refactor[rules] Removed rules, removed newstig tag

Removed unneeded rule files
Changed tags and references
This commit is contained in:
Bob Gendler
2023-09-01 10:58:58 -04:00
parent b6c92804e2
commit 24d3e6a523
9 changed files with 8 additions and 309 deletions

View File

@@ -1,44 +0,0 @@
id: icloud_appleid_preference_pane_disable
title: Disable the Preference Pane for Apple ID
discussion: |
This is required for compliance with the DISA STIG for macOS.
The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key.
link:https://developer.apple.com/documentation/devicemanagement/systempreferences[]
check: |
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.preferences.AppleIDPrefPane"
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
- N/A
800-53r5:
- N/A
800-53r4:
- N/A
srg:
- N/A
disa_stig:
- N/A
800-171r2:
- N/A
cis:
benchmark:
- N/A
controls v8:
- N/A
macOS:
- '14.0'
tags:
- none
severity: high
mobileconfig: true
mobileconfig_info:
com.apple.systempreferences:
DisabledPreferencePanes:
- com.apple.preferences.AppleIDPrefPane
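Review bot: the check in this deleted rule greps `DisabledPreferencePanes` for `com.apple.preferences.AppleIDPrefPane`, while the rule's own discussion states that the `com.apple.systempreferences` domain is deprecated since macOS 13 and that `DisabledSystemSettings` is the recommended key, so the check was testing a deprecated key on a rule scoped only to macOS '14.0'. Dropping it is consistent, but the rule was severity high and the commit message lists only removals; a replacement that sets `DisabledSystemSettings` for the Apple ID pane should either be part of this change or be named in the commit message so the control does not silently disappear.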

View File

@@ -30,7 +30,6 @@ references:
macOS:
- '14.0'
tags:
- none
- newstig
severity: high
mobileconfig: false
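Review bot: removing `newstig` leaves this rule tagged only `none`; if baselines are assembled by tag, nothing now pulls the rule into a STIG baseline, so either a replacement tag or an explicit baseline entry is needed for it to stay in generated guidance. The same applies to the other `newstig` removals in this commit.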

View File

@@ -28,7 +28,6 @@ references:
macOS:
- '14.0'
tags:
- none
- newstig
severity: medium
mobileconfig: true

View File

@@ -26,19 +26,18 @@ references:
cci:
- CCI-000057
800-53r5:
- AC-11
- IA-11
- N/A
srg:
- SRG-OS-000029-GPOS-00010
disa_stig:
- N/A
800-171r2:
- 3.1.10
- N/A
cis:
benchmark:
- N/A
controls v8:
- 4.3
- N/A
macOS:
- '14.0'
odv:
@@ -46,7 +45,6 @@ odv:
recommended: 1200
stig: 900
tags:
- none
- newstig
severity: medium
mobileconfig: true
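Review bot: in the references hunk, a real reference is listed directly above an `N/A` entry in three places (`- IA-11` then `- N/A` under 800-53r5, `- 3.1.10` then `- N/A` under 800-171r2, `- 4.3` then `- N/A` under controls v8); the rendered diff dropped its +/- markers so it is not readable here which of those lines survive, but any `N/A` left beside an actual control should be removed, since a reference list should not carry both. Separately, `disa_stig` stays `N/A` while `srg` maps to SRG-OS-000029-GPOS-00010, `cci` to CCI-000057 and the ODV block carries a `stig: 900` value, so a STIG ID should be filled in here once one is assigned.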

View File

@@ -34,7 +34,7 @@ references:
- 3.13.16
cis:
benchmark:
- 2.6.5 (level 1)
- N/A
controls v8:
- 3.6
- 3.11
@@ -43,7 +43,10 @@ references:
macOS:
- '14.0'
tags:
- none
- 800-53r5_moderate
- 800-53r5_high
- cisv8
- cmmc_lvl2
- newstig
severity: high
mobileconfig: true
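Review bot: the tags hunk adds `800-53r5_moderate`, `800-53r5_high`, `cisv8` and `cmmc_lvl2`, but the context shown does not include the 800-53r5 or cmmc reference entries that would justify them, and the `cis: benchmark:` hunk above changes between `2.6.5 (level 1)` and `N/A` (direction not readable on this page). Confirm the `cisv8` tag is backed by the `controls v8` entries 3.6 and 3.11 rather than by the benchmark line, and that the 800-53r5 and cmmc mappings exist before the moderate, high and level 2 tags are applied.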

View File

@@ -1,71 +0,0 @@
id: os_sshd_fips_140_ciphers
title: Limit SSHD to FIPS 140 Validated Ciphers
discussion: |
If SSHD is enabled then it _MUST_ be configured to limit the ciphers to specific algorithms. This is required for compliance with the DISA STIG for macOS.
In order to meet FIPS 140-3 compliance, please use the configuration in *os_sshd_fips_compliant* which follows the recommended guidelines from Apple in the manpage *apple_ssh_and_fips* and found on
link:https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web[]
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
/usr/sbin/sshd -G | /usr/bin/grep -ci "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr"
result:
integer: 1
fix: |
[source,bash]
----
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
if [[ "$file" == "100-macos.conf" ]]; then
continue
fi
if [[ "$file" == "01-mscp-sshd.conf" ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
----
references:
cce:
- N/A
cci:
- N/A
800-53r5:
- AC-17(2)
- IA-7
- SC-13
- SC-8(1)
800-53r4:
- AC-17(2)
- IA-7
- SC-8(1)
- SC-13
- MA-4(6)
srg:
- N/A
disa_stig:
- N/A
800-171r2:
- 3.1.13
- 3.13.8
- 3.13.11
cmmc:
- AC.L2-3.1.13
- MP.L2-3.8.6
- SC.L2-3.13.8
- SC.L2-3.13.11
macOS:
- '14.0'
tags:
- none
severity: high
mobileconfig: false
mobileconfig_info:
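Review bot: deleting os_sshd_fips_140_ciphers removes a rule ID that baselines and custom sections may still list; all nine files in this commit are rule YAMLs, so no baseline update is visible. Confirm every reference to `os_sshd_fips_140_ciphers` now points at `os_sshd_fips_compliant`, which the deleted discussion already directs users to. Note also that the deleted check was an exact, order-sensitive match on `Ciphers aes256-ctr,aes192-ctr,aes128-ctr` against `sshd -G` output, which fails on any other ordering or superset, so the consolidated rule should not inherit that pattern unchanged.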

View File

@@ -1,71 +0,0 @@
id: os_sshd_fips_140_macs
title: Limit SSHD to FIPS 140 Validated Message Authentication Code Algorithms
discussion: |
If SSHD is enabled then it _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms. This is required for compliance with the DISA STIG for macOS.
In order to meet FIPS 140-3 compliance, please use the configuration in *os_sshd_fips_compliant* which follows the recommended guidelines from Apple in the manpage *apple_ssh_and_fips* and found on
link:https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web[]
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
/usr/sbin/sshd -G | /usr/bin/grep -ci "^MACs hmac-sha2-256,hmac-sha2-512"
result:
integer: 1
fix: |
[source,bash]
----
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'MACs hmac-sha2-256,hmac-sha2-512' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "MACs hmac-sha2-256,hmac-sha2-512" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
if [[ "$file" == "100-macos.conf" ]]; then
continue
fi
if [[ "$file" == "01-mscp-sshd.conf" ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
----
references:
cce:
- N/A
cci:
- N/A
800-53r5:
- AC-17(2)
- IA-7
- SC-13
- SC-8(1)
800-53r4:
- AC-17(2)
- IA-7
- SC-8(1)
- SC-13
- MA-4(6)
srg:
- N/A
disa_stig:
- N/A
800-171r2:
- 3.1.13
- 3.13.8
- 3.13.11
cmmc:
- AC.L2-3.1.13
- MP.L2-3.8.6
- SC.L2-3.13.8
- SC.L2-3.13.11
macOS:
- '14.0'
tags:
- none
severity: high
mobileconfig: false
mobileconfig_info:
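Review bot: the same dangling-reference check applies to `os_sshd_fips_140_macs`. The deleted fix script also has a path bug that should not be carried into `os_sshd_fips_compliant`: when `include_dir` is empty, the `sed -i.bk "1s/.*/Include ...` line overwrites line 1 of `/etc/ssh/sshd_config` (rather than inserting) but never reassigns `include_dir`, so the following `grep`/`echo` writes `01-mscp-sshd.conf` relative to the current directory and `ls ${include_dir}` lists the current directory instead of `/etc/ssh/sshd_config.d/`. A replacement should set `include_dir=/etc/ssh/sshd_config.d/` in that branch and insert the Include line instead of overwriting line 1.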

View File

@@ -1,66 +0,0 @@
id: os_sshd_key_exchange_algorithm_configure
title: Configure SSHD to Use Secure Key Exchange Algorithms
discussion: |
If SSHD is enabled then it _MUST_ be configured to limit the Message Key Exchange Algorithms. This is required for compliance with the DISA STIG for macOS.
In order to meet FIPS 140-3 compliance, please use the configuration in *os_sshd_fips_compliant* which follows the recommended guidelines from Apple in the manpage *apple_ssh_and_fips* and found on
link:https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web[]
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
/usr/sbin/sshd -G | /usr/bin/grep -ci "^KexAlgorithms diffie-hellman-group-exchange-sha256"
result:
integer: 1
fix: |
[source,bash]
----
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'KexAlgorithms diffie-hellman-group-exchange-sha256' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "KexAlgorithms diffie-hellman-group-exchange-sha256" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
if [[ "$file" == "100-macos.conf" ]]; then
continue
fi
if [[ "$file" == "01-mscp-sshd.conf" ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
----
references:
cce:
- N/A
cci:
- N/A
800-53r5:
- AC-17(2)
- IA-7
- MA-4(6)
800-53r4:
- IA-7
- AC-17(2)
- MA-4(6)
srg:
- N/A
disa_stig:
- N/A
800-171r2:
- N/A
cmmc:
- AC.L2-3.1.13
macOS:
- '14.0'
tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
severity: high
mobileconfig: false
mobileconfig_info:
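Review bot: os_sshd_key_exchange_algorithm_configure was the only one of the three deleted SSH rules carrying baseline tags (`cnssi-1253_moderate`, `cnssi-1253_low`, `cnssi-1253_high`, `cmmc_lvl2`), whereas the ciphers and MACs rules were tagged `none`; deleting it therefore drops a KexAlgorithms control from the CNSSI 1253 and CMMC level 2 baselines unless `os_sshd_fips_compliant` carries those same tags, which this commit does not show. Confirm that before merging. The deleted check also pinned a single method, `diffie-hellman-group-exchange-sha256`, while the discussion points to Apple's `apple_ssh_and_fips` guidance, so the replacement should follow that guidance rather than re-pin this one algorithm.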

View File

@@ -1,48 +0,0 @@
id: system_settings_assistant_disable
title: Disable Assistant
discussion: |
This is required for compliance with the DISA STIG for macOS.
This is not a documented setting for *com.apple.ironwood.support*.
link:https://developer.apple.com/documentation/devicemanagement/parentalcontroldictationandprofanity/[]
check: |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.ironwood.support')\
.objectForKey('Assistant Allowed').js
EOS
result:
string: 'false'
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
- CCI-000381
- CCI-001774
800-53r5:
- N/A
800-53r4:
- N/A
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- N/A
800-171r2:
- N/A
cis:
benchmark:
- N/A
controls v8:
- N/A
macOS:
- '14.0'
tags:
- none
- newstig
severity: medium
mobileconfig: true
mobileconfig_info:
com.apple.ironwood.support:
Assistant Allowed: false
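Review bot: removing system_settings_assistant_disable drops this commit's only mapping to CCI-000381, CCI-001774 and SRG-OS-000095-GPOS-00049. The rule's own discussion says `Assistant Allowed` is not a documented key for `com.apple.ironwood.support`, and the link it cites is for the parentalcontroldictationandprofanity payload rather than that domain, so deleting an unverifiable check is correct; still, confirm another rule satisfies that SRG so the STIG baseline does not lose coverage silently.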