Merge branch 'dev_ventura_cis' into ventura

baselines/all_rules.yaml

@@ -103,8 +103,9 @@ profile:
       - os_gatekeeper_rearm
       - os_guest_folder_removed
       - os_handoff_disable
+      - os_hibernate_mode_apple_silicon_enable
       - os_hibernate_mode_destroyfvkeyonstandby_enable
-      - os_hibernate_mode_enable
+      - os_hibernate_mode_intel_enable
       - os_home_folders_default
       - os_home_folders_secure
       - os_httpd_disable

baselines/cis_lvl1.yaml

@@ -1,6 +1,6 @@
-title: "macOS 13.0: Security Configuration - CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1)"
+title: "macOS 13.0: Security Configuration - CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 1)"
 description: |
-  This guide describes the actions to take when securing a macOS 13.0 system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1) security baseline.
+  This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 1)
 authors: |
   *macOS Security Compliance Project*
 

baselines/cis_lvl2.yaml

@@ -1,6 +1,6 @@
-title: "macOS 13.0: Security Configuration - CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2)"
+title: "macOS 13.0: Security Configuration - CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 2)"
 description: |
-  This guide describes the actions to take when securing a macOS 13.0 system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2) security baseline.
+  This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 1 and 2)
 authors: |
   *macOS Security Compliance Project*
 
@@ -48,8 +48,9 @@ profile:
       - os_firewall_log_enable
       - os_gatekeeper_enable
       - os_guest_folder_removed
+      - os_hibernate_mode_apple_silicon_enable
       - os_hibernate_mode_destroyfvkeyonstandby_enable
-      - os_hibernate_mode_enable
+      - os_hibernate_mode_intel_enable
       - os_home_folders_secure
       - os_httpd_disable
       - os_install_log_retention_configure

includes/mscp-data.yaml

@@ -82,8 +82,8 @@ titles:
   800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact
   800-53r5_low: NIST SP 800-53 Rev 5 Low Impact
   800-171: NIST 800-171 Rev 2
-  cis_lvl1: CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1)
-  cis_lvl2: CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2)
+  cis_lvl1: CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 1)
+  cis_lvl2: CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 2)
   cmmc_lvl1: US CMMC 2.0 Level 1
   cmmc_lvl2: US CMMC 2.0 Level 2
   cisv8: CIS Controls Version 8

rules/os/os_hibernate_mode_apple_silicon_enable.yaml

@@ -0,0 +1,66 @@
+id: os_hibernate_mode_apple_silicon_enable
+title: "Enable Hibernate Mode (Apple Silicon)"
+discussion: |
+  Hibernate mode _MUST_ be enabled. 
+
+  This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack.
+
+  Apple Silicon MacBooks should set sleep timeout to 10 minutes (600 seconds) or less and the display sleep timeout should be 15 minutes (900 seconds) or less but greater than the sleep setting. 
+  This setting ensures that MacBooks will not hibernate and require FileVault authentication wheneve the display goes to sleep for a short period of time.
+
+  NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops.
+check: |
+  error_count=0
+  if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
+    hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}')
+    sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}')
+    displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}')
+    
+    if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 10 ]]; then
+      ((error_count++))
+    fi
+    if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 15 ]] || [[ "$displaysleepMode" -lt "$sleepMode" ]]; then
+      ((error_count++))
+    fi
+    if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then
+      ((error_count++))
+    fi
+  fi
+  echo "$error_count"
+result:
+  integer: 0
+fix: |
+  [source,bash]
+  ----
+  /usr/bin/pmset -a sleep 10
+  /usr/bin/pmset -a displaysleep 15
+  /usr/bin/pmset -a hibernatemode 25
+  ----
+references:
+  cce:
+    - N/A
+  cci:
+    - N/A
+  800-53r5:
+    - N/A
+  800-53r4:
+    - N/A
+  srg:
+    - N/A
+  disa_stig:
+    - N/A
+  800-171r2:
+    - N/A
+  cis:
+    benchmark:
+      - 2.9.1.2 (level 2)
+    controls v8:
+      - 4.1
+macOS:
+  - "13.0"
+tags:
+  - cis_lvl2
+  - cisv8
+  - arm64
+mobileconfig: false
+mobileconfig_info:

rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml

@@ -28,7 +28,7 @@ references:
     - N/A
   cis:
     benchmark:
-      - 2.9.3 (level 2)
+      - 2.9.1.3 (level 2)
     controls v8: 
       - 4.1
 macOS:

rules/os/os_hibernate_mode_enable.yaml

@@ -1,75 +0,0 @@
-id: os_hibernate_mode_enable
-title: "Enable Hibernate Mode"
-discussion: |
-  Hibernate mode _MUST_ be enabled. 
-
-  NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops.
-check: |
-  error_count=0
-  if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
-    hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}')
-    if [[ "$(/usr/sbin/sysctl -n machdep.cpu.brand_string)" =~ "Intel" ]]; then
-        hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}')
-        hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}')
-        hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}')
-        
-        if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 600 ]]; then
-            ((error_count++))
-        fi
-        if [[ "$hibernateStandbyHighValue" == "" ]] || [[ "$hibernateStandbyHighValue" -gt 600 ]]; then
-            ((error_count++))
-        fi
-        if [[ "$hibernateStandbyThreshValue" == "" ]] || [[ "$hibernateStandbyThreshValue" -lt 90 ]]; then
-            ((error_count++))
-        fi
-    else
-        if [[ "$(/usr/bin/pmset -g | /usr/bin/grep standbydelay 2>&1 | /usr/bin/awk '{print $2}')" -gt 900 ]]; then
-            ((error_count++))
-        fi
-    fi
-    if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then
-      ((error_count++))
-    fi
-  fi
-  echo "$error_count"
-result:
-  integer: 0
-fix: |
-  [source,bash]
-  ----
-  /usr/bin/pmset -a hibernatemode 25
-  if [[ "$(/usr/sbin/sysctl -n machdep.cpu.brand_string)" =~ "Intel" ]]; then
-    /usr/bin/pmset -a standbydelayhigh 600
-    /usr/bin/pmset -a standbydelaylow 600
-    /usr/bin/pmset -a highstandbythreshold 90
-  else
-    /usr/bin/pmset -a standbydelay 900
-  fi
-  ----
-references:
-  cce:
-    - CCE-91799-7
-  cci:
-    - N/A
-  800-53r5:
-    - N/A
-  800-53r4:
-    - N/A
-  srg:
-    - N/A
-  disa_stig:
-    - N/A
-  800-171r2:
-    - N/A
-  cis:
-    benchmark:
-      - 2.9.3 (level 2)
-    controls v8:
-      - 4.1
-macOS:
-  - "13.0"
-tags:
-  - cis_lvl2
-  - cisv8
-mobileconfig: false
-mobileconfig_info:

rules/os/os_hibernate_mode_intel_enable.yaml

@@ -0,0 +1,67 @@
+id: os_hibernate_mode_intel_enable
+title: "Enable Hibernate Mode (Intel)"
+discussion: |
+  Hibernate mode _MUST_ be enabled. 
+
+  This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack.
+
+check: |
+  error_count=0
+  if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
+    hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}')
+    hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}')
+    hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}')
+    hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}')
+    
+    if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 900 ]]; then
+      ((error_count++))
+    fi
+    if [[ "$hibernateStandbyHighValue" == "" ]] || [[ "$hibernateStandbyHighValue" -gt 900 ]]; then
+      ((error_count++))
+    fi
+    if [[ "$hibernateStandbyThreshValue" == "" ]] || [[ "$hibernateStandbyThreshValue" -lt 90 ]]; then
+      ((error_count++))
+    fi
+    if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then
+      ((error_count++))
+    fi
+  fi
+  echo "$error_count"
+result:
+  integer: 0
+fix: |
+  [source,bash]
+  ----
+  /usr/bin/pmset -a standbydelaylow 900
+  /usr/bin/pmset -a standbydelayhigh 900
+  /usr/bin/pmset -a highstandbythreshold 90
+  /usr/bin/pmset -a hibernatemode 25
+  ----
+references:
+  cce:
+    - CCE-91799-7
+  cci:
+    - N/A
+  800-53r5:
+    - N/A
+  800-53r4:
+    - N/A
+  srg:
+    - N/A
+  disa_stig:
+    - N/A
+  800-171r2:
+    - N/A
+  cis:
+    benchmark:
+      - 2.9.1.1 (level 2)
+    controls v8:
+      - 4.1
+macOS:
+  - "13.0"
+tags:
+  - cis_lvl2
+  - cisv8
+  - i386
+mobileconfig: false
+mobileconfig_info:

rules/os/os_power_nap_disable.yaml

@@ -41,7 +41,7 @@ references:
     - N/A
   cis:
     benchmark:
-      - 2.9.1 (level 1)
+      - 2.9.2 (level 1)
     controls v8:
       - 4.1
       - 4.8

