usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-03-04 17:23:16 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity

Merge branch 'big_sur'

Browse Source
This commit is contained in:
Allen Golbig
2021-07-26 10:42:04 -04:00
parent ebca093853 184efffcf6
commit 932a51f3e8
266 changed files with 3350 additions and 889 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
CHANGELOG.adoc
View File

@@ -2,6 +2,61 @@
This document provides a high-level view of the changes to the macOS Security Compliance Project.
== [Big Sur, Revision 3] - 2021-07-26
* Rules
** Added Rules
*** audit_record_reduction_report_generation.yaml
*** audit_records_processing.yaml
*** os_access_control_mobile_devices.yaml
*** os_apple_mobile_file_integrity_enforce.yaml
*** os_application_sandboxing.yaml
*** os_asl_log_files_owner_group_configure.yaml
*** os_asl_log_files_permissions_configure.yaml
*** os_config_data_install_enforce.yaml
*** os_filevault_authorized_users.yaml
*** os_information_validation.yaml
*** os_malicious_code_prevention.yaml
*** os_managed_access_control_points.yaml
*** os_newsyslog_files_owner_group_configure.yaml
*** os_newsyslog_files_permissions_configure.yaml
*** os_non_repudiation.yaml
*** os_pii_deidentification.yaml
*** os_pii_quality_control.yaml
*** os_privacy_principle_minimization.yaml
*** os_prohibit_remote_activation_collab_devices.yaml
*** os_secure_enclave.yaml
*** sysprefs_critical_update_install_enforce.yaml
** Renamed Rules
*** auth_ssh_password_authentication_disable.yaml
*** sysprefs_guest_access_smb_disable.yaml
*** sysprefs_guest_account_disable.yaml
*** sysprefs_system_wide_preferences_configure.yaml
** Deleted Rules
*** os_filevault_user_account.yaml
*** os_system_log_files_owner_group_configure.yaml
*** os_system_log_files_permissions_configure.yaml
** Bug Fixes
* Baselines
** Added NIST 800-53 Rev 5 (Low, Moderate, High, and Privacy)
** Removed NIST 800-53 Rev 5 (Low, Moderate, and High)
** Modified existing baselines
* Scripts
** generate_guidanace
*** Added additional flags to the compliance scipt generated (--stats, --compliant, and --non_compliant) link:https://github.com/usnistgov/macos_security/pull/64[#64]
** generate_baseline
*** Added `-k all_rules` to generate a baseline containing all the rules
*** Bug fixes
** yaml-to-oval
*** Bug fixes
** Added generate_mapping.py to generate custom rules from a mapping between compliance frameworks
* SCAP
** Included SCAP 1.3 datastream file only
** Removed macos-cpe-dictionary.xml, macos-cpe-oval.xml, ocil.xml, oval.xml, xccdf.html, and xccdf.xml
== [Big Sur, Revision 2] - 2021-03-18
* Rules

4
README.adoc
View File

@@ -21,9 +21,9 @@ image:https://badgen.net/badge/icon/apple?icon=apple&label[link="https://www.app
image:https://badgen.net/badge/icon/11.0?icon=apple&label[link="https://www.apple.com/macos"]
endif::[]
The macOS Security Compliance Project is an link:LICENSE.md[open source] effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Recommended Security Controls for Federal Information Systems and Organizations_, Revision 4. This is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL).
The macOS Security Compliance Project is an link:LICENSE.md[open source] effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Security and Privacy Controls for Information Systems and Organizations_, Revision 5. This is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL).
This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 4). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
To learn more about the project, please see the {uri-repo}/wiki[wiki].

6
SCAP/html-to-xccdf.xsl
View File

@@ -344,7 +344,7 @@
<xsl:for-each select="distinct-values(//div[@class = 'sect2']//table//table//tr[th/p = 'TAGS']/td//p)">
<xsl:choose>
<!-- WARNING: the following will break when tag names are changed -->
<xsl:when test="matches(., '^800-53r4')">
<xsl:when test="matches(., '^800-53r5')">
<!--<xsl:message expand-text="true">{.} {count($ROOT//div[@class = 'sect2'][descendant::table/tbody/tr/th/p='ID'][descendant::table/descendant::tr[th/p = 'tags']/td//p = current()])}</xsl:message>-->
<xsl:element name="Profile" namespace="http://checklists.nist.gov/xccdf/1.2">
<xsl:attribute name="id" expand-text="true">xccdf_{$xccdf-namespace}_profile_{.}</xsl:attribute>
@@ -474,7 +474,7 @@
<xsl:for-each select="tokenize(., ',\s+')">
<xsl:element name="reference" namespace="http://checklists.nist.gov/xccdf/1.2">
<xsl:attribute name="href">
<xsl:text>https://nvd.nist.gov/800-53/Rev4/control/</xsl:text>
<xsl:text>https://nvd.nist.gov/800-53/Rev5/control/</xsl:text>
<xsl:choose>
<xsl:when test="matches(., '[A-Z]{2}-\d+$')">
<xsl:value-of select="."/>
@@ -487,7 +487,7 @@
</xsl:when>
</xsl:choose>
</xsl:attribute>
<xsl:text>NIST SP 800-53r4 </xsl:text>
<xsl:text>NIST SP 800-53r5 </xsl:text>
<xsl:value-of select="."/>
</xsl:element>
</xsl:for-each>

4
VERSION.yaml
View File

@@ -1,3 +1,3 @@
os: "11.0"
version: "Big Sur, Revision 2"
date: "2021-03-18"
version: "Big Sur, Revision 3"
date: "2021-07-26"

34
baselines/800-171.yaml
View File

@@ -1,6 +1,7 @@
title: "macOS 11.0: Security Configuration - 800-171"
title: "macOS 11: Security Configuration - NIST 800-171 Rev 2"
description: |
This guide describes the actions to take when securing a 11.0 system against the NIST SP 800-171.
This guide describes the actions to take when securing a macOS 11 system against the 800-171 Rev 2 baseline.
profile:
profile:
- section: "authentication"
rules:
@@ -31,21 +32,20 @@ profile:
- section: "macos"
rules:
- os_firewall_default_deny_require
- os_ssh_server_alive_count_max_configure
- os_firmware_password_require
- os_gatekeeper_rearm
- os_root_disable
- os_guest_account_disable
- os_password_proximity_disable
- os_mdm_require
- os_screensaver_loginwindow_enforce
- os_handoff_disable
- os_firewall_log_enable
- os_system_wide_preferences_configure
- os_ssh_server_alive_interval_configure
- os_tftpd_disable
- os_password_autofill_disable
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_authenticated_root_enable
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
- os_touchid_prompt_disable
@@ -53,13 +53,12 @@ profile:
- os_messages_app_disable
- os_airdrop_disable
- os_parental_controls_enable
- os_ssh_server_alive_count_max_configure
- os_nfsd_disable
- os_httpd_disable
- os_gatekeeper_enable
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
- os_guest_access_smb_disable
- os_time_server_enabled
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
@@ -71,7 +70,6 @@ profile:
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- os_ssh_server_alive_interval_configure
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"
@@ -103,27 +101,30 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_automatic_logout_enforce
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
- sysprefs_internet_sharing_disable
- sysprefs_system_wide_preferences_configure
- sysprefs_rae_disable
- sysprefs_ssh_disable
- sysprefs_personalized_advertising_disable
- sysprefs_guest_access_smb_disable
- sysprefs_media_sharing_disabled
- sysprefs_ssh_disable
- sysprefs_screensaver_password_enforce
- sysprefs_guest_account_disable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_screensaver_timeout_enforce
- sysprefs_firewall_enable
- sysprefs_find_my_disable
- sysprefs_afp_disable
- sysprefs_content_caching_disable
- sysprefs_location_services_disable
- sysprefs_time_server_configure
- sysprefs_power_nap_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_bluetooth_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_power_nap_disable
- sysprefs_automatic_login_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_token_removal_enforce
@@ -137,12 +138,12 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_prevent_priv_functions
- os_logical_access
- os_implement_cryptography
- os_separate_functionality
- os_obscure_password
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
@@ -150,15 +151,14 @@ profile:
- section: "Permanent"
rules:
- pwpolicy_50_percent
- sysprefs_wifi_disable
- sysprefs_wifi_disable_when_connected_to_ethernet
- section: "not_applicable"
rules:
rules:
- os_nonlocal_maintenance
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_filevault
- supplemental_password_policy
- supplemental_smartcard
- supplemental_controls
- supplemental_smartcard

