This commit is contained in:
Bob Gendler
2025-07-01 14:43:21 -04:00
74 changed files with 779 additions and 314 deletions


@@ -1,96 +0,0 @@
= Changelog
This document provides a high-level view of the changes to the macOS Security Compliance Project.
== [Sequoia, Revision 1.1] - 2024-12-16]
* Rules
** Added Rules
*** os_iphone_mirroring_disable
*** os_mail_summary_disable
*** os_photos_enhanced_search_disable
*** system_settings_external_intelligence_disable
*** system_settings_external_intelligence_sign_in_disable
** Modified Rules
*** os_sleep_and_display_sleep_apple_silicon_enable
*** os_sudo_log_enforce
*** os_world_writable_library_folder_configure
*** os_password_autofill_disable
*** pwpolicy_alpha_numeric_enforce
*** pwpolicy_custom_regex_enforce
*** pwpolicy_lower_case_character_enforce.yaml
*** pwpolicy_max_lifetime_enforce
*** pwpolicy_minimum_lifetime_enforce
*** pwpolicy_history_enforce
*** pwpolicy_account_lockout_timeout_enforce
*** pwpolicy_account_lockout_enforce
*** pwpolicy_prevent_dictionary_words
*** pwpolicy_simple_sequence_disable
*** pwpolicy_special_character_enforce
*** pwpolicy_upper_case_character_enforce.yaml
*** system_settings_improve_assistive_voice_disable
** Removed Rules
*** system_settings_cd_dvd_sharing_disable
** Bug Fixes
* Baselines
** Added DISA STIG v1r1
** Added CIS Level (Draft -> Final)
** Updated CNSSI-1253
== [Sequoia, Revision 1.0] - 2024-09-12
* Rules
** Added Rules
*** os_genmoji_disable
*** os_image_generation_disable
*** os_iphone_mirroring_disable
*** os_sudo_log_enforce
*** os_writing_tools_disable
** Modified Rules
*** os_anti_virus_installed
*** os_gatekeeper_enable
*** os_ssh_fips_compliant
*** system_settings_firewall_enable
*** system_settings_firewall_stealth_mode_enable
*** system_settings_gatekeeper_identified_developers_allowed
*** system_settings_media_sharing_disabled
*** DDM Support
**** auth_pam_login_smartcard_enforce
**** auth_pam_su_smartcard_enforce
**** auth_pam_sudo_smartcard_enforce
**** auth_ssh_password_authentication_disable
**** os_external_storage_restriction
**** os_network_storage_restriction
**** os_policy_banner_ssh_enforce
**** os_sshd_channel_timeout_configure
**** os_sshd_client_alive_count_max_configure
**** os_sshd_client_alive_interval_configure
**** os_sshd_fips_compliant
**** os_sshd_login_grace_time_configure
**** os_sshd_permit_root_login_configure
**** os_sshd_unused_connection_timeout_configure
**** os_sudo_timeout_configure
**** pwpolicy_account_lockout_enforce
**** pwpolicy_account_lockout_timeout_enforce
**** pwpolicy_alpha_numeric_enforce
**** pwpolicy_custom_regex_enforce
**** pwpolicy_history_enforce
**** pwpolicy_max_lifetime_enforce
**** pwpolicy_minimum_length_enforce
**** pwpolicy_simple_sequence_disable
**** pwpolicy_special_character_enforce
** Removed Rules
*** os_firewall_log_enable
*** os_gatekeeper_rearm
*** os_safari_popups_disabled
** Bug Fixes
* Baselines
** Modified existing baselines
** Updated 800-171 to Revision 3
* Scripts
** generate_guidance
*** Support for Declarative Device Management (DDM)
*** Added support for severity
** generate_baseline
** generate_mappings
** generate_scap
*** Added support for severity

162
CHANGELOG.md Normal file

@@ -0,0 +1,162 @@
# Changelog
This document provides a high-level view of the changes to the macOS Security Compliance Project.
## [Sequoia, Revision 2.0] - 2025-07-01
* Rules
* Added Rules
* os_mail_smart_reply_disable
* os_notes_transcription_disable
* os_notes_transcription_summary_disable
* os_safari_reader_summary_disable
* os_sshd_per_source_penalties_configure
* Modified Rules
* os_genmoji_disable.yaml
* os_implement_cryptography.yaml
* os_iphone_mirroring_disable.yaml
* os_mail_summary_disable.yaml
* os_nfsd_disable.yaml
* os_parental_controls_enable.yaml
* os_password_hint_remove.yaml
* os_power_nap_disable.yaml
* os_separate_functionality.yaml
* os_sleep_and_display_sleep_apple_silicon_enable.yaml
* os_sudo_log_enforce.yaml
* os_time_server_enabled.yaml
* os_unlock_active_user_session_disable
* os_writing_tools_disable.yaml
* pwpolicy_50_percent.yaml
* pwpolicy_history_enforce.yaml
* pwpolicy_upper_case_character_enforce.yaml
* supplemental_cis_manual.yaml
* system_settings_automatic_login_disable.yaml
* system_settings_bluetooth_sharing_disable.yaml
* system_settings_content_caching_disable.yaml
* system_settings_external_intelligence_disable.yaml
* system_settings_external_intelligence_sign_in_disable.yaml
* system_settings_guest_access_smb_disable.yaml
* system_settings_guest_account_disable.yaml
* system_settings_improve_assistive_voice_disable.yaml
* system_settings_improve_search_disable.yaml
* system_settings_internet_sharing_disable.yaml
* system_settings_loginwindow_loginwindowtext_enable.yaml
* system_settings_loginwindow_prompt_username_password_enforce.yaml
* system_settings_media_sharing_disabled.yaml
* system_settings_password_hints_disable.yaml
* system_settings_printer_sharing_disable.yaml
* system_settings_rae_disable.yaml
* system_settings_remote_management_disable.yaml
* system_settings_screen_sharing_disable.yaml
* system_settings_screensaver_ask_for_password_delay_enforce.yaml
* system_settings_screensaver_timeout_enforce.yaml
* system_settings_siri_disable.yaml
* system_settings_siri_listen_disable.yaml
* system_settings_smbd_disable.yaml
* system_settings_software_update_enforce.yaml
* system_settings_ssh_disable.yaml
* system_settings_time_server_configure.yaml
* system_settings_time_server_enforce.yaml
* system_settings_wake_network_access_disable.yaml
* Bug Fixes
* Baselines
* Updated CIS to v1.1.0
* Updated DISA STIG Ver 1, Rel 3
* Scripts
* generate_guidance
* bug fixes
* generate_scap.py
* bug fixes
## [Sequoia, Revision 1.1] - 2024-12-16
* Rules
* Added Rules
* os_iphone_mirroring_disable
* os_mail_summary_disable
* os_photos_enhanced_search_disable
* system_settings_external_intelligence_disable
* system_settings_external_intelligence_sign_in_disable
* Modified Rules
* os_sleep_and_display_sleep_apple_silicon_enable
* os_sudo_log_enforce
* os_world_writable_library_folder_configure
* os_password_autofill_disable
* pwpolicy_alpha_numeric_enforce
* pwpolicy_custom_regex_enforce
* pwpolicy_lower_case_character_enforce.yaml
* pwpolicy_max_lifetime_enforce
* pwpolicy_minimum_lifetime_enforce
* pwpolicy_history_enforce
* pwpolicy_account_lockout_timeout_enforce
* pwpolicy_account_lockout_enforce
* pwpolicy_prevent_dictionary_words
* pwpolicy_simple_sequence_disable
* pwpolicy_special_character_enforce
* pwpolicy_upper_case_character_enforce.yaml
* system_settings_improve_assistive_voice_disable
* Removed Rules
* system_settings_cd_dvd_sharing_disable
* Bug Fixes
* Baselines
* Added DISA STIG v1r1
* Added CIS Level (Draft -> Final)
* Updated CNSSI-1253
## [Sequoia, Revision 1.0] - 2024-09-12
* Rules
* Added Rules
* os_genmoji_disable
* os_image_generation_disable
* os_iphone_mirroring_disable
* os_sudo_log_enforce
* os_writing_tools_disable
* Modified Rules
* os_anti_virus_installed
* os_gatekeeper_enable
* os_ssh_fips_compliant
* system_settings_firewall_enable
* system_settings_firewall_stealth_mode_enable
* system_settings_gatekeeper_identified_developers_allowed
* system_settings_media_sharing_disabled
* DDM Support
* auth_pam_login_smartcard_enforce
* auth_pam_su_smartcard_enforce
* auth_pam_sudo_smartcard_enforce
* auth_ssh_password_authentication_disable
* os_external_storage_restriction
* os_network_storage_restriction
* os_policy_banner_ssh_enforce
* os_sshd_channel_timeout_configure
* os_sshd_client_alive_count_max_configure
* os_sshd_client_alive_interval_configure
* os_sshd_fips_compliant
* os_sshd_login_grace_time_configure
* os_sshd_permit_root_login_configure
* os_sshd_unused_connection_timeout_configure
* os_sudo_timeout_configure
* pwpolicy_account_lockout_enforce
* pwpolicy_account_lockout_timeout_enforce
* pwpolicy_alpha_numeric_enforce
* pwpolicy_custom_regex_enforce
* pwpolicy_history_enforce
* pwpolicy_max_lifetime_enforce
* pwpolicy_minimum_length_enforce
* pwpolicy_simple_sequence_disable
* pwpolicy_special_character_enforce
* Removed Rules
* os_firewall_log_enable
* os_gatekeeper_rearm
* os_safari_popups_disabled
* Bug Fixes
* Baselines
* Modified existing baselines
* Updated 800-171 to Revision 3
* Scripts
* generate_guidance
* Support for Declarative Device Management (DDM)
* Added support for severity
* generate_baseline
* generate_mappings
* generate_scap
* Added support for severity


@@ -1,12 +1,12 @@
== Contributing
## Contributing
=== Engage
Contribute new content, share feedback and ask questions about resources in the repository using the https://github.com/usnistgov/macos_security/issues/new[Issues feature].
### Engage
Contribute new content, share feedback and ask questions about resources in the repository using the [Issues feature](https://github.com/usnistgov/macos_security/issues/new).
=== Operating Rules
### Operating Rules
These operating rules describe and govern NISTs management of this repository and contributors responsibilities. NIST reserves the right to modify this policy at any time.
=== Criteria for Contributions and Feedback
### Criteria for Contributions and Feedback
This is a moderated platform. NIST will only accept contributions that are contributed per the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file.
NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that:
@@ -15,12 +15,12 @@ NIST reserves the right to reject, remove, or edit any contribution or feedback,
* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content;
* is clearly "off topic";
* makes unsupported accusations;
* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government (http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines]; or,
* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government [guidelines](http://www.osec.doc.gov/opog/privacy/PII_BII.html); or,
* contains .exe or .jar file types.
_These file types will not be hosted in the NIST repository; instead, NIST may link to these if hosted elsewhere._
=== Contributor Responsibilities
### Contributor Responsibilities
NIST also reserves the right to reject or remove contributions from the repository if the contributor fails to carry out any of the following responsibilities:
* following the contribution instructions;
@@ -28,4 +28,4 @@ NIST also reserves the right to reject or remove contributions from the reposito
* responding to NIST representatives in a timely manner;
* keeping contributions and contributor GitHub username up to date
*GitHub Help:* If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help https://help.github.com/categories/collaborating-with-issues-and-pull-requests/[page].
**GitHub Help:** If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help [page](https://help.github.com/categories/collaborating-with-issues-and-pull-requests/).


@@ -1,71 +0,0 @@
image::templates/images/mscp_banner_outline.png[]
// settings:
:idprefix:
:idseparator: -
ifndef::env-github[:icons: font]
ifdef::env-github[]
:status:
//:outfilesuffix: .adoc
:caution-caption: :fire:
:important-caption: :exclamation:
:note-caption: :paperclip:
:tip-caption: :bulb:
:warning-caption: :warning:
endif::[]
:uri-org: https://github.com/usnistgov
:uri-repo: {uri-org}/macos_security
ifdef::status[]
image:https://badgen.net/badge/icon/apple?icon=apple&label[link="https://www.apple.com/"]
image:https://badgen.net/badge/icon/14.0?icon=apple&label[link="https://www.apple.com/macos"]
endif::[]
IMPORTANT: We recommend working off of one of the OS branches, rather than the `main` branch.
The macOS Security Compliance Project is an link:LICENSE.md[open source] effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Security and Privacy Controls for Information Systems and Organizations_, Revision 5. This is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL).
This project is the technical implementation of NIST Special Publication, 800-219 (Rev. 1) https://csrc.nist.gov/pubs/sp/800/219/r1/final[Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP)]. NIST Special Publication 800-219 is the official guidance from for automated secure configuration for macOS.
Apple acknowledges the macOS Security Compliance Project with information on their https://support.apple.com/guide/certifications/macos-security-compliance-project-apc322685bb2/web[Platform Certifications] page.
This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
To learn more about the project, please see the {uri-repo}/wiki[wiki].
If you are interested in supporting the development of the project, refer to the link:CONTRIBUTING.adoc[contributor guidance] for more information.
== Usage
Civilian agencies are to use the National Checklist Program as required by https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final[NIST 800-70].
[NOTE]
====
Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) states, “In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technologys website at https://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.”
====
== Authors
[width="100%",cols="1,1"]
|===
|Bob Gendler|NIST
|Allen Golbig|Jamf
|Dan Brodjieski|NASA
|John Mahlman IV|Leidos
|Aaron Kegerreis|DISA
|Henry Stamerjohann|Zentral Pro Services GmbH
|Marco A Piñeryo II|State Department
|Jason Blake|NIST
|Blair Heiserman|NIST
|Joshua Glemza|NASA
|Elyse Anderson|NASA
|Gary Gapinski|NASA
|===
== Changelog
Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes.
== NIST Disclaimer
Any identification of commercial or open-source software in this document is done so purely in order to specify the methodology adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the software identified are necessarily the best available for the purpose.

52
README.md Normal file

@@ -0,0 +1,52 @@
![Alt text](templates/images/mscp_banner_outline.png)
![Alt text](https://badgen.net/badge/icon/apple?icon=apple&label)
![Alt text](https://badgen.net/badge/icon/15.0?icon=apple&label)
> [!IMPORTANT]
> We recommend working off of one of the OS branches, rather than the `main` branch.
The macOS Security Compliance Project is an link:LICENSE.md[open source] effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Security and Privacy Controls for Information Systems and Organizations_, Revision 5. This is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL).
This project is the technical implementation of NIST Special Publication, 800-219 (Rev. 1) [Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP)](https://csrc.nist.gov/pubs/sp/800/219/r1/final). NIST Special Publication 800-219 is the official guidance from for automated secure configuration for macOS.
Apple acknowledges the macOS Security Compliance Project with information on their [Platform Certifications](https://support.apple.com/guide/certifications/macos-security-compliance-project-apc322685bb2/web) page.
This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
To learn more about the project, please see the [wiki](https://github.com/usnistgov/macos_security/wiki).
If you are interested in supporting the development of the project, refer to the [contributor guidance](CONTRIBUTING.md) for more information.
## Usage
Civilian agencies are to use the National Checklist Program as required by [NIST 800-70](https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final).
> [!NOTE]
> Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) states, “In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technologys website at https://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.”
## Authors
|||
|----|----|
|Bob Gendler|NIST|
|Allen Golbig|Jamf
|Dan Brodjieski|NASA
|John Mahlman IV|Leidos
|Aaron Kegerreis|DISA
|Henry Stamerjohann|Zentral Pro Services GmbH
|Marco A Piñeryo II|State Department
|Jason Blake|NIST
|Blair Heiserman|NIST
|Joshua Glemza|NASA
|Elyse Anderson|NASA
|Gary Gapinski|NASA
## Changelog
Refer to the [CHANGELOG](CHANGELOG.md) for a complete list of changes.
## NIST Disclaimer
Any identification of commercial or open-source software in this document is done so purely in order to specify the methodology adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the software identified are necessarily the best available for the purpose.


@@ -1,5 +1,5 @@
os: "15.0"
platform: macOS
version: "Sequoia Guidance, Revision 1.1"
version: "Sequoia Guidance, Revision 2.0"
cpe: o:apple:macos:15.0
date: "2024-12-16"
date: "2025-07-01"


@@ -82,9 +82,12 @@ profile:
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_mail_smart_reply_disable
- os_mail_summary_disable
- os_mdm_require
- os_nfsd_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
- os_on_device_dictation_enforce
- os_password_proximity_disable
- os_password_sharing_disable
@@ -97,6 +100,7 @@ profile:
- os_rapid_security_response_removal_disable
- os_recovery_lock_enable
- os_root_disable
- os_safari_reader_summary_disable
- os_screensaver_loginwindow_enforce
- os_sip_enable
- os_siri_prompt_disable
@@ -163,6 +167,7 @@ profile:
- system_settings_screensaver_timeout_enforce
- system_settings_siri_disable
- system_settings_smbd_disable
- system_settings_ssh_disable
- system_settings_ssh_enable
- system_settings_system_wide_preferences_configure
- system_settings_time_server_configure
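Review bot: In the third hunk of this section `system_settings_ssh_disable` now sits directly beside `system_settings_ssh_enable` in the same profile, and the two rules prescribe opposite states of the same service, so a system evaluated against this baseline will fail one of them unless the project's tooling treats the pair as either/or alternatives. Which of the seven lines in that hunk is the added one cannot be recovered from the rendered view, but the pairing is present on the new side either way. If the intent is "disable SSH unless it is required, and if required configure it through the sshd rules", it would help to say so in the rule's discussion text or in a comment in the baseline, e.g. `# ssh_disable and ssh_enable are mutually exclusive; apply the one matching the system's role`, so that generated guidance and the compliance script do not report a permanent finding. The same pairing appears in the next three baseline sections of this commit.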


@@ -89,11 +89,14 @@ profile:
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_mail_smart_reply_disable
- os_mail_summary_disable
- os_mdm_require
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
- os_on_device_dictation_enforce
- os_password_proximity_disable
- os_password_sharing_disable
@@ -105,6 +108,7 @@ profile:
- os_rapid_security_response_removal_disable
- os_recovery_lock_enable
- os_root_disable
- os_safari_reader_summary_disable
- os_screensaver_loginwindow_enforce
- os_secure_boot_verify
- os_setup_assistant_filevault_enforce
@@ -118,6 +122,7 @@ profile:
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_per_source_penalties_configure
- os_sshd_permit_root_login_configure
- os_sshd_unused_connection_timeout_configure
- os_sudo_log_enforce
@@ -182,6 +187,7 @@ profile:
- system_settings_siri_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable
- system_settings_ssh_disable
- system_settings_ssh_enable
- system_settings_system_wide_preferences_configure
- system_settings_time_server_configure


@@ -79,9 +79,12 @@ profile:
- os_image_generation_disable
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_mail_smart_reply_disable
- os_mail_summary_disable
- os_mdm_require
- os_nfsd_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
- os_on_device_dictation_enforce
- os_password_proximity_disable
- os_password_sharing_disable
@@ -92,11 +95,13 @@ profile:
- os_rapid_security_response_allow
- os_rapid_security_response_removal_disable
- os_root_disable
- os_safari_reader_summary_disable
- os_sip_enable
- os_siri_prompt_disable
- os_skip_unlock_with_watch_enable
- os_ssh_fips_compliant
- os_sshd_fips_compliant
- os_sshd_per_source_penalties_configure
- os_sudo_timeout_configure
- os_sudoers_timestamp_type_configure
- os_tftpd_disable
@@ -149,6 +154,7 @@ profile:
- system_settings_siri_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable
- system_settings_ssh_disable
- system_settings_ssh_enable
- system_settings_time_server_configure
- system_settings_time_server_enforce


@@ -87,11 +87,14 @@ profile:
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_mail_smart_reply_disable
- os_mail_summary_disable
- os_mdm_require
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
- os_on_device_dictation_enforce
- os_password_proximity_disable
- os_password_sharing_disable
@@ -103,6 +106,7 @@ profile:
- os_rapid_security_response_removal_disable
- os_recovery_lock_enable
- os_root_disable
- os_safari_reader_summary_disable
- os_screensaver_loginwindow_enforce
- os_secure_boot_verify
- os_setup_assistant_filevault_enforce
@@ -116,6 +120,7 @@ profile:
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_per_source_penalties_configure
- os_sshd_unused_connection_timeout_configure
- os_sudo_log_enforce
- os_sudo_timeout_configure
@@ -179,6 +184,7 @@ profile:
- system_settings_siri_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable
- system_settings_ssh_disable
- system_settings_ssh_enable
- system_settings_system_wide_preferences_configure
- system_settings_time_server_configure


@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 1"
title: "macOS 15.0: Security Configuration - Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 3"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 1 security baseline.
This guide describes the actions to take when securing a macOS 15.0 system against the Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 3 security baseline.
authors: |
*macOS Security Compliance Project*


@@ -117,6 +117,7 @@ profile:
- os_library_validation_enabled
- os_loginwindow_adminhostinfo_undefined
- os_mail_app_disable
- os_mail_smart_reply_disable
- os_mail_summary_disable
- os_mdm_require
- os_messages_app_disable
@@ -125,6 +126,8 @@ profile:
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
- os_on_device_dictation_enforce
- os_parental_controls_enable
- os_password_autofill_disable
@@ -146,6 +149,7 @@ profile:
- os_safari_advertising_privacy_protection_enable
- os_safari_open_safe_downloads_disable
- os_safari_prevent_cross-site_tracking_enable
- os_safari_reader_summary_disable
- os_safari_show_full_website_address_enable
- os_safari_show_status_bar_enabled
- os_safari_warn_fraudulent_website_enable
@@ -168,6 +172,7 @@ profile:
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_login_grace_time_configure
- os_sshd_per_source_penalties_configure
- os_sshd_permit_root_login_configure
- os_sshd_unused_connection_timeout_configure
- os_sudo_log_enforce


@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - CIS Apple macOS 15.0 Sequoia v1.0.0 Benchmark (Level 1)"
title: "macOS 15.0: Security Configuration - CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 1)"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the CIS Apple macOS 15.0 Sequoia v1.0.0 Benchmark (Level 1) security baseline.
This guide describes the actions to take when securing a macOS 15.0 system against the CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 1) security baseline.
authors: |
*macOS Security Compliance Project*
@@ -39,10 +39,12 @@ profile:
- os_home_folders_secure
- os_httpd_disable
- os_install_log_retention_configure
- os_iphone_mirroring_disable
- os_mail_summary_disable
- os_mdm_require
- os_mobile_file_integrity_enable
- os_nfsd_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
- os_on_device_dictation_enforce
- os_password_hint_remove
- os_power_nap_disable
@@ -64,6 +66,7 @@ profile:
- os_time_server_enabled
- os_unlock_active_user_session_disable
- os_world_writable_system_folder_configure
- os_writing_tools_disable
- section: "passwordpolicy"
rules:
- pwpolicy_account_lockout_enforce
@@ -79,6 +82,8 @@ profile:
- system_settings_bluetooth_sharing_disable
- system_settings_critical_update_install_enforce
- system_settings_diagnostics_reports_disable
- system_settings_external_intelligence_disable
- system_settings_external_intelligence_sign_in_disable
- system_settings_filevault_enforce
- system_settings_firewall_enable
- system_settings_firewall_stealth_mode_enable
@@ -98,7 +103,7 @@ profile:
- system_settings_screen_sharing_disable
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_siri_listen_disable
- system_settings_siri_disable
- system_settings_smbd_disable
- system_settings_software_update_app_update_enforce
- system_settings_software_update_download_enforce


@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - CIS Apple macOS 15.0 Sequoia v1.0.0 Benchmark (Level 2)"
title: "macOS 15.0: Security Configuration - CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 2)"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the CIS Apple macOS 15.0 Sequoia v1.0.0 Benchmark (Level 2) security baseline.
This guide describes the actions to take when securing a macOS 15.0 system against the CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 2) security baseline.
authors: |
*macOS Security Compliance Project*
@@ -50,10 +50,12 @@ profile:
- os_home_folders_secure
- os_httpd_disable
- os_install_log_retention_configure
- os_iphone_mirroring_disable
- os_mail_summary_disable
- os_mdm_require
- os_mobile_file_integrity_enable
- os_nfsd_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
- os_on_device_dictation_enforce
- os_password_hint_remove
- os_policy_banner_loginwindow_enforce
@@ -78,6 +80,7 @@ profile:
- os_unlock_active_user_session_disable
- os_world_writable_library_folder_configure
- os_world_writable_system_folder_configure
- os_writing_tools_disable
- section: "passwordpolicy"
rules:
- pwpolicy_account_lockout_enforce
@@ -97,6 +100,8 @@ profile:
- system_settings_content_caching_disable
- system_settings_critical_update_install_enforce
- system_settings_diagnostics_reports_disable
- system_settings_external_intelligence_disable
- system_settings_external_intelligence_sign_in_disable
- system_settings_filevault_enforce
- system_settings_firewall_enable
- system_settings_firewall_stealth_mode_enable
@@ -104,6 +109,7 @@ profile:
- system_settings_guest_account_disable
- system_settings_hot_corners_secure
- system_settings_improve_assistive_voice_disable
- system_settings_improve_search_disable
- system_settings_improve_siri_dictation_disable
- system_settings_install_macos_updates_enforce
- system_settings_internet_sharing_disable
@@ -120,7 +126,7 @@ profile:
- system_settings_screen_sharing_disable
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_siri_listen_disable
- system_settings_siri_disable
- system_settings_smbd_disable
- system_settings_software_update_app_update_enforce
- system_settings_software_update_download_enforce


@@ -53,14 +53,18 @@ profile:
- os_icloud_storage_prompt_disable
- os_image_generation_disable
- os_iphone_mirroring_disable
- os_mail_smart_reply_disable
- os_mail_summary_disable
- os_nfsd_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
- os_on_device_dictation_enforce
- os_photos_enhanced_search_disable
- os_rapid_security_response_allow
- os_rapid_security_response_removal_disable
- os_recovery_lock_enable
- os_root_disable
- os_safari_reader_summary_disable
- os_sip_enable
- os_siri_prompt_disable
- os_skip_unlock_with_watch_enable


@@ -100,9 +100,12 @@ profile:
- os_install_log_retention_configure
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_mail_smart_reply_disable
- os_mail_summary_disable
- os_mdm_require
- os_nfsd_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
- os_on_device_dictation_enforce
- os_password_hint_remove
- os_password_proximity_disable
@@ -118,6 +121,7 @@ profile:
- os_recovery_lock_enable
- os_removable_media_disable
- os_root_disable
- os_safari_reader_summary_disable
- os_screensaver_loginwindow_enforce
- os_setup_assistant_filevault_enforce
- os_sip_enable


@@ -109,11 +109,14 @@ profile:
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_mail_app_disable
- os_mail_smart_reply_disable
- os_mdm_require
- os_messages_app_disable
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
- os_on_device_dictation_enforce
- os_parental_controls_enable
- os_password_autofill_disable
@@ -130,6 +133,7 @@ profile:
- os_recovery_lock_enable
- os_removable_media_disable
- os_root_disable
- os_safari_reader_summary_disable
- os_screensaver_loginwindow_enforce
- os_secure_boot_verify
- os_setup_assistant_filevault_enforce
@@ -145,6 +149,7 @@ profile:
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_login_grace_time_configure
- os_sshd_per_source_penalties_configure
- os_sshd_permit_root_login_configure
- os_sshd_unused_connection_timeout_configure
- os_sudo_log_enforce


@@ -108,11 +108,14 @@ profile:
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_mail_app_disable
- os_mail_smart_reply_disable
- os_mdm_require
- os_messages_app_disable
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
- os_on_device_dictation_enforce
- os_parental_controls_enable
- os_password_autofill_disable
@@ -129,6 +132,7 @@ profile:
- os_recovery_lock_enable
- os_removable_media_disable
- os_root_disable
- os_safari_reader_summary_disable
- os_screensaver_loginwindow_enforce
- os_setup_assistant_filevault_enforce
- os_sip_enable
@@ -143,6 +147,7 @@ profile:
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_login_grace_time_configure
- os_sshd_per_source_penalties_configure
- os_sshd_permit_root_login_configure
- os_sshd_unused_connection_timeout_configure
- os_sudo_log_enforce


@@ -107,11 +107,14 @@ profile:
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_mail_app_disable
- os_mail_smart_reply_disable
- os_mdm_require
- os_messages_app_disable
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
- os_on_device_dictation_enforce
- os_parental_controls_enable
- os_password_autofill_disable
@@ -128,6 +131,7 @@ profile:
- os_recovery_lock_enable
- os_removable_media_disable
- os_root_disable
- os_safari_reader_summary_disable
- os_screensaver_loginwindow_enforce
- os_secure_boot_verify
- os_setup_assistant_filevault_enforce
@@ -143,6 +147,7 @@ profile:
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_login_grace_time_configure
- os_sshd_per_source_penalties_configure
- os_sshd_permit_root_login_configure
- os_sshd_unused_connection_timeout_configure
- os_sudo_log_enforce


@@ -83,15 +83,15 @@ titles:
800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact
800-53r5_low: NIST SP 800-53 Rev 5 Low Impact
800-171: NIST 800-171 Rev 3
cis_lvl1: CIS Apple macOS 15.0 Sequoia v1.0.0 Benchmark (Level 1)
cis_lvl2: CIS Apple macOS 15.0 Sequoia v1.0.0 Benchmark (Level 2)
cis_lvl1: CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 1)
cis_lvl2: CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 2)
cmmc_lvl1: US CMMC 2.0 Level 1
cmmc_lvl2: US CMMC 2.0 Level 2
cisv8: CIS Controls Version 8
cnssi-1253_low: Committee on National Security Systems Instruction No. 1253 (Low)
cnssi-1253_moderate: Committee on National Security Systems Instruction No. 1253 (Moderate)
cnssi-1253_high: Committee on National Security Systems Instruction No. 1253 (High)
stig: Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 1
stig: Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 3
ddm:
supported_types:
- com.apple.configuration.services.configuration-files


@@ -117,3 +117,4 @@ payloads_types:
- com.apple.preferences.sharing.SharingPrefsExtension
- com.apple.controlcenter
- com.apple.Accessibility
- com.apple.photos.shareddefaults


@@ -1,7 +1,7 @@
id: os_genmoji_disable
title: Disable Genmoji AI Creation
discussion: |-
Apple Intelligence features that use off device AI _MUST_ be disabled.
Apple Intelligence features such as Genmoji that use off device AI _MUST_ be disabled.
check: |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\


@@ -48,7 +48,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- srg
- cnssi-1253_moderate
mobileconfig: false
mobileconfig_info:


@@ -33,14 +33,14 @@ references:
- SRG-OS-000080-GPOS-00048
- SRG-OS-000095-GPOS-00049
disa_stig:
- N/A
- APPL-15-002271
800-171r3:
- 03.01.02
- 03.01.20
- 03.04.06
cis:
benchmark:
- 2.3.1.1 (level 1)
- N/A
controls v8:
- 4.1
- 4.8
@@ -60,8 +60,6 @@ tags:
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cis_lvl1
- cis_lvl2
- cisv8
- cnssi-1253_low
- cnssi-1253_high


@@ -0,0 +1,52 @@
id: os_mail_smart_reply_disable
title: Disable Apple Intelligence Mail Smart Replies
discussion: |-
Apple Intelligence features such as Mail Smart Replies that use off device AI _MUST_ be disabled.
check: |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowMailSmartReplies').js
EOS
result:
string: 'false'
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94567-5
cci:
- CCI-000381
- CCI-001774
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- N/A
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
800-171r3:
- 03.01.20
- 03.04.06
cmmc:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.4'
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- cnssi-1253_moderate
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowMailSmartReplies: false


@@ -25,6 +25,11 @@ references:
800-171r3:
- 03.01.20
- 03.04.06
cis:
benchmark:
- 2.5.1.3 (level 1)
controls v8:
- N/A
cmmc:
- AC.L1-3.1.20
- CM.L2-3.4.6
@@ -38,6 +43,8 @@ tags:
- 800-171
- cmmc_lvl2
- cmmc_lvl1
- cis_lvl1
- cis_lvl2
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:


@@ -3,13 +3,19 @@ title: Disable Network File System Service
discussion: |
Support for Network File Systems (NFS) services is non-essential and, therefore, _MUST_ be disabled.
check: |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.nfsd" => disabled'
isDisabled=$(/sbin/nfsd status | /usr/bin/awk '/nfsd service/ {print $NF}')
if [[ "$isDisabled" == "disabled" ]] && [[ -z $(/usr/bin/pgrep nfsd) ]]; then
echo "pass"
else
echo "fail"
fi
result:
integer: 1
string: "pass"
fix: |
[source,bash]
----
/bin/launchctl disable system/com.apple.nfsd
/bin/rm -rf /etc/exports
----
The system may need to be restarted for the update to take effect.
references:
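Review bot: The rewritten check now requires both `nfsd status` reporting disabled and no running `nfsd` process, but the fix only runs `launchctl disable` and deletes /etc/exports, so an nfsd that is already running keeps the rule failing until reboot (the trailing note concedes this). Consider also stopping the service in the fix, e.g. `/sbin/nfsd stop` (or `/bin/launchctl bootout system/com.apple.nfsd`) after the disable, and copying /etc/exports aside before the `rm -rf` rather than discarding the only record of what was shared. Note as well that `isDisabled` is the last field of the `nfsd service` line of `nfsd status`; if that wording changes the variable is empty and the rule reports fail, which is the safe direction but worth a comment.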


@@ -0,0 +1,59 @@
id: os_notes_transcription_disable
title: Disable Apple Intelligence Notes Transcription
discussion: |-
Apple Intelligence features such as Notes Transcription that use off device AI _MUST_ be disabled.
check: |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowNotesTranscription').js
EOS
result:
string: 'false'
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94568-3
cci:
- CCI-000381
- CCI-001774
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- N/A
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
800-171r3:
- 03.01.20
- 03.04.06
cis:
benchmark:
- 2.5.1.4 (level 1)
controls v8:
- N/A
cmmc:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.4'
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- cnssi-1253_moderate
- cis_lvl1
- cis_lvl2
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowNotesTranscription: false


@@ -0,0 +1,59 @@
id: os_notes_transcription_summary_disable
title: Disable Apple Intelligence Notes Transcription Summary
discussion: |-
Apple Intelligence features such as Notes Transcription Summary that use off device AI _MUST_ be disabled.
check: |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowNotesTranscriptionSummary').js
EOS
result:
string: 'false'
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94569-1
cci:
- CCI-000381
- CCI-001774
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- N/A
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
800-171r3:
- 03.01.20
- 03.04.06
cis:
benchmark:
- 2.5.1.4 (level 1)
controls v8:
- N/A
cmmc:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.3'
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- cnssi-1253_moderate
- cis_lvl1
- cis_lvl2
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowNotesTranscriptionSummary: false
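Review bot: `macOS: '15.3'` here differs from the `'15.4'` declared by the sibling `os_notes_transcription_disable` rule added in the same commit for the companion `allowNotesTranscription` key; if the minimum version gates which OS builds the rule applies to, one of the two is presumably wrong, so confirm against Apple's Restrictions payload documentation for `allowNotesTranscriptionSummary`. Otherwise the rule mirrors the other new Apple Intelligence rules (profile-backed check, `false` expected).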


@@ -29,7 +29,7 @@ references:
disa_stig:
- N/A
800-171r3:
- 3.4.7
- 03.04.06
cis:
benchmark:
- N/A


@@ -32,7 +32,7 @@ references:
- 03.05.11
cis:
benchmark:
- 2.11.1 (level 1)
- 2.12.1 (level 1)
controls v8:
- 5.2
cmmc:


@@ -41,7 +41,7 @@ references:
- 03.04.06
cis:
benchmark:
- 2.9.2 (level 1)
- 2.10.2 (level 1)
controls v8:
- 4.1
- 4.8


@@ -0,0 +1,52 @@
id: os_safari_reader_summary_disable
title: Disable Apple Intelligence Safari Reader Summary
discussion: |-
Apple Intelligence features such as Safari Reader Summary that use off device AI _MUST_ be disabled.
check: |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowSafariSummary').js
EOS
result:
string: 'false'
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94570-9
cci:
- CCI-000381
- CCI-001774
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- N/A
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
800-171r3:
- 03.01.20
- 03.04.06
cmmc:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.4'
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- cnssi-1253_moderate
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowSafariSummary: false


@@ -27,7 +27,9 @@ references:
srg:
- SRG-OS-000132-GPOS-00067
800-171r3:
- 3.13.3
- 03.01.03
- 03.01.05
- 03.01.07
cmmc:
- SC.L2-3.13.3
macOS:


@@ -41,7 +41,7 @@ references:
- N/A
cis:
benchmark:
- 2.9.1.2 (level 2)
- 2.10.1.1 (level 2)
controls v8:
- 4.1
macOS:


@@ -0,0 +1,68 @@
id: os_sshd_per_source_penalties_configure
title: Configure SSHD PerSourcePenalties
discussion: |
If SSHD is enabled then it _MUST_ be configured with the Per Source Penalties configured.
Per Source Penalities controls penalties for various conditions that may represent attacks on sshd.
Penalties are enabled by default.
NOTE: On macOS 15.2 and higher the SSH configuration can be reset to the macOS default by running /usr/libexec/reset-ssh-configuration.
check: |
/usr/sbin/sshd -G | /usr/bin/grep -q "persourcepenalties no" && echo "no" || echo "yes"
result:
string: "yes"
fix: |
[source,bash]
----
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'persourcepenalties yes' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "persourcepenalties yes" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
if [[ "$file" == "100-macos.conf" ]]; then
continue
fi
if [[ "$file" == "01-mscp-sshd.conf" ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
----
references:
cce:
- CCE-94589-9
cci:
- N/A
800-53r5:
- SC-5
srg:
- N/A
disa_stig:
- N/A
800-171r3:
- N/A
cmmc:
- N/A
macOS:
- '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cnssi-1253_low
- cnssi-1253_high
- cnssi-1253_moderate
severity: medium
mobileconfig: false
mobileconfig_info:
ddm_info:
declarationtype: com.apple.configuration.services.configuration-files
service: com.apple.sshd
config_file: sshd_config
configuration_key: persourcepenalties
configuration_value: "yes"
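Review bot: In the fix, when sshd_config has no `Include` line the sed inserts one but `include_dir` stays empty, so the following `grep`/`echo` write `01-mscp-sshd.conf` into the current working directory, `ls ${include_dir}` lists the cwd, and the rename loop prefixes unrelated files there with `20-`. Set the directory once the Include is written, e.g. `include_dir=/etc/ssh/sshd_config.d/` (and `mkdir -p "$include_dir"`) inside the `if [[ -z $include_dir ]]` block, and quote `"${include_dir}${file}"` in the `mv`. The `1s/.*/Include .../` substitution also overwrites whatever is on line 1 of sshd_config instead of inserting; a `1i\` insert would preserve it. The check greps `sshd -G` for `persourcepenalties no`, which is the explicit-disabled output, so it is sound, but it also reports `yes` (pass) when sshd_config fails to parse and `sshd -G` prints nothing, which a practitioner may want called out in the discussion.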


@@ -9,7 +9,7 @@ result:
fix: |
[source,bash]
----
/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/Defaults \!log_allowed/d' '{}' \;
/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/^Defaults[[:blank:]]*\!log_allowed/s/^/# /' '{}' \;
/bin/echo "Defaults log_allowed" >> /etc/sudoers.d/mscp
----
references:
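Review bot: The replacement sed pattern `^Defaults[[:blank:]]*\!log_allowed` only neutralises `!log_allowed` when it is the first option after `Defaults`; `Defaults log_output,!log_allowed` or a scoped `Defaults:admin !log_allowed` no longer match (the old pattern matched anywhere on the line), so the appended `Defaults log_allowed` can still be overridden. A pattern such as `/^Defaults[^#]*\!log_allowed/` keeps the anchor to a Defaults line while covering those forms, though commenting out a whole multi-option line also drops its other options, so deleting only the `!log_allowed` token may be preferable. The `echo >> /etc/sudoers.d/mscp` also appends a duplicate line on every run; guard it with `grep -qx 'Defaults log_allowed' /etc/sudoers.d/mscp ||`, and consider running `/usr/sbin/visudo -cf /etc/sudoers.d/mscp` afterwards so a malformed edit cannot lock sudo out.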


@@ -36,7 +36,7 @@ references:
disa_stig:
- APPL-15-000180
800-171r3:
- 3.3.7
- 03.03.07
cis:
benchmark:
- 2.3.2.2 (level 1)


@@ -6,6 +6,8 @@ discussion: |
macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.
NOTE: Configuring this setting will change the user experience and disable TouchID from unlocking the screensaver. To restore the user experience and allow TouchID to unlock the screensaver, you can run `/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1`. This setting can also be deployed with a configuration profile.
WARNING: This rule may cause issues when platformSSO is configured.
check: |
/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c '<string>$ODV</string>'
result:


@@ -34,6 +34,11 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
cis:
benchmark:
- 2.5.1.2 (level 1)
controls v8:
- N/A
macOS:
- '15.0'
tags:
@@ -47,6 +52,8 @@ tags:
- cmmc_lvl2
- cmmc_lvl1
- cnssi-1253_moderate
- cis_lvl1
- cis_lvl2
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:


@@ -35,6 +35,5 @@ tags:
- 800-53r4_moderate
- 800-53r4_high
- permanent
- srg
mobileconfig: false
mobileconfig_info:


@@ -66,7 +66,7 @@ references:
macOS:
- '15.0'
odv:
hint: Number of special characters.
hint: Number of Upper Case characters.
recommended: 1
tags:
- none


@@ -15,21 +15,21 @@ discussion: |
2.1.1.5 Audit Freeform Sync to iCloud +
2.1.1.6 Audit Find My Mac +
2.1.2 Audit App Store Password Settings +
2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information +
2.5.1 Audit Siri Settings +
2.3.3.11 Ensure Computer Name Does Not Contain PII or Protected Organizational Information +
2.5.2.2 Ensure Listen for Siri is Disabled +
2.6.1.3 Audit Location Services Access +
2.6.2.1 Audit Full Disk Access for Applications +
2.6.3.5 Ensure Share iCloud Analytics Is Disabled +
2.6.7 Audit Lockdown Mode +
2.7.2 Audit iPhone Mirroring +
2.8.1 Audit Universal Control Settings +
2.9.1.1 Ensure the OS Is Not Active When Resuming from Standby (Intel) +
2.11.2 Audit Touch ID +
2.13.1 Audit Passwords System Preference Setting +
2.10.1.1 Ensure the OS Is Not Active When Resuming from Standby (Intel) +
2.12.2 Audit Touch ID +
2.14.1 Audit Game Center Settings +
2.15.1 Audit Notification & Focus Settings +
2.16.1 Audit Wallet & Apple Pay Settings +
2.17.1 Audit Internet Accounts for Authorized Use +
6.5.1 Audit Passwords System Preference Setting +
|===
[cols="15%h, 85%a"]


@@ -34,7 +34,7 @@ references:
- 03.05.01
cis:
benchmark:
- 2.12.3 (level 1)
- 2.13.3 (level 1)
controls v8:
- 4.7
cmmc:


@@ -47,7 +47,7 @@ references:
- 03.04.06
cis:
benchmark:
- 2.3.3.11 (level 1)
- 2.3.3.10 (level 1)
controls v8:
- 3.3
- 4.1


@@ -32,7 +32,7 @@ references:
- 03.04.06
cis:
benchmark:
- 2.3.3.9 (level 2)
- 2.3.3.8 (level 2)
controls v8:
- 4.8
cmmc:


@@ -1,7 +1,7 @@
id: system_settings_external_intelligence_disable
title: Disable External Intelligence Integrations
discussion: |
Integration with external intelligence systems _MUST_ be disabled unless approved by the organiztion. Disabling external intelligence integration will mitigate the risk of data being sent to unapproved third party.
Integration with external intelligence systems _MUST_ be disabled unless approved by the organization. Disabling external intelligence integration will mitigate the risk of data being sent to unapproved third party.
The information system _MUST_ be configured to provide only essential capabilities.
check: |
@@ -35,7 +35,7 @@ references:
- 03.04.06
cis:
benchmark:
- N/A
- 2.5.1.1 (level 1)
controls v8:
- 4.1
- 4.8
@@ -58,6 +58,8 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cnssi-1253_moderate
- cis_lvl1
- cis_lvl2
severity: medium
mobileconfig: true
mobileconfig_info:


@@ -10,7 +10,7 @@ check: |
.objectForKey('allowExternalIntelligenceIntegrationsSignIn').js
EOS
result:
string: 'true'
string: 'false'
fix: |
This is implemented by a Configuration Profile.
references:
@@ -35,7 +35,7 @@ references:
- 03.04.06
cis:
benchmark:
- N/A
- 2.5.1.1 (level 1)
controls v8:
- 4.1
- 4.8
@@ -58,6 +58,8 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cnssi-1253_moderate
- cis_lvl1
- cis_lvl2
severity: medium
mobileconfig: true
mobileconfig_info:


@@ -20,7 +20,7 @@ references:
- N/A
800-171r3:
- 03.01.01
r5:
800-53r5:
- AC-2(9)
- AC-2
800-53r4:
@@ -32,7 +32,7 @@ references:
- N/A
cis:
benchmark:
- 2.12.2 (level 1)
- 2.13.2 (level 1)
controls v8:
- 3.3
cmmc:


@@ -42,7 +42,7 @@ references:
- 03.01.01
cis:
benchmark:
- 2.12.1 (level 1)
- 2.13.1 (level 1)
controls v8:
- 5.2
- 6.2


@@ -1,7 +1,7 @@
id: system_settings_improve_assistive_voice_disable
title: Disable Sending Audio Recordings and Transcripts to Apple
discussion: |
The ability for Apple to store and review audio of your audio recordings and transcripts of your vocal shortcuts and voice control interactions _MUST_ be disabled.
The ability for Apple to store and review audio of your audio recordings and transcripts of your vocal shortcuts and voice control interactions _MUST_ be disabled. This will disable "Improve Assistive Voice Features" in Privacy & Security within System Settings.
The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of this information will mitigate the risk of unwanted data being sent to Apple.
check: |


@@ -1,9 +1,10 @@
id: system_settings_improve_search_disable
title: Disable Improve Search Information to Apple
discussion: |
Sending data to Apple to help improve search _MUST_ be disabled.
Sending data to Apple to help improve search _MUST_ be disabled. This will disable "Improve Search" within Spotlight in System Settings.
The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of search data will mitigate the risk of unwanted data being sent to Apple.
check: |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.assistant.support')\
@@ -37,7 +38,7 @@ references:
- APPL-15-002024
cis:
benchmark:
- N/A
- 2.9.1 (level 1)
controls v8:
- 4.1
- 4.8
@@ -62,6 +63,8 @@ tags:
- cmmc_lvl1
- stig
- cnssi-1253_moderate
- cis_lvl1
- cis_lvl2
severity: medium
mobileconfig: true
mobileconfig_info:


@@ -33,7 +33,7 @@ references:
- 03.01.20
cis:
benchmark:
- 2.3.3.8 (level 1)
- 2.3.3.7 (level 1)
controls v8:
- 4.1
- 4.8


@@ -28,7 +28,7 @@ references:
- N/A
cis:
benchmark:
- 2.10.3 (level 1)
- 2.11.3 (level 1)
controls v8:
- 4.1
macOS:


@@ -30,7 +30,7 @@ references:
- 03.05.01
cis:
benchmark:
- 2.10.4 (level 1)
- 2.11.4 (level 1)
controls v8:
- 4.1
cmmc:


@@ -43,7 +43,7 @@ references:
- 03.04.06
cis:
benchmark:
- 2.3.3.10 (level 2)
- 2.3.3.9 (level 2)
controls v8:
- 4.1
- 4.8


@@ -30,7 +30,7 @@ references:
- 03.05.11
cis:
benchmark:
- 2.10.5 (level 1)
- 2.11.5 (level 1)
controls v8:
- 4.1
cmmc:


@@ -31,7 +31,7 @@ references:
- 03.04.06
cis:
benchmark:
- 2.3.3.4 (level 1)
- 2.3.3.3 (level 1)
controls v8:
- 4.1
- 4.8


@@ -36,7 +36,7 @@ references:
- 03.04.06
cis:
benchmark:
- 2.3.3.7 (level 1)
- 2.3.3.6 (level 1)
controls v8:
- 4.1
- 4.8


@@ -31,7 +31,7 @@ references:
- 03.04.06
cis:
benchmark:
- 2.3.3.6 (level 1)
- 2.3.3.5 (level 1)
controls v8:
- 4.1
- 4.8


@@ -34,7 +34,7 @@ references:
- 03.04.06
cis:
benchmark:
- 2.3.3.2 (level 1)
- 2.3.3.1 (level 1)
controls v8:
- 4.1
- 4.8


@@ -37,7 +37,7 @@ references:
- 03.01.10
cis:
benchmark:
- 2.10.2 (level 1)
- 2.11.2 (level 1)
controls v8:
- 4.7
cmmc:


@@ -39,7 +39,7 @@ references:
- 03.05.01
cis:
benchmark:
- 2.10.1 (level 1)
- 2.11.1 (level 1)
controls v8:
- 4.3
cmmc:


@@ -38,7 +38,7 @@ references:
- 03.04.08
cis:
benchmark:
- N/A
- 2.5.2.1 (level 1)
controls v8:
- 4.1
- 4.8
@@ -63,6 +63,8 @@ tags:
- cmmc_lvl1
- stig
- cnssi-1253_moderate
- cis_lvl1
- cis_lvl2
severity: medium
mobileconfig: true
mobileconfig_info:


@@ -26,15 +26,13 @@ references:
- N/A
cis:
benchmark:
- 2.5.2 (level 1)
- N/A
controls v8:
- 4.1
- 4.8
macOS:
- "15.0"
tags:
- cis_lvl1
- cis_lvl2
- cisv8
mobileconfig: true
mobileconfig_info:


@@ -33,7 +33,7 @@ references:
- 03.04.06
cis:
benchmark:
- 2.3.3.3 (level 1)
- 2.3.3.2 (level 1)
controls v8:
- 4.1
- 4.8


@@ -25,9 +25,9 @@ references:
disa_stig:
- N/A
800-171r3:
- 3.14.1
- 3.14.2
- 3.13.3
- 03.14.01
- 03.14.02
- 03.13.03
cis:
benchmark:
- 1.2 (level 1)


@@ -35,7 +35,7 @@ references:
- 03.04.06
cis:
benchmark:
- 2.3.3.5 (level 1)
- 2.3.3.4 (level 1)
controls v8:
- 4.1
- 4.8
@@ -46,6 +46,10 @@ references:
macOS:
- '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cis_lvl1
- cis_lvl2
- cisv8


@@ -34,7 +34,7 @@ references:
disa_stig:
- APPL-15-000170
800-171r3:
- 3.3.7
- 03.03.07
cis:
benchmark:
- 2.3.2.1 (level 1)


@@ -33,7 +33,7 @@ references:
disa_stig:
- APPL-15-000014
800-171r3:
- 3.3.7
- 03.03.07
cis:
benchmark:
- 2.3.2.1 (level 1)


@@ -28,7 +28,7 @@ references:
- N/A
cis:
benchmark:
- 2.9.3 (level 1)
- 2.10.3 (level 1)
controls v8:
- 4.8
macOS:


@@ -1829,14 +1829,15 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
# determine severity
# uses 'parent_values' from baseline.yaml file to determine which/if any severity to use
# while support for a dictionary will work for generating the excel sheet, having a dictionary in severity may break third-party apps
severity = ""
# if isinstance(rule.rule_severity, str):
# severity = f'{rule.rule_severity}'
if isinstance(rule.rule_severity, dict):
try:
severity = f'{rule.rule_severity[baseline_yaml["parent_values"]]}'
except KeyError:
severity = ""
elif isinstance(rule.rule_severity, str):
severity = f'{rule.rule_severity}'
sheet1.write(counter, 18, severity, topWrap)
sheet1.col(18).width = 400 * 15


@@ -18,6 +18,12 @@ from xml.sax.saxutils import escape
warnings.filterwarnings("ignore", category=DeprecationWarning)
def validate_file(arg):
if (file := Path(arg)).is_file():
return file
else:
raise FileNotFoundError(arg)
def format_mobileconfig_fix(mobileconfig):
"""Takes a list of domains and setting from a mobileconfig, and reformats it for the output of the fix section of the guide.
"""
@@ -88,6 +94,22 @@ def replace_ocil(xccdf, x):
result = re.sub(regex, substr, xccdf, 0, re.MULTILINE)
return result
def disa_stig_rules(stig_id, stig):
newtitle = str()
regex = r"<title>(SRG.*\d)<\/title>.*.{}".format(stig_id)
matches = re.search(regex,stig)
#SRG
if matches:
newtitle = str(matches.group(1))
regex = r"Rule id=\"(.*\S)\" we.*.{}".format(stig_id)
matches = re.search(regex,stig)
#RuleID
if matches:
newtitle = newtitle + ", " + str(matches.group(1).split("_")[0])
# srg-123-456. SV-7891234
return newtitle
def create_args():
@@ -101,10 +123,11 @@ def create_args():
help="List the available keyword tags to search for.", action="store_true")
parser.add_argument("-b", "--baseline", default="None",
help="Choose a baseline to generate an xml file for, if none is specified it will generate for every rule found.", action="store")
parser.add_argument('--disastig','-d', default=None, type=validate_file, help="DISA STIG File", required=False)
return parser.parse_args()
def generate_scap(all_rules, all_baselines, args):
def generate_scap(all_rules, all_baselines, args, stig):
export_as = ""
@@ -306,6 +329,9 @@ def generate_scap(all_rules, all_baselines, args):
rule_yaml['fix'] = rule_yaml['fix'].replace("$ODV",odv_value)
if "result" in rule_yaml:
for result_value in rule_yaml['result']:
if "$ODV" == rule_yaml['result'][result_value]:
@@ -327,6 +353,8 @@ def generate_scap(all_rules, all_baselines, args):
except:
odv_label = "recommended"
if args.disastig and args.oval:
rule_yaml['title'] = disa_stig_rules(rule_yaml['references']['disa_stig'][0], stig)
for baseline in all_baselines:
found_rules = []
@@ -735,7 +763,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition>
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x)
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip().replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x)
oval_test = oval_test + '''
<plist511_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="{}_test" id="oval:mscp:tst:{}" version="2">
@@ -824,7 +852,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition>
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x)
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip().replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x)
oval_test = oval_test + '''
<plist511_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="{}_test" id="oval:mscp:tst:{}" version="2">
@@ -890,7 +918,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition>
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x)
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip().replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x)
oval_test = oval_test + '''
<plist511_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="{}_test" id="oval:mscp:tst:{}" version="2">
@@ -955,7 +983,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition>
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x)
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip().replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x)
oval_test = oval_test + '''
<plist511_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="{}_test" id="oval:mscp:tst:{}" version="2">
@@ -1021,7 +1049,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition>
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x)
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip().replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x)
oval_test = oval_test + '''
<plist511_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="{}_test" id="oval:mscp:tst:{}" version="2">
@@ -1092,7 +1120,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition>
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x)
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip().replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x)
oval_test = oval_test + '''
<plist511_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="{}_test" id="oval:mscp:tst:{}" version="2">
@@ -1176,7 +1204,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="com.apple.syspolicy.kernel-extension-policy" test_ref="oval:mscp:tst:{}" />
<criterion comment="com.apple.TCC.configuration-profile-policy" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition>'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],x,x+899,x+799)
</definition>'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),x,x+899,x+799)
oval_test = oval_test + '''
<file_test id="oval:mscp:tst:{}" version="1" comment="com.apple.extensiblesso_test" check_existence="all_exist" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
@@ -1223,7 +1251,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition>
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x)
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x)
oval_test = oval_test + '''
<systemprofiler_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="{}_test" id="oval:mscp:tst:{}" version="2">
@@ -1294,7 +1322,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] +"_standbydelayhigh",x, rule_yaml['id'] +"_standbydelaylow",x+877, rule_yaml['id'] +"_highstandbythreshold",x+888)
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] +"_standbydelayhigh",x, rule_yaml['id'] +"_standbydelaylow",x+877, rule_yaml['id'] +"_highstandbythreshold",x+888)
oval_test = oval_test + '''
@@ -1395,18 +1423,18 @@ def generate_scap(all_rules, all_baselines, args):
if "grep" in rule_yaml['check'].split("|")[1]:
oval_definition = oval_definition + '''
<definition id="oval:mscp:def:{}" version="1" class="compliance">
<definition id="oval:mscp:def:{0}" version="1" class="compliance">
<metadata>
<title>{}</title>
<reference source="CCE" ref_id="{}"/>
<reference source="macos_security" ref_id="{}"/>
<description>{}</description>
<title>{1}</title>
<reference source="CCE" ref_id="{2}"/>
<reference source="macos_security" ref_id="{3}"/>
<description>{4}</description>
</metadata>
<criteria operator="OR">
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
<criterion comment="{}_sudoers.d" test_ref="oval:mscp:tst:{}"/>
<criterion comment="{5}" test_ref="oval:mscp:tst:{6}" />
<criterion comment="{7}_sudoers.d" test_ref="oval:mscp:tst:{8}"/>
</criteria>
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x, rule_yaml['id'] + "_" + odv_label,x+5051)
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+5051)
oval_test = oval_test + '''
<textfilecontent54_test id="oval:mscp:tst:{}" version="1" comment="{}_test" check_existence="all_exist" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
@@ -1435,7 +1463,7 @@ def generate_scap(all_rules, all_baselines, args):
<textfilecontent54_object id="oval:mscp:obj:{}" version="1" comment="{}__sudoers.d_object" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
<behaviors ignore_case="true"/>
<path>/etc/sudoers.d/</path>
<filename operation="pattern match">*</filename>
<filename operation="pattern match">.*</filename>
<pattern operation="pattern match">{}</pattern>
<instance datatype="int">1</instance>
</textfilecontent54_object>'''.format(x+5051, rule_yaml['id'] + "_" + odv_label, check_string)
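Review bot: Changing the filename regex from `*` to `.*` makes the object scan every entry in /etc/sudoers.d/, including files sudo itself never parses: sudoers(5) documents that the include directory skips names ending in `~` or containing a `.`, so an editor backup or a `foo.bak` would be matched by this object but ignored by sudo, and an `all_exist` test could report a setting that is not actually in effect. Restricting the pattern to what sudo reads, `<filename operation="pattern match">^[^.]*[^.~]$</filename>`, keeps the check aligned with the enforced configuration; the same filename pattern recurs in the later sudoers.d objects in this diff and would need the same adjustment. generate_scap continues outside the hunk.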
@@ -1460,7 +1488,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}_tty_ticket" test_ref="oval:mscp:tst:{}" />
<criterion comment="{}_sudoers.d_tty_ticket" test_ref="oval:mscp:tst:{}"/>
</criteria>
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+8000, rule_yaml['id'] + "_" + odv_label,x+8001, rule_yaml['id'] + "_" + odv_label,x+8002,rule_yaml['id'] + "_" + odv_label,x+8003)
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+8000, rule_yaml['id'] + "_" + odv_label,x+8001, rule_yaml['id'] + "_" + odv_label,x+8002,rule_yaml['id'] + "_" + odv_label,x+8003)
oval_test = oval_test + '''
<textfilecontent54_test id="oval:mscp:tst:{}" version="1" comment="{}_test" check_existence="none_exist" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
@@ -1500,7 +1528,7 @@ def generate_scap(all_rules, all_baselines, args):
<textfilecontent54_object id="oval:mscp:obj:{}" version="1" comment="{}__sudoers.d_object" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
<behaviors ignore_case="true"/>
<path>/etc/sudoers.d/</path>
<filename operation="pattern match">*</filename>
<filename operation="pattern match">.*</filename>
<pattern operation="pattern match">timestamp_type</pattern>
<instance datatype="int">1</instance>
</textfilecontent54_object>'''.format(x+8000, rule_yaml['id'] + "_" + odv_label)
@@ -1509,7 +1537,7 @@ def generate_scap(all_rules, all_baselines, args):
<textfilecontent54_object id="oval:mscp:obj:{}" version="1" comment="{}__sudoers.d_object" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
<behaviors ignore_case="true"/>
<path>/etc/sudoers.d/</path>
<filename operation="pattern match">*</filename>
<filename operation="pattern match">.*</filename>
<pattern operation="pattern match">!tty_tickets</pattern>
<instance datatype="int">1</instance>
</textfilecontent54_object>'''.format(x+8001, rule_yaml['id'] + "_" + odv_label)
@@ -1517,7 +1545,7 @@ def generate_scap(all_rules, all_baselines, args):
<textfilecontent54_object id="oval:mscp:obj:{}" version="1" comment="{}__sudoers.d_object" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
<behaviors ignore_case="true"/>
<path>/etc/sudoers.d/</path>
<filename operation="pattern match">*</filename>
<filename operation="pattern match">.*</filename>
<pattern operation="pattern match">!tty_tickets</pattern>
<instance datatype="int">1</instance>
</textfilecontent54_object>'''.format(x+8002, rule_yaml['id'] + "_" + odv_label)
@@ -1538,7 +1566,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
<criterion comment="{}_sudoers.d" test_ref="oval:mscp:tst:{}"/>
</criteria>
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+8000, rule_yaml['id'] + "_" + odv_label,x+8001, rule_yaml['id'] + "_" + odv_label,x+8002,rule_yaml['id'] + "_" + odv_label,x+8003)
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+8000, rule_yaml['id'] + "_" + odv_label,x+8001, rule_yaml['id'] + "_" + odv_label,x+8002,rule_yaml['id'] + "_" + odv_label,x+8003)
oval_test = oval_test + '''
<textfilecontent54_test id="oval:mscp:tst:{}" version="1" comment="{}_test" check_existence="at_least_one_exists" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
@@ -1565,7 +1593,7 @@ def generate_scap(all_rules, all_baselines, args):
<textfilecontent54_object id="oval:mscp:obj:{}" version="1" comment="{}__sudoers.d_object" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
<behaviors ignore_case="true"/>
<path>/etc/sudoers.d/</path>
<filename operation="pattern match">*</filename>
<filename operation="pattern match">.*</filename>
<pattern operation="pattern match">{}</pattern>
<instance datatype="int">1</instance>
</textfilecontent54_object>'''.format(x+7000, rule_yaml['id'] + "_" + odv_label, check_string)
@@ -1587,7 +1615,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}_ssh_config.d" test_ref="oval:mscp:tst:{}"/>
<criterion comment="{}_.ssh" test_ref="oval:mscp:tst:{}"/>
</criteria>
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+5010, rule_yaml['id'] + "_" + odv_label,x+5025)
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+5010, rule_yaml['id'] + "_" + odv_label,x+5025)
oval_test = oval_test + '''
<textfilecontent54_test id="oval:mscp:tst:{}" version="1" comment="{}_test" check_existence="all_exist" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
@@ -1627,7 +1655,7 @@ def generate_scap(all_rules, all_baselines, args):
<textfilecontent54_object id="oval:mscp:obj:{}" version="1" comment="{}__ssh_config.d_object" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
<behaviors ignore_case="true"/>
<path>/etc/ssh/ssh_config.d/</path>
<filename operation="pattern match">*</filename>
<filename operation="pattern match">.*</filename>
<pattern operation="pattern match">{}</pattern>
<instance datatype="int">1</instance>
</textfilecontent54_object>'''.format(x+5010, rule_yaml['id'] + "_" + odv_label, ssh_config_pattern)
@@ -1679,7 +1707,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
<criterion comment="{}_sshd_config.d" test_ref="oval:mscp:tst:{}"/>
</criteria>
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+6000, rule_yaml['id'] + "_" + odv_label,x+6001)
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+6000, rule_yaml['id'] + "_" + odv_label,x+6001)
oval_test = oval_test + '''
<textfilecontent54_test id="oval:mscp:tst:{}" version="1" comment="{}_test" check_existence="all_exist" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
@@ -1706,7 +1734,7 @@ def generate_scap(all_rules, all_baselines, args):
<textfilecontent54_object id="oval:mscp:obj:{}" version="1" comment="{}__sshd_config.d_object" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
<behaviors ignore_case="true"/>
<path>/etc/ssh/sshd_config.d/</path>
<filename operation="pattern match">*</filename>
<filename operation="pattern match">.*</filename>
<pattern operation="pattern match">{}</pattern>
<instance datatype="int">1</instance>
</textfilecontent54_object>'''.format(x+6000, rule_yaml['id'] + "_" + odv_label, fipslist)
@@ -1727,7 +1755,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
<criterion comment="{}_sshd_config.d" test_ref="oval:mscp:tst:{}"/>
</criteria>
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+6000, rule_yaml['id'] + "_" + odv_label,x+6001)
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+6000, rule_yaml['id'] + "_" + odv_label,x+6001)
oval_test = oval_test + '''
<textfilecontent54_test id="oval:mscp:tst:{}" version="1" comment="{}_test" check_existence="all_exist" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
@@ -1771,7 +1799,7 @@ def generate_scap(all_rules, all_baselines, args):
<textfilecontent54_object id="oval:mscp:obj:{}" version="1" comment="{}__sshd_config.d_object" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
<behaviors ignore_case="true"/>
<path>/etc/ssh/sshd_config.d/</path>
<filename operation="pattern match">*</filename>
<filename operation="pattern match">.*</filename>
<pattern operation="pattern match">{}</pattern>
<instance datatype="int">1</instance>
</textfilecontent54_object>'''.format(x+6000, rule_yaml['id'] + "_" + odv_label, sshd_config_pattern)
@@ -1793,7 +1821,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x)
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x)
oval_test = oval_test + '''
<plist511_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="at_least_one_exists" comment="{}_test" id="oval:mscp:tst:{}" version="2">
@@ -1836,7 +1864,7 @@ def generate_scap(all_rules, all_baselines, args):
</criteria>
</definition>
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x)
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x)
oval_test = oval_test + '''
<plist511_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="{}_test" id="oval:mscp:tst:{}" version="2">
<object object_ref="oval:mscp:obj:{}" />
@@ -1878,7 +1906,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x)
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x)
oval_test = oval_test + '''
<systemsetup_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="{}_test" id="oval:mscp:tst:{}" version="2">
@@ -1928,7 +1956,7 @@ def generate_scap(all_rules, all_baselines, args):
<description>{}</description>
</metadata>
<criteria>
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x)
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x)
for multi_grep in matchy_match.split("|"):
@@ -2030,7 +2058,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}_3" test_ref="oval:mscp:tst:{}" />
<criterion comment="{}_4" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label,x+5000,rule_yaml['id'] + "_" + odv_label,x+5001,rule_yaml['id'] + "_" + odv_label,x+5002)
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label,x+5000,rule_yaml['id'] + "_" + odv_label,x+5001,rule_yaml['id'] + "_" + odv_label,x+5002)
oval_test = oval_test + '''
<plist511_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="all_exist" comment="{}_1_test" id="oval:mscp:tst:{}" version="2">
@@ -2152,7 +2180,7 @@ def generate_scap(all_rules, all_baselines, args):
<criteria>
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x)
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x)
oval_test = oval_test + '''
<plist511_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="all_exist" comment="{}_test" id="oval:mscp:tst:{}" version="2">
@@ -2361,7 +2389,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x)
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x)
oval_test = oval_test + '''
<authorizationdb_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="{}_test" id="oval:mscp:tst:{}" version="2">
@@ -2394,7 +2422,7 @@ def generate_scap(all_rules, all_baselines, args):
<criteria>
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x)
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x)
oval_test = oval_test + '''
<authorizationdb_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="{}_test" id="oval:mscp:tst:{}" version="2">
@@ -2429,7 +2457,7 @@ def generate_scap(all_rules, all_baselines, args):
<reference source="macos_security" ref_id="{}"/>
<description>{}</description>
</metadata>
<criteria operator="AND">'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'])
<criteria operator="AND">'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"))
for match in matchy_match:
@@ -2479,7 +2507,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x)
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x)
oval_test = oval_test + '''
<file_test id="oval:mscp:tst:{}" version="1" comment="{}_test" check_existence="none_exist" check="none satisfy" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
<object object_ref="oval:mscp:obj:{}"/>
@@ -2587,7 +2615,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition>
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x)
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;").rstrip(),rule_yaml['id'] + "_" + odv_label,x)
oval_test = oval_test + '''
<file_test id="oval:mscp:tst:{}" version="1" comment="{}_test" check_existence="all_exist" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
@@ -2795,7 +2823,7 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition>
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x)
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&amp;"),rule_yaml['id'] + "_" + odv_label,x)
oval_test = oval_test + '''
<accountinfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="{}_test" id="oval:mscp:tst:{}" version="2">
@@ -2970,7 +2998,7 @@ def generate_scap(all_rules, all_baselines, args):
pass
try:
if "launchctl" in command[2] or "launchctl" in rule_yaml['fix']:
if "disable" in command[2] and "=> true" in rule_yaml['check'] or "unload -w" in rule_yaml['fix'] or "disable" in command[2] and "=> disabled" in rule_yaml['check']:
if ("disable" in command[2] and "=> true" in rule_yaml['check'] or "unload -w" in rule_yaml['fix'] or "disable" in command[2] and "=> disabled" in rule_yaml['check']) or ("disable" in rule_yaml['fix']):
oval_definition = oval_definition + '''
<definition id="oval:mscp:def:{}" version="1" class="compliance">
<metadata>
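Review bot: The appended `or ("disable" in rule_yaml['fix'])` is a bare substring test on the whole fix text, so any rule whose fix merely mentions the word "disable" — including one that runs `launchctl enable` — is routed into this branch, and because it is OR-ed onto the entire condition it also bypasses the `=> true` / `=> disabled` checks on the `check` field that the original clause required. The later branches in this same function key on the exact command, `"launchctl disable" in rule_yaml['fix']`; using that here, `or "launchctl disable" in rule_yaml['fix']`, keeps the three tests consistent and avoids mis-generating definitions for enable-style rules. The `if`/`elif` chain and generate_scap continue outside the hunk.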
@@ -2984,7 +3012,6 @@ def generate_scap(all_rules, all_baselines, args):
<criterion comment="{}_launchctl" test_ref="oval:mscp:tst:{}" />
</criteria>
</definition> '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label,x+999)
oval_test = oval_test + '''
<plist511_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="{}_plist_test" id="oval:mscp:tst:{}" version="2">
<object object_ref="oval:mscp:obj:{}" />
@@ -2997,8 +3024,10 @@ def generate_scap(all_rules, all_baselines, args):
domain = str()
if "launchctl" not in rule_yaml['check']:
domain = rule_yaml['fix'].split()[4].split('/')[4].replace(".plist","")
if "launchctl disable system/" in rule_yaml["fix"]:
domain = rule_yaml['fix'].split()[4].split('/')[1]
else:
domain = rule_yaml['fix'].split()[4].split('/')[4].replace(".plist","")
else:
s = command[5].split()[2]
domain = re.search('"(.*?)"', s).group(1)
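Review bot: The new `launchctl disable system/` branch takes the fifth whitespace token of the fix (`split()[4]`) and the text after its first `/`, which only yields the service label when the launchctl command is the first command in the fix block at that exact token offset; a fix with another command or an extra flag ahead of it silently produces the wrong domain, and a token without a `/` raises IndexError. Since `re` is already used on the line below, match the command directly: `domain = re.search(r'launchctl\s+disable\s+system/(\S+)', rule_yaml['fix']).group(1)`, which also tolerates `/bin/launchctl` versus bare `launchctl`. The surrounding `if` block and generate_scap continue outside the hunk.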
@@ -3022,7 +3051,7 @@ def generate_scap(all_rules, all_baselines, args):
<value_of datatype="boolean" operation="equals">{}</value_of>
</plist511_state>'''.format(rule_yaml['id'] + "_" + odv_label,x,status)
elif "launchctl unload" in rule_yaml['fix']:
elif "launchctl unload" in rule_yaml['fix'] or "launchctl disable" in rule_yaml['fix']:
oval_definition = oval_definition + '''
<definition id="oval:mscp:def:{}" version="1" class="compliance">
<metadata>
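Review bot: Routing `launchctl disable` fixes into the `launchctl unload` branch reuses a body that appears to be written for the `unload -w <path>.plist` argument layout — the plist extraction visible as context in the next hunk, `rule_yaml['fix'].split(" ")[2].replace(".plist","")`, looks like it is on this path, and for a `disable system/<label>` fix that token is a `system/...` label rather than a plist path, so the generated plist511 object would point at a file that does not exist. If that extraction is on this branch, the disable case needs its own label derivation, e.g. `label = re.search(r'disable\s+system/(\S+)', rule_yaml['fix']).group(1)`, and a test keyed on that label rather than on a plist path. The branch body and generate_scap continue outside the hunk.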
@@ -3078,7 +3107,6 @@ def generate_scap(all_rules, all_baselines, args):
<state state_ref="oval:mscp:ste:{}" />
</plist511_test>'''.format(rule_yaml['id'] + "_" + odv_label,x,x,x)
plist = rule_yaml['fix'].split(" ")[2].replace(".plist","")
# plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","")
if "ByHost" in rule_yaml['fix'] or "currentHost" in rule_yaml['fix']:
@@ -3250,10 +3278,7 @@ def generate_scap(all_rules, all_baselines, args):
x = x+1
continue
else:
oval_definition = oval_definition + '''
<definition id="oval:mscp:def:{}" version="1" class="compliance">
<metadata>
@@ -3446,6 +3471,11 @@ def generate_scap(all_rules, all_baselines, args):
</oval_definitions>
</component>
</data-stream-collection>'''.format(date_time_string,version_yaml['cpe'],version_yaml['os'])
# total_scap = total_scap.replace("&", "&amp;")
# total_scap = total_scap.replace("<", "&lt;")
# total_scap = total_scap.replace(">", "&gt;")
# total_scap = total_scap.replace("\"", "&quot;")
# total_scap = total_scap.replace("'", "&apos;")
scap_file = output
with open(scap_file + "temp",'w') as rite:
if export_as == "scap":
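Review bot: The five commented-out `total_scap.replace(...)` lines are dead code that a future maintainer will be tempted to re-enable; a whole-document replace would escape the generator's own tags and corrupt the data stream, which is presumably why they were left disabled. Either drop them or replace them with a one-line comment recording the rule, `# Escape per field at the .format() call sites (rule text may contain &, <, >); never on the assembled document.`. The file-writing code that follows is outside the hunk.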
@@ -3698,8 +3728,11 @@ def main():
original_working_directory = os.getcwd()
os.chdir(file_dir)
stig = ''
all_rules = collect_rules()
if args.disastig:
file = open(args.disastig, "r")
stig = file.read()
all_rules_pruned = []
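Review bot: The STIG file is opened with a bare `open(args.disastig, "r")` and never closed, and the read depends on the host locale's default encoding; whether or not that line predates this commit, the surrounding block is being reworked here and is the natural place to fix it. `with open(args.disastig, "r", encoding="utf-8") as fh: stig = fh.read()` closes the handle deterministically and decodes the DISA XML the same way on every machine. main continues outside the hunk.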
@@ -3726,7 +3759,7 @@ def main():
if rule.rule_id not in all_rules_pruned:
all_rules_pruned.append(rule.rule_id)
generate_scap(all_rules_pruned, all_baselines, args)
generate_scap(all_rules_pruned, all_baselines, args, stig)
os.chdir(original_working_directory)
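Review bot: The call now passes `stig` as a fourth positional argument, but every hunk header in this diff still shows `def generate_scap(all_rules, all_baselines, args):`; git takes that context from the pre-image, so the definition may have gained the parameter in a hunk outside this view — if it has not, every run raises TypeError. Declaring it with a default, `def generate_scap(all_rules, all_baselines, args, stig=''):`, and calling it as `generate_scap(all_rules_pruned, all_baselines, args, stig=stig)` keeps any other caller working and makes the intent explicit. main continues outside the hunk.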


@@ -29,7 +29,7 @@ ASSOCIATED DOCUMENTS
|===
|Document Number or Descriptor
|Document Title
|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_15_V1R1_STIG.zip[STIG Ver 1, Rel 1]|_Apple macOS 15 (Sequoia) STIG_
|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_15_V1R3_STIG.zip[STIG Ver 1, Rel 3]|_Apple macOS 15 (Sequoia) STIG_
|===
[%header, cols=2*a]
@@ -64,5 +64,5 @@ ASSOCIATED DOCUMENTS
|===
|Document Number or Descriptor
|Document Title
|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 14.0]|_CIS Apple macOS 14.0 Benchmark version 1.1.0_
|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 15.0]|_CIS Apple macOS 15.0 Benchmark version 1.1.0_
|===