diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index ee58e8ca..4368700e 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc 
@@ -2,6 +2,61 @@ This document provides a high-level view of the changes to the macOS Security Compliance Project. +== [Big Sur, Revision 3] - 2021-07-26 + +* Rules +** Added Rules +*** audit_record_reduction_report_generation.yaml +*** audit_records_processing.yaml +*** os_access_control_mobile_devices.yaml +*** os_apple_mobile_file_integrity_enforce.yaml +*** os_application_sandboxing.yaml +*** os_asl_log_files_owner_group_configure.yaml +*** os_asl_log_files_permissions_configure.yaml +*** os_config_data_install_enforce.yaml +*** os_filevault_authorized_users.yaml +*** os_information_validation.yaml +*** os_malicious_code_prevention.yaml +*** os_managed_access_control_points.yaml +*** os_newsyslog_files_owner_group_configure.yaml +*** os_newsyslog_files_permissions_configure.yaml +*** os_non_repudiation.yaml +*** os_pii_deidentification.yaml +*** os_pii_quality_control.yaml +*** os_privacy_principle_minimization.yaml +*** os_prohibit_remote_activation_collab_devices.yaml +*** os_secure_enclave.yaml +*** sysprefs_critical_update_install_enforce.yaml +** Renamed Rules +*** auth_ssh_password_authentication_disable.yaml +*** sysprefs_guest_access_smb_disable.yaml +*** sysprefs_guest_account_disable.yaml +*** sysprefs_system_wide_preferences_configure.yaml +** Deleted Rules +*** os_filevault_user_account.yaml +*** os_system_log_files_owner_group_configure.yaml +*** os_system_log_files_permissions_configure.yaml +** Bug Fixes + +* Baselines +** Added NIST 800-53 Rev 5 (Low, Moderate, High, and Privacy) +** Removed NIST 800-53 Rev 5 (Low, Moderate, and High) +** Modified existing baselines + +* Scripts +** generate_guidanace +*** Added additional flags to the compliance scipt generated (--stats, --compliant, and --non_compliant) link:https://github.com/usnistgov/macos_security/pull/64[#64] +** generate_baseline +*** Added `-k all_rules` to generate a baseline containing all the rules +*** Bug fixes +** yaml-to-oval +*** Bug fixes +** Added generate_mapping.py to 
generate custom rules from a mapping between compliance frameworks + +* SCAP +** Included SCAP 1.3 datastream file only +** Removed macos-cpe-dictionary.xml, macos-cpe-oval.xml, ocil.xml, oval.xml, xccdf.html, and xccdf.xml + == [Big Sur, Revision 2] - 2021-03-18 * Rules diff --git a/README.adoc b/README.adoc index 4a06ca24..59fc7890 100644 --- a/README.adoc +++ b/README.adoc 
@@ -21,9 +21,9 @@ image:https://badgen.net/badge/icon/apple?icon=apple&label[link="https://www.app image:https://badgen.net/badge/icon/11.0?icon=apple&label[link="https://www.apple.com/macos"] endif::[] -The macOS Security Compliance Project is an link:LICENSE.md[open source] effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Recommended Security Controls for Federal Information Systems and Organizations_, Revision 4. This is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL). +The macOS Security Compliance Project is an link:LICENSE.md[open source] effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Security and Privacy Controls for Information Systems and Organizations_, Revision 5. This is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL). -This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 4). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization. 
+This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization. To learn more about the project, please see the {uri-repo}/wiki[wiki]. diff --git a/SCAP/html-to-xccdf.xsl b/SCAP/html-to-xccdf.xsl index 4b3020b1..3cb2f899 100644 --- a/SCAP/html-to-xccdf.xsl +++ b/SCAP/html-to-xccdf.xsl @@ -344,7 +344,7 @@ - + xccdf_{$xccdf-namespace}_profile_{.} @@ -474,7 +474,7 @@ - https://nvd.nist.gov/800-53/Rev4/control/ + https://nvd.nist.gov/800-53/Rev5/control/ @@ -487,7 +487,7 @@ - NIST SP 800-53r4 + NIST SP 800-53r5 diff --git a/VERSION.yaml b/VERSION.yaml index deef3d4e..7b1c5402 100644 --- a/VERSION.yaml +++ b/VERSION.yaml @@ -1,3 +1,3 @@ os: "11.0" -version: "Big Sur, Revision 2" -date: "2021-03-18" \ No newline at end of file +version: "Big Sur, Revision 3" +date: "2021-07-26" diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml index 79ab9cc2..5ba76126 100644 --- a/baselines/800-171.yaml +++ b/baselines/800-171.yaml @@ -1,6 +1,7 @@ -title: "macOS 11.0: Security Configuration - 800-171" +title: "macOS 11: Security Configuration - NIST 800-171 Rev 2" description: | - This guide describes the actions to take when securing a 11.0 system against the NIST SP 800-171. + This guide describes the actions to take when securing a macOS 11 system against the 800-171 Rev 2 baseline. +profile: profile: - section: "authentication" rules: 
@@ -31,21 +32,20 @@ profile: - section: "macos" rules: - os_firewall_default_deny_require - - os_ssh_server_alive_count_max_configure - os_firmware_password_require - os_gatekeeper_rearm - os_root_disable - - os_guest_account_disable - os_password_proximity_disable - os_mdm_require - os_screensaver_loginwindow_enforce - os_handoff_disable - os_firewall_log_enable - - os_system_wide_preferences_configure + - os_ssh_server_alive_interval_configure - os_tftpd_disable - os_password_autofill_disable - os_password_sharing_disable - os_ssh_fips_140_ciphers + - os_authenticated_root_enable - os_uucp_disable - os_policy_banner_loginwindow_enforce - os_touchid_prompt_disable @@ -53,13 +53,12 @@ profile: - os_messages_app_disable - os_airdrop_disable - os_parental_controls_enable + - os_ssh_server_alive_count_max_configure - os_nfsd_disable - os_httpd_disable - os_gatekeeper_enable - os_sip_enable - - os_authenticated_root_enable - os_removable_media_disable - - os_guest_access_smb_disable - os_time_server_enabled - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable @@ -71,7 +70,6 @@ profile: - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - section: "passwordpolicy" 
@@ -103,27 +101,30 @@ profile: - icloud_addressbook_disable - section: "systempreferences" rules: + - sysprefs_automatic_logout_enforce - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable + - sysprefs_system_wide_preferences_configure - sysprefs_rae_disable - - sysprefs_ssh_disable + - sysprefs_personalized_advertising_disable + - sysprefs_guest_access_smb_disable - sysprefs_media_sharing_disabled + - sysprefs_ssh_disable - sysprefs_screensaver_password_enforce + - sysprefs_guest_account_disable - sysprefs_gatekeeper_identified_developers_allowed - sysprefs_gatekeeper_override_disallow - sysprefs_screensaver_timeout_enforce - sysprefs_firewall_enable - sysprefs_find_my_disable - - sysprefs_afp_disable - sysprefs_content_caching_disable - sysprefs_location_services_disable - sysprefs_time_server_configure + - sysprefs_power_nap_disable - sysprefs_diagnostics_reports_disable - sysprefs_bluetooth_disable - sysprefs_loginwindow_prompt_username_password_enforce - - sysprefs_power_nap_disable - sysprefs_automatic_login_disable - sysprefs_apple_watch_unlock_disable - sysprefs_token_removal_enforce @@ -137,12 +138,12 @@ profile: - sysprefs_password_hints_disable - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - - sysprefs_automatic_logout_enforce - section: "Inherent" rules: - os_prevent_priv_functions - os_logical_access - os_implement_cryptography + - os_separate_functionality - os_obscure_password - os_store_encrypted_passwords - os_prevent_unauthorized_disclosure 
@@ -150,15 +151,14 @@ profile: - section: "Permanent" rules: - pwpolicy_50_percent - - sysprefs_wifi_disable + - sysprefs_wifi_disable_when_connected_to_ethernet - section: "not_applicable" - rules: + rules: - os_nonlocal_maintenance - section: "Supplemental" rules: - supplemental_firewall_pf - supplemental_filevault - supplemental_password_policy - - supplemental_smartcard - supplemental_controls - + - supplemental_smartcard diff --git a/baselines/800-53_high.yaml b/baselines/800-53r5_high.yaml similarity index 81% rename from baselines/800-53_high.yaml rename to baselines/800-53r5_high.yaml index bed41163..2f6c51c0 100644 --- a/baselines/800-53_high.yaml +++ b/baselines/800-53r5_high.yaml @@ -1,6 +1,6 @@ -title: "macOS 11.0: Security Configuration - 800-53 High" +title: "macOS 11 Security Configuration:NIST SP 800-53 Rev 5 High Impact Security Baseline" description: | - This guide describes the actions to take when securing a macOS 11.0 system against the NIST SP 800-53 HIGH baseline. + This guide describes the actions to take when securing a macOS 11 system against the NIST SP 800-53 Rev. 5 High-Impact Security Baseline. profile: - section: "authentication" rules: @@ -12,6 +12,7 @@ profile: - auth_pam_su_smartcard_enforce - section: "auditing" rules: + - audit_flags_fd_configure - audit_folder_group_configure - audit_failure_halt - audit_acls_folders_configure 
@@ -34,23 +35,28 @@ profile: - audit_acls_files_configure - section: "macos" rules: + - os_newsyslog_files_owner_group_configure - os_firewall_default_deny_require - - os_ssh_server_alive_count_max_configure - os_firmware_password_require + - os_apple_mobile_file_integrity_enforce - os_gatekeeper_rearm - os_root_disable - - os_guest_account_disable - os_password_proximity_disable - os_mdm_require - os_screensaver_loginwindow_enforce - os_handoff_disable - os_firewall_log_enable - - os_system_wide_preferences_configure + - os_ssh_server_alive_interval_configure - os_tftpd_disable - os_password_autofill_disable + - os_asl_log_files_permissions_configure - os_password_sharing_disable - os_ssh_fips_140_ciphers + - os_authenticated_root_enable + - os_config_data_install_enforce + - os_filevault_authorized_users - os_secure_boot_verify + - os_sudoers_tty_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce - os_touchid_prompt_disable 
@@ -59,32 +65,33 @@ profile: - os_airdrop_disable - os_parental_controls_enable - os_system_read_only + - os_ssh_server_alive_count_max_configure - os_nfsd_disable - os_httpd_disable + - os_asl_log_files_owner_group_configure - os_gatekeeper_enable - os_sip_enable - - os_authenticated_root_enable - os_removable_media_disable - - os_guest_access_smb_disable - os_time_server_enabled - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable - os_siri_prompt_disable - os_appleid_prompt_disable - os_certificate_authority_trust + - os_newsyslog_files_permissions_configure - os_ssh_fips_140_macs - os_home_folders_secure - os_facetime_app_disable - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - section: "passwordpolicy" rules: - pwpolicy_account_inactivity_enforce - pwpolicy_history_enforce + - pwpolicy_temporary_or_emergency_accounts_disable - pwpolicy_account_lockout_enforce - pwpolicy_simple_sequence_disable - pwpolicy_lower_case_character_enforce 
@@ -110,31 +117,36 @@ profile: - icloud_addressbook_disable - section: "systempreferences" rules: - - sysprefs_media_sharing_disabled + - sysprefs_automatic_logout_enforce - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable + - sysprefs_system_wide_preferences_configure - sysprefs_rae_disable + - sysprefs_personalized_advertising_disable + - sysprefs_guest_access_smb_disable + - sysprefs_media_sharing_disabled - sysprefs_ssh_disable - sysprefs_screensaver_password_enforce + - sysprefs_critical_update_install_enforce + - sysprefs_guest_account_disable - sysprefs_gatekeeper_identified_developers_allowed - sysprefs_gatekeeper_override_disallow - sysprefs_screensaver_timeout_enforce - sysprefs_firewall_enable - sysprefs_find_my_disable - - sysprefs_afp_disable - sysprefs_content_caching_disable - sysprefs_location_services_disable - sysprefs_time_server_configure + - sysprefs_power_nap_disable - sysprefs_diagnostics_reports_disable - sysprefs_bluetooth_disable - sysprefs_loginwindow_prompt_username_password_enforce - - sysprefs_power_nap_disable - sysprefs_automatic_login_disable - sysprefs_apple_watch_unlock_disable - sysprefs_token_removal_enforce - sysprefs_screensaver_ask_for_password_delay_enforce + - sysprefs_wifi_disable - sysprefs_time_server_enforce - sysprefs_touchid_unlock_disable - sysprefs_screen_sharing_disable 
@@ -144,19 +156,24 @@ profile: - sysprefs_password_hints_disable - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - - sysprefs_automatic_logout_enforce - section: "Inherent" rules: + - audit_record_reduction_report_generation - os_enforce_access_restrictions - os_limit_gui_sessions - os_prevent_priv_functions - os_logical_access - os_fail_secure_state + - os_application_sandboxing - os_implement_memory_protection - os_implement_cryptography + - os_separate_functionality - os_obscure_password + - os_reauth_users_change_authenticators + - os_unique_identification - os_isolate_security_functions - os_required_crypto_module + - os_malicious_code_prevention - os_store_encrypted_passwords - os_prevent_unauthorized_disclosure - os_crypto_audit @@ -165,27 +182,27 @@ profile: - pwpolicy_emergency_accounts_disable - section: "Permanent" rules: - - os_secure_name_resolution - - os_notify_account_enable + - audit_records_processing + - os_reauth_devices_change_authenticators - os_provide_automated_account_management - - os_notify_account_created - - os_notify_account_modified - - os_notify_account_removal + - os_secure_name_resolution + - os_prohibit_remote_activation_collab_devices - os_auth_peripherals - os_continuous_monitoring - - os_notify_account_disabled - os_protect_dos_attacks - - pwpolicy_50_percent - - sysprefs_wifi_disable + - sysprefs_wifi_disable_when_connected_to_ethernet - section: "not_applicable" rules: - - os_identify_non-org_users + - os_information_validation + - os_access_control_mobile_devices + - os_managed_access_control_points - os_nonlocal_maintenance + - os_identify_non-org_users + - os_non_repudiation - section: "Supplemental" rules: - supplemental_firewall_pf - supplemental_filevault - supplemental_password_policy - - supplemental_smartcard - supplemental_controls - + - supplemental_smartcard 
diff --git a/baselines/800-53_low.yaml b/baselines/800-53r5_low.yaml similarity index 78% rename from baselines/800-53_low.yaml rename to baselines/800-53r5_low.yaml index 8e029c62..5c4ee4d8 100644 --- a/baselines/800-53_low.yaml +++ b/baselines/800-53r5_low.yaml @@ -1,6 +1,6 @@ -title: "macOS 11.0: Security Configuration - 800-53 Low" +title: "macOS 11 Security Configuration:NIST SP 800-53 Rev 5 Low Impact Security Baseline" description: | - This guide describes the actions to take when securing a macOS 11.0 system against the NIST SP 800-53 LOW baseline. + This guide describes the actions to take when securing a macOS 11 system against the NIST SP 800-53 Rev. 5 Low-Impact Security Baseline. profile: - section: "authentication" rules: @@ -11,6 +11,7 @@ profile: - auth_pam_su_smartcard_enforce - section: "auditing" rules: + - audit_flags_fd_configure - audit_folder_group_configure - audit_failure_halt - audit_acls_folders_configure @@ -23,6 +24,7 @@ profile: - audit_files_owner_configure - audit_retention_configure - audit_flags_fr_configure + - audit_settings_failure_notify - audit_folder_owner_configure - audit_flags_lo_configure - audit_flags_fw_configure @@ -31,6 +33,8 @@ profile: - audit_acls_files_configure - section: "macos" rules: + - os_apple_mobile_file_integrity_enforce + - os_gatekeeper_rearm - os_root_disable - os_password_proximity_disable - os_mdm_require @@ -40,6 +44,9 @@ profile: - os_password_autofill_disable - os_password_sharing_disable - os_ssh_fips_140_ciphers + - os_authenticated_root_enable + - os_config_data_install_enforce + - os_sudoers_tty_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce - os_touchid_prompt_disable 
@@ -48,10 +55,10 @@ profile: - os_airdrop_disable - os_nfsd_disable - os_httpd_disable + - os_gatekeeper_enable - os_sip_enable - - os_authenticated_root_enable - - os_guest_account_disable - - os_guest_access_smb_disable + - os_removable_media_disable + - os_time_server_enabled - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable - os_siri_prompt_disable @@ -65,7 +72,6 @@ profile: - os_calendar_app_disable - section: "passwordpolicy" rules: - - pwpolicy_account_inactivity_enforce - pwpolicy_history_enforce - pwpolicy_account_lockout_enforce - pwpolicy_simple_sequence_disable 
@@ -92,49 +98,63 @@ profile: - icloud_addressbook_disable - section: "systempreferences" rules: - - sysprefs_media_sharing_disabled - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable - sysprefs_rae_disable + - sysprefs_personalized_advertising_disable + - sysprefs_guest_access_smb_disable + - sysprefs_media_sharing_disabled + - sysprefs_ssh_disable + - sysprefs_critical_update_install_enforce + - sysprefs_guest_account_disable + - sysprefs_gatekeeper_identified_developers_allowed + - sysprefs_gatekeeper_override_disallow + - sysprefs_screensaver_timeout_enforce - sysprefs_firewall_enable - sysprefs_find_my_disable - - sysprefs_afp_disable - sysprefs_content_caching_disable - sysprefs_location_services_disable - - sysprefs_diagnostics_reports_disable - - sysprefs_loginwindow_prompt_username_password_enforce + - sysprefs_time_server_configure - sysprefs_power_nap_disable + - sysprefs_diagnostics_reports_disable + - sysprefs_bluetooth_disable + - sysprefs_loginwindow_prompt_username_password_enforce - sysprefs_automatic_login_disable + - sysprefs_wifi_disable + - sysprefs_time_server_enforce - sysprefs_screen_sharing_disable - sysprefs_siri_disable - sysprefs_password_hints_disable - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - - sysprefs_ssh_disable - section: "Inherent" rules: - os_logical_access + - os_application_sandboxing - os_implement_cryptography - os_obscure_password + - os_reauth_users_change_authenticators + - os_unique_identification - os_required_crypto_module + - os_malicious_code_prevention - os_store_encrypted_passwords - pwpolicy_force_password_change - section: "Permanent" rules: + - os_reauth_devices_change_authenticators - os_secure_name_resolution + - os_prohibit_remote_activation_collab_devices - os_protect_dos_attacks - - pwpolicy_50_percent - section: "not_applicable" rules: - - os_identify_non-org_users + - 
os_access_control_mobile_devices - os_nonlocal_maintenance + - os_identify_non-org_users - section: "Supplemental" rules: - supplemental_firewall_pf - supplemental_filevault - supplemental_password_policy - - supplemental_smartcard - supplemental_controls - + - supplemental_smartcard diff --git a/baselines/800-53_moderate.yaml b/baselines/800-53r5_moderate.yaml similarity index 80% rename from baselines/800-53_moderate.yaml rename to baselines/800-53r5_moderate.yaml index 8216e699..5f7fcd23 100644 --- a/baselines/800-53_moderate.yaml +++ b/baselines/800-53r5_moderate.yaml @@ -1,6 +1,6 @@ -title: "macOS 11.0: Security Configuration - 800-53 Moderate" +title: "macOS 11 Security Configuration:NIST SP 800-53 Rev 5 Moderate Impact Security Baseline" description: | - This guide describes the actions to take when securing a 11.0 system against the NIST SP 800-53 MODERATE baseline. + This guide describes the actions to take when securing a macOS 11 system against the NIST SP 800-53 Rev. 5 Moderate-Impact Security Baseline. profile: - section: "authentication" rules: @@ -12,6 +12,7 @@ profile: - auth_pam_su_smartcard_enforce - section: "auditing" rules: + - audit_flags_fd_configure - audit_folder_group_configure - audit_failure_halt - audit_acls_folders_configure @@ -24,6 +25,7 @@ profile: - audit_files_owner_configure - audit_retention_configure - audit_flags_fr_configure + - audit_settings_failure_notify - audit_folder_owner_configure - audit_flags_lo_configure - audit_flags_fw_configure @@ -32,9 +34,10 @@ profile: - audit_acls_files_configure - section: "macos" rules: + - os_newsyslog_files_owner_group_configure - os_firewall_default_deny_require - - os_ssh_server_alive_count_max_configure - os_firmware_password_require + - os_apple_mobile_file_integrity_enforce - os_gatekeeper_rearm - os_root_disable - os_password_proximity_disable 
@@ -42,11 +45,16 @@ profile: - os_screensaver_loginwindow_enforce - os_handoff_disable - os_firewall_log_enable - - os_system_wide_preferences_configure + - os_ssh_server_alive_interval_configure - os_tftpd_disable - os_password_autofill_disable + - os_asl_log_files_permissions_configure - os_password_sharing_disable - os_ssh_fips_140_ciphers + - os_authenticated_root_enable + - os_config_data_install_enforce + - os_secure_boot_verify + - os_sudoers_tty_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce - os_touchid_prompt_disable @@ -55,33 +63,33 @@ profile: - os_airdrop_disable - os_parental_controls_enable - os_system_read_only + - os_ssh_server_alive_count_max_configure - os_nfsd_disable - os_httpd_disable + - os_asl_log_files_owner_group_configure - os_gatekeeper_enable - os_sip_enable - - os_authenticated_root_enable - os_removable_media_disable - - os_guest_account_disable - - os_guest_access_smb_disable - os_time_server_enabled - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable - os_siri_prompt_disable - os_appleid_prompt_disable - os_certificate_authority_trust + - os_newsyslog_files_permissions_configure - os_ssh_fips_140_macs - os_home_folders_secure - os_facetime_app_disable - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - section: "passwordpolicy" rules: - pwpolicy_account_inactivity_enforce - pwpolicy_history_enforce + - pwpolicy_temporary_or_emergency_accounts_disable - pwpolicy_account_lockout_enforce - pwpolicy_simple_sequence_disable - pwpolicy_lower_case_character_enforce 
@@ -107,31 +115,36 @@ profile: - icloud_addressbook_disable - section: "systempreferences" rules: - - sysprefs_media_sharing_disabled + - sysprefs_automatic_logout_enforce - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable + - sysprefs_system_wide_preferences_configure - sysprefs_rae_disable + - sysprefs_personalized_advertising_disable + - sysprefs_guest_access_smb_disable + - sysprefs_media_sharing_disabled - sysprefs_ssh_disable - sysprefs_screensaver_password_enforce + - sysprefs_critical_update_install_enforce + - sysprefs_guest_account_disable - sysprefs_gatekeeper_identified_developers_allowed - sysprefs_gatekeeper_override_disallow - sysprefs_screensaver_timeout_enforce - sysprefs_firewall_enable - sysprefs_find_my_disable - - sysprefs_afp_disable - sysprefs_content_caching_disable - sysprefs_location_services_disable - sysprefs_time_server_configure + - sysprefs_power_nap_disable - sysprefs_diagnostics_reports_disable - sysprefs_bluetooth_disable - sysprefs_loginwindow_prompt_username_password_enforce - - sysprefs_power_nap_disable - sysprefs_automatic_login_disable - sysprefs_apple_watch_unlock_disable - sysprefs_token_removal_enforce - sysprefs_screensaver_ask_for_password_delay_enforce + - sysprefs_wifi_disable - sysprefs_time_server_enforce - sysprefs_touchid_unlock_disable - sysprefs_screen_sharing_disable 
@@ -141,15 +154,20 @@ profile: - sysprefs_password_hints_disable - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - - sysprefs_automatic_logout_enforce - section: "Inherent" rules: + - audit_record_reduction_report_generation - os_prevent_priv_functions - os_logical_access + - os_application_sandboxing - os_implement_memory_protection - os_implement_cryptography + - os_separate_functionality - os_obscure_password + - os_reauth_users_change_authenticators + - os_unique_identification - os_required_crypto_module + - os_malicious_code_prevention - os_store_encrypted_passwords - os_prevent_unauthorized_disclosure - pwpolicy_temporary_accounts_disable @@ -157,27 +175,26 @@ profile: - pwpolicy_emergency_accounts_disable - section: "Permanent" rules: - - os_secure_name_resolution - - os_notify_account_enable + - audit_records_processing + - os_reauth_devices_change_authenticators - os_provide_automated_account_management - - os_notify_account_created - - os_notify_account_modified - - os_notify_account_removal + - os_secure_name_resolution + - os_prohibit_remote_activation_collab_devices - os_auth_peripherals - os_continuous_monitoring - - os_notify_account_disabled - os_protect_dos_attacks - - pwpolicy_50_percent - - sysprefs_wifi_disable + - sysprefs_wifi_disable_when_connected_to_ethernet - section: "not_applicable" rules: - - os_identify_non-org_users + - os_information_validation + - os_access_control_mobile_devices + - os_managed_access_control_points - os_nonlocal_maintenance + - os_identify_non-org_users - section: "Supplemental" rules: - supplemental_firewall_pf - supplemental_filevault - supplemental_password_policy - - supplemental_smartcard - supplemental_controls - \ No newline at end of file + - supplemental_smartcard diff --git a/baselines/DISA-STIG.yaml b/baselines/DISA-STIG.yaml index ce2d81c3..1fb11849 100644 --- a/baselines/DISA-STIG.yaml +++ b/baselines/DISA-STIG.yaml 
@@ -1,6 +1,6 @@ -title: "macOS 11.0: Security Configuration - DISA STIG" +title: "macOS 11: Security Configuration - DISA STIG" description: | - This guide describes the actions to take when securing a macOS 11.0 system against the DISA STIG. + This guide describes the actions to take when securing a macOS 11 system against the DISA STIG baseline. profile: - section: "authentication" rules: @@ -34,24 +34,22 @@ profile: - section: "macos" rules: - os_sshd_login_grace_time_configure + - os_newsyslog_files_owner_group_configure - os_firmware_password_require - - os_filevault_user_account - - os_guest_account_disable - os_policy_banner_ssh_enforce - os_anti_virus_installed - os_screensaver_loginwindow_enforce - os_sshd_key_exchange_algorithm_configure - - os_system_wide_preferences_configure - os_tftpd_disable - os_sshd_client_alive_interval_configure - - os_system_log_files_owner_group_configure + - os_asl_log_files_permissions_configure - os_sshd_client_alive_count_max_configure - os_privacy_setup_prompt_disable + - os_filevault_authorized_users - os_sudoers_tty_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce - os_user_app_installation_prohibit - - os_system_log_files_permissions_configure - os_hbss_installed - os_filevault_autologin_disable - os_messages_app_disable @@ -59,6 +57,7 @@ profile: - os_nfsd_disable - os_sshd_permit_root_login_configure - os_httpd_disable + - os_asl_log_files_owner_group_configure - os_gatekeeper_enable - os_sip_enable - os_policy_banner_ssh_configure @@ -70,6 +69,8 @@ profile: - os_sshd_fips_140_ciphers - os_sshd_fips_140_macs - os_certificate_authority_trust + - os_newsyslog_files_permissions_configure + - os_ssh_fips_140_macs - os_home_folders_secure - os_facetime_app_disable - os_camera_disable 
@@ -104,9 +105,11 @@ profile: - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - sysprefs_internet_sharing_disable + - sysprefs_system_wide_preferences_configure - sysprefs_rae_disable - sysprefs_ssh_disable - sysprefs_screensaver_password_enforce + - sysprefs_guest_account_disable - sysprefs_gatekeeper_identified_developers_allowed - sysprefs_gatekeeper_override_disallow - sysprefs_screensaver_timeout_enforce diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index e9e962c3..011d94a8 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -1,19 +1,20 @@ -title: "macOS 11.0: Security Configuration - All Rules" +title: "macOS 11: Security Configuration - All Rules" description: | - This guide describes the actions to take when securing a macOS 11.0 system using every available rule. + This guide describes the actions to take when securing a macOS 11 system against the all_rules baseline. profile: - section: "authentication" rules: - auth_pam_login_smartcard_enforce - auth_smartcard_allow - auth_pam_sudo_smartcard_enforce - - auth_ssh_smartcard_enforce - auth_smartcard_certificate_trust_enforce_high - auth_smartcard_certificate_trust_enforce_moderate - auth_smartcard_enforce - auth_pam_su_smartcard_enforce + - auth_ssh_password_authentication_disable - section: "auditing" rules: + - audit_flags_fd_configure - audit_folder_group_configure - audit_failure_halt - audit_acls_folders_configure 
@@ -36,69 +37,78 @@ profile: - audit_acls_files_configure - section: "macos" rules: + - os_sshd_login_grace_time_configure + - os_newsyslog_files_owner_group_configure - os_firewall_default_deny_require - - os_ssh_server_alive_count_max_configure - os_firmware_password_require + - os_apple_mobile_file_integrity_enforce - os_gatekeeper_rearm - os_root_disable - - os_guest_account_disable - os_policy_banner_ssh_enforce - os_password_proximity_disable - os_mdm_require + - os_anti_virus_installed - os_screensaver_loginwindow_enforce - os_handoff_disable + - os_sshd_key_exchange_algorithm_configure - os_firewall_log_enable - - os_system_wide_preferences_configure + - os_ssh_server_alive_interval_configure - os_tftpd_disable - os_password_autofill_disable + - os_sshd_client_alive_interval_configure + - os_asl_log_files_permissions_configure - os_password_sharing_disable - os_ssh_fips_140_ciphers - - os_sshd_login_grace_time_configure + - os_authenticated_root_enable + - os_config_data_install_enforce + - os_sshd_client_alive_count_max_configure - os_privacy_setup_prompt_disable + - os_filevault_authorized_users - os_secure_boot_verify - os_sudoers_tty_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce - os_user_app_installation_prohibit - os_touchid_prompt_disable + - os_hbss_installed - os_filevault_autologin_disable - os_messages_app_disable - os_airdrop_disable - os_parental_controls_enable - os_system_read_only + - os_ssh_server_alive_count_max_configure - os_nfsd_disable + - os_sshd_permit_root_login_configure - os_httpd_disable + - os_asl_log_files_owner_group_configure - os_gatekeeper_enable - os_sip_enable - - os_authenticated_root_enable - os_removable_media_disable - - os_guest_access_smb_disable - os_policy_banner_ssh_configure - os_time_server_enabled - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable - os_siri_prompt_disable - os_appleid_prompt_disable + - os_directory_services_configured + - 
os_sshd_fips_140_ciphers + - os_sshd_fips_140_macs - os_certificate_authority_trust + - os_newsyslog_files_permissions_configure - os_ssh_fips_140_macs - os_home_folders_secure - os_facetime_app_disable - os_camera_disable - os_icloud_storage_prompt_disable - - os_sshd_permit_root_login_configure - os_ir_support_disable - os_mail_app_disable - - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - - os_sshd_client_alive_count_max_configure - - os_sshd_client_alive_interval_configure - - os_sshd_fips_140_ciphers - - os_sshd_fips_140_macs - section: "passwordpolicy" rules: - pwpolicy_account_inactivity_enforce - pwpolicy_history_enforce + - pwpolicy_temporary_or_emergency_accounts_disable - pwpolicy_account_lockout_enforce - pwpolicy_simple_sequence_disable - pwpolicy_lower_case_character_enforce 
@@ -124,32 +134,37 @@ profile: - icloud_addressbook_disable - section: "systempreferences" rules: + - sysprefs_automatic_logout_enforce - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable + - sysprefs_system_wide_preferences_configure - sysprefs_rae_disable + - sysprefs_personalized_advertising_disable - sysprefs_ssh_enable - - sysprefs_ssh_disable + - sysprefs_guest_access_smb_disable - sysprefs_media_sharing_disabled + - sysprefs_ssh_disable - sysprefs_screensaver_password_enforce + - sysprefs_critical_update_install_enforce + - sysprefs_guest_account_disable - sysprefs_gatekeeper_identified_developers_allowed - sysprefs_gatekeeper_override_disallow - sysprefs_screensaver_timeout_enforce - sysprefs_firewall_enable - sysprefs_find_my_disable - - sysprefs_afp_disable - sysprefs_content_caching_disable - sysprefs_location_services_disable - sysprefs_time_server_configure + - sysprefs_power_nap_disable - sysprefs_diagnostics_reports_disable - sysprefs_bluetooth_disable - sysprefs_loginwindow_prompt_username_password_enforce - - sysprefs_power_nap_disable - sysprefs_automatic_login_disable - sysprefs_apple_watch_unlock_disable - sysprefs_token_removal_enforce - sysprefs_screensaver_ask_for_password_delay_enforce + - sysprefs_wifi_disable - sysprefs_time_server_enforce - sysprefs_touchid_unlock_disable - sysprefs_screen_sharing_disable @@ -159,9 +174,9 @@ profile: - sysprefs_password_hints_disable - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - - sysprefs_automatic_logout_enforce - section: "Inherent" rules: + - audit_record_reduction_report_generation - os_enforce_access_restrictions - os_limit_gui_sessions - os_prevent_priv_functions 
@@ -169,6 +184,7 @@ profile: - os_verify_remote_disconnection - os_logoff_capability_and_message - os_fail_secure_state + - os_application_sandboxing - os_limit_auditable_events - os_prevent_priv_execution - os_allow_info_passed @@ -177,14 +193,17 @@ profile: - os_implement_memory_protection - os_implement_cryptography - os_remote_access_methods + - os_separate_functionality - os_obscure_password - os_predictable_behavior - os_reauth_users_change_authenticators - os_map_pki_identity + - os_secure_enclave - os_unique_identification - os_provide_disconnect_remote_access - os_isolate_security_functions - os_required_crypto_module + - os_malicious_code_prevention - os_grant_privs - os_store_encrypted_passwords - os_prevent_unauthorized_disclosure @@ -193,7 +212,6 @@ profile: - os_mfa_network_access - os_peripherals_identify - os_error_message - - os_separate_functionality - os_crypto_audit - os_reauth_privilege - pwpolicy_temporary_accounts_disable @@ -202,15 +220,17 @@ profile: - section: "Permanent" rules: - audit_off_load_records + - audit_records_processing - audit_enforce_dual_auth - audit_alert_processing_fail - - os_secure_name_resolution - os_reauth_devices_change_authenticators - os_notify_account_enable - os_provide_automated_account_management + - os_secure_name_resolution - os_notify_account_created - os_notify_account_modified - os_notify_account_removal + - os_prohibit_remote_activation_collab_devices - os_auth_peripherals - os_limit_dos_attacks - os_continuous_monitoring 
@@ -219,20 +239,22 @@ profile: - os_notify_unauthorized_baseline_change - pwpolicy_50_percent - pwpolicy_prevent_dictionary_words - - sysprefs_wifi_disable + - sysprefs_wifi_disable_when_connected_to_ethernet - section: "not_applicable" rules: - - os_identify_non-org_users + - os_information_validation + - os_privacy_principle_minimization + - os_access_control_mobile_devices + - os_managed_access_control_points + - os_pii_deidentification - os_nonlocal_maintenance - - section: "srg" - rules: - - os_filevault_user_account - - os_anti_virus_installed + - os_identify_non-org_users + - os_pii_quality_control + - os_non_repudiation - section: "Supplemental" rules: - supplemental_firewall_pf - supplemental_filevault - supplemental_password_policy - - supplemental_smartcard - supplemental_controls - + - supplemental_smartcard diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml index ff74ab85..8cdf23f1 100644 --- a/baselines/cnssi-1253.yaml +++ b/baselines/cnssi-1253.yaml @@ -1,6 +1,6 @@ -title: "macOS 11.0: Security Configuration - CNSSI-1253" +title: "macOS 11: Security Configuration - CNSSI-1253" description: | - This guide describes the actions to take when securing a macOS 11.0 system against the CNSSI-1253 baseline. + This guide describes the actions to take when securing a macOS 11 system against the CNSSI-1253 baseline. profile: - section: "authentication" rules: @@ -33,7 +33,6 @@ profile: - section: "macos" rules: - os_firewall_default_deny_require - - os_ssh_server_alive_count_max_configure - os_firmware_password_require - os_gatekeeper_rearm - os_root_disable 
@@ -42,11 +41,12 @@ profile: - os_screensaver_loginwindow_enforce - os_handoff_disable - os_firewall_log_enable - - os_system_wide_preferences_configure + - os_ssh_server_alive_interval_configure - os_tftpd_disable - os_password_autofill_disable - os_password_sharing_disable - os_ssh_fips_140_ciphers + - os_authenticated_root_enable - os_sudoers_tty_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce @@ -55,14 +55,12 @@ profile: - os_messages_app_disable - os_airdrop_disable - os_parental_controls_enable + - os_ssh_server_alive_count_max_configure - os_nfsd_disable - os_httpd_disable - os_gatekeeper_enable - os_sip_enable - - os_authenticated_root_enable - os_removable_media_disable - - os_guest_account_disable - - os_guest_access_smb_disable - os_time_server_enabled - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable @@ -75,7 +73,6 @@ profile: - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - section: "passwordpolicy" 
@@ -107,31 +104,34 @@ profile: - icloud_addressbook_disable - section: "systempreferences" rules: - - sysprefs_media_sharing_disabled + - sysprefs_automatic_logout_enforce - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable + - sysprefs_system_wide_preferences_configure - sysprefs_rae_disable + - sysprefs_personalized_advertising_disable + - sysprefs_guest_access_smb_disable - sysprefs_ssh_disable - sysprefs_screensaver_password_enforce + - sysprefs_guest_account_disable - sysprefs_gatekeeper_identified_developers_allowed - sysprefs_gatekeeper_override_disallow - sysprefs_screensaver_timeout_enforce - sysprefs_firewall_enable - sysprefs_find_my_disable - - sysprefs_afp_disable - sysprefs_content_caching_disable - sysprefs_location_services_disable - sysprefs_time_server_configure + - sysprefs_power_nap_disable - sysprefs_diagnostics_reports_disable - sysprefs_bluetooth_disable - sysprefs_loginwindow_prompt_username_password_enforce - - sysprefs_power_nap_disable - sysprefs_automatic_login_disable - sysprefs_apple_watch_unlock_disable - sysprefs_token_removal_enforce - sysprefs_screensaver_ask_for_password_delay_enforce + - sysprefs_wifi_disable - sysprefs_time_server_enforce - sysprefs_touchid_unlock_disable - sysprefs_screen_sharing_disable @@ -141,13 +141,13 @@ profile: - sysprefs_password_hints_disable - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - - sysprefs_automatic_logout_enforce - section: "Inherent" rules: - os_prevent_priv_functions - os_logical_access - os_implement_memory_protection - os_implement_cryptography + - os_separate_functionality - os_obscure_password - os_map_pki_identity - os_required_crypto_module 
@@ -158,9 +158,9 @@ profile: - pwpolicy_emergency_accounts_disable - section: "Permanent" rules: - - os_secure_name_resolution - os_notify_account_enable - os_provide_automated_account_management + - os_secure_name_resolution - os_notify_account_created - os_notify_account_modified - os_notify_account_removal @@ -169,16 +169,15 @@ profile: - os_notify_account_disabled - os_protect_dos_attacks - pwpolicy_50_percent - - sysprefs_wifi_disable + - sysprefs_wifi_disable_when_connected_to_ethernet - section: "not_applicable" rules: - - os_identify_non-org_users - os_nonlocal_maintenance + - os_identify_non-org_users - section: "Supplemental" rules: - supplemental_firewall_pf - supplemental_filevault - supplemental_password_policy - - supplemental_smartcard - supplemental_controls - + - supplemental_smartcard diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index 8e0a74a8..fefcfe33 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -19,6 +19,9 @@ references: cci: - CCI-000162 - CCI-001314 + 800-53r5: + - SI-11 + - AU-9 800-53r4: - AU-9 - SI-11 @@ -32,11 +35,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_moderate + - 800-53r5_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml index 03129bf0..ebc8a4b3 100644 --- a/rules/audit/audit_acls_folders_configure.yaml +++ b/rules/audit/audit_acls_folders_configure.yaml @@ -18,6 +18,8 @@ references: - CCE-85252-5 cci: - CCI-000162 + 800-53r5: + - AU-9 800-53r4: - AU-9 srg: 
@@ -29,11 +31,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_alert_processing_fail.yaml b/rules/audit/audit_alert_processing_fail.yaml index 70f7f361..76c1b428 100644 --- a/rules/audit/audit_alert_processing_fail.yaml +++ b/rules/audit/audit_alert_processing_fail.yaml @@ -11,6 +11,8 @@ references: - CCE-85253-3 cci: - CCI-000139 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index 4c2c4b10..9a58577b 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -8,6 +8,8 @@ discussion: | The content required to be captured in an audit record varies based on the impact level of an organization’s system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked. The information system initiates session audits at system start-up. + + NOTE: Security auditing is enabled by default on macOS. check: | /bin/launchctl list | /usr/bin/grep -c com.apple.auditd result: @@ -34,6 +36,16 @@ references: - CCI-001890 - CCI-001914 - CCI-002130 + 800-53r5: + - AU-3 + - AU-3(1) + - AU-8 + - AU-12 + - AU-12(1) + - AU-12(3) + - AU-14(1) + - MA-4(1) + - CM-5(1) 800-53r4: - AU-3 - AU-3(1) @@ -65,11 +77,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false 
diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml index 83826ecc..5a89dff8 100644 --- a/rules/audit/audit_configure_capacity_notify.yaml +++ b/rules/audit/audit_configure_capacity_notify.yaml @@ -18,6 +18,8 @@ references: - CCE-85255-8 cci: - CCI-001855 + 800-53r5: + - AU-5(1) 800-53r4: - AU-5(1) srg: @@ -27,6 +29,7 @@ references: macOS: - "11.0" tags: + - 800-53r5_high - 800-53r4_high - stig severity: "medium" diff --git a/rules/audit/audit_enforce_dual_auth.yaml b/rules/audit/audit_enforce_dual_auth.yaml index 6391654d..e08c0cd2 100644 --- a/rules/audit/audit_enforce_dual_auth.yaml +++ b/rules/audit/audit_enforce_dual_auth.yaml @@ -16,6 +16,8 @@ references: cci: - CCI-000366 - CCI-001896 + 800-53r5: + - AU-9(5) 800-53r4: - AU-9(5) disa_stig: diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index 3f48f3c9..a8845c6e 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml @@ -5,19 +5,21 @@ discussion: | Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. check: | - /usr/bin/grep -Ec "^policy.*ahlt" /etc/security/audit_control + /usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt' result: integer: 1 fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^policy/ s/$/,ahlt/' /etc/security/audit_control; /usr/sbin/audit -s + /usr/bin/sed -i.bak 's/^policy.*/policy: ahlt,argv/' /etc/security/audit_control; /usr/sbin/audit -s ---- references: cce: - CCE-85257-4 cci: - CCI-000140 + 800-53r5: + - AU-5 800-53r4: - AU-5 srg: 
@@ -29,11 +31,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml index 7086bd8d..eeb97d90 100644 --- a/rules/audit/audit_files_group_configure.yaml +++ b/rules/audit/audit_files_group_configure.yaml @@ -13,13 +13,15 @@ result: fix: | [source,bash] ---- - /usr/bin/chgrp -R wheel $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') + /usr/bin/chgrp -R wheel $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')/* ---- references: cce: - CCE-85258-2 cci: - CCI-000162 + 800-53r5: + - AU-9 800-53r4: - AU-9 srg: @@ -31,11 +33,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml index af56b699..24289610 100644 --- a/rules/audit/audit_files_mode_configure.yaml +++ b/rules/audit/audit_files_mode_configure.yaml @@ -9,13 +9,15 @@ result: fix: | [source,bash] ---- - /bin/chmod 440 $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') + /bin/chmod 440 $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')/* ---- references: cce: - CCE-85259-0 cci: - CCI-000162 + 800-53r5: + - AU-9 800-53r4: - AU-9 srg: @@ -27,11 +29,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false 
diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml index 26659c2d..ee75f582 100644 --- a/rules/audit/audit_files_owner_configure.yaml +++ b/rules/audit/audit_files_owner_configure.yaml @@ -13,13 +13,15 @@ result: fix: | [source,bash] ---- - /usr/sbin/chown -R root $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') + /usr/sbin/chown -R root $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')/* ---- references: cce: - CCE-85260-8 cci: - CCI-000162 + 800-53r5: + - AU-9 800-53r4: - AU-9 srg: @@ -31,11 +33,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index cb993d8e..98a47c0a 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml @@ -7,19 +7,25 @@ discussion: | Audit records can be generated from various components within the information system (e.g., via a module or policy filter). check: | - /usr/bin/grep -Ec "^flags.*aa" /etc/security/audit_control + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'aa' result: integer: 1 fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*[^-]aa" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s ---- references: cce: - CCE-85261-6 cci: - CCI-000172 + 800-53r5: + - AC-2(12) + - AU-12 + - AU-2 + - MA-4(1) + - CM-5(1) 800-53r4: - AU-2 - AU-12 
@@ -37,11 +43,15 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_privacy - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index 5301dd45..19beb409 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -8,14 +8,16 @@ discussion: | Audit records can be generated from various components within the information system (e.g., via a module or policy filter). The information system audits the execution of privileged functions. + + NOTE: We recommend changing the line "43127:AUE_MAC_SYSCALL:mac_syscall(2):ad" to "43127:AUE_MAC_SYSCALL:mac_syscall(2):zz" in the file /etc/security/audit_event. This will prevent sandbox violations from being audited by the ad flag. check: | - /usr/bin/grep -Ec "^flags.*ad" /etc/security/audit_control + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ad' result: integer: 1 fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*[^-]ad" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s ---- references: cce: @@ -28,6 +30,14 @@ references: - CCI-001405 - CCI-002234 - CCI-002884 + 800-53r5: + - AC-2(12) + - AC-6(9) + - AU-12 + - AC-2(4) + - AU-2 + - MA-4(1) + - CM-5(1) 800-53r4: - AU-2 - AC-2(4) @@ -54,11 +64,15 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_privacy - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_moderate + - 800-53r5_high + - 800-53r5_low + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false 
diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index 25095593..a67ce6f6 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml @@ -8,19 +8,24 @@ discussion: | This configuration ensures that audit lists include events in which program execution has failed. Without auditing the enforcement of program execution, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | - /usr/bin/grep -Ec "^flags.*-ex" /etc/security/audit_control + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-ex' result: integer: 1 fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,-ex/' /etc/security/audit_control; /usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*-ex" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-ex/' /etc/security/audit_control; /usr/sbin/audit -s ---- references: cce: - CCE-85263-2 cci: - N/A + 800-53r5: + - AC-2(12) + - AU-12 + - AU-2 + - CM-5(1) 800-53r4: - AU-2 - AU-12 @@ -35,11 +40,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_privacy - 800-53r4_low - 800-53r4_moderate - 800-53r4_high - + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index 02d4b948..947a649f 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml 
@@ -9,13 +9,13 @@ discussion: | Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | - /usr/bin/grep -Ec "^flags.*-fd" /etc/security/audit_control + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fd' result: integer: 1 fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s ---- references: cce: @@ -23,6 +23,13 @@ references: cci: - CCI-000172 - CCI-001814 + 800-53r5: + - AC-2(12) + - AU-12 + - AU-2 + - AU-9 + - CM-5(1) + - MA-4(1) 800-53r4: - AU-2 - AU-12 @@ -47,6 +54,10 @@ references: macOS: - "11.0" tags: + - 800-53r5_privacy + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index e3e8b912..5668884a 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -1,7 +1,7 @@ id: audit_flags_fm_configure -title: "Configure System to Audit All Change of Object Attributes" +title: "Configure System to Audit All Failed Change of Object Attributes" discussion: | - The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm). + The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (fm). Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). 
@@ -9,13 +9,13 @@ discussion: | Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | - /usr/bin/grep -Ec "^flags.*fm" /etc/security/audit_control + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fm' result: integer: 1 fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control;/usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*-fm" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fm/' /etc/security/audit_control;/usr/sbin/audit -s ---- references: cce: @@ -23,6 +23,13 @@ references: cci: - CCI-000172 - CCI-001814 + 800-53r5: + - AC-2(12) + - AU-12 + - AU-2 + - AU-9 + - CM-5(1) + - MA-4(1) 800-53r4: - AU-2 - AU-12 @@ -49,11 +56,15 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_privacy - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index 561d294f..754d9cec 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml 
@@ -9,13 +9,13 @@ discussion: | Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | - /usr/bin/grep -Ec "^flags.*-fr" /etc/security/audit_control + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fr' result: integer: 1 fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,-fr/' /etc/security/audit_control;/usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*-fr" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fr/' /etc/security/audit_control;/usr/sbin/audit -s ---- references: cce: @@ -23,6 +23,13 @@ references: cci: - CCI-000172 - CCI-001814 + 800-53r5: + - AC-2(12) + - AU-12 + - AU-2 + - AU-9 + - CM-5(1) + - MA-4(1) 800-53r4: - AU-2 - AU-12 @@ -49,11 +56,15 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_privacy - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index 6dded9fe..b4a6335f 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml 
@@ -9,19 +9,26 @@ discussion: | Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | - /usr/bin/grep -Ec "^flags.*-fw" /etc/security/audit_control + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fw' result: integer: 1 fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,-fw/' /etc/security/audit_control;/usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*-fw" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fw/' /etc/security/audit_control;/usr/sbin/audit -s ---- references: cce: - CCE-85266-5 cci: - CCI-000162 + 800-53r5: + - AC-2(12) + - AU-12 + - AU-2 + - AU-9 + - CM-5(1) + - MA-4(1) 800-53r4: - AU-2 - AU-12 @@ -48,11 +55,15 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_privacy - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index ceb373e5..6cce40cc 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -7,13 +7,13 @@ discussion: | The information system monitors login and logout events. check: | - /usr/bin/grep -Ec "^flags*.lo" /etc/security/audit_control + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'lo' result: integer: 1 fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*[^-]lo" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/sbin/audit -s ---- references: cce: 
@@ -21,6 +21,12 @@ references: cci: - CCI-000067 - CCI-000172 + 800-53r5: + - AC-2(12) + - AU-12 + - AC-17(1) + - AU-2 + - MA-4(1) 800-53r4: - AU-2 - AC-17(1) @@ -38,11 +44,15 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_privacy - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml index 9f7eddc1..3797c791 100644 --- a/rules/audit/audit_folder_group_configure.yaml +++ b/rules/audit/audit_folder_group_configure.yaml @@ -20,6 +20,8 @@ references: - CCE-85268-1 cci: - CCI-000162 + 800-53r5: + - AU-9 800-53r4: - AU-9 srg: @@ -31,11 +33,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml index 7db1de93..f04a1fb6 100644 --- a/rules/audit/audit_folder_owner_configure.yaml +++ b/rules/audit/audit_folder_owner_configure.yaml @@ -20,6 +20,8 @@ references: - CCE-85269-9 cci: - CCI-000162 + 800-53r5: + - AU-9 800-53r4: - AU-9 srg: @@ -31,11 +33,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml index 18cbda04..9e042f5c 100644 --- a/rules/audit/audit_folders_mode_configure.yaml +++ b/rules/audit/audit_folders_mode_configure.yaml 
@@ -20,6 +20,8 @@ references: - CCI-000162 - CCI-000163 - CCI-000164 + 800-53r5: + - AU-9 800-53r4: - AU-9 srg: @@ -33,11 +35,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml index ce101e2d..48ec84bd 100644 --- a/rules/audit/audit_off_load_records.yaml +++ b/rules/audit/audit_off_load_records.yaml @@ -15,6 +15,8 @@ references: - CCE-85271-5 cci: - CCI-001851 + 800-53r5: + - AU-4(1) 800-53r4: - AU-4(1) disa_stig: diff --git a/rules/audit/audit_record_reduction_report_generation.yaml b/rules/audit/audit_record_reduction_report_generation.yaml new file mode 100644 index 00000000..a5ff6ec9 --- /dev/null +++ b/rules/audit/audit_record_reduction_report_generation.yaml 
@@ -0,0 +1,36 @@ +id: audit_record_reduction_report_generation +title: "Audit Record Reduction and Report Generation" +discussion: | + The system _IS_ configured with the ability provide and implement an audit record reduction and report generation capability. + + Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient. + + Audit record reduction and report generation can be done with tools built into macOS such as auditreduce and praudit. These tools are protected by System Integrity Protection (SIP). +check: | + The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. +fix: | + The technology inherently meets this requirement. No fix is required. +references: + cce: + - CCE-85461-2 + cci: + - N/A + 800-53r5: + - AU-7 + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_high + - 800-53r4_high + - 800-53r5_moderate + - inherent +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_records_processing.yaml b/rules/audit/audit_records_processing.yaml new file mode 100644 index 00000000..61d47899 --- /dev/null +++ b/rules/audit/audit_records_processing.yaml 
@@ -0,0 +1,34 @@ +id: audit_records_processing +title: "Audit Record Reduction and Report Generation" +discussion: | + The macOS should be configured to provide and implement the capability to process, sort, and search audit records for events of interest based on organizationally defined fields. + + Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component. +check: | + The technology does not support this requirement. This is an applicable-does not meet finding. +fix: | + This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. +references: + cce: + - CCE-85462-0 + cci: + - N/A + 800-53r5: + - AU-7(1) + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_high + - 800-53r4_high + - 800-53r5_moderate + - permanent +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index 68fc74cf..995c352a 100644 --- a/rules/audit/audit_retention_configure.yaml +++ b/rules/audit/audit_retention_configure.yaml @@ -18,6 +18,9 @@ references: - CCE-85272-3 cci: - CCI-001849 + 800-53r5: + - AU-11 + - AU-4 800-53r4: - AU-4 - AU-11 @@ -28,10 +31,14 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_privacy - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - cnssi-1253 - stig severity: "medium" mobileconfig: false 
diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml index 7ac711bc..1e85fcf9 100644 --- a/rules/audit/audit_settings_failure_notify.yaml +++ b/rules/audit/audit_settings_failure_notify.yaml @@ -18,6 +18,9 @@ references: - CCE-85273-1 cci: - CCI-001858 + 800-53r5: + - AU-5(2) + - AU-5 800-53r4: - AU-5 - AU-5(2) @@ -30,8 +33,11 @@ references: macOS: - "11.0" tags: - - 800-171 + - 800-53r5_low + - 800-53r5_moderate - 800-53r4_high + - 800-53r5_high + - 800-171 - stig severity: "medium" mobileconfig: false diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml index 600d1ef3..e44cd526 100644 --- a/rules/auth/auth_pam_login_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml @@ -38,6 +38,10 @@ references: - CCE-85274-9 cci: - CCI-000366 + 800-53r5: + - IA-2(1) + - IA-2(2) + - IA-2(8) 800-53r4: - IA-2(3) - IA-2(4) @@ -51,11 +55,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml index 417c8d66..4295f675 100644 --- a/rules/auth/auth_pam_su_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml @@ -33,6 +33,10 @@ references: - CCE-85275-6 cci: - CCI-000366 + 800-53r5: + - IA-2(1) + - IA-2(2) + - IA-2(8) 800-53r4: - IA-2(3) - IA-2(4) @@ -46,11 +50,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false 
diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml index 2204504d..bf3ba162 100644 --- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml @@ -32,6 +32,10 @@ references: - CCE-85276-4 cci: - CCI-000366 + 800-53r5: + - IA-2(1) + - IA-2(2) + - IA-2(8) 800-53r4: - IA-2(3) - IA-2(4) @@ -46,11 +50,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml index d334a8e5..46487092 100644 --- a/rules/auth/auth_smartcard_allow.yaml +++ b/rules/auth/auth_smartcard_allow.yaml @@ -17,6 +17,10 @@ references: - CCE-85277-2 cci: - N/A + 800-53r5: + - IA-2(1) + - IA-2(2) + - IA-2(12) 800-53r4: - IA-2(12) - IA-5(11) @@ -27,10 +31,13 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.security.smartcard: diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml index 71371c72..3c99fa0f 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml @@ -19,6 +19,9 @@ references: - CCE-85278-0 cci: - CCI-000186 + 800-53r5: + - IA-5(2) + - SC-17 800-53r4: - IA-2(12) - IA-5(2) @@ -30,6 +33,7 @@ macOS: - "11.0" tags: - 800-53r4_high + - 800-53r5_high mobileconfig: true mobileconfig_info: com.apple.security.smartcard: 
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml index eeec375e..11de0e23 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml @@ -23,6 +23,9 @@ references: - CCI-001991 - CCI-001953 - CCI-001954 + 800-53r5: + - IA-5(2) + - SC-17 800-53r4: - IA-2(12) - IA-5(2) @@ -37,8 +40,9 @@ references: macOS: - "11.0" tags: - - cnssi-1253 - 800-53r4_moderate + - 800-53r5_moderate + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index 99314c07..591aeb14 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml @@ -7,7 +7,7 @@ discussion: | When enforceSmartCard is set to “true”, the smartcard must be used for login, authorization, and unlocking the screensaver. - CAUTION: enforceSmartCard will apply to the whole system. No users will be able to login with their password unless the profile is removed or a member of the NotEnforced group. + CAUTION: enforceSmartCard will apply to the whole system. No users will be able to login with their password unless the profile is removed or a user is exempt from smartcard enforcement. NOTE: enforceSmartcard requires allowSmartcard to be set to true in order to work. check: | @@ -23,6 +23,14 @@ references: - CCI-000187 - CCI-000767 - CCI-000768 + 800-53r5: + - IA-2(1) + - IA-2(2) + - IA-2(6) + - IA-2 + - IA-5(2) + - IA-2(12) + - IA-2(8) 800-53r4: - IA-2 - IA-2(1) @@ -46,11 +54,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "high" mobileconfig: true 
diff --git a/rules/auth/auth_ssh_smartcard_enforce.yaml b/rules/auth/auth_ssh_password_authentication_disable.yaml similarity index 78% rename from rules/auth/auth_ssh_smartcard_enforce.yaml rename to rules/auth/auth_ssh_password_authentication_disable.yaml index ce66f851..815abb8f 100644 --- a/rules/auth/auth_ssh_smartcard_enforce.yaml +++ b/rules/auth/auth_ssh_password_authentication_disable.yaml @@ -1,7 +1,7 @@ -id: auth_ssh_smartcard_enforce -title: "Enforce Smartcard Authentication for SSH" +id: auth_ssh_password_authentication_disable +title: "Disable Password Authentication for SSH" discussion: | - If remote login through SSH is enabled, smartcard authentication _MUST_ be enforced for user login. + If remote login through SSH is enabled, password based authentication _MUST_ be disabled for user login. All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. @@ -11,7 +11,6 @@ check: | result: integer: 2 fix: | - The following commands must be run to disable passcode based authentication for SSHD: [source,bash] ---- /usr/bin/sed -i.bak_$(date "+%Y-%m-%d_%H:%M") "s|#PasswordAuthentication yes|PasswordAuthentication no|; s|#ChallengeResponseAuthentication yes|ChallengeResponseAuthentication no|" /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd @@ -21,6 +20,14 @@ references: - CCE-85281-4 cci: - N/A + 800-53r5: + - IA-2(1) + - IA-2(2) + - IA-2(6) + - IA-2 + - IA-5(2) + - MA-4 + - IA-2(8) 800-53r4: - IA-2 - IA-2(1) diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index 9c0d2efe..c22e5ef0 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -16,8 +16,15 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + - SC-7(10) 800-53r4: - CM-7 + - CM-7(1) - AC-20 - AC-20(1) srg: 
@@ -31,11 +38,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "low" mobileconfig: true diff --git a/rules/icloud/icloud_appleid_prefpane_disable.yaml b/rules/icloud/icloud_appleid_prefpane_disable.yaml index af99bc00..44ce2d72 100644 --- a/rules/icloud/icloud_appleid_prefpane_disable.yaml +++ b/rules/icloud/icloud_appleid_prefpane_disable.yaml @@ -15,8 +15,14 @@ references: - CCE-85283-0 cci: - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) 800-53r4: - CM-7 + - CM-7(1) - AC-20 - AC-20(1) srg: @@ -29,11 +35,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "high" mobileconfig: true diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index 87819382..f5cd619c 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml @@ -16,8 +16,15 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + - SC-7(10) 800-53r4: - CM-7 + - CM-7(1) - AC-20 - AC-20(1) srg: @@ -31,11 +38,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index 25c178de..b54b3856 100644 --- a/rules/icloud/icloud_calendar_disable.yaml +++ b/rules/icloud/icloud_calendar_disable.yaml 
@@ -16,8 +16,15 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + - SC-7(10) 800-53r4: - CM-7 + - CM-7(1) - AC-20 - AC-20(1) srg: @@ -31,11 +38,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "low" mobileconfig: true diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index 4454a9ed..3e0ba3a2 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -16,8 +16,15 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + - SC-7(10) 800-53r4: - CM-7 + - CM-7(1) - AC-20 - AC-20(1) srg: @@ -31,11 +38,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index 17f5016c..927363a5 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml @@ -16,8 +16,15 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + - SC-7(10) 800-53r4: - CM-7 + - CM-7(1) - AC-20 - AC-20(1) srg: @@ -31,11 +38,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index ecdd7a5e..9a390c31 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml 
@@ -16,8 +16,15 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + - SC-7(10) 800-53r4: - CM-7 + - CM-7(1) - AC-20 - AC-20(1) srg: @@ -31,11 +38,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "low" mobileconfig: true diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index 908eb428..b8882128 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml @@ -16,8 +16,15 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + - SC-7(10) 800-53r4: - CM-7 + - CM-7(1) - AC-20 - AC-20(1) srg: @@ -31,11 +38,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "low" mobileconfig: true diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index ca081cda..da7853be 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml @@ -16,8 +16,15 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + - SC-7(10) 800-53r4: - CM-7 + - CM-7(1) - AC-20 - AC-20(1) srg: @@ -31,11 +38,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index f1d6063f..057d5e85 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml 
@@ -16,8 +16,15 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + - SC-7(10) 800-53r4: - CM-7 + - CM-7(1) - AC-20 - AC-20(1) srg: @@ -31,11 +38,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "low" mobileconfig: true diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index 1dfeb7a1..6a31aef5 100644 --- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml @@ -15,8 +15,15 @@ references: - CCE-85292-1 cci: - N/A + 800-53r5: + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + - SC-7(10) 800-53r4: - CM-7 + - CM-7(1) - AC-20 - AC-20(1) srg: @@ -30,11 +37,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_access_control_mobile_devices.yaml b/rules/os/os_access_control_mobile_devices.yaml new file mode 100644 index 00000000..5c8607f7 --- /dev/null +++ b/rules/os/os_access_control_mobile_devices.yaml 
@@ -0,0 +1,34 @@ +id: os_access_control_mobile_devices +title: "Access Control for Mobile Devices" +discussion: | + A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems. + + Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. 
+ + Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. +check: | + The technology does not support this requirement. This is an applicable-does not meet finding. +fix: | + This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. +references: + cce: + - CCE-85464-6 + cci: + - N/A + 800-53r5: + - AC-19 + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - n_a +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 609470d2..8330b415 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -5,7 +5,7 @@ discussion: AirDrop allows users to share and receive files from other nearby Apple devices. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableAirDrop = 1' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowAirDrop = 0' result: integer: 1 fix: | @@ -15,10 +15,15 @@ references: - CCE-85293-9 cci: - CCI-000381 + 800-53r5: + - AC-3 + - AC-20 + - CM-7 + - CM-7(1) 800-53r4: - CM-7 + - CM-7(1) - AC-3 - - AC-18 - AC-20 srg: - SRG-OS-000095-GPOS-00049 @@ -33,11 +38,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true 
diff --git a/rules/os/os_allow_info_passed.yaml b/rules/os/os_allow_info_passed.yaml index e1715c9f..79635bd0 100644 --- a/rules/os/os_allow_info_passed.yaml +++ b/rules/os/os_allow_info_passed.yaml @@ -15,6 +15,8 @@ references: - CCE-85294-7 cci: - CCI-002165 + 800-53r5: + - AC-3(4) 800-53r4: - AC-3(4) disa_stig: diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml index a1b28be7..cde46e3a 100644 --- a/rules/os/os_anti_virus_installed.yaml +++ b/rules/os/os_anti_virus_installed.yaml @@ -14,6 +14,8 @@ references: - CCE-85295-4 cci: - CCI-000366 + 800-53r5: + - N/A 800-53r4: - SI-2 srg: diff --git a/rules/os/os_apple_mobile_file_integrity_enforce.yaml b/rules/os/os_apple_mobile_file_integrity_enforce.yaml new file mode 100644 index 00000000..83270d18 --- /dev/null +++ b/rules/os/os_apple_mobile_file_integrity_enforce.yaml @@ -0,0 +1,39 @@ +id: os_apple_mobile_file_integrity_enforce +title: "Enforce Apple Mobile File Integrity" +discussion: | + Apple Mobile File Integrity (AMFI) is a macOS kernel module that enforces the code-signing validation within Gatekeeper and library validation. AMFI checks the signatures of every app that is run. + + NOTE: AMFI is enabled by default on macOS systems. +check: | + /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1" +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/sbin/nvram boot-args="" + ---- +references: + cce: + - CCE-85461-2 + cci: + - N/A + 800-53r5: + - SI-7(1) + - SI-3 + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml index c8d35572..ece0335e 100644 --- a/rules/os/os_appleid_prompt_disable.yaml +++ b/rules/os/os_appleid_prompt_disable.yaml 
@@ -15,6 +15,8 @@ references: - CCE-85296-2 cci: - CCI-000381 + 800-53r5: + - AC-20 800-53r4: - AC-20 srg: @@ -26,11 +28,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/os/os_application_sandboxing.yaml b/rules/os/os_application_sandboxing.yaml new file mode 100644 index 00000000..b0986763 --- /dev/null +++ b/rules/os/os_application_sandboxing.yaml @@ -0,0 +1,32 @@ +id: os_application_sandboxing +title: "Ensure Seperate Execution Domain for Processes" +discussion: | + The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing. + + link:https://support.apple.com/guide/security/system-integrity-protection-secb7ea06b49/web[] + + link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html[] +check: | + The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. +fix: | + The technology inherently meets this requirement. No fix is required. +references: + cce: + - CCE-85474-5 + 800-53r5: + - SC-39 + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - inherent + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml new file mode 100644 index 00000000..99592693 --- /dev/null +++ b/rules/os/os_asl_log_files_owner_group_configure.yaml 
@@ -0,0 +1,39 @@ +id: os_asl_log_files_owner_group_configure +title: "Configure Apple System Log Files Owned by Root and Group to Wheel" +discussion: | + The Apple System Logs (ASL) _MUST_ be owned by root. + + ASL logs contain sensitive data about the system and users. If ASL log files are set to only be readable and writable by system administrators, the risk is mitigated. +check: | + /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}') + ---- +references: + cce: + - CCE-85463-8 + cci: + - CCI-001314 + 800-53r5: + - SI-11 + 800-53r4: + - SI-11 + srg: + - SRG-OS-000206-GPOS-00084 + disa_stig: + - APPL-11-004001 + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_moderate + - 800-53r5_high + - stig +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml new file mode 100644 index 00000000..33fdd066 --- /dev/null +++ b/rules/os/os_asl_log_files_permissions_configure.yaml 
@@ -0,0 +1,37 @@ +id: os_asl_log_files_permissions_configure +title: "Configure Apple System Log Files To Mode 640 or Less Permissive" +discussion: | + The Apple System Logs (ASL) _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL log files _MUST_ be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk. +check: | + /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' +result: + integer: 0 +fix: | + [source,bash] + ---- + /bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk -F":" '!/640/{print $2}') + ---- +references: + cce: + - CCE-85465-3 + cci: + - CCI-001314 + 800-53r5: + - SI-11 + 800-53r4: + - SI-11 + srg: + - SRG-OS-000206-GPOS-00084 + disa_stig: + - APPL-11-004002 + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_moderate + - 800-53r5_high + - stig +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml index 4deb51eb..6a18b1e6 100644 --- a/rules/os/os_auth_peripherals.yaml +++ b/rules/os/os_auth_peripherals.yaml @@ -11,6 +11,8 @@ references: - CCE-85297-0 cci: - CCI-001958 + 800-53r5: + - IA-3 800-53r4: - IA-3 disa_stig: @@ -23,9 +25,11 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 - permanent mobileconfig: false mobileconfig_info: 
diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml index 7be373f8..86c53dcf 100644 --- a/rules/os/os_authenticated_root_enable.yaml +++ b/rules/os/os_authenticated_root_enable.yaml @@ -1,9 +1,11 @@ id: os_authenticated_root_enable title: "Enable Authenticated Root" -discussion: +discussion: | Authenticated Root _MUST_ be enabled. When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume. + + NOTE: Authenticated Root is enabled by default on macOS systems. check: | /usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled' result: @@ -19,6 +21,13 @@ references: - CCE-85298-8 cci: - N/A + 800-53r5: + - AC-3 + - CM-5 + - SC-34 + - SI-7(6) + - SI-7 + - MA-4(1) 800-53r4: - AC-3 - CM-5 @@ -36,11 +45,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high - + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml index 7b2d73d3..e4bf1437 100644 --- a/rules/os/os_bonjour_disable.yaml +++ b/rules/os/os_bonjour_disable.yaml @@ -13,8 +13,12 @@ references: - CCE-85299-6 cci: - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(1) 800-53r4: - CM-7 + - CM-7(1) srg: - SRG-OS-000095-GPOS-00049 disa_stig: @@ -24,11 +28,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml index 3dd033d9..d2d327bb 100644 --- a/rules/os/os_calendar_app_disable.yaml +++ b/rules/os/os_calendar_app_disable.yaml 
@@ -18,8 +18,13 @@ references: - CCE-85300-2 cci: - CCI-000381 + 800-53r5: + - AC-20 + - CM-7 + - CM-7(1) 800-53r4: - CM-7 + - CM-7(1) - AC-20 srg: - SRG-OS-000095-GPOS-00049 @@ -31,11 +36,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml index acf3546b..9851d7ac 100644 --- a/rules/os/os_camera_disable.yaml +++ b/rules/os/os_camera_disable.yaml @@ -15,6 +15,8 @@ references: - CCI-000381 - CCI-001150 - CCI-001153 + 800-53r5: + - N/A 800-53r4: - N/A srg: diff --git a/rules/os/os_certificate_authority_trust.yaml b/rules/os/os_certificate_authority_trust.yaml index dd00a9ff..0a679b76 100644 --- a/rules/os/os_certificate_authority_trust.yaml +++ b/rules/os/os_certificate_authority_trust.yaml @@ -3,7 +3,7 @@ title: "Issue or Obtain Public Key Certificates from an Approved Service Provide discussion: | The organization _MUST_ issue or obtain public key certificates from an organization-approved service provider and ensure only approved trust anchors are in the System Keychain. check: | - /usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/grep labl | awk -F'"' '{ print $4 }' + /usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/awk -F'"' '/labl/ {print $4}' result: string: "a list containing approved root certificates" fix: | @@ -14,6 +14,8 @@ references: cci: - CCI-000185 - CCI-002450 + 800-53r5: + - SC-17 800-53r4: - SC-17 disa_stig: @@ -24,9 +26,11 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 - stig - manual severity: "high" 
diff --git a/rules/os/os_change_security_attributes.yaml b/rules/os/os_change_security_attributes.yaml index ffd92f1e..a7d90f90 100644 --- a/rules/os/os_change_security_attributes.yaml +++ b/rules/os/os_change_security_attributes.yaml @@ -15,6 +15,8 @@ references: - CCE-85303-6 cci: - CCI-002165 + 800-53r5: + - AC-3(4) 800-53r4: - AC-3(4) disa_stig: diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml new file mode 100644 index 00000000..d31820ac --- /dev/null +++ b/rules/os/os_config_data_install_enforce.yaml @@ -0,0 +1,42 @@ +id: os_config_data_install_enforce +title: "Enforce Installation of XProtect, MRT, and Gatekeeper Updates Automatically" +discussion: | + Software Update _MUST_ be configured to update XProtect, MRT, and Gatekeepr automatically. + + This setting enforces definition updates for XProtect, MRT, and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted. + + link:https://support.apple.com/en-us/HT207005[] + + NOTE: Software update will automatically update XProtect, MRT, and Gatekeeper by default in the macOS. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ConfigDataInstall = 1' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-85466-1 + cci: + - N/A + 800-53r5: + - SI-3 + - SI-2(5) + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +mobileconfig: true +mobileconfig_info: + com.apple.SoftwareUpdate: + configdatainstall: true diff --git a/rules/os/os_continuous_monitoring.yaml b/rules/os/os_continuous_monitoring.yaml index fc2fe655..4d6412a7 100644 --- a/rules/os/os_continuous_monitoring.yaml +++ b/rules/os/os_continuous_monitoring.yaml 
@@ -11,6 +11,8 @@ references: - CCE-85304-4 cci: - CCI-001233 + 800-53r5: + - SI-2(2) 800-53r4: - SI-2(2) srg: @@ -21,9 +23,10 @@ macOS: - "11.0" tags: - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - - permanent - + - permanent mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_crypto_audit.yaml b/rules/os/os_crypto_audit.yaml index e6e7a3ec..02b21fd8 100644 --- a/rules/os/os_crypto_audit.yaml +++ b/rules/os/os_crypto_audit.yaml @@ -17,6 +17,8 @@ references: - CCE-85305-1 cci: - CCI-001496 + 800-53r5: + - AU-9(3) 800-53r4: - AU-9(3) disa_stig: @@ -26,6 +28,7 @@ references: macOS: - "11.0" tags: + - 800-53r5_high - 800-53r4_high - inherent mobileconfig: false diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index 93fda98c..a1b16bb7 100644 --- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml @@ -1,5 +1,5 @@ id: os_directory_services_configured -title: The macOS system must be integrated into a directory services infrastructure. +title: "The macOS system must be integrated into a directory services infrastructure." discussion: | Distinct user account databases on each separate system cause problems with username and password policy enforcement. Most approved directory services infrastructure solutions allow centralized management of users and passwords. check: | @@ -7,7 +7,7 @@ check: | To determine if the system is integrated to a directory service, ask the System Administrator (SA) or Information System Security Officer (ISSO) or run the following command: - /usr/bin/sudo dscl localhost -list . | /usr/bin/grep -vE '(Contact | Search | Local)' + /usr/bin/dscl localhost -list . | /usr/bin/grep -vE '(Contact|Search|Local|^$)' If nothing is returned, or if the system is not integrated into a directory service infrastructure, this is a finding. fix: | 
@@ -15,6 +15,8 @@ fix: | references: cci: - CCI-000366 + 800-53r5: + - N/A 800-53r4: - CM-6(b) srg: diff --git a/rules/os/os_enforce_access_restrictions.yaml b/rules/os/os_enforce_access_restrictions.yaml index 08d918b6..f7bb3bff 100644 --- a/rules/os/os_enforce_access_restrictions.yaml +++ b/rules/os/os_enforce_access_restrictions.yaml @@ -15,6 +15,8 @@ references: - CCE-85306-9 cci: - CCI-001813 + 800-53r5: + - CM-5(1) 800-53r4: - CM-5(1) disa_stig: @@ -24,6 +26,7 @@ references: macOS: - "11.0" tags: + - 800-53r5_high - 800-53r4_high - inherent mobileconfig: false diff --git a/rules/os/os_error_message.yaml b/rules/os/os_error_message.yaml index 0569456a..5d5f0eb4 100644 --- a/rules/os/os_error_message.yaml +++ b/rules/os/os_error_message.yaml @@ -11,6 +11,8 @@ references: - CCE-85307-7 cci: - CCI-001312 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml index 87d1cbf4..df1f9365 100644 --- a/rules/os/os_facetime_app_disable.yaml +++ b/rules/os/os_facetime_app_disable.yaml @@ -16,25 +16,33 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - CM-7 + - CM-7(1) 800-53r4: - CM-7 + - CM-7(1) - AC-20 srg: - SRG-OS-000095-GPOS-00049 - SRG-OS-000370-GPOS-00155 disa_stig: - - ASOX-14-002010 + - ASOX-11-002010 800-171r2: - 3.1.20 - 3.4.6 macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "low" mobileconfig: true diff --git a/rules/os/os_fail_secure_state.yaml b/rules/os/os_fail_secure_state.yaml index 39f2cf47..8c034916 100644 --- a/rules/os/os_fail_secure_state.yaml +++ b/rules/os/os_fail_secure_state.yaml @@ -18,6 +18,8 @@ references: cci: - CCI-001190 - CCI-001665 + 800-53r5: + - SC-24 800-53r4: - SC-24 disa_stig: 
@@ -28,6 +30,7 @@ references: macOS: - "11.0" tags: + - 800-53r5_high - 800-53r4_high - inherent mobileconfig: false diff --git a/rules/os/os_filevault_authorized_users.yaml b/rules/os/os_filevault_authorized_users.yaml new file mode 100644 index 00000000..3e306106 --- /dev/null +++ b/rules/os/os_filevault_authorized_users.yaml @@ -0,0 +1,37 @@ +id: os_filevault_authorized_users +title: "FileVault Authorized Users" +discussion: | + macOS _MUST_ be configured to only allow authorized users to unlock FileVault upon startup. +check: | + /usr/bin/fdesetup list | /usr/bin/awk -F',' '{print $1}' +result: + string: "a list containing authorized users that can unlock FileVault" +fix: | + Remove the user that is not authorized to unlock FileVault using the fdesetup command. + + [source,bash] + ---- + /usr/bin/fdesetup remove -user NOT_AUTHORIZED_USERNAME + ---- +references: + cce: + - CCE-85311-9 + cci: + - CCI-002143 + 800-53r5: + - AC-2(11) + 800-53r4: + - N/A + srg: + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-11-000032 +macOS: + - "11.0" +tags: + - 800-53r5_high + - stig + - manual +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml index 02dd58fa..c22820df 100644 --- a/rules/os/os_filevault_autologin_disable.yaml +++ b/rules/os/os_filevault_autologin_disable.yaml @@ -4,6 +4,8 @@ discussion: | If FileVault is enabled, automatic login _MUST_ be disabled, so that both FileVault and login window authentication are required. The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing your FileVault credentials. + + NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon based macOS systems that are smartcard enforced as smartcards are available at pre-boot. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableFDEAutoLogin = 1' result: 
@@ -13,6 +15,10 @@ fix: | references: cce: - CCE-85310-1 + 800-53r5: + - AC-3 + - IA-5(13) + - AC-2(11) 800-53r4: - AC-2(11) - AC-3 @@ -29,11 +35,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/os/os_filevault_user_account.yaml b/rules/os/os_filevault_user_account.yaml deleted file mode 100644 index 7cb2628c..00000000 --- a/rules/os/os_filevault_user_account.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -id: os_filevault_user_account -title: "Dedicated User Account to Decrypt the Hard Disk" -discussion: | - The macOS system _MUST_ be configured with a dedicated user account to decrypt the hard disk upon startup. - - When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login. -check: | - Ensure that only one FileVault user is defined: - - # sudo fdesetup list - - fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A - - If more than one user is defined, this is a finding. - - Verify that the defined FileVault user has been disabled: - - # sudo dscl . read /Users/ AuthenticationAuthority | grep "DisabledUser" - - AuthenticationAuthority: ;ShadowHash;HASHLIST: ;Kerberosv5;;unlock@LKDC:SHA1.20BABA05A6B1A86A8C57581A8487596640A3E37B;LKDC:SHA1.20CEBE04A5B1D92D8C58189D8487593350D3A40A; ;SecureToken; DisabledUser - - If the FileVault user is not disabled, this is a finding. - - Verify that password forwarding has been disabled on the system: - - # sudo defaults read /Library/Preferences/com.apple.loginwindow | grep "DisableFDEAutologin" - - DisableFDEAutologin = 1; - - If "DisableFDEAutologin" is not set to a value of "1", this is a finding. -fix: | - Create a new user account that will be used to unlock the disk on startup. - - Disable the login ability of the newly created user account: - - # sudo dscl . 
append /Users/ AuthenticationAuthority DisabledUser - - Disable FileVaults Auto-login feature: - - # sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutologin -bool YES - - Remove all FileVault login access from each user account defined on the system that is not the designated FileVault user: - - # sudo fdesetup remove -user -references: - cce: - - CCE-85311-9 - cci: - - CCI-002143 - 800-53r4: - - AC-2(11) - srg: - - SRG-OS-000480-GPOS-00227 - disa_stig: - - APPL-11-000032 -macOS: - - "11.0" -tags: - - stig -severity: "medium" -mobileconfig: false -mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_firewall_default_deny_require.yaml b/rules/os/os_firewall_default_deny_require.yaml index c650f340..7bd6978d 100644 --- a/rules/os/os_firewall_default_deny_require.yaml +++ b/rules/os/os_firewall_default_deny_require.yaml @@ -25,6 +25,9 @@ references: cci: - CCI-000366 - CCI-002080 + 800-53r5: + - AC-4 + - SC-7(5) 800-53r4: - SC-7(5) - AC-4 @@ -38,10 +41,11 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml index 1a870d0b..a5033eff 100644 --- a/rules/os/os_firewall_log_enable.yaml +++ b/rules/os/os_firewall_log_enable.yaml @@ -20,6 +20,9 @@ references: - CCE-85313-5 cci: - N/A + 800-53r5: + - AU-12 + - SC-7 800-53r4: - SC-7 - AU-12 @@ -36,10 +39,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml index b6434726..b90bf2ce 100644 
--- a/rules/os/os_firmware_password_require.yaml +++ b/rules/os/os_firmware_password_require.yaml @@ -14,6 +14,8 @@ discussion: | NOTE: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through the use of a machine specific binary generated and provided by Apple. Schedule a support call, and provide proof of purchase before the firmware binary will be generated. + NOTE: Firmware passwords are not supported on Apple Silicon devices. + check: | /usr/sbin/firmwarepasswd -check | /usr/bin/grep -c "Password Enabled: Yes" result: @@ -25,6 +27,8 @@ references: - CCE-85314-3 cci: - CCI-000366 + 800-53r5: + - AC-6 800-53r4: - AC-6 srg: @@ -36,10 +40,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml index 1192eefa..62e23bef 100644 --- a/rules/os/os_gatekeeper_enable.yaml +++ b/rules/os/os_gatekeeper_enable.yaml @@ -20,6 +20,12 @@ references: - CCE-85315-0 cci: - CCI-001749 + 800-53r5: + - CM-14 + - CM-5 + - SI-7(1) + - SI-7(15) + - SI-3 800-53r4: - CM-5(3) - CM-5 @@ -34,10 +40,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "high" mobileconfig: true diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml index dfb01ec9..b51af00c 100644 --- a/rules/os/os_gatekeeper_rearm.yaml +++ b/rules/os/os_gatekeeper_rearm.yaml @@ -13,6 +13,8 @@ references: - CCE-85316-8 cci: - N/A + 800-53r5: + - CM-5 800-53r4: - CM-5 - SI-3 
@@ -25,10 +27,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.ManagedClient.preferences: diff --git a/rules/os/os_grant_privs.yaml b/rules/os/os_grant_privs.yaml index 41754f65..f8e21f63 100644 --- a/rules/os/os_grant_privs.yaml +++ b/rules/os/os_grant_privs.yaml @@ -15,6 +15,8 @@ references: - CCE-85317-6 cci: - CCI-002165 + 800-53r5: + - AC-3(4) 800-53r4: - AC-3(4) disa_stig: diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml index 1a00905e..87b29050 100644 --- a/rules/os/os_handoff_disable.yaml +++ b/rules/os/os_handoff_disable.yaml @@ -13,10 +13,16 @@ fix: | references: cce: - CCE-85321-8 + 800-53r5: + - AC-3 + - AC-20 + - CM-7 + - CM-7(1) 800-53r4: - AC-3 - AC-20 - CM-7 + - CM-7(1) disa_stig: - N/A srg: @@ -31,11 +37,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_hbss_installed.yaml b/rules/os/os_hbss_installed.yaml index 5c22ba07..9ac0ba5e 100644 --- a/rules/os/os_hbss_installed.yaml +++ b/rules/os/os_hbss_installed.yaml @@ -11,9 +11,11 @@ fix: | Install the approved HBSS solution onto the system. references: cce: - - N/A + - CCE-85467-9 cci: - CCI-001233 + 800-53r5: + - N/A 800-53r4: - SI-2(2) srg: diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml index 965376fe..47771080 100644 --- a/rules/os/os_home_folders_secure.yaml +++ b/rules/os/os_home_folders_secure.yaml @@ -22,6 +22,8 @@ references: - CCE-85322-6 cci: - CCI-000366 + 800-53r5: + - AC-6 800-53r4: - AC-6 srg: 
@@ -34,10 +36,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml index 1da2e020..c4996435 100644 --- a/rules/os/os_httpd_disable.yaml +++ b/rules/os/os_httpd_disable.yaml @@ -1,7 +1,9 @@ id: os_httpd_disable title: "Disable the Built-in Web Server" -discussion: +discussion: | The built-in web server is a non-essential service built into macOS and _MUST_ be disabled. + + NOTE: The built in web server service is disabled at startup by default macOS. check: | /bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true' result: @@ -16,6 +18,9 @@ references: - CCE-85323-4 cci: - CCI-000381 + 800-53r5: + - AC-3 + - AC-17 800-53r4: - AC-3 srg: @@ -28,11 +33,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml index 4df5deb6..fda1179b 100644 --- a/rules/os/os_icloud_storage_prompt_disable.yaml +++ b/rules/os/os_icloud_storage_prompt_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85324-2 cci: - CCI-000381 + 800-53r5: + - AC-20 800-53r4: - AC-20 srg: @@ -26,11 +28,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/os/os_identify_non-org_users.yaml b/rules/os/os_identify_non-org_users.yaml index 15274b12..29df7ade 100644 --- a/rules/os/os_identify_non-org_users.yaml 
+++ b/rules/os/os_identify_non-org_users.yaml @@ -11,6 +11,8 @@ references: - CCE-85325-9 cci: - CCI-000804 + 800-53r5: + - IA-8 800-53r4: - IA-8 disa_stig: @@ -20,10 +22,13 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 - n_a mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml index d1a25e5a..862fdd06 100644 --- a/rules/os/os_implement_cryptography.yaml +++ b/rules/os/os_implement_cryptography.yaml @@ -5,9 +5,9 @@ discussion: | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government. - macOS Big Sur has been submitted to an accredited laboratory for testing of the cryptographic module for FIPS 140-3 validation. Once complete the test will be submitted to the National Institute of Standards and Technology (NIST) for validation. + macOS Big Sur has been submitted to the National Institute of Standards and Technology (NIST) and is in review for the cryptographic module for FIPS 140-3 validation. - link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/IUT-List[] + link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List[] link:https://support.apple.com/en-us/HT201159[] check: | @@ -19,6 +19,8 @@ references: - CCE-85326-7 cci: - CCI-002450 + 800-53r5: + - SC-13 800-53r4: - SC-13 disa_stig: 
@@ -30,11 +32,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml index 5842c507..6d88652b 100644 --- a/rules/os/os_implement_memory_protection.yaml +++ b/rules/os/os_implement_memory_protection.yaml @@ -22,6 +22,8 @@ references: - CCE-85327-5 cci: - CCI-002824 + 800-53r5: + - SI-16 800-53r4: - SI-16 disa_stig: @@ -32,9 +34,11 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_information_validation.yaml b/rules/os/os_information_validation.yaml new file mode 100644 index 00000000..223b78fd --- /dev/null +++ b/rules/os/os_information_validation.yaml 
@@ -0,0 +1,33 @@ +id: os_information_validation +title: "Information Input Validation" +discussion: | + Check the validity of the following information inputs: organization-defined information inputs to the systems. + + Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of "387," "abc," or "%K%" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks. +check: | + This requirement is NA for this technology. +fix: | + The requirement is NA. No fix is required. 
+references: + cce: + - CCE-85476-0 + cci: + - N/A + 800-53r5: + - SI-10 + 800-53r4: + - N/A + 800-171r2: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_moderate + - 800-53r5_high + - n_a +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_internet_accounts_prefpane_disable.yaml b/rules/os/os_internet_accounts_prefpane_disable.yaml index a84c3c85..2a8b8a5d 100644 --- a/rules/os/os_internet_accounts_prefpane_disable.yaml +++ b/rules/os/os_internet_accounts_prefpane_disable.yaml @@ -19,6 +19,9 @@ references: cci: - CCI-001774 - CCI-000381 + 800-53r5: + - CM-7(5) + - AC-20 800-53r4: - AC-20 - CM-7(5) @@ -32,11 +35,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_moderate + - 800-53r5_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml index 7afd5b1c..c350cb13 100644 --- a/rules/os/os_ir_support_disable.yaml +++ b/rules/os/os_ir_support_disable.yaml @@ -5,7 +5,7 @@ discussion: | By default, if IR is enabled, the system will accept IR control from any remote device. - Note: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1. + NOTE: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DeviceEnabled = 0' result: @@ -17,8 +17,13 @@ references: - CCE-85329-1 cci: - CCI-000366 + 800-53r5: + - AC-18 + - CM-7 + - CM-7(1) 800-53r4: - CM-7 + - CM-7(1) - AC-18 srg: - SRG-OS-000480-GPOS-00227 @@ -30,11 +35,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.ManagedClient.preferences: 
diff --git a/rules/os/os_isolate_security_functions.yaml b/rules/os/os_isolate_security_functions.yaml index fee3b1f3..ea3b5906 100644 --- a/rules/os/os_isolate_security_functions.yaml +++ b/rules/os/os_isolate_security_functions.yaml @@ -13,6 +13,8 @@ references: - CCE-85330-9 cci: - CCI-001084 + 800-53r5: + - SC-3 800-53r4: - SC-3 disa_stig: @@ -22,6 +24,7 @@ references: macOS: - "11.0" tags: + - 800-53r5_high - 800-53r4_high - inherent mobileconfig: false diff --git a/rules/os/os_limit_auditable_events.yaml b/rules/os/os_limit_auditable_events.yaml index 8c4ed5cb..098cb9f6 100644 --- a/rules/os/os_limit_auditable_events.yaml +++ b/rules/os/os_limit_auditable_events.yaml @@ -11,6 +11,8 @@ references: - CCE-85331-7 cci: - CCI-000171 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/os/os_limit_dos_attacks.yaml b/rules/os/os_limit_dos_attacks.yaml index 489356d7..306da1ab 100644 --- a/rules/os/os_limit_dos_attacks.yaml +++ b/rules/os/os_limit_dos_attacks.yaml @@ -15,6 +15,8 @@ references: - CCE-85332-5 cci: - CCI-001095 + 800-53r5: + - SC-5(2) 800-53r4: - SC-5(2) disa_stig: diff --git a/rules/os/os_limit_gui_sessions.yaml b/rules/os/os_limit_gui_sessions.yaml index 69e3fdca..a51b3af2 100644 --- a/rules/os/os_limit_gui_sessions.yaml +++ b/rules/os/os_limit_gui_sessions.yaml @@ -13,6 +13,8 @@ references: - CCE-85333-3 cci: - CCI-000054 + 800-53r5: + - AC-10 800-53r4: - AC-10 disa_stig: @@ -22,6 +24,7 @@ references: macOS: - "11.0" tags: + - 800-53r5_high - 800-53r4_high - inherent mobileconfig: false diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml index 01cf22a2..5c07b489 100644 --- a/rules/os/os_logical_access.yaml +++ b/rules/os/os_logical_access.yaml @@ -15,6 +15,8 @@ references: - CCE-85334-1 cci: - CCI-000213 + 800-53r5: + - AC-3 800-53r4: - AC-3 disa_stig: 
@@ -27,11 +29,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_logoff_capability_and_message.yaml b/rules/os/os_logoff_capability_and_message.yaml index ccc3300b..1bd1116b 100644 --- a/rules/os/os_logoff_capability_and_message.yaml +++ b/rules/os/os_logoff_capability_and_message.yaml @@ -14,6 +14,9 @@ references: cci: - CCI-002363 - CCI-002364 + 800-53r5: + - AC-12(1) + - AC-12(2) 800-53r4: - AC-12(1) disa_stig: diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml index 8ee6f7ea..7aa9c9bd 100644 --- a/rules/os/os_mail_app_disable.yaml +++ b/rules/os/os_mail_app_disable.yaml @@ -20,8 +20,13 @@ references: - CCE-85336-6 cci: - CCI-000381 + 800-53r5: + - AC-20 + - CM-7 + - CM-7(1) 800-53r4: - CM-7 + - CM-7(1) - AC-20 srg: - SRG-OS-000095-GPOS-00049 @@ -34,11 +39,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml new file mode 100644 index 00000000..d51aab71 --- /dev/null +++ b/rules/os/os_malicious_code_prevention.yaml 
@@ -0,0 +1,56 @@ +id: os_malicious_code_prevention +title: "Ensure the System Implements Malicious Code Protection Mechanisms" +discussion: | + The inherent configuration of the macOS _IS_ in compliance as Apple has designed the system with three layers of protection against malware. Each layer of protection is comprised of one or more malicious code protection mechanisms, which are automatically implemented and which, collectively, meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for malicious code prevention. + + 1. This first layer of defense targets the distribution of malware; the aim is to prevent malware from ever launching. + The following mechanisms are inherent to the macOS design and constitute the first layer of protection against malicious code: + * The Apple App Store: the safest way to add new applications to a Mac is by downloading them from the App Store; all apps available for download from the App Store have been reviewed for signs of tampering and signed by Apple to indicate that the app meets security requirements and does not contain malware. + * XProtect: a built-in, signature-based, anti-virus, anti-malware technology inherent to all Macs. XProtect automatically detects and blocks the execution of known malware. + * In macOS 10.15 and all subsequent releases, XProtect checks for known malicious content when: + * an app is first launched, + * an app has been changed (in the file system), and + * XProtect signatures are updated. + * YARA: another built-in tool (inherent to all Macs), which conducts signature-based detection of malware. Apple updates YARA rules regularly. + * Gatekeeper: a security feature inherent to all Macs; Gatekeeper scans apps to detect malware and/or revocations of a developer’s signing certificate and prevents unsafe apps from running. 
+ * Notarization: Apple performs regular, automated scans to detect signs of malicious content and to verify developer ID-signed software; when no issues are found, Apple notarizes the software and delivers the results of scans to the system owner. + + 2. The second layer of defense targets malware that manages to appear on a Mac before it runs; the aim is to quickly identify and block any malware present on a Mac in order to prevent the malware from running and further spreading. + The following mechanisms are inherent to the macOS design and constitute the second layer of protection against malicious code: + * XProtect (defined above). + * Gatekeeper (defined above). + * Notarization (defined above). + + 3. The third layer of defense targets infected Mac system(s); the aim is to remediate Macs on which malware has managed to successfully execute. + The following mechanism is inherent to the macOS design and constitutes the third layer of protection against malicious code: + * Apple’s Malware Removal Tool (MRT): a technology included on all macOS systems. MRT is an agent that remediates based on automatic updates delivered from Apple. MRT will remove the malware upon receiving updated information and check for malware on restart and login. + + link:https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1[] + + link:https://support.apple.com/guide/security/app-security-overview-sec35dd877d0/web[] +check: | + The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. +fix: | + The technology inherently meets this requirement. No fix is required. +references: + cce: + - CCE-85468-7 + cci: + - N/A + 800-53r5: + - SI-3 + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - inherent + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +mobileconfig: false +mobileconfig_info: 
diff --git a/rules/os/os_managed_access_control_points.yaml b/rules/os/os_managed_access_control_points.yaml new file mode 100644 index 00000000..28baa051 --- /dev/null +++ b/rules/os/os_managed_access_control_points.yaml @@ -0,0 +1,33 @@ +id: os_managed_access_control_points +title: "Managed Access Control Points" +discussion: | + Route remote accesses through authorized and managed network access control points. + + Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces. +check: | + This requirement is NA for this technology. +fix: | + The requirement is NA. No fix is required. +references: + cce: + - CCE-85477-8 + cci: + - N/A + 800-53r5: + - AC-17(3) + 800-53r4: + - N/A + 800-171r2: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_moderate + - 800-53r5_high + - n_a +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_map_pki_identity.yaml b/rules/os/os_map_pki_identity.yaml index 3bc70ae6..614ec045 100644 --- a/rules/os/os_map_pki_identity.yaml +++ b/rules/os/os_map_pki_identity.yaml @@ -11,6 +11,8 @@ references: - CCE-85337-4 cci: - CCI-000187 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml index 65c69a20..904d1a27 100644 --- a/rules/os/os_mdm_require.yaml +++ b/rules/os/os_mdm_require.yaml @@ -27,6 +27,9 @@ fix: | references: cce: - CCE-85338-2 + 800-53r5: + - CM-2 + - CM-6 800-53r4: - CM-2 - CM-6 @@ -42,10 +45,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml index d47261db..5ae7f513 100644 --- a/rules/os/os_messages_app_disable.yaml +++ b/rules/os/os_messages_app_disable.yaml @@ -16,8 +16,13 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - CM-7 + - CM-7(1) 800-53r4: - CM-7 + - CM-7(1) - AC-20 srg: - SRG-OS-000095-GPOS-00049 @@ -30,11 +35,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "low" mobileconfig: true diff --git a/rules/os/os_mfa_network_access.yaml b/rules/os/os_mfa_network_access.yaml index c991a9f5..2bd008f7 100644 --- a/rules/os/os_mfa_network_access.yaml +++ b/rules/os/os_mfa_network_access.yaml @@ -12,6 +12,8 @@ references: - CCE-85340-8 cci: - CCI-000765 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/os/os_mfa_network_non-priv.yaml b/rules/os/os_mfa_network_non-priv.yaml index efc841ef..7de824ec 100644 --- a/rules/os/os_mfa_network_non-priv.yaml +++ b/rules/os/os_mfa_network_non-priv.yaml @@ -12,6 +12,8 @@ references: - CCE-85341-6 cci: - CCI-000766 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml new file mode 100644 index 00000000..8fea713d --- /dev/null +++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml 
@@ -0,0 +1,39 @@ +id: os_newsyslog_files_owner_group_configure +title: "Configure System Log Files Owned by Root and Group to Wheel" +discussion: | + The system log files _MUST_ be owned by root. + + System logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated. +check: | + /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}') + ---- +references: + cce: + - CCE-85469-5 + cci: + - CCI-001314 + 800-53r5: + - SI-11 + 800-53r4: + - SI-11 + srg: + - SRG-OS-000206-GPOS-00084 + disa_stig: + - APPL-11-004001 + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_moderate + - 800-53r5_high + - stig +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml new file mode 100644 index 00000000..900f319f --- /dev/null +++ b/rules/os/os_newsyslog_files_permissions_configure.yaml 
@@ -0,0 +1,38 @@ +id: os_newsyslog_files_permissions_configure +title: "Configure System Log Files to Mode 640 or Less Permissive" +discussion: | + The system logs _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, system log files _MUST_ be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk. + +check: | + /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' +result: + integer: 0 +fix: | + [source,bash] + ---- + /bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | awk -F":" '!/640/{print $2}') + ---- +references: + cce: + - CCE-85470-3 + cci: + - CCI-001314 + 800-53r5: + - SI-11 + 800-53r4: + - SI-11 + srg: + - SRG-OS-000206-GPOS-00084 + disa_stig: + - APPL-11-004002 + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_moderate + - 800-53r5_high + - stig +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml index 37c18973..d4c50a3f 100644 --- a/rules/os/os_nfsd_disable.yaml +++ b/rules/os/os_nfsd_disable.yaml @@ -17,6 +17,9 @@ references: - CCE-85342-4 cci: - CCI-000381 + 800-53r5: + - AC-3 + - AC-17 800-53r4: - AC-3 srg: @@ -29,11 +32,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false 
diff --git a/rules/os/os_non_repudiation.yaml b/rules/os/os_non_repudiation.yaml new file mode 100644 index 00000000..bd0f4de8 --- /dev/null +++ b/rules/os/os_non_repudiation.yaml @@ -0,0 +1,32 @@ +id: os_non_repudiation +title: "Non-Repudiation" +discussion: | + Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed organization-defined actions to be covered by non-repudiation. + + Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts. +check: | + This requirement is NA for this technology. +fix: | + The requirement is NA. No fix is required. +references: + cce: + - CCE-85481-0 + cci: + - N/A + 800-53r5: + - AU-10 + 800-53r4: + - N/A + 800-171r2: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_high + - n_a +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_nonlocal_maintenance.yaml b/rules/os/os_nonlocal_maintenance.yaml index 50348c8b..7872e85e 100644 --- a/rules/os/os_nonlocal_maintenance.yaml +++ b/rules/os/os_nonlocal_maintenance.yaml @@ -11,6 +11,8 @@ references: - CCE-85458-8 cci: - N/A + 800-53r5: + - MA-4 800-53r4: - MA-4 800-171r2: 
@@ -22,11 +24,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - n_a mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_notify_account_created.yaml b/rules/os/os_notify_account_created.yaml index 42296a78..3f671470 100644 --- a/rules/os/os_notify_account_created.yaml +++ b/rules/os/os_notify_account_created.yaml @@ -15,6 +15,8 @@ references: - CCE-85343-2 cci: - CCI-001683 + 800-53r5: + - N/A 800-53r4: - AC-2(4) disa_stig: diff --git a/rules/os/os_notify_account_disabled.yaml b/rules/os/os_notify_account_disabled.yaml index 7615d41c..32b2b482 100644 --- a/rules/os/os_notify_account_disabled.yaml +++ b/rules/os/os_notify_account_disabled.yaml @@ -15,6 +15,8 @@ references: - CCE-85344-0 cci: - CCI-001685 + 800-53r5: + - N/A 800-53r4: - AC-2(4) disa_stig: diff --git a/rules/os/os_notify_account_enable.yaml b/rules/os/os_notify_account_enable.yaml index fee25a2c..acea837d 100644 --- a/rules/os/os_notify_account_enable.yaml +++ b/rules/os/os_notify_account_enable.yaml @@ -15,6 +15,8 @@ references: - CCE-85345-7 cci: - CCI-002132 + 800-53r5: + - N/A 800-53r4: - AC-2(4) disa_stig: diff --git a/rules/os/os_notify_account_modified.yaml b/rules/os/os_notify_account_modified.yaml index b0b81d65..54e83486 100644 --- a/rules/os/os_notify_account_modified.yaml +++ b/rules/os/os_notify_account_modified.yaml @@ -15,6 +15,8 @@ references: - CCE-85346-5 cci: - CCI-001684 + 800-53r5: + - N/A 800-53r4: - AC-2(4) disa_stig: diff --git a/rules/os/os_notify_account_removal.yaml b/rules/os/os_notify_account_removal.yaml index cd19a8fb..b872d510 100644 --- a/rules/os/os_notify_account_removal.yaml +++ b/rules/os/os_notify_account_removal.yaml @@ -15,6 +15,8 @@ references: - CCE-85347-3 cci: - CCI-001686 + 800-53r5: + - N/A 800-53r4: - AC-2(4) disa_stig: 
diff --git a/rules/os/os_notify_unauthorized_baseline_change.yaml b/rules/os/os_notify_unauthorized_baseline_change.yaml index 20359daf..3dad5fc7 100644 --- a/rules/os/os_notify_unauthorized_baseline_change.yaml +++ b/rules/os/os_notify_unauthorized_baseline_change.yaml @@ -15,6 +15,8 @@ references: - CCE-85348-1 cci: - CCI-001744 + 800-53r5: + - CM-3(5) 800-53r4: - CM-3(5) disa_stig: diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml index 7d063714..d6d56225 100644 --- a/rules/os/os_obscure_password.yaml +++ b/rules/os/os_obscure_password.yaml @@ -15,6 +15,9 @@ references: - CCE-85349-9 cci: - CCI-000206 + 800-53r5: + - IA-6 + - IA-5 800-53r4: - IA-5 - IA-6 @@ -29,11 +32,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml index 8a4661a2..a16a8dc5 100644 --- a/rules/os/os_parental_controls_enable.yaml +++ b/rules/os/os_parental_controls_enable.yaml @@ -18,6 +18,8 @@ references: cci: - CCI-001812 - CCI-001764 + 800-53r5: + - CM-7(2) 800-53r4: - CM-7(2) srg: @@ -30,11 +32,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml index fb424bed..6b381abd 100644 --- a/rules/os/os_password_autofill_disable.yaml +++ b/rules/os/os_password_autofill_disable.yaml @@ -13,11 +13,18 @@ fix: | references: cce: - CCE-85351-5 + 800-53r5: + - IA-5(13) + - CM-7 + - CM-7(1) + - IA-11 + - IA-5 800-53r4: - IA-5 - IA-5(13) - IA-11 - CM-7 + - CM-7(1) disa_stig: - N/A srg: 
@@ -31,11 +38,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml index ef22e29d..2ee25bff 100644 --- a/rules/os/os_password_proximity_disable.yaml +++ b/rules/os/os_password_proximity_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85352-3 cci: - N/A + 800-53r5: + - IA-5 800-53r4: - IA-5 srg: @@ -32,11 +34,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml index 04a61d85..7fbdf575 100644 --- a/rules/os/os_password_sharing_disable.yaml +++ b/rules/os/os_password_sharing_disable.yaml @@ -13,6 +13,8 @@ fix: | references: cce: - CCE-85353-1 + 800-53r5: + - IA-5 800-53r4: - IA-5 srg: @@ -29,11 +31,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_peripherals_identify.yaml b/rules/os/os_peripherals_identify.yaml index 91d02b8f..03515f29 100644 --- a/rules/os/os_peripherals_identify.yaml +++ b/rules/os/os_peripherals_identify.yaml @@ -13,6 +13,8 @@ references: - CCE-85354-9 cci: - N/A + 800-53r5: + - N/A 800-53r4: - N/A srg: diff --git a/rules/os/os_pii_deidentification.yaml b/rules/os/os_pii_deidentification.yaml new file mode 100644 index 00000000..4c6466c5 --- /dev/null 
+++ b/rules/os/os_pii_deidentification.yaml 
@@ -0,0 +1,32 @@ +id: os_pii_deidentification +title: "Remove Elements of Personally Identifiable Information from Datasets" +discussion: | + Remove the following elements of personally identifiable information from datasets: organization-defined elements of personally identifiable information and evaluate organization-defined frequency for effectiveness of de-identification. + + De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time support the management of this residual risk. +check: | + This requirement is NA for this technology. +fix: | + The requirement is NA. No fix is required. 
+references: + cce: + - CCE-85475-2 + cci: + - N/A + 800-53r5: + - SI-19 + 800-53r4: + - N/A + 800-171r2: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_privacy + - n_a +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_pii_quality_control.yaml b/rules/os/os_pii_quality_control.yaml new file mode 100644 index 00000000..9912f9f8 --- /dev/null +++ b/rules/os/os_pii_quality_control.yaml 
@@ -0,0 +1,32 @@ +id: os_pii_quality_control +title: "Personally Identifiable Information Quality Operations" +discussion: | + Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle organization-defined frequency; and correct or delete inaccurate or outdated personally identifiable information. + + Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and the potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes. +check: | + This requirement is NA for this technology. +fix: | + The requirement is NA. No fix is required. 
+references: + cce: + - CCE-85478-6 + cci: + - N/A + 800-53r5: + - SI-18 + 800-53r4: + - N/A + 800-171r2: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_privacy + - n_a +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml index e376b391..50b34855 100644 --- a/rules/os/os_policy_banner_loginwindow_enforce.yaml +++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml @@ -12,7 +12,7 @@ discussion: | "You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you may access this information system for authorized use only; unauthorized use of the system is prohibited and subject to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system at any time and for any lawful Government purpose, the Government may monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; and any communications or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and using this system indicates your understanding of this warning." check: | - /bin/ls -ld /Library/Security/PolicyBanner.rtf* | /usr/bin/wc -l | tr -d ' ' + /bin/ls -ld /Library/Security/PolicyBanner.rtf* | /usr/bin/wc -l | /usr/bin/tr -d ' ' result: integer: 1 fix: | 
@@ -35,6 +35,8 @@ references: - CCI-001386 - CCI-001387 - CCI-001388 + 800-53r5: + - AC-8 800-53r4: - AC-8 srg: @@ -48,11 +50,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml index 8eaab28c..2c3edece 100644 --- a/rules/os/os_policy_banner_ssh_configure.yaml +++ b/rules/os/os_policy_banner_ssh_configure.yaml @@ -22,6 +22,8 @@ references: - CCE-85356-4 cci: - CCI-000048 + 800-53r5: + - AC-8 800-53r4: - AC-8 srg: diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml index f11eb2e0..518bdb36 100644 --- a/rules/os/os_policy_banner_ssh_enforce.yaml +++ b/rules/os/os_policy_banner_ssh_enforce.yaml @@ -23,6 +23,8 @@ references: cci: - CCI-000048 - CCI-000050 + 800-53r5: + - AC-8 800-53r4: - AC-8 srg: diff --git a/rules/os/os_predictable_behavior.yaml b/rules/os/os_predictable_behavior.yaml index 08019463..3665a4cb 100644 --- a/rules/os/os_predictable_behavior.yaml +++ b/rules/os/os_predictable_behavior.yaml @@ -11,6 +11,8 @@ references: - CCE-85358-0 cci: - CCI-002754 + 800-53r5: + - SI-10(3) 800-53r4: - SI-10(3) disa_stig: diff --git a/rules/os/os_prevent_priv_execution.yaml b/rules/os/os_prevent_priv_execution.yaml index 4126dc3a..f18698be 100644 --- a/rules/os/os_prevent_priv_execution.yaml +++ b/rules/os/os_prevent_priv_execution.yaml @@ -15,6 +15,8 @@ references: - CCE-85359-8 cci: - CCI-002233 + 800-53r5: + - AC-6(8) 800-53r4: - AC-6(8) disa_stig: diff --git a/rules/os/os_prevent_priv_functions.yaml b/rules/os/os_prevent_priv_functions.yaml index f61d8aa5..ec75697c 100644 --- a/rules/os/os_prevent_priv_functions.yaml +++ b/rules/os/os_prevent_priv_functions.yaml 
@@ -17,6 +17,8 @@ references: - CCE-85360-6 cci: - CCI-002235 + 800-53r5: + - AC-6(10) 800-53r4: - AC-6(10) disa_stig: @@ -28,10 +30,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_prevent_unauthorized_disclosure.yaml b/rules/os/os_prevent_unauthorized_disclosure.yaml index 19925935..f8fc6b44 100644 --- a/rules/os/os_prevent_unauthorized_disclosure.yaml +++ b/rules/os/os_prevent_unauthorized_disclosure.yaml @@ -15,6 +15,8 @@ references: - CCE-85361-4 cci: - CCI-001090 + 800-53r5: + - SC-4 800-53r4: - SC-4 disa_stig: @@ -26,10 +28,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_privacy_principle_minimization.yaml b/rules/os/os_privacy_principle_minimization.yaml new file mode 100644 index 00000000..69b1cb78 --- /dev/null +++ b/rules/os/os_privacy_principle_minimization.yaml 
@@ -0,0 +1,32 @@ +id: os_privacy_principle_minimization +title: "Implement the Privacy Principle of Minimization" +discussion: | + Implement the privacy principle of minimization using organization-defined processes. + + The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization. +check: | + This requirement is NA for this technology. +fix: | + The requirement is NA. No fix is required. +references: + cce: + - CCE-85479-4 + cci: + - N/A + 800-53r5: + - SA-8(33) + 800-53r4: + - N/A + 800-171r2: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_privacy + - n_a +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml index 665b8a1e..cbd9496b 100644 --- a/rules/os/os_privacy_setup_prompt_disable.yaml +++ b/rules/os/os_privacy_setup_prompt_disable.yaml @@ -15,8 +15,12 @@ references: - CCE-85362-2 cci: - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(1) 800-53r4: - CM-7 + - CM-7(1) srg: - SRG-OS-000095-GPOS-00049 disa_stig: diff --git a/rules/os/os_prohibit_remote_activation_collab_devices.yaml b/rules/os/os_prohibit_remote_activation_collab_devices.yaml new file mode 100644 index 00000000..7dd97294 --- /dev/null +++ b/rules/os/os_prohibit_remote_activation_collab_devices.yaml 
@@ -0,0 +1,38 @@ +id: os_prohibit_remote_activation_collab_devices +title: "Prohibit Remote Activation of Collaborative Computing Devices" +discussion: | + The inherent configuration of the macOS _IS_ in partial compliance as Apple has implemented a green light physically next to your camera that will glow when the camera is activated. + + There are no indicators when the system's microphone is listening or activated. This requires additional software to be installed. + + The macOS has built into the system, the ability to grant or deny access to the camera and microphone which requires the application to have an entitlement to use the device. + + link:https://support.apple.com/guide/mac-help/use-the-built-in-camera-mchlp2980/mac[] + + link:https://support.apple.com/guide/mac-help/control-access-to-your-camera-mchlf6d108da/mac[] + + link:https://support.apple.com/guide/mac-help/control-access-to-your-microphone-on-mac-mchla1b1e1fe/11.0/mac/11.0[] +check: | + The technology partially supports this requirement and cannot be configured to be in full compliance. +fix: | + The technology partially meets this requirement. An appropriate mitigation for the system must be implemented for full compliance. +references: + cce: + - CCE-85480-2 + 800-53r5: + - SC-15 + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - permanent + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_protect_dos_attacks.yaml b/rules/os/os_protect_dos_attacks.yaml index c6560eaa..1f18eacf 100644 --- a/rules/os/os_protect_dos_attacks.yaml +++ b/rules/os/os_protect_dos_attacks.yaml @@ -15,6 +15,8 @@ references: - CCE-85363-0 cci: - CCI-002385 + 800-53r5: + - SC-5 800-53r4: - SC-5 disa_stig: 
@@ -24,10 +26,13 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 - permanent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_provide_automated_account_management.yaml b/rules/os/os_provide_automated_account_management.yaml index 72444928..d41c4d62 100644 --- a/rules/os/os_provide_automated_account_management.yaml +++ b/rules/os/os_provide_automated_account_management.yaml @@ -15,6 +15,8 @@ references: - CCE-85364-8 cci: - CCI-000015 + 800-53r5: + - AC-2(1) 800-53r4: - AC-2(1) disa_stig: @@ -24,9 +26,11 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 - permanent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_provide_disconnect_remote_access.yaml b/rules/os/os_provide_disconnect_remote_access.yaml index cc484182..96dd7ae1 100644 --- a/rules/os/os_provide_disconnect_remote_access.yaml +++ b/rules/os/os_provide_disconnect_remote_access.yaml @@ -11,6 +11,8 @@ references: - CCE-85365-5 cci: - CCI-002322 + 800-53r5: + - AC-17(9) 800-53r4: - AC-17(9) disa_stig: diff --git a/rules/os/os_reauth_devices_change_authenticators.yaml b/rules/os/os_reauth_devices_change_authenticators.yaml index 6a343a0a..86a6a998 100644 --- a/rules/os/os_reauth_devices_change_authenticators.yaml +++ b/rules/os/os_reauth_devices_change_authenticators.yaml @@ -13,6 +13,8 @@ references: - CCE-85366-3 cci: - CCI-002039 + 800-53r5: + - IA-11 800-53r4: - IA-11 disa_stig: @@ -22,6 +24,9 @@ references: macOS: - "11.0" tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - permanent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_reauth_privilege.yaml b/rules/os/os_reauth_privilege.yaml index f696e9bf..c5b1bbc6 100644 --- a/rules/os/os_reauth_privilege.yaml +++ b/rules/os/os_reauth_privilege.yaml 
@@ -11,6 +11,8 @@ references: - CCE-85367-1 cci: - CCI-002038 + 800-53r5: + - IA-11 800-53r4: - IA-11 disa_stig: diff --git a/rules/os/os_reauth_users_change_authenticators.yaml b/rules/os/os_reauth_users_change_authenticators.yaml index b84f0cf1..d4d7e99f 100644 --- a/rules/os/os_reauth_users_change_authenticators.yaml +++ b/rules/os/os_reauth_users_change_authenticators.yaml @@ -11,6 +11,8 @@ references: - CCE-85368-9 cci: - CCI-002038 + 800-53r5: + - IA-11 800-53r4: - IA-11 disa_stig: @@ -21,5 +23,8 @@ macOS: - "11.0" tags: - inherent + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_remote_access_methods.yaml b/rules/os/os_remote_access_methods.yaml index 483d0cd0..573f3ac0 100644 --- a/rules/os/os_remote_access_methods.yaml +++ b/rules/os/os_remote_access_methods.yaml @@ -11,6 +11,8 @@ references: - CCE-85369-7 cci: - CCI-002314 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml index f1ece2f2..2f46d632 100644 --- a/rules/os/os_removable_media_disable.yaml +++ b/rules/os/os_removable_media_disable.yaml @@ -20,6 +20,8 @@ references: - CCE-85370-5 cci: - N/A + 800-53r5: + - MP-7 800-53r4: - MP-7(1) srg: @@ -31,10 +33,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.systemuiserver: diff --git a/rules/os/os_remove_software_components_after_updates.yaml b/rules/os/os_remove_software_components_after_updates.yaml index 43c7a604..ef65513c 100644 --- a/rules/os/os_remove_software_components_after_updates.yaml +++ b/rules/os/os_remove_software_components_after_updates.yaml @@ -11,6 +11,8 @@ references: - CCE-85371-3 cci: - CCI-002617 + 800-53r5: + - SI-2(6) 800-53r4: - SI-2(6) disa_stig: 
diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml index 91d9a579..fe0a01cb 100644 --- a/rules/os/os_required_crypto_module.yaml +++ b/rules/os/os_required_crypto_module.yaml @@ -19,6 +19,8 @@ references: - CCE-85373-9 cci: - CCI-000803 + 800-53r5: + - IA-7 800-53r4: - IA-7 disa_stig: @@ -28,10 +30,13 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml index cc41e762..f7f7fdd5 100644 --- a/rules/os/os_root_disable.yaml +++ b/rules/os/os_root_disable.yaml @@ -18,6 +18,9 @@ references: - CCE-85374-7 cci: - N/A + 800-53r5: + - IA-2 + - IA-2(5) 800-53r4: - IA-2 - IA-2(5) @@ -27,10 +30,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml index 5a9ac02d..a8db96f5 100644 --- a/rules/os/os_screensaver_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_loginwindow_enforce.yaml @@ -13,6 +13,8 @@ references: - CCE-85375-4 cci: - CCI-000060 + 800-53r5: + - AC-11(1) 800-53r4: - AC-11(1) srg: @@ -24,10 +26,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "low" mobileconfig: true diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml index c61443c7..aab25097 100644 --- a/rules/os/os_secure_boot_verify.yaml +++ b/rules/os/os_secure_boot_verify.yaml 
@@ -5,7 +5,7 @@ discussion: | Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. - Note: This will only return a proper result on a T2 Mac + NOTE: This will only return a proper result on a T2 or Apple Silicon Macs. check: | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full" result: @@ -15,6 +15,11 @@ fix: | references: cce: - CCE-85376-2 + 800-53r5: + - SI-7 + - SI-7(1) + - SI-7(5) + - SI-6 800-53r4: - SI-6 srg: @@ -26,6 +31,8 @@ references: macOS: - "11.0" tags: + - 800-53r5_high + - 800-53r5_moderate - 800-53r4_high mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml new file mode 100644 index 00000000..2c6c751e --- /dev/null +++ b/rules/os/os_secure_enclave.yaml @@ -0,0 +1,35 @@ +id: os_secure_enclave +title: "Protected Storage for Cryptographic Keys" +discussion: | + A system _IS_ configured to provide protected storage for cryptographic keys either by hardware protected key store or an organizationally defined safeguard. + + Macs with Apple Silicon or T2 processors provide protected storage for cryptographic keys via the secure enclave. + + link:https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1[] + + NOTE: This will only return a proper result on a T2 or Apple Silicon Macs. +check: | + /usr/sbin/ioreg -w 0 -c AppleSEPManager | /usr/bin/grep -q 'AppleSEPManager'; /bin/echo $? +result: + integer: 0 +fix: | + The hardware does not support the requirement. +references: + cce: + - CCE-85471-1 + cci: + - N/A + 800-53r5: + - SC-28(3) + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - inherent +mobileconfig: false +mobileconfig_info: 
diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml index c7b603ad..f0d4e907 100644 --- a/rules/os/os_secure_name_resolution.yaml +++ b/rules/os/os_secure_name_resolution.yaml @@ -2,6 +2,8 @@ id: os_secure_name_resolution title: "Secure Name Address Resolution Service" discussion: | The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. + + NOTE: macOS supports encrypted DNS settings with the com.apple.dnsSettings.managed payload, however, the system must be integrated with a DNS server that supports encrypted DNS. link:https://developer.apple.com/documentation/devicemanagement/dnssettings[] check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | @@ -14,6 +16,8 @@ references: - CCI-002466 - CCI-002467 - CCI-002468 + 800-53r5: + - SC-21 800-53r4: - SC-21 disa_stig: @@ -26,10 +30,13 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 - permanent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_separate_functionality.yaml b/rules/os/os_separate_functionality.yaml index 04a68c86..1e8beff9 100644 --- a/rules/os/os_separate_functionality.yaml +++ b/rules/os/os_separate_functionality.yaml @@ -17,6 +17,9 @@ references: - CCE-85377-0 cci: - CCI-001082 + 800-53r5: + - SC-2 + - MA-4(1) 800-53r4: - SC-2 disa_stig: @@ -28,10 +31,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index cd545236..2f6c2c4a 100644 --- a/rules/os/os_sip_enable.yaml 
+++ b/rules/os/os_sip_enable.yaml @@ -4,6 +4,8 @@ discussion: | System Integrity Protection (SIP) _MUST_ be enabled. SIP is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended modifications to protected files and folders; ensures the presence of an audit record generation capability for defined auditable events for all operating system components; protects audit tools from unauthorized access, modification, and deletion; restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS; and prevents non-privileged users from granting other users direct access to the contents of their home directories and folders. + + NOTE: SIP is enabled by default in macOS. check: | /usr/bin/csrutil status | /usr/bin/grep -c 'System Integrity Protection status: enabled.' result: @@ -33,6 +35,15 @@ references: - CCI-001880 - CCI-001881 - CCI-001882 + 800-53r5: + - AC-3 + - AU-9 + - AU-9(3) + - CM-5 + - CM-5(6) + - SC-4 + - SI-2 + - SI-7 800-53r4: - AC-3 - AU-6(4) @@ -71,11 +82,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml index a2e4b0f8..0f6fb0df 100644 --- a/rules/os/os_siri_prompt_disable.yaml +++ b/rules/os/os_siri_prompt_disable.yaml @@ -16,8 +16,13 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - CM-7 + - CM-7(1) 800-53r4: - CM-7 + - CM-7(1) - AC-20 srg: - SRG-OS-000095-GPOS-00049 @@ -30,11 +35,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true 
diff --git a/rules/os/os_ssh_fips_140_ciphers.yaml b/rules/os/os_ssh_fips_140_ciphers.yaml index 5d8dbcce..5da0e13c 100644 --- a/rules/os/os_ssh_fips_140_ciphers.yaml +++ b/rules/os/os_ssh_fips_140_ciphers.yaml @@ -22,6 +22,11 @@ references: - CCE-85382-0 cci: - N/A + 800-53r5: + - AC-17(2) + - IA-7 + - SC-13 + - SC-8(1) 800-53r4: - AC-17(2) - IA-7 @@ -38,10 +43,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r5_low - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_ssh_fips_140_macs.yaml b/rules/os/os_ssh_fips_140_macs.yaml index 448ac475..a4daf30b 100644 --- a/rules/os/os_ssh_fips_140_macs.yaml +++ b/rules/os/os_ssh_fips_140_macs.yaml @@ -26,6 +26,11 @@ references: - CCI-000803 - CCI-002890 - CCI-003123 + 800-53r5: + - AC-17(2) + - IA-7 + - SC-13 + - SC-8(1) 800-53r4: - AC-17(2) - IA-7 @@ -47,11 +52,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r5_low - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml index 541bd5fd..505454cd 100644 --- a/rules/os/os_ssh_server_alive_count_max_configure.yaml +++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml @@ -18,6 +18,8 @@ references: - CCE-85380-4 cci: - N/A + 800-53r5: + - SC-10 800-53r4: - SC-10 srg: @@ -29,10 +31,11 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml index 5a8a3906..8ad42aa6 100644 --- a/rules/os/os_ssh_server_alive_interval_configure.yaml +++ b/rules/os/os_ssh_server_alive_interval_configure.yaml @@ -20,6 +20,9 @@ references: - CCE-85381-2 cci: - N/A + 800-53r5: + - SC-10 + - AC-12 800-53r4: - SC-10 srg: @@ -31,10 +34,11 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml index e676b9af..fff86444 100644 --- a/rules/os/os_sshd_client_alive_count_max_configure.yaml +++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml @@ -18,6 +18,8 @@ references: - CCE-85456-2 cci: - CCI-001133 + 800-53r5: + - SC-10 800-53r4: - SC-10 srg: diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml index 50857f76..1699918d 100644 --- a/rules/os/os_sshd_client_alive_interval_configure.yaml +++ b/rules/os/os_sshd_client_alive_interval_configure.yaml @@ -20,6 +20,9 @@ references: - CCE-85457-0 cci: - CCI-001133 + 800-53r5: + - SC-10 + - AC-12 800-53r4: - SC-10 srg: diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml index 1319acf1..f87ae85c 100644 --- a/rules/os/os_sshd_fips_140_ciphers.yaml +++ b/rules/os/os_sshd_fips_140_ciphers.yaml 
@@ -7,7 +7,7 @@ discussion: | Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. - NOTE: /etc/ssh/sshd_config will be a + NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | /usr/bin/grep -c "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/sshd_config result: @@ -26,6 +26,11 @@ references: - CCI-000087 - CCI-003123 - CCI-002890 + 800-53r5: + - AC-17(2) + - IA-7 + - SC-13 + - SC-8(1) 800-53r4: - AC-17(2) - IA-7 diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml index 0a00f81b..b4c5ebd2 100644 --- a/rules/os/os_sshd_fips_140_macs.yaml +++ b/rules/os/os_sshd_fips_140_macs.yaml @@ -26,6 +26,11 @@ references: - CCI-000803 - CCI-002890 - CCI-003123 + 800-53r5: + - AC-17(2) + - IA-7 + - SC-13 + - SC-8(1) 800-53r4: - AC-17(2) - IA-7 diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml index 87bb0fb0..541aa039 100644 --- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml +++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml @@ -17,17 +17,21 @@ result: fix: | [source,bash] ---- - /usr/bin/sed -i.bak 's/.*KexAlgorithms.*/KexAlgorithms diffie-hellman-group-exchange-sha256/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd + /usr/bin/grep -q '^KexAlgorithms' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.*KexAlgorithms.*/KexAlgorithms diffie-hellman-group-exchange-sha256/' /etc/ssh/sshd_config || /bin/echo 'KexAlgorithms diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd ---- references: cce: - - N/A + - CCE-85472-9 cci: - CCI-000803 - CCI-000068 - CCI-000087 - CCI-003123 - CCI-002890 + 800-53r5: + - AC-17(2) + - IA-7 + - MA-4(6) 800-53r4: - IA-7 - AC-17(2) 
diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml index 7c355f91..f8abc27d 100644 --- a/rules/os/os_sshd_login_grace_time_configure.yaml +++ b/rules/os/os_sshd_login_grace_time_configure.yaml @@ -18,6 +18,8 @@ references: - CCE-85384-6 cci: - CCI-001133 + 800-53r5: + - SC-10 800-53r4: - SC-10 srg: diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml index f45eaf5d..09f6583c 100644 --- a/rules/os/os_sshd_permit_root_login_configure.yaml +++ b/rules/os/os_sshd_permit_root_login_configure.yaml @@ -11,7 +11,6 @@ check: | result: integer: 1 fix: | - To ensure that "PermitRootLogin" is set disabled by sshd, run the following command: [source,bash] ---- /usr/bin/sed -i.bak 's/^[\#]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd @@ -21,6 +20,8 @@ references: - CCE-85385-3 cci: - CCI-000770 + 800-53r5: + - IA-2(5) 800-53r4: - IA-2(5) srg: diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml index 1192dc1c..1e89338f 100644 --- a/rules/os/os_store_encrypted_passwords.yaml +++ b/rules/os/os_store_encrypted_passwords.yaml @@ -15,6 +15,9 @@ references: - CCE-85386-1 cci: - CCI-000196 + 800-53r5: + - IA-5(1) + - IA-5(1)(c) 800-53r4: - IA-5(1) - IA-5(1)(c) @@ -30,11 +33,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_sudoers_tty_configure.yaml b/rules/os/os_sudoers_tty_configure.yaml index 0d137f92..f1994b08 100644 --- a/rules/os/os_sudoers_tty_configure.yaml +++ b/rules/os/os_sudoers_tty_configure.yaml @@ -18,6 +18,9 @@ references: - CCE-85387-9 cci: - CCI-000366 + 800-53r5: + - CM-5(1) + - IA-11 800-53r4: - IA-11 srg: 
@@ -27,6 +30,9 @@ references: macOS: - "11.0" tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - cnssi-1253 - stig severity: "high" diff --git a/rules/os/os_system_log_files_owner_group_configure.yaml b/rules/os/os_system_log_files_owner_group_configure.yaml deleted file mode 100644 index dce23950..00000000 --- a/rules/os/os_system_log_files_owner_group_configure.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -id: os_system_log_files_owner_group_configure -title: "Configure System Log Files to be Owned by Root and Group-Owned by Wheel or Admin" -discussion: | - System logs should only be readable by root or admin users. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct owner mitigates this risk. -check: | - Some system log files are controlled by "newsyslog" and "aslmanager". - - The following commands check for log files that exist on the system and print the path to the log with the corresponding ownership. Run them from inside "/var/log". - - /usr/bin/sudo stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null - /usr/bin/sudo stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null - - Each command may return zero or more files. - - If there are any system log files that are not owned by "root" and group-owned by "wheel" or admin, this is a finding. - - Service logs may be owned by the service user account or group. -fix: | - For any log file that returns an incorrect owner or group value, run the following command: - - /usr/bin/sudo chown root:wheel [log file] - - [log file] is the full path to the log file in question. If the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and ensure that the owner:group column is set to "root:wheel" or the appropriate service user account and group. - - If the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and ensure that "uid" and "gid" options are either not present or are set to a service user account and group respectively. 
-references: - cce: - - N/A - cci: - - CCI-001314 - 800-53r4: - - SI-11 - srg: - - SRG-OS-000206-GPOS-00084 - disa_stig: - - APPL-11-004001 - 800-171r2: - - N/A -macOS: - - "11.0" -tags: - - manual - - stig -severity: "medium" -mobileconfig: false -mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_system_log_files_permissions_configure.yaml b/rules/os/os_system_log_files_permissions_configure.yaml deleted file mode 100644 index 35497d6c..00000000 --- a/rules/os/os_system_log_files_permissions_configure.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -id: os_system_log_files_permissions_configure -title: "Configure System Log Files set to mode 640 or less permissive." -discussion: | - System logs should only be readable by root or admin users. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk. -check: | - The following commands check for log files that exist on the system and print the path to the log with the corresponding permissions. Run them from inside "/var/log": - - /usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null - - /usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null - - Each command may return zero or more files. If the permissions on log files are not "640" or less permissive, this is a finding. -fix: | - For any log file that returns an incorrect permission value, run the following command: - - /usr/bin/sudo chmod 640 [log file] - - [log file] is the full path to the log file in question. If the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and edit the mode column to be "640" or less permissive. - - If the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and add or edit the mode option to be "mode=0640" or less permissive. -references: - cce: - - N/A - cci: - - CCI-001314 - 800-53r4: - - SI-11 - srg: - - SRG-OS-000206-GPOS-00084 - disa_stig: - - APPL-11-004002 - 800-171r2: - - N/A -macOS: - - "11.0" -tags: - - manual - - stig -severity: "medium" -mobileconfig: false -mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml index 622617ae..cbd9a5d0 100644 --- a/rules/os/os_system_read_only.yaml +++ b/rules/os/os_system_read_only.yaml 
@@ -2,6 +2,8 @@ id: os_system_read_only title: "Ensure System Volume is Read Only" discussion: | The System volume _MUST_ be mounted as read-only in order to ensure that configurations critical to the integrity of the macOS have not been compromised. System Integrity Protection (SIP) will prevent the system volume from being mounted as writable. + + NOTE: The system volume is read only by default in macOS. check: | /usr/sbin/system_profiler SPStorageDataType | /usr/bin/awk '/Mount Point: \/$/{x=NR+2}(NR==x){print $2}' result: @@ -13,6 +15,10 @@ references: - CCE-85388-7 cci: - N/A + 800-53r5: + - SC-34 + - MA-4(1) + - SI-7 800-53r4: - SC-34 - SI-7 @@ -23,6 +29,8 @@ references: macOS: - "11.0" tags: + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high mobileconfig: false diff --git a/rules/os/os_terminate_session.yaml b/rules/os/os_terminate_session.yaml index 48d82f12..b80e8b5e 100644 --- a/rules/os/os_terminate_session.yaml +++ b/rules/os/os_terminate_session.yaml @@ -11,6 +11,8 @@ references: - CCE-85390-3 cci: - CCI-000879 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index 392d993f..8d8b6582 100644 --- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml @@ -4,6 +4,8 @@ discussion: | If the system does not require Trivial File Tansfer Protocol (TFTP), support it is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. + + NOTE: TFTP service is disabled at startup by default macOS. check: | /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.tftpd" => true' result: @@ -19,6 +21,10 @@ references: - CCE-85391-1 cci: - CCI-000197 + 800-53r5: + - AC-3 + - IA-5(1) + - AC-17 800-53r4: - AC-3 - IA-5(1) 
@@ -32,11 +38,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "high" mobileconfig: false diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml index 98593028..ccca9d64 100644 --- a/rules/os/os_time_server_enabled.yaml +++ b/rules/os/os_time_server_enabled.yaml @@ -2,6 +2,8 @@ id: os_time_server_enabled title: "Enable Time Synchronization Daemon" discussion: | The macOS time synchronization daemon (timed) _MUST_ be enabled for proper time synchronization to an authorized time server. + + NOTE: The time synchronization daemon is enabled by default on macOS. check: | /bin/launchctl list | /usr/bin/grep -c com.apple.timed result: @@ -17,6 +19,9 @@ references: cci: - CCI-001891 - CCI-002046 + 800-53r5: + - AU-12(1) + - SC-45(1) 800-53r4: - AU-8(1) srg: @@ -31,6 +36,9 @@ macOS: tags: - 800-171 - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - stig diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml index 41c2825d..9f3693c8 100644 --- a/rules/os/os_touchid_prompt_disable.yaml +++ b/rules/os/os_touchid_prompt_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85393-7 cci: - N/A + 800-53r5: + - CM-6 800-53r4: - CM-6 srg: @@ -27,11 +29,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.SetupAssistant.managed: diff --git a/rules/os/os_unique_identification.yaml b/rules/os/os_unique_identification.yaml index fa7b9d86..d3111b2c 100644 --- a/rules/os/os_unique_identification.yaml +++ b/rules/os/os_unique_identification.yaml 
@@ -1,7 +1,7 @@ id: os_unique_identification -title: "Identify and authenticate organizational users and processes" +title: "Uniquely Identify Users and Processes" discussion: | - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). + The macOS is a UNIX 03-compliant operating system. The system uniquely identifies and authenticates organizational users or processes. check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | @@ -11,6 +11,8 @@ references: - CCE-85394-5 cci: - CCI-000764 + 800-53r5: + - IA-4 800-53r4: - N/A disa_stig: @@ -20,6 +22,9 @@ references: macOS: - "11.0" tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml index 6626ce64..6f75ecb9 100644 --- a/rules/os/os_unlock_active_user_session_disable.yaml +++ b/rules/os/os_unlock_active_user_session_disable.yaml @@ -18,6 +18,9 @@ references: - CCE-85395-2 cci: - N/A + 800-53r5: + - IA-2 + - IA-2(5) 800-53r4: - IA-2 - IA-2(5) @@ -33,10 +36,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml index 1898f8c9..3238978c 100644 --- a/rules/os/os_user_app_installation_prohibit.yaml +++ b/rules/os/os_user_app_installation_prohibit.yaml @@ -15,6 +15,8 @@ references: - CCE-85396-0 cci: - CCI-001812 + 800-53r5: + - CM-11(2) 800-53r4: - CM-11(2) srg: 
diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml index 27a4f51f..25c8a77e 100644 --- a/rules/os/os_uucp_disable.yaml +++ b/rules/os/os_uucp_disable.yaml @@ -4,6 +4,8 @@ discussion: | The system _MUST_ not have the Unix-to-Unix Copy Protocol (UUCP) service active. UUCP, a set of programs that enable the sending of files between different UNIX systems as well as sending commands to be executed on another system, is not essential and _MUST_ be disabled in order to prevent the unauthorized connection of devices, transfer of information, and tunneling. + + NOTE: UUCP service is disabled at startup by default macOS. check: | /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.uucp" => true' result: @@ -19,6 +21,9 @@ references: - CCE-85397-8 cci: - CCI-000381 + 800-53r5: + - AC-3 + - AC-17 800-53r4: - AC-3 srg: @@ -31,11 +36,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_verify_remote_disconnection.yaml b/rules/os/os_verify_remote_disconnection.yaml index cc672036..0f5edc3e 100644 --- a/rules/os/os_verify_remote_disconnection.yaml +++ b/rules/os/os_verify_remote_disconnection.yaml @@ -11,6 +11,8 @@ references: - CCE-85398-6 cci: - CCI-002891 + 800-53r5: + - MA-4(7) 800-53r4: - MA-4(7) disa_stig: diff --git a/rules/pwpolicy/pwpolicy_50_percent.yaml b/rules/pwpolicy/pwpolicy_50_percent.yaml index cfe5d1cc..cc31c6c5 100644 --- a/rules/pwpolicy/pwpolicy_50_percent.yaml +++ b/rules/pwpolicy/pwpolicy_50_percent.yaml @@ -15,6 +15,8 @@ references: - CCE-85399-4 cci: - CCI-000195 + 800-53r5: + - N/A 800-53r4: - IA-5 - IA-5(1)(b) @@ -40,4 +42,4 @@ tags: - 800-53r4_high - permanent mobileconfig: false -mobileconfig_info: +mobileconfig_info: \ No newline at end of file 
diff --git a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml index 1994cbb6..e7a6a1de 100644 --- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml @@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to enforce a maximum password lifetime limit of at least 60 days. This rule ensures that users are forced to change their passwords frequently enough to prevent malicious users from gaining and maintaining access to the system. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/awk -F " = " '/maxPINAgeInDays/{sub(/;.*/,"");print $2}' result: @@ -15,6 +17,8 @@ references: - CCE-85400-0 cci: - CCI-000199 + 800-53r5: + - IA-5 800-53r4: - IA-5 - IA-5(1) @@ -37,6 +41,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml index 66a7d869..35bc8d62 100644 --- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml @@ -39,7 +39,9 @@ references: - CCE-85401-8 cci: - CCI-000795 - 800-53r4: + 800-53r5: + - AC-2(3) + 800-53r4: - IA-4 srg: - SRG-OS-000118-GPOS-00060 @@ -56,5 +58,7 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_moderate + - 800-53r5_high mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml index 4dba6335..ffdfa618 100644 
--- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml @@ -15,6 +15,8 @@ references: - CCE-85402-6 cci: - CCI-002238 + 800-53r5: + - AC-7 800-53r4: - AC-7 srg: @@ -31,6 +33,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml index 40147262..0722a555 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml @@ -15,6 +15,8 @@ references: - CCE-85403-4 cci: - CCI-002238 + 800-53r5: + - AC-7 800-53r4: - AC-7 srg: @@ -31,6 +33,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml index f43078ea..eda7a76c 100644 --- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml @@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to require at least one numeric character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c "requireAlphanumeric = 1;" result: 
@@ -15,6 +17,8 @@ references: - CCE-85404-2 cci: - CCI-000194 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5 - IA-5(1) @@ -37,6 +41,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml index 82d54f1b..33278ea4 100644 --- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml @@ -19,6 +19,8 @@ references: - CCE-85405-9 cci: - N/A + 800-53r5: + - AC-2(2) 800-53r4: - AC-2(2) srg: @@ -28,9 +30,11 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml index b2d8aeeb..656802e2 100644 --- a/rules/pwpolicy/pwpolicy_force_password_change.yaml +++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml @@ -5,7 +5,7 @@ discussion: | Temporary passwords are often used for new users when accounts are created. However, once logged in to the system, users must be immediately prompted to change to a permanent password of their creation. - To for a user to change their password at next logon, run the following command: + For a user to change their password at next logon, run the following command: [source,bash] ---- /usr/bin/pwpolicy -u [USER] -setpolicy "newPasswordRequired=1" @@ -20,6 +20,8 @@ references: - CCE-85406-7 cci: - CCI-002041 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5 - IA-5(1) @@ -42,6 +44,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - inherent mobileconfig: false mobileconfig_info: 
diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml index 2b494e4c..b213e639 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml @@ -6,6 +6,8 @@ discussion: | This rule ensures that users are not allowed to re-use a password that was used in any of the five previous password generations. Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/awk '/pinHistory/{sub(/;.*/,"");print $3}' result: @@ -16,7 +18,9 @@ references: cce: - CCE-85407-5 cci: - - CCI-000200 + - CCI-000200 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5(1) srg: @@ -36,6 +40,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index 66d98344..a64bebe4 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml 
@@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to require at least one lower-case character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="minimumAlphaCharactersLowerCase"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}' result: @@ -38,7 +40,9 @@ references: cce: - CCE-85408-3 cci: - - CCI-000193 + - CCI-000193 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5 - IA-5(1) @@ -61,6 +65,8 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high - + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index dde1ed7b..36c289ab 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml 
@@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to require a minimum of 15 characters be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'minLength = 15' result: @@ -15,6 +17,8 @@ references: - CCE-85409-1 cci: - CCI-000205 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5 - IA-5(1) @@ -37,6 +41,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index 07e02bbe..6da78676 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml @@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to enforce a minimum password lifetime limit of 24 hours. This rule discourages users from cycling through their previous passwords to get back to a preferred one. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="policyAttributeMinimumLifetimeHours"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}' result: 
@@ -39,6 +41,8 @@ references: - CCE-85410-9 cci: - N/A + 800-53r5: + - IA-5 800-53r4: - IA-5(1) disa_stig: @@ -58,5 +62,8 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml index 6b1e7e48..880dcc8f 100644 --- a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml +++ b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml @@ -15,6 +15,8 @@ references: - CCE-85411-7 cci: - CCI-000366 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml index 54d07251..34bafa66 100644 --- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml +++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml @@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to prohibit the use of repeating, ascending, and descending character sequences when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowSimple = 0' result: @@ -15,6 +17,8 @@ references: - CCE-85412-5 cci: - N/A + 800-53r5: + - IA-5(1) 800-53r4: - IA-5 - IA-5(1) @@ -37,6 +41,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high mobileconfig: true mobileconfig_info: com.apple.mobiledevice.passwordpolicy: 
diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index c5779612..006ed359 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml @@ -6,6 +6,8 @@ discussion: | Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/awk '/minComplexChars/{sub(/;.*/,"");print $3}' result: @@ -17,6 +19,8 @@ references: - CCE-85413-3 cci: - CCI-001619 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5 - IA-5(1) @@ -39,6 +43,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml index 3c483fc4..6d4e2182 100644 --- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml @@ -17,6 +17,8 @@ references: - CCE-85414-1 cci: - N/A + 800-53r5: + - AC-2(2) 800-53r4: - AC-2(2) srg: @@ -26,9 +28,11 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml index ade2d353..3cf04045 100644 --- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml @@ -25,7 +25,7 @@ check: | To check if the password policy is configured to disable a temporary or emergency account after 72 hours, run the following command to output the password policy to the screen, substituting the correct user name in place of username: - /usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2 + /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2 If there is no output, and password policy is not controlled by a directory service, this is a finding. @@ -53,13 +53,15 @@ fix: | After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the correct user name in place of "username" and the path to the file in place of "/path/to/file". - /usr/bin/sudo /usr/bin/pwpolicy -u username setaccountpolicies /path/to/file + /usr/bin/pwpolicy -u username setaccountpolicies /path/to/file references: cce: - CCE-85414-1 cci: - CCI-000016 - CCI-001682 + 800-53r5: + - AC-2(2) 800-53r4: - AC-2(2) srg: @@ -70,6 +72,10 @@ references: macOS: - "11.0" tags: + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high - manual - stig severity: "medium" diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index 05f30e8f..5403020e 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml 
@@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to require at least one uppercase character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="minimumAlphaCharactersUpperCase"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}' result: @@ -39,6 +41,8 @@ references: - CCE-85415-8 cci: - CCI-000192 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5 - IA-5(1) @@ -61,5 +65,8 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/supplemental/supplemental_controls.yaml b/rules/supplemental/supplemental_controls.yaml index ba0a2a8f..e797d7c5 100644 --- a/rules/supplemental/supplemental_controls.yaml +++ b/rules/supplemental/supplemental_controls.yaml 
@@ -1,9 +1,9 @@ id: supplemental_controls title: "Out of Scope Supplemental" discussion: | - There are several requirements defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 4 that can be met by making configuration changes to the operating system. However, NIST SP 800-53 (Rev. 4) contains a broad set of guidelines that attempt to address all aspects of an information system or systems within an organization. Because the macOS Security Compliance Project is tailored specifically to macOS, some requirements defined in NIST SP 800-53 (Rev. 4) are not applicable. + There are several requirements defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 that can be met by making configuration changes to the operating system. However, NIST SP 800-53 (Rev. 5) contains a broad set of guidelines that attempt to address all aspects of an information system or systems within an organization. Because the macOS Security Compliance Project is tailored specifically to macOS, some requirements defined in NIST SP 800-53 (Rev. 5) are not applicable. - This supplemental contains those controls that are assigned to a baseline in NIST SP 800-53 (Rev. 4) which cannot be addressed with a technical configuration for macOS. These controls can be accomplished though administrative or procedural processes within an organization or via integration of the macOS system into enterprise information systems which are configured to protect the systems within. + This supplemental contains those controls that are assigned to a baseline in NIST SP 800-53 (Rev. 5) which cannot be addressed with a technical configuration for macOS. 
These controls can be accomplished though administrative or procedural processes within an organization or via integration of the macOS system into enterprise information systems which are configured to protect the systems within. [cols="15%h, 85%a"] |=== @@ -12,7 +12,7 @@ discussion: | |Access Control (AC) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/AC-1[AC-1], link:https://nvd.nist.gov/800-53/Rev4/control/AC-2[AC-2], link:https://nvd.nist.gov/800-53/Rev4/control/AC-14[AC-14], link:https://nvd.nist.gov/800-53/Rev4/control/AC-17?#enhancement-4[AC-17(4)], link:https://nvd.nist.gov/800-53/Rev4/control/AC-22[AC-22] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-1[AC-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-2[AC-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-3[AC-3(14)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-14[AC-14], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-17[AC-17(4)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-22[AC-22] |=== 
@@ -23,7 +23,7 @@ discussion: | |Awareness and Training (AT) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/AT-1[AT-1], link:https://nvd.nist.gov/800-53/Rev4/control/AT-2[AT-2], link:https://nvd.nist.gov/800-53/Rev4/control/AT-3[AT-3], link:https://nvd.nist.gov/800-53/Rev4/control/AT-4[AT-4] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-1[AT-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-2[AT-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-3[AT-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-4[AT-4] |=== [cols="15%h, 85%a"] @@ -33,7 +33,7 @@ discussion: | |Audit and Accountability (AU) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/AU-1[AU-1], link:https://nvd.nist.gov/800-53/Rev4/control/AU-6[AU-6] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-1[AU-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-6[AU-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-9[AU-9(2)] |=== [cols="15%h, 85%a"] 
@@ -43,7 +43,7 @@ discussion: | |Security Assessment and Authorization (CA) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/CA-1[CA-1], link:https://nvd.nist.gov/800-53/Rev4/control/CA-2[CA-2], link:https://nvd.nist.gov/800-53/Rev4/control/CA-3[CA-3], link:https://nvd.nist.gov/800-53/Rev4/control/CA-5[CA-5], link:https://nvd.nist.gov/800-53/Rev4/control/CA-6[CA-6], link:https://nvd.nist.gov/800-53/Rev4/control/CA-7[CA-7], link:https://nvd.nist.gov/800-53/Rev4/control/CA-9[CA-9] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-1[CA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-2[CA-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-3[CA-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-3[CA-3(6)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-5[CA-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-6[CA-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-7[CA-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-7[CA-7(4)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-9[CA-9] |=== [cols="15%h, 85%a"] 
@@ -53,7 +53,7 @@ discussion: | |Configuration Management (CM) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/CM-1[CM-1], link:https://nvd.nist.gov/800-53/Rev4/control/CM-4[CM-4], link:https://nvd.nist.gov/800-53/Rev4/control/CM-8[CM-8], link:https://nvd.nist.gov/800-53/Rev4/control/CM-10[CM-10], link:https://nvd.nist.gov/800-53/Rev4/control/CM-11[CM-11] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-1[CM-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-4[CM-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-8[CM-8], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-10[CM-10], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-11[CM-11] |=== [cols="15%h, 85%a"] 
@@ -63,7 +63,7 @@ discussion: | |Contingency Planning (CP) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/CP-1[CP-1], link:https://nvd.nist.gov/800-53/Rev4/control/CP-2[CP-2], link:https://nvd.nist.gov/800-53/Rev4/control/CP-3[CP-3], link:https://nvd.nist.gov/800-53/Rev4/control/CP-4[CP-4], link:https://nvd.nist.gov/800-53/Rev4/control/CP-9[CP-9], link:https://nvd.nist.gov/800-53/Rev4/control/CP-10[CP-10] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-1[CP-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-2[CP-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-3[CP-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-4[CP-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-9[CP-9], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-10[CP-10] |=== [cols="15%h, 85%a"] 
@@ -73,7 +73,7 @@ discussion: | |Identification and Authentication (IA) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/IA-1[IA-1], link:https://nvd.nist.gov/800-53/Rev4/control/IA-8?#enhancement-1[IA-8(1)], link:https://nvd.nist.gov/800-53/Rev4/control/IA-8?#enhancement-2[IA-8(2)], link:https://nvd.nist.gov/800-53/Rev4/control/IA-8?#enhancement-3[IA-8(3)], link:https://nvd.nist.gov/800-53/Rev4/control/IA-8?#enhancement-4[IA-8(4)] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-1[IA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(1)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(2)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(3)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(4)] |=== [cols="15%h, 85%a"] 
@@ -83,7 +83,7 @@ discussion: | |Incident Response (IR) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/IR-1[IR-1], link:https://nvd.nist.gov/800-53/Rev4/control/IR-2[IR-2], link:https://nvd.nist.gov/800-53/Rev4/control/IR-4[IR-4], link:https://nvd.nist.gov/800-53/Rev4/control/IR-5[IR-5], link:https://nvd.nist.gov/800-53/Rev4/control/IR-6[IR-6], link:https://nvd.nist.gov/800-53/Rev4/control/IR-7[IR-7], link:https://nvd.nist.gov/800-53/Rev4/control/IR-8[IR-8], + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-1[IR-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-2[IR-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-4[IR-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-5[IR-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-6[IR-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-7[IR-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-8[IR-8] |=== [cols="15%h, 85%a"] 
@@ -93,7 +93,7 @@ discussion: | |Maintenance (MA) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/MA-1[MA-1], link:https://nvd.nist.gov/800-53/Rev4/control/MA-2[MA-2], link:https://nvd.nist.gov/800-53/Rev4/control/MA-5[MA-5] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-1[MA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-2[MA-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-5[MA-5] |=== [cols="15%h, 85%a"] @@ -103,7 +103,7 @@ discussion: | |Media Protection (MP) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/MP-1[MP-1], link:https://nvd.nist.gov/800-53/Rev4/control/MP-2[MP-2], link:https://nvd.nist.gov/800-53/Rev4/control/MP-6[MP-6], link:https://nvd.nist.gov/800-53/Rev4/control/MP-7[MP-7] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-1[MP-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-2[MP-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-6[MP-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-7[MP-7] |=== [cols="15%h, 85%a"] 
@@ -113,7 +113,7 @@ discussion: | |Physical and Environmental Protection (PE) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/PE-1[PE-1], link:https://nvd.nist.gov/800-53/Rev4/control/PE-2[PE-2], link:https://nvd.nist.gov/800-53/Rev4/control/PE-3[PE-3], link:https://nvd.nist.gov/800-53/Rev4/control/PE-6[PE-6], link:https://nvd.nist.gov/800-53/Rev4/control/PE-8[PE-8], link:https://nvd.nist.gov/800-53/Rev4/control/PE-12[PE-12], link:https://nvd.nist.gov/800-53/Rev4/control/PE-13[PE-13], link:https://nvd.nist.gov/800-53/Rev4/control/PE-14[PE-14], link:https://nvd.nist.gov/800-53/Rev4/control/PE-15[PE-15], link:https://nvd.nist.gov/800-53/Rev4/control/PE-16[PE-16] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-1[PE-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-2[PE-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-3[PE-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-6[PE-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-8[PE-8], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-12[PE-12], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-13[PE-13], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-14[PE-14], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-15[PE-15], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-16[PE-16] |=== [cols="15%h, 85%a"] 
@@ -123,7 +123,7 @@ discussion: | |Planning (PL) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/PL-1[PL-1], link:https://nvd.nist.gov/800-53/Rev4/control/PL-2[PL-2], link:https://nvd.nist.gov/800-53/Rev4/control/PL-4[PL-4] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-1[PL-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-2[PL-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-4[PL-4] |=== [cols="15%h, 85%a"] 
@@ -134,7 +134,7 @@ discussion: | |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/PS-1[PS-1], link:https://nvd.nist.gov/800-53/Rev4/control/PS-2[PS-2], link:https://nvd.nist.gov/800-53/Rev4/control/PS-3[PS-3], link:https://nvd.nist.gov/800-53/Rev4/control/PS-4[PS-4], link:https://nvd.nist.gov/800-53/Rev4/control/PS-5[PS-5], link:https://nvd.nist.gov/800-53/Rev4/control/PS-6[PS-6], link:https://nvd.nist.gov/800-53/Rev4/control/PS-7[PS-7], link:https://nvd.nist.gov/800-53/Rev4/control/PS-8[PS-8] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-1[PS-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-2[PS-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-3[PS-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-4[PS-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-5[PS-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-6[PS-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-7[PS-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-8[PS-8] |=== [cols="15%h, 85%a"] 
@@ -144,7 +144,7 @@ discussion: | |Risk Assessment (RA) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/RA-1[RA-1], link:https://nvd.nist.gov/800-53/Rev4/control/RA-2[RA-2], link:https://nvd.nist.gov/800-53/Rev4/control/RA-3[RA-3], link:https://nvd.nist.gov/800-53/Rev4/control/RA-5[RA-5] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-1[RA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-2[RA-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-3[RA-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-5[RA-5] |=== [cols="15%h, 85%a"] 
@@ -154,7 +154,7 @@ discussion: | |System and Services Acquisition (SA) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/SA-1[SA-1], link:https://nvd.nist.gov/800-53/Rev4/control/SA-2[SA-2], link:https://nvd.nist.gov/800-53/Rev4/control/SA-3[SA-3], link:https://nvd.nist.gov/800-53/Rev4/control/SA-4[SA-4], link:https://controlfreak.risk-redux.io/controls/SA-4%20(10)[SA-4(10)], link:https://nvd.nist.gov/800-53/Rev4/control/SA-5[SA-5], link:https://nvd.nist.gov/800-53/Rev4/control/SA-9[SA-9] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-1[SA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-2[SA-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-3[SA-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-4[SA-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-4[SA-4(10)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-5[SA-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-9[SA-9] |=== [cols="15%h, 85%a"] 
@@ -164,7 +164,7 @@ discussion: | |System and Communications Protection (SC) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/SC-1[SC-1], link:https://nvd.nist.gov/800-53/Rev4/control/SC-12[SC-12], link:https://nvd.nist.gov/800-53/Rev4/control/SC-15[SC-15], link:https://nvd.nist.gov/800-53/Rev4/control/SC-20[SC-20], link:https://nvd.nist.gov/800-53/Rev4/control/SC-22[SC-22], link:https://nvd.nist.gov/800-53/Rev4/control/SC-39[SC-39] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-1[SC-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-7[SC-7(3)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-7[SC-7(7)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-7[SC-7(8)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-7[SC-7(18)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-7[SC-7(21)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-12[SC-12], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-12[SC-12(1)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-20[SC-20], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-22[SC-22], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-23[SC-23] |=== [cols="15%h, 85%a"] 
@@ -174,13 +174,15 @@ discussion: | |System and Information Integrity (SI) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/SI-1[SI-1], link:https://nvd.nist.gov/800-53/Rev4/control/SI-4[SI-4], link:https://nvd.nist.gov/800-53/Rev4/control/SI-5[SI-5], link:https://nvd.nist.gov/800-53/Rev4/control/SI-12[SI-12] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-1[SI-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4(2)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4(4)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4(5)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4(12)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4(14)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4(20)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4(22)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-5[SI-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-7[SI-7(2)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-8[SI-8(2)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-12[SI-12] |=== 
check: | fix: | references: cci: - N/A + 800-53r5: + - N/A 800-53r4: - N/A srg: diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml index 0ecb0270..65e4304d 100644 --- a/rules/supplemental/supplemental_filevault.yaml +++ b/rules/supplemental/supplemental_filevault.yaml 
@@ -4,12 +4,13 @@ discussion: | The supplemental guidance found in this section is applicable for the following rules: * sysprefs_filevault_enforce - In macOS 11 the internal Apple File System (APFS) volume (including both system and data storage) can be protected by FileVault. - NOTE: On non-T2 hardware, FileVault uses an AES-XTS data encryption algorithm to protect full volumes of internal and external storage. Macs with the T2 chip utilize the hardware security features of the chip. + In macOS 11 the internal Apple File System (APFS) data volume can be protected by FileVault. The system volume is always cryptographically protected (T2 and Apple Silicon) and is a read-only volume. + + NOTE: FileVault uses an AES-XTS data encryption algorithm to protect full volumes of internal and external storage. Macs with a secure enclave (T2 and Apple Silicon) utilize the hardware security features of the architecture. - FileVault is described in detail here: link:https://support.apple.com/guide/security/when-filevault-is-turned-on-sec4c6dc1b6e/1/web/1[]. + FileVault is described in detail here: link:https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web[]. - FileVault can be enabled in two ways within the macOS. It can be managed using the fdesetup command or by a Configuration Profile. When enabling FileVault via either of the aforementioned methods, you will be required to enter a username and password, which must be a local OpenDirectory account with a valid SecureToken password. + FileVault can be enabled in two ways within the macOS. It can be managed using the fdesetup command or by a Configuration Profile. When enabling FileVault via either of the aforementioned methods, you will be required to enter a username and password, which must be a local Open Directory account with a valid SecureToken password. [discrete] ==== Using the fdesetup Command 
@@ -18,14 +19,14 @@ discussion: | ---- /usr/bin/fdesetup enable ---- - Running this command will prompt you for a username and password and then enable FileVault and return the personal recovery key. There are a number of management features available when managing FileVault via the command line that are not available when using a configuration profile. More information on these management features is available in the man page for fdesetup. + Running this command will prompt you for a username and password and then enable FileVault and return the personal recovery key. There are a number of management features available when managing FileVault via the command line that are not available when using a configuration profile. More information on these management features is available in the man page for `fdesetup`. - NOTE: Apple has deprecated fdesetup command line tool from recognizing user name and password for security reasons and may remove the ability in future versions of macOS. + NOTE: Apple has deprecated `fdesetup` command line tool from recognizing user name and password for security reasons and may remove the ability in future versions of macOS. [discrete] ==== Using a Configuration Profile - When managing FileVault with a configuration profile, you must deploy a profile with the payload type com.apple.MCX.FileVault2. When using the Enable key to enable FileVault with a configuration profile, you must include 1 of the following: + When managing FileVault with a configuration profile, you must deploy a profile with the payload type `com.apple.MCX.FileVault2`. When using the Enable key to enable FileVault with a configuration profile, you must include 1 of the following: [source,xml] ---- 
@@ -44,7 +45,7 @@ discussion: | If using the Defer key it will prompt for the user name and password at logout. - The UserEntersMissingInfo key will only work if installed through manual installation, and it will prompt for the username and password immediately. + The `UserEntersMissingInfo` key will only work if installed through manual installation, and it will prompt for the username and password immediately. When using a configuration profile, you can escrow the Recovery key to a Mobile Device Management (MDM) server. Documentation for that can be found on Apple’s Developer site: link:https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow[]. @@ -56,6 +57,8 @@ fix: | references: cci: - N/A + 800-53r5: + - N/A 800-53r4: - N/A srg: diff --git a/rules/supplemental/supplemental_firewall_pf.yaml b/rules/supplemental/supplemental_firewall_pf.yaml index 9fe2f03a..4e6729df 100644 --- a/rules/supplemental/supplemental_firewall_pf.yaml +++ b/rules/supplemental/supplemental_firewall_pf.yaml @@ -5,7 +5,7 @@ discussion: | * os_firewall_default_deny_require - macOS contains an application layer firewall (ALF) and a packet filter (PF) firewall. + macOS contains an application layer firewall (ALF) and a packet filter (PF) firewall. * The ALF can block incoming traffic on a per-application basis and prevent applications from gaining control of network ports, but it cannot be configured to block outgoing traffic. ** More information on the ALF can be found here: https://support.apple.com/en-ca/HT201642 
@@ -13,9 +13,9 @@ discussion: | * The PF firewall can manipulate virtually any packet data and is highly configurable. ** More information on the BF firewall can be found here: https://www.openbsd.org/faq/pf/index.html - Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 4). The script will make sure the application layer firewall is enabled, set logging to “detailed”, set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy com.apple.pfctl.plist from /System/Library/LaunchDaemons/ into the /Library/LaunchDaemons folder and name it 800-53.pfctl.plist. This is done to not conflict with the system’s pf ruleset. + Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 5). The script will make sure the application layer firewall is enabled, set logging to “detailed”, set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy `com.apple.pfctl.plis` from `/System/Library/LaunchDaemons/` into the `/Library/LaunchDaemons` folder and name it `800-53.pfctl.plist`. This is done to not conflict with the system’s pf ruleset. - The custom pf rules are created at /etc/pf.anchors/800_53_pf_anchors. + The custom pf rules are created at `/etc/pf.anchors/800_53_pf_anchors`. The ruleset will block connections on the following ports: @@ -95,7 +95,7 @@ discussion: | |=== - For more on configuring the PF firewall check out the man pages on pf.conf and pfctl. + For more on configuring the PF firewall check out the man pages on `pf.conf` and `pfctl`. [source,bash] ---- @@ -106,6 +106,8 @@ fix: | references: cci: - N/A + 800-53r5: + - N/A 800-53r4: - N/A srg: 
diff --git a/rules/supplemental/supplemental_password_policy.yaml b/rules/supplemental/supplemental_password_policy.yaml index 3b1011d8..31ed8d98 100644 --- a/rules/supplemental/supplemental_password_policy.yaml +++ b/rules/supplemental/supplemental_password_policy.yaml @@ -8,7 +8,7 @@ discussion: | * pwpolicy_account_inactivity_enforce * pwpolicy_minimum_lifetime_enforce - Password policies should be enforced as much as possible via Configuration Profiles. However, the following policies are currently not enforceable via Configuration Profiles, and must therefore be enabled using the pwpolicy command: + Password policies should be enforced as much as possible via Configuration Profiles. However, the following policies are currently not enforceable via Configuration Profiles, and must therefore be enabled using the `pwpolicy` command: * Enforcing at least 1 lowercase character * Enforcing at least 1 uppercase character @@ -38,6 +38,8 @@ fix: | references: cci: - N/A + 800-53r5: + - N/A 800-53r4: - N/A srg: diff --git a/rules/supplemental/supplemental_smartcard.yaml b/rules/supplemental/supplemental_smartcard.yaml index a13fc120..abcc7cd0 100644 --- a/rules/supplemental/supplemental_smartcard.yaml +++ b/rules/supplemental/supplemental_smartcard.yaml 
@@ -3,18 +3,18 @@ title: "Smartcard Supplemental" discussion: | The supplemental guidance found in this section is applicable for the following rules: - * auth_ssh_smartcard_enforce + * auth_ssh_password_authentication_disable * auth_smartcard_enforce * auth_smartcard_certificate_trust_enforce_moderate * auth_smartcard_certificate_trust_enforce_high * auth_smartcard_allow * auth_pam_sudo_smartcard_enforce * auth_pam_su_smartcard_enforce - * auth_pam_login_smartcard_enforcelist of Rule IDs + * auth_pam_login_smartcard_enforce macOS supports smartcards, such as U.S. Personal Identity Verification (PIV) cards and U.S. Department of Defense Common Access Cards (CAC). Smartcards can be used on a macOS for the following: - * Authentication (Loginwindow, Screensaver, SSH, PKINIT, Safari, Finder, and PAM Authorization (sudo, login, su) ) + * Authentication (Loginwindow, Screensaver, SSH, PKINIT, Safari, Finder, and PAM Authorization (`sudo`, `login`, and `su`) ) * Digital Encryption * Digital Signing * Remote Access (VPN:L2TP) @@ -29,7 +29,7 @@ discussion: | [discrete] ==== Smartcard Attribute Mapping - Smartcards can be used to authenticate against a directory via attribute mapping configured in /private/etc/SmartcardLogin.plist. This file takes precedence over local account pairing. Attribute mapping matches the configured certificate field values from the smart card to the value in a directory. This may be used with network accounts, mobile accounts, or local accounts. + Smartcards can be used to authenticate against a directory via attribute mapping configured in `/private/etc/SmartcardLogin.plist`. This file takes precedence over local account pairing. Attribute mapping matches the configured certificate field values from the smart card to the value in a directory. This may be used with network accounts, mobile accounts, or local accounts. [discrete] ==== Smartcard Management in macOS 
@@ -80,7 +80,7 @@ discussion: | |=== - A custom configuration profile (com.apple.loginwindow) should be created to disable automatic login when FileVault is enabled. This ensures that authorized users boot their Macs, enter a password at the pre-boot screen (which decrypts the boot volume), and are then presented with a login window where they can authenticate with a smartcard. + A custom configuration profile (`com.apple.loginwindow`) should be created to disable automatic login when FileVault is enabled. This ensures that authorized users boot their Macs, enter a password at the pre-boot screen (which decrypts the boot volume), and are then presented with a login window where they can authenticate with a smartcard. [%header,cols="2,1,7"] |=== @@ -94,9 +94,11 @@ discussion: | |=== + NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon based macOS systems that are smartcard enforced as smartcards are available at pre-boot. + [discrete] ==== Trusted Authorities - The macOS allows users to specify which certificate authorities (CA) can be used for trust evaluation during smartcard authentication. Only CAs listed in the TrustedAuthorities section of the SmartcardLogin.plist will be evaluated as trusted. This setting only works if checkCertificateTrust is set to either 1, 2, or 3 in com.apple.security.smartcard. + The macOS allows users to specify which certificate authorities (CA) can be used for trust evaluation during smartcard authentication. Only CAs listed in the TrustedAuthorities section of the SmartcardLogin.plist will be evaluated as trusted. This setting only works if `checkCertificateTrust` is set to either 1, 2, or 3 in `com.apple.security.smartcard`. To get the SHA-256 hash in the correct format, run the following command within terminal: [source,bash] 
@@ -104,7 +106,7 @@ discussion: | /usr/bin/openssl x509 -noout -fingerprint -sha256 -inform pem -in | /usr/bin/awk -F '=' '{print $2}' | /usr/bin/sed 's/://g' ---- - To configure Trusted Authorities, the SmartcardLogin.plist should be minimally configured as below: + To configure Trusted Authorities, the `SmartcardLogin.plist` should be minimally configured as below: [source,xml] ---- @@ -125,19 +127,21 @@ discussion: | TrustedAuthorities - SHA256_HASH_OF_CERTDOMAIN_1 - SHA256_HASH_OF_CERTDOMAIN_2 + SHA256_HASH_OF_CERTDOMAIN_1,SHA256_HASH_OF_CERTDOMAIN_2 ---- [discrete] - ==== NotEnforcedGroup + ==== Smartcard Enforcement Exemption + + [discrete] + ===== Group Exemption - Starting in macOS 10.15, enforcement on a system can be granularly configured by adding a field to /private/etc/SmartcardLogin.plist. The NotEnforcedGroup can be added to the file to list a Directory group that will not be included in smartcard enforcement. In order to activate this feature, enforceSmartCard and allowUnmappedUsers must be applied via a configuration profile (com.apple.security.smartcard). + Starting in macOS 10.15, enforcement on a system can be granularly configured by adding a field to `/private/etc/SmartcardLogin.plist`. The `NotEnforcedGroup` can be added to the file to list a Directory group that will not be included in smartcard enforcement. In order to activate this feature, `enforceSmartCard` and `allowUnmappedUsers` must be applied via a configuration profile (`com.apple.security.smartcard`). - To configure the NotEnforcedGroup, the SmartcardLogin.plist should be minimally configured as follows: + To configure the `NotEnforcedGroup`, the `SmartcardLogin.plist` should be minimally configured as follows: [source,xml] ---- 
@@ -157,25 +161,66 @@ discussion: | TrustedAuthorities - SHA256_HASH_OF_CERTDOMAIN_1 - SHA256_HASH_OF_CERTDOMAIN_2 + SHA256_HASH_OF_CERTDOMAIN_1,SHA256_HASH_OF_CERTDOMAIN_2 NotEnforcedGroup - GROUPGOESHERE + EXEMPTGROUP ---- - Once a system is configured for the NotEnforcedGroup a user can be added to the assigned group by running the following: + Once a system is configured for the `NotEnforcedGroup` a user can be added to the assigned group by running the following: [source,bash] ---- /usr/sbin/dseditgroup -o edit -a -t user ---- + [discrete] + ===== User Exemption + + Alternatively, if a single user needs to be exempt for a period of time, `kDSNativeAttrTypePrefix:SmartCardEnforcement` can be set in the user's Open Directory record. The following values can be set: + + * 0 - The system default is respected. + * 1 - Smartcard enforcement is enabled. + * 2 - Smartcard enforcement is disabled. + + NOTE: In Active Directory environments, the value of the `userAccountControl` attribute is respected. + + Run the following command to set the exemption when booted from macOS: + [source,bash] + ---- + /usr/bin/dscl . -append /Users/ SmartCardEnforcement 2 + ---- + + Run the following command to set the exemption when booted from Recovery: + [source,bash] + ---- + /usr/bin/defaults write /Volumes/Macintosh\ HD/var/db/dslocal/nodes/Default/users/ SmartCardEnforcement -array-add 2 + ---- + NOTE: When booted to recovery on an Apple Silicon Mac, run the following after setting the exemption. + `/usr/sbin/diskutil apfs updatePreboot /Volumes/Macintosh\ HD` + + [discrete] + ===== Temporary Exemption + + On an Apple Silicon Mac, if a temporary exemption is needed, `security filevault skip-sc-enforcement` will disable smartcard enforcement on next boot only. 
+ + Run the following command to set the temporary exemption when booted from Recovery: + [source,bash] + ---- + /usr/bin/security filevault skip-sc-enforcement set + ---- + + To obtain the `data volume UUID` run the following: + [source,bash] + ---- + /usr/sbin/diskutil apfs listGroups | /usr/bin/awk -F: '/ Data/ { getline; gsub(/ /,""); print $2}' + ---- + [discrete] ==== Pluggable Authentication Module (PAM) - Terminal sessions in macOS can be configured for smartcard enforcement by modifying the PAM modules for sudo, su, and login. + Terminal sessions in macOS can be configured for smartcard enforcement by modifying the PAM modules for `sudo`, `su`, and `login`. [source,bash] ---- @@ -224,6 +269,8 @@ fix: | references: cci: - N/A + 800-53r5: + - N/A 800-53r4: - N/A srg: diff --git a/rules/sysprefs/sysprefs_afp_disable.yaml b/rules/sysprefs/sysprefs_afp_disable.yaml deleted file mode 100644 index 57c913f7..00000000 --- a/rules/sysprefs/sysprefs_afp_disable.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -id: sysprefs_afp_disable -title: "Disable Apple Filing Protocol Sharing" -discussion: | - If the system does not require Apple Filing Protocol (AFP) Sharing, support it is non-essential and _MUST_ be disabled. - - The information system _MUST_ be configured to provide only essential capabilities. Disabling AFP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. -check: | - /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.AppleFileServer" => true' -result: - integer: 1 -fix: | - [source,bash] - ---- - /bin/launchctl disable system/com.apple.AppleFileServer - ---- - The system may need to be restarted for the update to take effect. -references: - cce: - - CCE-85416-6 - cci: - - CCI-000381 - 800-53r4: - - AC-3 - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-11-002002 - 800-171r2: - - 3.1.1 - - 3.1.2 -macOS: - - "11.0" -tags: - - 800-171 - - cnssi-1253 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - -mobileconfig: false -mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml index 823bbb77..1aca90e2 100644 --- a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml +++ b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85418-2 cci: - CCI-000056 + 800-53r5: + - AC-11 800-53r4: - AC-11 srg: @@ -26,10 +28,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/rules/sysprefs/sysprefs_automatic_login_disable.yaml index 5ef40608..db0a07e5 100644 --- a/rules/sysprefs/sysprefs_automatic_login_disable.yaml +++ b/rules/sysprefs/sysprefs_automatic_login_disable.yaml 
@@ -15,6 +15,9 @@ references: - CCE-85419-0 cci: - CCI-000366 + 800-53r5: + - IA-2 + - IA-5(13) 800-53r4: - IA-2 - IA-5(13) @@ -28,11 +31,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml index 5a93e657..65646451 100644 --- a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml +++ b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml @@ -11,6 +11,8 @@ discussion: | ==== check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"com.apple.autologout.AutoLogOutDelay" = 86400' +result: + integer: 1 fix: | This is implemented by a Configuration Profile. references: @@ -18,6 +20,9 @@ references: - CCE-85424-0 cci: - CCI-002361 + 800-53r5: + - AC-12 + - AC-2(5) 800-53r4: - AC-12 disa_stig: @@ -29,11 +34,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: .GlobalPreferences: diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml index a1e908e7..22046f1e 100644 --- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml @@ -18,6 +18,10 @@ references: - CCE-85420-8 cci: - CCI-002418 + 800-53r5: + - AC-18 + - SC-8 + - AC-18(3) 800-53r4: - AC-18(3) - SC-8 @@ -30,10 +34,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_moderate + - 800-53r5_high + - 800-171 + - cnssi-1253 - stig severity: "low" mobileconfig: true 
diff --git a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml index 1047d9bb..d40bf1e7 100644 --- a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml @@ -27,15 +27,20 @@ references: - CCE-85421-6 cci: - N/A + 800-53r5: + - AC-3 + - AC-18(4) + - CM-7 + - CM-7(1) 800-53r4: - AC-3 - - AC-18 - AC-18(4) + - CM-7 - CM-7(1) srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - + - N/A 800-171r2: - 3.1.1 - 3.1.2 @@ -44,11 +49,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_content_caching_disable.yaml b/rules/sysprefs/sysprefs_content_caching_disable.yaml index 76cc3d9b..12842163 100644 --- a/rules/sysprefs/sysprefs_content_caching_disable.yaml +++ b/rules/sysprefs/sysprefs_content_caching_disable.yaml @@ -15,8 +15,12 @@ references: - CCE-85422-4 cci: - N/A + 800-53r5: + - CM-7 + - CM-7(1) 800-53r4: - CM-7 + - CM-7(1) srg: - N/A disa_stig: @@ -26,11 +30,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml new file mode 100644 index 00000000..12ce842c --- /dev/null +++ b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml 
@@ -0,0 +1,35 @@ +id: sysprefs_critical_update_install_enforce +title: "Enforce Critical Security Updates to be Installed" +discussion: | + Ensure that security updates are installed as soon as they are available from Apple. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'CriticalUpdateInstall = 1' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-85459-6 + cci: + - N/A + 800-53r5: + - SI-2 + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +mobileconfig: true +mobileconfig_info: + com.apple.SoftwareUpdate: + criticalUpdateInstall: true diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml index c52698da..42e83b20 100644 --- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml +++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml @@ -15,6 +15,10 @@ references: - CCE-85423-2 cci: - CCI-000382 + 800-53r5: + - SI-11 + - AC-20 + - SC-7(10) 800-53r4: - AC-20 - SI-11 @@ -27,11 +31,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_moderate + - 800-53r5_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_filevault_enforce.yaml b/rules/sysprefs/sysprefs_filevault_enforce.yaml index 5e310924..997ac86a 100644 --- a/rules/sysprefs/sysprefs_filevault_enforce.yaml +++ b/rules/sysprefs/sysprefs_filevault_enforce.yaml @@ -17,6 +17,9 @@ references: - CCI-001199 - CCI-002475 - CCI-002476 + 800-53r5: + - SC-28 + - SC-28(1) 800-53r4: - SC-28 - SC-28(1) 
@@ -31,10 +34,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_find_my_disable.yaml b/rules/sysprefs/sysprefs_find_my_disable.yaml index 490f79e1..3f010c09 100644 --- a/rules/sysprefs/sysprefs_find_my_disable.yaml +++ b/rules/sysprefs/sysprefs_find_my_disable.yaml @@ -17,8 +17,13 @@ references: - CCE-85426-5 cci: - N/A + 800-53r5: + - AC-20 + - CM-7 + - CM-7(1) 800-53r4: - CM-7 + - CM-7(1) - AC-20 srg: - SRG-OS-000095-GPOS-00049 @@ -31,11 +36,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml index 31fee32e..b2689de3 100644 --- a/rules/sysprefs/sysprefs_firewall_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_enable.yaml @@ -18,12 +18,19 @@ references: - CCE-85427-3 cci: - CCI-000366 + 800-53r5: + - AC-4 + - SC-7(12) + - CM-7 + - CM-7(1) + - SC-7 800-53r4: - AC-4 - AC-6(1) - AC-19 - SC-7 - CM-7 + - CM-7(1) - SC-7(12) srg: - SRG-OS-000480-GPOS-00232 @@ -40,11 +47,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_moderate + - 800-53r5_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml index 8093d962..2ffbbf72 100644 --- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml 
@@ -21,9 +21,15 @@ fix: | references: cce: - CCE-85428-1 + 800-53r5: + - CM-7 + - CM-7(1) + - SC-7(16) + - SC-7 800-53r4: - SC-7 - CM-7 + - CM-7(1) - SC-7(16) srg: - SRG-OS-000480-GPOS-00232 @@ -39,11 +45,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml index 4be5a3bc..d1e120a8 100644 --- a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml +++ b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml @@ -18,6 +18,11 @@ references: - CCE-85429-9 cci: - CCI-000366 + 800-53r5: + - CM-14 + - CM-5 + - SI-7(15) + - SI-7(1) 800-53r4: - CM-5(3) - CM-5 @@ -31,10 +36,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml index cb8f5515..7d414478 100644 --- a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml +++ b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml @@ -21,6 +21,9 @@ references: - CCE-85430-7 cci: - CCI-000366 + 800-53r5: + - CM-5 + - SI-7(15) 800-53r4: - CM-5 - SI-7(15) @@ -33,10 +36,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true 
diff --git a/rules/os/os_guest_access_smb_disable.yaml b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml similarity index 60% rename from rules/os/os_guest_access_smb_disable.yaml rename to rules/sysprefs/sysprefs_guest_access_smb_disable.yaml index 13467469..46de7a8f 100644 --- a/rules/os/os_guest_access_smb_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml @@ -1,18 +1,24 @@ -id: os_guest_access_smb_disable +id: sysprefs_guest_access_smb_disable title: "Disable Guest Access to Shared SMB Folders" discussion: | Guest access to shared Server Message Block (SMB) folders _MUST_ be disabled. Turning off guest access prevents anonymous users from accessing files shared via SMB. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AllowGuestAccess = 0' + /usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess result: - integer: 1 + boolean: 0 fix: | - This is implemented by a Configuration Profile. + [source,bash] + ---- + /usr/sbin/sysadminctl -smbGuestAccess off + ---- references: cce: - CCE-85319-2 + 800-53r5: + - AC-2(9) + - AC-2 800-53r4: - AC-2 - AC-2(9) @@ -28,12 +34,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high -mobileconfig: true -mobileconfig_info: - com.apple.smb.server: - AllowGuestAccess: false \ No newline at end of file + - 800-171 + - cnssi-1253 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_guest_account_disable.yaml b/rules/sysprefs/sysprefs_guest_account_disable.yaml similarity index 85% rename from rules/os/os_guest_account_disable.yaml rename to rules/sysprefs/sysprefs_guest_account_disable.yaml index 7142c169..6e91a4c4 100644 --- a/rules/os/os_guest_account_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_account_disable.yaml 
@@ -1,4 +1,4 @@ -id: os_guest_account_disable +id: sysprefs_guest_account_disable title: "Disable the Guest Account" discussion: | Guest access _MUST_ be disabled. @@ -15,6 +15,9 @@ references: - CCE-85320-0 cci: - CCI-001813 + 800-53r5: + - AC-2 + - AC-2(9) 800-53r4: - AC-2 - AC-2(9) @@ -28,11 +31,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "high" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_hot_corners_disable.yaml b/rules/sysprefs/sysprefs_hot_corners_disable.yaml index 809f15d2..13f509a5 100644 --- a/rules/sysprefs/sysprefs_hot_corners_disable.yaml +++ b/rules/sysprefs/sysprefs_hot_corners_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85431-5 cci: - CCI-000060 + 800-53r5: + - AC-11(1) 800-53r4: - AC-11(1) srg: @@ -26,10 +28,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml index f1595b3d..b2fa0834 100644 --- a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml +++ b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml @@ -15,8 +15,14 @@ references: - CCE-85432-3 cci: - N/A + 800-53r5: + - AC-20 + - CM-7 + - CM-7(1) + - SC-7(10) 800-53r4: - CM-7 + - CM-7(1) - AC-20 - SC-7(10) 800-171r2: @@ -25,11 +31,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.assistant.support: 
diff --git a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml index 27469bf4..8f0bdaf6 100644 --- a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml @@ -15,6 +15,9 @@ references: - CCE-85433-1 cci: - CCI-000381 + 800-53r5: + - AC-4 + - AC-20 800-53r4: - AC-4 - AC-20 @@ -28,11 +31,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_moderate + - 800-53r5_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_location_services_disable.yaml b/rules/sysprefs/sysprefs_location_services_disable.yaml index fbd49616..33c22ceb 100644 --- a/rules/sysprefs/sysprefs_location_services_disable.yaml +++ b/rules/sysprefs/sysprefs_location_services_disable.yaml @@ -18,8 +18,13 @@ references: - CCE-85434-9 cci: - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(1) + - SC-7(10) 800-53r4: - CM-7 + - CM-7(1) srg: - SRG-OS-000095-GPOS-00049 disa_stig: @@ -29,11 +34,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml index d984852b..d873e232 100644 --- a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml +++ b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml @@ -15,6 +15,8 @@ references: - CCE-85435-6 cci: - N/A + 800-53r5: + - IA-2 800-53r4: - IA-2 srg: 
@@ -27,11 +29,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.loginwindow: diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml index f6744458..f8635f9b 100644 --- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml +++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml @@ -17,6 +17,9 @@ fix: | references: cce: - CCE-85436-4 + 800-53r5: + - AC-3 + - AC-17 800-53r4: - AC-3 srg: @@ -31,10 +34,13 @@ references: macOS: - "11.0" tags: - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 mobileconfig: true mobileconfig_info: com.apple.preferences.sharing.SharingPrefsExtension: diff --git a/rules/sysprefs/sysprefs_password_hints_disable.yaml b/rules/sysprefs/sysprefs_password_hints_disable.yaml index af4d7969..24e1528d 100644 --- a/rules/sysprefs/sysprefs_password_hints_disable.yaml +++ b/rules/sysprefs/sysprefs_password_hints_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85437-2 cci: - CCI-000366 + 800-53r5: + - IA-6 800-53r4: - IA-6 srg: @@ -26,11 +28,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml index 008f0fee..2d01be7a 100644 --- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml +++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml 
@@ -15,9 +15,15 @@ references: - CCE-85438-0 cci: - N/A + 800-53r5: + - AC-20 + - CM-7 + - CM-7(1) + - SC-7(10) 800-53r4: - AC-20 - CM-7 + - CM-7(1) srg: - N/A disa_stig: @@ -28,12 +34,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high - + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.AdLib: diff --git a/rules/sysprefs/sysprefs_power_nap_disable.yaml b/rules/sysprefs/sysprefs_power_nap_disable.yaml index e5598161..0ce38d85 100644 --- a/rules/sysprefs/sysprefs_power_nap_disable.yaml +++ b/rules/sysprefs/sysprefs_power_nap_disable.yaml @@ -25,8 +25,12 @@ fix: | references: cce: - CCE-85439-8 + 800-53r5: + - CM-7 + - CM-7(1) 800-53r4: - CM-7 + - CM-7(1) disa_stig: - N/A srg: @@ -38,10 +42,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_rae_disable.yaml b/rules/sysprefs/sysprefs_rae_disable.yaml index 9f5dbf4b..97d4f216 100644 --- a/rules/sysprefs/sysprefs_rae_disable.yaml +++ b/rules/sysprefs/sysprefs_rae_disable.yaml @@ -20,6 +20,9 @@ references: - CCE-85440-6 cci: - CCI-000382 + 800-53r5: + - AC-3 + - AC-17 800-53r4: - AC-3 srg: @@ -32,11 +35,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml index 1fa797d1..9ff008ab 100644 --- a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml 
@@ -19,6 +19,9 @@ references: - CCE-85441-4 cci: - CCI-000366 + 800-53r5: + - AC-3 + - AC-17 800-53r4: - AC-3 - AC-17 @@ -32,11 +35,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml index c7db4ff9..c82f8877 100644 --- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml @@ -15,6 +15,8 @@ references: - CCE-85442-2 cci: - CCI-000056 + 800-53r5: + - AC-11 800-53r4: - AC-11 srg: @@ -26,14 +28,15 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true mobileconfig_info: com.apple.screensaver: - askForPasswordDelay: 5 - + askForPasswordDelay: 5 \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml index 740a13b0..b90c212c 100644 --- a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml @@ -15,6 +15,8 @@ references: - CCE-85443-0 cci: - CCI-000056 + 800-53r5: + - AC-11 800-53r4: - AC-11 srg: @@ -26,13 +28,15 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true mobileconfig_info: com.apple.screensaver: - askForPassword: true + askForPassword: true \ No newline at end of file 
diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml index 4ac2818a..3099fb6b 100644 --- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml @@ -1,13 +1,13 @@ id: sysprefs_screensaver_timeout_enforce title: "Enforce Screen Saver Timeout" discussion: | - The screen saver timeout _MUST_ be set to 15 minutes. + The screen saver timeout _MUST_ be set to 15 minutes or a shorter length of time. - This rule ensures that a full session lock is triggered after 15 minutes of inactivity. + This rule ensures that a full session lock is triggered within no more than 15 minutes of inactivity. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'idleTime = 900' + /usr/bin/profiles -P -o stdout | /usr/bin/egrep -o -e "idleTime\s=\s([^;]+)" | /usr/bin/awk '{ if ($3 <= 900) {print "Yes"} else {print "No"}}' result: - integer: 1 + string: "Yes" fix: | This is implemented by a Configuration Profile. references: @@ -15,6 +15,9 @@ references: - CCE-85444-8 cci: - CCI-000057 + 800-53r5: + - AC-11 + - IA-11 800-53r4: - AC-11 srg: @@ -26,10 +29,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r5_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_siri_disable.yaml b/rules/sysprefs/sysprefs_siri_disable.yaml index b421e57c..44f544fc 100644 --- a/rules/sysprefs/sysprefs_siri_disable.yaml +++ b/rules/sysprefs/sysprefs_siri_disable.yaml @@ -16,8 +16,14 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - CM-7 + - CM-7(1) + - SC-7(10) 800-53r4: - CM-7 + - CM-7(1) - AC-20 srg: - SRG-OS-000095-GPOS-00049 
@@ -30,11 +36,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_smbd_disable.yaml b/rules/sysprefs/sysprefs_smbd_disable.yaml index e468b930..57d4d4f0 100644 --- a/rules/sysprefs/sysprefs_smbd_disable.yaml +++ b/rules/sysprefs/sysprefs_smbd_disable.yaml @@ -19,6 +19,9 @@ references: - CCE-85446-3 cci: - CCI-000381 + 800-53r5: + - AC-3 + - AC-17 800-53r4: - AC-3 srg: @@ -31,11 +34,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_ssh_disable.yaml b/rules/sysprefs/sysprefs_ssh_disable.yaml index 80b9f859..8e11e81c 100644 --- a/rules/sysprefs/sysprefs_ssh_disable.yaml +++ b/rules/sysprefs/sysprefs_ssh_disable.yaml @@ -18,9 +18,16 @@ references: - CCE-85447-1 cci: - N/A + 800-53r5: + - IA-2(8) + - AC-3 + - CM-7 + - CM-7(1) + - AC-17 800-53r4: - AC-3 - CM-7 + - CM-7(1) - IA-2(8) - IA-2(9) srg: @@ -44,11 +51,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_ssh_enable.yaml b/rules/sysprefs/sysprefs_ssh_enable.yaml index b8307ae5..8bf947ca 100644 --- a/rules/sysprefs/sysprefs_ssh_enable.yaml +++ b/rules/sysprefs/sysprefs_ssh_enable.yaml 
@@ -3,48 +3,27 @@ title: "Enable SSH Server for Remote Access Sessions" discussion: | Remote access sessions _MUST_ use encrypted methods to protect unauthorized individuals from gaining access. check: | - /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => true' + /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => false' result: integer: 1 fix: | [source,bash] ---- - /bin/launchctl disable system/com.openssh.sshd + /bin/launchctl enable system/com.openssh.sshd ---- references: cce: - CCE-85447-1 cci: - - CCI-001941 - - CCI-001942 - - CCI-002890 - - CCI-002420 - - CCI-002421 - - CCI-002422 - - CCI-003123 - - CCI-001453 - - CCI-000068 - - CCI-002418 + - N/A + 800-53r5: + - N/A 800-53r4: - N/A srg: - - SRG-OS-000393-GPOS-00173 - - SRG-OS-000394-GPOS-00174 - - SRG-OS-000112-GPOS-00057 - - SRG-OS-000113-GPOS-00058 - - SRG-OS-000033-GPOS-00014 - - SRG-OS-000423-GPOS-00187 - - SRG-OS-000424-GPOS-00188 - - SRG-OS-000425-GPOS-00189 - - SRG-OS-000426-GPOS-00190 - - SRG-OS-000033-GPOS-00014 - - SRG-OS-000250-GPOS-00093 + - N/A disa_stig: - - APPL-11-000040 - - APPL-11-004011 - - APPL-11-004010 - - APPL-11-000011 - - APPL-11-000010 + - N/A 800-171r2: - N/A macOS: diff --git a/rules/os/os_system_wide_preferences_configure.yaml b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml similarity index 90% rename from rules/os/os_system_wide_preferences_configure.yaml rename to rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml index d1e84f47..cfcbbd42 100644 --- a/rules/os/os_system_wide_preferences_configure.yaml +++ b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml 
@@ -1,4 +1,4 @@ -id: os_system_wide_preferences_configure +id: sysprefs_system_wide_preferences_configure title: "Require Administrator Password to Modify System-Wide Preferences" discussion: | The system _MUST_ be configured to require an administrator password in order to modify the system-wide preferences in System Preferences. @@ -18,6 +18,10 @@ fix: | references: cce: - CCE-85389-5 + 800-53r5: + - AC-6 + - AC-6(2) + - AC-6(1) 800-53r4: - AC-6 - AC-6(1) @@ -34,10 +38,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_time_server_configure.yaml b/rules/sysprefs/sysprefs_time_server_configure.yaml index 423e7be2..5aaae6e6 100644 --- a/rules/sysprefs/sysprefs_time_server_configure.yaml +++ b/rules/sysprefs/sysprefs_time_server_configure.yaml @@ -16,6 +16,9 @@ references: cci: - CCI-001891 - CCI-002046 + 800-53r5: + - AU-12(1) + - SC-45(1) 800-53r4: - AU-8(1) srg: @@ -30,6 +33,9 @@ macOS: tags: - 800-171 - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - stig diff --git a/rules/sysprefs/sysprefs_time_server_enforce.yaml b/rules/sysprefs/sysprefs_time_server_enforce.yaml index e723a7f1..23f8b588 100644 --- a/rules/sysprefs/sysprefs_time_server_enforce.yaml +++ b/rules/sysprefs/sysprefs_time_server_enforce.yaml @@ -16,6 +16,9 @@ references: cci: - CCI-001891 - CCI-002046 + 800-53r5: + - AU-12(1) + - SC-45(1) 800-53r4: - AU-8(1) srg: @@ -30,6 +33,9 @@ macOS: tags: - 800-171 - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - stig diff --git a/rules/sysprefs/sysprefs_token_removal_enforce.yaml b/rules/sysprefs/sysprefs_token_removal_enforce.yaml index 661181b0..83fa14cc 100644 --- a/rules/sysprefs/sysprefs_token_removal_enforce.yaml 
+++ b/rules/sysprefs/sysprefs_token_removal_enforce.yaml @@ -20,6 +20,8 @@ references: - CCE-85450-5 cci: - CCI-000058 + 800-53r5: + - AC-11 800-53r4: - AC-11 srg: @@ -31,10 +33,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml index f7a861fb..70e2cd96 100644 --- a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml +++ b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml @@ -17,6 +17,8 @@ references: - CCE-85451-3 cci: - CCI-000056 + 800-53r5: + - AC-11 800-53r4: - AC-11 srg: @@ -28,11 +30,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/sysprefs/sysprefs_wifi_disable.yaml b/rules/sysprefs/sysprefs_wifi_disable.yaml index 1842389a..c691eb6c 100644 --- a/rules/sysprefs/sysprefs_wifi_disable.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable.yaml 
@@ -1,7 +1,7 @@ id: sysprefs_wifi_disable title: "Disable Wi-Fi Interface" discussion: | - The macOS system must be configured with Wi-Fi support software disabled. + The macOS system must be configured with Wi-Fi support software disabled if not connected to an authorized trusted network. Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Since wireless communications can be intercepted it is necessary to use encryption to protect the confidentiality of information in transit.Wireless technologies include for example microwave packet radio (UHF/VHF) 802.11x and Bluetooth. Wireless networks use authentication protocols (e.g. EAP/TLS PEAP) which provide credential protection and mutual authentication. @@ -11,12 +11,21 @@ check: | result: integer: 1 fix: | + To disable Wi-Fi on a macOS system, run the following command. + [source,bash] + ---- /usr/sbin/networksetup -setnetworkserviceenabled "Wi-Fi" off + ---- references: cce: - - N/A + - CCE-85473-7 cci: - N/A + 800-53r5: + - AC-4 + - AC-18 + - AC-18(1) + - AC-18(3) 800-53r4: - AC-4 - AC-18(1) @@ -33,6 +42,14 @@ macOS: - "11.0" tags: - stig + - manual + - cnssi-1253 + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml b/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml index f7b063ba..f27b095a 100644 --- a/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml @@ -15,6 +15,10 @@ references: - CCE-85452-1 cci: - N/A + 800-53r5: + - AC-4 + - AC-18(1) + - AC-18(3) 800-53r4: - AC-4 - AC-18(1) 
@@ -29,10 +33,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - permanent mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py index 876d7687..228dac46 100755 --- a/scripts/generate_baseline.py +++ b/scripts/generate_baseline.py 
@@ -46,19 +46,62 @@ class MacSecurityRule(): return rule_adoc -def get_rule_yaml(rule_file): +def get_rule_yaml(rule_file, custom=False): """ Takes a rule file, checks for a custom version, and returns the yaml for the rule """ - if os.path.basename(rule_file) in glob.glob1('../custom/rules/', '*.yaml'): - #print(f"Custom settings found for rule: {rule_file}") - override_rule = os.path.join( - '../custom/rules', os.path.basename(rule_file)) - with open(override_rule) as r: + resulting_yaml = {} + names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)] + file_name = os.path.basename(rule_file) + # if file_name in names: + # print(f"Custom settings found for rule: {rule_file}") + # try: + # override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + # except IndexError: + # override_path = glob.glob('../custom/rules/{}'.format(file_name), recursive=True)[0] + # with open(override_path) as r: + # rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + # r.close() + # else: + # with open(rule_file) as r: + # rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + # r.close() + if custom: + print(f"Custom settings found for rule: {rule_file}") + try: + override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + except IndexError: + override_path = glob.glob('../custom/rules/{}'.format(file_name), recursive=True)[0] + with open(override_path) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) else: with open(rule_file) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) - return rule_yaml + + try: + og_rule_path = glob.glob('../rules/**/{}'.format(file_name), recursive=True)[0] + except IndexError: + #assume this is a completely new rule + og_rule_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + + # get original/default rule yaml for comparison + with open(og_rule_path) as og: + og_rule_yaml = yaml.load(og, Loader=yaml.SafeLoader) + og.close() + 
+ for yaml_field in og_rule_yaml: + try: + if og_rule_yaml[yaml_field] == rule_yaml[yaml_field]: + resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] + else: + resulting_yaml[yaml_field] = rule_yaml[yaml_field] + if 'customized' in resulting_yaml: + resulting_yaml['customized'].append("customized {}".format(yaml_field)) + else: + resulting_yaml['customized'] = ["customized {}".format(yaml_field)] + except KeyError: + resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] + + return resulting_yaml def collect_rules(): """Takes a baseline yaml file and parses the rules, returns a list of containing rules @@ -84,8 +127,7 @@ def collect_rules(): for rule in glob.glob('../rules/**/*.yaml',recursive=True) + glob.glob('../custom/rules/**/*.yaml',recursive=True): - rule_yaml = get_rule_yaml(rule) - + rule_yaml = get_rule_yaml(rule, custom=False) for key in keys: try: rule_yaml[key] @@ -97,7 +139,7 @@ def collect_rules(): try: rule_yaml[key][reference] except: - #print "expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule) + #print("expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule)) rule_yaml[key].update({reference: ["None"]}) all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\|'), @@ -156,9 +198,6 @@ def get_controls(all_rules): all_controls.append(control) all_controls.sort() - - # for control in all_controls: - # print(control) return all_controls @@ -174,7 +213,7 @@ def available_tags(all_rules): for tag in all_tags: if tag not in available_tags: available_tags.append(tag) - + available_tags.append("all_rules") available_tags.sort() for tag in available_tags: @@ -304,7 +343,7 @@ def main(): found_rules = [] for rule in all_rules: - if args.keyword in rule.rule_tags or args.keyword == "all": + if args.keyword in rule.rule_tags or args.keyword == "all_rules": found_rules.append(rule) # assume all baselines will contain the supplemental rules if "supplemental" in rule.rule_tags: 
diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index f831312e..4f657002 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -23,7 +23,7 @@ from collections import namedtuple class MacSecurityRule(): - def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, custom_refs, tags, result_value, mobileconfig, mobileconfig_info): + def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, custom_refs, tags, result_value, mobileconfig, mobileconfig_info, customized): self.rule_title = title self.rule_id = rule_id self.rule_severity = severity @@ -32,7 +32,7 @@ class MacSecurityRule(): self.rule_fix = fix self.rule_cci = cci self.rule_cce = cce - self.rule_80053r4 = nist_controls + self.rule_80053r5 = nist_controls self.rule_800171 = nist_171 self.rule_disa_stig = disa_stig self.rule_srg = srg @@ -41,6 +41,7 @@ class MacSecurityRule(): self.rule_tags = tags self.rule_mobileconfig = mobileconfig self.rule_mobileconfig_info = mobileconfig_info + self.rule_customized = customized def create_asciidoc(self, adoc_rule_template): """Pass an AsciiDoc template as file object to return formatted AsciiDOC""" @@ -53,7 +54,7 @@ class MacSecurityRule(): rule_check=self.rule_check, rule_fix=self.rule_fix, rule_cci=self.rule_cci, - rule_80053r4=self.rule_80053r4, + rule_80053r5=self.rule_80053r5, rule_disa_stig=self.rule_disa_stig, rule_srg=self.rule_srg, rule_result=self.rule_result_value 
@@ -389,7 +390,7 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign for sections in baseline_yaml['profile']: for profile_rule in sections['rules']: for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): - rule_yaml = get_rule_yaml(rule) + rule_yaml = get_rule_yaml(rule, False) if rule_yaml['mobileconfig']: for payload_type, info in rule_yaml['mobileconfig_info'].items(): @@ -659,23 +660,41 @@ read_options(){{ esac }} -generate_report(){{ - non_compliant=0 +# Generate the Compliant and Non-Compliant counts. Returns: Array (Compliant, Non-Compliant) +compliance_count(){{ compliant=0 + non_compliant=0 results=$(/usr/libexec/PlistBuddy -c "Print" /Library/Preferences/org.{baseline_name}.audit.plist) - + while IFS= read -r line; do - if [[ "$line" =~ "finding" ]];then - if [[ "$line" =~ "true" ]]; then - non_compliant=$((non_compliant+1)) - fi - if [[ "$line" =~ "false" ]]; then - compliant=$((compliant+1)) - fi + if [[ "$line" =~ "false" ]]; then + compliant=$((compliant+1)) + fi + if [[ "$line" =~ "true" ]]; then + non_compliant=$((non_compliant+1)) fi - done <<< "$results" + + # Enable output of just the compliant or non-compliant numbers. + if [[ $1 = "compliant" ]] + then + echo $compliant + elif [[ $1 = "non-compliant" ]] + then + echo $non_compliant + else # no matching args output the array + array=($compliant $non_compliant) + echo ${{array[@]}} + fi +}} + + +generate_report(){{ + count=($(compliance_count)) + compliant=${{count[1]}} + non_compliant=${{count[2]}} + total=$((non_compliant + compliant)) percentage=$(printf %.2f $(( compliant * 100. / total )) ) echo 
@@ -695,6 +714,17 @@ view_report(){{ fi }} +# Designed for use with MDM - single unformatted output of the Compliance Report +generate_stats(){{ + count=($(compliance_count)) + compliant=${{count[1]}} + non_compliant=${{count[2]}} + + total=$((non_compliant + compliant)) + percentage=$(printf %.2f $(( compliant * 100. / total )) ) + echo "PASSED: $compliant FAILED: $non_compliant, $percentage percent compliant!" +}} + run_scan(){{ # append to existing logfile if [[ $(/usr/bin/tail -n 1 "$audit_log" 2>/dev/null) = *"Remediation complete" ]]; then @@ -720,13 +750,15 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)" logging.debug(f"checking for rule file for {profile_rule}") if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0] + custom=True logging.debug(f"{rule}") elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)): rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0] + custom=False logging.debug(f"{rule}") #for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): - rule_yaml = get_rule_yaml(rule) + rule_yaml = get_rule_yaml(rule, custom) if rule_yaml['id'].startswith("supplemental"): continue @@ -734,11 +766,11 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)" continue # grab the 800-53 controls try: - rule_yaml['references']['800-53r4'] + rule_yaml['references']['800-53r5'] except KeyError: - nist_80053r4 = 'N/A' + nist_80053r5 = 'N/A' else: - nist_80053r4 = rule_yaml['references']['800-53r4'] + nist_80053r5 = rule_yaml['references']['800-53r5'] #try: # rule_yaml['references']['disa_stig'] 
@@ -778,12 +810,15 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)" # group the controls - nist_80053r4.sort() - res = [list(i) for j, i in groupby( - nist_80053r4, lambda a: a.split('(')[0])] - nist_controls = '' - for i in res: - nist_controls += group_ulify(i) + if not nist_80053r5 == "N/A": + nist_80053r5.sort() + res = [list(i) for j, i in groupby( + nist_80053r5, lambda a: a.split('(')[0])] + nist_controls = '' + for i in res: + nist_controls += group_ulify(i) + else: + nist_controls = "N/A" # print checks and result try: @@ -933,14 +968,18 @@ if (( # >= 2));then exit 1 fi -zparseopts -D -E -check=check -fix=fix -configure=configure +zparseopts -D -E -check=check -fix=fix -stats=stats -compliant=compliant -non_compliant=non_compliant if [[ $check ]];then run_scan elif [[ $fix ]];then run_fix -elif [[ $configure ]];then - run_configure +elif [[ $stats ]];then + generate_stats +elif [[ $compliant ]];then + compliance_count "compliant" +elif [[ $non_compliant ]];then + compliance_count "non-compliant" else while true; do show_menus 
@@ -964,12 +1003,26 @@ fi #fix_script_file.close() compliance_script_file.close() -def get_rule_yaml(rule_file): +def get_rule_yaml(rule_file, custom=False): """ Takes a rule file, checks for a custom version, and returns the yaml for the rule """ + resulting_yaml = {} names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)] file_name = os.path.basename(rule_file) - if file_name in names: + # if file_name in names: + # print(f"Custom settings found for rule: {rule_file}") + # try: + # override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + # except IndexError: + # override_path = glob.glob('../custom/rules/{}'.format(file_name), recursive=True)[0] + # with open(override_path) as r: + # rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + # r.close() + # else: + # with open(rule_file) as r: + # rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + # r.close() + if custom: print(f"Custom settings found for rule: {rule_file}") try: override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] 
@@ -980,7 +1033,58 @@ def get_rule_yaml(rule_file): else: with open(rule_file) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) - return rule_yaml + + try: + og_rule_path = glob.glob('../rules/**/{}'.format(file_name), recursive=True)[0] + except IndexError: + #assume this is a completely new rule + og_rule_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + resulting_yaml['customized'] = ["customized rule"] + + # get original/default rule yaml for comparison + with open(og_rule_path) as og: + og_rule_yaml = yaml.load(og, Loader=yaml.SafeLoader) + + for yaml_field in og_rule_yaml: + #print('processing field {} for rule {}'.format(yaml_field, file_name)) + if yaml_field == "references": + if not 'references' in resulting_yaml: + resulting_yaml['references'] = {} + for ref in og_rule_yaml['references']: + try: + if og_rule_yaml['references'][ref] == rule_yaml['references'][ref]: + resulting_yaml['references'][ref] = og_rule_yaml['references'][ref] + else: + resulting_yaml['references'][ref] = rule_yaml['references'][ref] + except KeyError: + # reference not found in original rule yaml, trying to use reference from custom rule + try: + resulting_yaml['references'][ref] = rule_yaml['references'][ref] + except KeyError: + resulting_yaml['references'][ref] = og_rule_yaml['references'][ref] + if "custom" in rule_yaml['references']: + resulting_yaml['references']['custom'] = rule_yaml['references']['custom'] + if 'customized' in resulting_yaml: + resulting_yaml['customized'].append("customized references") + else: + resulting_yaml['customized'] = ["customized references"] + + else: + try: + if og_rule_yaml[yaml_field] == rule_yaml[yaml_field]: + #print("using default data in yaml field {}".format(yaml_field)) + resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] + else: + #print('using CUSTOM value for yaml field {} in rule {}'.format(yaml_field, file_name)) + resulting_yaml[yaml_field] = rule_yaml[yaml_field] + if 'customized' in 
resulting_yaml: + resulting_yaml['customized'].append("customized {}".format(yaml_field)) + else: + resulting_yaml['customized'] = ["customized {}".format(yaml_field)] + except KeyError: + resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] + + return resulting_yaml def generate_xls(baseline_name, build_path, baseline_yaml): @@ -1004,7 +1108,8 @@ def generate_xls(baseline_name, build_path, baseline_yaml): top = xlwt.easyxf("align: vert top") headers = xlwt.easyxf("font: bold on") counter = 1 - column_counter = 13 + column_counter = 14 + custom_ref_column = {} sheet1.write(0, 0, "CCE", headers) sheet1.write(0, 1, "Rule ID", headers) sheet1.write(0, 2, "Title", headers) @@ -1013,11 +1118,12 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(0, 5, "Check", headers) sheet1.write(0, 6, "Check Result", headers) sheet1.write(0, 7, "Fix", headers) - sheet1.write(0, 8, "800-53r4", headers) + sheet1.write(0, 8, "800-53r5", headers) sheet1.write(0, 9, "800-171", headers) sheet1.write(0, 10, "SRG", headers) sheet1.write(0, 11, "DISA STIG", headers) sheet1.write(0, 12, "CCI", headers) + sheet1.write(0, 13, "Modifed Rule", headers) sheet1.set_panes_frozen(True) sheet1.set_horz_split_pos(1) sheet1.set_vert_split_pos(2) @@ -1069,7 +1175,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.col(7).width = 1000 * 50 baseline_refs = ( - str(rule.rule_80053r4)).strip('[]\'') + str(rule.rule_80053r5)).strip('[]\'') baseline_refs = baseline_refs.replace(", ", "\n").replace("\'", "") sheet1.write(counter, 8, baseline_refs, topWrap) 
@@ -1100,14 +1206,23 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(counter, 12, cci, topWrap) sheet1.col(12).width = 400 * 15 + customized = (str(rule.rule_customized)).strip('[]\'') + customized = customized.replace(", ", "\n").replace("\'", "") + + sheet1.write(counter, 13, customized, topWrap) + sheet1.col(13).width = 400 * 15 + if rule.rule_custom_refs != ['None']: for title, ref in rule.rule_custom_refs.items(): - sheet1.write(0, column_counter, title, headers ) - sheet1.col(column_counter).width = 512 * 25 + if title not in custom_ref_column: + custom_ref_column[title] = column_counter + column_counter = column_counter + 1 + sheet1.write(0, custom_ref_column[title], title, headers) + sheet1.col(custom_ref_column[title]).width = 512 * 25 added_ref = (str(ref)).strip('[]\'') added_ref = added_ref.replace(", ", "\n").replace("\'", "") - sheet1.write(counter, column_counter, added_ref, topWrap) - column_counter = column_counter + 1 + sheet1.write(counter, custom_ref_column[title], added_ref, topWrap) + tall_style = xlwt.easyxf('font:height 640;') # 36pt @@ -1132,11 +1247,12 @@ def create_rules(baseline_yaml): 'id', 'references', 'result', - 'discussion'] + 'discussion', + 'customized'] references = ['disa_stig', 'cci', 'cce', - '800-53r4', + '800-53r5', '800-171r2', 'srg', 'custom'] 
@@ -1146,24 +1262,27 @@ def create_rules(baseline_yaml): for profile_rule in sections['rules']: if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0] + custom=True elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)): rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0] + custom=False #for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): - rule_yaml = get_rule_yaml(rule) + rule_yaml = get_rule_yaml(rule, custom) for key in keys: try: rule_yaml[key] except: - #print "{} key missing ..for {}".format(key, rule) - rule_yaml.update({key: "missing"}) + #print("{} key missing ..for {}".format(key, rule)) + rule_yaml.update({key: ""}) if key == "references": for reference in references: try: rule_yaml[key][reference] + #print("FOUND reference {} for key {} for rule {}".format(reference, key, rule)) except: - #print "expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule) + #print("expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule)) rule_yaml[key].update({reference: ["None"]}) all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\|'), rule_yaml['id'].replace('|', '\|'), @@ -1173,7 +1292,7 @@ def create_rules(baseline_yaml): rule_yaml['fix'].replace('|', '\|'), rule_yaml['references']['cci'], rule_yaml['references']['cce'], - rule_yaml['references']['800-53r4'], + rule_yaml['references']['800-53r5'], rule_yaml['references']['800-171r2'], rule_yaml['references']['disa_stig'], rule_yaml['references']['srg'], @@ -1181,7 +1300,8 @@ def create_rules(baseline_yaml): rule_yaml['tags'], rule_yaml['result'], rule_yaml['mobileconfig'], - rule_yaml['mobileconfig_info'] + rule_yaml['mobileconfig_info'], + rule_yaml['customized'] )) return all_rules 
@@ -1436,7 +1556,7 @@ def main(): section_yaml_file = sections['section'].lower() + '.yaml' #check for custom section if section_yaml_file in glob.glob1('../custom/sections/', '*.yaml'): - print(f"Custom settings found for section: {sections['section']}") + #print(f"Custom settings found for section: {sections['section']}") override_section = os.path.join( f'../custom/sections/{section_yaml_file}') with open(override_section) as r: @@ -1467,16 +1587,17 @@ def main(): except IndexError: logging.debug(f'defined rule {rule} does not have valid yaml file, check that rule ID and filename match.') - #check for custom rule if glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True): print(f"Custom settings found for rule: {rule_file}") - override_rule = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0] - with open(override_rule) as r: - rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + #override_rule = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0] + rule_location = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0] + custom=True else: - with open(rule_path[0]) as r: - rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + rule_location = rule_path[0] + custom=False + + rule_yaml = get_rule_yaml(rule_location, custom) # Determine if the references exist and set accordingly try: 
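Review bot: in the rule-loading hunk of main() the commented-out override_rule line duplicates the live rule_location assignment and should be dropped rather than kept as dead code, and the commented-out "Custom settings found for section" print in the previous hunk should become logging.debug (the same function already uses logging.debug a few lines later) instead of a comment. Also, the else branch still does rule_location = rule_path[0] directly after the except IndexError handler that only logs "does not have valid yaml file"; if that handler does not leave the loop, a misnamed rule raises a second, uncaught IndexError here, so continue after the logging.debug.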
@@ -1489,37 +1610,37 @@ def main(): try: rule_yaml['references']['cce'] except KeyError: - cce = 'N/A' + cce = '- N/A' else: cce = ulify(rule_yaml['references']['cce']) try: - rule_yaml['references']['800-53r4'] + rule_yaml['references']['800-53r5'] except KeyError: - nist_80053r4 = 'N/A' + nist_80053r5 = 'N/A' else: - #nist_80053r4 = ulify(rule_yaml['references']['800-53r4']) - nist_80053r4 = rule_yaml['references']['800-53r4'] + #nist_80053r5 = ulify(rule_yaml['references']['800-53r5']) + nist_80053r5 = rule_yaml['references']['800-53r5'] try: rule_yaml['references']['800-171r2'] except KeyError: - nist_800171 = '• N/A' + nist_800171 = '- N/A' else: - #nist_80053r4 = ulify(rule_yaml['references']['800-53r4']) + #nist_80053r5 = ulify(rule_yaml['references']['800-53r5']) nist_800171 = ulify(rule_yaml['references']['800-171r2']) try: rule_yaml['references']['disa_stig'] except KeyError: - disa_stig = 'N/A' + disa_stig = '- N/A' else: disa_stig = ulify(rule_yaml['references']['disa_stig']) try: rule_yaml['references']['srg'] except KeyError: - srg = 'N/A' + srg = '- N/A' else: srg = ulify(rule_yaml['references']['srg']) @@ -1572,12 +1693,16 @@ def main(): rule_yaml['mobileconfig_info']) # process nist controls for grouping - nist_80053r4.sort() - res = [list(i) for j, i in groupby( - nist_80053r4, lambda a: a.split('(')[0])] - nist_controls = '' - for i in res: - nist_controls += group_ulify(i) + if not nist_80053r5 == "N/A": + nist_80053r5.sort() + res = [list(i) for j, i in groupby( + nist_80053r5, lambda a: a.split('(')[0])] + nist_controls = '' + for i in res: + nist_controls += group_ulify(i) + else: + nist_controls = "- N/A" + if 'supplemental' in tags: rule_adoc = adoc_supplemental_template.substitute( rule_title=rule_yaml['title'].replace('|', '\|'), 
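Review bot: the missing-reference sentinels are now '- N/A' for cce, 800-171r2, disa_stig and srg but plain 'N/A' for nist_80053r5, and the grouping hunk depends on that exact string (if not nist_80053r5 == "N/A"); a later consistency edit to '- N/A' would send a str into nist_80053r5.sort() and crash. Use None as the sentinel and test if nist_80053r5 is not None, or at least write nist_80053r5 != "N/A" instead of not ... ==. Note too that nist_80053r5.sort() sorts the list inside rule_yaml in place; sorted(nist_80053r5) avoids mutating the loaded rule.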
@@ -1591,7 +1716,7 @@ def main(): rule_discussion=rule_yaml['discussion'].replace('|', '\|'), rule_check=rule_yaml['check'], # .replace('|', '\|'), rule_fix=rulefix, - rule_80053r4=nist_controls, + rule_80053r5=nist_controls, rule_800171=nist_800171, rule_disa_stig=disa_stig, rule_cce=cce, @@ -1602,11 +1727,11 @@ def main(): rule_adoc = adoc_rule_custom_refs_template.substitute( rule_title=rule_yaml['title'].replace('|', '\|'), rule_id=rule_yaml['id'].replace('|', '\|'), - rule_discussion=rule_yaml['discussion'].replace('|', '\|'), + rule_discussion=rule_yaml['discussion'],#.replace('|', '\|'), rule_check=rule_yaml['check'], # .replace('|', '\|'), rule_fix=rulefix, rule_cci=cci, - rule_80053r4=nist_controls, + rule_80053r5=nist_controls, rule_800171=nist_800171, rule_disa_stig=disa_stig, rule_cce=cce, @@ -1623,7 +1748,7 @@ def main(): rule_check=rule_yaml['check'], # .replace('|', '\|'), rule_fix=rulefix, rule_cci=cci, - rule_80053r4=nist_controls, + rule_80053r5=nist_controls, rule_800171=nist_800171, rule_disa_stig=disa_stig, rule_cce=cce, diff --git a/scripts/generate_mapping.py b/scripts/generate_mapping.py new file mode 100755 index 00000000..e84a2f1e --- /dev/null +++ b/scripts/generate_mapping.py 
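Review bot: in the adoc_rule_custom_refs_template hunk, rule_discussion=rule_yaml['discussion'],#.replace('|', '\|') drops the pipe escaping that the supplemental template hunk above still applies to rule_discussion; a discussion containing a literal | in a custom-refs rule would now be read as a cell separator by the surrounding AsciiDoc table. Either escape in all templates or add a comment explaining why the custom-refs path is exempt, rather than leaving the difference as a trailing commented call.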
@@ -0,0 +1,345 @@ +#!/usr/bin/env python3 + +import sys +import csv +import os +import io +import glob +import yaml +import re +import argparse +from pathlib import Path + +def sort_nicely( l ): +# """ Sort the given list in the way that humans expect. +# """ + convert = lambda text: int(text) if text.isdigit() else text + alphanum_key = lambda key: [ convert(c) for c in re.split('([0-9]+)', key) ] + l.sort( key=alphanum_key ) + + +def main(): + file_dir = os.path.dirname(os.path.abspath(__file__)) + + os.chdir(file_dir) + + nist_header = "" + other_header = "" + sub_directory = "" + def dir_path(string): + if os.path.isdir(string): + return string + else: + raise NotADirectoryError(string) + + home = str(Path.home()) + + parser = argparse.ArgumentParser(description='Easily generate custom rules from compliance framework mappings') + parser.add_argument("CSV", default=None, help="CSV to create custom rule files from a mapping.", type=argparse.FileType('rt')) + parser.add_argument("-f", "--framework", default="800-53r5", help="Specificy framework for the source. 
If no framework is specified, the default is 800-53r5.", action="store") + + try: + results = parser.parse_args() + print("Mapping CSV: " + results.CSV.name) + print("Source compliance framework: " + str(results.framework)) + + + except IOError as msg: + + parser.error(str(msg)) + + for rule in glob.glob('../rules/*/*.yaml'): + sub_directory = rule.split(".yaml")[0].split("/")[2] + + if "supplemental" in rule or "srg" in rule: + continue + + with open(rule) as r: + rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + + + control_array = [] + with open(results.CSV.name, newline='',encoding='utf-8-sig') as csvfile: + csv_reader = csv.DictReader(csvfile,dialect='excel') + modded_reader = csv_reader + dict_from_csv = dict(list(modded_reader)[0]) + + + list_of_column_names = list(dict_from_csv.keys()) + + + nist_header = list_of_column_names[1] + other_header = list_of_column_names[0] + + + + + with open(results.CSV.name, newline='',encoding='utf-8-sig') as csvfile: + reader = csv.DictReader(csvfile,dialect='excel') + + for row in reader: + + if results.framework != nist_header: + sys.exit(str(results.framework) + " not found in CSV") + + if "N/A" in row[nist_header]: + continue + + controls = row[nist_header].split(',') + + duplicate = "" + csv_duplicate = "" + for control in controls: + + try: + rule_yaml['references'] + + for yaml_control in rule_yaml['references'][results.framework]: + if duplicate == yaml_control.split("(")[0]: + continue + if csv_duplicate == str(row[other_header]): + continue + + if control.replace(" ",'') == yaml_control: + duplicate = yaml_control.split("(")[0] + csv_duplicate = str(row[other_header]) + row_array = str(row[other_header]).split(",") + for item in row_array: + control_array.append(item) + print(rule_yaml['id'] + " - " + str(results.framework) + " " + yaml_control + " maps to " + other_header + " " + item) + + except: + continue + + if len(control_array) == 0: + continue + + custom_rule = '''references: + custom: + 
{}:'''.format(other_header) + + for control in control_array: + custom_rule = custom_rule + ''' + - {}'''.format(control) + + custom_rule = custom_rule + ''' +tags: + - {}'''.format(other_header) + + if os.path.isdir("../build/" + other_header) == False: + os.mkdir("../build/" + other_header) + if os.path.isdir("../build/" + other_header + "/rules/") == False: + os.mkdir("../build/" + other_header + "/rules/") + if os.path.isdir("../build/" + other_header + "/rules/" + sub_directory) == False: + os.mkdir("../build/" + other_header + "/rules/" + sub_directory) + + try: + with open("../build/" + other_header + "/rules/" + sub_directory + "/" + rule_yaml['id'] + ".yaml", 'w') as r: + custom_yaml = r.read() + + custom_yaml = custom_yaml.replace(other_header + ": ", custom_rule) + with open("../build/" + other_header + "/rules/" + sub_directory + "/" + rule_yaml['id'] + ".yaml", 'w') as fw: + fw.write(custom_yaml) + except: + with open("../build/" + other_header + "/rules/" + sub_directory + "/" + rule_yaml['id'] + ".yaml", 'w') as fw: + fw.write(custom_rule) + + + for rule in glob.glob("../build/" + other_header + "/rules/*/*"): + if "supplemental" in rule or "srg" in rule: + continue + + with open(rule) as r: + custom_rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + othercontrols = [] + + if other_header in custom_rule_yaml['references']['custom']: + + for control in custom_rule_yaml['references']['custom'][other_header]: + + if str(control) in othercontrols: + continue + else: + + othercontrols.append(str(control)) + + sort_nicely(othercontrols) + + refs = " " + + custom_rule = '''references: + custom: + {}:'''.format(other_header) + + for control in othercontrols: + custom_rule = custom_rule + ''' + - {}'''.format(control) + + custom_rule = custom_rule + ''' +tags: + - {}'''.format(other_header) + + with open(rule, 'w') as rite: + rite.write(custom_rule) + + + audit = [] + auth = [] + icloud = [] + os_section = [] + pwpolicy = [] + sysprefs = [] + inherent = [] + 
na = [] + perm = [] + + for rule in glob.glob('../build/' + other_header + '/rules/*/*.yaml'): + if "supplemental" in rule or "srg" in rule or "baseline" in rule: + continue + + with open(rule) as r: + custom_rule = yaml.load(r, Loader=yaml.SafeLoader) + rule_id = rule.split(".yaml")[0].split("/")[5] + + + if other_header in custom_rule['tags']: + if "inherent" in rule_yaml['tags']: + inherent.append(rule_id) + continue + if "permanent" in custom_rule['tags']: + perm.append(rule_id) + continue + if "n_a" in custom_rule['tags']: + na.append(rule_id) + continue + + if "/audit/" in rule: + audit.append(rule_id) + + continue + if "/auth/" in rule: + auth.append(rule_id) + continue + if "/icloud/" in rule: + icloud.append(rule_id) + continue + if "/os/" in rule: + os_section.append(rule_id) + continue + if "/pwpolicy/" in rule: + pwpolicy.append(rule_id) + continue + if "/sysprefs/" in rule: + sysprefs.append(rule_id) + continue + + full_baseline = '''title: "macOS 11 (Big Sur): Security Configuration - {}" +description: | + This guide describes the actions to take when securing a macOS 11 system against the {}. 
+profile:'''.format(other_header,other_header) + + if len(audit) != 0: + + full_baseline = full_baseline + ''' + - section: "Auditing" + rules:''' + audit.sort() + + for rule in audit: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + if len(auth) != 0: + full_baseline = full_baseline + ''' + - section: "Authentication" + rules:''' + auth.sort() + + for rule in auth: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + if len(sysprefs) != 0: + full_baseline = full_baseline + ''' + - section: "SystemPreferences" + rules:''' + sysprefs.sort() + + for rule in sysprefs: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + if len(icloud) != 0: + full_baseline = full_baseline + ''' + - section: "iCloud" + rules:''' + icloud.sort() + for rule in icloud: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + if len(os_section) != 0: + full_baseline = full_baseline + ''' + - section: "macOS" + rules:''' + os_section.sort() + for rule in os_section: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + if len(pwpolicy) != 0: + full_baseline = full_baseline + ''' + - section: "PasswordPolicy" + rules:''' + pwpolicy.sort() + for rule in pwpolicy: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + if len(inherent) != 0: + full_baseline = full_baseline + ''' + - section: "Inherent" + rules:''' + inherent.sort() + for rule in inherent: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + if len(perm) != 0: + full_baseline = full_baseline + ''' + - section: "Permanent" + rules:''' + perm.sort() + for rule in perm: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + if len(na) != 0: + full_baseline = full_baseline + ''' + - section: "not_applicable" + rules:''' + na.sort() + for rule in na: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + full_baseline = full_baseline + ''' + - section: "Supplemental" + rules: + - supplemental_firewall_pf + - supplemental_password_policy 
+ - supplemental_smartcard + ''' + + + + + if os.path.isdir("../build/" + other_header.lower() + "/baseline/") == False: + os.mkdir("../build/" + other_header.lower() + "/baseline") + + with open("../build/" + other_header.lower() + "/baseline/" + other_header.lower() + ".yaml",'w') as fw: + fw.write(full_baseline) + print(other_header.lower() + ".yaml baseline file created in build/" + other_header + "/baseline/") + + print("Move all of the folders in rules into the custom folder.") +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/scripts/yaml-to-oval.py b/scripts/yaml-to-oval.py index 7aa526f1..f7a6d336 100755 --- a/scripts/yaml-to-oval.py +++ b/scripts/yaml-to-oval.py @@ -91,7 +91,13 @@ def main(): if "manual" in rule_yaml['tags']: print(rule_yaml['id'] + " - Manual Check") continue - + + if "newsyslog.conf" in rule_yaml['check'] or "asl.conf" in rule_yaml['check']: + print(rule_yaml['id'] + " - Manual Check Required") + continue + if "/usr/bin/pwpolicy getaccountpolicies" in rule_yaml['check']: + print(rule_yaml['id'] + " - pwpolicy getaccountpolicies - no relevant oval") + continue if "os_home_folders_secure" in rule_file: oval_definition = oval_definition + ''' @@ -843,6 +849,7 @@ def main(): '''.format(rule_yaml['id'],x,x,x) plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") + if "ByHost" in rule_yaml['fix'] or "currentHost" in rule_yaml['fix']: oval_object = oval_object + ''' @@ -890,7 +897,7 @@ def main(): else: - + check_length = len(rule_yaml['check'].split()) key = rule_yaml['check'].split()[check_length-1] @@ -910,6 +917,17 @@ def main(): '''.format(x,plist,x+999) + else: + if plist[-6:] != ".plist": + plist = plist + ".plist" + + plist_key = rule_yaml['check'].split(" ")[3].rstrip() + oval_object = oval_object + ''' + + {} + {} + 1 + '''.format(rule_yaml['id'],x,plist_key,plist) datatype = "" for key in rule_yaml['result']: 
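Review bot: in generate_mapping.py the inherent classification tests the wrong rule: if "inherent" in rule_yaml['tags'] uses rule_yaml, the variable left over from the first loop (the last rule loaded from ../rules), while the sibling permanent and n_a checks correctly use custom_rule['tags']; change it to custom_rule['tags']. The try block that opens the build rule file with open(..., 'w') as r and then calls r.read() truncates the file and raises (a write-mode handle is not readable), so the bare except always runs and the file is always overwritten; since the second pass over ../build/<header>/rules rewrites every file with deduplicated, sorted controls anyway, drop the try and write custom_rule directly. The build paths also disagree on case: rules go under "../build/" + other_header while the baseline goes under "../build/" + other_header.lower(), which yields two directories on a case-sensitive filesystem whenever the CSV header has capitals, and the closing print mixes both forms. Smaller points: dir_path, home, refs and import io are unused; "Specificy" in the --framework help; the CSV is opened and fully read twice per rule inside the rules loop, so the header detection and the results.framework != nist_header check belong before the loop; the bare except: continue around the reference matching hides a KeyError when results.framework is not a key of rule_yaml['references']; and custom_rule is used first as a YAML string and later as the loaded dict, which makes the final loop hard to follow.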
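Review bot: in the new else branch of yaml-to-oval.py (the @@ -910 hunk), plist_key = rule_yaml['check'].split(" ")[3].rstrip() assumes the key is always the fourth space-separated token of the check command and will silently pick a flag or path for any check written differently; at minimum guard the index and skip the rule with a message like the Manual Check cases added at the top of main(). The if plist[-6:] != ".plist" test is also always true in the visible code, because the earlier plist = ...replace(".plist","") already strips the suffix, so either the test is redundant or the earlier strip is; keep one.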
@@ -1103,8 +1121,8 @@ def main(): '''.format(x,rule_yaml['id'],x,x) - - if "-" in fix_command and "R" in fix_command: + + if "-" in fix_command and "R" in fix_command or rule_yaml['fix'].split("\n")[2][-1] == "*": behavior = '' if "audit" in rule_file: filename = 'current' @@ -1226,7 +1244,7 @@ def main(): state_test = state_test + ''' false false - true''' + false''' if perms[2] == "1": state_test = state_test + ''' false @@ -1314,20 +1332,36 @@ def main(): x += 1 continue if "awk" in command[3]: + awk_file = "" + awk_search = "" + field_sep = "" - awk_file = rule_yaml['check'].split("'")[2].strip(" ") - - awk_search = rule_yaml['check'].split("'")[1].split("/")[1] - field_sep = rule_yaml['check'].split("-F")[1].split(" ")[0].replace('\"',"") - - try: - - awk_result = rule_yaml['result']['string'] + if "grep -qE" in rule_yaml['fix']: + awk_file = rule_yaml['fix'].split(" ")[3].strip(" ") + awk_search = rule_yaml['fix'].split(" ")[2].strip("\"") - except: - - awk_result = str(rule_yaml['result']['integer']) + elif "grep" in rule_yaml['check']: + awk_file = rule_yaml['check'].split("|")[0].split(" ")[-2] + awk_search = rule_yaml['check'].split("|")[-1].split(" ")[-2].strip("\'") + + else: + awk_file = rule_yaml['check'].split("'")[2].strip(" ") + awk_search = rule_yaml['check'].split("'")[1].split("/")[1] + field_sep = rule_yaml['check'].split("-F")[1].split(" ")[0].replace('\"',"") + + try: + + awk_result = rule_yaml['result']['string'] + + except: + + awk_result = str(rule_yaml['result']['integer']) + + awk_search = "^" + awk_search + field_sep + awk_result + + + oval_definition = oval_definition + ''' @@ -1351,7 +1385,7 @@ def main(): {} 1 - '''.format(x,rule_yaml['id'],awk_file.rstrip(),"^" + awk_search + field_sep + awk_result) + '''.format(x,rule_yaml['id'],awk_file.rstrip(), awk_search) x += 1 continue if "grep" in command[3]: diff --git a/sections/auditing.yaml b/sections/auditing.yaml index 31be8b46..6314ac5e 100644 --- a/sections/auditing.yaml 
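Review bot: the @@ -1103 hunk's condition if "-" in fix_command and "R" in fix_command or rule_yaml['fix'].split("\n")[2][-1] == "*": relies on and binding tighter than or; parenthesise it so the intent is explicit, and note that split("\n")[2][-1] raises IndexError for any fix with fewer than three lines or an empty third line. Something like lines = rule_yaml['fix'].splitlines() and (len(lines) > 2 and lines[2].endswith("*")) avoids the crash. The substring test "-" in fix_command and "R" in fix_command also matches any fix containing a hyphen and an uppercase R anywhere; matching the actual "-R" flag would be safer.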
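Review bot: in the awk hunk (@@ -1314), the new grep -qE branch takes awk_file and awk_search from the fix command (rule_yaml['fix'].split(" ")[3] and [2]) rather than from the check, and the grep branch uses split("|")[0].split(" ")[-2] and split("|")[-1].split(" ")[-2]; all three branches index into shell strings positionally with no validation, so a rule with one extra flag yields a wrong file or pattern without an error. Consider shlex.split on the command and checking that awk_file starts with "/" before emitting the definition. Also, only the else branch builds awk_search = "^" + awk_search + field_sep + awk_result, so in the two grep branches the OVAL pattern is the bare, unanchored search text with no expected value; if that is intended, say so in a comment, otherwise anchor and append the result in every branch.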
+++ b/sections/auditing.yaml @@ -2,4 +2,6 @@ description: | This section contains the configuration and enforcement of the OpenBSM settings. + NOTE: The BSM Audit subsystem has been marked as deprecated by Apple. + NOTE: The check/fix commands outlined in this section _MUST_ be run with elevated privileges. \ No newline at end of file diff --git a/sections/authentication.yaml b/sections/authentication.yaml index 8dbc7a2d..231871e8 100644 --- a/sections/authentication.yaml +++ b/sections/authentication.yaml @@ -1,5 +1,5 @@ name: "Authentication" description: | - This section contains the configuration and enforcement of smartcard authentication settings. + This section contains the configuration of authentication settings, including the enforcement of smartcard authentication. NOTE: The check/fix commands outlined in this section must be run with elevated privileges. \ No newline at end of file diff --git a/sections/not_applicable.yaml b/sections/not_applicable.yaml index 4ae3407a..0f6c2244 100644 --- a/sections/not_applicable.yaml +++ b/sections/not_applicable.yaml @@ -1,3 +1,3 @@ name: "Not Applicable" description: | - This section contains the controls that are defined in the NIST 800-53 revision 4 but are not applicable when configuring a macOS system. \ No newline at end of file + This section contains the controls that are defined in the NIST 800-53 revision 5 but are not applicable when configuring a macOS system. \ No newline at end of file diff --git a/sections/passwordpolicy.yaml b/sections/passwordpolicy.yaml index b6e8f52c..02dd17bb 100644 --- a/sections/passwordpolicy.yaml +++ b/sections/passwordpolicy.yaml 
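Review bot: in sections/auditing.yaml the two added NOTE: lines appear adjacent; AsciiDoc needs a blank line between admonition paragraphs, otherwise the second NOTE: renders as plain text inside the first admonition, so confirm a blank line separates them. The emphasis is also inconsistent across sections: auditing now says _MUST_ while the authentication.yaml context line keeps "must"; pick one form for all section files.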
@@ -6,7 +6,7 @@ [IMPORTANT] ==== - The password policy recommendations used to develop these rules fall under the NIST SP 800-53 (Rev. 4), however the NIST SP 800-53 (Rev. 5) was released on September 23rd, 2020 with updated guidance on password policies. + The password policy recommendations in the NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. ==== NOTE: The settings outlined in this section adhere to the recommendations provided in this document for systems that utilize passwords for local accounts. If systems are integrated with a directory service, local password policies should align with domain password policies to the fullest extent feasible. \ No newline at end of file diff --git a/sections/permanent.yaml b/sections/permanent.yaml index c6748a84..00b3d6b1 100644 --- a/sections/permanent.yaml +++ b/sections/permanent.yaml @@ -1,3 +1,3 @@ name: "Permanent Findings" description: | - This section contains the controls that are defined in NIST 800-53 revision 4 but are unable to be configured natively within macOS. It is recommended to implement a third-party solution to meet the controls in this section. \ No newline at end of file + This section contains the controls that are defined in NIST 800-53 revision 5 but are unable to be configured natively within macOS. It is recommended to implement a third-party solution to meet the controls in this section. \ No newline at end of file diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc index 3e69ed54..ba642505 100644 --- a/templates/adoc_additional_docs.adoc +++ b/templates/adoc_additional_docs.adoc 
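Review bot: in sections/passwordpolicy.yaml the new IMPORTANT text reads "based off of common complexity values. But your organization may define its own password complexity rules"; prefer one sentence, "based on common complexity values, but your organization may define its own password complexity rules". The foreword in this same change writes "NIST SP 800-53 (Rev. 5)"; match that style here ("NIST SP 800-53 (Rev. 5) and NIST SP 800-63B").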
@@ -7,7 +7,7 @@ ASSOCIATED DOCUMENTS Example: [%header, cols=2*a] <-- table format block |==== <-- table opening tag - |Document Number|Document Title <-- header line + |Document Number or Descriptor|Document Title <-- header line <-- empty line for readability (optional) <-- empty line for readability (optional) @@ -16,39 +16,25 @@ ASSOCIATED DOCUMENTS [%header, cols=2*a] .National Institute of Standards and Technology (NIST) |=== -|Document Number -|Document Title -|link:https://nvd.nist.gov/800-53[NIST Special Publication 800-53 Rev 4]|_NIST Special Publication 800-53 Rev 4_ -|=== - -[%header, cols=2*a] -.National Institute of Standards and Technology (NIST) -|=== -|Document Number +|Document Number or Descriptor |Document Title +|link:https://nvd.nist.gov/800-53[NIST Special Publication 800-53 Rev 5]|_NIST Special Publication 800-53 Rev 5_ |link:https://www.nist.gov/itl/tig/projects/special-publication-800-63[NIST Special Publication 800-63]|_NIST Special Publication 800-63_ -|=== - -[%header, cols=2*a] -.National Institute of Standards and Technology (NIST) -|=== -|Document Number -|Document Title |link:https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final[NIST Special Publication 800-171]|_NIST Special Publication 800-171 Rev 2_ |=== [%header, cols=2*a] .Defense Information Systems Agency (DISA) |=== -|Document Number +|Document Number or Descriptor |Document Title -|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_OS_X_10-15_V1R2_STIG.zip[STIG Ver 1, Rel 2]|_Apple OS X 10.15 (Catalina) STIG_ +|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_11_V1R2_STIG.zip[STIG Ver 1, Rel 2]|_Apple macOS 11 (Big Sur) STIG_ |=== [%header, cols=2*a] .Committee on National Security Systems (CNSS) |=== -|Document Number +|Document Number or Descriptor |Document Title |link:https://www.cnss.gov/CNSS/issuances/Instructions.cfm[CNSSI No. 1253]|_Security Categorization and Control Selection for National Security Systems_ |=== 
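Review bot: in templates/adoc_additional_docs.adoc the DISA row swaps the Catalina STIG for U_Apple_macOS_11_V1R2_STIG.zip but keeps the "STIG Ver 1, Rel 2" label unchanged from the old row; confirm the version and release were checked against the Big Sur STIG rather than carried over. Merging the three NIST tables into one is a good cleanup; the 800-53 link still points at nvd.nist.gov/800-53 while 800-171 uses the csrc.nist.gov publication page, so consider pointing the Rev 5 entry at its csrc.nist.gov publication page for consistency.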
@@ -57,15 +43,11 @@ ASSOCIATED DOCUMENTS [%header, cols=2*a] .Apple |=== -|Document Number +|Document Number or Descriptor |Document Title +|link:https://support.apple.com/guide/security/welcome/web[Apple Platform Security Guide]|_Apple Platform Security_ +|link:https://support.apple.com/guide/deployment-reference-macos/welcome/web[Deployment Reference for Mac]|_Deployment Reference_ |link:https://support.apple.com/guide/mdm/welcome/web[Mobile Device Management Settings]|_Mobile Device Management Settings_ -|=== - -[%header, cols=2*a] -.Apple -|=== -|Document Number -|Document Title -|link:https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys[Apple Developer]|_Profile-Specific Payload Keys_ +|link:https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys[Profile-Specific Payload Keys]|_Profile-Specific Payload Keys_ +|link:https://support.apple.com/guide/sccc/welcome/web[Security Certifications and Compliance Center]|_Security Certifications and Compliance Center_ |=== \ No newline at end of file diff --git a/templates/adoc_authors.adoc b/templates/adoc_authors.adoc index 89f53d2f..d8ad420e 100644 --- a/templates/adoc_authors.adoc +++ b/templates/adoc_authors.adoc @@ -9,5 +9,4 @@ |Joshua Glemza|National Aeronautics and Space Administration |Elyse Anderson|National Aeronautics and Space Administration |Gary Gapinski|National Aeronautics and Space Administration -|Paige Ramsey|Los Alamos National Laboratory |=== \ No newline at end of file diff --git a/templates/adoc_foreword.adoc b/templates/adoc_foreword.adoc index 707ede9c..1b31428a 100644 --- a/templates/adoc_foreword.adoc +++ b/templates/adoc_foreword.adoc 
@@ -1,7 +1,7 @@ == Foreword -The macOS Security Compliance Project is an open source effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Recommended Security Controls for Federal Information Systems and Organizations_, Revision 4. +The macOS Security Compliance Project is an open source effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Security and Privacy Controls for Information Systems and Organizations_, Revision 5. -This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 4). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization. +This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization. The objective of this effort was to simplify and radically accelerate the process of producing up-to-date macOS security guidance that is also accessible to any organization and tailorable to meet each organization’s specific security needs. diff --git a/templates/adoc_rule.adoc b/templates/adoc_rule.adoc index d741b09f..df9683bd 100644 --- a/templates/adoc_rule.adoc +++ b/templates/adoc_rule.adoc 
@@ -32,8 +32,8 @@ $rule_fix [grid="cols"] !=== -!800-53r4 -!$rule_80053r4 +!800-53r5 +!$rule_80053r5 ifdef::show_171[] !800-171r2 diff --git a/templates/adoc_rule_custom_refs.adoc b/templates/adoc_rule_custom_refs.adoc index 8ffbd2ea..19cd3165 100644 --- a/templates/adoc_rule_custom_refs.adoc +++ b/templates/adoc_rule_custom_refs.adoc @@ -32,8 +32,8 @@ $rule_fix [grid="cols"] !=== -!800-53r4 -!$rule_80053r4 +!800-53r5 +!$rule_80053r5 ifdef::show_171[] !800-171r2 diff --git a/templates/adoc_rule_no_setting.adoc b/templates/adoc_rule_no_setting.adoc index 48f0de0f..a0a4a207 100644 --- a/templates/adoc_rule_no_setting.adoc +++ b/templates/adoc_rule_no_setting.adoc @@ -18,8 +18,8 @@ $rule_check [grid="cols"] !=== -!800-53r4 -!$rule_80053r4 +!800-53r5 +!$rule_80053r5 ifdef::show_171[] !800-171r2