baseline fixes, discussion edits, ac-12 rule created

2026-02-03 05:53:24 +00:00 · 2020-09-29 16:02:37 -04:00
parent 81c0c405a2
commit 8c2fcd6938
17 changed files with 58 additions and 56 deletions
--- a/baselines/800-171.yaml
+++ b/baselines/800-171.yaml
@@ -141,13 +141,13 @@ profile:
      - sysprefs_password_hints_disable
      - sysprefs_bluetooth_sharing_disable
      - sysprefs_improve_siri_dictation_disable
+      - sysprefs_enforce_auto_logout
  - section: "Inherent"
    rules:
      - os_prevent_priv_functions
      - os_logical_access
      - os_implement_cryptography
      - os_obscure_password
-      - os_terminate_session_inactivity
      - os_store_encrypted_passwords
      - os_prevent_unauthorized_disclosure
      - pwpolicy_force_change_password_change
--- a/baselines/800-53_high.yaml
+++ b/baselines/800-53_high.yaml
@@ -147,6 +147,7 @@ profile:
      - sysprefs_password_hints_disable
      - sysprefs_bluetooth_sharing_disable
      - sysprefs_improve_siri_dictation_disable
+      - sysprefs_enforce_auto_logout
  - section: "Inherent"
    rules:
      - os_enforce_access_restrictions
@@ -157,12 +158,10 @@ profile:
      - os_implement_memory_protection
      - os_implement_cryptography
      - os_obscure_password
-      - os_terminate_session_inactivity
      - os_isolate_security_functions
      - os_required_crypto_module
      - os_store_encrypted_passwords
      - os_prevent_unauthorized_disclosure
-      - os_separate_fuctionality
      - os_crypto_audit
      - pwpolicy_temporary_accounts_disable
      - pwpolicy_force_change_password_change
--- a/baselines/800-53_low.yaml
+++ b/baselines/800-53_low.yaml
@@ -118,7 +118,6 @@ profile:
      - os_logical_access
      - os_implement_cryptography
      - os_obscure_password
-      - os_terminate_session_inactivity
      - os_required_crypto_module
      - os_store_encrypted_passwords
      - pwpolicy_force_change_password_change
--- a/baselines/800-53_moderate.yaml
+++ b/baselines/800-53_moderate.yaml
@@ -143,6 +143,7 @@ profile:
      - sysprefs_password_hints_disable
      - sysprefs_bluetooth_sharing_disable
      - sysprefs_improve_siri_dictation_disable
+      - sysprefs_enforce_auto_logout
  - section: "Inherent"
    rules:
      - os_prevent_priv_functions
@@ -150,11 +151,9 @@ profile:
      - os_implement_memory_protection
      - os_implement_cryptography
      - os_obscure_password
-      - os_terminate_session_inactivity
      - os_required_crypto_module
      - os_store_encrypted_passwords
      - os_prevent_unauthorized_disclosure
-      - os_separate_fuctionality
      - pwpolicy_temporary_accounts_disable
      - pwpolicy_force_change_password_change
      - pwpolicy_emergency_accounts_disable
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -158,6 +158,7 @@ profile:
      - sysprefs_password_hints_disable
      - sysprefs_bluetooth_sharing_disable
      - sysprefs_improve_siri_dictation_disable
+      - sysprefs_enforce_auto_logout
  - section: "Inherent"
    rules:
      - os_enforce_access_restrictions
@@ -176,7 +177,6 @@ profile:
      - os_implement_cryptography
      - os_remote_access_methods
      - os_obscure_password
-      - os_terminate_session_inactivity
      - os_predictable_behavior
      - os_reauth_users_change_authenticators
      - os_map_pki_identity
--- a/baselines/cnssi-1253.yaml
+++ b/baselines/cnssi-1253.yaml
@@ -143,6 +143,7 @@ profile:
      - sysprefs_password_hints_disable
      - sysprefs_bluetooth_sharing_disable
      - sysprefs_improve_siri_dictation_disable
+      - sysprefs_enforce_auto_logout
  - section: "Inherent"
    rules:
      - os_prevent_priv_functions
@@ -150,12 +151,10 @@ profile:
      - os_implement_memory_protection
      - os_implement_cryptography
      - os_obscure_password
-      - os_terminate_session_inactivity
      - os_map_pki_identity
      - os_required_crypto_module
      - os_store_encrypted_passwords
      - os_prevent_unauthorized_disclosure
-      - os_separate_fuctionality
      - pwpolicy_temporary_accounts_disable
      - pwpolicy_force_change_password_change
      - pwpolicy_emergency_accounts_disable
--- a/rules/os/os_firewall_default_deny_require.yaml
+++ b/rules/os/os_firewall_default_deny_require.yaml
@@ -1,5 +1,5 @@
 id: os_firewall_default_deny_require
-title: "The macOS system must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems."
+title: "Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy"
 discussion: |
  A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems. 

--- a/rules/os/os_identify_non-org_users.yaml
+++ b/rules/os/os_identify_non-org_users.yaml
@@ -1,5 +1,5 @@
 id: os_identify_non-org_users
-title: "Must uniquely identify and authenticate non-organizational users"
+title: "Configure the System to Uniquely Identify and Authenticate Non-Organizational Users"
 discussion: |
  The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
 check: |
--- a/rules/os/os_isolate_security_functions.yaml
+++ b/rules/os/os_isolate_security_functions.yaml
@@ -1,7 +1,7 @@
 id: os_isolate_security_functions
-title: "Isolate security functions from non-security functions"
+title: "Configure the System to Separate User and System Functionality"
 discussion: |
-  The information system _IS_ configured to to isolate security functions from non-security functions. 
+  The information system _IS_ configured to isolate security functions from non-security functions. 
  
  link:https://support.apple.com/guide/security/welcome/web[]
 check: |
--- a/rules/os/os_parental_controls_enable.yaml
+++ b/rules/os/os_parental_controls_enable.yaml
@@ -2,10 +2,10 @@ id: os_parental_controls_enable
 title: "Enable Parental Controls"
 discussion: |
  Parental Controls _MUST_ be enabled. 
+  
+  Control of program execution is a mechanism used to prevent program execution of unauthorized programs, which is critical to maintaining a secure system baseline.