65
baselines/800-53_high.yaml → baselines/800-53r5_high.yaml
View File

@@ -1,6 +1,6 @@
title: "macOS 11.0: Security Configuration - 800-53 High"
title: "macOS 11 Security Configuration:NIST SP 800-53 Rev 5 High Impact Security Baseline"
description: |
This guide describes the actions to take when securing a macOS 11.0 system against the NIST SP 800-53 HIGH baseline.
This guide describes the actions to take when securing a macOS 11 system against the NIST SP 800-53 Rev. 5 High-Impact Security Baseline.
profile:
- section: "authentication"
rules:
@@ -12,6 +12,7 @@ profile:
- auth_pam_su_smartcard_enforce
- section: "auditing"
rules:
- audit_flags_fd_configure
- audit_folder_group_configure
- audit_failure_halt
- audit_acls_folders_configure
@@ -34,23 +35,28 @@ profile:
- audit_acls_files_configure
- section: "macos"
rules:
- os_newsyslog_files_owner_group_configure
- os_firewall_default_deny_require
- os_ssh_server_alive_count_max_configure
- os_firmware_password_require
- os_apple_mobile_file_integrity_enforce
- os_gatekeeper_rearm
- os_root_disable
- os_guest_account_disable
- os_password_proximity_disable
- os_mdm_require
- os_screensaver_loginwindow_enforce
- os_handoff_disable
- os_firewall_log_enable
- os_system_wide_preferences_configure
- os_ssh_server_alive_interval_configure
- os_tftpd_disable
- os_password_autofill_disable
- os_asl_log_files_permissions_configure
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_authenticated_root_enable
- os_config_data_install_enforce
- os_filevault_authorized_users
- os_secure_boot_verify
- os_sudoers_tty_configure
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
- os_touchid_prompt_disable
@@ -59,32 +65,33 @@ profile:
- os_airdrop_disable
- os_parental_controls_enable
- os_system_read_only
- os_ssh_server_alive_count_max_configure
- os_nfsd_disable
- os_httpd_disable
- os_asl_log_files_owner_group_configure
- os_gatekeeper_enable
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
- os_guest_access_smb_disable
- os_time_server_enabled
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
- os_siri_prompt_disable
- os_appleid_prompt_disable
- os_certificate_authority_trust
- os_newsyslog_files_permissions_configure
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- os_ssh_server_alive_interval_configure
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"
rules:
- pwpolicy_account_inactivity_enforce
- pwpolicy_history_enforce
- pwpolicy_temporary_or_emergency_accounts_disable
- pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_lower_case_character_enforce
@@ -110,31 +117,36 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_media_sharing_disabled
- sysprefs_automatic_logout_enforce
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
- sysprefs_internet_sharing_disable
- sysprefs_system_wide_preferences_configure
- sysprefs_rae_disable
- sysprefs_personalized_advertising_disable
- sysprefs_guest_access_smb_disable
- sysprefs_media_sharing_disabled
- sysprefs_ssh_disable
- sysprefs_screensaver_password_enforce
- sysprefs_critical_update_install_enforce
- sysprefs_guest_account_disable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_screensaver_timeout_enforce
- sysprefs_firewall_enable
- sysprefs_find_my_disable
- sysprefs_afp_disable
- sysprefs_content_caching_disable
- sysprefs_location_services_disable
- sysprefs_time_server_configure
- sysprefs_power_nap_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_bluetooth_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_power_nap_disable
- sysprefs_automatic_login_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_token_removal_enforce
- sysprefs_screensaver_ask_for_password_delay_enforce
- sysprefs_wifi_disable
- sysprefs_time_server_enforce
- sysprefs_touchid_unlock_disable
- sysprefs_screen_sharing_disable
@@ -144,19 +156,24 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- audit_record_reduction_report_generation
- os_enforce_access_restrictions
- os_limit_gui_sessions
- os_prevent_priv_functions
- os_logical_access
- os_fail_secure_state
- os_application_sandboxing
- os_implement_memory_protection
- os_implement_cryptography
- os_separate_functionality
- os_obscure_password
- os_reauth_users_change_authenticators
- os_unique_identification
- os_isolate_security_functions
- os_required_crypto_module
- os_malicious_code_prevention
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
- os_crypto_audit
@@ -165,27 +182,27 @@ profile:
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
- os_secure_name_resolution
- os_notify_account_enable
- audit_records_processing
- os_reauth_devices_change_authenticators
- os_provide_automated_account_management
- os_notify_account_created
- os_notify_account_modified
- os_notify_account_removal
- os_secure_name_resolution
- os_prohibit_remote_activation_collab_devices
- os_auth_peripherals
- os_continuous_monitoring
- os_notify_account_disabled
- os_protect_dos_attacks
- pwpolicy_50_percent
- sysprefs_wifi_disable
- sysprefs_wifi_disable_when_connected_to_ethernet
- section: "not_applicable"
rules:
- os_identify_non-org_users
- os_information_validation
- os_access_control_mobile_devices
- os_managed_access_control_points
- os_nonlocal_maintenance
- os_identify_non-org_users
- os_non_repudiation
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_filevault
- supplemental_password_policy
- supplemental_smartcard
- supplemental_controls
- supplemental_smartcard

52
baselines/800-53_low.yaml → baselines/800-53r5_low.yaml
View File

@@ -1,6 +1,6 @@
title: "macOS 11.0: Security Configuration - 800-53 Low"
title: "macOS 11 Security Configuration:NIST SP 800-53 Rev 5 Low Impact Security Baseline"
description: |
This guide describes the actions to take when securing a macOS 11.0 system against the NIST SP 800-53 LOW baseline.
This guide describes the actions to take when securing a macOS 11 system against the NIST SP 800-53 Rev. 5 Low-Impact Security Baseline.
profile:
- section: "authentication"
rules:
@@ -11,6 +11,7 @@ profile:
- auth_pam_su_smartcard_enforce
- section: "auditing"
rules:
- audit_flags_fd_configure
- audit_folder_group_configure
- audit_failure_halt
- audit_acls_folders_configure
@@ -23,6 +24,7 @@ profile:
- audit_files_owner_configure
- audit_retention_configure
- audit_flags_fr_configure
- audit_settings_failure_notify
- audit_folder_owner_configure
- audit_flags_lo_configure
- audit_flags_fw_configure
@@ -31,6 +33,8 @@ profile:
- audit_acls_files_configure
- section: "macos"
rules:
- os_apple_mobile_file_integrity_enforce
- os_gatekeeper_rearm
- os_root_disable
- os_password_proximity_disable
- os_mdm_require
@@ -40,6 +44,9 @@ profile:
- os_password_autofill_disable
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_authenticated_root_enable
- os_config_data_install_enforce
- os_sudoers_tty_configure
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
- os_touchid_prompt_disable
@@ -48,10 +55,10 @@ profile:
- os_airdrop_disable
- os_nfsd_disable
- os_httpd_disable
- os_gatekeeper_enable
- os_sip_enable
- os_authenticated_root_enable
- os_guest_account_disable
- os_guest_access_smb_disable
- os_removable_media_disable
- os_time_server_enabled
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
- os_siri_prompt_disable
@@ -65,7 +72,6 @@ profile:
- os_calendar_app_disable
- section: "passwordpolicy"
rules:
- pwpolicy_account_inactivity_enforce
- pwpolicy_history_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
@@ -92,49 +98,63 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_media_sharing_disabled
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_personalized_advertising_disable
- sysprefs_guest_access_smb_disable
- sysprefs_media_sharing_disabled
- sysprefs_ssh_disable
- sysprefs_critical_update_install_enforce
- sysprefs_guest_account_disable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_screensaver_timeout_enforce
- sysprefs_firewall_enable
- sysprefs_find_my_disable
- sysprefs_afp_disable
- sysprefs_content_caching_disable
- sysprefs_location_services_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_time_server_configure
- sysprefs_power_nap_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_bluetooth_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_automatic_login_disable
- sysprefs_wifi_disable
- sysprefs_time_server_enforce
- sysprefs_screen_sharing_disable
- sysprefs_siri_disable
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_ssh_disable
- section: "Inherent"
rules:
- os_logical_access
- os_application_sandboxing
- os_implement_cryptography
- os_obscure_password
- os_reauth_users_change_authenticators
- os_unique_identification
- os_required_crypto_module
- os_malicious_code_prevention
- os_store_encrypted_passwords
- pwpolicy_force_password_change
- section: "Permanent"
rules:
- os_reauth_devices_change_authenticators
- os_secure_name_resolution
- os_prohibit_remote_activation_collab_devices
- os_protect_dos_attacks
- pwpolicy_50_percent
- section: "not_applicable"
rules:
- os_identify_non-org_users
- os_access_control_mobile_devices
- os_nonlocal_maintenance
- os_identify_non-org_users
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_filevault
- supplemental_password_policy
- supplemental_smartcard
- supplemental_controls
- supplemental_smartcard

65
baselines/800-53_moderate.yaml → baselines/800-53r5_moderate.yaml
View File

@@ -1,6 +1,6 @@
title: "macOS 11.0: Security Configuration - 800-53 Moderate"
title: "macOS 11 Security Configuration:NIST SP 800-53 Rev 5 Moderate Impact Security Baseline"
description: |
This guide describes the actions to take when securing a 11.0 system against the NIST SP 800-53 MODERATE baseline.
This guide describes the actions to take when securing a macOS 11 system against the NIST SP 800-53 Rev. 5 Moderate-Impact Security Baseline.
profile:
- section: "authentication"
rules:
@@ -12,6 +12,7 @@ profile:
- auth_pam_su_smartcard_enforce
- section: "auditing"
rules:
- audit_flags_fd_configure
- audit_folder_group_configure
- audit_failure_halt
- audit_acls_folders_configure
@@ -24,6 +25,7 @@ profile:
- audit_files_owner_configure
- audit_retention_configure
- audit_flags_fr_configure
- audit_settings_failure_notify
- audit_folder_owner_configure
- audit_flags_lo_configure
- audit_flags_fw_configure
@@ -32,9 +34,10 @@ profile:
- audit_acls_files_configure
- section: "macos"
rules:
- os_newsyslog_files_owner_group_configure
- os_firewall_default_deny_require
- os_ssh_server_alive_count_max_configure
- os_firmware_password_require
- os_apple_mobile_file_integrity_enforce
- os_gatekeeper_rearm
- os_root_disable
- os_password_proximity_disable
@@ -42,11 +45,16 @@ profile:
- os_screensaver_loginwindow_enforce
- os_handoff_disable
- os_firewall_log_enable
- os_system_wide_preferences_configure
- os_ssh_server_alive_interval_configure
- os_tftpd_disable
- os_password_autofill_disable
- os_asl_log_files_permissions_configure
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_authenticated_root_enable
- os_config_data_install_enforce
- os_secure_boot_verify
- os_sudoers_tty_configure
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
- os_touchid_prompt_disable
@@ -55,33 +63,33 @@ profile:
- os_airdrop_disable
- os_parental_controls_enable
- os_system_read_only
- os_ssh_server_alive_count_max_configure
- os_nfsd_disable
- os_httpd_disable
- os_asl_log_files_owner_group_configure
- os_gatekeeper_enable
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
- os_guest_account_disable
- os_guest_access_smb_disable
- os_time_server_enabled
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
- os_siri_prompt_disable
- os_appleid_prompt_disable
- os_certificate_authority_trust
- os_newsyslog_files_permissions_configure
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- os_ssh_server_alive_interval_configure
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"
rules:
- pwpolicy_account_inactivity_enforce
- pwpolicy_history_enforce
- pwpolicy_temporary_or_emergency_accounts_disable
- pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_lower_case_character_enforce
@@ -107,31 +115,36 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_media_sharing_disabled
- sysprefs_automatic_logout_enforce
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
- sysprefs_internet_sharing_disable
- sysprefs_system_wide_preferences_configure
- sysprefs_rae_disable
- sysprefs_personalized_advertising_disable
- sysprefs_guest_access_smb_disable
- sysprefs_media_sharing_disabled
- sysprefs_ssh_disable
- sysprefs_screensaver_password_enforce
- sysprefs_critical_update_install_enforce
- sysprefs_guest_account_disable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_screensaver_timeout_enforce
- sysprefs_firewall_enable
- sysprefs_find_my_disable
- sysprefs_afp_disable
- sysprefs_content_caching_disable
- sysprefs_location_services_disable
- sysprefs_time_server_configure
- sysprefs_power_nap_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_bluetooth_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_power_nap_disable
- sysprefs_automatic_login_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_token_removal_enforce
- sysprefs_screensaver_ask_for_password_delay_enforce
- sysprefs_wifi_disable
- sysprefs_time_server_enforce
- sysprefs_touchid_unlock_disable
- sysprefs_screen_sharing_disable
@@ -141,15 +154,20 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- audit_record_reduction_report_generation
- os_prevent_priv_functions
- os_logical_access
- os_application_sandboxing
- os_implement_memory_protection
- os_implement_cryptography
- os_separate_functionality
- os_obscure_password
- os_reauth_users_change_authenticators
- os_unique_identification
- os_required_crypto_module
- os_malicious_code_prevention
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
- pwpolicy_temporary_accounts_disable
@@ -157,27 +175,26 @@ profile:
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
- os_secure_name_resolution
- os_notify_account_enable
- audit_records_processing
- os_reauth_devices_change_authenticators
- os_provide_automated_account_management
- os_notify_account_created
- os_notify_account_modified
- os_notify_account_removal
- os_secure_name_resolution
- os_prohibit_remote_activation_collab_devices
- os_auth_peripherals
- os_continuous_monitoring
- os_notify_account_disabled
- os_protect_dos_attacks
- pwpolicy_50_percent
- sysprefs_wifi_disable
- sysprefs_wifi_disable_when_connected_to_ethernet
- section: "not_applicable"
rules:
- os_identify_non-org_users
- os_information_validation
- os_access_control_mobile_devices
- os_managed_access_control_points
- os_nonlocal_maintenance
- os_identify_non-org_users
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_filevault
- supplemental_password_policy
- supplemental_smartcard
- supplemental_controls
- supplemental_smartcard

