From 24d3e6a52329c8d2a414cc52236c6697553ad786 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Fri, 1 Sep 2023 10:58:58 -0400
Subject: [PATCH] refactor[rules] Removed rules, removed newstig tag
Removed unneeded rule files Changed tags and references
---
...cloud_appleid_preference_pane_disable.yaml | 44 ------------
rules/os/os_anti_virus_installed.yaml | 1 -
rules/os/os_camera_disable.yaml | 1 -
...reensaver_timeout_loginwindow_enforce.yaml | 8 +--
.../os_setup_assistant_filevault_enforce.yaml | 7 +-
rules/os/os_sshd_fips_140_ciphers.yaml | 71 -------------------
rules/os/os_sshd_fips_140_macs.yaml | 71 -------------------
...sshd_key_exchange_algorithm_configure.yaml | 66 -----------------
.../system_settings_assistant_disable.yaml | 48 -------------
9 files changed, 8 insertions(+), 309 deletions(-)
delete mode 100644 rules/icloud/icloud_appleid_preference_pane_disable.yaml
delete mode 100644 rules/os/os_sshd_fips_140_ciphers.yaml
delete mode 100644 rules/os/os_sshd_fips_140_macs.yaml
delete mode 100644 rules/os/os_sshd_key_exchange_algorithm_configure.yaml
delete mode 100644 rules/system_settings/system_settings_assistant_disable.yaml
diff --git a/rules/icloud/icloud_appleid_preference_pane_disable.yaml b/rules/icloud/icloud_appleid_preference_pane_disable.yaml
deleted file mode 100644
index 00e52f12..00000000
--- a/rules/icloud/icloud_appleid_preference_pane_disable.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-id: icloud_appleid_preference_pane_disable
-title: Disable the Preference Pane for Apple ID
-discussion: | - This is required for compliance with the DISA STIG for macOS. - - The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. - - link:https://developer.apple.com/documentation/devicemanagement/systempreferences[]
-check: | - /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledPreferencePanes"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.preferences.AppleIDPrefPane"
-result: - integer: 1
-fix: | - This is implemented by a Configuration Profile.
-references: - cce: - - N/A - cci: - - N/A - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - N/A - disa_stig: - - N/A - 800-171r2: - - N/A - cis: - benchmark: - - N/A - controls v8: - - N/A
-macOS: - - '14.0'
-tags: - - none
-severity: high
-mobileconfig: true
-mobileconfig_info: - com.apple.systempreferences: - DisabledPreferencePanes: - - com.apple.preferences.AppleIDPrefPane
diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml
index b42a26b9..1dfb4594 100644
--- a/rules/os/os_anti_virus_installed.yaml
+++ b/rules/os/os_anti_virus_installed.yaml
@@ -30,7 +30,6 @@ references:
macOS: - '14.0' tags: - - none - newstig severity: high mobileconfig: false
diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml
index 8187ebc6..8b9797c8 100644
--- a/rules/os/os_camera_disable.yaml
+++ b/rules/os/os_camera_disable.yaml
@@ -28,7 +28,6 @@ references:
macOS: - '14.0' tags: - - none - newstig severity: medium mobileconfig: true
diff --git a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml
index 79be7014..8f3c4118 100644
--- a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml
+++ b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml
@@ -26,19 +26,18 @@ references:
cci: - CCI-000057 800-53r5: - - AC-11 - - IA-11 + - N/A srg: - SRG-OS-000029-GPOS-00010 disa_stig: - N/A 800-171r2: - - 3.1.10 + - N/A cis: benchmark: - N/A controls v8: - - 4.3 + - N/A macOS: - '14.0' odv:
@@ -46,7 +45,6 @@ odv:
recommended: 1200 stig: 900 tags: - - none - newstig severity: medium mobileconfig: true
diff --git a/rules/os/os_setup_assistant_filevault_enforce.yaml b/rules/os/os_setup_assistant_filevault_enforce.yaml
index 05ffd6fb..d11b1d00 100644
--- a/rules/os/os_setup_assistant_filevault_enforce.yaml
+++ b/rules/os/os_setup_assistant_filevault_enforce.yaml
@@ -34,7 +34,7 @@ references:
- 3.13.16 cis: benchmark: - - 2.6.5 (level 1) + - N/A controls v8: - 3.6 - 3.11
@@ -43,7 +43,10 @@ references:
macOS: - '14.0' tags: - - none + - 800-53r5_moderate + - 800-53r5_high + - cisv8 + - cmmc_lvl2 - newstig severity: high mobileconfig: true
diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml
deleted file mode 100644
index f4e7baa9..00000000
--- a/rules/os/os_sshd_fips_140_ciphers.yaml
+++ /dev/null
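Review bot: Setting 800-53r5 to N/A in the first hunk of os_screensaver_timeout_loginwindow_enforce.yaml (the removed `- AC-11` and `- IA-11` lines) leaves the references block internally inconsistent, because the same hunk keeps `- CCI-000057` under cci and `- SRG-OS-000029-GPOS-00010` under srg, and as far as I recall both identifiers trace to the AC-11 session-lock control that a login-window idle timeout implements. The same hunk also replaces 800-171r2 `3.1.10` and controls v8 `4.3` with N/A, and nothing in the commit message explains why a session-lock rule stopped mapping to those frameworks. If the removal is deliberate, the description should say so; otherwise the removed mappings should be restored so generated baseline documentation does not lose the control linkage while the rule itself stays in place.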
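Review bot: The tags added in the second hunk of os_setup_assistant_filevault_enforce.yaml (`800-53r5_moderate`, `800-53r5_high`, `cisv8`, `cmmc_lvl2`) appear to enrol the rule in four baselines, since tags select baseline membership in this project as far as I can tell, yet neither the subject line nor the body mentions any baseline additions. The first hunk shows controls v8 3.6 and 3.11 and 800-171r2 3.13.16, which support the cisv8 and presumably the cmmc_lvl2 tag, while no 800-53r5 entry is in view, so please confirm the references above line 34 carry the 800-53r5 controls the two new tags imply before the rule lands in those baselines. Note also that `- newstig` is a context line here and in the os_anti_virus_installed, os_camera_disable and os_screensaver hunks, so the subject's "removed newstig tag" only holds for the deleted files; what these hunks actually remove is the `none` tag. A one-line addition to the description such as `Added os_setup_assistant_filevault_enforce to the 800-53r5 moderate/high, CIS v8 and CMMC L2 baselines` would make the scope of the change reviewable.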
@@ -1,71 +0,0 @@
-id: os_sshd_fips_140_ciphers
-title: Limit SSHD to FIPS 140 Validated Ciphers
-discussion: | - If SSHD is enabled then it _MUST_ be configured to limit the ciphers to specific algorithms. This is required for compliance with the DISA STIG for macOS. - - In order to meet FIPS 140-3 compliance, please use the configuration in *os_sshd_fips_compliant* which follows the recommended guidelines from Apple in the manpage *apple_ssh_and_fips* and found on - - link:https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web[] - - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
-check: | - /usr/sbin/sshd -G | /usr/bin/grep -ci "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr"
-result: - integer: 1
-fix: | - [source,bash] - ---- - include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') - - if [[ -z $include_dir ]]; then - /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config - fi - - /usr/bin/grep -qxF 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> "${include_dir}01-mscp-sshd.conf" - - for file in $(ls ${include_dir}); do - if [[ "$file" == "100-macos.conf" ]]; then - continue - fi - if [[ "$file" == "01-mscp-sshd.conf" ]]; then - break - fi - /bin/mv ${include_dir}${file} ${include_dir}20-${file} - done - ----
-references: - cce: - - N/A - cci: - - N/A - 800-53r5: - - AC-17(2) - - IA-7 - - SC-13 - - SC-8(1) - 800-53r4: - - AC-17(2) - - IA-7 - - SC-8(1) - - SC-13 - - MA-4(6) - srg: - - N/A - disa_stig: - - N/A - 800-171r2: - - 3.1.13 - - 3.13.8 - - 3.13.11 - cmmc: - - AC.L2-3.1.13 - - MP.L2-3.8.6 - - SC.L2-3.13.8 - - SC.L2-3.13.11
-macOS: - - '14.0'
-tags: - - none
-severity: high
-mobileconfig: false
-mobileconfig_info:
diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml
deleted file mode 100644
index 3359a71b..00000000
--- a/rules/os/os_sshd_fips_140_macs.yaml
+++ /dev/null
@@ -1,71 +0,0 @@
-id: os_sshd_fips_140_macs
-title: Limit SSHD to FIPS 140 Validated Message Authentication Code Algorithms
-discussion: | - If SSHD is enabled then it _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms. This is required for compliance with the DISA STIG for macOS. - - In order to meet FIPS 140-3 compliance, please use the configuration in *os_sshd_fips_compliant* which follows the recommended guidelines from Apple in the manpage *apple_ssh_and_fips* and found on - - link:https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web[] - - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
-check: | - /usr/sbin/sshd -G | /usr/bin/grep -ci "^MACs hmac-sha2-256,hmac-sha2-512"
-result: - integer: 1
-fix: | - [source,bash] - ---- - include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') - - if [[ -z $include_dir ]]; then - /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config - fi - - /usr/bin/grep -qxF 'MACs hmac-sha2-256,hmac-sha2-512' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "MACs hmac-sha2-256,hmac-sha2-512" >> "${include_dir}01-mscp-sshd.conf" - - for file in $(ls ${include_dir}); do - if [[ "$file" == "100-macos.conf" ]]; then - continue - fi - if [[ "$file" == "01-mscp-sshd.conf" ]]; then - break - fi - /bin/mv ${include_dir}${file} ${include_dir}20-${file} - done - ----
-references: - cce: - - N/A - cci: - - N/A - 800-53r5: - - AC-17(2) - - IA-7 - - SC-13 - - SC-8(1) - 800-53r4: - - AC-17(2) - - IA-7 - - SC-8(1) - - SC-13 - - MA-4(6) - srg: - - N/A - disa_stig: - - N/A - 800-171r2: - - 3.1.13 - - 3.13.8 - - 3.13.11 - cmmc: - - AC.L2-3.1.13 - - MP.L2-3.8.6 - - SC.L2-3.13.8 - - SC.L2-3.13.11
-macOS: - - '14.0'
-tags: - - none
-severity: high
-mobileconfig: false
-mobileconfig_info:
diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
deleted file mode 100644
index 7752afbf..00000000
--- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-id: os_sshd_key_exchange_algorithm_configure
-title: Configure SSHD to Use Secure Key Exchange Algorithms
-discussion: | - If SSHD is enabled then it _MUST_ be configured to limit the Message Key Exchange Algorithms. This is required for compliance with the DISA STIG for macOS. - - In order to meet FIPS 140-3 compliance, please use the configuration in *os_sshd_fips_compliant* which follows the recommended guidelines from Apple in the manpage *apple_ssh_and_fips* and found on - - link:https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web[] - - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
-check: | - /usr/sbin/sshd -G | /usr/bin/grep -ci "^KexAlgorithms diffie-hellman-group-exchange-sha256"
-result: - integer: 1
-fix: | - [source,bash] - ---- - include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') - - if [[ -z $include_dir ]]; then - /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config - fi - - /usr/bin/grep -qxF 'KexAlgorithms diffie-hellman-group-exchange-sha256' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "KexAlgorithms diffie-hellman-group-exchange-sha256" >> "${include_dir}01-mscp-sshd.conf" - - for file in $(ls ${include_dir}); do - if [[ "$file" == "100-macos.conf" ]]; then - continue - fi - if [[ "$file" == "01-mscp-sshd.conf" ]]; then - break - fi - /bin/mv ${include_dir}${file} ${include_dir}20-${file} - done - ----
-references: - cce: - - N/A - cci: - - N/A - 800-53r5: - - AC-17(2) - - IA-7 - - MA-4(6) - 800-53r4: - - IA-7 - - AC-17(2) - - MA-4(6) - srg: - - N/A - disa_stig: - - N/A - 800-171r2: - - N/A - cmmc: - - AC.L2-3.1.13
-macOS: - - '14.0'
-tags: - - cnssi-1253_moderate - - cnssi-1253_low - - cnssi-1253_high - - cmmc_lvl2
-severity: high
-mobileconfig: false
-mobileconfig_info:
diff --git a/rules/system_settings/system_settings_assistant_disable.yaml b/rules/system_settings/system_settings_assistant_disable.yaml
deleted file mode 100644
index e7f6aee0..00000000
--- a/rules/system_settings/system_settings_assistant_disable.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-id: system_settings_assistant_disable
-title: Disable Assistant
-discussion: | - This is required for compliance with the DISA STIG for macOS. - - This is not a documented setting for *com.apple.ironwood.support*. - - link:https://developer.apple.com/documentation/devicemanagement/parentalcontroldictationandprofanity/[]
-check: | - /usr/bin/osascript -l JavaScript << EOS - $.NSUserDefaults.alloc.initWithSuiteName('com.apple.ironwood.support')\ - .objectForKey('Assistant Allowed').js - EOS
-result: - string: 'false'
-fix: | - This is implemented by a Configuration Profile.
-references: - cce: - - N/A - cci: - - CCI-000381 - - CCI-001774 - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - N/A - 800-171r2: - - N/A - cis: - benchmark: - - N/A - controls v8: - - N/A
-macOS: - - '14.0'
-tags: - - none - - newstig
-severity: medium
-mobileconfig: true
-mobileconfig_info: - com.apple.ironwood.support: - Assistant Allowed: false