-  Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).
-
-  Parental Controls on macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions.
+  Parental Controls on the macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions.
 check: |
  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'familyControlsEnabled = 1'
 result:
--- a/rules/os/os_required_crypto_module.yaml
+++ b/rules/os/os_required_crypto_module.yaml
@@ -1,7 +1,7 @@
 id: os_required_crypto_module
-title: "Must meet federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module"
+title: "Ensure all Federal Laws, Executive Orders, Directives, Policies, Regulations, Standards, and Guidance for Authentication to a Cryptographic Module are Met"
 discussion: |
-  The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
+  The inherent configuration of the macOS _IS_ in compliance by implementing mechanisms for authentication to a cryptographic module that meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication

  macOS Catalina is in process of receiving FIPS validation from the National Institute of Standards and Technology (NIST).

--- a/rules/os/os_terminate_session_inactivity.yaml
+++ b/rules/os/os_terminate_session_inactivity.yaml
@@ -1,33 +0,0 @@
-id: os_terminate_session_inactivity
-title: "Automatically terminate user session after inactivity"
-discussion: |
-  Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated.Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.This capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires additional assurance.
-check: |
-  The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
-fix: |
-  The technology inherently meets this requirement. No fix is required.
-references:
-  cce:
-    - CCE-84870-5
-  cci:
-    - CCI-002361
-  800-53r4:
-    - AC-12
-  disa_stig:
-    - N/A
-  srg:
-    - SRG-OS-000279-GPOS-00109
-  800-171r2:
-    - 3.1.11
-macOS:
-  - "10.15"
-tags:
-  - 800-171
-  - cnssi-1253
-  - 800-53r4_low
-  - 800-53r4_moderate
-  - 800-53r4_high
-  - STIG
-  - inherent
-mobileconfig: false
-mobileconfig_info:
--- a/rules/sysprefs/sysprefs_enforce_auto_logout.yaml
+++ b/rules/sysprefs/sysprefs_enforce_auto_logout.yaml
@@ -0,0 +1,37 @@
+id: sysprefs_enforce_auto_logout
+title: "Enforce Auto Logout After 24 Hours of Inactivity"
+discussion: |
+  Auto logout _MUST_ be configured to automatically terminate a user session and log out the after 86400 seconds (24 hours) of inactivity. 
+
+  NOTE:The maximum that macOS can be configured for autologoff is 86400 seconds (24 hours).
+check: |
+  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"com.apple.autologout.AutoLogOutDelay" = 604800'
+fix: |
+    This is implemented by a Configuration Profile.
+references:
+  cce:
+    - CCE-84870-5
+  cci:
+    - CCI-002361
+  800-53r4:
+    - AC-12
+  disa_stig:
+    - N/A
+  srg:
+    - SRG-OS-000279-GPOS-00109
+  800-171r2:
+    - 3.1.11
+macOS:
+  - "10.15"
+tags:
+  - 800-171
+  - cnssi-1253
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - STIG
+mobileconfig: true
+mobileconfig_info:
+  .GlobalPreferences:
+    com.apple.autologout.AutoLogOutDelay: 86400
+    
+
--- a/rules/sysprefs/sysprefs_wifi_disable.yaml
+++ b/rules/sysprefs/sysprefs_wifi_disable.yaml
@@ -1,7 +1,9 @@
 id: sysprefs_wifi_disable
-title: "Disable Wi-Fi when connected to ethernet"
+title: "Disable Wi-Fi When Connected to Ethernet"
 discussion: |
-  Use of Wi-Fi to connect to unauthorized networks may facilitate the exfiltration of mission data. The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
+  The macOS should be configured to automatically disable Wi-Fi when connected to ethernet. 
+
+  The use of Wi-Fi to connect to unauthorized networks may facilitate the exfiltration of mission data. Therefore, wireless networking capabilities internally embedded within information system components should be disabled when not intended to be used. 

  NOTE: If the system requires Wi-Fi to connect to an authorized network, this is not applicable.
 check: |
--- a/sections/authentication.yaml
+++ b/sections/authentication.yaml
@@ -1,5 +1,5 @@
  name: "Authentication"
  description: |
-    This section reviews the configuration and enforcement of smartcard authentication.
+    This section contains the configuration and enforcement of smartcard authentication settings.

    NOTE: The check/fix commands outlined in this section must be run with elevated privileges.
--- a/sections/not_applicable.yaml
+++ b/sections/not_applicable.yaml
@@ -1,3 +1,3 @@
  name: "Not Applicable"
  description: |
-    This section reviews the controls that are defined in the NIST 800-53 revision 4, but are not applicable when configuring a macOS system.
+    This section contains the controls that are defined in the NIST 800-53 revision 4 but are not applicable when configuring a macOS system.
--- a/sections/supplemental.yaml
+++ b/sections/supplemental.yaml
@@ -1,3 +1,3 @@
  name: "Supplemental"
  description: |
-    This sections provides additional information to support the guidance provided by the baselines.
+    This section provides additional information to support the guidance provided by the baselines.