malicious_code_prevention
+ - os_obscure_password
+ - os_prevent_priv_functions
+ - os_prevent_unauthorized_disclosure
+ - os_prohibit_remote_activation_collab_devices
+ - os_separate_functionality
+ - os_store_encrypted_passwords
+ - os_unique_identification
+ - pwpolicy_force_password_change
+ - section: "Permanent"
+ rules:
+ - audit_records_processing
+ - system_settings_wifi_disable_when_connected_to_ethernet
+ - section: "not_applicable"
+ rules:
+ - os_access_control_mobile_devices
+ - os_managed_access_control_points
+ - os_nonlocal_maintenance
+ - section: "Supplemental"
+ rules:
+ - supplemental_controls
+ - supplemental_filevault
+ - supplemental_firewall_pf
+ - supplemental_password_policy
+ - supplemental_smartcard
diff --git a/baselines/cnssi-1253_high.yaml b/baselines/cnssi-1253_high.yaml
new file mode 100644
index 00000000..634ab13a
--- /dev/null
+++ b/baselines/cnssi-1253_high.yaml 
@@ -0,0 +1,277 @@
+title: "macOS 14.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (High)"
+description: |
+ This guide describes the actions to take when securing a macOS 14.0 system against the Committee on National Security Systems Instruction No. 1253 (High) security baseline.
+
+ Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
+authors: |
+ *macOS Security Compliance Project*
+
+ |===
+ |Rob Lamb|Los Alamos National Laboratory
+ |Ekkehard Koch|
+ |Bob Gendler|National Institute of Standards and Technology
+ |===
+parent_values: "recommended"
+profile:
+ - section: "auditing"
+ rules:
+ - audit_acls_files_configure
+ - audit_acls_folders_configure
+ - audit_auditd_enabled
+ - audit_configure_capacity_notify
+ - audit_control_acls_configure
+ - audit_control_group_configure
+ - audit_control_mode_configure
+ - audit_control_owner_configure
+ - audit_failure_halt
+ - audit_files_group_configure
+ - audit_files_mode_configure
+ - audit_files_owner_configure
+ - audit_flags_aa_configure
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_flags_fd_configure
+ - audit_flags_fm_configure
+ - audit_flags_fm_failed_configure
+ - audit_flags_fr_configure
+ - audit_flags_fw_configure
+ - audit_flags_lo_configure
+ - audit_folder_group_configure
+ - audit_folder_owner_configure
+ - audit_folders_mode_configure
+ - audit_retention_configure
+ - audit_settings_failure_notify
+ - section: "authentication"
+ rules:
+ - auth_pam_login_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - auth_pam_sudo_smartcard_enforce
+ - auth_smartcard_allow
+ - auth_smartcard_certificate_trust_enforce_high
+ - auth_smartcard_enforce
+ - auth_ssh_password_authentication_disable
+ -
section: "icloud"
+ rules:
+ - icloud_addressbook_disable
+ - icloud_appleid_system_settings_disable
+ - icloud_bookmarks_disable
+ - icloud_calendar_disable
+ - icloud_drive_disable
+ - icloud_freeform_disable
+ - icloud_game_center_disable
+ - icloud_keychain_disable
+ - icloud_mail_disable
+ - icloud_notes_disable
+ - icloud_photos_disable
+ - icloud_private_relay_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - section: "macos"
+ rules:
+ - os_account_modification_disable
+ - os_airdrop_disable
+ - os_appleid_prompt_disable
+ - os_asl_log_files_owner_group_configure
+ - os_asl_log_files_permissions_configure
+ - os_authenticated_root_enable
+ - os_blank_bluray_disable
+ - os_blank_cd_disable
+ - os_blank_dvd_disable
+ - os_bluray_read_only_enforce
+ - os_bonjour_disable
+ - os_burn_support_disable
+ - os_calendar_app_disable
+ - os_cd_read_only_enforce
+ - os_certificate_authority_trust
+ - os_config_data_install_enforce
+ - os_config_profile_ui_install_disable
+ - os_disk_image_disable
+ - os_dvdram_disable
+ - os_erase_content_and_settings_disable
+ - os_facetime_app_disable
+ - os_filevault_authorized_users
+ - os_filevault_autologin_disable
+ - os_firewall_default_deny_require
+ - os_firewall_log_enable
+ - os_firmware_password_require
+ - os_gatekeeper_enable
+ - os_gatekeeper_rearm
+ - os_handoff_disable
+ - os_home_folders_secure
+ - os_httpd_disable
+ - os_icloud_storage_prompt_disable
+ - os_install_log_retention_configure
+ - os_ir_support_disable
+ - os_mail_app_disable
+ - os_mdm_require
+ - os_messages_app_disable
+ - os_newsyslog_files_owner_group_configure
+ - os_newsyslog_files_permissions_configure
+ - os_nfsd_disable
+ - os_on_device_dictation_enforce
+ - os_parental_controls_enable
+ - os_password_autofill_disable
+ - os_password_hint_remove
+ - os_password_proximity_disable
+ - os_password_sharing_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_policy_banner_ssh_configure
+ - os_policy_banner_ssh_enforce
+ -
os_power_nap_disable
+ - os_privacy_setup_prompt_disable
+ - os_rapid_security_response_allow
+ - os_rapid_security_response_removal_disable
+ - os_recovery_lock_enable
+ - os_removable_media_disable
+ - os_root_disable
+ - os_screensaver_loginwindow_enforce
+ - os_secure_boot_verify
+ - os_sip_enable
+ - os_siri_prompt_disable
+ - os_skip_screen_time_prompt_enable
+ - os_skip_unlock_with_watch_enable
+ - os_ssh_fips_compliant
+ - os_ssh_server_alive_count_max_configure
+ - os_ssh_server_alive_interval_configure
+ - os_sshd_channel_timeout_configure
+ - os_sshd_client_alive_count_max_configure
+ - os_sshd_client_alive_interval_configure
+ - os_sshd_fips_compliant
+ - os_sshd_login_grace_time_configure
+ - os_sshd_permit_root_login_configure
+ - os_sshd_unused_connection_timeout_configure
+ - os_sudoers_timestamp_type_configure
+ - os_system_read_only
+ - os_tftpd_disable
+ - os_time_server_enabled
+ - os_touchid_prompt_disable
+ - os_unlock_active_user_session_disable
+ - os_user_app_installation_prohibit
+ - os_uucp_disable
+ - section: "passwordpolicy"
+ rules:
+ - pwpolicy_account_inactivity_enforce
+ - pwpolicy_account_lockout_enforce
+ - pwpolicy_account_lockout_timeout_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_custom_regex_enforce
+ - pwpolicy_history_enforce
+ - pwpolicy_max_lifetime_enforce
+ - pwpolicy_minimum_length_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_simple_sequence_disable
+ - pwpolicy_special_character_enforce
+ - pwpolicy_temporary_or_emergency_accounts_disable
+ - section: "systemsettings"
+ rules:
+ - system_settings_airplay_receiver_disable
+ - system_settings_apple_watch_unlock_disable
+ - system_settings_automatic_login_disable
+ - system_settings_automatic_logout_enforce
+ - system_settings_bluetooth_disable
+ - system_settings_bluetooth_sharing_disable
+ - system_settings_cd_dvd_sharing_disable
+ - system_settings_content_caching_disable
+ - system_settings_critical_update_install_enforce
+ -
system_settings_diagnostics_reports_disable
+ - system_settings_filevault_enforce
+ - system_settings_find_my_disable
+ - system_settings_firewall_enable
+ - system_settings_firewall_stealth_mode_enable
+ - system_settings_gatekeeper_identified_developers_allowed
+ - system_settings_gatekeeper_override_disallow
+ - system_settings_guest_access_smb_disable
+ - system_settings_guest_account_disable
+ - system_settings_hot_corners_disable
+ - system_settings_hot_corners_secure
+ - system_settings_improve_siri_dictation_disable
+ - system_settings_internet_accounts_disable
+ - system_settings_internet_sharing_disable
+ - system_settings_location_services_disable
+ - system_settings_loginwindow_prompt_username_password_enforce
+ - system_settings_media_sharing_disabled
+ - system_settings_password_hints_disable
+ - system_settings_personalized_advertising_disable
+ - system_settings_printer_sharing_disable
+ - system_settings_rae_disable
+ - system_settings_remote_management_disable
+ - system_settings_screen_sharing_disable
+ - system_settings_screensaver_ask_for_password_delay_enforce
+ - system_settings_screensaver_password_enforce
+ - system_settings_screensaver_timeout_enforce
+ - system_settings_siri_disable
+ - system_settings_smbd_disable
+ - system_settings_ssh_disable
+ - system_settings_ssh_enable
+ - system_settings_system_wide_preferences_configure
+ - system_settings_time_server_configure
+ - system_settings_time_server_enforce
+ - system_settings_token_removal_enforce
+ - system_settings_touchid_unlock_disable
+ - system_settings_usb_restricted_mode
+ - system_settings_wifi_disable
+ - section: "Inherent"
+ rules:
+ - audit_record_reduction_report_generation
+ - os_allow_info_passed
+ - os_application_sandboxing
+ - os_change_security_attributes
+ - os_crypto_audit
+ - os_enforce_access_restrictions
+ - os_fail_secure_state
+ - os_grant_privs
+ - os_implement_cryptography
+ - os_implement_memory_protection
+ - os_isolate_security_functions
+ -
os_limit_gui_sessions
+ - os_logical_access
+ - os_logoff_capability_and_message
+ - os_malicious_code_prevention
+ - os_obscure_password
+ - os_predictable_behavior
+ - os_prevent_priv_execution
+ - os_prevent_priv_functions
+ - os_prevent_unauthorized_disclosure
+ - os_prohibit_remote_activation_collab_devices
+ - os_provide_disconnect_remote_access
+ - os_reauth_privilege
+ - os_reauth_users_change_authenticators
+ - os_remove_software_components_after_updates
+ - os_required_crypto_module
+ - os_secure_enclave
+ - os_separate_functionality
+ - os_store_encrypted_passwords
+ - os_unique_identification
+ - os_verify_remote_disconnection
+ - pwpolicy_emergency_accounts_disable
+ - pwpolicy_force_password_change
+ - pwpolicy_temporary_accounts_disable
+ - section: "Permanent"
+ rules:
+ - audit_enforce_dual_auth
+ - audit_off_load_records
+ - audit_records_processing
+ - os_auth_peripherals
+ - os_continuous_monitoring
+ - os_limit_dos_attacks
+ - os_notify_unauthorized_baseline_change
+ - os_protect_dos_attacks
+ - os_provide_automated_account_management
+ - os_reauth_devices_change_authenticators
+ - os_secure_name_resolution
+ - system_settings_wifi_disable_when_connected_to_ethernet
+ - section: "not_applicable"
+ rules:
+ - os_access_control_mobile_devices
+ - os_identify_non-org_users
+ - os_information_validation
+ - os_managed_access_control_points
+ - os_non_repudiation
+ - os_nonlocal_maintenance
+ - section: "Supplemental"
+ rules:
+ - supplemental_controls
+ - supplemental_filevault
+ - supplemental_firewall_pf
+ - supplemental_password_policy
+ - supplemental_smartcard
diff --git a/baselines/cnssi-1253_low.yaml b/baselines/cnssi-1253_low.yaml
new file mode 100644
index 00000000..85a35897
--- /dev/null
+++ b/baselines/cnssi-1253_low.yaml
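Review bot: `system_settings_ssh_disable` and `system_settings_ssh_enable` are both listed under the "systemsettings" section of this High baseline, and the same pair appears in the cnssi-1253_low and cnssi-1253_moderate hunks that follow; by their names the two rules presumably enforce opposite states of the same service, so anyone compiling this profile into a configuration would get contradictory settings. The description does frame the file as a catalog rather than a checklist, so the pairing may be intentional, but nothing in the file says so. I would either keep only the rule that matches the overlay's intent or add a YAML comment beside the pair, e.g. `# ssh_disable and ssh_enable are mutually exclusive: select one per system role`, so benchmark authors do not copy both.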
@@ -0,0 +1,258 @@
+title: "macOS 14.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Low)"
+description: |
+ This guide describes the actions to take when securing a macOS 14.0 system against the Committee on National Security Systems Instruction No. 1253 (Low) security baseline.
+
+ Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
+authors: |
+ *macOS Security Compliance Project*
+
+ |===
+ |Rob Lamb|Los Alamos National Laboratory
+ |Ekkehard Koch|
+ |Bob Gendler|National Institute of Standards and Technology
+ |===
+parent_values: "recommended"
+profile:
+ - section: "auditing"
+ rules:
+ - audit_acls_files_configure
+ - audit_acls_folders_configure
+ - audit_auditd_enabled
+ - audit_configure_capacity_notify
+ - audit_control_acls_configure
+ - audit_control_group_configure
+ - audit_control_mode_configure
+ - audit_control_owner_configure
+ - audit_failure_halt
+ - audit_files_group_configure
+ - audit_files_mode_configure
+ - audit_files_owner_configure
+ - audit_flags_aa_configure
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_flags_fd_configure
+ - audit_flags_fm_configure
+ - audit_flags_fm_failed_configure
+ - audit_flags_fr_configure
+ - audit_flags_fw_configure
+ - audit_flags_lo_configure
+ - audit_folder_group_configure
+ - audit_folder_owner_configure
+ - audit_folders_mode_configure
+ - audit_retention_configure
+ - audit_settings_failure_notify
+ - section: "authentication"
+ rules:
+ - auth_pam_login_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - auth_pam_sudo_smartcard_enforce
+ - auth_smartcard_allow
+ - auth_smartcard_certificate_trust_enforce_moderate
+ - auth_smartcard_enforce
+ - auth_ssh_password_authentication_disable
+
- section: "icloud"
+ rules:
+ - icloud_addressbook_disable
+ - icloud_appleid_system_settings_disable
+ - icloud_bookmarks_disable
+ - icloud_calendar_disable
+ - icloud_drive_disable
+ - icloud_freeform_disable
+ - icloud_game_center_disable
+ - icloud_keychain_disable
+ - icloud_mail_disable
+ - icloud_notes_disable
+ - icloud_photos_disable
+ - icloud_private_relay_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - section: "macos"
+ rules:
+ - os_account_modification_disable
+ - os_airdrop_disable
+ - os_appleid_prompt_disable
+ - os_asl_log_files_owner_group_configure
+ - os_asl_log_files_permissions_configure
+ - os_authenticated_root_enable
+ - os_blank_bluray_disable
+ - os_blank_cd_disable
+ - os_blank_dvd_disable
+ - os_bluray_read_only_enforce
+ - os_bonjour_disable
+ - os_burn_support_disable
+ - os_calendar_app_disable
+ - os_cd_read_only_enforce
+ - os_certificate_authority_trust
+ - os_config_data_install_enforce
+ - os_config_profile_ui_install_disable
+ - os_disk_image_disable
+ - os_dvdram_disable
+ - os_erase_content_and_settings_disable
+ - os_facetime_app_disable
+ - os_filevault_autologin_disable
+ - os_firewall_default_deny_require
+ - os_firewall_log_enable
+ - os_firmware_password_require
+ - os_gatekeeper_enable
+ - os_gatekeeper_rearm
+ - os_handoff_disable
+ - os_home_folders_secure
+ - os_httpd_disable
+ - os_icloud_storage_prompt_disable
+ - os_install_log_retention_configure
+ - os_ir_support_disable
+ - os_mail_app_disable
+ - os_mdm_require
+ - os_messages_app_disable
+ - os_newsyslog_files_owner_group_configure
+ - os_newsyslog_files_permissions_configure
+ - os_nfsd_disable
+ - os_on_device_dictation_enforce
+ - os_parental_controls_enable
+ - os_password_autofill_disable
+ - os_password_hint_remove
+ - os_password_proximity_disable
+ - os_password_sharing_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_policy_banner_ssh_configure
+ - os_policy_banner_ssh_enforce
+ - os_power_nap_disable
+ -
os_privacy_setup_prompt_disable
+ - os_rapid_security_response_allow
+ - os_rapid_security_response_removal_disable
+ - os_recovery_lock_enable
+ - os_removable_media_disable
+ - os_root_disable
+ - os_screensaver_loginwindow_enforce
+ - os_sip_enable
+ - os_siri_prompt_disable
+ - os_skip_screen_time_prompt_enable
+ - os_skip_unlock_with_watch_enable
+ - os_ssh_fips_compliant
+ - os_ssh_server_alive_count_max_configure
+ - os_ssh_server_alive_interval_configure
+ - os_sshd_channel_timeout_configure
+ - os_sshd_client_alive_count_max_configure
+ - os_sshd_client_alive_interval_configure
+ - os_sshd_fips_compliant
+ - os_sshd_login_grace_time_configure
+ - os_sshd_permit_root_login_configure
+ - os_sshd_unused_connection_timeout_configure
+ - os_sudoers_timestamp_type_configure
+ - os_system_read_only
+ - os_tftpd_disable
+ - os_time_server_enabled
+ - os_touchid_prompt_disable
+ - os_unlock_active_user_session_disable
+ - os_user_app_installation_prohibit
+ - os_uucp_disable
+ - section: "passwordpolicy"
+ rules:
+ - pwpolicy_account_lockout_enforce
+ - pwpolicy_account_lockout_timeout_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_custom_regex_enforce
+ - pwpolicy_history_enforce
+ - pwpolicy_max_lifetime_enforce
+ - pwpolicy_minimum_length_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_simple_sequence_disable
+ - pwpolicy_special_character_enforce
+ - section: "systemsettings"
+ rules:
+ - system_settings_airplay_receiver_disable
+ - system_settings_apple_watch_unlock_disable
+ - system_settings_automatic_login_disable
+ - system_settings_automatic_logout_enforce
+ - system_settings_bluetooth_disable
+ - system_settings_bluetooth_sharing_disable
+ - system_settings_cd_dvd_sharing_disable
+ - system_settings_content_caching_disable
+ - system_settings_critical_update_install_enforce
+ - system_settings_diagnostics_reports_disable
+ - system_settings_filevault_enforce
+ - system_settings_find_my_disable
+ - system_settings_firewall_enable
+ -
system_settings_firewall_stealth_mode_enable
+ - system_settings_gatekeeper_identified_developers_allowed
+ - system_settings_gatekeeper_override_disallow
+ - system_settings_guest_access_smb_disable
+ - system_settings_guest_account_disable
+ - system_settings_hot_corners_disable
+ - system_settings_hot_corners_secure
+ - system_settings_improve_siri_dictation_disable
+ - system_settings_internet_accounts_disable
+ - system_settings_internet_sharing_disable
+ - system_settings_location_services_disable
+ - system_settings_loginwindow_prompt_username_password_enforce
+ - system_settings_media_sharing_disabled
+ - system_settings_password_hints_disable
+ - system_settings_personalized_advertising_disable
+ - system_settings_printer_sharing_disable
+ - system_settings_rae_disable
+ - system_settings_remote_management_disable
+ - system_settings_screen_sharing_disable
+ - system_settings_screensaver_ask_for_password_delay_enforce
+ - system_settings_screensaver_password_enforce
+ - system_settings_screensaver_timeout_enforce
+ - system_settings_siri_disable
+ - system_settings_smbd_disable
+ - system_settings_ssh_disable
+ - system_settings_ssh_enable
+ - system_settings_system_wide_preferences_configure
+ - system_settings_time_server_configure
+ - system_settings_time_server_enforce
+ - system_settings_token_removal_enforce
+ - system_settings_touchid_unlock_disable
+ - system_settings_usb_restricted_mode
+ - system_settings_wifi_disable
+ - section: "Inherent"
+ rules:
+ - os_allow_info_passed
+ - os_application_sandboxing
+ - os_change_security_attributes
+ - os_grant_privs
+ - os_implement_cryptography
+ - os_logical_access
+ - os_logoff_capability_and_message
+ - os_malicious_code_prevention
+ - os_obscure_password
+ - os_predictable_behavior
+ - os_prevent_priv_execution
+ - os_prevent_priv_functions
+ - os_prevent_unauthorized_disclosure
+ - os_prohibit_remote_activation_collab_devices
+ - os_provide_disconnect_remote_access
+ - os_reauth_privilege
+ -
os_reauth_users_change_authenticators
+ - os_remove_software_components_after_updates
+ - os_required_crypto_module
+ - os_secure_enclave
+ - os_separate_functionality
+ - os_store_encrypted_passwords
+ - os_unique_identification
+ - os_verify_remote_disconnection
+ - pwpolicy_force_password_change
+ - section: "Permanent"
+ rules:
+ - audit_off_load_records
+ - os_auth_peripherals
+ - os_continuous_monitoring
+ - os_protect_dos_attacks
+ - os_reauth_devices_change_authenticators
+ - os_secure_name_resolution
+ - system_settings_wifi_disable_when_connected_to_ethernet
+ - section: "not_applicable"
+ rules:
+ - os_access_control_mobile_devices
+ - os_identify_non-org_users
+ - os_information_validation
+ - os_managed_access_control_points
+ - os_nonlocal_maintenance
+ - section: "Supplemental"
+ rules:
+ - supplemental_controls
+ - supplemental_filevault
+ - supplemental_firewall_pf
+ - supplemental_password_policy
+ - supplemental_smartcard
diff --git a/baselines/cnssi-1253_moderate.yaml b/baselines/cnssi-1253_moderate.yaml
new file mode 100644
index 00000000..0a3d1f83
--- /dev/null
+++ b/baselines/cnssi-1253_moderate.yaml
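Review bot: The Low baseline's authentication section uses `auth_smartcard_certificate_trust_enforce_moderate`, the same rule the Moderate baseline uses, and its macos section omits `os_secure_boot_verify`, which both the High and Moderate baselines list. Neither difference is obviously dictated by a lower overlay, so it is worth confirming they are deliberate rather than copy-paste drift between the three new files. If they are intentional, a one-line YAML comment next to the authentication section, e.g. `# Low reuses the moderate certificate-trust rule by design`, would save the next editor the same question.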
@@ -0,0 +1,271 @@
+title: "macOS 14.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Moderate)"
+description: |
+ This guide describes the actions to take when securing a macOS 14.0 system against the Committee on National Security Systems Instruction No. 1253 (Moderate) security baseline.
+
+ Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
+authors: |
+ *macOS Security Compliance Project*
+
+ |===
+ |Rob Lamb|Los Alamos National Laboratory
+ |Ekkehard Koch|
+ |Bob Gendler|National Institute of Standards and Technology
+ |===
+parent_values: "recommended"
+profile:
+ - section: "auditing"
+ rules:
+ - audit_acls_files_configure
+ - audit_acls_folders_configure
+ - audit_auditd_enabled
+ - audit_configure_capacity_notify
+ - audit_control_acls_configure
+ - audit_control_group_configure
+ - audit_control_mode_configure
+ - audit_control_owner_configure
+ - audit_failure_halt
+ - audit_files_group_configure
+ - audit_files_mode_configure
+ - audit_files_owner_configure
+ - audit_flags_aa_configure
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_flags_fd_configure
+ - audit_flags_fm_configure
+ - audit_flags_fm_failed_configure
+ - audit_flags_fr_configure
+ - audit_flags_fw_configure
+ - audit_flags_lo_configure
+ - audit_folder_group_configure
+ - audit_folder_owner_configure
+ - audit_folders_mode_configure
+ - audit_retention_configure
+ - audit_settings_failure_notify
+ - section: "authentication"
+ rules:
+ - auth_pam_login_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - auth_pam_sudo_smartcard_enforce
+ - auth_smartcard_allow
+ - auth_smartcard_certificate_trust_enforce_moderate
+ - auth_smartcard_enforce
+ -
auth_ssh_password_authentication_disable
+ - section: "icloud"
+ rules:
+ - icloud_addressbook_disable
+ - icloud_appleid_system_settings_disable
+ - icloud_bookmarks_disable
+ - icloud_calendar_disable
+ - icloud_drive_disable
+ - icloud_freeform_disable
+ - icloud_game_center_disable
+ - icloud_keychain_disable
+ - icloud_mail_disable
+ - icloud_notes_disable
+ - icloud_photos_disable
+ - icloud_private_relay_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - section: "macos"
+ rules:
+ - os_account_modification_disable
+ - os_airdrop_disable
+ - os_appleid_prompt_disable
+ - os_asl_log_files_owner_group_configure
+ - os_asl_log_files_permissions_configure
+ - os_authenticated_root_enable
+ - os_blank_bluray_disable
+ - os_blank_cd_disable
+ - os_blank_dvd_disable
+ - os_bluray_read_only_enforce
+ - os_bonjour_disable
+ - os_burn_support_disable
+ - os_calendar_app_disable
+ - os_cd_read_only_enforce
+ - os_certificate_authority_trust
+ - os_config_data_install_enforce
+ - os_config_profile_ui_install_disable
+ - os_disk_image_disable
+ - os_dvdram_disable
+ - os_erase_content_and_settings_disable
+ - os_facetime_app_disable
+ - os_filevault_autologin_disable
+ - os_firewall_default_deny_require
+ - os_firewall_log_enable
+ - os_firmware_password_require
+ - os_gatekeeper_enable
+ - os_gatekeeper_rearm
+ - os_handoff_disable
+ - os_home_folders_secure
+ - os_httpd_disable
+ - os_icloud_storage_prompt_disable
+ - os_install_log_retention_configure
+ - os_ir_support_disable
+ - os_mail_app_disable
+ - os_mdm_require
+ - os_messages_app_disable
+ - os_newsyslog_files_owner_group_configure
+ - os_newsyslog_files_permissions_configure
+ - os_nfsd_disable
+ - os_on_device_dictation_enforce
+ - os_parental_controls_enable
+ - os_password_autofill_disable
+ - os_password_hint_remove
+ - os_password_proximity_disable
+ - os_password_sharing_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_policy_banner_ssh_configure
+ - os_policy_banner_ssh_enforce
+
- os_power_nap_disable
+ - os_privacy_setup_prompt_disable
+ - os_rapid_security_response_allow
+ - os_rapid_security_response_removal_disable
+ - os_recovery_lock_enable
+ - os_removable_media_disable
+ - os_root_disable
+ - os_screensaver_loginwindow_enforce
+ - os_secure_boot_verify
+ - os_sip_enable
+ - os_siri_prompt_disable
+ - os_skip_screen_time_prompt_enable
+ - os_skip_unlock_with_watch_enable
+ - os_ssh_fips_compliant
+ - os_ssh_server_alive_count_max_configure
+ - os_ssh_server_alive_interval_configure
+ - os_sshd_channel_timeout_configure
+ - os_sshd_client_alive_count_max_configure
+ - os_sshd_client_alive_interval_configure
+ - os_sshd_fips_compliant
+ - os_sshd_login_grace_time_configure
+ - os_sshd_permit_root_login_configure
+ - os_sshd_unused_connection_timeout_configure
+ - os_sudoers_timestamp_type_configure
+ - os_system_read_only
+ - os_tftpd_disable
+ - os_time_server_enabled
+ - os_touchid_prompt_disable
+ - os_unlock_active_user_session_disable
+ - os_user_app_installation_prohibit
+ - os_uucp_disable
+ - section: "passwordpolicy"
+ rules:
+ - pwpolicy_account_inactivity_enforce
+ - pwpolicy_account_lockout_enforce
+ - pwpolicy_account_lockout_timeout_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_custom_regex_enforce
+ - pwpolicy_history_enforce
+ - pwpolicy_max_lifetime_enforce
+ - pwpolicy_minimum_length_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_simple_sequence_disable
+ - pwpolicy_special_character_enforce
+ - pwpolicy_temporary_or_emergency_accounts_disable
+ - section: "systemsettings"
+ rules:
+ - system_settings_airplay_receiver_disable
+ - system_settings_apple_watch_unlock_disable
+ - system_settings_automatic_login_disable
+ - system_settings_automatic_logout_enforce
+ - system_settings_bluetooth_disable
+ - system_settings_bluetooth_sharing_disable
+ - system_settings_cd_dvd_sharing_disable
+ - system_settings_content_caching_disable
+ - system_settings_critical_update_install_enforce
+ -
system_settings_diagnostics_reports_disable
+ - system_settings_filevault_enforce
+ - system_settings_find_my_disable
+ - system_settings_firewall_enable
+ - system_settings_firewall_stealth_mode_enable
+ - system_settings_gatekeeper_identified_developers_allowed
+ - system_settings_gatekeeper_override_disallow
+ - system_settings_guest_access_smb_disable
+ - system_settings_guest_account_disable
+ - system_settings_hot_corners_disable
+ - system_settings_hot_corners_secure
+ - system_settings_improve_siri_dictation_disable
+ - system_settings_internet_accounts_disable
+ - system_settings_internet_sharing_disable
+ - system_settings_location_services_disable
+ - system_settings_loginwindow_prompt_username_password_enforce
+ - system_settings_media_sharing_disabled
+ - system_settings_password_hints_disable
+ - system_settings_personalized_advertising_disable
+ - system_settings_printer_sharing_disable
+ - system_settings_rae_disable
+ - system_settings_remote_management_disable
+ - system_settings_screen_sharing_disable
+ - system_settings_screensaver_ask_for_password_delay_enforce
+ - system_settings_screensaver_password_enforce
+ - system_settings_screensaver_timeout_enforce
+ - system_settings_siri_disable
+ - system_settings_smbd_disable
+ - system_settings_ssh_disable
+ - system_settings_ssh_enable
+ - system_settings_system_wide_preferences_configure
+ - system_settings_time_server_configure
+ - system_settings_time_server_enforce
+ - system_settings_token_removal_enforce
+ - system_settings_touchid_unlock_disable
+ - system_settings_usb_restricted_mode
+ - system_settings_wifi_disable
+ - section: "Inherent"
+ rules:
+ - audit_record_reduction_report_generation
+ - os_allow_info_passed
+ - os_application_sandboxing
+ - os_change_security_attributes
+ - os_enforce_access_restrictions
+ - os_grant_privs
+ - os_implement_cryptography
+ - os_implement_memory_protection
+ - os_limit_gui_sessions
+ - os_logical_access
+ - os_logoff_capability_and_message
+ -
os_malicious_code_prevention
+ - os_obscure_password
+ - os_predictable_behavior
+ - os_prevent_priv_execution
+ - os_prevent_priv_functions
+ - os_prevent_unauthorized_disclosure
+ - os_prohibit_remote_activation_collab_devices
+ - os_provide_disconnect_remote_access
+ - os_reauth_privilege
+ - os_reauth_users_change_authenticators
+ - os_remove_software_components_after_updates
+ - os_required_crypto_module
+ - os_secure_enclave
+ - os_separate_functionality
+ - os_store_encrypted_passwords
+ - os_unique_identification
+ - os_verify_remote_disconnection
+ - pwpolicy_emergency_accounts_disable
+ - pwpolicy_force_password_change
+ - pwpolicy_temporary_accounts_disable
+ - section: "Permanent"
+ rules:
+ - audit_off_load_records
+ - audit_records_processing
+ - os_auth_peripherals
+ - os_continuous_monitoring
+ - os_limit_dos_attacks
+ - os_protect_dos_attacks
+ - os_provide_automated_account_management
+ - os_reauth_devices_change_authenticators
+ - os_secure_name_resolution
+ - system_settings_wifi_disable_when_connected_to_ethernet
+ - section: "not_applicable"
+ rules:
+ - os_access_control_mobile_devices
+ - os_identify_non-org_users
+ - os_information_validation
+ - os_managed_access_control_points
+ - os_non_repudiation
+ - os_nonlocal_maintenance
+ - section: "Supplemental"
+ rules:
+ - supplemental_controls
+ - supplemental_filevault
+ - supplemental_firewall_pf
+ - supplemental_password_policy
+ - supplemental_smartcard
From adb21421fc8456171120f56441a44e426b679320 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Tue, 19 Sep 2023 14:30:13 -0400
Subject: [PATCH 41/62] CCEs added
---
rules/os/os_account_modification_disable.yaml | 2 +-
rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/os/os_account_modification_disable.yaml b/rules/os/os_account_modification_disable.yaml
index 524fc77a..738ead5d 100644
--- a/rules/os/os_account_modification_disable.yaml
+++ b/rules/os/os_account_modification_disable.yaml
@@ -22,7 +22,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - N/A
+ - CCE-93012-3
cci: - N/A 800-53r5:
diff --git a/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml b/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml
index 8e0994ab..c55795d9 100644
--- a/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml
@@ -16,7 +16,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - N/A
+ - CCE-93011-5
cci: - N/A 800-53r5:
diff --git a/baselines/cmmc_lvl1.yaml b/baselines/cmmc_lvl1.yaml
index 20150aee..4ce8d551 100644
--- a/baselines/cmmc_lvl1.yaml
+++ b/baselines/cmmc_lvl1.yaml
@@ -4,8 +4,6 @@ description: |
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
- *macOS Security Compliance Project*
-
|===
|John Mahlman|Leidos
|Bob Gendler|National Institute of Standards and Technology
@@ -26,6 +24,7 @@ profile: - icloud_bookmarks_disable - icloud_calendar_disable - icloud_drive_disable + - icloud_freeform_disable - icloud_game_center_disable - icloud_keychain_disable - icloud_mail_disable
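Review bot: `icloud_freeform_disable` is added to the cmmc_lvl1 baseline in the `@@ -26,6 +24,7 @@` hunk, and `os_on_device_dictation_enforce` in the `@@ -50,6 +50,7 @@` hunk that follows, but the commit's diffstat touches no rule file for either, whereas `os_auth_peripherals` (added in the `@@ -38,6 +37,7 @@` hunk) does receive a matching `cmmc_lvl1` entry in `rules/os/os_auth_peripherals.yaml`. Unless those two rule files already carry `cmmc_lvl1` in their `tags:` list, the baseline and the per-rule metadata are now out of sync, and whatever is generated from the tags will presumably not show the level-1 membership; I would add `- cmmc_lvl1` to each rule's tags in the same commit. The final `@@ -95,3 +96,4 @@` hunk also appends a whitespace-only line with no trailing newline after `supplemental_smartcard`, which should be dropped.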
@@ -38,6 +37,7 @@ profile: rules: - os_airdrop_disable - os_appleid_prompt_disable + - os_auth_peripherals - os_authenticated_root_enable - os_config_data_install_enforce - os_filevault_autologin_disable
@@ -50,6 +50,7 @@ profile: - os_httpd_disable - os_icloud_storage_prompt_disable - os_nfsd_disable + - os_on_device_dictation_enforce - os_rapid_security_response_allow - os_rapid_security_response_removal_disable - os_recovery_lock_enable
@@ -95,3 +96,4 @@ profile: - supplemental_firewall_pf - supplemental_password_policy - supplemental_smartcard +
\ No newline at end of file
diff --git a/baselines/cmmc_lvl2.yaml b/baselines/cmmc_lvl2.yaml
index 9191b337..17f7e85e 100644
--- a/baselines/cmmc_lvl2.yaml
+++ b/baselines/cmmc_lvl2.yaml
@@ -4,8 +4,6 @@ description: |
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
- *macOS Security Compliance Project*
-
|===
|John Mahlman|Leidos
|Bob Gendler|National Institute of Standards and Technology
diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml
index 759d6017..94537daa 100644
--- a/rules/os/os_auth_peripherals.yaml
+++ b/rules/os/os_auth_peripherals.yaml
@@ -42,5 +42,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2
+ - cmmc_lvl1
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml
index f627acd7..e898e85c 100644
--- a/rules/os/os_calendar_app_disable.yaml
+++ b/rules/os/os_calendar_app_disable.yaml
@@ -5,7 +5,7 @@ discussion: | [IMPORTANT] ==== - Some organizations allow the use of the built-in Calendar.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + Some organizations allow the use of the built-in Calendar.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Calendar.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== [IMPORTANT] From 3d6b52d1931a8ff92d9c881658a71fa16c6be191 Mon Sep 17 00:00:00 2001 From: mahlmanj Date: Tue, 19 Sep 2023 15:51:00 -0400 Subject: [PATCH 43/62] Adding os_account_modification_disable --- rules/os/os_account_modification_disable.yaml | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 rules/os/os_account_modification_disable.yaml diff --git a/rules/os/os_account_modification_disable.yaml b/rules/os/os_account_modification_disable.yaml new file mode 100644 index 00000000..738ead5d --- /dev/null +++ b/rules/os/os_account_modification_disable.yaml 
@@ -0,0 +1,73 @@ +id: os_account_modification_disable +title: "Disable AppleID and Internet Account Modifications" +discussion: | + The system _MUST_ disable account modification. + + Account modification includes adding additional or modifying internet acounts in Apple Mail, Calendar, Contacts, in the Internet Account System Setting Pane, or the AppleID System Setting Pane. + + This prevents the addition of unauthorized accounts. + + [IMPORTANT] + ==== + Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowAccountModification').js + EOS +result: + string: "false" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-93012-3 + cci: + - N/A + 800-53r5: + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + 800-53r4: + - CM-7 + - CM-7(1) + - AC-20 + - AC-20(1) + - SC-7(10) + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - 3.1.20 + - 3.4.6 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + cmmc: + - N/A +macOS: + - "14.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cisv8 + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - cmmc_lvl2 + - cmmc_lvl1 +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowAccountModification: false \ No newline at end of file From cbf3cfe65cd705e37a47582836db0f1d81d3eb1e Mon Sep 17 00:00:00 2001 
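Review bot: The discussion text of the new rule has a typo and an inconsistent pane name: `internet acounts` should read `internet accounts`, and the second paragraph refers to the `Internet Account System Setting Pane` / `AppleID System Setting Pane` while the IMPORTANT block calls it the `Internet Accounts System Preference pane`; one name should be used throughout, e.g. `Internet Accounts pane in System Settings`. The `cmmc:` reference list is `N/A` even though the rule carries `cmmc_lvl1` and `cmmc_lvl2` tags; if the tags are intended, the matching CMMC practice identifiers belong in the references so the generated baselines can cite them. The check reads `allowAccountModification` from the `com.apple.applicationaccess` suite, which matches the `mobileconfig_info` payload, so check and fix agree.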
From: mahlmanj Date: Tue, 19 Sep 2023 15:51:11 -0400 Subject: [PATCH 44/62] Updateing baselines with new rule --- baselines/cmmc_lvl1.yaml | 1 + baselines/cmmc_lvl2.yaml | 1 + rules/os/os_account_modification_disable.yaml | 4 +++- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/baselines/cmmc_lvl1.yaml b/baselines/cmmc_lvl1.yaml index 4ce8d551..53dc3e96 100644 --- a/baselines/cmmc_lvl1.yaml +++ b/baselines/cmmc_lvl1.yaml @@ -35,6 +35,7 @@ profile: - icloud_sync_disable - section: "macos" rules: + - os_account_modification_disable - os_airdrop_disable - os_appleid_prompt_disable - os_auth_peripherals diff --git a/baselines/cmmc_lvl2.yaml b/baselines/cmmc_lvl2.yaml index 17f7e85e..6c36ec3e 100644 --- a/baselines/cmmc_lvl2.yaml +++ b/baselines/cmmc_lvl2.yaml @@ -66,6 +66,7 @@ profile: - icloud_sync_disable - section: "macos" rules: + - os_account_modification_disable - os_airdrop_disable - os_appleid_prompt_disable - os_auth_peripherals diff --git a/rules/os/os_account_modification_disable.yaml b/rules/os/os_account_modification_disable.yaml index 738ead5d..b8c63014 100644 --- a/rules/os/os_account_modification_disable.yaml +++ b/rules/os/os_account_modification_disable.yaml @@ -50,7 +50,9 @@ references: - 4.1 - 4.8 cmmc: - - N/A + - AC.L1-3.1.20 + - CM.L2-3.4.6 + - CM.L2-3.4.7 macOS: - "14.0" tags: From 8ba1987b9f75c89b4b614823b268f6d6ed794a31 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Wed, 20 Sep 2023 13:45:39 -0400 Subject: [PATCH 45/62] refactor[rules] CIS re-numbering Updated CIS benchmark numbers --- rules/os/os_anti_virus_installed.yaml | 13 +++++++++++-- rules/os/os_gatekeeper_enable.yaml | 2 +- rules/os/os_guest_folder_removed.yaml | 2 +- rules/os/os_mdm_require.yaml | 4 +++- rules/os/os_setup_assistant_filevault_enforce.yaml | 2 +- .../pwpolicy_account_lockout_timeout_enforce.yaml | 8 ++++++-- rules/supplemental/supplemental_cis_manual.yaml | 4 +++- ...system_settings_diagnostics_reports_disable.yaml | 2 +- .../system_settings_filevault_enforce.yaml | 2 +- ...m_settings_personalized_advertising_disable.yaml | 2 +- ..._settings_system_wide_preferences_configure.yaml | 2 +- 11 files changed, 30 insertions(+), 13 deletions(-) diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml index 2fc1ba99..605b8b19 100644 --- a/rules/os/os_anti_virus_installed.yaml +++ b/rules/os/os_anti_virus_installed.yaml @@ -24,13 +24,22 @@ references: 800-53r4: - SI-2 srg: - - SRG-OS-000480-GPOS-00227 + - N/A disa_stig: - N/A + cis: + benchmark: + - 5.10 (level 1) + controls v8: + - 10.5 + - 10.1 + - 10.2 macOS: - "14.0" tags: - - none + - cis_lvl1 + - cis_lvl2 + - cisv8 severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml index 51e1c2df..05736d17 100644 --- a/rules/os/os_gatekeeper_enable.yaml +++ b/rules/os/os_gatekeeper_enable.yaml @@ -39,7 +39,7 @@ references: - 3.4.5 cis: benchmark: - - 2.6.4 (level 1) + - 2.6.5 (level 1) controls v8: - 10.1 - 10.2 diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml index 02c3ac50..83692f3c 100644 --- a/rules/os/os_guest_folder_removed.yaml +++ b/rules/os/os_guest_folder_removed.yaml @@ -28,7 +28,7 @@ references: - N/A cis: benchmark: - - 5.10 (level 1) + - 5.9 (level 1) controls v8: - 4.1 macOS: 
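Review bot: In the os_anti_virus_installed hunk the `srg:` entry `SRG-OS-000480-GPOS-00227` is replaced by `N/A`, which is a control-mapping removal rather than a CIS re-numbering and is not explained by the commit message; if the SRG no longer applies, say so in the message, otherwise keep the entry. The remaining hunks in this commit (gatekeeper, guest folder, mdm_require, setup_assistant_filevault, the system_settings files) only shift benchmark numbers and are consistent with each other (the guest-folder rule moves 5.10→5.9, freeing 5.10 for anti-virus). The rule also gains `cis_lvl1`/`cis_lvl2` tags while its `fix:` is not part of this hunk, so whether it is a manual check is not visible here.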
diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml index f64e8e85..81d5391c 100644 --- a/rules/os/os_mdm_require.yaml +++ b/rules/os/os_mdm_require.yaml @@ -44,7 +44,7 @@ references: - 3.4.2 cis: benchmark: - - N/A + - 1.8 (level 1) controls v8: - 4.1 - 5.1 @@ -60,6 +60,8 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 + - cis_lvl1 + - cis_lvl2 - cisv8 - cnssi-1253_moderate - cnssi-1253_low diff --git a/rules/os/os_setup_assistant_filevault_enforce.yaml b/rules/os/os_setup_assistant_filevault_enforce.yaml index c7280288..691a80b6 100644 --- a/rules/os/os_setup_assistant_filevault_enforce.yaml +++ b/rules/os/os_setup_assistant_filevault_enforce.yaml @@ -34,7 +34,7 @@ references: - 3.13.16 cis: benchmark: - - 2.6.5 (level 1) + - N/A controls v8: - 3.6 - 3.11 diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml index b3f34303..4d9cab9b 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml @@ -27,9 +27,9 @@ references: - 3.1.8 cis: benchmark: - - N/A + - 5.2.1 (level 1) controls v8: - - 4.1 + - 6.2 cmmc: - AC.L2-3.1.8 macOS: @@ -38,6 +38,8 @@ odv: hint: "Number of minutes." recommended: 15 stig: 15 + cis_lvl1: 15 + cis_lvl2: 15 tags: - 800-171 - 800-53r4_low @@ -47,6 +49,8 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 + - cis_lvl1 + - cis_lvl2 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index fb30797e..11c312af 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml 
@@ -16,13 +16,15 @@ discussion: | 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information + 2.5.1 Audit Siri Settings + 2.6.1.3 Audit Location Services Access + - 2.6.6 Audit Lockdown Mode + + 2.6.2.1 Audit Full Disk Access for Applications + + 2.6.7 Audit Lockdown Mode + 2.8.1 Audit Universal Control Settings + 2.11.2 Audit Touch ID + 2.13.1 Audit Passwords System Preference Setting + 2.14.1 Audit Game Center Settings + 2.15.1 Audit Notification & Focus Settings + 2.16.1 Audit Wallet & Apple Pay Settings + + 2.17.1 Audit Internet Accounts for Authorized Use + |=== [cols="15%h, 85%a"] diff --git a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml index 326f5e0b..13851c97 100644 --- a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml +++ b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml @@ -42,7 +42,7 @@ references: - 3.1.20 cis: benchmark: - - 2.6.2 (level 2) + - 2.6.3 (level 2) controls v8: - 4.1 - 4.8 diff --git a/rules/system_settings/system_settings_filevault_enforce.yaml b/rules/system_settings/system_settings_filevault_enforce.yaml index 13257a44..a416b27c 100644 --- a/rules/system_settings/system_settings_filevault_enforce.yaml +++ b/rules/system_settings/system_settings_filevault_enforce.yaml @@ -43,7 +43,7 @@ references: - 3.13.16 cis: benchmark: - - 2.6.5 (level 1) + - 2.6.6 (level 1) controls v8: - 3.6 - 3.11 diff --git a/rules/system_settings/system_settings_personalized_advertising_disable.yaml b/rules/system_settings/system_settings_personalized_advertising_disable.yaml index f5498016..672f96f4 100644 --- a/rules/system_settings/system_settings_personalized_advertising_disable.yaml +++ b/rules/system_settings/system_settings_personalized_advertising_disable.yaml @@ -36,7 +36,7 @@ references: - 3.4.6 cis: benchmark: - - 2.6.3 (level 1) + - 2.6.4 (level 1) controls v8: - 4.8 cmmc: 
diff --git a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml index 0a7a5910..7a4252ae 100644 --- a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml +++ b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml @@ -53,7 +53,7 @@ references: - 3.1.6 cis: benchmark: - - 2.6.7 (level 1) + - 2.6.8 (level 1) controls v8: - 4.1 cmmc: From 93805368697c9df5948f2d5ace159303e37f0765 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 20 Sep 2023 13:54:17 -0400 Subject: [PATCH 46/62] refractor[rules] cmmc merge --- custom/rules/.gitignore | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 custom/rules/.gitignore diff --git a/custom/rules/.gitignore b/custom/rules/.gitignore new file mode 100644 index 00000000..86d0cb27 --- /dev/null +++ b/custom/rules/.gitignore @@ -0,0 +1,4 @@ +# Ignore everything in this directory +* +# Except this file +!.gitignore \ No newline at end of file From be766ebd062f8d3f1c401ed33dca8736736b83c3 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 20 Sep 2023 13:57:14 -0400 Subject: [PATCH 47/62] added *macOS Security Compliance Project* --- baselines/cmmc_lvl1.yaml | 2 ++ baselines/cmmc_lvl2.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/baselines/cmmc_lvl1.yaml b/baselines/cmmc_lvl1.yaml index ccbaae41..d15dcf3b 100644 --- a/baselines/cmmc_lvl1.yaml +++ b/baselines/cmmc_lvl1.yaml @@ -4,6 +4,8 @@ description: | Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | + *macOS Security Compliance Project* + |=== |John Mahlman|Leidos |Bob Gendler|National Institute of Standards and Technology 
diff --git a/baselines/cmmc_lvl2.yaml b/baselines/cmmc_lvl2.yaml index 6c36ec3e..41fe3fb0 100644 --- a/baselines/cmmc_lvl2.yaml +++ b/baselines/cmmc_lvl2.yaml @@ -4,6 +4,8 @@ description: | Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | + *macOS Security Compliance Project* + |=== |John Mahlman|Leidos |Bob Gendler|National Institute of Standards and Technology From 06e9c53a075e99ee80bb014e362c9f5153e8c94a Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 20 Sep 2023 14:37:32 -0400 Subject: [PATCH 48/62] cnssi-1253 tags added --- rules/audit/audit_acls_files_configure.yaml | 1 - ...reensaver_timeout_loginwindow_enforce.yaml | 2 +- rules/os/os_sshd_fips_140_macs.yaml | 71 ------------------- 3 files changed, 1 insertion(+), 73 deletions(-) delete mode 100644 rules/os/os_sshd_fips_140_macs.yaml diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index c148e263..1bd86415 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -52,7 +52,6 @@ tags: - cisv8 - cnssi-1253_moderate - cnssi-1253_low - - cnssi-1253_high - cmmc_lvl2 severity: "medium" mobileconfig: false diff --git a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml index 1e567d30..b1adbb12 100644 --- a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml @@ -48,7 +48,7 @@ odv: recommended: 1200 stig: 900 tags: - - none + - cnssi-1253_moderate severity: "medium" mobileconfig: true mobileconfig_info: 
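Review bot: The audit_acls_files_configure hunk drops the `cnssi-1253_high` tag, but baselines/cnssi-1253_high.yaml is not touched in this commit, so the rule tags and the generated baseline disagree until the separate baseline update later in the series; the tag removal and the baseline change should travel together. The commit title says tags were added, while this hunk removes one and the commit also deletes rules/os/os_sshd_fips_140_macs.yaml outright (baselines/all_rules.yaml still lists it at this point); a title such as `cnssi-1253 tag cleanup; drop os_sshd_fips_140_macs` would describe the change. The os_screensaver_timeout_loginwindow_enforce hunk (`- none` → `- cnssi-1253_moderate`) is consistent with the later cnssi-1253_moderate baseline addition.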
diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml deleted file mode 100644 index 27399c51..00000000 --- a/rules/os/os_sshd_fips_140_macs.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -id: os_sshd_fips_140_macs -title: "Limit SSHD to FIPS 140 Validated Message Authentication Code Algorithms" -discussion: | - If SSHD is enabled then it _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms. This is required for compliance with the DISA STIG for macOS. - - In order to meet FIPS 140-3 compliance, please use the configuration in *os_sshd_fips_compliant* which follows the recommended guidelines from Apple in the manpage *apple_ssh_and_fips* and found on - - link:https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web[] - - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. -check: | - /usr/sbin/sshd -G | /usr/bin/grep -ci "^MACs hmac-sha2-256,hmac-sha2-512" -result: - integer: 1 -fix: | - [source,bash] - ---- - include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') - - if [[ -z $include_dir ]]; then - /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config - fi - - /usr/bin/grep -qxF 'MACs hmac-sha2-256,hmac-sha2-512' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "MACs hmac-sha2-256,hmac-sha2-512" >> "${include_dir}01-mscp-sshd.conf" - - for file in $(ls ${include_dir}); do - if [[ "$file" == "100-macos.conf" ]]; then - continue - fi - if [[ "$file" == "01-mscp-sshd.conf" ]]; then - break - fi - /bin/mv ${include_dir}${file} ${include_dir}20-${file} - done - ---- -references: - cce: - - CCE-92901-8 - cci: - - N/A - 800-53r5: - - AC-17(2) - - IA-7 - - SC-13 - - SC-8(1) - 800-53r4: - - AC-17(2) - - IA-7 - - SC-8(1) - - SC-13 - - MA-4(6) - srg: - - N/A - disa_stig: - - N/A - 800-171r2: - - 3.1.13 - - 3.13.8 - - 3.13.11 - cmmc: - - AC.L2-3.1.13 - - MP.L2-3.8.6 - - SC.L2-3.13.8 - - SC.L2-3.13.11 -macOS: - - "14.0" -tags: - - none -severity: "high" -mobileconfig: false -mobileconfig_info: \ No newline at 
end of file From 225f2fa6f4dfa1686ee123b910dc3da6e00de346 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 20 Sep 2023 14:43:52 -0400 Subject: [PATCH 49/62] set release date 9-21-23 --- VERSION.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION.yaml b/VERSION.yaml index 595e0022..b2d8fd1a 100644 --- a/VERSION.yaml +++ b/VERSION.yaml @@ -2,4 +2,4 @@ os: "14.0" platform: macOS version: "Sonoma Guidance, Revision 1.0" cpe: o:apple:macos:14.0 -date: "2023-XX-XX" +date: "2023-09-21" From ed1eb1b890a20a53fc1ff64ec6946cb885610b77 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 20 Sep 2023 14:44:04 -0400 Subject: [PATCH 50/62] updated baselines --- baselines/800-171.yaml | 1 + baselines/800-53r5_high.yaml | 1 + baselines/800-53r5_low.yaml | 1 + baselines/800-53r5_moderate.yaml | 1 + baselines/all_rules.yaml | 1 - baselines/cis_lvl1.yaml | 3 +++ baselines/cis_lvl2.yaml | 3 +++ baselines/cisv8.yaml | 2 ++ baselines/cmmc_lvl1.yaml | 6 ++++-- baselines/cmmc_lvl2.yaml | 11 +++-------- baselines/cnssi-1253_high.yaml | 2 +- baselines/cnssi-1253_low.yaml | 1 + baselines/cnssi-1253_moderate.yaml | 2 ++ 13 files changed, 23 insertions(+), 12 deletions(-) diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml index c725766d..c8c226d5 100644 --- a/baselines/800-171.yaml +++ b/baselines/800-171.yaml @@ -176,6 +176,7 @@ profile: - os_nonlocal_maintenance - section: "Supplemental" rules: + - supplemental_cis_manual - supplemental_controls - supplemental_filevault - supplemental_firewall_pf diff --git a/baselines/800-53r5_high.yaml b/baselines/800-53r5_high.yaml index a963f3c1..c4d77c6a 100644 --- a/baselines/800-53r5_high.yaml +++ b/baselines/800-53r5_high.yaml @@ -227,6 +227,7 @@ profile: - os_nonlocal_maintenance - section: "Supplemental" rules: + - supplemental_cis_manual - supplemental_controls - supplemental_filevault - supplemental_firewall_pf 
diff --git a/baselines/800-53r5_low.yaml b/baselines/800-53r5_low.yaml index 9d337456..93a93410 100644 --- a/baselines/800-53r5_low.yaml +++ b/baselines/800-53r5_low.yaml @@ -174,6 +174,7 @@ profile: - os_nonlocal_maintenance - section: "Supplemental" rules: + - supplemental_cis_manual - supplemental_controls - supplemental_filevault - supplemental_firewall_pf diff --git a/baselines/800-53r5_moderate.yaml b/baselines/800-53r5_moderate.yaml index 23fa64d4..4de3812d 100644 --- a/baselines/800-53r5_moderate.yaml +++ b/baselines/800-53r5_moderate.yaml @@ -218,6 +218,7 @@ profile: - os_nonlocal_maintenance - section: "Supplemental" rules: + - supplemental_cis_manual - supplemental_controls - supplemental_filevault - supplemental_firewall_pf diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index 0b25f16f..47d9bda9 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -158,7 +158,6 @@ profile: - os_sshd_channel_timeout_configure - os_sshd_client_alive_count_max_configure - os_sshd_client_alive_interval_configure - - os_sshd_fips_140_macs - os_sshd_fips_compliant - os_sshd_login_grace_time_configure - os_sshd_permit_root_login_configure diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml index 1f215a09..84b6d315 100644 --- a/baselines/cis_lvl1.yaml +++ b/baselines/cis_lvl1.yaml @@ -31,6 +31,7 @@ profile: - section: "macos" rules: - os_airdrop_disable + - os_anti_virus_installed - os_authenticated_root_enable - os_config_data_install_enforce - os_firewall_log_enable @@ -39,6 +40,7 @@ profile: - os_home_folders_secure - os_httpd_disable - os_install_log_retention_configure + - os_mdm_require - os_mobile_file_integrity_enable - os_nfsd_disable - os_on_device_dictation_enforce @@ -63,6 +65,7 @@ profile: - section: "passwordpolicy" rules: - pwpolicy_account_lockout_enforce + - pwpolicy_account_lockout_timeout_enforce - pwpolicy_history_enforce - pwpolicy_max_lifetime_enforce - pwpolicy_minimum_length_enforce 
diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml index 2c723965..6d5f7208 100644 --- a/baselines/cis_lvl2.yaml +++ b/baselines/cis_lvl2.yaml @@ -41,6 +41,7 @@ profile: - section: "macos" rules: - os_airdrop_disable + - os_anti_virus_installed - os_authenticated_root_enable - os_bonjour_disable - os_config_data_install_enforce @@ -53,6 +54,7 @@ profile: - os_home_folders_secure - os_httpd_disable - os_install_log_retention_configure + - os_mdm_require - os_mobile_file_integrity_enable - os_nfsd_disable - os_on_device_dictation_enforce @@ -79,6 +81,7 @@ profile: - section: "passwordpolicy" rules: - pwpolicy_account_lockout_enforce + - pwpolicy_account_lockout_timeout_enforce - pwpolicy_alpha_numeric_enforce - pwpolicy_custom_regex_enforce - pwpolicy_history_enforce diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml index 804afed9..6f2f273f 100644 --- a/baselines/cisv8.yaml +++ b/baselines/cisv8.yaml @@ -65,6 +65,7 @@ profile: rules: - os_account_modification_disable - os_airdrop_disable + - os_anti_virus_installed - os_appleid_prompt_disable - os_authenticated_root_enable - os_bonjour_disable @@ -198,6 +199,7 @@ profile: - os_access_control_mobile_devices - section: "Supplemental" rules: + - supplemental_cis_manual - supplemental_controls - supplemental_filevault - supplemental_firewall_pf diff --git a/baselines/cmmc_lvl1.yaml b/baselines/cmmc_lvl1.yaml index d15dcf3b..c4210edc 100644 --- a/baselines/cmmc_lvl1.yaml +++ b/baselines/cmmc_lvl1.yaml @@ -40,7 +40,6 @@ profile: - os_account_modification_disable - os_airdrop_disable - os_appleid_prompt_disable - - os_auth_peripherals - os_authenticated_root_enable - os_config_data_install_enforce - os_filevault_autologin_disable 
@@ -92,11 +91,14 @@ profile: rules: - os_logical_access - os_malicious_code_prevention + - section: "Permanent" + rules: + - os_auth_peripherals - section: "Supplemental" rules: + - supplemental_cis_manual - supplemental_controls - supplemental_filevault - supplemental_firewall_pf - supplemental_password_policy - supplemental_smartcard - diff --git a/baselines/cmmc_lvl2.yaml b/baselines/cmmc_lvl2.yaml index 41fe3fb0..d52ffd41 100644 --- a/baselines/cmmc_lvl2.yaml +++ b/baselines/cmmc_lvl2.yaml @@ -71,7 +71,6 @@ profile: - os_account_modification_disable - os_airdrop_disable - os_appleid_prompt_disable - - os_auth_peripherals - os_authenticated_root_enable - os_blank_bluray_disable - os_blank_cd_disable @@ -116,8 +115,6 @@ profile: - os_removable_media_disable - os_root_disable - os_screensaver_loginwindow_enforce - - os_screensaver_timeout_loginwindow_enforce - - os_setup_assistant_filevault_enforce - os_sip_enable - os_siri_prompt_disable - os_skip_screen_time_prompt_enable @@ -128,10 +125,7 @@ profile: - os_sshd_channel_timeout_configure - os_sshd_client_alive_count_max_configure - os_sshd_client_alive_interval_configure - - os_sshd_fips_140_ciphers - - os_sshd_fips_140_macs - os_sshd_fips_compliant - - os_sshd_key_exchange_algorithm_configure - os_sshd_login_grace_time_configure - os_sshd_unused_connection_timeout_configure - os_tftpd_disable @@ -146,14 +140,13 @@ profile: - pwpolicy_account_lockout_enforce - pwpolicy_account_lockout_timeout_enforce - pwpolicy_alpha_numeric_enforce + - pwpolicy_custom_regex_enforce - pwpolicy_history_enforce - - pwpolicy_lower_case_character_enforce - pwpolicy_max_lifetime_enforce - pwpolicy_minimum_length_enforce - pwpolicy_minimum_lifetime_enforce - pwpolicy_simple_sequence_disable - pwpolicy_special_character_enforce - - pwpolicy_upper_case_character_enforce - section: "systemsettings" rules: - system_settings_airplay_receiver_disable 
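Review bot: The cmmc_lvl2 hunks in this file section remove os_sshd_fips_140_ciphers, os_sshd_key_exchange_algorithm_configure, os_screensaver_timeout_loginwindow_enforce, os_setup_assistant_filevault_enforce, pwpolicy_lower_case_character_enforce and pwpolicy_upper_case_character_enforce from the baseline, but apart from os_sshd_fips_140_macs (whose rule file is deleted earlier in the series) no matching `cmmc_lvl2` tag removal on those rule files appears in this commit or the preceding ones shown here. If baselines are regenerated from rule tags, the tag edits should be in the same commit so the baseline can be reproduced; if they were edited by hand, a sentence in the commit message naming the dropped rules and the reason (e.g. superseded by os_sshd_fips_compliant) would help reviewers of the CMMC mapping. The cmmc_lvl1 hunk also removes a stray trailing `-` line that the earlier "Syncing level 1 baseline" commit introduced, which is fine.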
@@ -220,6 +213,7 @@ profile: - section: "Permanent" rules: - audit_records_processing + - os_auth_peripherals - system_settings_wifi_disable_when_connected_to_ethernet - section: "not_applicable" rules: @@ -228,6 +222,7 @@ profile: - os_nonlocal_maintenance - section: "Supplemental" rules: + - supplemental_cis_manual - supplemental_controls - supplemental_filevault - supplemental_firewall_pf diff --git a/baselines/cnssi-1253_high.yaml b/baselines/cnssi-1253_high.yaml index 634ab13a..61fc5487 100644 --- a/baselines/cnssi-1253_high.yaml +++ b/baselines/cnssi-1253_high.yaml @@ -15,7 +15,6 @@ parent_values: "recommended" profile: - section: "auditing" rules: - - audit_acls_files_configure - audit_acls_folders_configure - audit_auditd_enabled - audit_configure_capacity_notify @@ -270,6 +269,7 @@ profile: - os_nonlocal_maintenance - section: "Supplemental" rules: + - supplemental_cis_manual - supplemental_controls - supplemental_filevault - supplemental_firewall_pf diff --git a/baselines/cnssi-1253_low.yaml b/baselines/cnssi-1253_low.yaml index 85a35897..db6af6a6 100644 --- a/baselines/cnssi-1253_low.yaml +++ b/baselines/cnssi-1253_low.yaml @@ -251,6 +251,7 @@ profile: - os_nonlocal_maintenance - section: "Supplemental" rules: + - supplemental_cis_manual - supplemental_controls - supplemental_filevault - supplemental_firewall_pf diff --git a/baselines/cnssi-1253_moderate.yaml b/baselines/cnssi-1253_moderate.yaml index 0a3d1f83..ce9608b0 100644 --- a/baselines/cnssi-1253_moderate.yaml +++ b/baselines/cnssi-1253_moderate.yaml @@ -124,6 +124,7 @@ profile: - os_removable_media_disable - os_root_disable - os_screensaver_loginwindow_enforce + - os_screensaver_timeout_loginwindow_enforce - os_secure_boot_verify - os_sip_enable - os_siri_prompt_disable @@ -264,6 +265,7 @@ profile: - os_nonlocal_maintenance - section: "Supplemental" rules: + - supplemental_cis_manual - supplemental_controls - supplemental_filevault - supplemental_firewall_pf 
From 894f99dc8306b020037965337c788f162e345eac Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 20 Sep 2023 16:02:28 -0400 Subject: [PATCH 51/62] refactor[rules] audit_auditd_enabled fix Updated auditd fix to no longer require a restart to start the auditd service. --- rules/audit/audit_auditd_enabled.yaml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index fe5a78dc..95f67005 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -9,7 +9,7 @@ discussion: | The information system initiates session audits at system start-up. - NOTE: Security auditing is enabled by default on macOS. + NOTE: Security auditing is NOT enabled by default on macOS Sonoma. check: | LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd) if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]]; then @@ -22,17 +22,19 @@ result: fix: | [source,bash] ---- - LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd) - - if [[ ! $LAUNCHD_RUNNING == 1 ]]; then - /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist - fi - if [[ ! -e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]];then /bin/cp /etc/security/audit_control.example /etc/security/audit_control else /usr/bin/touch /etc/security/audit_control fi + + LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd) + + if [[ ! $LAUNCHD_RUNNING == 1 ]]; then + /bin/launchctl enable system/com.apple.auditd + /bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist + /usr/sbin/audit -i + fi ---- references: cce: From c4d28b13503c38b5cea64e56c14695a10d9f8857 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Wed, 20 Sep 2023 16:09:20 -0400 Subject: [PATCH 52/62] refactor[rules] auditd check/fix update --- rules/audit/audit_auditd_enabled.yaml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index 95f67005..a9e8603c 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -12,7 +12,8 @@ discussion: | NOTE: Security auditing is NOT enabled by default on macOS Sonoma. check: | LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd) - if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]]; then + AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING") + if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then echo "pass" else echo "fail" @@ -27,14 +28,10 @@ fix: | else /usr/bin/touch /etc/security/audit_control fi - - LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd) - if [[ ! $LAUNCHD_RUNNING == 1 ]]; then - /bin/launchctl enable system/com.apple.auditd - /bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist - /usr/sbin/audit -i - fi + /bin/launchctl enable system/com.apple.auditd + /bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist + /usr/sbin/audit -i ---- references: cce: From 6f27ac219caaffb0284be516b1524dc26f52e8ce Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 20 Sep 2023 20:35:28 -0400 Subject: [PATCH 53/62] removed touch to blank audit_control --- rules/audit/audit_auditd_enabled.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index a9e8603c..6fe7e4d2 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml 
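Review bot: The fix hunk removes the `LAUNCHD_RUNNING` guard, so `launchctl enable` and `launchctl bootstrap` now run even when com.apple.auditd is already loaded; bootstrapping an already-loaded service fails with a non-zero status, which makes the remediation noisy and non-idempotent in exactly the state the new `AUDITD_RUNNING` check in the first hunk was added for (job present, auditing off), where only `audit -i` is needed. Keeping the guard around the two launchctl calls and running `/usr/sbin/audit -i` unconditionally covers both states. The check's `AUC_AUDITING` grep is a good addition; `grep -c` yields 1 only when that condition string appears (the `AUC_NOAUDIT` case does not match), which is what the `== 1` comparison assumes — worth confirming once on a host with auditing disabled. The audit_control copy above the changed lines is unchanged context.
```yaml
fix: |
  # … unchanged: copy of audit_control.example …
  LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
  if [[ ! $LAUNCHD_RUNNING == 1 ]]; then
    /bin/launchctl enable system/com.apple.auditd
    /bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist
  fi
  /usr/sbin/audit -i
```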
@@ -25,8 +25,6 @@ fix: | ---- if [[ ! -e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]];then /bin/cp /etc/security/audit_control.example /etc/security/audit_control - else - /usr/bin/touch /etc/security/audit_control fi /bin/launchctl enable system/com.apple.auditd From 58a57956c388cf2902916eab36cfd0800c579e9a Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 21 Sep 2023 09:46:24 -0400 Subject: [PATCH 54/62] fixed regex in launchd test --- scripts/generate_scap.py | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/scripts/generate_scap.py b/scripts/generate_scap.py index f719aa94..21e5ed37 100755 --- a/scripts/generate_scap.py +++ b/scripts/generate_scap.py @@ -2986,7 +2986,7 @@ def generate_scap(all_rules, all_baselines, args): - '''.format(rule_yaml['id'] + "_" + odv_label,x,domain,x+999,rule_yaml['id'] + "_" + odv_label,domain) + '''.format(rule_yaml['id'] + "_" + odv_label,x,domain,x+999,rule_yaml['id'] + "_" + odv_label,domain.replace('(','').replace(')','')) status = "" if "enable" in rule_yaml["fix"]: @@ -3029,7 +3029,7 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' - '''.format(x, rule_yaml['id'] + "_" + odv_label,domain) + '''.format(x, rule_yaml['id'] + "_" + odv_label,domain.replace('(','').replace(')','')) @@ -3250,11 +3250,16 @@ def generate_scap(all_rules, all_baselines, args): domain = command[5].split()[2] domain = domain.replace('"','').replace("'",'') - + ########### + label_obj = '
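Review bot: With the `else`/`touch` branch removed, a host that has neither `/etc/security/audit_control` nor `audit_control.example` gets no configuration file from this fix, yet the check still requires `-e /etc/security/audit_control`, so the rule keeps failing silently and `audit -i` presumably starts auditd without a configuration or fails — confirm on a system where the example file is absent. Not creating an empty file is the right call (an empty audit_control would leave auditd with no flags or directory configuration), but the gap deserves an explicit message so the operator knows why remediation did not converge, e.g. `[[ -e /etc/security/audit_control ]] || echo "audit_control missing and no audit_control.example to copy" >&2` placed right after the `fi`. The rule's discussion text, outside this hunk, could carry the same caveat.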
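Review bot: The two generate_scap.py hunks strip only `(` and `)` from `domain` before formatting it into the OVAL template, and the identical `.replace('(','').replace(')','')` chain is duplicated in both `.format()` calls; the template text itself is lost in this rendering, so it is not visible whether the value lands in a regex-typed pattern or a plain text element. If it is a regex (as the commit title suggests), stripping changes what the pattern matches — a domain that genuinely contains parentheses would no longer match — whereas `re.escape(domain)` keeps every metacharacter literal, including the `.` in reverse-DNS names; if it is a plain XML value, `xml.sax.saxutils.escape` is the right tool and parentheses need no treatment at all. Either way compute it once before the first template, e.g. `domain_pattern = re.escape(domain)`, and reuse it in both format calls. The third hunk (`@@ -3250,11 +3250,16 @@`) runs past the end of the visible diff and is not reviewed here.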