From 55ffd7d4107a2319d61b13095efddf68c6d6f6f3 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Mon, 22 May 2023 20:32:56 -0400 Subject: [PATCH 1/6] fix[rules] updates for cis v1.1.0 updates for cis v1.1.0 --- rules/os/os_power_nap_disable.yaml | 2 +- rules/supplemental/supplemental_cis_manual.yaml | 3 ++- .../system_settings_location_services_menu_enforce.yaml | 2 +- .../system_settings_wake_network_access_disable.yaml | 2 +- 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/rules/os/os_power_nap_disable.yaml b/rules/os/os_power_nap_disable.yaml index 287da69d..ecbf2776 100644 --- a/rules/os/os_power_nap_disable.yaml +++ b/rules/os/os_power_nap_disable.yaml @@ -41,7 +41,7 @@ references: - N/A cis: benchmark: - - 2.9.1 (level 1) + - 2.9.2 (level 1) controls v8: - 4.1 - 4.8 diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index 52ffd548..1f7b67bb 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml @@ -19,7 +19,8 @@ discussion: | 2.8.1 Audit Universal Control Settings + 2.11.2 Audit Touch ID and Wallet & Apple Pay Settings + 2.13.1 Audit Passwords System Preference Setting + - 2.14.1 Audit Notification & Focus Settings + + 2.14.1 Audit Game Center Settings + + 2.15.1 Audit Notification & Focus Settings + |=== [cols="15%h, 85%a"] diff --git a/rules/system_settings/system_settings_location_services_menu_enforce.yaml b/rules/system_settings/system_settings_location_services_menu_enforce.yaml index 6f65c927..07265f50 100644 --- a/rules/system_settings/system_settings_location_services_menu_enforce.yaml +++ b/rules/system_settings/system_settings_location_services_menu_enforce.yaml @@ -1,5 +1,5 @@ id: system_settings_location_services_menu_enforce -title: "Enable Location Services" +title: "Ensure Location Services Is in the Menu Bar" discussion: | Location Services menu item _MUST_ be enabled. check: | 
diff --git a/rules/system_settings/system_settings_wake_network_access_disable.yaml b/rules/system_settings/system_settings_wake_network_access_disable.yaml index adf73132..6caafc9c 100644 --- a/rules/system_settings/system_settings_wake_network_access_disable.yaml +++ b/rules/system_settings/system_settings_wake_network_access_disable.yaml @@ -28,7 +28,7 @@ references: - N/A cis: benchmark: - - 2.9.2 (level 1) + - 2.9.3 (level 1) controls v8: - 4.8 macOS: From 1415612ca00d29559b5f8b9146eda896b99be9f8 Mon Sep 17 00:00:00 2001 From: mahlmanj Date: Fri, 16 Jun 2023 12:50:11 -0400 Subject: [PATCH 2/6] Fixes for issue #219 --- baselines/all_rules.yaml | 3 +- baselines/cis_lvl2.yaml | 3 +- ...s_hibernate_mode_apple_silicon_enable.yaml | 66 ++++++++++++++++ rules/os/os_hibernate_mode_enable.yaml | 75 ------------------- rules/os/os_hibernate_mode_intel_enable.yaml | 67 +++++++++++++++++ 5 files changed, 137 insertions(+), 77 deletions(-) create mode 100644 rules/os/os_hibernate_mode_apple_silicon_enable.yaml delete mode 100644 rules/os/os_hibernate_mode_enable.yaml create mode 100644 rules/os/os_hibernate_mode_intel_enable.yaml diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index e200f261..f42ff3a8 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -100,8 +100,9 @@ profile: - os_gatekeeper_rearm - os_guest_folder_removed - os_handoff_disable + - os_hibernate_mode_apple_silicon_enable - os_hibernate_mode_destroyfvkeyonstandby_enable - - os_hibernate_mode_enable + - os_hibernate_mode_intel_enable - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml index 28d2d7ac..bcb9018f 100644 --- a/baselines/cis_lvl2.yaml +++ b/baselines/cis_lvl2.yaml 
@@ -46,8 +46,9 @@ profile: - os_firewall_log_enable - os_gatekeeper_enable - os_guest_folder_removed + - os_hibernate_mode_apple_silicon_enable - os_hibernate_mode_destroyfvkeyonstandby_enable - - os_hibernate_mode_enable + - os_hibernate_mode_intel_enable - os_home_folders_secure - os_httpd_disable - os_install_log_retention_configure diff --git a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml new file mode 100644 index 00000000..52b968cd --- /dev/null +++ b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml 
@@ -0,0 +1,66 @@
+id: os_hibernate_mode_enable
+title: "Enable Hibernate Mode (Apple Silicon)"
+discussion: |
+ Hibernate mode _MUST_ be enabled.
+
+ This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack.
+
+ Apple Silicon MacBooks should set sleep timeout to 10 minutes (600 seconds) or less and the display sleep timeout should be 15 minutes (900 seconds) or less but greater than the sleep setting.
+ This setting ensures that MacBooks will not hibernate and require FileVault authentication wheneve the display goes to sleep for a short period of time.
+
+ NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops.
+check: |
+ error_count=0
+ if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
+ hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}')
+ sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}')
+ displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}')
+
+ if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 10 ]]; then
+ ((error_count++))
+ fi
+ if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 15 ]] || [[ "$displaysleepMode" -lt "$sleepMode" ]]; then
+ ((error_count++))
+ fi
+ if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then
+ ((error_count++))
+ fi
+ fi
+ echo "$error_count"
+result:
+ integer: 0
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/pmset -a sleep 10
+ /usr/bin/pmset -a displaysleep 15
+ /usr/bin/pmset -a hibernatemode 25
+ ----
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - 2.9.1.2 (level 2)
+ controls v8:
+ - 4.1
+macOS:
+ - "13.0"
+tags:
+ - cis_lvl2
+ - cisv8
+ - arm64
+mobileconfig: false
+mobileconfig_info:
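Review bot: The display-sleep comparison `[[ "$displaysleepMode" -lt "$sleepMode" ]]` in the new check accepts a display sleep equal to the system sleep, while the discussion a few lines up requires it to be "greater than the sleep setting"; either tighten the test to `-le` or reword the discussion to "greater than or equal to" so the two agree. The discussion also claims the setting "will stop the potential for a cold-boot attack" — hibernatemode 25 powers down RAM, but the FileVault key is only discarded when `destroyfvkeyonstandby` (the separate rule added alongside this one) is also enforced, so "reduces" is the defensible wording; and "wheneve" should read "whenever". Finally, the check reads the battery profile (`pmset -b -g`) while the fix writes all profiles (`pmset -a`); that is consistent as long as this fix is the only writer, but a sentence in the discussion stating that compliance is evaluated against the battery profile would help operators who ship a custom power profile via MDM.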
diff --git a/rules/os/os_hibernate_mode_enable.yaml b/rules/os/os_hibernate_mode_enable.yaml deleted file mode 100644 index dfef4553..00000000 --- a/rules/os/os_hibernate_mode_enable.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -id: os_hibernate_mode_enable -title: "Enable Hibernate Mode" -discussion: | - Hibernate mode _MUST_ be enabled. - - NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops. -check: | - error_count=0 - if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then - hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}') - if [[ "$(/usr/sbin/sysctl -n machdep.cpu.brand_string)" =~ "Intel" ]]; then - hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}') - hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}') - hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}') - - if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 600 ]]; then - ((error_count++)) - fi - if [[ "$hibernateStandbyHighValue" == "" ]] || [[ "$hibernateStandbyHighValue" -gt 600 ]]; then - ((error_count++)) - fi - if [[ "$hibernateStandbyThreshValue" == "" ]] || [[ "$hibernateStandbyThreshValue" -lt 90 ]]; then - ((error_count++)) - fi - else - if [[ "$(/usr/bin/pmset -g | /usr/bin/grep standbydelay 2>&1 | /usr/bin/awk '{print $2}')" -gt 900 ]]; then - ((error_count++)) - fi - fi - if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then - ((error_count++)) - fi - fi - echo "$error_count" -result: - integer: 0 -fix: | - [source,bash] - ---- - /usr/bin/pmset -a hibernatemode 25 - if [[ "$(/usr/sbin/sysctl -n machdep.cpu.brand_string)" =~ "Intel" ]]; then - /usr/bin/pmset -a standbydelayhigh 600 - /usr/bin/pmset -a standbydelaylow 600 - /usr/bin/pmset -a highstandbythreshold 90 - else - /usr/bin/pmset -a standbydelay 900 - fi - ---- -references: - cce: - - CCE-91799-7 - cci: - - N/A - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - N/A - disa_stig: - - N/A - 800-171r2: - - N/A - 
cis: - benchmark: - - 2.9.3 (level 2) - controls v8: - - 4.1 -macOS: - - "13.0" -tags: - - cis_lvl2 - - cisv8 -mobileconfig: false -mobileconfig_info: diff --git a/rules/os/os_hibernate_mode_intel_enable.yaml b/rules/os/os_hibernate_mode_intel_enable.yaml new file mode 100644 index 00000000..f74d0051 --- /dev/null +++ b/rules/os/os_hibernate_mode_intel_enable.yaml 
@@ -0,0 +1,67 @@
+id: os_hibernate_mode_enable
+title: "Enable Hibernate Mode (Intel)"
+discussion: |
+ Hibernate mode _MUST_ be enabled.
+
+ This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack.
+
+check: |
+ error_count=0
+ if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
+ hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}')
+ hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}')
+ hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}')
+ hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}')
+
+ if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 900 ]]; then
+ ((error_count++))
+ fi
+ if [[ "$hibernateStandbyHighValue" == "" ]] || [[ "$hibernateStandbyHighValue" -gt 900 ]]; then
+ ((error_count++))
+ fi
+ if [[ "$hibernateStandbyThreshValue" == "" ]] || [[ "$hibernateStandbyThreshValue" -lt 90 ]]; then
+ ((error_count++))
+ fi
+ if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then
+ ((error_count++))
+ fi
+ fi
+ echo "$error_count"
+result:
+ integer: 0
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/pmset -a standbydelaylow 900
+ /usr/bin/pmset -a standbydelayhigh 900
+ /usr/bin/pmset -a highstandbythreshold 90
+ /usr/bin/pmset -a hibernatemode 25
+ ----
+references:
+ cce:
+ - CCE-91799-7
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - 2.9.1.1 (level 2)
+ controls v8:
+ - 4.1
+macOS:
+ - "13.0"
+tags:
+ - cis_lvl2
+ - cisv8
+ - i386
+mobileconfig: false
+mobileconfig_info:
From 7a6b7a207c9c830c787b0e9e36aa46e7fdd64954 Mon Sep 17 00:00:00 2001
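Review bot: The new Intel check drops the `machdep.cpu.brand_string` architecture guard that the deleted combined rule had, so it now evaluates `standbydelaylow`/`standbydelayhigh`/`highstandbythreshold` against Intel thresholds on any MacBook; unless the generator filters rules by the `arm64`/`i386` tags — which is not visible in this series, and `baselines/cis_lvl2.yaml` lists both architecture rules unconditionally — an Apple Silicon laptop will be flagged here and the fix will write Intel standby values onto it. Wrapping the body in `if [[ "$(/usr/sbin/sysctl -n machdep.cpu.brand_string)" =~ "Intel" ]]; then … fi` (and the negated test in the Apple Silicon rule) keeps each rule self-contained regardless of how a baseline is assembled. The standby thresholds also moved from 600 to 900 seconds relative to the deleted rule without a word in the discussion; a sentence citing the benchmark value would let auditors reconcile it.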
From: mahlmanj Date: Fri, 16 Jun 2023 13:42:32 -0400 Subject: [PATCH 3/6] Updating CIS supplemental. --- rules/supplemental/supplemental_cis_manual.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index 1f7b67bb..a76a349e 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml @@ -11,16 +11,18 @@ discussion: | |Recommendations |2.1.1.1 Audit iCloud Keychain + 2.1.1.2 Audit iCloud Drive + + 2.1.1.4 Audit Security Keys Used With AppleIDs + 2.1.2 Audit App Store Password Settings + 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information + 2.5.1 Audit Siri Settings + 2.6.1.3 Audit Location Services Access + 2.6.6 Audit Lockdown Mode + 2.8.1 Audit Universal Control Settings + - 2.11.2 Audit Touch ID and Wallet & Apple Pay Settings + + 2.11.2 Audit Touch ID + 2.13.1 Audit Passwords System Preference Setting + 2.14.1 Audit Game Center Settings + 2.15.1 Audit Notification & Focus Settings + + 2.16.1 Audit Wallet & Apple Pay Settings + |=== [cols="15%h, 85%a"] @@ -44,7 +46,6 @@ discussion: | 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured + 5.3.1 Ensure All User Storage APFS Volumes are Encrypted + 5.3.2 Ensure All User Storage CoreStorage Volumes are Encrypted + - 5.5 Ensure Login Keychain is Locked when the Computer Sleeps + |=== [cols="15%h, 85%a"] @@ -55,7 +56,6 @@ discussion: | |6.2.1 Ensure Protect Mail Activity in Mail Is Enabled + 6.3.2 Audit History and Remove History Items + 6.3.5 Audit Hide IP Address in Safari Setting + - 6.3.7 Audit History and Remove History Items + |=== check: | fix: | From a026c12eaf4897e4fb073f9e450c5b4879f38bc6 Mon Sep 17 00:00:00 2001 
From: Allen Golbig Date: Tue, 25 Jul 2023 16:05:55 -0400 Subject: [PATCH 4/6] fix[rule] world writable system folder Fixed os_world_writable_system_folder_configure, downloadDir --- rules/os/os_world_writable_system_folder_configure.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/os/os_world_writable_system_folder_configure.yaml b/rules/os/os_world_writable_system_folder_configure.yaml index 6dfe4d4a..21817e7b 100644 --- a/rules/os/os_world_writable_system_folder_configure.yaml +++ b/rules/os/os_world_writable_system_folder_configure.yaml @@ -3,14 +3,14 @@ title: "Ensure No World Writable Files Exist in the System Folder" discussion: | Folders in /System/Volumes/Data/System _MUST_ not be world-writable. check: | - /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -v "Drop Box" | /usr/bin/wc -l | /usr/bin/xargs + /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -v "downloadDir" | /usr/bin/wc -l | /usr/bin/xargs result: integer: 0 fix: | [source,bash] ---- IFS=$'\n' - for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "Drop Box" ); do + for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "downloadDir" ); do /bin/chmod -R o-w "$sysPermissions" done ---- From cd35ddd35d7815acba5b516cddd4dee0b6c23eea Mon Sep 17 00:00:00 2001 
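Review bot: `grep -v "downloadDir"` is an unanchored substring exclusion applied to the whole `find -ls` output line, so any world-writable directory whose path merely contains that string — including one an unprivileged user creates inside a directory that is itself still world-writable — is silently skipped by both the check and the `chmod -R o-w` remediation, and neither the commit nor the discussion records which system path the exclusion is meant for. Prefer excluding the one expected directory at the `find` level, e.g. `/usr/bin/find /System/Volumes/Data/System -type d -perm -2 -not -name "downloadDir" -ls | /usr/bin/wc -l | /usr/bin/xargs` (or, better, its full path with `-not -path`), and add a line to the discussion naming the exempted directory and why it is expected to be world-writable. Dropping the earlier "Drop Box" exemption also deserves a sentence in the discussion, since Drop Box folders found under this tree will now be remediated.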
From: Allen Golbig Date: Wed, 26 Jul 2023 06:44:23 -0400 Subject: [PATCH 5/6] updates for 1.1.0 --- Gemfile | 2 +- baselines/cis_lvl1.yaml | 2 +- baselines/cis_lvl2.yaml | 2 +- includes/mscp-data.yaml | 4 +- ...s_hibernate_mode_apple_silicon_enable.yaml | 2 +- ...ate_mode_destroyfvkeyonstandby_enable.yaml | 2 +- rules/os/os_hibernate_mode_intel_enable.yaml | 2 +- scripts/generate_guidance.py | 67 ++++++++++++++++--- sections/authentication.yaml | 2 +- templates/adoc_additional_docs.adoc | 2 +- templates/adoc_header.adoc | 4 +- 11 files changed, 71 insertions(+), 20 deletions(-) diff --git a/Gemfile b/Gemfile index 87ba404a..e622c7fa 100644 --- a/Gemfile +++ b/Gemfile @@ -1,5 +1,5 @@ source 'https://rubygems.org' gem 'asciidoctor' -gem 'asciidoctor-pdf', '2.3.5' +gem 'asciidoctor-pdf' gem 'rouge', '3.30.0' diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml index 4eaa19e9..2ff1e8f1 100644 --- a/baselines/cis_lvl1.yaml +++ b/baselines/cis_lvl1.yaml @@ -1,6 +1,6 @@ title: "macOS 13.0: Security Configuration - CIS Benchmarks" description: | - This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1) + This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 1) authors: | The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®) |=== diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml index bcb9018f..5c454b68 100644 --- a/baselines/cis_lvl2.yaml +++ b/baselines/cis_lvl2.yaml 
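Review bot: Removing the `'2.3.5'` pin from `asciidoctor-pdf` while `rouge` stays pinned leaves the PDF toolchain floating to whatever version rubygems serves at install time, which makes guidance builds non-reproducible and widens the supply-chain exposure of anyone running `bundle install` from this repository. If the pin was dropped to pick up a newer release, replace it with a pessimistic constraint such as `gem 'asciidoctor-pdf', '~> 2.3'` (or a new exact version) and commit the updated `Gemfile.lock`; the lockfile is not part of this series, so I cannot tell whether it constrains the resolved version.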
@@ -1,6 +1,6 @@ title: "macOS 13.0: Security Configuration - CIS Benchmarks" description: | - This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1 and 2) + This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 1 and 2) authors: | The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®) |=== diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml index 6257681c..39dcfe70 100644 --- a/includes/mscp-data.yaml +++ b/includes/mscp-data.yaml @@ -55,7 +55,7 @@ titles: 800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact 800-53r5_low: NIST SP 800-53 Rev 5 Low Impact 800-171: NIST 800-171 Rev 2 - cis_lvl1: CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1) - cis_lvl2: CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2) + cis_lvl1: CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 1) + cis_lvl2: CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 2) cisv8: CIS Controls Version 8 cnssi-1253: Committee on National Security Systems Instruction No. 1253 \ No newline at end of file diff --git a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml index 52b968cd..cd083e2a 100644 --- a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml +++ b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml @@ -1,4 +1,4 @@ -id: os_hibernate_mode_enable +id: os_hibernate_mode_apple_silicon_enable title: "Enable Hibernate Mode (Apple Silicon)" discussion: | Hibernate mode _MUST_ be enabled. diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml index dfc19e8e..2b776e27 100644 --- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml +++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml 
@@ -28,7 +28,7 @@ references: - N/A cis: benchmark: - - 2.9.3 (level 2) + - 2.9.1.3 (level 2) controls v8: - 4.1 macOS: diff --git a/rules/os/os_hibernate_mode_intel_enable.yaml b/rules/os/os_hibernate_mode_intel_enable.yaml index f74d0051..45c52402 100644 --- a/rules/os/os_hibernate_mode_intel_enable.yaml +++ b/rules/os/os_hibernate_mode_intel_enable.yaml @@ -1,4 +1,4 @@ -id: os_hibernate_mode_enable +id: os_hibernate_mode_intel_enable title: "Enable Hibernate Mode (Intel)" discussion: | Hibernate mode _MUST_ be enabled. diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 6bfbb228..b676f35f 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -13,6 +13,7 @@ import argparse import subprocess import logging import tempfile +import base64 from datetime import date from xlwt import Workbook from string import Template @@ -20,7 +21,7 @@ from itertools import groupby from uuid import uuid4 class MacSecurityRule(): - def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, cis, custom_refs, odv, tags, result_value, mobileconfig, mobileconfig_info, customized): + def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, cis, cmmc, custom_refs, odv, tags, result_value, mobileconfig, mobileconfig_info, customized): self.rule_title = title self.rule_id = rule_id self.rule_severity = severity @@ -34,6 +35,7 @@ class MacSecurityRule(): self.rule_disa_stig = disa_stig self.rule_srg = srg self.rule_cis = cis + self.rule_cmmc = cmmc self.rule_custom_refs = custom_refs self.rule_odv = odv self.rule_result_value = result_value @@ -56,6 +58,7 @@ class MacSecurityRule(): rule_80053r5=self.rule_80053r5, rule_disa_stig=self.rule_disa_stig, rule_cis=self.rule_cis, + rule_cmmc=self.rule_cmmc, rule_srg=self.rule_srg, rule_result=self.rule_result_value ) 
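Review bot: Inserting `cmmc` positionally between `cis` and `custom_refs` in `MacSecurityRule.__init__`, a constructor with more than twenty positional parameters, means any call site not updated in this series passes its trailing arguments shifted by one with no error raised — `custom_refs` would silently land in `cmmc`, `odv` in `custom_refs`, and so on. The one visible caller in `create_rules` is updated, but I cannot see whether others exist; appending `cmmc` after the existing parameters, or making the constructor keyword-only (`def __init__(self, *, title, rule_id, …)`) and calling it with keywords, removes the hazard. The class body continues outside this hunk.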
@@ -602,6 +605,14 @@ if [[ $EUID -ne 0 ]]; then exit 1 fi +ssh_key_check=0 +if /usr/sbin/sshd -T &> /dev/null; then + ssh_key_check=0 +else + /usr/bin/ssh-keygen -q -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key + ssh_key_check=1 +fi + # path to PlistBuddy plb="/usr/libexec/PlistBuddy" @@ -1068,6 +1079,12 @@ else read_options done fi + +if [[ "$ssh_key_check" -ne 0 ]]; then + /bin/rm /etc/ssh/ssh_host_rsa_key + /bin/rm /etc/ssh/ssh_host_rsa_key.public + ssh_key_check=0 +fi """ #write out the compliance script @@ -1246,7 +1263,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml): top = xlwt.easyxf("align: vert top") headers = xlwt.easyxf("font: bold on") counter = 1 - column_counter = 16 + column_counter = 17 custom_ref_column = {} sheet1.write(0, 0, "CCE", headers) sheet1.write(0, 1, "Rule ID", headers) @@ -1262,8 +1279,9 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(0, 11, "DISA STIG", headers) sheet1.write(0, 12, "CIS Benchmark", headers) sheet1.write(0, 13, "CIS v8", headers) - sheet1.write(0, 14, "CCI", headers) - sheet1.write(0, 15, "Modifed Rule", headers) + sheet1.write(0, 14, "CMMC", headers) + sheet1.write(0, 15, "CCI", headers) + sheet1.write(0, 16, "Modifed Rule", headers) sheet1.set_panes_frozen(True) sheet1.set_horz_split_pos(1) sheet1.set_vert_split_pos(2) 
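Review bot: The cleanup hunk removes `/etc/ssh/ssh_host_rsa_key.public`, but `ssh-keygen -f /etc/ssh/ssh_host_rsa_key` writes the public half to `/etc/ssh/ssh_host_rsa_key.pub`, so that `rm` fails and the generated public key is left in `/etc/ssh` after every run. More seriously, `ssh_key_check=1` is set whenever `sshd -T` fails rather than when a key was actually created: if `sshd -T` fails for another reason (a bad `sshd_config` directive, say) on a host that already has its real `ssh_host_rsa_key`, `ssh-keygen` will prompt rather than silently overwrite it, yet the end-of-script cleanup still deletes the genuine host key. The script also only reaches that cleanup after the interactive `read_options` loop exits normally, so an aborted run leaves a script-generated private host key in place that sshd will adopt as the machine's identity if it is later enabled. I would guard on the key file's existence, flag cleanup only on `ssh-keygen` success, remove the `.pub` file, run the cleanup from an EXIT trap, and state the presumed reason for the temporary key in a comment (rule checks shelling out to `sshd -T`, which fails with no host keys present); the second hunk then reduces to a plain `cleanup_temp_ssh_key` call or can be dropped. Both hunks sit inside the compliance-script template string, whose start and end are outside this view.

```bash
# sshd -T (used by the SSH rule checks) refuses to run when no host key exists;
# create a temporary RSA host key only in that case and remove it again on exit.
ssh_key_check=0
if ! /usr/sbin/sshd -T &> /dev/null && [[ ! -f /etc/ssh/ssh_host_rsa_key ]]; then
  if /usr/bin/ssh-keygen -q -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key; then
    ssh_key_check=1
  fi
fi

cleanup_temp_ssh_key() {
  if [[ "$ssh_key_check" -ne 0 ]]; then
    /bin/rm -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub
    ssh_key_check=0
  fi
}
trap cleanup_temp_ssh_key EXIT

# … unchanged: PlistBuddy path, rule checks, read_options loop …
```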
@@ -1351,18 +1369,24 @@ def generate_xls(baseline_name, build_path, baseline_yaml): cis = cis.replace(", ", "\n") sheet1.write(counter, 13, cis, topWrap) sheet1.col(13).width = 500 * 15 + + cmmc_refs = (str(rule.rule_cmmc)).strip('[]\'') + cmmc_refs = cmmc_refs.replace(", ", "\n").replace("\'", "") + + sheet1.write(counter, 14, cmmc_refs, topWrap) + sheet1.col(14).width = 500 * 15 cci = (str(rule.rule_cci)).strip('[]\'') cci = cci.replace(", ", "\n").replace("\'", "") - sheet1.write(counter, 14, cci, topWrap) - sheet1.col(13).width = 400 * 15 + sheet1.write(counter, 15, cci, topWrap) + sheet1.col(15).width = 400 * 15 customized = (str(rule.rule_customized)).strip('[]\'') customized = customized.replace(", ", "\n").replace("\'", "") - sheet1.write(counter, 15, customized, topWrap) - sheet1.col(14).width = 400 * 15 + sheet1.write(counter, 16, customized, topWrap) + sheet1.col(16).width = 400 * 15 if rule.rule_custom_refs != ['None']: for title, ref in rule.rule_custom_refs.items(): @@ -1408,6 +1432,7 @@ def create_rules(baseline_yaml): '800-53r5', '800-171r2', 'cis', + 'cmmc', 'srg', 'custom'] @@ -1451,6 +1476,7 @@ def create_rules(baseline_yaml): rule_yaml['references']['disa_stig'], rule_yaml['references']['srg'], rule_yaml['references']['cis'], + rule_yaml['references']['cmmc'], rule_yaml['references']['custom'], rule_yaml['odv'], rule_yaml['tags'], @@ -1562,6 +1588,7 @@ def parse_cis_references(reference): string += "!" + str(item) + "!* " + str(reference[item]) + "\n" return string +# Might have to do something similar to above for cmmc def main(): @@ -1586,8 +1613,14 @@ def main(): if args.logo: logo = args.logo + pdf_logo_path = logo else: logo = "../../templates/images/mscp_banner.png" + pdf_logo_path = "../templates/images/mscp_banner.png" + + # convert logo to base64 for inline processing + b64logo = base64.b64encode(open(pdf_logo_path, "rb").read()) + build_path = os.path.join(parent_dir, 'build', f'{baseline_name}') if not (os.path.isdir(build_path)): 
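Review bot: `b64logo = base64.b64encode(open(pdf_logo_path, "rb").read())` in the `main()` hunk leaves the file handle to the garbage collector; the idiomatic form is `with open(pdf_logo_path, "rb") as fh: b64logo = base64.b64encode(fh.read())`. When `--logo` is supplied, `pdf_logo_path` is the user's path and a missing file now aborts the whole build with an uncaught `FileNotFoundError` before any output is written — acceptable, but an explicit error naming the path would be friendlier than a traceback. The two default paths (`../../templates/...` for HTML, `../templates/...` for the PDF) presumably differ because of where asciidoctor resolves each one; a comment saying so would stop the next maintainer from "fixing" one to match the other. `main()` continues outside this hunk.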
@@ -1704,6 +1737,11 @@ def main(): else: adoc_cis_show=":show_cis!:" + if "CMMC" in baseline_yaml['title'].upper(): + adoc_cmmc_show=":show_CMMC:" + else: + adoc_cmmc_show=":show_CMMC!:" + if "800" in baseline_yaml['title']: adoc_171_show=":show_171:" else: @@ -1713,6 +1751,7 @@ def main(): adoc_tag_show=":show_tags:" adoc_STIG_show=":show_STIG:" adoc_cis_show=":show_cis:" + adoc_cmmc_show=":show_CMMC:" adoc_171_show=":show_171:" else: adoc_tag_show=":show_tags!:" @@ -1734,11 +1773,13 @@ def main(): html_subtitle=adoc_html_subtitle, document_subtitle2=adoc_document_subtitle2, logo=logo, + pdflogo=b64logo.decode("ascii"), pdf_theme=pdf_theme, tag_attribute=adoc_tag_show, nist171_attribute=adoc_171_show, stig_attribute=adoc_STIG_show, cis_attribute=adoc_cis_show, + cmmc_attribute=adoc_cmmc_show, version=version_yaml['version'], os_version=version_yaml['os'], release_date=version_yaml['date'] @@ -1857,6 +1898,13 @@ def main(): else: cis = parse_cis_references(rule_yaml['references']['cis']) + try: + rule_yaml['references']['cmmc'] + except KeyError: + cmmc = "" + else: + cmmc = ulify(rule_yaml['references']['cmmc']) + try: rule_yaml['references']['srg'] except KeyError: @@ -1941,6 +1989,7 @@ def main(): rule_800171=nist_800171, rule_disa_stig=disa_stig, rule_cis=cis, + rule_cmmc=cmmc, rule_cce=cce, rule_custom_refs=custom_refs, rule_tags=tags, @@ -1958,6 +2007,7 @@ def main(): rule_800171=nist_800171, rule_disa_stig=disa_stig, rule_cis=cis, + rule_cmmc=cmmc, rule_cce=cce, rule_tags=tags, rule_srg=srg @@ -1974,6 +2024,7 @@ def main(): rule_800171=nist_800171, rule_disa_stig=disa_stig, rule_cis=cis, + rule_cmmc=cmmc, rule_cce=cce, rule_tags=tags, rule_srg=srg, diff --git a/sections/authentication.yaml b/sections/authentication.yaml index facd68bb..57eb549e 100644 --- a/sections/authentication.yaml +++ b/sections/authentication.yaml 
@@ -2,6 +2,6 @@ description: | This section contains the configuration of authentication settings, including the enforcement of smartcard authentication. - NOTE: See addittional guidance in the Smartcard Supplemental. + NOTE: See additional guidance in the Smartcard Supplemental. NOTE: The check/fix commands outlined in this section must be run with elevated privileges. \ No newline at end of file diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc index 11634338..2ef31eaf 100644 --- a/templates/adoc_additional_docs.adoc +++ b/templates/adoc_additional_docs.adoc @@ -56,5 +56,5 @@ ASSOCIATED DOCUMENTS |=== |Document Number or Descriptor |Document Title -|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 13.0]|_CIS Apple macOS 13.0 Benchmark version 1.0.0_ +|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 13.0]|_CIS Apple macOS 13.0 Benchmark version 1.1.0_ |=== \ No newline at end of file diff --git a/templates/adoc_header.adoc b/templates/adoc_header.adoc index d3224306..a1fdb421 100644 --- a/templates/adoc_header.adoc +++ b/templates/adoc_header.adoc @@ -20,6 +20,7 @@ endif::[] $nist171_attribute $stig_attribute $cis_attribute +$cmmc_attribute :version: $version ($release_date) :os: $os_version :proj-title: $html_header_title @@ -28,11 +29,10 @@ $cis_attribute $document_subtitle2 ifdef::backend-pdf[] = {document-title}: {document-subtitle} -{document-subtitle2} $version ($release_date) :pdf-themesdir: ../templates :pdf-theme: $pdf_theme -:title-logo-image: image:$logo[align=center] +:title-logo-image: image:data:image/png;base64,$pdflogo[align=center] :nofooter!: endif::[] :data-uri: From 371cb0bf6b198d01f898037fc4046ae29f03f5b0 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 26 Jul 2023 07:52:50 -0400 Subject: [PATCH 6/6] fixed additional docs --- templates/adoc_additional_docs.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
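Review bot: `:title-logo-image: image:data:image/png;base64,$pdflogo[align=center]` hardcodes the PNG media type, but `generate_guidance.py` now base64-encodes whatever file `--logo` points at, so a JPEG or SVG logo produces a data URI whose declared type does not match its bytes and the PDF logo may render blank or fail. Either document in the `--logo` help text that the file must be PNG, or have the generator derive the type (for example with `mimetypes.guess_type(pdf_logo_path)[0]`) and pass it as a second template variable. The `{document-subtitle2}` line removed from the PDF title page is not mentioned in the commit message; if intentional, a word in the description would help.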
diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc index 2ef31eaf..e3287b06 100644 --- a/templates/adoc_additional_docs.adoc +++ b/templates/adoc_additional_docs.adoc @@ -21,7 +21,7 @@ ASSOCIATED DOCUMENTS |link:https://nvd.nist.gov/800-53[NIST Special Publication 800-53 Rev 5]|_NIST Special Publication 800-53 Rev 5_ |link:https://www.nist.gov/itl/tig/projects/special-publication-800-63[NIST Special Publication 800-63]|_NIST Special Publication 800-63_ |link:https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final[NIST Special Publication 800-171]|_NIST Special Publication 800-171 Rev 2_ -|link:https://csrc.nist.gov/publications/detail/sp/800-219/final[NIST Special Publication 800-219]|_NIST Special Publication 800-219 Rev 1_ +|link:https://csrc.nist.gov/pubs/sp/800/219/r1/final[NIST Special Publication 800-219]|\_NIST Special Publication 800-219 Rev 1\_ |=== [%header, cols=2*a] @@ -29,7 +29,7 @@ ASSOCIATED DOCUMENTS |=== |Document Number or Descriptor |Document Title -|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_12_V1R3_STIG.zip[STIG Ver 1, Rel 3]|_Apple macOS 12 (Monterey) STIG_ +|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_13_V1R2_STIG.zip[STIG Ver 1, Rel 2]|_Apple macOS 13 (Ventura) STIG_ |=== [%header, cols=2*a] 
@@ -48,7 +48,7 @@ ASSOCIATED DOCUMENTS |Document Title |link:https://support.apple.com/guide/security/welcome/web[Apple Platform Security Guide]|_Apple Platform Security_ |link:https://support.apple.com/guide/deployment/welcome/web[Apple Platform Deployment]|_Apple Platform Deployment_ -|link:https://support.apple.com/guide/sccc/welcome/web[Security Certifications and Compliance Center]|_Security Certifications and Compliance Center_ +|link:https://support.apple.com/guide/certifications/welcome/web[Apple Platform Certifications]|_Apple Platform Certifications_ |link:https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys[Profile-Specific Payload Keys]|_Profile-Specific Payload Keys_ |=== [%header, cols=2*a]