usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 05:53:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity

Initial content commit

Browse Source
This commit is contained in:
Bob Gendler
2020-06-11 17:47:26 -04:00
parent 649c471d1e
commit 32452073de
266 changed files with 16375 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
.github/ISSUE_TEMPLATE/bug_report.md vendored Normal file
View File

@@ -0,0 +1,46 @@
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''
---
<!---
Please read this!
Before opening a new issue, make sure to search for keywords in the issues filtered by the "regression" or "bug" label and verify the issue you're about to submit isn't a duplicate.
--->
### Summary
(Summarize the bug encountered concisely)
### Steps to reproduce
(How one can reproduce the issue - this is very important)
### Operating System version
(macOS Version and build)
### What is the current *bug* behavior?
(What actually happens)
### What is the expected *correct* behavior?
(What you should see instead)
### Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's tough to read otherwise.)
### Output of checks
(Paste any output that occurs with the bug)
### Possible fixes
(If you can, link to the line of code that might be responsible for the problem)

40
.github/ISSUE_TEMPLATE/feature-proposal.md vendored Normal file
View File

@@ -0,0 +1,40 @@
---
name: Feature Proposal
about: Suggest an idea for this project
title: ''
labels: ''
assignees: ''
---
### Problem to solve
<!-- What problem do we solve? -->
### Intended users
<!-- Who will use this feature? If known, include any of the following: types of users (e.g. Member) -->
### Further details
<!-- Include use cases, benefits, and/or goals (contributes to our vision?) -->
### Proposal
<!-- How are we going to solve the problem? -->
### Documentation
<!-- Relevant documentation to the feature-->
### Testing
<!-- What risks does this change pose? How might it affect the quality of the product? What additional test coverage or changes to tests will be needed? -->
### What does success look like, and how can we measure that?
<!-- Define both the success metrics and acceptance criteria. Note that success metrics indicate the desired business outcomes, while acceptance criteria indicate when the solution is working correctly. If there is no way to measure success, link to an issue that will implement a way to measure this. -->
### Links / references
<!-- Any relevant links or references -->

2
.gitignore vendored Normal file
View File

@@ -0,0 +1,2 @@
.DS_Store

12
CHANGELOG.adoc Normal file
View File

@@ -0,0 +1,12 @@
= Changelog
This document provides a high-level view of the changes to the macOS Security Compliance Project.
== [0.9.0] - 2020-06-11
Initial Public release (PRE-RELEASE)

57
README.adoc Normal file
View File

@@ -0,0 +1,57 @@
= macOS Security Compliance Project
// settings:
:idprefix:
:idseparator: -
ifndef::env-github[:icons: font]
ifdef::env-github[]
:status:
//:outfilesuffix: .adoc
:caution-caption: :fire:
:important-caption: :exclamation:
:note-caption: :paperclip:
:tip-caption: :bulb:
:warning-caption: :warning:
endif::[]
:uri-org: https://github.com/usnistgov
:uri-repo: {uri-org}/macos_security
ifdef::status[]
image:https://badgen.net/badge/icon/apple?icon=apple&label, link=[https://www.apple.com/]
image:https://badgen.net/badge/icon/10.15?icon=apple&label, link=[https://www.apple.com/macos]
endif::[]
The macOS security compliance project is an link:LICENSE.md[open source] effort that can be used to create customized security baselines of technical security controls, which are mapped to various compliance frameworks such as: NIST 800-53, DISA STIG, FINRA, and HIPAA requirements. This is a joint project of federal operational IT Security staff from the National Institute of Standards (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL).
To learn more about the project, please see the {uri-repo}/wiki[wiki].
== Usage
Civilian agencies are to use the National Checklist Program as required by https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final[NIST 800-70].
[NOTE]
====
Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) states, “In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technologys website at https://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.”
====
== Authors
[width="100%",cols="1,1"]
|===
|Bob Gendler|National Institute of Standards and Technology
|Allen Golbig|National Aeronautics and Space Administration
|Dan Brodjieski|Defense Information Systems Agency
|Jason Blake|National Institute of Standards and Technology
|Blair Heiserman|National Institute of Standards and Technology
|Joshua Glemza|National Aeronautics and Space Administration
|Elyse Anderson|National Aeronautics and Space Administration
|Paige Ramsey|Los Alamos National Laboratory
|===
== Changelog
Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes.
== NIST Disclaimer
Any identification of commercial or open-source software in this document is done so purely in order to specify the methodology adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the software identified are necessarily the best available for the purpose.

4
README.md
View File

@@ -1,4 +0,0 @@
# macOS Security Compliance Project
[![](https://badgen.net/badge/icon/apple?icon=apple&label)](https://www.apple.com/)[![](https://badgen.net/badge/icon/10.15?icon=apple&label)](https://www.apple.com/macos)
The macOS security compliance project can be used to create customized security baselines of technical security controls, which are mapped to various compliance frameworks.

230
baselines/all_rules.yaml Normal file
View File

@@ -0,0 +1,230 @@
title: "Apple macOS 10.15 (Catalina) Security Configuration - All the rules"
description: |
This guide describes the actions to take when securing a macOS 10.15 system using every available rule.
profile:
- section: "Auditing"
rules:
- audit_acls_files_configure
- audit_acls_files_mode_configure
- audit_acls_folder_wheel_configure
- audit_acls_folders_configure
- audit_acls_folders_mode_configure
- audit_configure_capacity_notify
- audit_failure_halt
- audit_files_group_configure
- audit_files_owner_configure
- audit_flags_aa_configure
- audit_flags_ad_configure
- audit_flags_failed_file_read_restriction_enforced
- audit_flags_failed_file_write_access_restriction_enforced
- audit_flags_file_attr_mod_access_restriction_enforced
- audit_flags_lo_configure
- audit_folder_group_configure
- audit_folder_owner_configure
- audit_retention_one_week_configure
- audit_settings_failure_notify
- section: "Authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- auth_smartcard_certificate_trust_enforce_high
- auth_smartcard_certificate_trust_enforce_moderate
- auth_smartcard_enforce
- auth_ssh_smartcard_enforce
- section: "SystemPreferences"
rules:
- sysprefs_ad_tracking_disable
- sysprefs_afp_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_automatic_login_disable
- sysprefs_bluetooth_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_content_caching_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_filevault_enforce
- sysprefs_find_my_disable
- sysprefs_firewall_enable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_hot_corners_disable
- sysprefs_internet_sharing_disable
- sysprefs_location_services_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_media_sharing_disabled
- sysprefs_password_hints_disable
- sysprefs_rae_disable
- sysprefs_screen_sharing_disable
- sysprefs_siri_disable
- sysprefs_smbd_disable
- sysprefs_ssh_enable
- sysprefs_time_server_configure
- sysprefs_time_server_enforce
- sysprefs_token_removal_enforce
- sysprefs_touchid_unlock_disable
- sysprefs_wifi_disable
- section: "iCloud"
rules:
- icloud_addressbook_disable
- icloud_calendar_disable
- icloud_mail_disable
- icloud_notes_disable
- icloud_reminders_disable
- icloud_appleid_prefpane_disable
- icloud_bookmarks_disable
- icloud_drive_disable
- icloud_keychain_disable
- icloud_photos_disable
- icloud_sync_disable
- section: "macOS"
rules:
- os_sip_enable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_bonjour_disable
- os_calendar_app_disable
- os_camera_disable
- os_certificate_authority_trust
- os_facetime_app_disable
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- os_firewall_log_enable
- os_firmware_password_require
- os_gatekeeper_enable
- os_guest_access_afp_disable
- os_guest_access_smb_disable
- os_guest_account_disable
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_internet_accounts_prefpane_disable
- os_ir_support_disable
- os_mail_app_disable
- os_messages_app_disable
- os_nfsd_disable
- os_parental_controls_enable
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
- os_power_nap_disable
- os_privacy_setup_prompt_disable
- os_removable_media_disable
- os_root_disable
- os_root_disable_sshd
- os_screensaver_ask_for_password_delay_enforce
- os_screensaver_loginwindow_enforce
- os_screensaver_password_enforce
- os_screensaver_timeout_enforce
- os_secure_boot_verify
- os_siri_prompt_disable
- os_ssh_client_alive_count_max_configure
- os_ssh_client_alive_interval_configure
- os_ssh_fips_140_ciphers
- os_ssh_fips_140_macs
- os_ssh_login_grace_time_configure
- os_ssh_max_sessions_configure
- os_ssh_permit_root_login_configure
- os_sudoers_tty_configure
- os_system_wide_preferences_configure
- os_time_server_enabled
- os_touchid_prompt_disable
- os_uamdm_require
- os_unlock_active_user_session_disable
- os_user_app_installation_prohibit
- os_uucp_disable
- section: "PasswordPolicy"
rules:
- pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_emergency_accounts_disable
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_temporary_accounts_disable
- pwpolicy_upper_case_character_enforce
- section: "Permanent"
rules:
- audit_alert_processing_fail
- audit_enforce_dual_auth
- audit_off_load_records
- os_enforce_login_attempt_delay
- os_limit_dos_attacks
- os_limit_invalid_logons
- os_notify_account_created
- os_notify_account_disabled
- os_notify_account_enable
- os_notify_account_modified
- os_notify_account_removal
- os_notify_unauthorized_baseline_change
- os_protect_dos_attacks
- os_provide_automated_account_management
- os_reauth_devices_change_authenticators
- pwpolicy_50_percent
- pwpolicy_prevent_dictionary_words
- pwpolicy_force_password_change
- section: "Not_Applicable"
rules:
- os_auth_peripherals
- os_identify_non-org_users
- os_prohibit_cached_authenticators
- os_react_security_anomalies
- os_request_verification_name_resolution
- os_verify_security_functions
- section: "Inherent"
rules:
- audit_auditd_enabled
- os_allow_info_passed
- os_change_security_attributes
- os_crypto_audit
- os_enforce_access_restrictions
- os_error_message
- os_fail_secure_state
- os_grant_privs
- os_implement_memory_protection
- os_implement_cryptography
- os_implement_random_address_space
- os_isolate_security_functions
- os_limit_auditable_events
- os_limit_gui_sessions
- os_logical_access
- os_logoff_capability_and_message
- os_map_pki_identity
- os_mfa_network_access
- os_mfa_network_non-priv
- os_obscure_password
- os_peripherals_identify
- os_predictable_behavior
- os_preserve_information_on_crash
- os_prevent_priv_execution
- os_prevent_priv_functions
- os_prevent_restricted_software
- os_prevent_unauthorized_disclosure
- os_provide_disconnect_remote_access
- os_reauth_privilege
- os_reauth_users_change_authenticators
- os_remote_access_methods
- os_remove_software_components_after_updates
- os_required_crypto_module
- os_separate_fuctionality
- os_store_encrypted_passwords
- os_terminate_session
- os_terminate_session_inactivity
- os_unique_identification
- os_verify_remote_disconnection
- section: "Supplemental"
rules:
- supplemental_smartcard
- supplemental_firewall_pf
- supplemental_password_policy

