Merge branch 'dev_tahoe_adjustments' into tahoe

baselines/DISA-STIG.yaml

@@ -0,0 +1,195 @@
+title: "macOS 26.0: Security Configuration - Apple macOS 26 (Tahoe) STIG - Ver 1, Rel 1"
+description: |
+  This guide describes the actions to take when securing a macOS 26.0 system against the Apple macOS 26 (Tahoe) STIG - Ver 1, Rel 1 security baseline.
+authors: |
+  *macOS Security Compliance Project*
+
+  |===
+  |Dan Brodjieski|National Aeronautics and Space Administration
+  |Allen Golbig|Jamf
+  |Bob Gendler|National Institute of Standards and Technology
+  |Aaron Kegerreis|Defense Information Systems Agency
+  |===
+parent_values: "stig"
+profile:
+  - section: "auditing"
+    rules:
+      - audit_acls_files_configure
+      - audit_acls_folders_configure
+      - audit_auditd_enabled
+      - audit_configure_capacity_notify
+      - audit_control_acls_configure
+      - audit_control_group_configure
+      - audit_control_mode_configure
+      - audit_control_owner_configure
+      - audit_files_group_configure
+      - audit_files_mode_configure
+      - audit_files_owner_configure
+      - audit_flags_aa_configure
+      - audit_flags_ad_configure
+      - audit_flags_ex_configure
+      - audit_flags_fd_configure
+      - audit_flags_fm_configure
+      - audit_flags_fr_configure
+      - audit_flags_fw_configure
+      - audit_flags_lo_configure
+      - audit_folder_group_configure
+      - audit_folder_owner_configure
+      - audit_folders_mode_configure
+      - audit_retention_configure
+      - audit_settings_failure_notify
+  - section: "authentication"
+    rules:
+      - auth_pam_login_smartcard_enforce
+      - auth_pam_su_smartcard_enforce
+      - auth_pam_sudo_smartcard_enforce
+      - auth_smartcard_allow
+      - auth_smartcard_certificate_trust_enforce_moderate
+      - auth_smartcard_enforce
+      - auth_ssh_password_authentication_disable
+  - section: "icloud"
+    rules:
+      - icloud_addressbook_disable
+      - icloud_bookmarks_disable
+      - icloud_calendar_disable
+      - icloud_drive_disable
+      - icloud_freeform_disable
+      - icloud_game_center_disable
+      - icloud_keychain_disable
+      - icloud_mail_disable
+      - icloud_notes_disable
+      - icloud_photos_disable
+      - icloud_private_relay_disable
+      - icloud_reminders_disable
+      - icloud_sync_disable
+  - section: "macos"
+    rules:
+      - os_account_modification_disable
+      - os_airdrop_disable
+      - os_appleid_prompt_disable
+      - os_asl_log_files_owner_group_configure
+      - os_asl_log_files_permissions_configure
+      - os_authenticated_root_enable
+      - os_bonjour_disable
+      - os_camera_disable
+      - os_certificate_authority_trust
+      - os_config_data_install_enforce
+      - os_dictation_disable
+      - os_erase_content_and_settings_disable
+      - os_facetime_app_disable
+      - os_filevault_autologin_disable
+      - os_gatekeeper_enable
+      - os_genmoji_disable
+      - os_handoff_disable
+      - os_home_folders_secure
+      - os_httpd_disable
+      - os_icloud_storage_prompt_disable
+      - os_image_playground_disable
+      - os_install_log_retention_configure
+      - os_iphone_mirroring_disable
+      - os_loginwindow_adminhostinfo_disabled
+      - os_mdm_require
+      - os_newsyslog_files_owner_group_configure
+      - os_newsyslog_files_permissions_configure
+      - os_nfsd_disable
+      - os_on_device_dictation_enforce
+      - os_password_hint_remove
+      - os_password_proximity_disable
+      - os_policy_banner_loginwindow_enforce
+      - os_policy_banner_ssh_configure
+      - os_policy_banner_ssh_enforce
+      - os_privacy_setup_prompt_disable
+      - os_recovery_lock_enable
+      - os_root_disable
+      - os_secure_boot_verify
+      - os_sip_enable
+      - os_siri_prompt_disable