17
baselines/DISA-STIG.yaml
View File

@@ -1,6 +1,6 @@
title: "macOS 11.0: Security Configuration - DISA STIG"
title: "macOS 11: Security Configuration - DISA STIG"
description: |
This guide describes the actions to take when securing a macOS 11.0 system against the DISA STIG.
This guide describes the actions to take when securing a macOS 11 system against the DISA STIG baseline.
profile:
- section: "authentication"
rules:
@@ -34,24 +34,22 @@ profile:
- section: "macos"
rules:
- os_sshd_login_grace_time_configure
- os_newsyslog_files_owner_group_configure
- os_firmware_password_require
- os_filevault_user_account
- os_guest_account_disable
- os_policy_banner_ssh_enforce
- os_anti_virus_installed
- os_screensaver_loginwindow_enforce
- os_sshd_key_exchange_algorithm_configure
- os_system_wide_preferences_configure
- os_tftpd_disable
- os_sshd_client_alive_interval_configure
- os_system_log_files_owner_group_configure
- os_asl_log_files_permissions_configure
- os_sshd_client_alive_count_max_configure
- os_privacy_setup_prompt_disable
- os_filevault_authorized_users
- os_sudoers_tty_configure
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
- os_user_app_installation_prohibit
- os_system_log_files_permissions_configure
- os_hbss_installed
- os_filevault_autologin_disable
- os_messages_app_disable
@@ -59,6 +57,7 @@ profile:
- os_nfsd_disable
- os_sshd_permit_root_login_configure
- os_httpd_disable
- os_asl_log_files_owner_group_configure
- os_gatekeeper_enable
- os_sip_enable
- os_policy_banner_ssh_configure
@@ -70,6 +69,8 @@ profile:
- os_sshd_fips_140_ciphers
- os_sshd_fips_140_macs
- os_certificate_authority_trust
- os_newsyslog_files_permissions_configure
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_camera_disable
@@ -104,9 +105,11 @@ profile:
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_internet_sharing_disable
- sysprefs_system_wide_preferences_configure
- sysprefs_rae_disable
- sysprefs_ssh_disable
- sysprefs_screensaver_password_enforce
- sysprefs_guest_account_disable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_screensaver_timeout_enforce

82
baselines/all_rules.yaml
View File

@@ -1,19 +1,20 @@
title: "macOS 11.0: Security Configuration - All Rules"
title: "macOS 11: Security Configuration - All Rules"
description: |
This guide describes the actions to take when securing a macOS 11.0 system using every available rule.
This guide describes the actions to take when securing a macOS 11 system against the all_rules baseline.
profile:
- section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_smartcard_allow
- auth_pam_sudo_smartcard_enforce
- auth_ssh_smartcard_enforce
- auth_smartcard_certificate_trust_enforce_high
- auth_smartcard_certificate_trust_enforce_moderate
- auth_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_ssh_password_authentication_disable
- section: "auditing"
rules:
- audit_flags_fd_configure
- audit_folder_group_configure
- audit_failure_halt
- audit_acls_folders_configure
@@ -36,69 +37,78 @@ profile:
- audit_acls_files_configure
- section: "macos"
rules:
- os_sshd_login_grace_time_configure
- os_newsyslog_files_owner_group_configure
- os_firewall_default_deny_require
- os_ssh_server_alive_count_max_configure
- os_firmware_password_require
- os_apple_mobile_file_integrity_enforce
- os_gatekeeper_rearm
- os_root_disable
- os_guest_account_disable
- os_policy_banner_ssh_enforce
- os_password_proximity_disable
- os_mdm_require
- os_anti_virus_installed
- os_screensaver_loginwindow_enforce
- os_handoff_disable
- os_sshd_key_exchange_algorithm_configure
- os_firewall_log_enable
- os_system_wide_preferences_configure
- os_ssh_server_alive_interval_configure
- os_tftpd_disable
- os_password_autofill_disable
- os_sshd_client_alive_interval_configure
- os_asl_log_files_permissions_configure
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_sshd_login_grace_time_configure
- os_authenticated_root_enable
- os_config_data_install_enforce
- os_sshd_client_alive_count_max_configure
- os_privacy_setup_prompt_disable
- os_filevault_authorized_users
- os_secure_boot_verify
- os_sudoers_tty_configure
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
- os_user_app_installation_prohibit
- os_touchid_prompt_disable
- os_hbss_installed
- os_filevault_autologin_disable
- os_messages_app_disable
- os_airdrop_disable
- os_parental_controls_enable
- os_system_read_only
- os_ssh_server_alive_count_max_configure
- os_nfsd_disable
- os_sshd_permit_root_login_configure
- os_httpd_disable
- os_asl_log_files_owner_group_configure
- os_gatekeeper_enable
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
- os_guest_access_smb_disable
- os_policy_banner_ssh_configure
- os_time_server_enabled
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
- os_siri_prompt_disable
- os_appleid_prompt_disable
- os_directory_services_configured
- os_sshd_fips_140_ciphers
- os_sshd_fips_140_macs
- os_certificate_authority_trust
- os_newsyslog_files_permissions_configure
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_camera_disable
- os_icloud_storage_prompt_disable
- os_sshd_permit_root_login_configure
- os_ir_support_disable
- os_mail_app_disable
- os_ssh_server_alive_interval_configure
- os_bonjour_disable
- os_calendar_app_disable
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
- os_sshd_fips_140_ciphers
- os_sshd_fips_140_macs
- section: "passwordpolicy"
rules:
- pwpolicy_account_inactivity_enforce
- pwpolicy_history_enforce
- pwpolicy_temporary_or_emergency_accounts_disable
- pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_lower_case_character_enforce
@@ -124,32 +134,37 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_automatic_logout_enforce
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
- sysprefs_internet_sharing_disable
- sysprefs_system_wide_preferences_configure
- sysprefs_rae_disable
- sysprefs_personalized_advertising_disable
- sysprefs_ssh_enable
- sysprefs_ssh_disable
- sysprefs_guest_access_smb_disable
- sysprefs_media_sharing_disabled
- sysprefs_ssh_disable
- sysprefs_screensaver_password_enforce
- sysprefs_critical_update_install_enforce
- sysprefs_guest_account_disable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_screensaver_timeout_enforce
- sysprefs_firewall_enable
- sysprefs_find_my_disable
- sysprefs_afp_disable
- sysprefs_content_caching_disable
- sysprefs_location_services_disable
- sysprefs_time_server_configure
- sysprefs_power_nap_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_bluetooth_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_power_nap_disable
- sysprefs_automatic_login_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_token_removal_enforce
- sysprefs_screensaver_ask_for_password_delay_enforce
- sysprefs_wifi_disable
- sysprefs_time_server_enforce
- sysprefs_touchid_unlock_disable
- sysprefs_screen_sharing_disable
@@ -159,9 +174,9 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- audit_record_reduction_report_generation
- os_enforce_access_restrictions
- os_limit_gui_sessions
- os_prevent_priv_functions
@@ -169,6 +184,7 @@ profile:
- os_verify_remote_disconnection
- os_logoff_capability_and_message
- os_fail_secure_state
- os_application_sandboxing
- os_limit_auditable_events
- os_prevent_priv_execution
- os_allow_info_passed
@@ -177,14 +193,17 @@ profile:
- os_implement_memory_protection
- os_implement_cryptography
- os_remote_access_methods
- os_separate_functionality
- os_obscure_password
- os_predictable_behavior
- os_reauth_users_change_authenticators
- os_map_pki_identity
- os_secure_enclave
- os_unique_identification
- os_provide_disconnect_remote_access
- os_isolate_security_functions
- os_required_crypto_module
- os_malicious_code_prevention
- os_grant_privs
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
@@ -193,7 +212,6 @@ profile:
- os_mfa_network_access
- os_peripherals_identify
- os_error_message
- os_separate_functionality
- os_crypto_audit
- os_reauth_privilege
- pwpolicy_temporary_accounts_disable
@@ -202,15 +220,17 @@ profile:
- section: "Permanent"
rules:
- audit_off_load_records
- audit_records_processing
- audit_enforce_dual_auth
- audit_alert_processing_fail
- os_secure_name_resolution
- os_reauth_devices_change_authenticators
- os_notify_account_enable
- os_provide_automated_account_management
- os_secure_name_resolution
- os_notify_account_created
- os_notify_account_modified
- os_notify_account_removal
- os_prohibit_remote_activation_collab_devices
- os_auth_peripherals
- os_limit_dos_attacks
- os_continuous_monitoring
@@ -219,20 +239,22 @@ profile:
- os_notify_unauthorized_baseline_change
- pwpolicy_50_percent
- pwpolicy_prevent_dictionary_words
- sysprefs_wifi_disable
- sysprefs_wifi_disable_when_connected_to_ethernet
- section: "not_applicable"
rules:
- os_identify_non-org_users
- os_information_validation
- os_privacy_principle_minimization
- os_access_control_mobile_devices
- os_managed_access_control_points
- os_pii_deidentification
- os_nonlocal_maintenance
- section: "srg"
rules:
- os_filevault_user_account
- os_anti_virus_installed
- os_identify_non-org_users
- os_pii_quality_control
- os_non_repudiation
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_filevault
- supplemental_password_policy
- supplemental_smartcard
- supplemental_controls
- supplemental_smartcard