197
baselines/cnssi.yaml Normal file
View File

@@ -0,0 +1,197 @@
title: "Apple macOS 10.15 (Catalina) Security Configuration - CNSSI"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the CNSSI baseline.
profile:
- section: "Auditing"
rules:
- audit_acls_files_configure
- audit_acls_files_mode_configure
- audit_acls_folder_wheel_configure
- audit_acls_folders_configure
- audit_acls_folders_mode_configure
- audit_failure_halt
- audit_files_group_configure
- audit_files_owner_configure
- audit_flags_aa_configure
- audit_flags_ad_configure
- audit_flags_failed_file_read_restriction_enforced
- audit_flags_failed_file_write_access_restriction_enforced
- audit_flags_file_attr_mod_access_restriction_enforced
- audit_flags_lo_configure
- audit_folder_group_configure
- audit_folder_owner_configure
- audit_retention_one_week_configure
- section: "Authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- auth_smartcard_certificate_trust_enforce_high
- auth_smartcard_certificate_trust_enforce_moderate
- auth_smartcard_enforce
- auth_ssh_smartcard_enforce
- section: "SystemPreferences"
rules:
- sysprefs_ad_tracking_disable
- sysprefs_afp_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_automatic_login_disable
- sysprefs_bluetooth_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_content_caching_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_filevault_enforce
- sysprefs_find_my_disable
- sysprefs_firewall_enable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_hot_corners_disable
- sysprefs_internet_sharing_disable
- sysprefs_location_services_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_media_sharing_disabled
- sysprefs_password_hints_disable
- sysprefs_rae_disable
- sysprefs_screen_sharing_disable
- sysprefs_siri_disable
- sysprefs_smbd_disable
- sysprefs_ssh_enable
- sysprefs_time_server_configure
- sysprefs_time_server_enforce
- sysprefs_token_removal_enforce
- sysprefs_touchid_unlock_disable
- sysprefs_wifi_disable
- section: "Permanent"
rules:
- audit_alert_processing_fail
- audit_enforce_dual_auth
- os_enforce_login_attempt_delay
- os_limit_invalid_logons
- os_notify_account_created
- os_notify_account_disabled
- os_notify_account_enable
- os_notify_account_modified
- os_notify_account_removal
- os_protect_dos_attacks
- os_provide_automated_account_management
- pwpolicy_50_percent
- pwpolicy_prevent_dictionary_words
- pwpolicy_force_password_change
- section: "iCloud"
rules:
- icloud_addressbook_disable
- icloud_calendar_disable
- icloud_mail_disable
- icloud_notes_disable
- icloud_reminders_disable
- icloud_appleid_prefpane_disable
- icloud_bookmarks_disable
- icloud_drive_disable
- icloud_keychain_disable
- icloud_photos_disable
- icloud_sync_disable
- section: "Inherent"
rules:
- audit_auditd_enabled
- os_error_message
- os_implement_memory_protection
- os_implement_cryptography
- os_implement_random_address_space
- os_limit_auditable_events
- os_logical_access
- os_map_pki_identity
- os_mfa_network_access
- os_mfa_network_non-priv
- os_obscure_password
- os_prevent_priv_functions
- os_prevent_restricted_software
- os_prevent_unauthorized_disclosure
- os_remote_access_methods
- os_required_crypto_module
- os_separate_fuctionality
- os_store_encrypted_passwords
- os_terminate_session
- os_terminate_session_inactivity
- os_unique_identification
- section: "not_applicable"
rules:
- os_auth_peripherals
- os_identify_non-org_users
- os_request_verification_name_resolution
- section: "macOS"
rules:
- os_peripherals_identify
- os_sip_enable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_bonjour_disable
- os_calendar_app_disable
- os_camera_disable
- os_certificate_authority_trust
- os_facetime_app_disable
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- os_firewall_log_enable
- os_firmware_password_require
- os_guest_access_afp_disable
- os_guest_access_smb_disable
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_internet_accounts_prefpane_disable
- os_ir_support_disable
- os_mail_app_disable
- os_messages_app_disable
- os_nfsd_disable
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
- os_power_nap_disable
- os_privacy_setup_prompt_disable
- os_removable_media_disable
- os_root_disable
- os_root_disable_sshd
- os_screensaver_ask_for_password_delay_enforce
- os_screensaver_loginwindow_enforce
- os_screensaver_password_enforce
- os_screensaver_timeout_enforce
- os_siri_prompt_disable
- os_ssh_client_alive_count_max_configure
- os_ssh_client_alive_interval_configure
- os_ssh_fips_140_ciphers
- os_ssh_fips_140_macs
- os_ssh_login_grace_time_configure
- os_sudoers_tty_configure
- os_system_wide_preferences_configure
- os_time_server_enabled
- os_touchid_prompt_disable
- os_uamdm_require
- os_unlock_active_user_session_disable
- os_uucp_disable
- section: "PasswordPolicy"
rules:
- pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_emergency_accounts_disable
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_temporary_accounts_disable
- pwpolicy_upper_case_character_enforce
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard

210
baselines/high.yaml Normal file
View File

@@ -0,0 +1,210 @@
title: "Apple macOS 10.15 (Catalina) Security Configuration - High"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the FISMA HIGH baseline.
profile:
- section: "Auditing"
rules:
- audit_acls_files_configure
- audit_acls_files_mode_configure
- audit_acls_folder_wheel_configure
- audit_acls_folders_configure
- audit_acls_folders_mode_configure
- audit_configure_capacity_notify
- audit_failure_halt
- audit_files_group_configure
- audit_files_owner_configure
- audit_flags_aa_configure
- audit_flags_ad_configure
- audit_flags_failed_file_read_restriction_enforced
- audit_flags_failed_file_write_access_restriction_enforced
- audit_flags_file_attr_mod_access_restriction_enforced
- audit_flags_lo_configure
- audit_folder_group_configure
- audit_folder_owner_configure
- audit_retention_one_week_configure
- audit_settings_failure_notify
- section: "Authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- auth_smartcard_certificate_trust_enforce_high
- auth_smartcard_certificate_trust_enforce_moderate
- auth_smartcard_enforce
- auth_ssh_smartcard_enforce
- section: "SystemPreferences"
rules:
- sysprefs_ad_tracking_disable
- sysprefs_afp_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_automatic_login_disable
- sysprefs_bluetooth_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_content_caching_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_filevault_enforce
- sysprefs_find_my_disable
- sysprefs_firewall_enable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_hot_corners_disable
- sysprefs_internet_sharing_disable
- sysprefs_location_services_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_password_hints_disable
- sysprefs_rae_disable
- sysprefs_screen_sharing_disable
- sysprefs_siri_disable
- sysprefs_smbd_disable
- sysprefs_ssh_enable
- sysprefs_time_server_configure
- sysprefs_time_server_enforce
- sysprefs_token_removal_enforce
- sysprefs_touchid_unlock_disable
- sysprefs_wifi_disable
- section: "Permanent"
rules:
- audit_alert_processing_fail
- audit_enforce_dual_auth
- os_enforce_login_attempt_delay
- os_limit_invalid_logons
- os_notify_account_created
- os_notify_account_disabled
- os_notify_account_enable
- os_notify_account_modified
- os_notify_account_removal
- os_protect_dos_attacks
- os_provide_automated_account_management
- pwpolicy_50_percent
- pwpolicy_prevent_dictionary_words
- pwpolicy_force_password_change
- section: "iCloud"
rules:
- icloud_addressbook_disable
- icloud_calendar_disable
- icloud_mail_disable
- icloud_notes_disable
- icloud_reminders_disable
- icloud_appleid_prefpane_disable
- icloud_bookmarks_disable
- icloud_drive_disable
- icloud_keychain_disable
- icloud_photos_disable
- icloud_sync_disable
- section: "Inherent"
rules:
- audit_auditd_enabled
- os_crypto_audit
- os_enforce_access_restrictions
- os_error_message
- os_fail_secure_state
- os_implement_memory_protection
- os_implement_cryptography
- os_implement_random_address_space
- os_isolate_security_functions
- os_limit_auditable_events
- os_limit_gui_sessions
- os_logical_access
- os_map_pki_identity
- os_mfa_network_access
- os_mfa_network_non-priv
- os_obscure_password
- os_preserve_information_on_crash
- os_prevent_priv_functions
- os_prevent_restricted_software
- os_prevent_unauthorized_disclosure
- os_remote_access_methods
- os_required_crypto_module
- os_separate_fuctionality
- os_store_encrypted_passwords
- os_terminate_session
- os_terminate_session_inactivity
- os_unique_identification
- section: "not_applicable"
rules:
- os_auth_peripherals
- os_identify_non-org_users
- os_react_security_anomalies
- os_request_verification_name_resolution
- os_verify_security_functions
- section: "macOS"
rules:
- os_peripherals_identify
- os_sip_enable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_bonjour_disable
- os_calendar_app_disable
- os_camera_disable
- os_certificate_authority_trust
- os_facetime_app_disable
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- os_firewall_log_enable
- os_firmware_password_require
- os_gatekeeper_enable
- os_guest_access_afp_disable
- os_guest_access_smb_disable
- os_guest_account_disable
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_internet_accounts_prefpane_disable
- os_ir_support_disable
- os_mail_app_disable
- os_messages_app_disable
- os_nfsd_disable
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
- os_power_nap_disable
- os_privacy_setup_prompt_disable
- os_removable_media_disable
- os_root_disable
- os_root_disable_sshd
- os_screensaver_ask_for_password_delay_enforce
- os_screensaver_loginwindow_enforce
- os_screensaver_password_enforce
- os_screensaver_timeout_enforce
- os_secure_boot_verify
- os_siri_prompt_disable
- os_ssh_client_alive_count_max_configure
- os_ssh_client_alive_interval_configure
- os_ssh_fips_140_ciphers
- os_ssh_fips_140_macs
- os_ssh_login_grace_time_configure
- os_ssh_max_sessions_configure
- os_sudoers_tty_configure
- os_system_wide_preferences_configure
- os_time_server_enabled
- os_touchid_prompt_disable
- os_uamdm_require
- os_unlock_active_user_session_disable
- os_uucp_disable
- section: "PasswordPolicy"
rules:
- pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_emergency_accounts_disable
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_temporary_accounts_disable
- pwpolicy_upper_case_character_enforce
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard

155
baselines/low.yaml Normal file
View File

@@ -0,0 +1,155 @@
title: "Apple macOS 10.15 (Catalina) Security Configuration - Low"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the FISMA LOW baseline.
profile:
- section: "Auditing"
rules:
- audit_acls_files_configure
- audit_acls_files_mode_configure
- audit_acls_folder_wheel_configure
- audit_acls_folders_configure
- audit_acls_folders_mode_configure
- audit_failure_halt
- audit_files_group_configure
- audit_files_owner_configure
- audit_flags_aa_configure
- audit_flags_ad_configure
- audit_flags_failed_file_read_restriction_enforced
- audit_flags_failed_file_write_access_restriction_enforced
- audit_flags_file_attr_mod_access_restriction_enforced
- audit_flags_lo_configure
- audit_folder_group_configure
- audit_folder_owner_configure
- audit_retention_one_week_configure
- section: "Authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- auth_smartcard_certificate_trust_enforce_high
- auth_smartcard_certificate_trust_enforce_moderate
- auth_smartcard_enforce
- auth_ssh_smartcard_enforce
- section: "SystemPreferences"
rules:
- sysprefs_ad_tracking_disable
- sysprefs_afp_disable
- sysprefs_automatic_login_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_content_caching_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_find_my_disable
- sysprefs_firewall_enable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_internet_sharing_disable
- sysprefs_location_services_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_password_hints_disable
- sysprefs_rae_disable
- sysprefs_screen_sharing_disable
- sysprefs_siri_disable
- sysprefs_smbd_disable
- section: "Permanent"
rules:
- audit_alert_processing_fail
- audit_enforce_dual_auth
- os_enforce_login_attempt_delay
- os_limit_invalid_logons
- os_protect_dos_attacks
- pwpolicy_50_percent
- pwpolicy_prevent_dictionary_words
- pwpolicy_force_password_change
- section: "iCloud"
rules:
- icloud_addressbook_disable
- icloud_calendar_disable
- icloud_mail_disable
- icloud_notes_disable
- icloud_reminders_disable
- icloud_appleid_prefpane_disable
- icloud_bookmarks_disable
- icloud_drive_disable
- icloud_keychain_disable
- icloud_photos_disable
- icloud_sync_disable
- section: "Inherent"
rules:
- audit_auditd_enabled
- os_implement_cryptography
- os_limit_auditable_events
- os_logical_access
- os_mfa_network_access
- os_obscure_password
- os_required_crypto_module
- os_store_encrypted_passwords
- os_terminate_session
- os_unique_identification
- section: "not_applicable"
rules:
- os_identify_non-org_users
- os_request_verification_name_resolution
- section: "macOS"
rules:
- os_sip_enable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_bonjour_disable
- os_calendar_app_disable
- os_camera_disable
- os_facetime_app_disable
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- os_firewall_log_enable
- os_firmware_password_require
- os_guest_access_afp_disable
- os_guest_access_smb_disable
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_internet_accounts_prefpane_disable
- os_ir_support_disable
- os_mail_app_disable
- os_messages_app_disable
- os_nfsd_disable
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
- os_power_nap_disable
- os_privacy_setup_prompt_disable
- os_removable_media_disable
- os_root_disable
- os_root_disable_sshd
- os_siri_prompt_disable
- os_ssh_fips_140_ciphers
- os_ssh_fips_140_macs
- os_sudoers_tty_configure
- os_touchid_prompt_disable
- os_uamdm_require
- os_unlock_active_user_session_disable
- os_uucp_disable
- section: "PasswordPolicy"
rules:
- pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_upper_case_character_enforce
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard

195
baselines/moderate.yaml Normal file
View File

@@ -0,0 +1,195 @@
title: "Apple macOS 10.15 (Catalina) Security Configuration - Moderate"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the FISMA MODERATE baseline.
profile:
- section: "Auditing"
rules:
- audit_acls_files_configure
- audit_acls_files_mode_configure
- audit_acls_folder_wheel_configure
- audit_acls_folders_configure
- audit_acls_folders_mode_configure
- audit_failure_halt
- audit_files_group_configure
- audit_files_owner_configure
- audit_flags_aa_configure
- audit_flags_ad_configure
- audit_flags_failed_file_read_restriction_enforced
- audit_flags_failed_file_write_access_restriction_enforced
- audit_flags_file_attr_mod_access_restriction_enforced
- audit_flags_lo_configure
- audit_folder_group_configure
- audit_folder_owner_configure
- audit_retention_one_week_configure
- section: "Authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- auth_smartcard_certificate_trust_enforce_moderate
- auth_smartcard_enforce
- auth_ssh_smartcard_enforce
- section: "SystemPreferences"
rules:
- sysprefs_ad_tracking_disable
- sysprefs_afp_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_automatic_login_disable
- sysprefs_bluetooth_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_content_caching_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_filevault_enforce
- sysprefs_find_my_disable
- sysprefs_firewall_enable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_hot_corners_disable
- sysprefs_internet_sharing_disable
- sysprefs_location_services_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_password_hints_disable
- sysprefs_rae_disable
- sysprefs_screen_sharing_disable
- sysprefs_siri_disable
- sysprefs_smbd_disable
- sysprefs_ssh_enable
- sysprefs_time_server_configure
- sysprefs_time_server_enforce
- sysprefs_token_removal_enforce
- sysprefs_touchid_unlock_disable
- sysprefs_wifi_disable
- section: "Permanent"
rules:
- audit_alert_processing_fail
- audit_enforce_dual_auth
- os_enforce_login_attempt_delay
- os_limit_invalid_logons
- os_notify_account_created
- os_notify_account_disabled
- os_notify_account_enable
- os_notify_account_modified
- os_notify_account_removal
- os_protect_dos_attacks
- os_provide_automated_account_management
- pwpolicy_50_percent
- pwpolicy_prevent_dictionary_words
- pwpolicy_force_password_change
- section: "iCloud"
rules:
- icloud_addressbook_disable
- icloud_calendar_disable
- icloud_mail_disable
- icloud_notes_disable
- icloud_reminders_disable
- icloud_appleid_prefpane_disable
- icloud_bookmarks_disable
- icloud_drive_disable
- icloud_keychain_disable
- icloud_photos_disable
- icloud_sync_disable
- section: "Inherent"
rules:
- audit_auditd_enabled
- os_error_message
- os_implement_memory_protection
- os_implement_cryptography
- os_implement_random_address_space
- os_limit_auditable_events
- os_logical_access
- os_map_pki_identity
- os_mfa_network_access
- os_mfa_network_non-priv
- os_obscure_password
- os_prevent_priv_functions
- os_prevent_restricted_software
- os_prevent_unauthorized_disclosure
- os_remote_access_methods
- os_required_crypto_module
- os_separate_fuctionality
- os_store_encrypted_passwords
- os_terminate_session
- os_terminate_session_inactivity
- os_unique_identification
- section: "not_applicable"
rules:
- os_auth_peripherals
- os_identify_non-org_users
- os_request_verification_name_resolution
- section: "macOS"
rules:
- os_peripherals_identify
- os_sip_enable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_bonjour_disable
- os_calendar_app_disable
- os_camera_disable
- os_certificate_authority_trust
- os_facetime_app_disable
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- os_firewall_log_enable
- os_firmware_password_require
- os_guest_access_afp_disable
- os_guest_access_smb_disable
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_internet_accounts_prefpane_disable
- os_ir_support_disable
- os_mail_app_disable
- os_messages_app_disable
- os_nfsd_disable
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
- os_power_nap_disable
- os_privacy_setup_prompt_disable
- os_removable_media_disable
- os_root_disable
- os_root_disable_sshd
- os_screensaver_ask_for_password_delay_enforce
- os_screensaver_loginwindow_enforce
- os_screensaver_password_enforce
- os_screensaver_timeout_enforce
- os_siri_prompt_disable
- os_ssh_client_alive_count_max_configure
- os_ssh_client_alive_interval_configure
- os_ssh_fips_140_ciphers
- os_ssh_fips_140_macs
- os_ssh_login_grace_time_configure
- os_sudoers_tty_configure
- os_system_wide_preferences_configure
- os_time_server_enabled
- os_touchid_prompt_disable
- os_uamdm_require
- os_unlock_active_user_session_disable
- os_uucp_disable
- section: "PasswordPolicy"
rules:
- pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_emergency_accounts_disable
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_temporary_accounts_disable
- pwpolicy_upper_case_character_enforce
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard

4
build/.gitignore vendored Normal file
View File

@@ -0,0 +1,4 @@
# Ignore everything in this directory
*
# Except this file
!.gitignore

6
custom/.gitignore vendored Normal file
View File

@@ -0,0 +1,6 @@
# Ignore everything in this directory
*
# Except this file
!.gitignore
!sections
!rules

4
custom/rules/.gitignore vendored Normal file
View File

@@ -0,0 +1,4 @@
# Ignore everything in this directory
*
# Except this file
!.gitignore

4
custom/sections/.gitignore vendored Normal file
View File

@@ -0,0 +1,4 @@
# Ignore everything in this directory
*
# Except this file
!.gitignore

2237
includes/800-53_baselines.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

155
includes/enablePF-mscp.sh Normal file
View File

@@ -0,0 +1,155 @@
#!/bin/bash
#enabling macos application firewall
enable_macos_application_firewall () {
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on
}
#enabling pf firewall with macsec rules
enable_pf_firewall_with_macsec_rules () {
macsec_pfctl_plist="/Library/LaunchDaemons/macsec.pfctl.plist"
if [[ -e "$macsec_pfctl_plist" ]]; then
echo "LaunchDaemon already exists, flushing and reloading rules..."
pfctl -e 2> /dev/null
pfctl -f /etc/pf.conf 2> /dev/null
return 0
fi
# copy system provided launchd for custom ruleset
cp "/System/Library/LaunchDaemons/com.apple.pfctl.plist" "$macsec_pfctl_plist"
#allow pf to be enabled when the job is loaded
/usr/libexec/PlistBuddy -c "Add :ProgramArguments:1 string -e" $macsec_pfctl_plist
#use new label to not conflict with System's pfctl
/usr/libexec/PlistBuddy -c "Set :Label macsec.pfctl" $macsec_pfctl_plist
# enable the firewall
pfctl -e 2> /dev/null
#make pf run at system startup
launchctl enable system/macsec.pfctl
launchctl bootstrap system $macsec_pfctl_plist
pfctl -f /etc/pf.conf 2> /dev/null #flush the pf ruleset (reload the rules)
}
# append the macsec anchors to pf.conf
configure_pf_config_add_macsec_anchors () {
# check to see if macsec anchors exists
anchors_exist=$(grep -c '^anchor "macsec_pf_anchors"' /etc/pf.conf)
if [[ $anchors_exist == "0" ]];then
echo 'anchor "macsec_pf_anchors"' >> /etc/pf.conf
echo 'load anchor "macsec_pf_anchors" from "/etc/pf.anchors/macsec_pf_anchors"' >> /etc/pf.conf
else
echo "macsec anchors exist, continuing..."
fi
}
# Create /etc/pf.anchors/macsec_pf_anchors
create_macsec_pf_anchors () {
if [[ -e /etc/pf.anchors/macsec_pf_anchors ]]; then
echo "macsec Anchor file exists, deleting and recreating..."
rm -f /etc/pf.anchors/macsec_pf_anchors
fi
cat > /etc/pf.anchors/macsec_pf_anchors <<'ENDCONFIG'
anchor macsec_pf_anchors
#default deny all in, allow all out and keep state
block in all
pass out all keep state
## Allow DHCP
pass in inet proto udp from port 67 to port 68
pass in inet6 proto udp from port 547 to port 546
## Allow incoming SSH
pass in proto tcp to any port 22
#apple file service --port 548-- pf firewall rule
block in log proto tcp to any port { 548 }
#bonjour component SSDP --port 1900-- pf firewall rule
block log proto udp to any port 1900
#finger --port 79-- pf firewall rule
block log proto tcp to any port 79
#ftp --ports 20 21-- pf firewall rule
block in log proto { tcp udp } to any port { 20 21 }
#http --port 80-- pf firewall rule
block in log proto { tcp udp } to any port 80
#icmp pf firewall rule
block in log proto icmp
#imap --port 143-- pf firewall rule
block in log proto tcp to any port 143
#imaps --port 993-- pf firewall rule
block in log proto tcp to any port 993
#iTunes sharing --port 3689-- pf firewall rule
block log proto tcp to any port 3689
#mDNSResponder --port 5353-- pf firewall rule
block log proto udp to any port 5353
#nfs --port 2049-- pf firewall rule
block log proto tcp to any port 2049
#optical drive sharing --port 49152-- pf firewall rule
block log proto tcp to any port 49152
#pop3 --port 110-- pf firewall rule
block in log proto tcp to any port 110
#pop3s --port 995-- pf firewall rule
block in log proto tcp to any port 995
#remote apple events --port 3031-- pf firewall rule
block in log proto tcp to any port 3031
#screen_sharing --port 5900-- pf firewall rule
block in log proto tcp to any port 5900
#allow screen sharing from localhost while tunneled via SSH
pass in quick on lo0 proto tcp from any to any port 5900
#smb --ports 139 445 137 138-- pf firewall rule
block in log proto tcp to any port { 139 445 }
block in log proto udp to any port { 137 138 }
#smtp --port 25-- pf firewall rule
block in log proto tcp to any port 25
#telnet --port 23-- pf firewall rule
block in log proto { tcp udp } to any port 23
#tftp --port 69-- pf firewall rule
block log proto { tcp udp } to any port 69
#uucp --port 540-- pf firewall rule
block log proto tcp to any port 540
ENDCONFIG
}
####
enable_macos_application_firewall
create_macsec_pf_anchors
configure_pf_config_add_macsec_anchors
enable_pf_firewall_with_macsec_rules

