Merge branch 'dev_ventura' into ventura

2026-03-16 22:12:08 +00:00 · 2022-10-20 09:45:46 -04:00
parent 07fe336fc1 722e6f00a7
commit 342fb7f28b
17 changed files with 35 additions and 13 deletions
--- a/VERSION.yaml
+++ b/VERSION.yaml
@@ -1,4 +1,4 @@
 os: "13.0"
 version: "Ventura Guidance, Revision 1"
 cpe: o:apple:macos:13.0
-date: "2022-10-19"
+date: "2022-10-20"
--- a/baselines/800-171.yaml
+++ b/baselines/800-171.yaml
@@ -1,6 +1,8 @@
 title: "macOS 12: Security Configuration - NIST 800-171 Rev 2"
 description: |
  This guide describes the actions to take when securing a macOS 13 system against the 800-171 Rev 2 baseline.
+
+  Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
  |===
  |Bob Gendler|National Institute of Standards and Technology
--- a/baselines/800-53r5_high.yaml
+++ b/baselines/800-53r5_high.yaml
@@ -1,6 +1,8 @@
 title: "macOS 13 Security Configuration: NIST SP 800-53 Rev 5 High Impact Security Baseline"
 description: |
  This guide describes the actions to take when securing a macOS 13 system against the NIST SP 800-53 Rev. 5 High-Impact Security Baseline.
+
+  Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
  |===
  |Bob Gendler|National Institute of Standards and Technology
--- a/baselines/800-53r5_low.yaml
+++ b/baselines/800-53r5_low.yaml
@@ -1,6 +1,8 @@
 title: "macOS 13 Security Configuration: NIST SP 800-53 Rev 5 Low Impact Security Baseline"
 description: |
  This guide describes the actions to take when securing a macOS 13 system against the NIST SP 800-53 Rev. 5 Low-Impact Security Baseline.
+
+  Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
  |===
  |Bob Gendler|National Institute of Standards and Technology
--- a/baselines/800-53r5_moderate.yaml
+++ b/baselines/800-53r5_moderate.yaml
@@ -1,6 +1,8 @@
 title: "macOS 13 Security Configuration: NIST SP 800-53 Rev 5 Moderate Impact Security Baseline"
 description: |
  This guide describes the actions to take when securing a macOS 13 system against the NIST SP 800-53 Rev. 5 Moderate-Impact Security Baseline.
+
+  Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
  |===
  |Bob Gendler|National Institute of Standards and Technology
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -1,6 +1,8 @@
 title: "macOS 13.0: Security Configuration - All Rules"
 description: |
  This guide describes the actions to take when securing a macOS 13.0 system against the all_rules baseline.
+
+  Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
  |===
  |Bob Gendler|National Institute of Standards and Technology
--- a/baselines/cis_lvl1.yaml
+++ b/baselines/cis_lvl1.yaml
@@ -1,6 +1,6 @@
 title: "macOS 13.0: Security Configuration - CIS Benchmarks"
 description: |
-  This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Monterey v1.0.0 Benchmark (Level 1)
+  This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1)
 authors: |
  The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®)
  |===
--- a/baselines/cis_lvl2.yaml
+++ b/baselines/cis_lvl2.yaml
@@ -1,12 +1,12 @@
 title: "macOS 13.0: Security Configuration - CIS Benchmarks"
 description: |
-  This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Monterey v1.0.0 Benchmark (Level 1 and 2)
+  This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1 and 2)
 authors: |
  The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®)
  |===
  |Edward Byrd|Center for Internet Security
  |Ron Colvin|Center for Internet Security
-  |Allen Golbig|Jamf  
+  |Allen Golbig|Jamf
  |===
 parent_values: "cis_lvl2"
 profile:
--- a/baselines/cisv8.yaml
+++ b/baselines/cisv8.yaml
@@ -1,6 +1,8 @@
 title: "macOS 13.0: Security Configuration - CIS Controls Version 8"
 description: |
  This guide describes the actions to take when securing a macOS 13.0 system against the CIS Controls version 8 baseline.
+
+  Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
  CIS Critical Security Controls® (CIS Controls®) are referenced with the permission and support of the Center for Internet Security® (CIS®)
  |===
--- a/baselines/cnssi-1253.yaml
+++ b/baselines/cnssi-1253.yaml
@@ -1,6 +1,8 @@
 title: "macOS 12: Security Configuration - CNSSI-1253"
 description: |
  This guide describes the actions to take when securing a macOS 13 system against the CNSSI-1253 baseline.
+
+  Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
  |===
  |Rob Lamb|Los Alamos National Laboratory
--- a/rules/os/os_implement_cryptography.yaml
+++ b/rules/os/os_implement_cryptography.yaml
@@ -5,9 +5,9 @@ discussion: |

  Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government. 