35
baselines/cnssi-1253.yaml
View File

@@ -1,6 +1,6 @@
title: "macOS 11.0: Security Configuration - CNSSI-1253"
title: "macOS 11: Security Configuration - CNSSI-1253"
description: |
This guide describes the actions to take when securing a macOS 11.0 system against the CNSSI-1253 baseline.
This guide describes the actions to take when securing a macOS 11 system against the CNSSI-1253 baseline.
profile:
- section: "authentication"
rules:
@@ -33,7 +33,6 @@ profile:
- section: "macos"
rules:
- os_firewall_default_deny_require
- os_ssh_server_alive_count_max_configure
- os_firmware_password_require
- os_gatekeeper_rearm
- os_root_disable
@@ -42,11 +41,12 @@ profile:
- os_screensaver_loginwindow_enforce
- os_handoff_disable
- os_firewall_log_enable
- os_system_wide_preferences_configure
- os_ssh_server_alive_interval_configure
- os_tftpd_disable
- os_password_autofill_disable
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_authenticated_root_enable
- os_sudoers_tty_configure
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
@@ -55,14 +55,12 @@ profile:
- os_messages_app_disable
- os_airdrop_disable
- os_parental_controls_enable
- os_ssh_server_alive_count_max_configure
- os_nfsd_disable
- os_httpd_disable
- os_gatekeeper_enable
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
- os_guest_account_disable
- os_guest_access_smb_disable
- os_time_server_enabled
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
@@ -75,7 +73,6 @@ profile:
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- os_ssh_server_alive_interval_configure
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"
@@ -107,31 +104,34 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_media_sharing_disabled
- sysprefs_automatic_logout_enforce
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
- sysprefs_internet_sharing_disable
- sysprefs_system_wide_preferences_configure
- sysprefs_rae_disable
- sysprefs_personalized_advertising_disable
- sysprefs_guest_access_smb_disable
- sysprefs_ssh_disable
- sysprefs_screensaver_password_enforce
- sysprefs_guest_account_disable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_screensaver_timeout_enforce
- sysprefs_firewall_enable
- sysprefs_find_my_disable
- sysprefs_afp_disable
- sysprefs_content_caching_disable
- sysprefs_location_services_disable
- sysprefs_time_server_configure
- sysprefs_power_nap_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_bluetooth_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_power_nap_disable
- sysprefs_automatic_login_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_token_removal_enforce
- sysprefs_screensaver_ask_for_password_delay_enforce
- sysprefs_wifi_disable
- sysprefs_time_server_enforce
- sysprefs_touchid_unlock_disable
- sysprefs_screen_sharing_disable
@@ -141,13 +141,13 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_prevent_priv_functions
- os_logical_access
- os_implement_memory_protection
- os_implement_cryptography
- os_separate_functionality
- os_obscure_password
- os_map_pki_identity
- os_required_crypto_module
@@ -158,9 +158,9 @@ profile:
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
- os_secure_name_resolution
- os_notify_account_enable
- os_provide_automated_account_management
- os_secure_name_resolution
- os_notify_account_created
- os_notify_account_modified
- os_notify_account_removal
@@ -169,16 +169,15 @@ profile:
- os_notify_account_disabled
- os_protect_dos_attacks
- pwpolicy_50_percent
- sysprefs_wifi_disable
- sysprefs_wifi_disable_when_connected_to_ethernet
- section: "not_applicable"
rules:
- os_identify_non-org_users
- os_nonlocal_maintenance
- os_identify_non-org_users
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_filevault
- supplemental_password_policy
- supplemental_smartcard
- supplemental_controls
- supplemental_smartcard

10
rules/audit/audit_acls_files_configure.yaml
View File

@@ -19,6 +19,9 @@ references:
cci:
- CCI-000162
- CCI-001314
800-53r5:
- SI-11
- AU-9
800-53r4:
- AU-9
- SI-11
@@ -32,11 +35,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

9
rules/audit/audit_acls_folders_configure.yaml
View File

@@ -18,6 +18,8 @@ references:
- CCE-85252-5
cci:
- CCI-000162
800-53r5:
- AU-9
800-53r4:
- AU-9
srg:
@@ -29,11 +31,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

2
rules/audit/audit_alert_processing_fail.yaml
View File

@@ -11,6 +11,8 @@ references:
- CCE-85253-3
cci:
- CCI-000139
800-53r5:
- N/A
800-53r4:
- N/A
disa_stig:

19
rules/audit/audit_auditd_enabled.yaml
View File

@@ -8,6 +8,8 @@ discussion: |
The content required to be captured in an audit record varies based on the impact level of an organizations system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked.
The information system initiates session audits at system start-up.
NOTE: Security auditing is enabled by default on macOS.
check: |
/bin/launchctl list | /usr/bin/grep -c com.apple.auditd
result:
@@ -34,6 +36,16 @@ references:
- CCI-001890
- CCI-001914
- CCI-002130
800-53r5:
- AU-3
- AU-3(1)
- AU-8
- AU-12
- AU-12(1)
- AU-12(3)
- AU-14(1)
- MA-4(1)
- CM-5(1)
800-53r4:
- AU-3
- AU-3(1)
@@ -65,11 +77,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

3
rules/audit/audit_configure_capacity_notify.yaml
View File

@@ -18,6 +18,8 @@ references:
- CCE-85255-8
cci:
- CCI-001855
800-53r5:
- AU-5(1)
800-53r4:
- AU-5(1)
srg:
@@ -27,6 +29,7 @@ references:
macOS:
- "11.0"
tags:
- 800-53r5_high
- 800-53r4_high
- stig
severity: "medium"

2
rules/audit/audit_enforce_dual_auth.yaml
View File

@@ -16,6 +16,8 @@ references:
cci:
- CCI-000366
- CCI-001896
800-53r5:
- AU-9(5)
800-53r4:
- AU-9(5)
disa_stig:

13
rules/audit/audit_failure_halt.yaml
View File

@@ -5,19 +5,21 @@ discussion: |
Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
check: |
/usr/bin/grep -Ec "^policy.*ahlt" /etc/security/audit_control
/usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak '/^policy/ s/$/,ahlt/' /etc/security/audit_control; /usr/sbin/audit -s
/usr/bin/sed -i.bak 's/^policy.*/policy: ahlt,argv/' /etc/security/audit_control; /usr/sbin/audit -s
----
references:
cce:
- CCE-85257-4
cci:
- CCI-000140
800-53r5:
- AU-5
800-53r4:
- AU-5
srg:
@@ -29,11 +31,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

11
rules/audit/audit_files_group_configure.yaml
View File

@@ -13,13 +13,15 @@ result:
fix: |
[source,bash]
----
/usr/bin/chgrp -R wheel $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
/usr/bin/chgrp -R wheel $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')/*
----
references:
cce:
- CCE-85258-2
cci:
- CCI-000162
800-53r5:
- AU-9
800-53r4:
- AU-9
srg:
@@ -31,11 +33,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

11
rules/audit/audit_files_mode_configure.yaml
View File

@@ -9,13 +9,15 @@ result:
fix: |
[source,bash]
----
/bin/chmod 440 $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
/bin/chmod 440 $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')/*
----
references:
cce:
- CCE-85259-0
cci:
- CCI-000162
800-53r5:
- AU-9
800-53r4:
- AU-9
srg:
@@ -27,11 +29,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

11
rules/audit/audit_files_owner_configure.yaml
View File

@@ -13,13 +13,15 @@ result:
fix: |
[source,bash]
----
/usr/sbin/chown -R root $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
/usr/sbin/chown -R root $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')/*
----
references:
cce:
- CCE-85260-8
cci:
- CCI-000162
800-53r5:
- AU-9
800-53r4:
- AU-9
srg:
@@ -31,11 +33,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

18
rules/audit/audit_flags_aa_configure.yaml
View File

@@ -7,19 +7,25 @@ discussion: |
Audit records can be generated from various components within the information system (e.g., via a module or policy filter).
check: |
/usr/bin/grep -Ec "^flags.*aa" /etc/security/audit_control
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'aa'
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s
/usr/bin/grep -qE "^flags.*[^-]aa" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s
----
references:
cce:
- CCE-85261-6
cci:
- CCI-000172
800-53r5:
- AC-2(12)
- AU-12
- AU-2
- MA-4(1)
- CM-5(1)
800-53r4:
- AU-2
- AU-12
@@ -37,11 +43,15 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_privacy
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