138
includes/pwpolicy.xml Normal file
View File

@@ -0,0 +1,138 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>policyCategoryAuthentication</key>
<array>
<dict>
<key>policyContent</key>
<string>(policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime &gt; (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string>
<key>policyIdentifier</key>
<string>Authentication Lockout</string>
<key>policyParameters</key>
<dict>
<key>autoEnableInSeconds</key>
<integer>300</integer>
<key>policyAttributeMaximumFailedAuthentications</key>
<integer>3</integer>
</dict>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributeLastAuthenticationTime &gt; policyAttributeCurrentTime - (policyAttributeInactiveDays * 24 * 60 * 60)</string>
<key>policyIdentifier</key>
<string>Inactive Account</string>
<key>policyParameters</key>
<dict>
<key>policyAttributeInactiveDays</key>
<integer>35</integer>
</dict>
</dict>
</array>
<key>policyCategoryPasswordChange</key>
<array>
<dict>
<key>policyContent</key>
<string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
<key>policyIdentifier</key>
<string>Password Expires after 60 days</string>
<key>policyParameters</key>
<dict>
<key>policyAttributeExpiresEveryNDays</key>
<integer>60</integer>
</dict>
</dict>
</array>
<key>policyCategoryPasswordContent</key>
<array>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '(.*[A-Z].*){1,}+'</string>
<key>policyIdentifier</key>
<string>Must have at least 1 uppercase letter</string>
<key>policyParameters</key>
<dict>
<key>minimumAlphaCharactersUpperCase</key>
<integer>1</integer>
</dict>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributeLastPasswordChangeTime &lt; policyAttributeCurrentTime - (policyAttributeMinimumLifetimeHours * 60 * 60)</string>
<key>policyIdentifier</key>
<string>Minimum Password Lifetime</string>
<key>policyParameters</key>
<dict>
<key>policyAttributeMinimumLifetimeHours</key>
<integer>24</integer>
</dict>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '.{15,}+'</string>
<key>policyIdentifier</key>
<string>Must be at least 15 characters</string>
<key>policyParameters</key>
<dict>
<key>minimumLength</key>
<integer>15</integer>
</dict>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '(.*[0-9].*){1,}+'</string>
<key>policyIdentifier</key>
<string>Must have at least 1 numeric value</string>
<key>policyParameters</key>
<dict>
<key>minimumNumericCharacters</key>
<integer>2</integer>
</dict>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '(.*[a-z].*){1,}+'</string>
<key>policyIdentifier</key>
<string>Must have at least 1 lowercase letter</string>
<key>policyParameters</key>
<dict>
<key>minimumAlphaCharactersLowerCase</key>
<integer>1</integer>
</dict>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '(.*[A-Z].*){1,}+'</string>
<key>policyIdentifier</key>
<string>Must have at least 1 uppercase letter</string>
<key>policyParameters</key>
<dict>
<key>minimumAlphaCharacters</key>
<integer>1</integer>
</dict>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '(.*[^a-zA-Z0-9].*){1,}+'</string>
<key>policyIdentifier</key>
<string>Must have at least 1 special characters</string>
<key>policyParameters</key>
<dict>
<key>minimumSymbols</key>
<integer>1</integer>
</dict>
</dict>
<dict>
<key>policyContent</key>
<string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string>
<key>policyIdentifier</key>
<string>Cannot match the last 5 passwords</string>
<key>policyParameters</key>
<dict>
<key>policyAttributePasswordHistoryDepth</key>
<integer>5</integer>
</dict>
</dict>
</array>
</dict>
</plist>

111
includes/supported_payloads.yaml Normal file
View File

@@ -0,0 +1,111 @@
payloads_types:
- com.apple.ADCertificate.managed
- com.apple.AIM.account
- com.apple.AssetCache.managed
- com.apple.Compressor
- com.apple.Dictionary
- com.apple.DirectoryService.managed
- com.apple.DiscRecording
- com.apple.Enterprise-Connect
- com.apple.FinalCut
- com.apple.MCX
- com.apple.MCX.FileVault2
- com.apple.MCX.TimeMachine
- com.apple.ManagedClient.preferences
- com.apple.NSExtension
- com.apple.NetworkBrowser
- com.apple.Safari
- com.apple.SetupAssistant.managed
- com.apple.Siri
- com.apple.SoftwareUpdate
- com.apple.Spotlight
- com.apple.SubmitDiagInfo
- com.apple.SystemConfiguration
- com.apple.TCC.configuration-profile-policy
- com.apple.TextEdit
- com.apple.TimeMachine
- com.apple.airplay
- com.apple.airplay.security
- com.apple.airprint
- com.apple.app.lock
- com.apple.applicationaccess
- com.apple.applicationaccess.new
- com.apple.appstore
- com.apple.asam
- com.apple.assistant.support
- com.apple.caldav.account
- com.apple.carddav.account
- com.apple.cellular
- com.apple.conferenceroomdisplay
- com.apple.configurationprofile.identification
- com.apple.coreservices.uiagent
- com.apple.dashboard
- com.apple.desktop
- com.apple.desktopservices
- com.apple.dnsProxy.managed
- com.apple.dock
- com.apple.domains
- com.apple.eas.account
- com.apple.education
- com.apple.ews.account
- com.apple.familycontrols.contentfilter
- com.apple.finder
- com.apple.font
- com.apple.gamed
- com.apple.garageband10
- com.apple.google-oauth
- com.apple.iBooksX
- com.apple.iMovieApp
- com.apple.iTunes
- com.apple.iWork.Keynote
- com.apple.iWork.Numbers
- com.apple.iWork.Pages
- com.apple.icloud.managed
- com.apple.ironwood.support
- com.apple.jabber.account
- com.apple.ldap.account
- com.apple.logic10
- com.apple.loginitems.managed
- com.apple.loginwindow
- com.apple.mDNSResponder
- com.apple.mail.managed
- com.apple.mcxloginscripts
- com.apple.mobiledevice.passwordpolicy
- com.apple.motionapp
- com.apple.networkusagerules
- com.apple.notificationsettings
- com.apple.osxserver.account
- com.apple.preference.security
- com.apple.profileRemovalPassword
- com.apple.proxy.http.global
- com.apple.screencapture
- com.apple.screensaver
- com.apple.screensaver.user
- com.apple.security
- com.apple.security.FDERecoveryKeyEscrow
- com.apple.security.FDERecoveryRedirect
- com.apple.security.certificatetransparency
- com.apple.security.firewall
- com.apple.security.pem
- com.apple.security.pkcs1
- com.apple.security.pkcs12
- com.apple.security.scep
- com.apple.security.smartcard
- com.apple.shareddeviceconfiguration
- com.apple.sso
- com.apple.subscribedcalendar.account
- com.apple.syspolicy.kernel-extension-policy
- com.apple.systemmigration
- com.apple.systempolicy.control
- com.apple.systempolicy.managed
- com.apple.systempreferences
- com.apple.systemuiserver
- com.apple.touristd
- com.apple.tvremote
- com.apple.universalaccess
- com.apple.webClip.managed
- com.apple.webcontent-filter
- com.apple.wifi.managed
- com.apple.xsan
- com.apple.smb.server
- com.apple.AppleFileServer

39
rules/audit/audit_acls_files_configure.yaml Normal file
View File

@@ -0,0 +1,39 @@
id: audit_acls_files_configure
title: "Configure Audit Service to Create Log Files and Folder which prevent unauthorized access"
discussion: |
Audit information and audit tools must be configured to prevent unauthorized access, modification, and deletion. The audit service must be configured to create log files with the correct permissions to prevent normal users from reading audit logs. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
The audit log files must not have access control list (ACL) privileges set.
check: |
/bin/ls -le $(/usr/bin/awk -F: '/^dir/{print $2}' /etc/security/audit_control) | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":"
result:
integer: 0
fix: |
[source,bash]
----
/bin/chmod -RN $(/usr/bin/awk -F: '/^dir/{print $2}' /etc/security/audit_control)
----
references:
cce:
- CCE-84701-2
cci:
- CCI-000162
- CCI-001314
800-53r4:
- AU-9
- SI-11(b)
srg:
- SRG-OS-000057-GPOS-00027
- SRG-OS-000206-GPOS-00084
disa_stig:
- AOSX-14-000030
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig:
mobileconfig_info:

35
rules/audit/audit_acls_files_mode_configure.yaml Normal file
View File

@@ -0,0 +1,35 @@
id: audit_acls_files_mode_configure
title: "Configure Audit Log Files to Mode 440 or Less Permissive"
discussion: |
The audit service must be configured to create log files with permissions which prevent normal users from reading, modifying or deleting audit logs. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
The audit log files must only be readable by the Root user and by the group Wheel.
check: |
/bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | tr -d ' '
result:
integer: 0
fix: |
[source,bash]
----
/bin/chmod 440 $(/usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}')
----
references:
cce:
- CCE-84702-0
cci:
- CCI-000162
800-53r4:
- AU-9
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-14-001016
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig:

36
rules/audit/audit_acls_folder_wheel_configure.yaml Normal file
View File

@@ -0,0 +1,36 @@
id: audit_acls_folder_wheel_configure
title: "Configure Audit Log Files Group ownership to Wheel"
discussion: |
The audit service must be configured to create log files with permissions which prevent normal users from reading, modifying or deleting audit logs. If log files are set to only be readable and writable by root or administrative users with sudo, the risk is mitigated.
The audit log files must have the group ownership set to Wheel.
check: |
/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$4} END {print s}'
result:
integer: 0
fix: |
[source,bash]
----
/usr/sbin/chown -R root $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
----
references:
cce:
- CCE-84703-8
cci:
- CCI-000162
800-53r4:
- AU-9
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-14-001012
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig:
mobileconfig_info:

39
rules/audit/audit_acls_folders_configure.yaml Normal file
View File

@@ -0,0 +1,39 @@
id: audit_acls_folders_configure
title: "Configure Audit Log Folder to Not Contain Access Control Lists (ACLs)"
discussion: |
The audit service must be configured to create log folders with the correct permissions to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log folders are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
The audit log folder must not contain ACLs.
check: |
/bin/ls -lde $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":"
result:
integer: 0
fix: |
[source,bash]
----
/bin/chmod -N $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
----
references:
cce:
- CCE-84704-6
cci:
- CCI-000162
- CCI-001314
800-53r4:
- AU-9
- SI-11(b)
srg:
- SRG-OS-000057-GPOS-00027
- SRG-OS-000206-GPOS-00084
disa_stig:
- AOSX-14-000030
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig:
mobileconfig_info:

39
rules/audit/audit_acls_folders_mode_configure.yaml Normal file
View File

@@ -0,0 +1,39 @@
id: audit_acls_folders_mode_configure
title: "Configure Audit Log Folders to Mode 700 or Less Permissive"
discussion: |
The audit service must be configured to create log folders with the correct permissions to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log folders are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
The audit log folder must only allow read, write, and execute by Root.
check: |
/usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}')
result:
integer: 700
fix: |
[source,bash]
----
/bin/chmod 700 $(/usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}')
----
references:
cce:
- CCE-84705-3
cci:
- CCI-000162
- CCI-000163
- CCI-000164
800-53r4:
- AU-9
srg:
- SRG-OS-000058-GPOS-00028
- SRG-OS-000059-GPOS-00029
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-14-001017
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig:

75
rules/audit/audit_auditd_enabled.yaml Normal file
View File

@@ -0,0 +1,75 @@
id: audit_auditd_enabled
title: "Enable Security Auditing (auditd)"
discussion: |
Without establishing what type of events occurred, when they occurred, and by whom it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
Associating event types with detected events in the operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured operating system.
The information system initiates session audits at system start-up.
check: |
/bin/launchctl list | /usr/bin/grep -c com.apple.auditd
result:
integer: 1
fix: |
To enable the audit service, run the following command:
[source,bash]
----
/bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
----
references:
cce:
- CCE-84706-1
cci:
- CCI-000130
- CCI-000131
- CCI-000132
- CCI-000133
- CCI-000134
- CCI-000135
- CCI-000159
- CCI-001464
- CCI-001487
- CCI-001889
- CCI-001890
- CCI-001914
- CCI-002130
800-53r4:
- AU-3
- AU-3(1)
- AU-8
- AU-8(a)
- AU-8(b)
- AU-12
- AU-12(3)
- AU-14(1)
srg:
- SRG-OS-000037-GPOS-00015
- SRG-OS-000038-GPOS-00016
- SRG-OS-000039-GPOS-00017
- SRG-OS-000040-GPOS-00018
- SRG-OS-000041-GPOS-00019
- SRG-OS-000042-GPOS-00020
- SRG-OS-000042-GPOS-00021
- SRG-OS-000055-GPOS-00026
- SRG-OS-000254-GPOS-00095
- SRG-OS-000255-GPOS-00096
- SRG-OS-000303-GPOS-00120
- SRG-OS-000337-GPOS-00129
- SRG-OS-000358-GPOS-00145
- SRG-OS-000359-GPOS-00146
disa_stig:
- AOSX-14-001003
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

32
rules/audit/audit_configure_capacity_notify.yaml Normal file
View File

@@ -0,0 +1,32 @@
id: audit_configure_capacity_notify
title: "Configure Audit Capacity Warning"
discussion: |
The audit service must be configured to require a minimum percentage of free disk space in order to run. This ensures that audit will notify the administrator that action is required to free up more disk space for audit logs.
check: |
/usr/bin/grep -c "^minfree:25" /etc/security/audit_control
result:
integer: 1
fix: |
Edit the "/etc/security/audit_control" file and change the value for "minfree" to "25" using the following command:
[source,bash]
----
/usr/bin/sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; /usr/sbin/audit -s
----
references:
cce:
- CCE-84707-9
cci:
- CCI-001855
800-53r4:
- AU-5(1)
srg:
- SRG-OS-000343-GPOS-00134
disa_stig:
- AOSX-14-001030
macOS:
- "10.15"
tags:
- fisma-high
- STIG
mobileconfig: false
mobileconfig_info:

35
rules/audit/audit_failure_halt.yaml Normal file
View File

@@ -0,0 +1,35 @@
id: audit_failure_halt
title: "Configure System to Shut Down Upon Audit Failure"
discussion: |
The audit service should shut down the computer if it is unable to audit system events. Once audit failure occurs, user and system activity is no longer recorded and malicious activity could go undetected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode.
check: |
/usr/bin/grep -Ec "^policy.*ahlt" /etc/security/audit_control
result:
integer: 1
fix: |
Edit the "/etc/security/audit_control file" and change the value for policy to include the setting "ahlt".
[source,bash]
----
/usr/bin/sed -i.bak '/^policy/ s/$/,ahlt/' /etc/security/audit_control; /usr/sbin/audit -s
----
references:
cce:
- CCE-84708-7
cci:
- CCI-000140
800-53r4:
- AU-5(b)
srg:
- SRG-OS-000047-GPOS-00023
disa_stig:
- AOSX-14-001010
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: false
mobileconfig_info:

36
rules/audit/audit_files_group_configure.yaml Normal file
View File

@@ -0,0 +1,36 @@
id: audit_files_group_configure
title: "Configure Audit Log Files Group to Wheel"
discussion: |
The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
Audit log files must have the group set to Wheel.
check: |
/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$4} END {print s}'
result:
integer: 0
fix: |
[source,bash]
----
/usr/bin/chgrp -R wheel $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
----
references:
cce:
- CCE-84709-5
cci:
- CCI-000162
800-53r4:
- AU-9
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-14-001014
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig:
mobileconfig_info:

36
rules/audit/audit_files_owner_configure.yaml Normal file
View File

@@ -0,0 +1,36 @@
id: audit_files_owner_configure
title: "Configure Audit Log Files to be Owned by Root"
discussion: |
The audit service must be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by root or administrative users with sudo, the risk is mitigated.
Audit log files must be owned by root.
check: |
/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'
result:
integer: 0
fix: |
[source,bash]
----
/usr/sbin/chown -R root $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
----
references:
cce:
- CCE-84710-3
cci:
- CCI-000162
800-53r4:
- AU-9
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-14-001012
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig:
mobileconfig_info:

37
rules/audit/audit_flags_aa_configure.yaml Normal file
View File

@@ -0,0 +1,37 @@
id: audit_flags_aa_configure
title: 'Add "aa" Flag to audit_control Configuration'
discussion: |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
check: |
/usr/bin/grep -Ec "^flags.*aa" /etc/security/audit_control
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s
----
references:
cci:
- N/A
cce:
- CCE-84711-1
800-53r4:
- AU-12(c)
srg:
- SRG-OS-000470-GPOS-00214
- SRG-OS-000472-GPOS-00217
- SRG-OS-000473-GPOS-00218
- SRG-OS-000475-GPOS-00220
disa_stig:
- AOSX-14-001044
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: false
mobileconfig_info:

59
rules/audit/audit_flags_ad_configure.yaml Normal file
View File

@@ -0,0 +1,59 @@
id: audit_flags_ad_configure
title: 'Add "ad" Flag to audit_control Configuration'
discussion: |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
The information system audits the execution of privileged functions.
check: |
/usr/bin/grep -Ec "^flags.*ad" /etc/security/audit_control
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s
----
references:
cce:
- CCE-84712-9
cci:
- CCI-000018
- CCI-000172
- CCI-001403
- CCI-001404
- CCI-001405
- CCI-002234
- CCI-002884
800-53r4:
- AC-2(4)
- AC-6(9)
- AU-12(c)
- MA-4(1)(a)
srg:
- SRG-OS-000004-GPOS-00004
- SRG-OS-000239-GPOS-00089
- SRG-OS-000240-GPOS-00090
- SRG-OS-000241-GPOS-00091
- SRG-OS-000327-GPOS-00127
- SRG-OS-000392-GPOS-00172
- SRG-OS-000471-GPOS-00215
- SRG-OS-000471-GPOS-00216
- SRG-OS-000476-GPOS-00221
- SRG-OS-000477-GPOS-00222
- SRG-OS-000304-GPOS-00121
- SRG-OS-000277-GPOS-00107
- SRG-OS-000275-GPOS-00105
- SRG-OS-000276-GPOS-00106
- SRG-OS-000274-GPOS-00104
disa_stig:
- AOSX-14-001001
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: false
mobileconfig_info:

48
rules/audit/audit_flags_failed_file_read_restriction_enforced.yaml Normal file
View File

@@ -0,0 +1,48 @@
id: audit_flags_failed_file_read_restriction_enforced
title: "Configure System to Audit All Failed Read Actions on the System"
discussion: |
By auditing access restriction enforcement, changes to application and OS configuration files can be audited. Without auditing the enforcement of access restrictions, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation.
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.
check: |
/usr/bin/grep -Ec "^flags.*-fr" /etc/security/audit_control
result:
integer: 1
fix: |
To set the file read failed audit flag to the recommended setting, run the following command to add the flag "-fr".
[source,bash]
----
/usr/bin/sed -i.bak '/^flags/ s/$/,-fr/' /etc/security/audit_control;/usr/sbin/audit -s
----
references:
cce:
- CCE-84713-7
cci:
- CCI-000162
800-53r4:
- AU-12(c)
- AU-9
- CM-5(1)
srg:
- SRG-OS-000365-GPOS-00152
- SRG-OS-000458-GPOS-00203
- SRG-OS-000461-GPOS-00205
- SRG-OS-000463-GPOS-00207
- SRG-OS-000465-GPOS-00209
- SRG-OS-000466-GPOS-00210
- SRG-OS-000467-GPOS-00211
- SRG-OS-000468-GPOS-00212
- SRG-OS-000474-GPOS-00219
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-14-001016
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: false
mobileconfig_info:

48
rules/audit/audit_flags_failed_file_write_access_restriction_enforced.yaml Normal file
View File

@@ -0,0 +1,48 @@
id: audit_flags_failed_file_write_access_restriction_enforced
title: "Configure System to Audit All Failed Write Actions on the System"
discussion: |
By auditing access restriction enforcement, changes to application and OS configuration files can be audited. Without auditing the enforcement of access restrictions, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation.
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.
check: |
/usr/bin/grep -Ec "^flags.*-fw" /etc/security/audit_control
result:
integer: 1
fix: |
To set the file read failed audit flag to the recommended setting, run the following command to add the flag "-fw".
[source,bash]
----
/usr/bin/sed -i.bak '/^flags/ s/$/,-fw/' /etc/security/audit_control;/usr/sbin/audit -s
----
references:
cce:
- CCE-84714-5
cci:
- CCI-000162
800-53r4:
- AU-12(c)
- AU-9
- CM-5(1)
srg:
- SRG-OS-000365-GPOS-00152
- SRG-OS-000458-GPOS-00203
- SRG-OS-000461-GPOS-00205
- SRG-OS-000463-GPOS-00207
- SRG-OS-000465-GPOS-00209
- SRG-OS-000466-GPOS-00210
- SRG-OS-000467-GPOS-00211
- SRG-OS-000468-GPOS-00212
- SRG-OS-000474-GPOS-00219
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-14-001016
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: false
mobileconfig_info:

48
rules/audit/audit_flags_file_attr_mod_access_restriction_enforced.yaml Normal file
View File

@@ -0,0 +1,48 @@
id: audit_flags_file_attr_mod_access_restriction_enforced
title: "Configure System to Audit All Change of Object Attributes"
discussion: |
By auditing access restriction enforcement, changes to application and OS configuration files can be audited. Without auditing the enforcement of access restrictions, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation.
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.
check: |
/usr/bin/grep -Ec "^flags.*fm" /etc/security/audit_control
result:
integer: 1
fix: |
To set the file read failed audit flag to the recommended setting, run the following command to add the flag "fm".
[source,bash]
----
/usr/bin/sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control;/usr/sbin/audit -s
----
references:
cce:
- CCE-84715-2
cci:
- CCI-000162
800-53r4:
- AU-12(c)
- AU-9
- CM-5(1)
srg:
- SRG-OS-000365-GPOS-00152
- SRG-OS-000458-GPOS-00203
- SRG-OS-000461-GPOS-00205
- SRG-OS-000463-GPOS-00207
- SRG-OS-000465-GPOS-00209
- SRG-OS-000466-GPOS-00210
- SRG-OS-000467-GPOS-00211
- SRG-OS-000468-GPOS-00212
- SRG-OS-000474-GPOS-00219
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-14-001016
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: false
mobileconfig_info:

40
rules/audit/audit_flags_lo_configure.yaml Normal file
View File

@@ -0,0 +1,40 @@
id: audit_flags_lo_configure
title: 'Add "lo" Flag to audit_control Configuration'
discussion: |
Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user account with normal or elevated privileges in order to proceed. Auditing successful and unsuccessful attempts to switch to another user account and the escalation of privileges mitigates this risk.
The information system monitors and login and logout events.
check: |
/usr/bin/grep -Ec "^flags*.lo" /etc/security/audit_control
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/sbin/audit -s
----
references:
cce:
- CCE-84716-0
cci:
- CCI-000067
- CCI-000172
800-53r4:
- AC-17(1)
- AU-12(c)
srg:
- SRG-OS-000032-GPOS-00013
- SRG-OS-000064-GPOS-00033
- SRG-OS-000462-GPOS-00206
disa_stig:
- AOSX-14-001002
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: false
mobileconfig_info:

35
rules/audit/audit_folder_group_configure.yaml Normal file
View File

@@ -0,0 +1,35 @@
id: audit_folder_group_configure
title: "Configure Audit Log Folders Group to Wheel"
discussion: |
The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and about users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
The audit log folder must have the group set to Wheel.
check: |
/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') | awk '{print $4}'
result:
integer: 0
fix: |
----
/usr/sbin/chgrp wheel $(/usr/bin/awk -F : '/^dir/{print $2}' /etc/security/audit_control)
----
references:
cce:
- CCE-84717-8
cci:
- CCI-000162
800-53r4:
- AU-9
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-14-001015
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig:
mobileconfig_info:

35
rules/audit/audit_folder_owner_configure.yaml Normal file
View File

@@ -0,0 +1,35 @@
id: audit_folder_owner_configure
title: "Configure Audit Log Folders to be Owned by Root"
discussion: |
The audit service must be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and about users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
The audit log folder must be owned by Root.
check: |
/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') | awk '{print $3}'
result:
integer: 0
fix: |
----
/usr/sbin/chown root $(/usr/bin/awk -F : '/^dir/{print $2}' /etc/security/audit_control)
----
references:
cce:
- CCE-84718-6
cci:
- CCI-000162
800-53r4:
- AU-9
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-14-001013
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig:
mobileconfig_info:

34
rules/audit/audit_retention_one_week_configure.yaml Normal file
View File

@@ -0,0 +1,34 @@
id: audit_retention_one_week_configure
title: "Configure Audit Retention to a Minimum of 7 Days"
discussion: |
The audit service must be configured to require that records are kept for seven days or longer before deletion when there is no central audit record storage facility. When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data is at least seven days old.
check: |
/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control
result:
string: 7d
fix: |
[source,bash]
----
/usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s
----
references:
cce:
- CCE-84719-4
cci:
- CCI-001849
800-53r4:
- AU-4
srg:
- SRG-OS-000341-GPOS-00132
disa_stig:
- AOSX-14-001029
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: false
mobileconfig_info:

32
rules/audit/audit_settings_failure_notify.yaml Normal file
View File

@@ -0,0 +1,32 @@
id: audit_settings_failure_notify
title: "Configure Audit Failure Notification"
discussion: |
The audit service should be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.
If the argument "-s" is missing, or if "audit_warn" has not been otherwise modified to print errors to the console or send email alerts to the SA and ISSO, this is a finding.
check: |
/usr/bin/grep -c "logger -s -p" /etc/security/audit_warn
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; /usr/sbin/audit -s
----
references:
cce:
- CCE-84720-2
cci:
- CCI-001858
800-53r4:
- AU-5(2)
srg:
- SRG-OS-000344-GPOS-00135
disa_stig:
- AOSX-14-001031
macOS:
- "10.15"
tags:
- fisma-high
- STIG
mobileconfig:

60
rules/auth/auth_pam_login_smartcard_enforce.yaml Normal file
View File

@@ -0,0 +1,60 @@
id: auth_pam_login_smartcard_enforce
title: "Enforce Multifactor Authentication for Login"
discussion: |
Privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Ensure that the login process enforces mutlifactor authentication.
NOTE: /etc/pam.d/login will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
/usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/login
result:
integer: 2
fix: |
[source,bash]
----
/bin/cat > /etc/pam.d/login << LOGIN_END
# login: auth account password session
auth sufficient pam_smartcard.so
auth optional pam_krb5.so use_kcminit
auth optional pam_ntlm.so try_first_pass
auth optional pam_mount.so try_first_pass
auth required pam_opendirectory.so try_first_pass
auth required pam_deny.so
account required pam_nologin.so
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session required pam_uwtmp.so
session optional pam_mount.so
LOGIN_END
/bin/chmod 644 /etc/pam.d/login
/usr/sbin/chown root:wheel /etc/pam.d/login
----
references:
cce:
- CCE-84721-0
cci:
- CCI-000366
800-53r4:
- IA-2(3)
- CM-6(b)
srg:
- SRG-OS-000107-GPOS-00054
- SRG-OS-000480-GPOS-00227
disa_stig:
- AOSX-14-003050
- AOSX-14-003051
- AOSX-14-003052
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: false
mobileconfig_info:

55
rules/auth/auth_pam_su_smartcard_enforce.yaml Normal file
View File

@@ -0,0 +1,55 @@
id: auth_pam_su_smartcard_enforce
title: "Enforce Multifactor Authentication for Privilege Escalation for the su process"
discussion: |
To assure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Ensure that use of su to elevate privilege enforces mutlifactor authentication.
NOTE: /etc/pam.d/su will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
/usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_rootok.so)' /etc/pam.d/su
result:
integer: 2
fix: |
[source,bash]
----
/bin/cat > /etc/pam.d/su << SU_END
# su: auth account password session
auth sufficient pam_smartcard.so
auth required pam_rootok.so
auth required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account required pam_permit.so
account required pam_opendirectory.so no_check_shell
password required pam_opendirectory.so
session required pam_launchd.so
SU_END
# Fix new file ownership and permissions
/bin/chmod 644 /etc/pam.d/su
/usr/sbin/chown root:wheel /etc/pam.d/su
----
references:
cce:
- CCE-84722-8
cci:
- CCI-000366
800-53r4:
- IA-2(3)
- CM-6(b)
srg:
- SRG-OS-000107-GPOS-00054
- SRG-OS-000480-GPOS-00227
disa_stig:
- AOSX-14-003050
- AOSX-14-003051
- AOSX-14-003052
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: false
mobileconfig_info:

54
rules/auth/auth_pam_sudo_smartcard_enforce.yaml Normal file
View File

@@ -0,0 +1,54 @@
id: auth_pam_sudo_smartcard_enforce
title: "Enforce Multifactor Authentication for Priveledge Escalation through the sudo process"
discussion: |
To assure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Ensure that use of sudo to elevate privilege enforces mutlifactor authentication.
NOTE: /etc/pam.d/sudo will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
/usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/sudo
result:
integer: 2
fix: |
[source,bash]
----
/bin/cat > /etc/pam.d/sudo << SUDO_END
# sudo: auth account password session
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
SUDO_END
/bin/chmod 444 /etc/pam.d/sudo
/usr/sbin/chown root:wheel /etc/pam.d/sudo
----
references:
cce:
- CCE-84723-6
cci:
- CCI-000366
800-53r4:
- IA-2(3)
- CM-6(b)
srg:
- SRG-OS-000107-GPOS-00054
- SRG-OS-000480-GPOS-00227
disa_stig:
- AOSX-14-003050
- AOSX-14-003051
- AOSX-14-003052
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: false
mobileconfig_info:

34
rules/auth/auth_smartcard_allow.yaml Normal file
View File

@@ -0,0 +1,34 @@
id: auth_smartcard_allow
title: "Allow Smartcard Authentication"
discussion: |
The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access.
When enabled the smartcard can be used for login, authorization, and screen saver unlocking.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowSmartCard = 1'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-84724-4
cci:
- N/A
800-53r4:
- IA-2(12)
srg:
- SRG-OS-000376-GPOS-00161
disa_stig:
- N/A
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:
allowSmartCard: true

36
rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml Normal file
View File

@@ -0,0 +1,36 @@
id: auth_smartcard_certificate_trust_enforce_high
title: "Set Smartcard Certificate Trust to High"
discussion: |
The macOS system must be configured to not allow access to users who are no longer authorized (users with revoked certificates). To prevent the use of untrusted certificates, the certificates on a smartcard card must meet the following criteria: its issuer has a system-trusted certificate, the certificate is not expired, its "valid-after" date is in the past, and it passes CRL and OCSP checking.
This is a hard revocation, a network connection is required. A verified positive response from the OSCP/CRL server is required for authentication to succeed.
NOTE: Before applying this setting, please see the smartcard supplemental guidance.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/awk '/checkCertificateTrust/{print substr($3, 1, length($3)-1)}'
result:
intger: 3
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-84725-1
cci:
- CCI-000186
800-53r4:
- IA-2(12)
- IA-5(2)
- IA-5(2)(d)
srg:
- SRG-OS-000067-GPOS-00035
disa_stig:
- AOSX-14-003002
macOS:
- "10.15"
tags:
- fisma-high
- STIG
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:
checkCertificateTrust: 3

36
rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml Normal file
View File

@@ -0,0 +1,36 @@
id: auth_smartcard_certificate_trust_enforce_moderate
title: "Set Smartcard Certificate Trust to Moderate"
discussion: |
The macOS system must be configured to not allow access to users who are no longer authorized (users with revoked certificates). To prevent the use of untrusted certificates, the certificates on a smartcard card must meet the following criteria: its issuer has a system-trusted certificate, the certificate is not expired, its "valid-after" date is in the past, and it passes CRL and OCSP checking.
This is a soft revocation. If the OCSP/CRL server is unreachable, authentication will still succeed.
NOTE: Before applying this setting, please see the smartcard supplemental guidance.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/awk '/checkCertificateTrust/{print substr($3, 1, length($3)-1)}'
result:
integer: 2
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-84726-9
cci:
- CCI-000186
800-53r4:
- IA-2(12)
- IA-5(2)
- IA-5(2)(d)
srg:
- SRG-OS-000067-GPOS-00035
disa_stig:
- AOSX-14-003002
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:
checkCertificateTrust: 2

61
rules/auth/auth_smartcard_enforce.yaml Normal file
View File

@@ -0,0 +1,61 @@
id: auth_smartcard_enforce
title: "Enforce Smartcard Authentication"
discussion: |
The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access.
When enforceSmartCard is set to true the smartcard must be used for login, authorization, and screen saver unlocking.
CAUTION: enforceSmartCard will apply to the whole system. No users will be able to login with their password unless the profile is removed or a member of the NotEnforced group.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'enforceSmartCard = 1'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-84727-7
cci:
- CCI-000187
- CCI-000765
- CCI-000766
- CCI-000767
- CCI-000768
- CCI-000877
- CCI-001948
800-53r4:
- IA-2
- IA-2(1)
- IA-2(2)
- IA-2(3)
- IA-2(4)
- IA-2(6)
- IA-2(11)
- IA-5(2)(b)
- IA-5(2)(c)
- MA-4(c)
srg:
- SRG-OS-000068-GPOS-00036
- SRG-OS-000105-GPOS-00052
- SRG-OS-000106-GPOS-00053
- SRG-OS-000107-GPOS-00054
- SRG-OS-000108-GPOS-00055
- SRG-OS-000125-GPOS-00065
- SRG-OS-000375-GPOS-00160
disa_stig:
- AOSX-14-003020
- AOSX-14-003024
- AOSX-14-003005
- AOSX-14-003025
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:
enforceSmartCard: true

65
rules/auth/auth_ssh_smartcard_enforce.yaml Normal file
View File

@@ -0,0 +1,65 @@
id: auth_ssh_smartcard_enforce
title: "Enforce Smartcard Authentication for SSH"
discussion: |
To ensure accountability and prevent unauthorized access, users must utilize multifactor authentication.
Enforce Smartcard Authentication for user login via SSH.
NOTE: Before applying this setting, please see the smartcard supplemental guidance.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
/usr/bin/grep -Ec '^(PasswordAuthentication\s+no|ChallengeResponseAuthentication\s+no)' /etc/ssh/sshd_config
result:
integer: 2
fix: |
The following commands must be run to disable passcode based authentication for SSHD:
[source,bash]
----
/usr/bin/sed -i.bak_$(date "+%Y-%m-%d_%H:%M") "s|#PasswordAuthentication yes|PasswordAuthentication no|; s|#ChallengeResponseAuthentication yes|ChallengeResponseAuthentication no|" /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
----
references:
cce:
- CCE-84729-3
cci:
- CCI-000187
- CCI-000765
- CCI-000766
- CCI-000767
- CCI-000768
- CCI-000877
- CCI-001948
800-53r4:
- IA-2
- IA-2(1)
- IA-2(2)
- IA-2(3)
- IA-2(4)
- IA-2(6)
- IA-2(11)
- IA-5(2)(b)
- IA-5(2)(c)
- MA-4(c)
srg:
- SRG-OS-000068-GPOS-00036
- SRG-OS-000105-GPOS-00052
- SRG-OS-000106-GPOS-00053
- SRG-OS-000107-GPOS-00054
- SRG-OS-000108-GPOS-00055
- SRG-OS-000125-GPOS-00065
- SRG-OS-000375-GPOS-00160
disa_stig:
- AOSX-14-003020
- AOSX-14-003024
- AOSX-14-003005
- AOSX-14-003025
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: false
mobileconfig_info:

36
rules/icloud/icloud_addressbook_disable.yaml Normal file
View File

@@ -0,0 +1,36 @@
id: icloud_addressbook_disable
title: "Disable iCloud Address Book"
discussion: |
The macOS built-in Contacts.app connection to Apple's iCloud service, which is not a organizationally approved cloud, must be disabled. Automated contact synchronization shall be planned and controlled to approved storage.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudAddressBook = 0'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-84730-1
cci:
- CCI-000381
- CCI-001774
800-53r4:
- CM-7(a)
- CM-7(5)(b)
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-14-002014
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowCloudAddressBook: false

36
rules/icloud/icloud_appleid_prefpane_disable.yaml Normal file
View File

@@ -0,0 +1,36 @@
id: icloud_appleid_prefpane_disable
title: "Disable the system preference pane for Apple ID"
discussion: |
The system preference panel for Apple ID must be disabled as it is not an organizationally approved cloud service.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.AppleID'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-84731-9
cci:
- CCI-000381
- CCI-001774
800-53r4:
- CM-7(5)(b)
- CM-7(a)
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-14-002018
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
mobileconfig: true
mobileconfig_info:
com.apple.systempreferences:
DisabledPreferencePanes:
- com.apple.preferences.AppleIDPrefPane

36
rules/icloud/icloud_bookmarks_disable.yaml Normal file
View File

@@ -0,0 +1,36 @@
id: icloud_bookmarks_disable
title: "Disable iCloud Bookmarks"
discussion: |
The macOS built-in Safari.app bookmark synchronization via the iCloud service must be disabled as it is not an organizationally approved cloud service. Automated bookmark synchronization shall be planned and controlled to approved storage.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudBookmarks = 0'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-84732-7
cci:
- CCI-000381
- CCI-001774
800-53r4:
- CM-7(a)
- CM-7(5)(b)
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-14-002042
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowCloudBookmarks: false

36
rules/icloud/icloud_calendar_disable.yaml Normal file
View File

@@ -0,0 +1,36 @@
id: icloud_calendar_disable
title: "Disable the iCloud Calendar services"
discussion: |
The macOS built-in Calendar.app connection to Apple's iCloud service, which is not a organizationally approved cloud, must be disabled. Automated calendar synchronization shall be planned and controlled to approved storage.
check:
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudCalendar = 0'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-84733-5
cci:
- CCI-000381
- CCI-001774
800-53r4:
- CM-7(a)
- CM-7(5)(b)
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-14-002012
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowCloudCalendar: false