+      - os_skip_apple_intelligence_enable
+      - os_skip_screen_time_prompt_enable
+      - os_skip_unlock_with_watch_enable
+      - os_ssh_fips_compliant
+      - os_ssh_server_alive_count_max_configure
+      - os_ssh_server_alive_interval_configure
+      - os_sshd_channel_timeout_configure
+      - os_sshd_client_alive_count_max_configure
+      - os_sshd_client_alive_interval_configure
+      - os_sshd_fips_compliant
+      - os_sshd_login_grace_time_configure
+      - os_sshd_permit_root_login_configure
+      - os_sshd_unused_connection_timeout_configure
+      - os_sudo_log_enforce
+      - os_sudo_timeout_configure
+      - os_sudoers_timestamp_type_configure
+      - os_tftpd_disable
+      - os_time_server_enabled
+      - os_touchid_prompt_disable
+      - os_unlock_active_user_session_disable
+      - os_user_app_installation_prohibit
+      - os_uucp_disable
+      - os_writing_tools_disable
+  - section: "passwordpolicy"
+    rules:
+      - pwpolicy_account_inactivity_enforce
+      - pwpolicy_account_lockout_enforce
+      - pwpolicy_account_lockout_timeout_enforce
+      - pwpolicy_alpha_numeric_enforce
+      - pwpolicy_custom_regex_enforce
+      - pwpolicy_max_lifetime_enforce
+      - pwpolicy_minimum_length_enforce
+      - pwpolicy_minimum_lifetime_enforce
+      - pwpolicy_special_character_enforce
+      - pwpolicy_temporary_or_emergency_accounts_disable
+  - section: "systemsettings"
+    rules:
+      - system_settings_airplay_receiver_disable
+      - system_settings_apple_watch_unlock_disable
+      - system_settings_automatic_login_disable
+      - system_settings_automatic_logout_enforce
+      - system_settings_bluetooth_disable
+      - system_settings_bluetooth_settings_disable
+      - system_settings_bluetooth_sharing_disable
+      - system_settings_content_caching_disable
+      - system_settings_diagnostics_reports_disable
+      - system_settings_filevault_enforce
+      - system_settings_find_my_disable
+      - system_settings_firewall_enable
+      - system_settings_gatekeeper_identified_developers_allowed
+      - system_settings_guest_account_disable
+      - system_settings_hot_corners_disable
+      - system_settings_improve_assistive_voice_disable
+      - system_settings_improve_search_disable
+      - system_settings_improve_siri_dictation_disable
+      - system_settings_internet_sharing_disable
+      - system_settings_location_services_disable
+      - system_settings_loginwindow_prompt_username_password_enforce
+      - system_settings_media_sharing_disabled
+      - system_settings_password_hints_disable
+      - system_settings_personalized_advertising_disable
+      - system_settings_printer_sharing_disable
+      - system_settings_rae_disable
+      - system_settings_remote_management_disable
+      - system_settings_screen_sharing_disable
+      - system_settings_screensaver_ask_for_password_delay_enforce
+      - system_settings_screensaver_password_enforce
+      - system_settings_screensaver_timeout_enforce
+      - system_settings_siri_disable
+      - system_settings_siri_settings_disable
+      - system_settings_smbd_disable
+      - system_settings_softwareupdate_current
+      - system_settings_system_wide_preferences_configure
+      - system_settings_time_server_configure
+      - system_settings_time_server_enforce
+      - system_settings_token_removal_enforce
+      - system_settings_touchid_unlock_disable
+      - system_settings_usb_restricted_mode
+      - system_settings_wallet_applepay_settings_disable
+  - section: "Inherent"
+    rules:
+      - os_supported_operating_system
+  - section: "Supplemental"
+    rules:
+      - supplemental_controls
+      - supplemental_filevault
+      - supplemental_firewall_pf
+      - supplemental_password_policy
+      - supplemental_smartcard