22
rules/audit/audit_flags_ad_configure.yaml
View File

@@ -8,14 +8,16 @@ discussion: |
Audit records can be generated from various components within the information system (e.g., via a module or policy filter).
The information system audits the execution of privileged functions.
NOTE: We recommend changing the line "43127:AUE_MAC_SYSCALL:mac_syscall(2):ad" to "43127:AUE_MAC_SYSCALL:mac_syscall(2):zz" in the file /etc/security/audit_event. This will prevent sandbox violations from being audited by the ad flag.
check: |
/usr/bin/grep -Ec "^flags.*ad" /etc/security/audit_control
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ad'
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s
/usr/bin/grep -qE "^flags.*[^-]ad" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s
----
references:
cce:
@@ -28,6 +30,14 @@ references:
- CCI-001405
- CCI-002234
- CCI-002884
800-53r5:
- AC-2(12)
- AC-6(9)
- AU-12
- AC-2(4)
- AU-2
- MA-4(1)
- CM-5(1)
800-53r4:
- AU-2
- AC-2(4)
@@ -54,11 +64,15 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_privacy
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_moderate
- 800-53r5_high
- 800-53r5_low
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

18
rules/audit/audit_flags_ex_configure.yaml
View File

@@ -8,19 +8,24 @@ discussion: |
This configuration ensures that audit lists include events in which program execution has failed.
Without auditing the enforcement of program execution, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
check: |
/usr/bin/grep -Ec "^flags.*-ex" /etc/security/audit_control
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-ex'
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak '/^flags/ s/$/,-ex/' /etc/security/audit_control; /usr/sbin/audit -s
/usr/bin/grep -qE "^flags.*-ex" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-ex/' /etc/security/audit_control; /usr/sbin/audit -s
----
references:
cce:
- CCE-85263-2
cci:
- N/A
800-53r5:
- AC-2(12)
- AU-12
- AU-2
- CM-5(1)
800-53r4:
- AU-2
- AU-12
@@ -35,11 +40,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_privacy
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cnssi-1253
mobileconfig: false
mobileconfig_info:

15
rules/audit/audit_flags_fd_configure.yaml
View File

@@ -9,13 +9,13 @@ discussion: |
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
check: |
/usr/bin/grep -Ec "^flags.*-fd" /etc/security/audit_control
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fd'
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s
/usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s
----
references:
cce:
@@ -23,6 +23,13 @@ references:
cci:
- CCI-000172
- CCI-001814
800-53r5:
- AC-2(12)
- AU-12
- AU-2
- AU-9
- CM-5(1)
- MA-4(1)
800-53r4:
- AU-2
- AU-12
@@ -47,6 +54,10 @@ references:
macOS:
- "11.0"
tags:
- 800-53r5_privacy
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- stig
severity: "medium"
mobileconfig: false

23
rules/audit/audit_flags_fm_configure.yaml
View File

@@ -1,7 +1,7 @@
id: audit_flags_fm_configure
title: "Configure System to Audit All Change of Object Attributes"
title: "Configure System to Audit All Failed Change of Object Attributes"
discussion: |
The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm).
The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (fm).
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions).
@@ -9,13 +9,13 @@ discussion: |
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
check: |
/usr/bin/grep -Ec "^flags.*fm" /etc/security/audit_control
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fm'
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control;/usr/sbin/audit -s
/usr/bin/grep -qE "^flags.*-fm" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fm/' /etc/security/audit_control;/usr/sbin/audit -s
----
references:
cce:
@@ -23,6 +23,13 @@ references:
cci:
- CCI-000172
- CCI-001814
800-53r5:
- AC-2(12)
- AU-12
- AU-2
- AU-9
- CM-5(1)
- MA-4(1)
800-53r4:
- AU-2
- AU-12
@@ -49,11 +56,15 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_privacy
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

19
rules/audit/audit_flags_fr_configure.yaml
View File

@@ -9,13 +9,13 @@ discussion: |
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
check: |
/usr/bin/grep -Ec "^flags.*-fr" /etc/security/audit_control
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fr'
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak '/^flags/ s/$/,-fr/' /etc/security/audit_control;/usr/sbin/audit -s
/usr/bin/grep -qE "^flags.*-fr" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fr/' /etc/security/audit_control;/usr/sbin/audit -s
----
references:
cce:
@@ -23,6 +23,13 @@ references:
cci:
- CCI-000172
- CCI-001814
800-53r5:
- AC-2(12)
- AU-12
- AU-2
- AU-9
- CM-5(1)
- MA-4(1)
800-53r4:
- AU-2
- AU-12
@@ -49,11 +56,15 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_privacy
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

19
rules/audit/audit_flags_fw_configure.yaml
View File

@@ -9,19 +9,26 @@ discussion: |
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
check: |
/usr/bin/grep -Ec "^flags.*-fw" /etc/security/audit_control
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fw'
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak '/^flags/ s/$/,-fw/' /etc/security/audit_control;/usr/sbin/audit -s
/usr/bin/grep -qE "^flags.*-fw" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fw/' /etc/security/audit_control;/usr/sbin/audit -s
----
references:
cce:
- CCE-85266-5
cci:
- CCI-000162
800-53r5:
- AC-2(12)
- AU-12
- AU-2
- AU-9
- CM-5(1)
- MA-4(1)
800-53r4:
- AU-2
- AU-12
@@ -48,11 +55,15 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_privacy
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

18
rules/audit/audit_flags_lo_configure.yaml
View File

@@ -7,13 +7,13 @@ discussion: |
The information system monitors login and logout events.
check: |
/usr/bin/grep -Ec "^flags*.lo" /etc/security/audit_control
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'lo'
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/sbin/audit -s
/usr/bin/grep -qE "^flags.*[^-]lo" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/sbin/audit -s
----
references:
cce:
@@ -21,6 +21,12 @@ references:
cci:
- CCI-000067
- CCI-000172
800-53r5:
- AC-2(12)
- AU-12
- AC-17(1)
- AU-2
- MA-4(1)
800-53r4:
- AU-2
- AC-17(1)
@@ -38,11 +44,15 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_privacy
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

9
rules/audit/audit_folder_group_configure.yaml
View File

@@ -20,6 +20,8 @@ references:
- CCE-85268-1
cci:
- CCI-000162
800-53r5:
- AU-9
800-53r4:
- AU-9
srg:
@@ -31,11 +33,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

9
rules/audit/audit_folder_owner_configure.yaml
View File

@@ -20,6 +20,8 @@ references:
- CCE-85269-9
cci:
- CCI-000162
800-53r5:
- AU-9
800-53r4:
- AU-9
srg:
@@ -31,11 +33,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

9
rules/audit/audit_folders_mode_configure.yaml
View File

@@ -20,6 +20,8 @@ references:
- CCI-000162
- CCI-000163
- CCI-000164
800-53r5:
- AU-9
800-53r4:
- AU-9
srg:
@@ -33,11 +35,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

2
rules/audit/audit_off_load_records.yaml
View File

@@ -15,6 +15,8 @@ references:
- CCE-85271-5
cci:
- CCI-001851
800-53r5:
- AU-4(1)
800-53r4:
- AU-4(1)
disa_stig:

36
rules/audit/audit_record_reduction_report_generation.yaml Normal file
View File

@@ -0,0 +1,36 @@
id: audit_record_reduction_report_generation
title: "Audit Record Reduction and Report Generation"
discussion: |
The system _IS_ configured with the ability provide and implement an audit record reduction and report generation capability.
Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.
Audit record reduction and report generation can be done with tools built into macOS such as auditreduce and praudit. These tools are protected by System Integrity Protection (SIP).
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-85461-2
cci:
- N/A
800-53r5:
- AU-7
800-53r4:
- N/A
srg:
- N/A
disa_stig:
- N/A
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- 800-53r5_high
- 800-53r4_high
- 800-53r5_moderate
- inherent
mobileconfig: false
mobileconfig_info:

34
rules/audit/audit_records_processing.yaml Normal file
View File

@@ -0,0 +1,34 @@
id: audit_records_processing
title: "Audit Record Reduction and Report Generation"
discussion: |
The macOS should be configured to provide and implement the capability to process, sort, and search audit records for events of interest based on organizationally defined fields.
Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- CCE-85462-0
cci:
- N/A
800-53r5:
- AU-7(1)
800-53r4:
- N/A
srg:
- N/A
disa_stig:
- N/A
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- 800-53r5_high
- 800-53r4_high
- 800-53r5_moderate
- permanent
mobileconfig: false
mobileconfig_info:

9
rules/audit/audit_retention_configure.yaml
View File

@@ -18,6 +18,9 @@ references:
- CCE-85272-3
cci:
- CCI-001849
800-53r5:
- AU-11
- AU-4
800-53r4:
- AU-4
- AU-11
@@ -28,10 +31,14 @@ references:
macOS:
- "11.0"
tags:
- cnssi-1253
- 800-53r5_privacy
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

8
rules/audit/audit_settings_failure_notify.yaml
View File

@@ -18,6 +18,9 @@ references:
- CCE-85273-1
cci:
- CCI-001858
800-53r5:
- AU-5(2)
- AU-5
800-53r4:
- AU-5
- AU-5(2)
@@ -30,8 +33,11 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- 800-53r5_low
- 800-53r5_moderate
- 800-53r4_high
- 800-53r5_high
- 800-171
- stig
severity: "medium"
mobileconfig: false

11
rules/auth/auth_pam_login_smartcard_enforce.yaml
View File

@@ -38,6 +38,10 @@ references:
- CCE-85274-9
cci:
- CCI-000366
800-53r5:
- IA-2(1)
- IA-2(2)
- IA-2(8)
800-53r4:
- IA-2(3)
- IA-2(4)
@@ -51,11 +55,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

11
rules/auth/auth_pam_su_smartcard_enforce.yaml
View File

@@ -33,6 +33,10 @@ references:
- CCE-85275-6
cci:
- CCI-000366
800-53r5:
- IA-2(1)
- IA-2(2)
- IA-2(8)
800-53r4:
- IA-2(3)
- IA-2(4)
@@ -46,11 +50,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

11
rules/auth/auth_pam_sudo_smartcard_enforce.yaml
View File

@@ -32,6 +32,10 @@ references:
- CCE-85276-4
cci:
- CCI-000366
800-53r5:
- IA-2(1)
- IA-2(2)
- IA-2(8)
800-53r4:
- IA-2(3)
- IA-2(4)
@@ -46,11 +50,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