37
rules/icloud/icloud_drive_disable.yaml Normal file
View File

@@ -0,0 +1,37 @@
id: icloud_drive_disable
title: "Disable iCloud Document Sync"
discussion: |
The macOS built-in iCloud document synchronization service must disabled to prevent organizational data from being synchronized to personal or non-approved storage. Automated synchronization shall be planned and controlled to approved storage.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudDocumentSync = 0'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-84734-3
cci:
- CCI-000381
- CCI-001774
800-53r4:
- CM-7(a)
- CM-7(5)(b)
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-14-002041
- AOSX-14-002049
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowCloudDocumentSync: false

36
rules/icloud/icloud_keychain_disable.yaml Normal file
View File

@@ -0,0 +1,36 @@
id: icloud_keychain_disable
title: "Disable iCloud Keychain Sync"
discussion: |
The macOS system's ability to automatically synchronize a user's passwords to their iCloud account must be disabled. Password management and synchronization shall be planned and controlled to approved storage.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudKeychainSync = 0'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-84735-0
cci:
- CCI-000381
- CCI-001774
800-53r4:
- CM-7(a)
- CM-7(5)(b)
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-14-002040
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowCloudKeychainSync: false

36
rules/icloud/icloud_mail_disable.yaml Normal file
View File

@@ -0,0 +1,36 @@
id: icloud_mail_disable
title: "Disable iCloud Mail"
discussion: |
The macOS built-in Mail.app connection to Apple's iCloud service must be disabled as it is not an organizationally approved service. Automated Mail synchronization shall be planned and controlled to approved storage.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudMail = 0'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-84736-8
cci:
- CCI-000381
- CCI-001774
800-53r4:
- CM-7(a)
- CM-7(5)(b)
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-14-002015
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowCloudMail: false

36
rules/icloud/icloud_notes_disable.yaml Normal file
View File

@@ -0,0 +1,36 @@
id: icloud_notes_disable
title: "Disable iCloud Notes"
discussion: |
The macOS built-in Notes.app connection to Apple's iCloud service must be disabled. Automated Note synchronization shall be planned and controlled to approved storage.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudNotes = 0'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-84737-6
cci:
- CCI-000381
- CCI-001774
800-53r4:
- CM-7(a)
- CM-7(5)(b)
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-14-002016
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowCloudNotes: false

36
rules/icloud/icloud_photos_disable.yaml Normal file
View File

@@ -0,0 +1,36 @@
id: icloud_photos_disable
title: "Disable iCloud Photo Library"
discussion: |
The macOS built-in Photos.app connection to Apple's iCloud service must be disabled. Automated file snychronization shall be planned and controlled to approved storage.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudPhotoLibrary = 0'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-84738-4
cci:
- CCI-000381
- CCI-001774
800-53r4:
- CM-7(a)
- CM-7(5)(b)
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-14-002043
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowCloudPhotoLibrary: false

36
rules/icloud/icloud_reminders_disable.yaml Normal file
View File

@@ -0,0 +1,36 @@
id: icloud_reminders_disable
title: "Disable iCloud Reminders"
discussion: |
The macOS built-in Reminders.app connection to Apple's iCloud service must be disabled. Automated reminder synchronization shall be planned and controlled to approved storage.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudReminders = 0'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-84739-2
cci:
- CCI-000381
- CCI-001774
800-53r4:
- CM-7(a)
- CM-7(5)(b)
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-14-002013
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowCloudReminders: false

34
rules/icloud/icloud_sync_disable.yaml Normal file
View File

@@ -0,0 +1,34 @@
id: icloud_sync_disable
title: "Disable iCloud Desktop and Document Folder Sync"
discussion: |
The macOS system's ability to automatically synchronize a user's desktop and documents folder to their iCloud Drive must be disabled. Automated file synchronization shall be planned and controlled to Agency approved storage.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudDesktopAndDocuments = 0'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-84740-0
cci:
- N/A
800-53r4:
- CM-7(a)
- CM-7(5)(b)
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- N/A
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowCloudDesktopAndDocuments: false

28
rules/inherent/os_allow_info_passed.yaml Normal file
View File

@@ -0,0 +1,28 @@
id: os_allow_info_passed
title: "Must allow information passed to other operating systems or users"
discussion: |
The macOS is a UNIX 03-compliant operating system which allows owners of object to have discretion over who should be authorized to access information.
link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84863-0
cci:
- CCI-002165
800-53r4:
- AC-3(4)
disa_stig:
- AOSX-15-100024
srg:
- SRG-OS-000312-GPOS-00122
macOS:
- "10.15"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

28
rules/inherent/os_change_security_attributes.yaml Normal file
View File

@@ -0,0 +1,28 @@
id: os_change_security_attributes
title: "Must allow admins to change security settings and attributes"
discussion: |
The macOS is a UNIX 03-compliant operating system which allows administrators of the system to change security settings and attributes of the system.
link:https://support.apple.com/guide/mac-help/set-up-other-users-on-your-mac-mtusr001/mac
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84882-0
cci:
- CCI-002165
800-53r4:
- AC-3(4)
disa_stig:
- AOSX-15-100026
srg:
- SRG-OS-000312-GPOS-00124
macOS:
- "10.15"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

27
rules/inherent/os_crypto_audit.yaml Normal file
View File

@@ -0,0 +1,27 @@
id: os_crypto_audit
title: "Must use cryptographic mechanisms to protect integrity of audit tools"
discussion: |
The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84889-5
cci:
- CCI-001496
800-53r4:
- AU-9(3)
disa_stig:
- AOSX-15-100018
srg:
- SRG-OS-000278-GPOS-00108
macOS:
- "10.15"
tags:
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

27
rules/inherent/os_enforce_access_restrictions.yaml Normal file
View File

@@ -0,0 +1,27 @@
id: os_enforce_access_restrictions
title: "Enforce access restrictions"
discussion: |
The information system enforces access restrictions and supports auditing of the enforcement actions.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84854-9
cci:
- CCI-001813
800-53r4:
- CM-5(1)
disa_stig:
- AOSX-15-100029
srg:
- SRG-OS-000364-GPOS-00151
macOS:
- "10.15"
tags:
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

29
rules/inherent/os_error_message.yaml Normal file
View File

@@ -0,0 +1,29 @@
id: os_error_message
title: "Generate error messages without expoitable information"
discussion: |
Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84887-9
cci:
- CCI-001312
800-53r4:
- SI-11(a)
disa_stig:
- AOSX-15-100016
srg:
- SRG-OS-000205-GPOS-00083
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

27
rules/inherent/os_fail_secure_state.yaml Normal file
View File

@@ -0,0 +1,27 @@
id: os_fail_secure_state
title: "Shutdown if system initialization fails, shutdown fails, or aborts fails"
discussion: |
Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Operating systems that fail suddenly and with no incorporated failure state planning may leave the system available but with a reduced security protection capability. Preserving operating system state information also facilitates system restart and return to the operational mode of the organization with less disruption to mission-essential processes. Abort refers to stopping a program or function before it has finished naturally. The term abort refers to both requested and unexpected terminations.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84860-6
cci:
- CCI-001190
800-53r4:
- SC-24
disa_stig:
- AOSX-15-100015
srg:
- SRG-OS-000184-GPOS-00078
macOS:
- "10.15"
tags:
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

28
rules/inherent/os_grant_privs.yaml Normal file
View File

@@ -0,0 +1,28 @@
id: os_grant_privs
title: "Must allow admins to promote users to admins"
discussion: |
The macOS is a UNIX 03-compliant operating system which allows administrators of the system to grant privileges to other users.
link: https://support.apple.com/guide/mac-help/set-up-other-users-on-your-mac-mtusr001/mac
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84878-8
cci:
- CCI-002165
800-53r4:
- AC-3(4)
disa_stig:
- AOSX-15-100025
srg:
- SRG-OS-000312-GPOS-00123
macOS:
- "10.15"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

30
rules/inherent/os_implement_cryptography.yaml Normal file
View File

@@ -0,0 +1,30 @@
id: os_implement_cryptography
title: "Implement approved cryptography to protect information"
discussion: |
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement using FIPS Validated Cryptographic Modules.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84867-1
cci:
- CCI-002450
800-53r4:
- SC-13
disa_stig:
- AOSX-15-100035
srg:
- SRG-OS-000396-GPOS-00176
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

29
rules/inherent/os_implement_memory_protection.yaml Normal file
View File

@@ -0,0 +1,29 @@
id: os_implement_memory_protection
title: "Must implement non-executable data to protect memory from code execution"
discussion: |
Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.Examples of attacks are buffer overflow attacks.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84866-3
cci:
- CCI-002824
800-53r4:
- SI-16
disa_stig:
- AOSX-15-100037
srg:
- SRG-OS-000433-GPOS-00192
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

29
rules/inherent/os_implement_random_address_space.yaml Normal file
View File

@@ -0,0 +1,29 @@
id: os_implement_random_address_space
title: "Must implement random address space to protect memory from unauthorized code execution"
discussion: |
Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.Examples of attacks are buffer overflow attacks.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84891-1
cci:
- CCI-002824
800-53r4:
- SI-16
disa_stig:
- AOSX-15-100038
srg:
- SRG-OS-000433-GPOS-00193
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

27
rules/inherent/os_isolate_security_functions.yaml Normal file
View File

@@ -0,0 +1,27 @@
id: os_isolate_security_functions
title: "Isolate security functions from non-security functions"
discussion: |
The information system isolates security functions from nonsecurity functions.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84876-2
cci:
- CCI-001084
800-53r4:
- SC-3
disa_stig:
- AOSX-15-100013
srg:
- SRG-OS-000134-GPOS-00068
macOS:
- "10.15"
tags:
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

30
rules/inherent/os_limit_auditable_events.yaml Normal file
View File

@@ -0,0 +1,30 @@
id: os_limit_auditable_events
title: "Only allow authorized users to select auditable events"
discussion: |
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84861-4
cci:
- CCI-000171
800-53r4:
- AU-12(b)
disa_stig:
- AOSX-15-100002
srg:
- SRG-OS-000063-GPOS-00032
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

27
rules/inherent/os_limit_gui_sessions.yaml Normal file
View File

@@ -0,0 +1,27 @@
id: os_limit_gui_sessions
title: "Limit number of concurrent GUI sessions to 10 for all accounts"
discussion: |
Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84855-6
cci:
- CCI-000054
800-53r4:
- AC-10
disa_stig:
- AOSX-15-100001
srg:
- SRG-OS-000027-GPOS-00008
macOS:
- "10.15"
tags:
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

30
rules/inherent/os_logical_access.yaml Normal file
View File

@@ -0,0 +1,30 @@
id: os_logical_access
title: "Enforce approved authorization for logical access"
discussion: |
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84857-2
cci:
- CCI-000213
800-53r4:
- AC-3
disa_stig:
- AOSX-15-100006
srg:
- SRG-OS-000080-GPOS-00048
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

32
rules/inherent/os_logoff_capability_and_message.yaml Normal file
View File

@@ -0,0 +1,32 @@
id: os_logoff_capability_and_message
title: "Display logoff capability and message to prevent exploitation"
discussion: |
Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to the system.
Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84859-8
cci:
- CCI-002363
- CCI-002364
800-53r4:
- AC-12(1)(a)
- AC-12(1)(b)
disa_stig:
- AOSX-15-100020
- AOSX-15-100021
srg:
- SRG-OS-000280-GPOS-00110
- SRG-OS-000281-GPOS-00111
macOS:
- "10.15"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

29
rules/inherent/os_map_pki_identity.yaml Normal file
View File

@@ -0,0 +1,29 @@
id: os_map_pki_identity
title: "Map identity for PKI based authentication"
discussion: |
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
check: |
For directory bound systems, the technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
For directory bound systems, the technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84873-9
cci:
- CCI-000187
800-53r4:
- IA-5(2)(c)
disa_stig:
- AOSX-15-100003
srg:
- SRG-OS-000068-GPOS-00036
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

31
rules/inherent/os_mfa_network_access.yaml Normal file
View File

@@ -0,0 +1,31 @@
id: os_mfa_network_access
title: "Enforce multifactor authentication for network access to priviledged accounts"
discussion: |
The information system implements multifactor authentication for network access to privileged accounts.
check: |
For directory bound systems:
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
For directory bound systems, the technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84883-8
cci:
- CCI-000765
800-53r4:
- IA-2(1)
disa_stig:
- AOSX-15-100008
srg:
- SRG-OS-000105-GPOS-00052
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

