diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
index 2333e8f4..6b3d8214 100644
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -103,8 +103,9 @@ profile:
 - os_gatekeeper_rearm
 - os_guest_folder_removed
 - os_handoff_disable
+ - os_hibernate_mode_apple_silicon_enable
 - os_hibernate_mode_destroyfvkeyonstandby_enable
- - os_hibernate_mode_enable
+ - os_hibernate_mode_intel_enable
 - os_home_folders_default
 - os_home_folders_secure
 - os_httpd_disable
diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml
index b677cf73..ebbfb7c4 100644
--- a/baselines/cis_lvl1.yaml
+++ b/baselines/cis_lvl1.yaml
@@ -1,6 +1,6 @@
-title: "macOS 13.0: Security Configuration - CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1)"
+title: "macOS 13.0: Security Configuration - CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 1)"
 description: |
- This guide describes the actions to take when securing a macOS 13.0 system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1) security baseline.
+ This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 1)
 authors: |
 *macOS Security Compliance Project*
diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml
index 8ce92cd2..9f65c86d 100644
--- a/baselines/cis_lvl2.yaml
+++ b/baselines/cis_lvl2.yaml
@@ -1,6 +1,6 @@
-title: "macOS 13.0: Security Configuration - CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2)"
+title: "macOS 13.0: Security Configuration - CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 2)"
 description: |
- This guide describes the actions to take when securing a macOS 13.0 system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2) security baseline.
+ This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 1 and 2)
 authors: |
 *macOS Security Compliance Project*
@@ -48,8 +48,9 @@ profile:
 - os_firewall_log_enable
 - os_gatekeeper_enable
 - os_guest_folder_removed
+ - os_hibernate_mode_apple_silicon_enable
 - os_hibernate_mode_destroyfvkeyonstandby_enable
- - os_hibernate_mode_enable
+ - os_hibernate_mode_intel_enable
 - os_home_folders_secure
 - os_httpd_disable
 - os_install_log_retention_configure
diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml
index 70772490..c0a2c3ec 100644
--- a/includes/mscp-data.yaml
+++ b/includes/mscp-data.yaml
@@ -82,8 +82,8 @@ titles:
 800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact
 800-53r5_low: NIST SP 800-53 Rev 5 Low Impact
 800-171: NIST 800-171 Rev 2
- cis_lvl1: CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1)
- cis_lvl2: CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2)
+ cis_lvl1: CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 1)
+ cis_lvl2: CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 2)
 cmmc_lvl1: US CMMC 2.0 Level 1
 cmmc_lvl2: US CMMC 2.0 Level 2
 cisv8: CIS Controls Version 8
diff --git a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml
new file mode 100644
index 00000000..cd083e2a
--- /dev/null
+++ b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml
@@ -0,0 +1,66 @@
+id: os_hibernate_mode_apple_silicon_enable
+title: "Enable Hibernate Mode (Apple Silicon)"
+discussion: |
+ Hibernate mode _MUST_ be enabled.
+
+ This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack.
+
+ Apple Silicon MacBooks should set sleep timeout to 10 minutes (600 seconds) or less and the display sleep timeout should be 15 minutes (900 seconds) or less but greater than the sleep setting.
+ This setting ensures that MacBooks will not hibernate and require FileVault authentication wheneve the display goes to sleep for a short period of time.
+
+ NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops.
+check: |
+ error_count=0
+ if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
+ hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}')
+ sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}')
+ displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}')
+
+ if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 10 ]]; then
+ ((error_count++))
+ fi
+ if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 15 ]] || [[ "$displaysleepMode" -lt "$sleepMode" ]]; then
+ ((error_count++))
+ fi
+ if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then
+ ((error_count++))
+ fi
+ fi
+ echo "$error_count"
+result:
+ integer: 0
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/pmset -a sleep 10
+ /usr/bin/pmset -a displaysleep 15
+ /usr/bin/pmset -a hibernatemode 25
+ ----
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - 2.9.1.2 (level 2)
+ controls v8:
+ - 4.1
+macOS:
+ - "13.0"
+tags:
+ - cis_lvl2
+ - cisv8
+ - arm64
+mobileconfig: false
+mobileconfig_info:
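Review bot: The discussion requires the display sleep timeout to be greater than the sleep timeout, but the check only flags `[[ "$displaysleepMode" -lt "$sleepMode" ]]`, so equal values pass; either tighten the comparison to `-le` or reword the discussion to "greater than or equal to". The same paragraph has a typo, `wheneve` → `whenever`. Both this check and the one in os_hibernate_mode_intel_enable.yaml read hibernatemode from the battery profile only (`pmset -b -g`) while the fix writes every profile with `pmset -a`, so a MacBook whose charger profile still carries a different hibernatemode passes the check; reading the charger profile (`-c`) as well would close that gap, if the project intends the setting to hold on AC power too.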
diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
index dfc19e8e..2b776e27 100644
--- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
+++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
@@ -28,7 +28,7 @@ references:
 - N/A
 cis:
 benchmark:
- - 2.9.3 (level 2)
+ - 2.9.1.3 (level 2)
 controls v8:
 - 4.1
 macOS:
diff --git a/rules/os/os_hibernate_mode_enable.yaml b/rules/os/os_hibernate_mode_enable.yaml
deleted file mode 100644
index dfef4553..00000000
--- a/rules/os/os_hibernate_mode_enable.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-id: os_hibernate_mode_enable
-title: "Enable Hibernate Mode"
-discussion: |
- Hibernate mode _MUST_ be enabled.
-
- NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops.
-check: |
- error_count=0
- if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
- hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}')
- if [[ "$(/usr/sbin/sysctl -n machdep.cpu.brand_string)" =~ "Intel" ]]; then
- hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}')
- hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}')
- hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}')
-
- if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 600 ]]; then
- ((error_count++))
- fi
- if [[ "$hibernateStandbyHighValue" == "" ]] || [[ "$hibernateStandbyHighValue" -gt 600 ]]; then
- ((error_count++))
- fi
- if [[ "$hibernateStandbyThreshValue" == "" ]] || [[ "$hibernateStandbyThreshValue" -lt 90 ]]; then
- ((error_count++))
- fi
- else
- if [[ "$(/usr/bin/pmset -g | /usr/bin/grep standbydelay 2>&1 | /usr/bin/awk '{print $2}')" -gt 900 ]]; then
- ((error_count++))
- fi
- fi
- if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then
- ((error_count++))
- fi
- fi
- echo "$error_count"
-result:
- integer: 0
-fix: |
- [source,bash]
- ----
- /usr/bin/pmset -a hibernatemode 25
- if [[ "$(/usr/sbin/sysctl -n machdep.cpu.brand_string)" =~ "Intel" ]]; then
- /usr/bin/pmset -a standbydelayhigh 600
- /usr/bin/pmset -a standbydelaylow 600
- /usr/bin/pmset -a highstandbythreshold 90
- else
- /usr/bin/pmset -a standbydelay 900
- fi
- ----
-references:
- cce:
- - CCE-91799-7
- cci:
- - N/A
- 800-53r5:
- - N/A
- 800-53r4:
- - N/A
- srg:
- - N/A
- disa_stig:
- - N/A
- 800-171r2:
- - N/A
- cis:
- benchmark:
- - 2.9.3 (level 2)
- controls v8:
- - 4.1
-macOS:
- - "13.0"
-tags:
- - cis_lvl2
- - cisv8
-mobileconfig: false
-mobileconfig_info:
diff --git a/rules/os/os_hibernate_mode_intel_enable.yaml b/rules/os/os_hibernate_mode_intel_enable.yaml
new file mode 100644
index 00000000..45c52402
--- /dev/null
+++ b/rules/os/os_hibernate_mode_intel_enable.yaml
@@ -0,0 +1,67 @@
+id: os_hibernate_mode_intel_enable
+title: "Enable Hibernate Mode (Intel)"
+discussion: |
+ Hibernate mode _MUST_ be enabled.
+
+ This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack.
+
+check: |
+ error_count=0
+ if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
+ hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}')
+ hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}')
+ hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}')
+ hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}')
+
+ if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 900 ]]; then
+ ((error_count++))
+ fi
+ if [[ "$hibernateStandbyHighValue" == "" ]] || [[ "$hibernateStandbyHighValue" -gt 900 ]]; then
+ ((error_count++))
+ fi
+ if [[ "$hibernateStandbyThreshValue" == "" ]] || [[ "$hibernateStandbyThreshValue" -lt 90 ]]; then
+ ((error_count++))
+ fi
+ if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then
+ ((error_count++))
+ fi
+ fi
+ echo "$error_count"
+result:
+ integer: 0
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/pmset -a standbydelaylow 900
+ /usr/bin/pmset -a standbydelayhigh 900
+ /usr/bin/pmset -a highstandbythreshold 90
+ /usr/bin/pmset -a hibernatemode 25
+ ----
+references:
+ cce:
+ - CCE-91799-7
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - 2.9.1.1 (level 2)
+ controls v8:
+ - 4.1
+macOS:
+ - "13.0"
+tags:
+ - cis_lvl2
+ - cisv8
+ - i386
+mobileconfig: false
+mobileconfig_info:
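Review bot: The discussion gives no rationale for the values the check enforces — the 900 ceiling on standbydelaylow/standbydelayhigh and the 90 floor on highstandbythreshold — whereas the Apple Silicon rule explains its timeouts; a sentence such as `Intel MacBooks should set standbydelaylow and standbydelayhigh to 900 seconds (15 minutes) or less and highstandbythreshold to 90 or more.` would tie the check and fix values to the requirement. Inside the check, hibernatemode is read from `pmset -b -g` while the three standby values come from `pmset -g`, so the rule mixes the battery profile with whatever profile is currently active; reading all four from the same source would make the result independent of whether the machine is plugged in. The CCE-91799-7 reference is carried over from the deleted os_hibernate_mode_enable rule while the new Apple Silicon rule gets N/A, which is worth confirming since the identifier presumably described the old combined rule.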
diff --git a/rules/os/os_power_nap_disable.yaml b/rules/os/os_power_nap_disable.yaml
index ad5f082a..42b6b8af 100644
--- a/rules/os/os_power_nap_disable.yaml
+++ b/rules/os/os_power_nap_disable.yaml
@@ -41,7 +41,7 @@ references:
 - N/A
 cis:
 benchmark:
- - 2.9.1 (level 1)
+ - 2.9.2 (level 1)
 controls v8:
 - 4.1
 - 4.8
diff --git a/rules/os/os_world_writable_system_folder_configure.yaml b/rules/os/os_world_writable_system_folder_configure.yaml
index 6dfe4d4a..21817e7b 100644
--- a/rules/os/os_world_writable_system_folder_configure.yaml
+++ b/rules/os/os_world_writable_system_folder_configure.yaml
@@ -3,14 +3,14 @@ title: "Ensure No World Writable Files Exist in the System Folder"
 discussion: |
 Folders in /System/Volumes/Data/System _MUST_ not be world-writable.
 check: |
- /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -v "Drop Box" | /usr/bin/wc -l | /usr/bin/xargs
+ /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -v "downloadDir" | /usr/bin/wc -l | /usr/bin/xargs
 result:
 integer: 0
 fix: |
 [source,bash]
 ----
 IFS=$'\n'
- for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "Drop Box" ); do
+ for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "downloadDir" ); do
 /bin/chmod -R o-w "$sysPermissions"
 done
 ----
diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml
index 52ffd548..a76a349e 100644
--- a/rules/supplemental/supplemental_cis_manual.yaml
+++ b/rules/supplemental/supplemental_cis_manual.yaml
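Review bot: `/usr/bin/grep -v "downloadDir"` in the new check line is an unanchored substring filter over the whole `find -ls` output line, so any world-writable directory anywhere under /System/Volumes/Data/System whose path contains `downloadDir` is dropped from the count and, through the same filter in the fix, left world-writable, not just the one location the exclusion is meant for. Anchoring the exclusion to that directory's full path (e.g. `/usr/bin/grep -v "<FULL_PATH_OF_DOWNLOADDIR>"`, placeholder for the real path) would keep the carve-out to that location. The `Drop Box` exclusion is removed in the same change, so any world-writable Drop Box folders under that tree now count as findings and receive `chmod -R o-w` from the fix; worth stating in the discussion whether that is the intended reading of the benchmark.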
@@ -11,15 +11,18 @@ discussion: |
 |Recommendations
 |2.1.1.1 Audit iCloud Keychain +
 2.1.1.2 Audit iCloud Drive +
+ 2.1.1.4 Audit Security Keys Used With AppleIDs +
 2.1.2 Audit App Store Password Settings +
 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information +
 2.5.1 Audit Siri Settings +
 2.6.1.3 Audit Location Services Access +
 2.6.6 Audit Lockdown Mode +
 2.8.1 Audit Universal Control Settings +
- 2.11.2 Audit Touch ID and Wallet & Apple Pay Settings +
+ 2.11.2 Audit Touch ID +
 2.13.1 Audit Passwords System Preference Setting +
- 2.14.1 Audit Notification & Focus Settings +
+ 2.14.1 Audit Game Center Settings +
+ 2.15.1 Audit Notification & Focus Settings +
+ 2.16.1 Audit Wallet & Apple Pay Settings +
 |===
 [cols="15%h, 85%a"]
@@ -43,7 +46,6 @@ discussion: |
 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured +
 5.3.1 Ensure All User Storage APFS Volumes are Encrypted +
 5.3.2 Ensure All User Storage CoreStorage Volumes are Encrypted +
- 5.5 Ensure Login Keychain is Locked when the Computer Sleeps +
 |===
 [cols="15%h, 85%a"]
@@ -54,7 +56,6 @@ discussion: |
 |6.2.1 Ensure Protect Mail Activity in Mail Is Enabled +
 6.3.2 Audit History and Remove History Items +
 6.3.5 Audit Hide IP Address in Safari Setting +
- 6.3.7 Audit History and Remove History Items +
 |===
 check: |
 fix: |
diff --git a/rules/system_settings/system_settings_location_services_menu_enforce.yaml b/rules/system_settings/system_settings_location_services_menu_enforce.yaml
index 6f65c927..07265f50 100644
--- a/rules/system_settings/system_settings_location_services_menu_enforce.yaml
+++ b/rules/system_settings/system_settings_location_services_menu_enforce.yaml
@@ -1,5 +1,5 @@
 id: system_settings_location_services_menu_enforce
-title: "Enable Location Services"
+title: "Ensure Location Services Is in the Menu Bar"
 discussion: |
 Location Services menu item _MUST_ be enabled.
 check: |
diff --git a/rules/system_settings/system_settings_wake_network_access_disable.yaml b/rules/system_settings/system_settings_wake_network_access_disable.yaml
index adf73132..6caafc9c 100644
--- a/rules/system_settings/system_settings_wake_network_access_disable.yaml
+++ b/rules/system_settings/system_settings_wake_network_access_disable.yaml
@@ -28,7 +28,7 @@ references:
 - N/A
 cis:
 benchmark:
- - 2.9.2 (level 1)
+ - 2.9.3 (level 1)
 controls v8:
 - 4.8
 macOS:
diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc
index aa4e59d0..e3287b06 100644
--- a/templates/adoc_additional_docs.adoc
+++ b/templates/adoc_additional_docs.adoc
@@ -21,7 +21,7 @@ ASSOCIATED DOCUMENTS
 |link:https://nvd.nist.gov/800-53[NIST Special Publication 800-53 Rev 5]|_NIST Special Publication 800-53 Rev 5_
 |link:https://www.nist.gov/itl/tig/projects/special-publication-800-63[NIST Special Publication 800-63]|_NIST Special Publication 800-63_
 |link:https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final[NIST Special Publication 800-171]|_NIST Special Publication 800-171 Rev 2_
-|link:https://csrc.nist.gov/publications/detail/sp/800-219/final[NIST Special Publication 800-219]|_NIST Special Publication 800-219 Rev 1_
+|link:https://csrc.nist.gov/pubs/sp/800/219/r1/final[NIST Special Publication 800-219]|\_NIST Special Publication 800-219 Rev 1\_
 |===
 [%header, cols=2*a]
@@ -29,7 +29,7 @@ ASSOCIATED DOCUMENTS
 |===
 |Document Number or Descriptor |Document Title
-|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_13_V1R1_STIG.zip[STIG Ver 1, Rel 1]|_Apple macOS 13 (Ventura) STIG_
+|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_13_V1R2_STIG.zip[STIG Ver 1, Rel 2]|_Apple macOS 13 (Ventura) STIG_
 |===
 [%header, cols=2*a]
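Review bot: The replacement 800-219 row in the first templates/adoc_additional_docs.adoc hunk escapes its underscores, `\_NIST Special Publication 800-219 Rev 1\_`, which in AsciiDoc suppresses the italic formatting every other title cell in the table relies on, so this one title renders with literal underscores. The cell should read `|_NIST Special Publication 800-219 Rev 1_` like its neighbours; the URL update in the same line looks fine.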
@@ -56,5 +56,5 @@ ASSOCIATED DOCUMENTS
 |===
 |Document Number or Descriptor |Document Title
-|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 13.0]|_CIS Apple macOS 13.0 Benchmark version 1.0.0_
+|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 13.0]|_CIS Apple macOS 13.0 Benchmark version 1.1.0_
 |===
\ No newline at end of file