chore: clean up extraneous trailing whitespace

Dan Brodjieski
2023-09-14 14:21:06 -04:00
parent 6534990e8e
commit 5acbdbd21e
202 changed files with 1359 additions and 1359 deletions

View File

@@ -7,15 +7,15 @@ Contribute new content, share feedback and ask questions about resources in the
These operating rules describe and govern NISTs management of this repository and contributors responsibilities. NIST reserves the right to modify this policy at any time.
=== Criteria for Contributions and Feedback
This is a moderated platform. NIST will only accept contributions that are contributed per the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file.
This is a moderated platform. NIST will only accept contributions that are contributed per the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file.
NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that:
* states or implies NIST endorsement of any entities, services, or products;
* is inaccurate;
* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content;
* is clearly "off topic";
NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that:
* states or implies NIST endorsement of any entities, services, or products;
* is inaccurate;
* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content;
* is clearly "off topic";
* makes unsupported accusations;
* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government (http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines]; or,
* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government (http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines]; or,
* contains .exe or .jar file types.
_These file types will not be hosted in the NIST repository; instead, NIST may link to these if hosted elsewhere._
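Review bot: the PII/BII bullet in this hunk has an unbalanced parenthesis: `(http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines];` opens a paren that is never closed, so the rendered AsciiDoc shows a stray `(`. Since the line is already being touched for trailing whitespace, either drop the `(` or close it after `[guidelines]`. The same region also leaves "NISTs management" and "contributors responsibilities" without their apostrophes ("NIST's", "contributors'").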
@@ -28,4 +28,4 @@ NIST also reserves the right to reject or remove contributions from the reposito
* responding to NIST representatives in a timely manner;
* keeping contributions and contributor GitHub username up to date
*GitHub Help:* If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help https://help.github.com/categories/collaborating-with-issues-and-pull-requests/[page].
*GitHub Help:* If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help https://help.github.com/categories/collaborating-with-issues-and-pull-requests/[page].

View File

@@ -51,9 +51,9 @@ By exercising the Licensed Rights (defined below), You accept and agree to be bo
5. _Downstream recipients._
**A.** _Offer from the Licensor_ Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
**B.** _No downstream restrictions._ You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
6. _No endorsement._ Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
## b. Other rights.
@@ -75,17 +75,17 @@ Your exercise of the Licensed Rights is expressly made subject to the following
**i.** identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
**ii.** a copyright notice;
**iii.** a notice that refers to this Public License;
**iv.** a notice that refers to the disclaimer of warranties;
**v.** a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
**B.** indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
**C.** indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
**2.** You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
**3.** If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
@@ -116,11 +116,11 @@ For the avoidance of doubt, this Section 4 supplements and does not replace Your
**a.** This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
**b.** Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
**1.** automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
**2.** upon express reinstatement by the Licensor.
For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
**c.** For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.

View File

@@ -1,7 +1,7 @@
image::templates/images/mscp_banner_outline.png[]
// settings:
:idprefix:
:idseparator: -
:idseparator: -
ifndef::env-github[:icons: font]
ifdef::env-github[]
:status:
@@ -29,7 +29,7 @@ This project is the technical implementation of NIST Special Publication, 800-21
Apple acknowledges the macOS Security Compliance Project with information on their https://support.apple.com/guide/certifications/macos-security-compliance-project-apc322685bb2/web[Platform Certifications] page.
This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
To learn more about the project, please see the {uri-repo}/wiki[wiki].
@@ -61,7 +61,7 @@ Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) sta
== Changelog
Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes.
Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes.
== NIST Disclaimer

View File

@@ -324,7 +324,7 @@ profile:
- pwpolicy_prevent_dictionary_words
- system_settings_wifi_disable_when_connected_to_ethernet
- section: "not_applicable"
rules:
rules:
- os_access_control_mobile_devices
- os_identify_non-org_users
- os_information_validation

View File

@@ -4,9 +4,9 @@
enable_macos_application_firewall () {
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on
}
@@ -35,7 +35,7 @@ enable_pf_firewall_with_macsec_rules () {
launchctl enable system/macsec.pfctl
launchctl bootstrap system $macsec_pfctl_plist
pfctl -f /etc/pf.conf 2> /dev/null #flush the pf ruleset (reload the rules)
pfctl -f /etc/pf.conf 2> /dev/null #flush the pf ruleset (reload the rules)
}
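Review bot: the comment on `pfctl -f /etc/pf.conf 2> /dev/null #flush the pf ruleset (reload the rules)` misstates what the command does: `-f` loads the ruleset from the file, while flushing is `-F`. Redirecting stderr to /dev/null also discards the parse error pfctl prints when the rules file fails to load, so a broken ruleset would silently leave the previous rules in place; consider dropping the redirect or checking the exit status before treating the firewall as configured.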
@@ -147,7 +147,7 @@ block log proto tcp to any port 540
ENDCONFIG
}
####
####
enable_macos_application_firewall
create_macsec_pf_anchors

View File

@@ -1,6 +1,6 @@
---
authors:
all_rules:
all_rules:
names:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
@@ -10,7 +10,7 @@ authors:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
800-53r5_moderate:
800-53r5_moderate:
names:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
@@ -20,12 +20,12 @@ authors:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
800-171:
800-171:
names:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
cis_lvl1:
cis_lvl1:
preamble: The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®)
names:
- Edward Byrd|Center for Internet Security
@@ -72,10 +72,10 @@ authors:
- Ekkehard Koch|
- Bob Gendler|National Institute of Standards and Technology
stig:
names:
names:
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
- Bob Gendler|National Institute of Standards and Technology
- Bob Gendler|National Institute of Standards and Technology
titles:
all_rules: All Rules
800-53r5_high: NIST SP 800-53 Rev 5 High Impact

View File

@@ -1,4 +1,4 @@
payloads_types:
payloads_types:
- com.apple.ADCertificate.managed
- com.apple.AIM.account
- com.apple.AssetCache.managed

View File

@@ -60,7 +60,7 @@ references:
- AU-12(3)
- AU-14(1)
- MA-4(1)
- CM-5(1)
- CM-5(1)
800-53r4:
- AU-3
- AU-3(1)

View File

@@ -1,7 +1,7 @@
id: audit_configure_capacity_notify
title: "Configure Audit Capacity Warning"
discussion: |
The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value.
The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value.
This rule ensures that the system administrator is notified in advance that action is required to free up more disk space for audit logs.
check: |
@@ -11,7 +11,7 @@ result:
fix: |
[source,bash]
----
/usr/bin/sed -i.bak 's/.*minfree.*/minfree:$ODV/' /etc/security/audit_control; /usr/sbin/audit -s
/usr/bin/sed -i.bak 's/.*minfree.*/minfree:$ODV/' /etc/security/audit_control; /usr/sbin/audit -s
----
references:
cce:
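Review bot: `/usr/bin/sed -i.bak 's/.*minfree.*/minfree:$ODV/' /etc/security/audit_control` rewrites every line that contains `minfree` anywhere on it, not just the `minfree:` directive, so a comment mentioning minfree would be turned into a second directive; anchoring the pattern, e.g. `s/^minfree:.*/minfree:$ODV/`, limits the edit to the directive. Note also that `-i.bak` leaves `/etc/security/audit_control.bak` behind on every run.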
@@ -20,7 +20,7 @@ references:
- CCI-001855
800-53r5:
- AU-5(1)
800-53r4:
800-53r4:
- AU-5(1)
srg:
- SRG-OS-000343-GPOS-00134
@@ -33,7 +33,7 @@ odv:
recommended: 25
stig: 25
tags:
- 800-53r5_high
- 800-53r5_high
- 800-53r4_high
- cnssi-1253_moderate
- cnssi-1253_low

View File

@@ -4,7 +4,7 @@ discussion: |
/etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs).
check: |
/bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":"
result:
result:
integer: 0
fix: |
[source,bash]

View File

@@ -2,10 +2,10 @@ id: audit_enforce_dual_auth
title: "Enforce Dual Authorization for Movement and Deletion of Audit Information"
discussion: |
All bulk manipulation of audit information should be authorized via automatic processes, and any manual manipulation of audit information should require dual authorization. In addition, dual authorization mechanisms should require the approval of two authorized individuals before being executed.
An authorized user may intentionally or accidentally move or delete audit records without those specific actions being authorized, which would result in the loss of information that could, in the future, be critical for forensic investigation.
To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |

View File

@@ -1,11 +1,11 @@
id: audit_failure_halt
title: "Configure System to Shut Down Upon Audit Failure"
discussion: |
The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events.
The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events.
Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
check: |
/usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'
/usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'
result:
integer: 1
fix: |
@@ -33,13 +33,13 @@ references:
macOS:
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high

View File

@@ -3,7 +3,7 @@ title: "Configure Audit Log Files Group to Wheel"
discussion: |
Audit log files _MUST_ have the group set to wheel.
The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
check: |

View File

@@ -1,7 +1,7 @@
id: audit_files_mode_configure
title: "Configure Audit Log Files to Mode 440 or Less Permissive"
discussion: |
The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
check: |
/bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
result:
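Review bot: the check `awk '!/-r--r-----|current|total/{print $1}'` treats only an exact mode of 440 as compliant, but the title says "Mode 440 or Less Permissive", so a log file at 400 (`-r--------`) is counted as a failure. Testing that the group write/execute and all "other" bits are clear, rather than matching one literal permission string, would make the check agree with the rule title.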

View File

@@ -1,5 +1,5 @@
id: audit_files_owner_configure
title: "Configure Audit Log Files to be Owned by Root"
title: "Configure Audit Log Files to be Owned by Root"
discussion: |
Audit log files _MUST_ be owned by root.
@@ -7,7 +7,7 @@ discussion: |
Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.
check: |
/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'
/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'
result:
integer: 0
fix: |

View File

@@ -2,9 +2,9 @@ id: audit_flags_aa_configure
title: "Configure System to Audit All Authorization and Authentication Events"
discussion: |
The auditing system _MUST_ be configured to flag authorization and authentication (aa) events.
Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events.
Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events.
Audit records can be generated from various components within the information system (e.g., via a module or policy filter).
check: |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'aa'
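Review bot: `grep -Ec 'aa'` counts any flags entry that contains `aa`, so a `-aa` entry (failed authentication/authorization events only, by analogy with the `-ex` and `-fm` rules elsewhere in this commit) satisfies the check even though successful aa events are not audited. After the `tr ',' '\n'` split, `grep -Ec '^aa$'` would accept only the unqualified class.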
@@ -54,14 +54,14 @@ references:
macOS:
- "14.0"
tags:
- 800-53r5_privacy
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- 800-53r5_privacy
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cis_lvl2
- cisv8
- cnssi-1253_moderate

View File

@@ -3,9 +3,9 @@ title: "Configure System to Audit All Failed Program Execution on the System"
discussion: |
The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts.
Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes).
This configuration ensures that audit lists include events in which program execution has failed.
Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes).
This configuration ensures that audit lists include events in which program execution has failed.
Without auditing the enforcement of program execution, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
check: |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-ex'
@@ -20,7 +20,7 @@ references:
cce:
- CCE-92717-8
cci:
- N/A
- N/A
800-53r5:
- AC-2(12)
- AU-12
@@ -47,7 +47,7 @@ references:
cmmc:
- AU.L2-3.3.3
- AU.L2-3.3.6
- SI.L2-3.14.3
- SI.L2-3.14.3
macOS:
- "14.0"
tags:

View File

@@ -1,11 +1,11 @@
id: audit_flags_fm_configure
title: "Configure System to Audit All Changes of Object Attributes"
discussion: |
The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm).
The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm).
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., modifications to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions attempts to modify a file.
This configuration ensures that audit lists include events in which enforcement actions attempts to modify a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
check: |
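Review bot: the sentence "events in which enforcement actions attempts to modify a file" is ungrammatical; the sibling `-fm` rule phrases it as "events in which enforcement actions prevent attempts to modify a file", so this success-variant line should read along the lines of "events in which attempts to modify a file succeed".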

View File

@@ -1,11 +1,11 @@
id: audit_flags_fm_failed_configure
title: "Configure System to Audit All Failed Change of Object Attributes"
discussion: |
The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm).
The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm).
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file.
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
check: |
@@ -29,13 +29,13 @@ references:
- AU-9
- CM-5(1)
- MA-4(1)
800-53r4:
- AU-2
800-53r4:
- AU-2
- AU-12
- AU-9
- CM-5(1)
- MA-4(1)
srg:
srg:
- N/A
disa_stig:
- N/A

View File

@@ -3,7 +3,7 @@ title: "Configure Audit Log Folders Group to Wheel"
discussion: |
Audit log files _MUST_ have the group set to wheel.
The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
check: |

View File

@@ -1,5 +1,5 @@
id: audit_folder_owner_configure
title: "Configure Audit Log Folders to be Owned by Root"
title: "Configure Audit Log Folders to be Owned by Root"
discussion: |
Audit log folders _MUST_ be owned by root.

View File

@@ -1,9 +1,9 @@
id: audit_folders_mode_configure
title: "Configure Audit Log Folders to Mode 700 or Less Permissive"
discussion: |
The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.
The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.
Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
check: |
/usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
result:

View File

@@ -3,9 +3,9 @@ title: "Off-Load Audit Records"
discussion: |
Audit records should be off-loaded onto a different system or media from the system being audited.
Information stored in only one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Information stored in only one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
To secure audit records by off-loading, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
To secure audit records by off-loading, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |

View File

@@ -1,8 +1,8 @@
id: audit_record_reduction_report_generation
title: "Audit Record Reduction and Report Generation"
discussion: |
The system _IS_ configured with the ability provide and implement an audit record reduction and report generation capability.
The system _IS_ configured with the ability provide and implement an audit record reduction and report generation capability.
Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.
Audit record reduction and report generation can be done with tools built into macOS such as auditreduce and praudit. These tools are protected by System Integrity Protection (SIP).
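Review bot: "configured with the ability provide and implement an audit record reduction and report generation capability" is missing "to" ("the ability to provide and implement"); worth fixing while the line is being touched.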
@@ -13,11 +13,11 @@ fix: |
references:
cce:
- CCE-92728-5
cci:
cci:
- N/A
800-53r5:
- AU-7
800-53r4:
800-53r4:
- N/A
srg:
- N/A

View File

@@ -2,7 +2,7 @@ id: audit_records_processing
title: "Audit Record Reduction and Report Generation"
discussion: |
The macOS should be configured to provide and implement the capability to process, sort, and search audit records for events of interest based on organizationally defined fields.
Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
@@ -11,11 +11,11 @@ fix: |
references:
cce:
- CCE-92729-3
cci:
cci:
- N/A
800-53r5:
- AU-7(1)
800-53r4:
800-53r4:
- N/A
srg:
- N/A

View File

@@ -1,10 +1,10 @@
id: auth_smartcard_allow
title: "Allow Smartcard Authentication"
discussion: |
Smartcard authentication _MUST_ be allowed.
Smartcard authentication _MUST_ be allowed.
The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access.
When enabled, the smartcard can be used for login, authorization, and screen saver unlocking.
check: |
/usr/bin/osascript -l JavaScript << EOS
@@ -26,7 +26,7 @@ references:
- IA-2(1)
- IA-2(2)
- IA-2(12)
800-53r4:
800-53r4:
- IA-2(12)
- IA-5(11)
srg:

View File

@@ -1,8 +1,8 @@
id: auth_smartcard_certificate_trust_enforce_high
title: "Set Smartcard Certificate Trust to High"
discussion: |
The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates).
The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates).
To prevent the use of untrusted certificates, the certificates on a smartcard card _MUST_ meet the following criteria: its issuer has a system-trusted certificate, the certificate is not expired, its "valid-after" date is in the past, and it passes Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking.
By setting the smartcard certificate trust level to high, the system will execute a hard revocation, i.e., a network connection is required. A verified positive response from the OSCP/CRL server is required for authentication to succeed.
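Review bot: two typos in the discussion text of this hunk: "the certificates on a smartcard card" duplicates "card", and "OSCP/CRL server" should read "OCSP/CRL" (Online Certificate Status Protocol, as spelled out in the preceding sentence).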
@@ -20,12 +20,12 @@ fix: |
references:
cce:
- CCE-92736-8
cci:
cci:
- N/A
800-53r5:
- IA-5(2)
- SC-17
800-53r4:
800-53r4:
- IA-2(12)
- IA-5(2)
srg:

View File

@@ -45,8 +45,8 @@ references:
macOS:
- "14.0"
tags:
- 800-53r4_moderate
- 800-53r5_moderate
- 800-53r4_moderate
- 800-53r5_moderate
- cnssi-1253_moderate
- cnssi-1253_low
- cmmc_lvl2

View File

@@ -80,12 +80,12 @@ macOS:
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low

View File

@@ -1,7 +1,7 @@
id: icloud_addressbook_disable
title: "Disable iCloud Address Book"
discussion: |
The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled.
The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization _MUST_ be controlled by an organization approved service.
check: |

View File

@@ -1,7 +1,7 @@
id: icloud_appleid_preference_pane_disable
title: "Disable the Preference Pane for Apple ID"
discussion: |
This is required for compliance with the DISA STIG for macOS.
This is required for compliance with the DISA STIG for macOS.
The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key.

View File

@@ -22,7 +22,7 @@ references:
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
@@ -49,14 +49,14 @@ references:
macOS:
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cisv8
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high

View File

@@ -1,7 +1,7 @@
id: icloud_notes_disable
title: "Disable iCloud Notes"
discussion: |
The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled.
The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization _MUST_ be controlled by an organization approved service.
check: |

View File

@@ -23,7 +23,7 @@ references:
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
@@ -50,13 +50,13 @@ references:
macOS:
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high

View File

@@ -1,7 +1,7 @@
id: icloud_reminders_disable
title: "Disable iCloud Reminders"
discussion: |
The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled.
The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization _MUST_ be controlled by an organization approved service.
check: |

View File

@@ -3,7 +3,7 @@ title: "Disable iCloud Desktop and Document Folder Sync"
discussion: |
The macOS system's ability to automatically synchronize a user's desktop and documents folder to their iCloud Drive _MUST_ be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service.
check: |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
@@ -23,7 +23,7 @@ references:
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)

View File

@@ -3,7 +3,7 @@ title: "Disable AirDrop"
discussion:
AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices.
AirDrop allows users to share and receive files from other nearby Apple devices.
AirDrop allows users to share and receive files from other nearby Apple devices.
check: |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
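Review bot: `discussion:` in this hunk carries no `|` block indicator, unlike the `discussion: |` form used by the other rule files in this commit, so YAML folds the two following sentences into a single plain scalar and the line break between them is lost. Changing the key to `discussion: |` is a one-character fix adjacent to the line already being edited.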

View File

@@ -2,7 +2,7 @@ id: os_appleid_prompt_disable
title: "Disable Apple ID Setup during Setup Assistant"
discussion: |
The prompt for Apple ID setup during Setup Assistant _MUST_ be disabled.
macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first login.
check: |
/usr/bin/osascript -l JavaScript << EOS

View File

@@ -1,8 +1,8 @@
id: os_application_sandboxing
title: "Ensure Seperate Execution Domain for Processes"
discussion: |
The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing.
The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing.
link:https://support.apple.com/guide/security/system-integrity-protection-secb7ea06b49/web[]
link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html[]
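Review bot: the title line in this hunk still reads "Ensure Seperate Execution Domain for Processes"; since the file is being touched anyway, correct the spelling to "Separate". The rewritten discussion line also runs "multiple features Mandatory access controls (MAC), ..." with no separator; a colon after "features" would make the list readable.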

View File

@@ -5,7 +5,7 @@ discussion: |
check: |
The technology does support this requirement, however, third party solutions are required to implement at an infrastructure level.
fix: |
This requirement is a permanent finding and can be fixed by implementing a third party solution.
This requirement is a permanent finding and can be fixed by implementing a third party solution.
references:
cce:
- CCE-92763-2
@@ -24,7 +24,7 @@ references:
- 3.5.2
cis:
benchmark:
- N/A
- N/A
controls v8:
- 13.9
macOS:

View File

@@ -1,12 +1,12 @@
id: os_authenticated_root_enable
title: "Enable Authenticated Root"
discussion: |
Authenticated Root _MUST_ be enabled.
Authenticated Root _MUST_ be enabled.
When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume.
NOTE: Authenticated Root is enabled by default on macOS systems.
WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input.
check: |
/usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled'
@@ -21,7 +21,7 @@ fix: |
references:
cce:
- CCE-92764-0
cci:
cci:
- N/A
800-53r5:
- AC-3

View File

@@ -34,7 +34,7 @@ fix: |
references:
cce:
- CCE-92771-5
cci:
cci:
- N/A
800-53r5:
- AC-20
@@ -72,5 +72,5 @@ mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:
familyControlsEnabled: true
pathBlackList:
pathBlackList:
- /Applications/Calendar.app

View File

@@ -1,9 +1,9 @@
id: os_change_security_attributes
title: "Allow Administrators to Modify Security Settings and System Attributes"
discussion: |
The information system _IS_ configured to allow administrators to modify security settings and system attributes.
The macOS is a UNIX 03-compliant operating system, which allows administrators of the system to change security settings and system attributes, including those which are kept within preference panes that are locked for standard users. .
The information system _IS_ configured to allow administrators to modify security settings and system attributes.
The macOS is a UNIX 03-compliant operating system, which allows administrators of the system to change security settings and system attributes, including those which are kept within preference panes that are locked for standard users. .
link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[]
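Review bot: the rewritten discussion line in this hunk keeps the stray ". ." after "locked for standard users"; drop the second period while the line is being edited.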
check: |

View File

@@ -15,7 +15,7 @@ references:
cce:
- CCE-92777-2
cci:
- N/A
- N/A
800-53r5:
- CM-5
800-171r2:
@@ -30,8 +30,8 @@ references:
macOS:
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cnssi-1253_moderate

View File

@@ -26,7 +26,7 @@ tags:
- 800-53r5_high
- 800-53r4_moderate
- 800-53r4_high
- permanent
- permanent
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high

View File

@@ -1,13 +1,13 @@
id: os_crypto_audit
title: "Protect Audit Integrity with Cryptographic Mechanisms"
discussion: |
The information system _IS_ configured to implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
The Apple T2 Security Chip includes a dedicated Advanced Encryption Standard (AES) crypto engine built into the direct memory access (DMA) path between the flash storage and main system memory, which powers line-speed encrypted storage with FileVault and makes internal volume highly efficient.
The information system _IS_ configured to implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
The Apple T2 Security Chip includes a dedicated Advanced Encryption Standard (AES) crypto engine built into the direct memory access (DMA) path between the flash storage and main system memory, which powers line-speed encrypted storage with FileVault and makes internal volume highly efficient.
link:https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf[]
NOTE: This will only apply to a Mac that includes a T2 security chip.
NOTE: This will only apply to a Mac that includes a T2 security chip.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
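Review bot: the discussion in this hunk justifies an integrity control (protecting the integrity of audit information and audit tools) with a confidentiality mechanism: the T2 AES engine and FileVault encrypt the volume, which by itself neither detects nor prevents modification of audit records. The rewritten sentence is also missing a noun ("makes internal volume highly efficient"). Neither is caused by this whitespace change, but because the check text states the requirement is inherently met, the rationale deserves a follow-up.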

View File

@@ -1,13 +1,13 @@
id: os_directory_services_configured
title: "Integrate System into a Directory Services Infrastructure"
discussion: |
The macOS system _MUST_ be integrated into a directory services infrastructure.
The macOS system _MUST_ be integrated into a directory services infrastructure.
A directory service infrastructure enables centralized user and rights management, as well as centralized control over computer and user configurations. Integrating the macOS systems used throughout an organization into a directory services infrastructure ensures more administrator oversight and security than allowing distinct user account databases to exist on each separate system.
check: |
/usr/bin/dscl localhost -list . | /usr/bin/grep -qvE '(Contact|Search|Local|^$)'; /bin/echo $?
result:
integer: 0
integer: 0
fix: |
Integrate the system into an existing directory services infrastructure.
references:

View File

@@ -2,8 +2,8 @@ id: os_enforce_access_restrictions
title: "Enforce Access Restrictions"
discussion: |
The information system _IS_ configured to enforce access restrictions and support auditing of the enforcement actions.
The inherent configuration of a macOS provides users with the ability to set their own permission settings to control who can view and alter files on the computer.
The inherent configuration of a macOS provides users with the ability to set their own permission settings to control who can view and alter files on the computer.
link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[]
check: |

View File

@@ -1,7 +1,7 @@
id: os_facetime_app_disable
title: "Disable FaceTime.app"
discussion: |
The macOS built-in FaceTime.app _MUST_ be disabled.
The macOS built-in FaceTime.app _MUST_ be disabled.
The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access.
@@ -9,7 +9,7 @@ discussion: |
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements.
====
check: |
check: |
/usr/bin/osascript -l JavaScript << EOS
function run() {
let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
@@ -31,7 +31,7 @@ fix: |
references:
cce:
- CCE-92788-9
cci:
cci:
- N/A
800-53r5:
- AC-20
@@ -69,5 +69,5 @@ mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:
familyControlsEnabled: true
pathBlackList:
pathBlackList:
- /Applications/FaceTime.app

View File

@@ -1,11 +1,11 @@
id: os_fail_secure_state
title: "Configure System to Fail to a Known Safe State if System Initialization, Shutdown, or Abort Fails"
discussion: |
The information system _IS_ configured to fail to a known safe state in the event of a failed system initialization, shutdown, or abort.
The information system _IS_ configured to fail to a known safe state in the event of a failed system initialization, shutdown, or abort.
Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources.
Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources.
Apple File System (APFS) is the default file system for Mac computers using macOS 10.13 and all later versions. APFS includes native encryption, safe document saves, stable snapshots, and crash protection; these features ensure that the macOS fails to safe state.
Apple File System (APFS) is the default file system for Mac computers using macOS 10.13 and all later versions. APFS includes native encryption, safe document saves, stable snapshots, and crash protection; these features ensure that the macOS fails to safe state.
link:https://developer.apple.com/videos/play/wwdc2017/715/[]
check: |
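Review bot: the rewritten line in this hunk ends "these features ensure that the macOS fails to safe state"; since it is already being edited, correct it to "fails to a safe state".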

View File

@@ -3,7 +3,7 @@ title: "Disable FileVault Automatic Login"
discussion: |
If FileVault is enabled, automatic login _MUST_ be disabled, so that both FileVault and login window authentication are required.
The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing your FileVault credentials.
The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing your FileVault credentials.
NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon based macOS systems that are smartcard enforced as smartcards are available at pre-boot.
check: |

View File

@@ -1,13 +1,13 @@
id: os_firewall_default_deny_require
title: "Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy"
discussion: |
A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems.
A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems.
Organizations _MUST_ ensure the built-in packet filter firewall is configured correctly to employ the default deny rule.
Failure to restrict network connectivity to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate the exfiltration of data.
If you are using a third-party firewall solution, this setting does not apply.
If you are using a third-party firewall solution, this setting does not apply.
[IMPORTANT]
====

View File

@@ -1,11 +1,11 @@
id: os_firewall_log_enable
title: "Enable Firewall Logging"
discussion: |
Firewall logging _MUST_ be enabled.
Firewall logging _MUST_ be enabled.
Firewall logging ensures that malicious network activity will be logged to the system.
Firewall logging ensures that malicious network activity will be logged to the system.
NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder.
NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder.
check: |
/usr/bin/osascript -l JavaScript << EOS
function run() {
@@ -27,12 +27,12 @@ fix: |
references:
cce:
- CCE-92793-9
cci:
cci:
- N/A
800-53r5:
- AU-12
- SC-7
800-53r4:
800-53r4:
- SC-7
- AU-12
srg:

View File

@@ -14,11 +14,11 @@ fix: |
references:
cce:
- CCE-92796-2
cci:
cci:
- N/A
800-53r5:
- CM-5
800-53r4:
800-53r4:
- CM-5
- SI-3
srg:

View File

@@ -1,8 +1,8 @@
id: os_grant_privs
title: "Allow Administrators to Promote Other Users to Administrator Status"
discussion: |
The information system _IS_ configured to allow current administrators to promote standard users to administrator user status.
The information system _IS_ configured to allow current administrators to promote standard users to administrator user status.
The macOS is a UNIX 03-compliant operating system which allows administrators of the system to grant privileges to other users.
link:https://support.apple.com/guide/mac-help/set-up-other-users-on-your-mac-mtusr001/mac[]

View File

@@ -1,6 +1,6 @@
id: os_guest_folder_removed
title: "Remove Guest Folder if Present"
discussion: |
discussion: |
The guest folder _MUST_ be deleted if present.
check: |
/bin/ls /Users/ | /usr/bin/grep -c "Guest"
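Review bot: the check in this hunk, `/bin/ls /Users/ | /usr/bin/grep -c "Guest"`, is a substring match, so any home folder whose name merely contains "Guest" is counted and the rule reports a finding that the fix (deleting the guest folder) will not clear. Anchoring the pattern, for example `/usr/bin/grep -c '^Guest$'`, limits the count to the actual Guest folder. This is an unchanged context line, so a follow-up rather than part of this whitespace commit.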
@@ -14,7 +14,7 @@ fix: |
references:
cce:
- CCE-92798-8
cci:
cci:
- N/A
800-53r5:
- N/A
@@ -29,7 +29,7 @@ references:
cis:
benchmark:
- 5.10 (level 1)
controls v8:
controls v8:
- 4.1
macOS:
- "14.0"

View File

@@ -1,11 +1,11 @@
id: os_hibernate_mode_apple_silicon_enable
title: "Enable Hibernate Mode (Apple Silicon)"
discussion: |
Hibernate mode _MUST_ be enabled.
Hibernate mode _MUST_ be enabled.
This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack.
Apple Silicon MacBooks should set sleep timeout to 10 minutes (600 seconds) or less and the display sleep timeout should be 15 minutes (900 seconds) or less but greater than the sleep setting.
Apple Silicon MacBooks should set sleep timeout to 10 minutes (600 seconds) or less and the display sleep timeout should be 15 minutes (900 seconds) or less but greater than the sleep setting.
This setting ensures that MacBooks will not hibernate and require FileVault authentication wheneve the display goes to sleep for a short period of time.
NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops.
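Review bot: the context line "... require FileVault authentication wheneve the display goes to sleep ..." has a typo ("whenever"); not part of this whitespace change, but worth fixing in the same file.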
@@ -15,7 +15,7 @@ check: |
hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}')
sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}')
displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}')
if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 10 ]]; then
((error_count++))
fi

View File

@@ -1,7 +1,7 @@
id: os_hibernate_mode_destroyfvkeyonstandby_enable
title: "Enable DestroyFVKeyOnStandby on Hibernate"
discussion: |
DestroyFVKeyOnStandby on hibernate _MUST_ be enabled.
DestroyFVKeyOnStandby on hibernate _MUST_ be enabled.
check: |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
@@ -29,7 +29,7 @@ references:
cis:
benchmark:
- 2.9.1.3 (level 2)
controls v8:
controls v8:
- 4.1
macOS:
- "14.0"

View File

@@ -1,7 +1,7 @@
id: os_hibernate_mode_intel_enable
title: "Enable Hibernate Mode (Intel)"
discussion: |
Hibernate mode _MUST_ be enabled.
Hibernate mode _MUST_ be enabled.
This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack.
@@ -12,7 +12,7 @@ check: |
hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}')
hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}')
hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}')
if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 900 ]]; then
((error_count++))
fi

View File

@@ -2,27 +2,27 @@ id: os_home_folders_default
title: "Configure User's Home Folders to Apple's Default"
discussion: |
The system _MUST_ be configured to prevent access to other user's home folders.
Configuring the operating system to use the most restrictive permissions possible for user home directories helps to protect against inadvertent disclosures.
check: |-
Verify the macOS system is configured so that permissions are set correctly on user home directories with the following commands:
/bin/ls -le /Users
This command will return a listing of the permissions of the root of every user account configured on the system. For each of the users, the permissions must be "drwxr-xr-x+", with the user listed as the owner and the group listed as \"staff\". The plus(+) sign indicates an associated Access Control List, which must be:
0: group:everyone deny delete
For every authorized user account, also run the following command:
/usr/bin/sudo /bin/ls -le /Users/userid, where userid is an existing user.
/usr/bin/sudo /bin/ls -le /Users/userid, where userid is an existing user.
This command will return the permissions of all the objects under the users' home directory. The permissions for each of the subdirectories must be:
drwx------+
drwx------+
0: group:everyone deny delete
The exception is the \"Public\" directory, whose permissions must match the following:
drwxr-xr-x+
drwxr-xr-x+
0: group:everyone deny delete
If the permissions returned by either of these checks differ from what is shown, this is a finding.
result: ""
fix: |-
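Review bot: the context lines in this hunk contain `\"staff\"` and `\"Public\"` inside a `|-` literal block scalar, where a backslash is not an escape character, so the generated guidance text will show the backslashes literally; replace them with plain quotes in a follow-up.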

View File

@@ -2,7 +2,7 @@ id: os_home_folders_secure
title: "Secure User's Home Folders"
discussion: |
The system _MUST_ be configured to prevent access to other user's home folders.
The default behavior of macOS is to allow all valid users access to the the top level of every other user's home folder while restricting access only to the Apple default folders within.
check: |
/usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d ! \( -perm 700 -o -perm 711 \) | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" | /usr/bin/wc -l | /usr/bin/xargs

View File

@@ -1,14 +1,14 @@
id: os_implement_cryptography
title: "Configure the System to Implement Approved Cryptography to Protect Information"
discussion: |
The information system _IS_ configured to implement approved cryptography to protect information.
The information system _IS_ configured to implement approved cryptography to protect information.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government.
Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Sonoma will be submitted for FIPS validation.
link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[]
link:https://support.apple.com/en-us/HT201159[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement using FIPS Validated Cryptographic Modules.
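Review bot: the rewritten discussion lines say macOS Sonoma "will be submitted for FIPS validation", while the check line in the same hunk states the system "inherently meets this requirement using FIPS Validated Cryptographic Modules"; the two statements do not agree for a module that has not yet been validated, and an assessor will notice. Not introduced by this commit, but worth reconciling in a follow-up.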

View File

@@ -3,16 +3,16 @@ title: "Configure the System to Protect Memory from Unauthorized Code Execution"
discussion: |
The information system _IS_ configured to implement non-executable data to protect memory from code execution.
Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited (e.g., buffer overflow attacks). Security safeguards (e.g., data execution prevention and address space layout randomization) can be employed to protect non-executable regions of memory. Data execution prevention safeguards can either be hardware-enforced or software-enforced; hardware-enforced methods provide the greater strength of mechanism.
Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited (e.g., buffer overflow attacks). Security safeguards (e.g., data execution prevention and address space layout randomization) can be employed to protect non-executable regions of memory. Data execution prevention safeguards can either be hardware-enforced or software-enforced; hardware-enforced methods provide the greater strength of mechanism.
macOS supports address space layout randomization (ASLR), position-independent executable (PIE), Stack Canaries, and NX stack and heap protection.
link:https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/64bitPorting/transition/transition.html[]
link:https://developer.apple.com/library/archive/qa/qa1788/_index.html[]
link:https://www.apple.com/macos/security/[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |

View File

@@ -2,7 +2,7 @@ id: os_information_validation
title: "Information Input Validation"
discussion: |
Check the validity of the following information inputs: organization-defined information inputs to the systems.
Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of "387," "abc," or "%K%" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks.
check: |
This requirement is NA for this technology.

View File

@@ -1,7 +1,7 @@
id: os_install_log_retention_configure
title: "Configure Install.log Retention to $ODV"
discussion: |
The install.log _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility.
The install.log _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility.
check: |
/usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= $ODV) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (ttl != "True") { print "TTL not configured" } else if (max == "True") { print "Max Size is configured, must be removed" } else { print "Yes" }}'
result:
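Review bot: the rewritten discussion line in this hunk says "kept for a organizational defined value"; while it is being edited, correct it to "an organization-defined value", which also matches the $ODV placeholder in the title.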
@@ -10,7 +10,7 @@ fix: |
[source,bash]
----
/usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=$ODV/g" /etc/asl/com.apple.install
----
----
NOTE: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed.
references:

View File

@@ -1,10 +1,10 @@
id: os_ir_support_disable
title: "Disable Infrared (IR) support"
discussion: |
Infrared (IR) support _MUST_ be disabled to prevent users from controlling the system with IR devices.
By default, if IR is enabled, the system will accept IR control from any remote device.
Infrared (IR) support _MUST_ be disabled to prevent users from controlling the system with IR devices.
By default, if IR is enabled, the system will accept IR control from any remote device.
NOTE: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1.
check: |
/usr/bin/osascript -l JavaScript << EOS
@@ -18,13 +18,13 @@ fix: |
references:
cce:
- CCE-92812-7
cci:
cci:
- N/A
800-53r5:
- AC-18
- CM-7
- CM-7(1)
800-53r4:
800-53r4:
- CM-7
- CM-7(1)
- AC-18

View File

@@ -1,8 +1,8 @@
id: os_isolate_security_functions
title: "Configure the System to Separate User and System Functionality"
discussion: |
The information system _IS_ configured to isolate security functions from non-security functions.
The information system _IS_ configured to isolate security functions from non-security functions.
link:https://support.apple.com/guide/security/welcome/web[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.

View File

@@ -1,6 +1,6 @@
id: os_library_validation_enabled
title: "Enable Library Validation"
discussion:
discussion:
Library validation _MUST_ be enabled.
check: |
/usr/bin/osascript -l JavaScript << EOS
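Review bot: the changed line is the bare key `discussion:` with no `|` block indicator, so "Library validation _MUST_ be enabled." is read as a plain scalar rather than a literal block; since this line is already in the diff, change it to `discussion: |` to match the other rule files.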
@@ -14,7 +14,7 @@ fix: |
references:
cce:
- CCE-92814-3
cci:
cci:
- N/A
800-53r5:
- N/A

View File

@@ -1,9 +1,9 @@
id: os_limit_dos_attacks
title: "Limit Impact of Denial of Service Attacks"
discussion: |
The macOS should be configured to limit the impact of Denial of Service (DoS) attacks.
The macOS should be configured to limit the impact of Denial of Service (DoS) attacks.
DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission.
DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission.
To limit the impact of DoS attacks, organizations may choose to employ increased capacity and service redundancy, which has the potential to reduce systems' susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement.
check: |

View File

@@ -1,7 +1,7 @@
id: os_limit_gui_sessions
title: "Limit Concurrent GUI Sessions to 10 for all Accounts"
discussion: |
The information system _IS_ configured to limit the number of concurrent graphical user interface (GUI) sessions to a maximum of ten for all users.
The information system _IS_ configured to limit the number of concurrent graphical user interface (GUI) sessions to a maximum of ten for all users.
Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user helps reduce the risks related to Denial-of-Service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
check: |

View File

@@ -1,9 +1,9 @@
id: os_logical_access
title: "Enforce Approved Authorization for Logical Access"
discussion: |
The information system _IS_ configured to enforce an approved authorization process before granting users logical access.
The information system _IS_ configured to enforce an approved authorization process before granting users logical access.
The inherent configuration of the macOS does not grant users logical access without authorization. Authorization is achieved on the macOS through permissions, which are controlled at many levels, from the Mach and BSD components of the kernel, through higher levels of the operating system and, for networked applications, through the networking protocols. Permissions can be granted at the level of directories, subdirectories, files or applications, or specific data within files or functions within applications.
The inherent configuration of the macOS does not grant users logical access without authorization. Authorization is achieved on the macOS through permissions, which are controlled at many levels, from the Mach and BSD components of the kernel, through higher levels of the operating system and, for networked applications, through the networking protocols. Permissions can be granted at the level of directories, subdirectories, files or applications, or specific data within files or functions within applications.
link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[]
check: |

View File

@@ -1,10 +1,10 @@
id: os_mail_app_disable
title: "Disable Mail App"
discussion: |
The macOS built-in Mail.app _MUST_ be disabled.
The macOS built-in Mail.app _MUST_ be disabled.
The Mail.app contains functionality that can establish connections to Apple's iCloud, even when security controls to disable iCloud access have been put in place.
[IMPORTANT]
====
Some organizations allow the use of the built-in Mail.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
@@ -14,7 +14,7 @@ discussion: |
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements.
====
check: |
check: |
/usr/bin/osascript -l JavaScript << EOS
function run() {
let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
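Review bot: the context line `Apple has deprecated the use of link:...[application restriction controls], using these controls may not work as expected.` in this hunk is a comma splice; suggest `...[application restriction controls]; using these controls may not work as expected.` and `Third-party software` with a hyphen. Separate from the whitespace change, but worth a follow-up since the discussion text is being touched here.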
@@ -36,7 +36,7 @@ fix: |
references:
cce:
- CCE-92820-0
cci:
cci:
- N/A
800-53r5:
- AC-20
@@ -74,5 +74,5 @@ mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:
familyControlsEnabled: true
pathBlackList:
pathBlackList:
- /Applications/Mail.app

View File

@@ -2,31 +2,31 @@ id: os_malicious_code_prevention
title: "Ensure the System Implements Malicious Code Protection Mechanisms"
discussion: |
The inherent configuration of the macOS _IS_ in compliance as Apple has designed the system with three layers of protection against malware. Each layer of protection is comprised of one or more malicious code protection mechanisms, which are automatically implemented and which, collectively, meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for malicious code prevention.
1. This first layer of defense targets the distribution of malware; the aim is to prevent malware from ever launching.
The following mechanisms are inherent to the macOS design and constitute the first layer of protection against malicious code:
* The Apple App Store: the safest way to add new applications to a Mac is by downloading them from the App Store; all apps available for download from the App Store have been reviewed for signs of tampering and signed by Apple to indicate that the app meets security requirements and does not contain malware.
* XProtect: a built-in, signature-based, anti-virus, anti-malware technology inherent to all Macs. XProtect automatically detects and blocks the execution of known malware.
1. This first layer of defense targets the distribution of malware; the aim is to prevent malware from ever launching.
The following mechanisms are inherent to the macOS design and constitute the first layer of protection against malicious code:
* The Apple App Store: the safest way to add new applications to a Mac is by downloading them from the App Store; all apps available for download from the App Store have been reviewed for signs of tampering and signed by Apple to indicate that the app meets security requirements and does not contain malware.
* XProtect: a built-in, signature-based, anti-virus, anti-malware technology inherent to all Macs. XProtect automatically detects and blocks the execution of known malware.
* In macOS 10.15 and all subsequent releases, XProtect checks for known malicious content when:
* an app is first launched,
* an app has been changed (in the file system), and
* XProtect signatures are updated.
* YARA: another built-in tool (inherent to all Macs), which conducts signature-based detection of malware. Apple updates YARA rules regularly.
* Gatekeeper: a security feature inherent to all Macs; Gatekeeper scans apps to detect malware and/or revocations of a developer's signing certificate and prevents unsafe apps from running.
* Notarization: Apple performs regular, automated scans to detect signs of malicious content and to verify developer ID-signed software; when no issues are found, Apple notarizes the software and delivers the results of scans to the system owner.
* Notarization: Apple performs regular, automated scans to detect signs of malicious content and to verify developer ID-signed software; when no issues are found, Apple notarizes the software and delivers the results of scans to the system owner.
2. The second layer of defense targets malware that manages to appear on a Mac before it runs; the aim is to quickly identify and block any malware present on a Mac in order to prevent the malware from running and further spreading.
The following mechanisms are inherent to the macOS design and constitute the second layer of protection against malicious code:
2. The second layer of defense targets malware that manages to appear on a Mac before it runs; the aim is to quickly identify and block any malware present on a Mac in order to prevent the malware from running and further spreading.
The following mechanisms are inherent to the macOS design and constitute the second layer of protection against malicious code:
* XProtect (defined above).
* Gatekeeper (defined above).
* Notarization (defined above).
3. The third layer of defense targets infected Mac system(s); the aim is to remediate Macs on which malware has managed to successfully execute.
The following mechanism is inherent to the macOS design and constitutes the third layer of protection against malicious code:
3. The third layer of defense targets infected Mac system(s); the aim is to remediate Macs on which malware has managed to successfully execute.
The following mechanism is inherent to the macOS design and constitutes the third layer of protection against malicious code:
* Apple's XProtect: a technology included on all macOS systems. XProtect will remediate infections upon receiving updated information delivered and when infections are detected
link:https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1[]
link:https://support.apple.com/guide/security/app-security-overview-sec35dd877d0/web[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
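Review bot: the last bullet of the third layer, `XProtect will remediate infections upon receiving updated information delivered and when infections are detected`, is missing its terminating period and reads awkwardly; suggest `XProtect remediates infections when updated definitions are delivered and an infection is detected.` Also, the sub-items under `In macOS 10.15 and all subsequent releases, XProtect checks for known malicious content when:` use the same `*` marker as their parent; AsciiDoc nests by marker count, so they need `**` to render as a sub-list.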

View File

@@ -2,9 +2,9 @@ id: os_mdm_require
title: "Enforce Enrollment in Mobile Device Management"
discussion: |
You _MUST_ enroll your Mac in a Mobile Device Management (MDM) software.
User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager (ASM) is required to manage certain security settings. Currently these include:
* Allowed Kernel Extensions
* Allowed Approved System Extensions
* Privacy Preferences Policy Control Payload
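Review bot: `You _MUST_ enroll your Mac in a Mobile Device Management (MDM) software.` (first context line of this hunk) is ungrammatical, since `software` is a mass noun; suggest `You _MUST_ enroll your Mac in Mobile Device Management (MDM).`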
@@ -12,7 +12,7 @@ discussion: |
* FDEFileVault
In macOS 11, UAMDM grants Supervised status on a Mac, unlocking the following MDM features, which were previously locked behind ABM:
* Activation Lock Bypass
* Access to Bootstrap Tokens
* Scheduling Software Updates
@@ -38,7 +38,7 @@ references:
disa_stig:
- N/A
srg:
- N/A
- N/A
800-171r2:
- 3.4.1
- 3.4.2

View File

@@ -1,7 +1,7 @@
id: os_messages_app_disable
title: "Disable Messages App"
discussion: |
The macOS built-in Messages.app _MUST_ be disabled.
The macOS built-in Messages.app _MUST_ be disabled.
The Messages.app establishes a connection to Apple's iCloud service, even when security controls to disable iCloud access have been put in place.
@@ -31,7 +31,7 @@ fix: |
references:
cce:
- CCE-92825-9
cci:
cci:
- N/A
800-53r5:
- AC-20
@@ -69,5 +69,5 @@ mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:
familyControlsEnabled: true
pathBlackList:
pathBlackList:
- /Applications/Messages.app

View File

@@ -1,6 +1,6 @@
id: os_mobile_file_integrity_enable
title: "Enable Apple Mobile File Integrity"
discussion:
discussion:
Mobile file integrity _MUST_ be ebabled.
check: |
/usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1"
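Review bot: typo `ebabled` in `Mobile file integrity _MUST_ be ebabled.` (unchanged context directly under the `discussion:` line this hunk touches); should be `enabled`. Also `discussion:` here has no `|` block indicator, unlike every other rule file in this diff; the single-line plain scalar still parses, but `discussion: |` keeps the files consistent.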
@@ -14,7 +14,7 @@ fix: |
references:
cce:
- CCE-92828-3
cci:
cci:
- N/A
800-53r5:
- N/A

View File

@@ -1,7 +1,7 @@
id: os_nonlocal_maintenance
title: "Configure the System for Nonlocal Maintenance"
discussion: |
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network or an internal network.
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network or an internal network.
check: |
This requirement is NA for this technology.
fix: |

View File

@@ -3,9 +3,9 @@ title: "Configure the System to Notify upon Account Created Actions"
discussion: |
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when new accounts are created.
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by creating a new account. Configuring the information system to send a notification when new accounts are created is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are created, but also maintain an audit record of accounts made. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by creating a new account. Configuring the information system to send a notification when new accounts are created is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are created, but also maintain an audit record of accounts made. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
To enable notifications and audit logging of accounts created, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
To enable notifications and audit logging of accounts created, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |

View File

@@ -5,7 +5,7 @@ discussion: |
When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. To detect and respond to events that affect user accessibility and system processing, operating systems should audit account disabling actions and, as required, notify system administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.
To enable notifications and audit logging of disabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
To enable notifications and audit logging of disabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |

View File

@@ -3,9 +3,9 @@ title: "Configure the System to Notify upon Account Enabled Actions "
discussion: |
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are enabled.
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by enabling a new or previously disabled account. Configuring the information system to send a notification when a new or disabled account is enabled is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are enabled, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes.
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by enabling a new or previously disabled account. Configuring the information system to send a notification when a new or disabled account is enabled is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are enabled, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes.
To enable notifications and audit logging of enabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
To enable notifications and audit logging of enabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |

View File

@@ -3,9 +3,9 @@ title: "Configure the System to Notify upon Account Modified Actions"
discussion: |
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are modified.
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by modifying an existing account. Configuring the information system to send a notification when accounts are modified is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are modified, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by modifying an existing account. Configuring the information system to send a notification when accounts are modified is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are modified, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
To enable notifications and audit logging of modified account, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
To enable notifications and audit logging of modified account, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |

View File

@@ -4,8 +4,8 @@ discussion: |
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are removed.
When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. To detect and respond to events that affect user accessibility and system processing, operating systems should audit account removal actions and, as required, notify system administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.
To enable notifications and audit logging of removed accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
To enable notifications and audit logging of removed accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |

View File

@@ -3,9 +3,9 @@ title: "Configure the System to Notify upon Baseline Configuration Changes"
discussion: |
The macOS should be configured to automatically notify system administrators, Information System Security Officers (ISSOs), and (IMOs) when baseline configurations are modified.
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may present security threats. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the state of the operating system.
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may present security threats. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the state of the operating system.
To enable notifications and audit logging of changes made to baseline configurations, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
To enable notifications and audit logging of changes made to baseline configurations, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
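Review bot: `(IMOs)` in `...Information System Security Officers (ISSOs), and (IMOs)...` (context line of this hunk) is an acronym with no expansion, unlike ISSOs beside it; spell out the role on first use.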

View File

@@ -1,8 +1,8 @@
id: os_parental_controls_enable
title: "Enable Parental Controls"
discussion: |
Parental Controls _MUST_ be enabled.
Parental Controls _MUST_ be enabled.
Control of program execution is a mechanism used to prevent program execution of unauthorized programs, which is critical to maintaining a secure system baseline.
Parental Controls on the macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions.
@@ -18,11 +18,11 @@ fix: |
references:
cce:
- CCE-92842-4
cci:
cci:
- N/A
800-53r5:
- CM-7(2)
800-53r4:
800-53r4:
- CM-7(2)
srg:
- N/A

View File

@@ -1,7 +1,7 @@
id: os_password_autofill_disable
title: "Disable Password Autofill"
discussion: |
Password Autofill _MUST_ be disabled.
Password Autofill _MUST_ be disabled.
macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications.
check: |

View File

@@ -9,7 +9,7 @@ result:
fix: |
[source,bash]
----
for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
/usr/bin/dscl . -delete /Users/$u hint
done
----
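Review bot: in the `fix` script of this hunk, `/usr/bin/dscl . -delete /Users/$u hint` leaves `$u` unquoted and the loop runs the delete for every account with UID above 500 whether or not a `hint` attribute is set; suggest quoting `"/Users/$u"` and checking first with `/usr/bin/dscl . -read "/Users/$u" hint` so the delete only runs where a hint exists. Unrelated to the whitespace change, so fine as a follow-up.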
@@ -17,7 +17,7 @@ references:
cce:
- CCE-92844-0
cci:
- N/A
- N/A
800-53r5:
- IA-6
800-53r4:

View File

@@ -1,8 +1,8 @@
id: os_password_proximity_disable
title: "Disable Proximity Based Password Sharing Requests"
discussion: |
Proximity based password sharing requests _MUST_ be disabled.
Proximity based password sharing requests _MUST_ be disabled.
The default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature _MUST_ be disabled to prevent passwords from being shared.
check: |
/usr/bin/osascript -l JavaScript << EOS

View File

@@ -1,8 +1,8 @@
id: os_password_sharing_disable
title: "Disable Password Sharing"
discussion: |
Password Sharing _MUST_ be disabled.
Password Sharing _MUST_ be disabled.
The default behavior of macOS is to allow users to share a password over Airdrop between other macOS and iOS devices. This feature _MUST_ be disabled to prevent passwords from being shared.
check: |
/usr/bin/osascript -l JavaScript << EOS

View File

@@ -2,7 +2,7 @@ id: os_peripherals_identify
title: The macOS system must uniquely identify peripherals before establishing a connection.
discussion: |
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
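Review bot: `title:` on the second line of this hunk is an unquoted sentence (`The macOS system must uniquely identify peripherals before establishing a connection.`), while every other rule in this diff uses a quoted, title-case imperative; suggest `title: "Uniquely Identify Peripherals Before Establishing a Connection"` for consistency.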
@@ -22,7 +22,7 @@ references:
disa_stig:
- N/A
800-171r2:
- N/A
- N/A
macOS:
- "14.0"
tags:

View File

@@ -6,7 +6,7 @@ discussion: |
System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
The policy banner will show if a "PolicyBanner.rtf" or "PolicyBanner.rtfd" exists in the "/Library/Security" folder.
The banner text of the document _MUST_ read:
[source,text]
@@ -65,15 +65,15 @@ odv:
cis_lvl1: "Center for Internet Security Test Message"
cis_lvl2: "Center for Internet Security Test Message"
stig: |-
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
tags:

View File

@@ -60,13 +60,13 @@ odv:
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high

View File

@@ -1,7 +1,7 @@
id: os_policy_banner_ssh_enforce
title: "Enforce SSH to Display Policy Banner"
discussion: |
SSH _MUST_ be configured to display a policy banner.
SSH _MUST_ be configured to display a policy banner.
Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
@@ -55,13 +55,13 @@ references:
macOS:
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high

View File

@@ -3,7 +3,7 @@ title: "Disable Power Nap"
discussion: |
Power Nap _MUST_ be disabled.
NOTE: Power Nap allows your Mac to perform actions while a Mac is asleep. This can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot and must therefore be disabled on all applicable systems.
NOTE: Power Nap allows your Mac to perform actions while a Mac is asleep. This can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot and must therefore be disabled on all applicable systems.
The following Macs support Power Nap:

View File

@@ -3,7 +3,7 @@ title: "Enable Power Nap"
discussion: |
Power Nap _MUST_ be enabled.
NOTE: Power nap can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot.
NOTE: Power nap can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot.
The following Macs support Power Nap:
@@ -34,7 +34,7 @@ references:
disa_stig:
- N/A
srg:
- N/A
- N/A
800-171r2:
- N/A
cis:

View File

@@ -3,8 +3,8 @@ title: "Prevent Software From Executing at Higher Privilege Levels than Users Ex
discussion: |
In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations.Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review.
The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege.
The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege.
link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
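Review bot: `...than assigned by the organizations.Some programs...` in the first context line of this hunk is missing the space after the period, and `organizations` reads as if it should be singular; suggest `...than assigned by the organization. Some programs...`.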
@@ -24,7 +24,7 @@ references:
srg:
- N/A
800-171r2:
- 3.1.7
- 3.1.7
macOS:
- "14.0"
tags:

View File

@@ -1,11 +1,11 @@
id: os_prevent_priv_functions
title: "Configure the System to Block Non-Privileged Users from Executing Privileged Functions"
discussion: |
The information system _IS_ configured to block standard users from executing privileged functions.
The information system _IS_ configured to block standard users from executing privileged functions.
Privileged functions include disabling, circumventing, or altering implemented security safeguards and countermeasures.
The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege.
Privileged functions include disabling, circumventing, or altering implemented security safeguards and countermeasures.
The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege.
link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Introduction/Introduction.html[]
check: |

View File

@@ -1,9 +1,9 @@
id: os_prevent_unauthorized_disclosure
title: "Configure the System to Prevent the Unauthorized Disclosure of Data via Shared Resources"
discussion: |
The information system _IS_ configured to ensure that the unauthorized disclosure of data does not occur when resources are shared.
The inherent configuration of the macOS does not allow for resources to be shared between users without authorization.
The information system _IS_ configured to ensure that the unauthorized disclosure of data does not occur when resources are shared.
The inherent configuration of the macOS does not allow for resources to be shared between users without authorization.
link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[]
check: |

View File

@@ -2,13 +2,13 @@ id: os_prohibit_remote_activation_collab_devices
title: "Prohibit Remote Activation of Collaborative Computing Devices"
discussion: |
The inherent configuration of the macOS _IS_ in compliance.
Apple has implemented a green light physically next to your camera that will glow when the camera is activated. There is an orange dot indicator by the Control Center pull down menu item to indicate when the system's microphone is listening or activated.
The macOS has built into the system, the ability to grant or deny access to the camera and microphone which requires the application to have an entitlement to use the device.
link:https://support.apple.com/guide/mac-help/use-the-built-in-camera-mchlp2980/mac[]
link:https://support.apple.com/guide/mac-help/control-access-to-your-camera-mchlf6d108da/mac[]
link:https://support.apple.com/guide/mac-help/control-access-to-your-microphone-on-mac-mchla1b1e1fe/12.0/mac/12.0[]
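Review bot: `The macOS has built into the system, the ability to grant or deny access...` (context line in this hunk) has a stray comma separating the verb from its object; suggest `macOS has the built-in ability to grant or deny access to the camera and microphone, which requires the application to have an entitlement to use the device.`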

View File

@@ -1,9 +1,9 @@
id: os_protect_dos_attacks
title: "Protect Against Denial of Service Attacks by Ensuring Rate-Limiting Measures on Network Interfaces"
discussion: |
The macOS should be configured to prevent Denial of Service (DoS) attacks by enforcing rate-limiting measures on network interfaces.
DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission.
The macOS should be configured to prevent Denial of Service (DoS) attacks by enforcing rate-limiting measures on network interfaces.
DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission.
To prevent DoS attacks by ensuring rate-limiting measures on network interfaces, many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement.
check: |

View File

@@ -4,7 +4,7 @@ discussion: |
The organization should employ automated mechanisms to support the management of information system accounts.
The use of automated mechanisms prevents against human error and provide a faster and more efficient means of relaying time-sensitive information and account management.
To employ automated mechanisms for account management functions, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
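Review bot: `The use of automated mechanisms prevents against human error and provide a faster...` (second context line of this hunk) has two grammar problems: `prevents against` should be `protects against` (or simply `prevents`), and `provide` should agree with the singular subject (`provides`).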

Some files were not shown because too many files have changed in this diff.