30
rules/inherent/os_mfa_network_non-priv.yaml Normal file
View File

@@ -0,0 +1,30 @@
id: os_mfa_network_non-priv
title: "Enforce multifactor authentication for network access to non-priviledged accounts"
discussion: |
The information system implements multifactor authentication for network access to non-privileged accounts.
check: |
For directory bound systems:
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
For directory bound systems, the technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84864-8
cci:
- CCI-000766
800-53r4:
- IA-2(2)
disa_stig:
- AOSX-15-100009
srg:
- SRG-OS-000106-GPOS-00053
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

30
rules/inherent/os_obscure_password.yaml Normal file
View File

@@ -0,0 +1,30 @@
id: os_obscure_password
title: "Obscure passwords"
discussion: |
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84869-7
cci:
- CCI-000206
800-53r4:
- IA-6
disa_stig:
- AOSX-15-100005
srg:
- SRG-OS-000079-GPOS-00047
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

31
rules/inherent/os_peripherals_identify.yaml Normal file
View File

@@ -0,0 +1,31 @@
id: os_peripherals_identify
title: The macOS system must uniquely identify peripherals before establishing a connection.
discussion: |
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84885-3
cci:
- CCI-000778
800-53r4:
- IA-3
srg:
- SRG-OS-000114-GPOS-00059
disa_stig:
- AOSX-14-002069
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig:
mobileconfig_info:

26
rules/inherent/os_predictable_behavior.yaml Normal file
View File

@@ -0,0 +1,26 @@
id: os_predictable_behavior
title: "Must behave in predictable and documented manner"
discussion: |
The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84871-3
cci:
- CCI-002754
800-53r4:
- SI-10(3)
disa_stig:
- AOSX-15-100036
srg:
- SRG-OS-000432-GPOS-00191
macOS:
- "10.15"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

27
rules/inherent/os_preserve_information_on_crash.yaml Normal file
View File

@@ -0,0 +1,27 @@
id: os_preserve_information_on_crash
title: "Must preserve crash log information"
discussion: |
Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving operating system state information helps to facilitate operating system restart and return to the operational mode of the organization with least disruption to mission/business processes.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84884-6
cci:
- CCI-001665
800-53r4:
- SC-24
disa_stig:
- AOSX-15-100017
srg:
- SRG-OS-000269-GPOS-00103
macOS:
- "10.15"
tags:
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

26
rules/inherent/os_prevent_priv_execution.yaml Normal file
View File

@@ -0,0 +1,26 @@
id: os_prevent_priv_execution
title: "Prevent all software from executing at higher privilege levels than users executing the software"
discussion: |
In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations.Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84862-2
cci:
- CCI-002233
800-53r4:
- AC-6(8)
disa_stig:
- AOSX-15-100028
srg:
- SRG-OS-000326-GPOS-00126
macOS:
- "10.15"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

29
rules/inherent/os_prevent_priv_functions.yaml Normal file
View File

@@ -0,0 +1,29 @@
id: os_prevent_priv_functions
title: "Preventing non-privileged users from executing privileged functions"
discussion: |
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84856-4
cci:
- CCI-002235
800-53r4:
- AC-6(10)
disa_stig:
- AOSX-15-100027
srg:
- SRG-OS-000324-GPOS-00125
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

29
rules/inherent/os_prevent_restricted_software.yaml Normal file
View File

@@ -0,0 +1,29 @@
id: os_prevent_restricted_software
title: "Prevent program execution in accordance with policy"
discussion: |
Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level.Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84886-1
cci:
- CCI-001764
800-53r4:
- CM-7(2)
disa_stig:
- AOSX-15-100030
srg:
- SRG-OS-000368-GPOS-00154
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

29
rules/inherent/os_prevent_unauthorized_disclosure.yaml Normal file
View File

@@ -0,0 +1,29 @@
id: os_prevent_unauthorized_disclosure
title: "Prevent unauthorized disclosure of data via shared resources"
discussion: |
The information system prevents unauthorized and unintended information transfer via shared system resources.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84880-4
cci:
- CCI-001090
800-53r4:
- SC-4
disa_stig:
- AOSX-15-100014
srg:
- SRG-OS-000138-GPOS-00069
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

26
rules/inherent/os_provide_disconnect_remote_access.yaml Normal file
View File

@@ -0,0 +1,26 @@
id: os_provide_disconnect_remote_access
title: "Provide ability to disconnect or disable remote access"
discussion: |
Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking place would not be immediately stopped.Operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions functions and the need to eliminate immediate or future remote access to organizational information systems.The remote access functionality (e.g., RDP) may implement features such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84875-4
cci:
- CCI-002322
800-53r4:
- AC-17(9)
disa_stig:
- AOSX-15-100023
srg:
- SRG-OS-000298-GPOS-00116
macOS:
- "10.15"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

28
rules/inherent/os_reauth_privilege.yaml Normal file
View File

@@ -0,0 +1,28 @@
id: os_reauth_privilege
title: "Require users to reauthenticate for privilege escalation"
discussion: |
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84890-3
cci:
- CCI-002038
800-53r4:
- IA-11
disa_stig:
- AOSX-15-100031
- AOSX-15-100032
srg:
- SRG-OS-000373-GPOS-00156
- SRG-OS-000373-GPOS-00157
macOS:
- "10.15"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

26
rules/inherent/os_reauth_users_change_authenticators.yaml Normal file
View File

@@ -0,0 +1,26 @@
id: os_reauth_users_change_authenticators
title: "Require users to reauthenticate when changing authenticators"
discussion: |
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to change user authenticators, it is critical the user reauthenticate.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84872-1
cci:
- CCI-002038
800-53r4:
- IA-11
disa_stig:
- AOSX-15-100033
srg:
- SRG-OS-000373-GPOS-00158
macOS:
- "10.15"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

29
rules/inherent/os_remote_access_methods.yaml Normal file
View File

@@ -0,0 +1,29 @@
id: os_remote_access_methods
title: "Control remote access methods"
discussion: |
The information system monitors and controls remote access methods.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84868-9
cci:
- CCI-002314
800-53r4:
- AC-17(1)
disa_stig:
- AOSX-15-100022
srg:
- SRG-OS-000297-GPOS-00115
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

26
rules/inherent/os_remove_software_components_after_updates.yaml Normal file
View File

@@ -0,0 +1,26 @@
id: os_remove_software_components_after_updates
title: "Must remove all software components after updated versions installed"
discussion: |
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84865-5
cci:
- CCI-002617
800-53r4:
- SI-2(6)
disa_stig:
- AOSX-15-100039
srg:
- SRG-OS-000437-GPOS-00194
macOS:
- "10.15"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

30
rules/inherent/os_required_crypto_module.yaml Normal file
View File

@@ -0,0 +1,30 @@
id: os_required_crypto_module
title: "Must meet federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module"
discussion: |
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84877-0
cci:
- CCI-000803
800-53r4:
- IA-7
disa_stig:
- AOSX-15-100010
srg:
- SRG-OS-000120-GPOS-00061
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

29
rules/inherent/os_separate_fuctionality.yaml Normal file
View File

@@ -0,0 +1,29 @@
id: os_separate_fuctionality
title: "Must separate user and system functionality"
discussion: |
Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges.Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access.The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, different TCP/UDP ports, virtualization techniques, combinations of these methods, or other methods, as appropriate.An example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources. This may include isolating the administrative interface on a different security domain and with additional access controls.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84888-7
cci:
- CCI-001082
800-53r4:
- SC-2
disa_stig:
- AOSX-15-100012
srg:
- SRG-OS-000132-GPOS-00067
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

30
rules/inherent/os_store_encrypted_passwords.yaml Normal file
View File

@@ -0,0 +1,30 @@
id: os_store_encrypted_passwords
title: "Store passwords encrypted"
discussion: |
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84879-6
cci:
- CCI-000196
800-53r4:
- IA-5(1)(c)
disa_stig:
- AOSX-15-100004
srg:
- SRG-OS-000073-GPOS-00041
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

30
rules/inherent/os_terminate_session.yaml Normal file
View File

@@ -0,0 +1,30 @@
id: os_terminate_session
title: "Terminate all sessions and network connections when maintenance is completed"
discussion: |
Terminates session and network connections when nonlocal maintenance is completed.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84881-2
cci:
- CCI-000879
800-53r4:
- MA-4(e)
disa_stig:
- AOSX-15-100011
srg:
- SRG-OS-000126-GPOS-00066
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

30
rules/inherent/os_terminate_session_inactivity.yaml Normal file
View File

@@ -0,0 +1,30 @@
id: os_terminate_session_inactivity
title: "Automatically terminate user session after inactivity"
discussion: |
Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated.Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.This capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires additional assurance.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84870-5
cci:
- CCI-002361
800-53r4:
- AC-12
disa_stig:
- AOSX-15-100019
srg:
- SRG-OS-000279-GPOS-00109
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

30
rules/inherent/os_unique_identification.yaml Normal file
View File

@@ -0,0 +1,30 @@
id: os_unique_identification
title: "Identify and authenticate organizational users and processes"
discussion: |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84874-7
cci:
- CCI-000764
800-53r4:
- IA-2
disa_stig:
- AOSX-15-100007
srg:
- SRG-OS-000104-GPOS-00051
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

26
rules/inherent/os_verify_remote_disconnection.yaml Normal file
View File

@@ -0,0 +1,26 @@
id: os_verify_remote_disconnection
title: "Verify remote disconnection of sessions"
discussion: |
The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84858-0
cci:
- CCI-002891
800-53r4:
- MA-4(7)
disa_stig:
- AOSX-15-100034
srg:
- SRG-OS-000395-GPOS-00175
macOS:
- "10.15"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

32
rules/inherent/pwpolicy_emergency_accounts_disable.yaml Normal file
View File

@@ -0,0 +1,32 @@
id: pwpolicy_emergency_accounts_disable
title: "Automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours"
discussion: |
Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.
Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers.
To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84812-7
cci:
- CCI-001682
800-53r4:
- AC-2(2)
srg:
- SRG-OS-00123-GPOS-00064
disa_stig:
- AOSX-14-000013
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- inherent
mobileconfig: false
mobileconfig_info:

37
rules/inherent/pwpolicy_force_password_change.yaml Normal file
View File

@@ -0,0 +1,37 @@
id: pwpolicy_force_change
title: "Force password change at next logon"
discussion: |
Allows the use of a temporary password for system logons with an immediate change to a permanent password.
To for a user to change their password at next logon, run the following command:
[source,bash]
----
/usr/bin/pwpolicy -u [USER] -setpolicy "newPasswordRequired=1"
----
NOTE: Replace [USER] with the username that must change the password at next logon
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84813-5
cci:
- CCI-002041
800-53r4:
- IA-5(1)(f)
disa_stig:
- AOSX-15-200021
srg:
- SRG-OS-000380-GPOS-00165
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:

39
rules/inherent/pwpolicy_temporary_accounts_disable.yaml Normal file
View File

@@ -0,0 +1,39 @@
id: pwpolicy_temporary_accounts_disable
title: "Automatically remove or disable temporary user accounts after 72 hours"
discussion: |
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.
If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a defined time period of 72 hours.
To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set.
If there are no temporary accounts defined on the system, this is Not Applicable.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84820-0
cci:
- CCI-000016
800-53r4:
- AC-2(2)
srg:
- SRG-OS-000002-GPOS-00002
disa_stig:
- AOSX-14-000012
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig:
mobileconfig_info:

29
rules/not_applicable/os_auth_peripherals.yaml Normal file
View File

@@ -0,0 +1,29 @@
id: os_auth_peripherals
title: "Must authenicate peripherals before establishing a connection"
discussion: |
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
check: |
This requirement is NA for this technology.
fix: |
The requirement is NA. No fix is required.
references:
cce:
- CCE-84741-8
cci:
- CCI-001958
800-53r4:
- IA-3
disa_stig:
- AOSX-15-300002
srg:
- SRG-OS-000378-GPOS-00163
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
- n_a
mobileconfig: false
mobileconfig_info:

Some files were not shown because too many files have changed in this diff Show More