includes/mscp-data.yaml

@@ -91,7 +91,7 @@ titles:
   cnssi-1253_low: Committee on National Security Systems Instruction No. 1253 (Low)
   cnssi-1253_moderate: Committee on National Security Systems Instruction No. 1253 (Moderate)
   cnssi-1253_high: Committee on National Security Systems Instruction No. 1253 (High)
-  stig: Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 4
+  stig: Apple macOS 26 (Tahoe) STIG - Ver 1, Rel 1
 ddm:
   supported_types:
     - com.apple.configuration.services.configuration-files

rules/audit/audit_failure_halt.yaml

@@ -25,7 +25,7 @@ references:
   srg:
     - SRG-OS-000047-GPOS-00023
   disa_stig:
-    - APPL-26-001010
+    - N/A
   800-171r3:
     - 03.03.04
   cmmc:
@@ -43,7 +43,6 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - cmmc_lvl2
-  - stig
   - cnssi-1253_moderate
 severity: medium
 mobileconfig: false

rules/os/os_firmware_password_require.yaml

@@ -20,7 +20,7 @@ check: |
 result:
   integer: 1
 fix: |
-  NOTE: See discussion on remediation and how to enable firmware password.
+  NOTE: See discussion on how to enable firmware password.
 references:
   cce:
     - CCE-95194-7
@@ -33,7 +33,7 @@ references:
   srg:
     - SRG-OS-000480-GPOS-00227
   disa_stig:
-    - APPL-26-003013
+    - N/A
   800-171r3:
     - 03.01.05
   cmmc:
@@ -52,7 +52,6 @@ tags:
   - cnssi-1253_high
   - cmmc_lvl2
   - cmmc_lvl1
-  - stig
   - cnssi-1253_moderate
 severity: medium
 mobileconfig: false

rules/os/os_software_update_deferral.yaml

@@ -2,6 +2,8 @@ id: os_software_update_deferral
 title: Ensure Software Update Deferment Is Less Than or Equal to $ODV Days
 discussion: |
   Software updates _MUST_ be deferred for $ODV days or less.
+
+  If you need to defer software updates, create a Restrictions profile using the com.apple.applicationaccess domain and the key enforcedSoftwareUpdateDelay.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
   function run() {
@@ -49,7 +51,5 @@ odv:
 tags:
   - cis_lvl1
   - cis_lvl2
-mobileconfig: true
+mobileconfig: false
 mobileconfig_info:
-  com.apple.applicationaccess:
-    enforcedSoftwareUpdateDelay: $ODV

rules/os/os_sudo_timeout_configure.yaml

@@ -11,6 +11,7 @@ fix: |
   ----
   /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_timeout/d' '{}' \;
   /bin/echo "Defaults timestamp_timeout=$ODV" >> /etc/sudoers.d/mscp
+  /bin/chmod 440 /etc/sudoers.d/mscp
   ----
 references:
   cce:

rules/os/os_supported_operating_system.yaml

@@ -0,0 +1,32 @@
+id: os_supported_operating_system
+title: The macOS Version Must Be Supported by the Vendor
+discussion: |
+  Unsupported software and systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities.
+
+  Software and systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.
+
+  When maintenance updates and patches are no longer available, software is no longer considered supported and should be upgraded or decommissioned.
+check: |
+  The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
+fix: |
+  The technology inherently meets this requirement. No fix is required.
+references:
+  cce:
+    - N/A
+  cci:
+    - CCI-003376
+  800-53r5:
+    - N/A
+  800-53r4:
+    - N/A
+  disa_stig:
+    - APPL-26-006000
+  srg:
+    - SRG-OS-000830-GPOS-00300
+macOS:
+  - '26.0'
+tags:
+  - inherent
+  - stig
+mobileconfig: false
+mobileconfig_info:

rules/system_settings/system_settings_screensaver_password_enforce.yaml

@@ -31,6 +31,11 @@ references:
     - 03.05.01
   cmmc:
     - AC.L2-3.1.10
+  cis:
+    benchmark:
+      - 2.11.2 (level 1)
+    controls v8:
+      - 4.7      
 macOS:
   - '26.0'
 tags:
@@ -44,6 +49,8 @@ tags:
   - cmmc_lvl2
   - stig
   - cnssi-1253_moderate
+  - cis_lvl1
+  - cis_lvl2
 severity: medium
 mobileconfig: true
 mobileconfig_info:

rules/system_settings/system_settings_softwareupdate_current.yaml

@@ -2,11 +2,11 @@ id: system_settings_softwareupdate_current
 title: Ensure Software Update is Updated and Current
 discussion: |
   Make sure Software Update is updated and current.
-
+  
-  NOTE: Automatic fix can cause unplanned restarts and may lose work.
+  link:https://support.apple.com/en-us/108382[Update macOS on Mac] or if enrolled in an MDM consult your MDM's documentation for automated methods.
 check: |
   softwareupdate_date_epoch=$(/bin/date -j -f "%Y-%m-%d" "$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist LastFullSuccessfulDate | /usr/bin/awk '{print $1}')" "+%s")
-  thirty_days_epoch=$(/bin/date -v -30d "+%s")
+  thirty_days_epoch=$(/bin/date -v -$ODV "+%s")
   if [[ $softwareupdate_date_epoch -lt $thirty_days_epoch ]]; then
     /bin/echo "0"
   else
@@ -15,38 +15,50 @@ check: |
 result:
   integer: 1
 fix: |
-  [source,bash]
+  NOTE: See discussion on how to install software updates.
-  ----
-  /usr/sbin/softwareupdate -i -a
-  ----
-  NOTE - This will apply to the whole system
 references:
   cce:
     - CCE-95405-7
   cci:
-    - N/A
+    - CCI-002605
   800-53r5:
-    - N/A
+    - SI-2
-  800-53r4:
-    - N/A
   srg:
-    - N/A
+    - SRG-OS-000439-GPOS-00195
   disa_stig:
-    - N/A
+    - APPL-26-999999
   800-171r3:
-    - N/A
+    - 03.14.01
+    - 03.14.02
   cis:
     benchmark:
       - 1.1 (level 1)
     controls v8:
       - 7.3
       - 7.4
+  cmmc:
+    - SI.L1-3.14.1
+    - SI.L1-3.14.2
+    - SI.L1-3.14.4      
 macOS:
   - '26.0'
+odv:
+  hint: Maximum Days of Deferral
+  recommended: 30
+  cis_lvl1: 30
+  cis_lvl2: 30
+  stig: 30
 tags:
   - cis_lvl1
   - cis_lvl2
   - cisv8
+  - stig
+  - 800-53r5_low
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-171
+  - cmmc_lvl2
+  - cmmc_lvl1
 severity: medium
 mobileconfig: false
 mobileconfig_info:

templates/adoc_additional_docs.adoc

@@ -29,7 +29,7 @@ ASSOCIATED DOCUMENTS
 |===
 |Document Number or Descriptor
 |Document Title
-|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_15_V1R3_STIG.zip[STIG Ver 1, Rel 4]|_Apple macOS 15 (Sequoia) STIG_
+|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_26_V1R1_STIG.zip[STIG Ver 1, Rel 1]|_Apple macOS 26 (Tahoe) STIG_
 |===
 
 [%header, cols=2*a]
@@ -64,5 +64,5 @@ ASSOCIATED DOCUMENTS
 |===
 |Document Number or Descriptor
 |Document Title
-|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 15.0]|_CIS Apple macOS 15.0 Benchmark version 1.1.0_
+|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 26.0]|_CIS Apple macOS 26.0 Benchmark version 1.0.0_
 |===