9
rules/auth/auth_smartcard_allow.yaml
View File

@@ -17,6 +17,10 @@ references:
- CCE-85277-2
cci:
- N/A
800-53r5:
- IA-2(1)
- IA-2(2)
- IA-2(12)
800-53r4:
- IA-2(12)
- IA-5(11)
@@ -27,10 +31,13 @@ references:
macOS:
- "11.0"
tags:
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- cnssi-1253
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:

4
rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
View File

@@ -19,6 +19,9 @@ references:
- CCE-85278-0
cci:
- CCI-000186
800-53r5:
- IA-5(2)
- SC-17
800-53r4:
- IA-2(12)
- IA-5(2)
@@ -30,6 +33,7 @@ macOS:
- "11.0"
tags:
- 800-53r4_high
- 800-53r5_high
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:

6
rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
View File

@@ -23,6 +23,9 @@ references:
- CCI-001991
- CCI-001953
- CCI-001954
800-53r5:
- IA-5(2)
- SC-17
800-53r4:
- IA-2(12)
- IA-5(2)
@@ -37,8 +40,9 @@ references:
macOS:
- "11.0"
tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r5_moderate
- cnssi-1253
- stig
severity: "medium"
mobileconfig: true

17
rules/auth/auth_smartcard_enforce.yaml
View File

@@ -7,7 +7,7 @@ discussion: |
When enforceSmartCard is set to “true”, the smartcard must be used for login, authorization, and unlocking the screensaver.
CAUTION: enforceSmartCard will apply to the whole system. No users will be able to login with their password unless the profile is removed or a member of the NotEnforced group.
CAUTION: enforceSmartCard will apply to the whole system. No users will be able to login with their password unless the profile is removed or a user is exempt from smartcard enforcement.
NOTE: enforceSmartcard requires allowSmartcard to be set to true in order to work.
check: |
@@ -23,6 +23,14 @@ references:
- CCI-000187
- CCI-000767
- CCI-000768
800-53r5:
- IA-2(1)
- IA-2(2)
- IA-2(6)
- IA-2
- IA-5(2)
- IA-2(12)
- IA-2(8)
800-53r4:
- IA-2
- IA-2(1)
@@ -46,11 +54,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "high"
mobileconfig: true

15
rules/auth/auth_ssh_smartcard_enforce.yaml → rules/auth/auth_ssh_password_authentication_disable.yaml
View File

@@ -1,7 +1,7 @@
id: auth_ssh_smartcard_enforce
title: "Enforce Smartcard Authentication for SSH"
id: auth_ssh_password_authentication_disable
title: "Disable Password Authentication for SSH"
discussion: |
If remote login through SSH is enabled, smartcard authentication _MUST_ be enforced for user login.
If remote login through SSH is enabled, password based authentication _MUST_ be disabled for user login.
All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
@@ -11,7 +11,6 @@ check: |
result:
integer: 2
fix: |
The following commands must be run to disable passcode based authentication for SSHD:
[source,bash]
----
/usr/bin/sed -i.bak_$(date "+%Y-%m-%d_%H:%M") "s|#PasswordAuthentication yes|PasswordAuthentication no|; s|#ChallengeResponseAuthentication yes|ChallengeResponseAuthentication no|" /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
@@ -21,6 +20,14 @@ references:
- CCE-85281-4
cci:
- N/A
800-53r5:
- IA-2(1)
- IA-2(2)
- IA-2(6)
- IA-2
- IA-5(2)
- MA-4
- IA-2(8)
800-53r4:
- IA-2
- IA-2(1)

14
rules/icloud/icloud_addressbook_disable.yaml
View File

@@ -16,8 +16,15 @@ references:
cci:
- CCI-000381
- CCI-001774
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
- AC-20
- AC-20(1)
srg:
@@ -31,11 +38,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "low"
mobileconfig: true

13
rules/icloud/icloud_appleid_prefpane_disable.yaml
View File

@@ -15,8 +15,14 @@ references:
- CCE-85283-0
cci:
- CCI-001774
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
800-53r4:
- CM-7
- CM-7(1)
- AC-20
- AC-20(1)
srg:
@@ -29,11 +35,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "high"
mobileconfig: true

14
rules/icloud/icloud_bookmarks_disable.yaml
View File

@@ -16,8 +16,15 @@ references:
cci:
- CCI-000381
- CCI-001774
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
- AC-20
- AC-20(1)
srg:
@@ -31,11 +38,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: true

14
rules/icloud/icloud_calendar_disable.yaml
View File

@@ -16,8 +16,15 @@ references:
cci:
- CCI-000381
- CCI-001774
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
- AC-20
- AC-20(1)
srg:
@@ -31,11 +38,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "low"
mobileconfig: true

14
rules/icloud/icloud_drive_disable.yaml
View File

@@ -16,8 +16,15 @@ references:
cci:
- CCI-000381
- CCI-001774
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
- AC-20
- AC-20(1)
srg:
@@ -31,11 +38,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: true

14
rules/icloud/icloud_keychain_disable.yaml
View File

@@ -16,8 +16,15 @@ references:
cci:
- CCI-000381
- CCI-001774
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
- AC-20
- AC-20(1)
srg:
@@ -31,11 +38,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: true

14
rules/icloud/icloud_mail_disable.yaml
View File

@@ -16,8 +16,15 @@ references:
cci:
- CCI-000381
- CCI-001774
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
- AC-20
- AC-20(1)
srg:
@@ -31,11 +38,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "low"
mobileconfig: true

14
rules/icloud/icloud_notes_disable.yaml
View File

@@ -16,8 +16,15 @@ references:
cci:
- CCI-000381
- CCI-001774
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
- AC-20
- AC-20(1)
srg:
@@ -31,11 +38,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "low"
mobileconfig: true

14
rules/icloud/icloud_photos_disable.yaml
View File

@@ -16,8 +16,15 @@ references:
cci:
- CCI-000381
- CCI-001774
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
- AC-20
- AC-20(1)
srg:
@@ -31,11 +38,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: true

14
rules/icloud/icloud_reminders_disable.yaml
View File

@@ -16,8 +16,15 @@ references:
cci:
- CCI-000381
- CCI-001774
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
- AC-20
- AC-20(1)
srg:
@@ -31,11 +38,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "low"
mobileconfig: true

14
rules/icloud/icloud_sync_disable.yaml
View File

@@ -15,8 +15,15 @@ references:
- CCE-85292-1
cci:
- N/A
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
800-53r4:
- CM-7
- CM-7(1)
- AC-20
- AC-20(1)
srg:
@@ -30,11 +37,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:

34
rules/os/os_access_control_mobile_devices.yaml Normal file
View File

@@ -0,0 +1,34 @@
id: os_access_control_mobile_devices
title: "Access Control for Mobile Devices"
discussion: |
A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.
Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.
Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- CCE-85464-6
cci:
- N/A
800-53r5:
- AC-19
800-53r4:
- N/A
disa_stig:
- N/A
srg:
- N/A
macOS:
- "11.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- n_a
mobileconfig: false
mobileconfig_info:

16
rules/os/os_airdrop_disable.yaml
View File

@@ -5,7 +5,7 @@ discussion:
AirDrop allows users to share and receive files from other nearby Apple devices.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableAirDrop = 1'
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowAirDrop = 0'
result:
integer: 1
fix: |
@@ -15,10 +15,15 @@ references:
- CCE-85293-9
cci:
- CCI-000381
800-53r5:
- AC-3
- AC-20
- CM-7
- CM-7(1)
800-53r4:
- CM-7
- CM-7(1)
- AC-3
- AC-18
- AC-20
srg:
- SRG-OS-000095-GPOS-00049
@@ -33,11 +38,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: true

2
rules/os/os_allow_info_passed.yaml
View File

@@ -15,6 +15,8 @@ references:
- CCE-85294-7
cci:
- CCI-002165
800-53r5:
- AC-3(4)
800-53r4:
- AC-3(4)
disa_stig:

2
rules/os/os_anti_virus_installed.yaml
View File

@@ -14,6 +14,8 @@ references:
- CCE-85295-4
cci:
- CCI-000366
800-53r5:
- N/A
800-53r4:
- SI-2
srg:

39
rules/os/os_apple_mobile_file_integrity_enforce.yaml Normal file
View File

@@ -0,0 +1,39 @@
id: os_apple_mobile_file_integrity_enforce
title: "Enforce Apple Mobile File Integrity"
discussion: |
Apple Mobile File Integrity (AMFI) is a macOS kernel module that enforces the code-signing validation within Gatekeeper and library validation. AMFI checks the signatures of every app that is run.
NOTE: AMFI is enabled by default on macOS systems.
check: |
/usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1"
result:
integer: 0
fix: |
[source,bash]
----
/usr/sbin/nvram boot-args=""
----
references:
cce:
- CCE-85461-2
cci:
- N/A
800-53r5:
- SI-7(1)
- SI-3
800-53r4:
- N/A
srg:
- N/A
disa_stig:
- N/A
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
mobileconfig: false
mobileconfig_info:

9
rules/os/os_appleid_prompt_disable.yaml
View File

@@ -15,6 +15,8 @@ references:
- CCE-85296-2
cci:
- CCI-000381
800-53r5:
- AC-20
800-53r4:
- AC-20
srg:
@@ -26,11 +28,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: true

32
rules/os/os_application_sandboxing.yaml Normal file
View File

@@ -0,0 +1,32 @@
id: os_application_sandboxing
title: "Ensure Seperate Execution Domain for Processes"
discussion: |
The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing.
link:https://support.apple.com/guide/security/system-integrity-protection-secb7ea06b49/web[]
link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-85474-5
800-53r5:
- SC-39
800-53r4:
- N/A
disa_stig:
- N/A
srg:
- N/A
macOS:
- "11.0"
tags:
- inherent
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
mobileconfig: false
mobileconfig_info:

39
rules/os/os_asl_log_files_owner_group_configure.yaml Normal file
View File

@@ -0,0 +1,39 @@
id: os_asl_log_files_owner_group_configure
title: "Configure Apple System Log Files Owned by Root and Group to Wheel"
discussion: |
The Apple System Logs (ASL) _MUST_ be owned by root.
ASL logs contain sensitive data about the system and users. If ASL log files are set to only be readable and writable by system administrators, the risk is mitigated.
check: |
/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
result:
integer: 0
fix: |
[source,bash]
----
/usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}')
----
references:
cce:
- CCE-85463-8
cci:
- CCI-001314
800-53r5:
- SI-11
800-53r4:
- SI-11
srg:
- SRG-OS-000206-GPOS-00084
disa_stig:
- APPL-11-004001
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- 800-53r5_moderate
- 800-53r5_high
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

37
rules/os/os_asl_log_files_permissions_configure.yaml Normal file
View File

@@ -0,0 +1,37 @@
id: os_asl_log_files_permissions_configure
title: "Configure Apple System Log Files To Mode 640 or Less Permissive"
discussion: |
The Apple System Logs (ASL) _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL log files _MUST_ be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.
check: |
/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
result:
integer: 0
fix: |
[source,bash]
----
/bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk -F":" '!/640/{print $2}')
----
references:
cce:
- CCE-85465-3
cci:
- CCI-001314
800-53r5:
- SI-11
800-53r4:
- SI-11
srg:
- SRG-OS-000206-GPOS-00084
disa_stig:
- APPL-11-004002
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- 800-53r5_moderate
- 800-53r5_high
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

6
rules/os/os_auth_peripherals.yaml
View File

@@ -11,6 +11,8 @@ references:
- CCE-85297-0
cci:
- CCI-001958
800-53r5:
- IA-3
800-53r4:
- IA-3
disa_stig:
@@ -23,9 +25,11 @@ references:
macOS:
- "11.0"
tags:
- cnssi-1253
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_moderate
- 800-53r4_high
- cnssi-1253
- permanent
mobileconfig: false
mobileconfig_info:

19
rules/os/os_authenticated_root_enable.yaml
View File

@@ -1,9 +1,11 @@
id: os_authenticated_root_enable
title: "Enable Authenticated Root"
discussion:
discussion: |
Authenticated Root _MUST_ be enabled.
When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume.
NOTE: Authenticated Root is enabled by default on macOS systems.
check: |
/usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled'
result:
@@ -19,6 +21,13 @@ references:
- CCE-85298-8
cci:
- N/A
800-53r5:
- AC-3
- CM-5
- SC-34
- SI-7(6)
- SI-7
- MA-4(1)
800-53r4:
- AC-3
- CM-5
@@ -36,11 +45,13 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
mobileconfig: false
mobileconfig_info:

11
rules/os/os_bonjour_disable.yaml
View File

@@ -13,8 +13,12 @@ references:
- CCE-85299-6
cci:
- CCI-000381
800-53r5:
- CM-7
- CM-7(1)
800-53r4:
- CM-7
- CM-7(1)
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
@@ -24,11 +28,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: true

12
rules/os/os_calendar_app_disable.yaml
View File

@@ -18,8 +18,13 @@ references:
- CCE-85300-2
cci:
- CCI-000381
800-53r5:
- AC-20
- CM-7
- CM-7(1)
800-53r4:
- CM-7
- CM-7(1)
- AC-20
srg:
- SRG-OS-000095-GPOS-00049
@@ -31,11 +36,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: true

2
rules/os/os_camera_disable.yaml
View File

@@ -15,6 +15,8 @@ references:
- CCI-000381
- CCI-001150
- CCI-001153
800-53r5:
- N/A
800-53r4:
- N/A
srg:

8
rules/os/os_certificate_authority_trust.yaml
View File

@@ -3,7 +3,7 @@ title: "Issue or Obtain Public Key Certificates from an Approved Service Provide
discussion: |
The organization _MUST_ issue or obtain public key certificates from an organization-approved service provider and ensure only approved trust anchors are in the System Keychain.
check: |
/usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/grep labl | awk -F'"' '{ print $4 }'
/usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/awk -F'"' '/labl/ {print $4}'
result:
string: "a list containing approved root certificates"
fix: |
@@ -14,6 +14,8 @@ references:
cci:
- CCI-000185
- CCI-002450
800-53r5:
- SC-17
800-53r4:
- SC-17
disa_stig:
@@ -24,9 +26,11 @@ references:
macOS:
- "11.0"
tags:
- cnssi-1253
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_moderate
- 800-53r4_high
- cnssi-1253
- stig
- manual
severity: "high"

2
rules/os/os_change_security_attributes.yaml
View File

@@ -15,6 +15,8 @@ references:
- CCE-85303-6
cci:
- CCI-002165
800-53r5:
- AC-3(4)
800-53r4:
- AC-3(4)
disa_stig:

42
rules/os/os_config_data_install_enforce.yaml Normal file
View File

@@ -0,0 +1,42 @@
id: os_config_data_install_enforce
title: "Enforce Installation of XProtect, MRT, and Gatekeeper Updates Automatically"
discussion: |
Software Update _MUST_ be configured to update XProtect, MRT, and Gatekeepr automatically.
This setting enforces definition updates for XProtect, MRT, and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted.
link:https://support.apple.com/en-us/HT207005[]
NOTE: Software update will automatically update XProtect, MRT, and Gatekeeper by default in the macOS.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ConfigDataInstall = 1'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-85466-1
cci:
- N/A
800-53r5:
- SI-3
- SI-2(5)
800-53r4:
- N/A
srg:
- N/A
disa_stig:
- N/A
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
mobileconfig: true
mobileconfig_info:
com.apple.SoftwareUpdate:
configdatainstall: true

7
rules/os/os_continuous_monitoring.yaml
View File

@@ -11,6 +11,8 @@ references:
- CCE-85304-4
cci:
- CCI-001233
800-53r5:
- SI-2(2)
800-53r4:
- SI-2(2)
srg:
@@ -21,9 +23,10 @@ macOS:
- "11.0"
tags:
- cnssi-1253
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_moderate
- 800-53r4_high
- permanent
- permanent
mobileconfig: false
mobileconfig_info:

3
rules/os/os_crypto_audit.yaml
View File

@@ -17,6 +17,8 @@ references:
- CCE-85305-1
cci:
- CCI-001496
800-53r5:
- AU-9(3)
800-53r4:
- AU-9(3)
disa_stig:
@@ -26,6 +28,7 @@ references:
macOS:
- "11.0"
tags:
- 800-53r5_high
- 800-53r4_high
- inherent
mobileconfig: false

6
rules/os/os_directory_services_configured.yaml
View File

@@ -1,5 +1,5 @@
id: os_directory_services_configured
title: The macOS system must be integrated into a directory services infrastructure.
title: "The macOS system must be integrated into a directory services infrastructure."
discussion: |
Distinct user account databases on each separate system cause problems with username and password policy enforcement. Most approved directory services infrastructure solutions allow centralized management of users and passwords.
check: |
@@ -7,7 +7,7 @@ check: |
To determine if the system is integrated to a directory service, ask the System Administrator (SA) or Information System Security Officer (ISSO) or run the following command:
/usr/bin/sudo dscl localhost -list . | /usr/bin/grep -vE '(Contact | Search | Local)'
/usr/bin/dscl localhost -list . | /usr/bin/grep -vE '(Contact|Search|Local|^$)'
If nothing is returned, or if the system is not integrated into a directory service infrastructure, this is a finding.
fix: |
@@ -15,6 +15,8 @@ fix: |
references:
cci:
- CCI-000366
800-53r5:
- N/A
800-53r4:
- CM-6(b)
srg:

3
rules/os/os_enforce_access_restrictions.yaml
View File

@@ -15,6 +15,8 @@ references:
- CCE-85306-9
cci:
- CCI-001813
800-53r5:
- CM-5(1)
800-53r4:
- CM-5(1)
disa_stig:
@@ -24,6 +26,7 @@ references:
macOS:
- "11.0"
tags:
- 800-53r5_high
- 800-53r4_high
- inherent
mobileconfig: false

2
rules/os/os_error_message.yaml
View File

@@ -11,6 +11,8 @@ references:
- CCE-85307-7
cci:
- CCI-001312
800-53r5:
- N/A
800-53r4:
- N/A
disa_stig:

14
rules/os/os_facetime_app_disable.yaml
View File

@@ -16,25 +16,33 @@ references:
cci:
- CCI-000381
- CCI-001774
800-53r5:
- AC-20
- CM-7
- CM-7(1)
800-53r4:
- CM-7
- CM-7(1)
- AC-20
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- ASOX-14-002010
- ASOX-11-002010
800-171r2:
- 3.1.20
- 3.4.6
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "low"
mobileconfig: true

3
rules/os/os_fail_secure_state.yaml
View File

@@ -18,6 +18,8 @@ references:
cci:
- CCI-001190
- CCI-001665
800-53r5:
- SC-24
800-53r4:
- SC-24
disa_stig:
@@ -28,6 +30,7 @@ references:
macOS:
- "11.0"
tags:
- 800-53r5_high
- 800-53r4_high
- inherent
mobileconfig: false

37
rules/os/os_filevault_authorized_users.yaml Normal file
View File

@@ -0,0 +1,37 @@
id: os_filevault_authorized_users
title: "FileVault Authorized Users"
discussion: |
macOS _MUST_ be configured to only allow authorized users to unlock FileVault upon startup.
check: |
/usr/bin/fdesetup list | /usr/bin/awk -F',' '{print $1}'
result:
string: "a list containing authorized users that can unlock FileVault"
fix: |
Remove the user that is not authorized to unlock FileVault using the fdesetup command.
[source,bash]
----
/usr/bin/fdesetup remove -user NOT_AUTHORIZED_USERNAME
----
references:
cce:
- CCE-85311-9
cci:
- CCI-002143
800-53r5:
- AC-2(11)
800-53r4:
- N/A
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- APPL-11-000032
macOS:
- "11.0"
tags:
- 800-53r5_high
- stig
- manual
severity: "medium"
mobileconfig: false
mobileconfig_info:

13
rules/os/os_filevault_autologin_disable.yaml
View File

@@ -4,6 +4,8 @@ discussion: |
If FileVault is enabled, automatic login _MUST_ be disabled, so that both FileVault and login window authentication are required.
The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing your FileVault credentials.
NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon based macOS systems that are smartcard enforced as smartcards are available at pre-boot.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableFDEAutoLogin = 1'
result:
@@ -13,6 +15,10 @@ fix: |
references:
cce:
- CCE-85310-1
800-53r5:
- AC-3
- IA-5(13)
- AC-2(11)
800-53r4:
- AC-2(11)
- AC-3
@@ -29,11 +35,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: true

62
rules/os/os_filevault_user_account.yaml
View File

@@ -1,62 +0,0 @@
id: os_filevault_user_account
title: "Dedicated User Account to Decrypt the Hard Disk"
discussion: |
The macOS system _MUST_ be configured with a dedicated user account to decrypt the hard disk upon startup.
When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.
check: |
Ensure that only one FileVault user is defined:
# sudo fdesetup list
fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A
If more than one user is defined, this is a finding.
Verify that the defined FileVault user has been disabled:
# sudo dscl . read /Users/<FileVault_User> AuthenticationAuthority | grep "DisabledUser"
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ;Kerberosv5;;unlock@LKDC:SHA1.20BABA05A6B1A86A8C57581A8487596640A3E37B;LKDC:SHA1.20CEBE04A5B1D92D8C58189D8487593350D3A40A; ;SecureToken; DisabledUser
If the FileVault user is not disabled, this is a finding.
Verify that password forwarding has been disabled on the system:
# sudo defaults read /Library/Preferences/com.apple.loginwindow | grep "DisableFDEAutologin"
DisableFDEAutologin = 1;
If "DisableFDEAutologin" is not set to a value of "1", this is a finding.
fix: |
Create a new user account that will be used to unlock the disk on startup.
Disable the login ability of the newly created user account:
# sudo dscl . append /Users/<FileVault_User> AuthenticationAuthority DisabledUser
Disable FileVaults Auto-login feature:
# sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutologin -bool YES
Remove all FileVault login access from each user account defined on the system that is not the designated FileVault user:
# sudo fdesetup remove -user <username>
references:
cce:
- CCE-85311-9
cci:
- CCI-002143
800-53r4:
- AC-2(11)
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- APPL-11-000032
macOS:
- "11.0"
tags:
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:

10
rules/os/os_firewall_default_deny_require.yaml
View File

@@ -25,6 +25,9 @@ references:
cci:
- CCI-000366
- CCI-002080
800-53r5:
- AC-4
- SC-7(5)
800-53r4:
- SC-7(5)
- AC-4
@@ -38,10 +41,11 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
mobileconfig: false
mobileconfig_info:

10
rules/os/os_firewall_log_enable.yaml
View File

@@ -20,6 +20,9 @@ references:
- CCE-85313-5
cci:
- N/A
800-53r5:
- AU-12
- SC-7
800-53r4:
- SC-7
- AU-12
@@ -36,10 +39,13 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
mobileconfig: false
mobileconfig_info:

10
rules/os/os_firmware_password_require.yaml
View File

@@ -14,6 +14,8 @@ discussion: |
NOTE: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through the use of a machine specific binary generated and provided by Apple. Schedule a support call, and provide proof of purchase before the firmware binary will be generated.
NOTE: Firmware passwords are not supported on Apple Silicon devices.
check: |
/usr/sbin/firmwarepasswd -check | /usr/bin/grep -c "Password Enabled: Yes"
result:
@@ -25,6 +27,8 @@ references:
- CCE-85314-3
cci:
- CCI-000366
800-53r5:
- AC-6
800-53r4:
- AC-6
srg:
@@ -36,10 +40,12 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

13
rules/os/os_gatekeeper_enable.yaml
View File

@@ -20,6 +20,12 @@ references:
- CCE-85315-0
cci:
- CCI-001749
800-53r5:
- CM-14
- CM-5
- SI-7(1)
- SI-7(15)
- SI-3
800-53r4:
- CM-5(3)
- CM-5
@@ -34,10 +40,13 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "high"
mobileconfig: true

9
rules/os/os_gatekeeper_rearm.yaml
View File

@@ -13,6 +13,8 @@ references:
- CCE-85316-8
cci:
- N/A
800-53r5:
- CM-5
800-53r4:
- CM-5
- SI-3
@@ -25,10 +27,13 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
mobileconfig: true
mobileconfig_info:
com.apple.ManagedClient.preferences:

2
rules/os/os_grant_privs.yaml
View File

@@ -15,6 +15,8 @@ references:
- CCE-85317-6
cci:
- CCI-002165
800-53r5:
- AC-3(4)
800-53r4:
- AC-3(4)
disa_stig:

13
rules/os/os_handoff_disable.yaml
View File

@@ -13,10 +13,16 @@ fix: |
references:
cce:
- CCE-85321-8
800-53r5:
- AC-3
- AC-20
- CM-7
- CM-7(1)
800-53r4:
- AC-3
- AC-20
- CM-7
- CM-7(1)
disa_stig:
- N/A
srg:
@@ -31,11 +37,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:

4
rules/os/os_hbss_installed.yaml
View File

@@ -11,9 +11,11 @@ fix: |
Install the approved HBSS solution onto the system.
references:
cce:
- N/A
- CCE-85467-9
cci:
- CCI-001233
800-53r5:
- N/A
800-53r4:
- SI-2(2)
srg:

8
rules/os/os_home_folders_secure.yaml
View File

@@ -22,6 +22,8 @@ references:
- CCE-85322-6
cci:
- CCI-000366
800-53r5:
- AC-6
800-53r4:
- AC-6
srg:
@@ -34,10 +36,12 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

14
rules/os/os_httpd_disable.yaml
View File

@@ -1,7 +1,9 @@
id: os_httpd_disable
title: "Disable the Built-in Web Server"
discussion:
discussion: |
The built-in web server is a non-essential service built into macOS and _MUST_ be disabled.
NOTE: The built in web server service is disabled at startup by default macOS.
check: |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true'
result:
@@ -16,6 +18,9 @@ references:
- CCE-85323-4
cci:
- CCI-000381
800-53r5:
- AC-3
- AC-17
800-53r4:
- AC-3
srg:
@@ -28,11 +33,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: false

9
rules/os/os_icloud_storage_prompt_disable.yaml
View File

@@ -15,6 +15,8 @@ references:
- CCE-85324-2
cci:
- CCI-000381
800-53r5:
- AC-20
800-53r4:
- AC-20
srg:
@@ -26,11 +28,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: true

7
rules/os/os_identify_non-org_users.yaml
View File

@@ -11,6 +11,8 @@ references:
- CCE-85325-9
cci:
- CCI-000804
800-53r5:
- IA-8
800-53r4:
- IA-8
disa_stig:
@@ -20,10 +22,13 @@ references:
macOS:
- "11.0"
tags:
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- cnssi-1253
- n_a
mobileconfig: false
mobileconfig_info:

13
rules/os/os_implement_cryptography.yaml
View File

@@ -5,9 +5,9 @@ discussion: |
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government.
macOS Big Sur has been submitted to an accredited laboratory for testing of the cryptographic module for FIPS 140-3 validation. Once complete the test will be submitted to the National Institute of Standards and Technology (NIST) for validation.
macOS Big Sur has been submitted to the National Institute of Standards and Technology (NIST) and is in review for the cryptographic module for FIPS 140-3 validation.
link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/IUT-List[]
link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List[]
link:https://support.apple.com/en-us/HT201159[]
check: |
@@ -19,6 +19,8 @@ references:
- CCE-85326-7
cci:
- CCI-002450
800-53r5:
- SC-13
800-53r4:
- SC-13
disa_stig:
@@ -30,11 +32,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
- inherent
mobileconfig: false
mobileconfig_info:

6
rules/os/os_implement_memory_protection.yaml
View File

@@ -22,6 +22,8 @@ references:
- CCE-85327-5
cci:
- CCI-002824
800-53r5:
- SI-16
800-53r4:
- SI-16
disa_stig:
@@ -32,9 +34,11 @@ references:
macOS:
- "11.0"
tags:
- cnssi-1253
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_moderate
- 800-53r4_high
- cnssi-1253
- inherent
mobileconfig: false
mobileconfig_info:

33
rules/os/os_information_validation.yaml Normal file
View File

@@ -0,0 +1,33 @@
id: os_information_validation
title: "Information Input Validation"
discussion: |
Check the validity of the following information inputs: organization-defined information inputs to the systems.
Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of "387," "abc," or "%K%" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks.
check: |
This requirement is NA for this technology.
fix: |
The requirement is NA. No fix is required.
references:
cce:
- CCE-85476-0
cci:
- N/A
800-53r5:
- SI-10
800-53r4:
- N/A
800-171r2:
- N/A
disa_stig:
- N/A
srg:
- N/A
macOS:
- "11.0"
tags:
- 800-53r5_moderate
- 800-53r5_high
- n_a
mobileconfig: false
mobileconfig_info:

10
rules/os/os_internet_accounts_prefpane_disable.yaml
View File

@@ -19,6 +19,9 @@ references:
cci:
- CCI-001774
- CCI-000381
800-53r5:
- CM-7(5)
- AC-20
800-53r4:
- AC-20
- CM-7(5)
@@ -32,11 +35,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cnssi-1253
- stig
severity: "medium"
mobileconfig: true

14
rules/os/os_ir_support_disable.yaml
View File

@@ -5,7 +5,7 @@ discussion: |
By default, if IR is enabled, the system will accept IR control from any remote device.
Note: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1.
NOTE: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DeviceEnabled = 0'
result:
@@ -17,8 +17,13 @@ references:
- CCE-85329-1
cci:
- CCI-000366
800-53r5:
- AC-18
- CM-7
- CM-7(1)
800-53r4:
- CM-7
- CM-7(1)
- AC-18
srg:
- SRG-OS-000480-GPOS-00227
@@ -30,11 +35,14 @@ references:
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253
mobileconfig: true
mobileconfig_info:
com.apple.ManagedClient.preferences:

Some files were not shown because too many files have changed in this diff Show More