refactor[rules] new and revised 14.0 rules

Changed siri_disable to new key Added freefrom rule, on device dictation rule, and filevault setup assistant
2026-03-17 06:12:10 +00:00 · 2023-08-01 14:19:00 -04:00
parent a3ce45a986
commit 6d76bc5de6
4 changed files with 195 additions and 4 deletions
--- a/rules/icloud/icloud_freeform_disable.yaml
+++ b/rules/icloud/icloud_freeform_disable.yaml
@@ -0,0 +1,72 @@
+id: icloud_freeform_disable
+title: "Disable the iCloud Freeform Services"
+discussion: |
+  The macOS built-in Freeform.app connection to Apple's iCloud service _MUST_ be disabled.
+
+  Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization _MUST_ be controlled by an organization approved service.
+check: |
+  /usr/bin/osascript -l JavaScript << EOS
+  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+  .objectForKey('allowCloudFreeform').js
+  EOS
+result:
+  string: "false"
+fix: |
+  This is implemented by a Configuration Profile.
+references:
+  cce:
+    - N/A
+  cci:
+    - CCI-000381
+    - CCI-001774
+  800-53r5:
+    - AC-20
+    - AC-20(1)
+    - CM-7
+    - CM-7(1)
+    - SC-7(10)
+  800-53r4:
+    - CM-7
+    - CM-7(1)
+    - AC-20
+    - AC-20(1)
+  srg:
+    - SRG-OS-000095-GPOS-00049
+  disa_stig:
+    - N/A
+  800-171r2:
+    - 3.1.20
+    - 3.4.6
+  cis:
+    benchmark:
+      - N/A
+    controls v8:
+      - 4.1
+      - 4.8
+      - 15.3
+  cmmc:
+    - AC.L1-3.1.20
+    - CM.L2-3.4.6
+    - CM.L2-3.4.7
+macOS:
+  - "14.0"
+tags:
+  - 800-53r5_low
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-53r4_low
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-171
+  - cisv8
+  - cnssi-1253_moderate
+  - cnssi-1253_low
+  - cnssi-1253_high
+  - cmmc_lvl2
+  - cmmc_lvl1
+  - stig
+severity: "low"
+mobileconfig: true
+mobileconfig_info:
+  com.apple.applicationaccess:
+    allowCloudFreeform: false
--- a/rules/os/os_on_device_dictation_enforce.yaml
+++ b/rules/os/os_on_device_dictation_enforce.yaml
@@ -0,0 +1,68 @@
+id: os_on_device_dictation_enforce
+title: "Enforce On Device Dictation"
+discussion: |
+  Dictation _MUST_ be restricted to on device only to prevent potential data exfiltration.
+
+  The information system _MUST_ be configured to provide only essential capabilities.
+check: |
+  /usr/bin/osascript -l JavaScript << EOS
+  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+  .objectForKey('forceOnDeviceOnlyDictation').js
+  EOS
+result:
+  string: "true"
+fix: |
+  This is implemented by a Configuration Profile.
+references:
+  cce:
+    - N/A
+  cci:
+    - N/A
+  800-53r5:
+    - AC-20
+    - CM-7
+    - CM-7(1)
+    - SC-7(10)
+  800-53r4:
+    - CM-7
+    - CM-7(1)
+    - AC-20
+  srg:
+    - N/A
+  disa_stig:
+    - N/A
+  800-171r2:
+    - 3.1.20
+    - 3.4.6
+  cis:
+    benchmark:
+      - N/A
+    controls v8:
+      - 4.1
+      - 4.8
+  cmmc:
+    - AC.L1-3.1.20
+    - CM.L2-3.4.6
+    - CM.L2-3.4.7
+macOS:
+  - "14.0"
+tags:
+  - 800-53r5_low
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-53r4_low
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-171
+  - cisv8
+  - cnssi-1253_moderate
+  - cnssi-1253_low
+  - cnssi-1253_high
+  - cmmc_lvl2
+  - cmmc_lvl1
+  - stig
+severity: "medium"
+mobileconfig: true
+mobileconfig_info:
+  com.apple.applicationaccess:
+    forceOnDeviceOnlyDictation: true
--- a/rules/os/os_setup_assistant_filevault_enforce.yaml
+++ b/rules/os/os_setup_assistant_filevault_enforce.yaml
@@ -0,0 +1,51 @@
+id: os_setup_assistant_filevault_enforce
+title: "Enforce FileVault in Setup Assistant"
+discussion: |
+  FileVault _MUST_ be enforced in Setup Assistant.
+
+  The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
+check: |
+  /usr/bin/osascript -l JavaScript << EOS
+  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX.FileVault2')\
+  .objectForKey('ForceEnableInSetupAssistant').js
+  EOS
+result:
+  integer: 1
+fix: |
+  NOTE: See the FileVault supplemental to implement this rule.
+references:
+  cce:
+    - N/A
+  cci:
+    - N/A
+  800-53r5:
+    - SC-28
+    - SC-28(1)
+  800-53r4:
+    - SC-28
+    - SC-28(1)
+  srg:
+    - SRG-OS-000185-GPOS-00079
+    - SRG-OS-000404-GPOS-00183
+    - SRG-OS-000405-GPOS-00184
+  disa_stig:
+    - N/A
+  800-171r2:
+    - 3.13.16
+  cis:
+    benchmark:
+      - 2.6.5 (level 1)
+    controls v8:
+      - 3.6
+      - 3.11
+  cmmc:
+    - SC.L2-3.13.16
+macOS:
+  - "14.0"
+tags:
+  - none
+severity: "high"
+mobileconfig: true
+mobileconfig_info:
+  com.apple.MCX.FileVault2:
+    ForceEnableInSetupAssistant: true
--- a/rules/system_settings/system_settings_siri_disable.yaml
+++ b/rules/system_settings/system_settings_siri_disable.yaml
@@ -6,8 +6,8 @@ discussion: |
  The information system _MUST_ be configured to provide only essential capabilities.
 check: |
  /usr/bin/osascript -l JavaScript << EOS
-  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.ironwood.support')\
-  .objectForKey('Ironwood Allowed').js
+  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+  .objectForKey('allowAssistant').js
  EOS
 result:
  string: "false"
@@ -66,5 +66,5 @@ tags:
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
-  com.apple.ironwood.support:
-    "Ironwood Allowed": false
+  com.apple.applicationaccess:
+    allowAssistant: false