rules/os/os_world_writable_system_folder_configure.yaml

@@ -3,14 +3,14 @@ title: "Ensure No World Writable Files Exist in the System Folder"
 discussion: |
   Folders in /System/Volumes/Data/System _MUST_ not be world-writable.
 check: |
-  /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -v "Drop Box" | /usr/bin/wc -l | /usr/bin/xargs
+  /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -v "downloadDir" | /usr/bin/wc -l | /usr/bin/xargs
 result:
   integer: 0
 fix: |
   [source,bash]
   ----
   IFS=$'\n'
-  for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "Drop Box" ); do
+  for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "downloadDir" ); do
     /bin/chmod -R o-w "$sysPermissions"
   done
   ----

rules/supplemental/supplemental_cis_manual.yaml

@@ -11,15 +11,18 @@ discussion: |
   |Recommendations
   |2.1.1.1 Audit iCloud Keychain +
   2.1.1.2 Audit iCloud Drive + 
+  2.1.1.4 Audit Security Keys Used With AppleIDs +
   2.1.2 Audit App Store Password Settings +
   2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information +
   2.5.1 Audit Siri Settings +
   2.6.1.3 Audit Location Services Access +
   2.6.6 Audit Lockdown Mode +
   2.8.1 Audit Universal Control Settings +
-  2.11.2 Audit Touch ID and Wallet & Apple Pay Settings +  
+  2.11.2 Audit Touch ID +  
   2.13.1 Audit Passwords System Preference Setting +
-  2.14.1 Audit Notification & Focus Settings +  
+  2.14.1 Audit Game Center Settings +
+  2.15.1 Audit Notification & Focus Settings +  
+  2.16.1 Audit Wallet & Apple Pay Settings +
   |===
 
   [cols="15%h, 85%a"]
@@ -43,7 +46,6 @@ discussion: |
   5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured +
   5.3.1 Ensure All User Storage APFS Volumes are Encrypted +
   5.3.2 Ensure All User Storage CoreStorage Volumes are Encrypted +
-  5.5 Ensure Login Keychain is Locked when the Computer Sleeps +
   |===
 
   [cols="15%h, 85%a"]
@@ -54,7 +56,6 @@ discussion: |
   |6.2.1 Ensure Protect Mail Activity in Mail Is Enabled +
   6.3.2 Audit History and Remove History Items +
   6.3.5 Audit Hide IP Address in Safari Setting +
-  6.3.7 Audit History and Remove History Items +
   |===
 check: |
 fix: |

rules/system_settings/system_settings_location_services_menu_enforce.yaml

@@ -1,5 +1,5 @@
 id: system_settings_location_services_menu_enforce
-title: "Enable Location Services"
+title: "Ensure Location Services Is in the Menu Bar"
 discussion: |
   Location Services menu item _MUST_ be enabled.
 check: |

rules/system_settings/system_settings_wake_network_access_disable.yaml

@@ -28,7 +28,7 @@ references:
     - N/A
   cis:
     benchmark:
-      - 2.9.2 (level 1)
+      - 2.9.3 (level 1)
     controls v8:
       - 4.8
 macOS:

templates/adoc_additional_docs.adoc

@@ -21,7 +21,7 @@ ASSOCIATED DOCUMENTS
 |link:https://nvd.nist.gov/800-53[NIST Special Publication 800-53 Rev 5]|_NIST Special Publication 800-53 Rev 5_
 |link:https://www.nist.gov/itl/tig/projects/special-publication-800-63[NIST Special Publication 800-63]|_NIST Special Publication 800-63_
 |link:https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final[NIST Special Publication 800-171]|_NIST Special Publication 800-171 Rev 2_
-|link:https://csrc.nist.gov/publications/detail/sp/800-219/final[NIST Special Publication 800-219]|_NIST Special Publication 800-219 Rev 1_
+|link:https://csrc.nist.gov/pubs/sp/800/219/r1/final[NIST Special Publication 800-219]|\_NIST Special Publication 800-219 Rev 1\_
 |===
 
 [%header, cols=2*a]
@@ -29,7 +29,7 @@ ASSOCIATED DOCUMENTS
 |===
 |Document Number or Descriptor
 |Document Title
-|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_13_V1R1_STIG.zip[STIG Ver 1, Rel 1]|_Apple macOS 13 (Ventura) STIG_
+|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_13_V1R2_STIG.zip[STIG Ver 1, Rel 2]|_Apple macOS 13 (Ventura) STIG_
 |===
 
 [%header, cols=2*a]
@@ -56,5 +56,5 @@ ASSOCIATED DOCUMENTS
 |===
 |Document Number or Descriptor
 |Document Title
-|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 13.0]|_CIS Apple macOS 13.0 Benchmark version 1.0.0_
+|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 13.0]|_CIS Apple macOS 13.0 Benchmark version 1.1.0_
 |===