From e3853a8202b42d89852ee1536f590965aec153bb Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 19 Oct 2022 21:08:03 -0400 Subject: [PATCH 1/7] removed STIG reference --- .../system_settings_system_wide_preferences_configure.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml index 036b0f16..8b1b608e 100644 --- a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml +++ b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml @@ -43,7 +43,7 @@ references: - AC-6(1) - AC-6(2) disa_stig: - - APPL-12-002069 + - N/A 800-171r2: - 3.1.5 - 3.1.6 From 64e0c2ca8ad78b6aefe43a7c2c945e6b06b43d78 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 19 Oct 2022 21:08:13 -0400 Subject: [PATCH 2/7] changed monterey to ventura --- baselines/cis_lvl1.yaml | 2 +- baselines/cis_lvl2.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml index ef5bd5a3..21bc0f24 100644 --- a/baselines/cis_lvl1.yaml +++ b/baselines/cis_lvl1.yaml @@ -1,6 +1,6 @@ title: "macOS 13.0: Security Configuration - CIS Benchmarks" description: | - This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Monterey v1.0.0 Benchmark (Level 1) + This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1) authors: | The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®) |=== diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml index 56b62cbb..c7c0babb 100644 --- a/baselines/cis_lvl2.yaml +++ b/baselines/cis_lvl2.yaml 
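Review bot: Replacing the STIG ID with the literal string `N/A` under `disa_stig:` drops the only pointer to the DISA control this rule satisfied, and nothing in the hunk records why; the removed value `APPL-12-002069` looks like a macOS 12-series identifier, so presumably it was dropped because no macOS 13 STIG exists yet, but that is inference. Since `N/A` is a sentinel the generator has to special-case (the same token is used under `disa_stig:` in os_sshd_fips_140_ciphers.yaml in this series), a YAML comment above `- N/A` would keep the mapping recoverable: `# DISA has not published a macOS 13 STIG; restore the STIG ID once it is released`. The rule still maps to AC-6(1)/AC-6(2), so auditors relying on the STIG crosswalk should be told the gap is temporary rather than a withdrawal of the control.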
@@ -1,12 +1,12 @@ title: "macOS 13.0: Security Configuration - CIS Benchmarks" description: | - This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Monterey v1.0.0 Benchmark (Level 1 and 2) + This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1 and 2) authors: | The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®) |=== |Edward Byrd|Center for Internet Security |Ron Colvin|Center for Internet Security - |Allen Golbig|Jamf + |Allen Golbig|Jamf |=== parent_values: "cis_lvl2" profile: From 94b4864f77271a7f23c0ee6d30285bb47d269a9e Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 19 Oct 2022 21:44:39 -0400 Subject: [PATCH 3/7] refactor[VERSION.yaml] Updated date --- VERSION.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION.yaml b/VERSION.yaml index a2f8aafe..6cc3a19c 100644 --- a/VERSION.yaml +++ b/VERSION.yaml @@ -1,4 +1,4 @@ os: "13.0" version: "Ventura Guidance, Revision 1" cpe: o:apple:macos:13.0 -date: "2022-10-19" +date: "2022-10-20" From fdc6b4b0aa50bb19756a9b4b45a8e4568fccc526 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 19 Oct 2022 21:44:57 -0400 Subject: [PATCH 4/7] refactor[baselines]: Added more description Added description defining as a catalog of rules, not a benchmark. --- baselines/800-171.yaml | 2 ++ baselines/800-53r5_high.yaml | 2 ++ baselines/800-53r5_low.yaml | 2 ++ baselines/800-53r5_moderate.yaml | 2 ++ baselines/all_rules.yaml | 2 ++ baselines/cisv8.yaml | 2 ++ baselines/cnssi-1253.yaml | 2 ++ 7 files changed, 14 insertions(+) diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml index 13aea802..580b0698 100644 --- a/baselines/800-171.yaml +++ b/baselines/800-171.yaml 
@@ -1,6 +1,8 @@ title: "macOS 12: Security Configuration - NIST 800-171 Rev 2" description: | This guide describes the actions to take when securing a macOS 13 system against the 800-171 Rev 2 baseline. + + Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | |=== |Bob Gendler|National Institute of Standards and Technology diff --git a/baselines/800-53r5_high.yaml b/baselines/800-53r5_high.yaml index 1559e2c5..3cddb183 100644 --- a/baselines/800-53r5_high.yaml +++ b/baselines/800-53r5_high.yaml @@ -1,6 +1,8 @@ title: "macOS 13 Security Configuration: NIST SP 800-53 Rev 5 High Impact Security Baseline" description: | This guide describes the actions to take when securing a macOS 13 system against the NIST SP 800-53 Rev. 5 High-Impact Security Baseline. + + Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | |=== |Bob Gendler|National Institute of Standards and Technology diff --git a/baselines/800-53r5_low.yaml b/baselines/800-53r5_low.yaml index 2c2a8980..7919eed6 100644 --- a/baselines/800-53r5_low.yaml +++ b/baselines/800-53r5_low.yaml 
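Review bot: The `title:` line kept as context on the new side still reads `macOS 12: Security Configuration - NIST 800-171 Rev 2`, while the description beneath it says the guide secures a macOS 13 system and VERSION.yaml in this series is `os: "13.0"`; the stale title is what gets rendered on the generated document. Change it to `title: "macOS 13: Security Configuration - NIST 800-171 Rev 2"` in this same commit. The added paragraph also reads as slightly self-contradictory after the first sentence ("actions to take when securing ... against the baseline" followed by "not a checklist"); consider `This guide lists the rules mapped to the 800-171 Rev 2 baseline for a macOS 13 system.` as the opening sentence so the two agree. cnssi-1253.yaml in this same patch carries the same stale `macOS 12` title.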
@@ -1,6 +1,8 @@ title: "macOS 13 Security Configuration: NIST SP 800-53 Rev 5 Low Impact Security Baseline" description: | This guide describes the actions to take when securing a macOS 13 system against the NIST SP 800-53 Rev. 5 Low-Impact Security Baseline. + + Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | |=== |Bob Gendler|National Institute of Standards and Technology diff --git a/baselines/800-53r5_moderate.yaml b/baselines/800-53r5_moderate.yaml index 679724a4..6c416a3d 100644 --- a/baselines/800-53r5_moderate.yaml +++ b/baselines/800-53r5_moderate.yaml @@ -1,6 +1,8 @@ title: "macOS 13 Security Configuration: NIST SP 800-53 Rev 5 Moderate Impact Security Baseline" description: | This guide describes the actions to take when securing a macOS 13 system against the NIST SP 800-53 Rev. 5 Moderate-Impact Security Baseline. + + Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | |=== |Bob Gendler|National Institute of Standards and Technology diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index 142b3539..5cd90a14 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml 
@@ -1,6 +1,8 @@ title: "macOS 13.0: Security Configuration - All Rules" description: | This guide describes the actions to take when securing a macOS 13.0 system against the all_rules baseline. + + Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | |=== |Bob Gendler|National Institute of Standards and Technology diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml index 9f08e244..1c882791 100644 --- a/baselines/cisv8.yaml +++ b/baselines/cisv8.yaml @@ -1,6 +1,8 @@ title: "macOS 13.0: Security Configuration - CIS Controls Version 8" description: | This guide describes the actions to take when securing a macOS 13.0 system against the CIS Controls version 8 baseline. + + Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | CIS Critical Security Controls® (CIS Controls®) are referenced with the permission and support of the Center for Internet Security® (CIS®) |=== diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml index 97c9372c..a9491936 100644 --- a/baselines/cnssi-1253.yaml +++ b/baselines/cnssi-1253.yaml 
@@ -1,6 +1,8 @@ title: "macOS 12: Security Configuration - CNSSI-1253" description: | This guide describes the actions to take when securing a macOS 13 system against the CNSSI-1253 baseline. + + Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | |=== |Rob Lamb|Los Alamos National Laboratory From 1a4aa58597b55c25ffea17da6392a5e871ebd639 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 19 Oct 2022 21:46:25 -0400 Subject: [PATCH 5/7] refactor[rules] Updated FIPS information Updated information on FIPS for macOS Ventura. --- rules/os/os_implement_cryptography.yaml | 4 ++-- rules/os/os_required_crypto_module.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml index 5053bd5b..0dda0cd5 100644 --- a/rules/os/os_implement_cryptography.yaml +++ b/rules/os/os_implement_cryptography.yaml 
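Review bot: The `title:` line kept as context here still says `macOS 12: Security Configuration - CNSSI-1253` even though the new description and VERSION.yaml (`os: "13.0"`) in this series are for macOS 13; because the title is rendered on the generated guide, an assessor would see a Monterey heading over Ventura content. Change it to `title: "macOS 13: Security Configuration - CNSSI-1253"` in this commit rather than leaving it for a later pass.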
@@ -5,9 +5,9 @@ discussion: | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government. - macOS Big Sur has been submitted to the National Institute of Standards and Technology (NIST) and is in review for the cryptographic module for FIPS 140-3 validation. + Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Ventura will be submitted for FIPS validation. - link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List[] + link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[] link:https://support.apple.com/en-us/HT201159[] check: | diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml index 8cbee98d..2f2541e4 100644 --- a/rules/os/os_required_crypto_module.yaml +++ b/rules/os/os_required_crypto_module.yaml 
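Review bot: The new discussion text says `macOS Ventura will be submitted for FIPS validation` but now links only to the CMVP validated-modules list, where a module that has merely been submitted will not appear, and it drops the Modules-In-Process link that let an assessor check where the Ventura CoreCrypto submission actually stands. For a rule whose purpose is to require validated cryptography, the discussion should state the status plainly instead of expressing confidence in the vendor: `As of this revision the macOS 13 cryptographic modules have not completed FIPS 140-3 validation; consult the CMVP Modules In Process and Validated Modules lists for the current status and certificate number before relying on this rule.` Keep both CMVP links, and drop `historically has always submitted and validated`, which this guide cannot verify and which will not be re-checked when the text goes stale.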
@@ -5,9 +5,9 @@ discussion: | macOS contains many open source projects that may use their own cryptographic libraries typically for the purposes of maintaining platform independence. These services are not covered by the Apple FIPS Validation of the CoreCrypto and CoreCrypto Kernel modules. - macOS Big Sur is in process of testing from an accredited laboratory to submit the National Institute of Standards and Technology (NIST) for FIPS validation. + Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Ventura will be submitted for FIPS validation. - link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/IUT-List[] + link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[] link:https://support.apple.com/en-us/HT201159[] check: | From 3515ca5f56b71d0a229ec7e2d7cb526886245313 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 19 Oct 2022 21:47:16 -0400 Subject: [PATCH 6/7] refactor[rules] Removed STIG references Removed and fixed STIG and SRG references. --- rules/os/os_sshd_fips_140_ciphers.yaml | 1 + rules/os/os_sshd_fips_140_macs.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml index c37f8c23..87ba0e8c 100644 --- a/rules/os/os_sshd_fips_140_ciphers.yaml +++ b/rules/os/os_sshd_fips_140_ciphers.yaml @@ -50,6 +50,7 @@ references: - SC-13 - MA-4(6) srg: + - N/A disa_stig: - N/A 800-171r2: diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml index 80000edf..25da364f 100644 --- a/rules/os/os_sshd_fips_140_macs.yaml +++ b/rules/os/os_sshd_fips_140_macs.yaml @@ -50,6 +50,7 @@ references: - SC-13 - MA-4(6) srg: + - N/A disa_stig: - N/A 800-171r2: From 722e6f00a795894ca3175cbb1d709d00e629e924 Mon Sep 17 00:00:00 2001 
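Review bot: This rule's discussion, on the context lines just above the change, already explains that bundled open-source components are not covered by the CoreCrypto validation, and the new sentence that Ventura `will be submitted` leaves the reader with no statement of what is validated today; swapping the IUT-list link for the validated-modules search also removes the page that actually shows a submission in progress. Suggest keeping the IUT/Modules-In-Process link alongside the validated-modules one and adding a date-bound status line such as `At the time of this revision the macOS 13 CoreCrypto modules are not yet listed as validated; verify the certificate for your exact OS build and hardware on the CMVP lists.` Validation is granted per module version and tested platform, so the rule's `check:` block (which continues past the hunk) cannot stand in for that lookup.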
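Review bot: Adding `- N/A` turns `srg:`, which on the old side was a bare key and so parsed as null, into a one-element list holding a sentinel string, matching the `disa_stig:` entry just below it; that is a sensible normalization, but the commit title `Removed STIG references` describes the opposite of what this hunk does, and someone reading history for when the SRG mapping was removed will be misled. Rename the commit to something like `normalize empty srg reference to N/A` so the intent is clear. The identical edit is made in os_sshd_fips_140_macs.yaml, so whichever way the generator treats `N/A` (filtered or printed) it will at least be consistent across both FIPS 140 SSH rules.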
From: Bob Gendler Date: Wed, 19 Oct 2022 21:47:49 -0400 Subject: [PATCH 7/7] refactor[templates] updated information Added additional doc 800-219 Added definition baseline vs benchmark --- templates/adoc_acronyms.adoc | 6 ++++++ templates/adoc_additional_docs.adoc | 8 ++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/templates/adoc_acronyms.adoc b/templates/adoc_acronyms.adoc index c425e436..84e5e62c 100644 --- a/templates/adoc_acronyms.adoc +++ b/templates/adoc_acronyms.adoc @@ -37,4 +37,10 @@ |STIG|Security Technical Implementation Guide |UAMDM|User Approved MDM |UUCP|Unix-to-Unix Copy Protocol +|==== +.Definitions +[width="100%",cols="1,3"] +|==== +|Baseline|Baselines are a catalog of settings that can be used to create security benchmarks. +|Benchmark|Benchmarks are a defined list of settings with values that an organization has defined. |==== \ No newline at end of file diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc index 629c405b..c38a64e4 100644 --- a/templates/adoc_additional_docs.adoc +++ b/templates/adoc_additional_docs.adoc @@ -21,6 +21,7 @@ ASSOCIATED DOCUMENTS |link:https://nvd.nist.gov/800-53[NIST Special Publication 800-53 Rev 5]|_NIST Special Publication 800-53 Rev 5_ |link:https://www.nist.gov/itl/tig/projects/special-publication-800-63[NIST Special Publication 800-63]|_NIST Special Publication 800-63_ |link:https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final[NIST Special Publication 800-171]|_NIST Special Publication 800-171 Rev 2_ +|link:https://csrc.nist.gov/publications/detail/sp/800-219/final[NIST Special Publication 800-219]|_NIST Special Publication 800-219 Rev 1_ |=== [%header, cols=2*a] 
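Review bot: The new `Benchmark` definition is circular — `a defined list of settings with values that an organization has defined` uses "defined" twice and never states what distinguishes a benchmark from a baseline beyond who wrote it. Suggest `|Baseline|A catalog of rules mapped to a control framework; satisfying every rule is not expected.` and `|Benchmark|An organization's selected subset of baseline rules, with the values it has chosen to enforce and verify.` Both rows then agree with the wording added to the baseline descriptions in this series, which call the baselines a catalog rather than a checklist.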
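Review bot: The added row links to `sp/800-219/final` while titling it `NIST Special Publication 800-219 Rev 1`; the neighbouring 800-171 row uses the `sp/800-171/rev-2/final` path form for a revision, so either the link or the title is wrong. Pick one and make them agree, e.g. `|link:https://csrc.nist.gov/publications/detail/sp/800-219/final[NIST Special Publication 800-219]|_NIST Special Publication 800-219_`, or point the link at the rev-1 path if that is the intended document. Readers following this reference to confirm which guidance a baseline implements will land on the wrong revision otherwise.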
@@ -46,16 +47,15 @@ ASSOCIATED DOCUMENTS
 |Document Number or Descriptor
 |Document Title
 |link:https://support.apple.com/guide/security/welcome/web[Apple Platform Security Guide]|_Apple Platform Security_
-|link:https://support.apple.com/guide/deployment/welcome/web[Apple Platform Deployment]|_Apple Platform Deployment_
+|link:https://support.apple.com/guide/deployment-reference-macos/welcome/web[Deployment Reference for Mac]|_Deployment Reference_
+|link:https://support.apple.com/guide/mdm/welcome/web[Mobile Device Management Settings]|_Mobile Device Management Settings_
 |link:https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys[Profile-Specific Payload Keys]|_Profile-Specific Payload Keys_
-|link:https://github.com/apple/device-management/tree/release[Apple Device Management GitHub]
 |link:https://support.apple.com/guide/sccc/welcome/web[Security Certifications and Compliance Center]|_Security Certifications and Compliance Center_
 |===
-
 [%header, cols=2*a]
 .Center for Internet Security
 |===
 |Document Number or Descriptor
 |Document Title
-|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 12.0]|_CIS Apple macOS 12.0 Benchmark version 1.0_
+|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 12.0]|_CIS Apple macOS 12.0 Benchmark version 2.1.0_
 |===
\ No newline at end of file
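Review bot: The Center for Internet Security row on the new side still cites `CIS Apple macOS 12.0 Benchmark version 2.1.0`, while cis_lvl1.yaml and cis_lvl2.yaml in this same series now describe the `CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark`; a generated CIS guide would therefore reference a different benchmark version than the one its rules claim to implement. Change the row to `|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 13.0]|_CIS Apple macOS 13.0 Benchmark version 1.0.0_`, or if the Ventura benchmark was not yet published when this was written, say so in the baseline descriptions instead of citing a version number there. The `[Apple macOS 12.0]` link text carries the same stale version and should change with it.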