-  macOS Big Sur has been submitted to the National Institute of Standards and Technology (NIST) and is in review for the cryptographic module for FIPS 140-3 validation.
+  Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Ventura will be submitted for FIPS validation.

-  link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List[]
+  link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[]
  
  link:https://support.apple.com/en-us/HT201159[]
 check: |
--- a/rules/os/os_required_crypto_module.yaml
+++ b/rules/os/os_required_crypto_module.yaml
@@ -5,9 +5,9 @@ discussion: |
  
  macOS contains many open source projects that may use their own cryptographic libraries typically for the purposes of maintaining platform independence. These services are not covered by the Apple FIPS Validation of the CoreCrypto and CoreCrypto Kernel modules.

-  macOS Big Sur is in process of testing from an accredited laboratory to submit the National Institute of Standards and Technology (NIST) for FIPS validation.
+  Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Ventura will be submitted for FIPS validation.

-  link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/IUT-List[]
+  link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[]
  
  link:https://support.apple.com/en-us/HT201159[]
 check: |
--- a/rules/os/os_sshd_fips_140_ciphers.yaml
+++ b/rules/os/os_sshd_fips_140_ciphers.yaml
@@ -50,6 +50,7 @@ references:
    - SC-13
    - MA-4(6)
  srg: 
+    - N/A
  disa_stig: 
    - N/A
  800-171r2:
--- a/rules/os/os_sshd_fips_140_macs.yaml
+++ b/rules/os/os_sshd_fips_140_macs.yaml
@@ -50,6 +50,7 @@ references:
    - SC-13
    - MA-4(6)
  srg: 
+    - N/A
  disa_stig: 
    - N/A
  800-171r2:
--- a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml
+++ b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml
@@ -43,7 +43,7 @@ references:
    - AC-6(1)
    - AC-6(2)
  disa_stig:
-    - APPL-12-002069
+    - N/A
  800-171r2:
    - 3.1.5
    - 3.1.6
--- a/templates/adoc_acronyms.adoc
+++ b/templates/adoc_acronyms.adoc
@@ -37,4 +37,10 @@
 |STIG|Security Technical Implementation Guide
 |UAMDM|User Approved MDM
 |UUCP|Unix-to-Unix Copy Protocol
+|====
+.Definitions
+[width="100%",cols="1,3"]
+|====
+|Baseline|Baselines are a catalog of settings that can be used to create security benchmarks.
+|Benchmark|Benchmarks are a defined list of settings with values that an organization has defined.
 |====
--- a/templates/adoc_additional_docs.adoc
+++ b/templates/adoc_additional_docs.adoc
@@ -21,6 +21,7 @@ ASSOCIATED DOCUMENTS
 |link:https://nvd.nist.gov/800-53[NIST Special Publication 800-53 Rev 5]|_NIST Special Publication 800-53 Rev 5_
 |link:https://www.nist.gov/itl/tig/projects/special-publication-800-63[NIST Special Publication 800-63]|_NIST Special Publication 800-63_
 |link:https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final[NIST Special Publication 800-171]|_NIST Special Publication 800-171 Rev 2_
+|link:https://csrc.nist.gov/publications/detail/sp/800-219/final[NIST Special Publication 800-219]|_NIST Special Publication 800-219 Rev 1_
 |===

 [%header, cols=2*a]
@@ -46,16 +47,15 @@ ASSOCIATED DOCUMENTS
 |Document Number or Descriptor
 |Document Title
 |link:https://support.apple.com/guide/security/welcome/web[Apple Platform Security Guide]|_Apple Platform Security_
-|link:https://support.apple.com/guide/deployment/welcome/web[Apple Platform Deployment]|_Apple Platform Deployment_
+|link:https://support.apple.com/guide/deployment-reference-macos/welcome/web[Deployment Reference for Mac]|_Deployment Reference_
+|link:https://support.apple.com/guide/mdm/welcome/web[Mobile Device Management Settings]|_Mobile Device Management Settings_
 |link:https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys[Profile-Specific Payload Keys]|_Profile-Specific Payload Keys_
-|link:https://github.com/apple/device-management/tree/release[Apple Device Management GitHub]
 |link:https://support.apple.com/guide/sccc/welcome/web[Security Certifications and Compliance Center]|_Security Certifications and Compliance Center_
 |===
-
 [%header, cols=2*a]
 .Center for Internet Security
 |===
 |Document Number or Descriptor
 |Document Title
-|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 12.0]|_CIS Apple macOS 12.0 Benchmark version 1.0_
+|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 12.0]|_CIS Apple macOS 12.0 Benchmark version 2.1.0_
 |===