From f09ccced9864d6011d382f68f53792f895ad7299 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Wed, 10 Mar 2021 13:43:23 -0500 Subject: [PATCH 001/135] initial rev5 conversion again --- rules/audit/audit_acls_files_configure.yaml | 2 ++ rules/audit/audit_auditd_enabled.yaml | 5 +++++ rules/audit/audit_configure_capacity_notify.yaml | 2 ++ rules/audit/audit_enforce_dual_auth.yaml | 2 ++ rules/audit/audit_flags_aa_configure.yaml | 2 ++ rules/audit/audit_flags_ad_configure.yaml | 3 +++ rules/audit/audit_flags_ex_configure.yaml | 2 ++ rules/audit/audit_flags_fd_configure.yaml | 2 ++ rules/audit/audit_flags_fm_configure.yaml | 2 ++ rules/audit/audit_flags_fr_configure.yaml | 2 ++ rules/audit/audit_flags_fw_configure.yaml | 2 ++ rules/audit/audit_flags_lo_configure.yaml | 2 ++ rules/audit/audit_off_load_records.yaml | 2 ++ rules/audit/audit_retention_configure.yaml | 2 ++ rules/audit/audit_settings_failure_notify.yaml | 2 ++ rules/auth/auth_pam_login_smartcard_enforce.yaml | 3 +++ rules/auth/auth_pam_su_smartcard_enforce.yaml | 3 +++ rules/auth/auth_pam_sudo_smartcard_enforce.yaml | 3 +++ rules/auth/auth_smartcard_allow.yaml | 4 ++++ .../auth_smartcard_certificate_trust_enforce_high.yaml | 3 +++ .../auth_smartcard_certificate_trust_enforce_moderate.yaml | 3 +++ rules/auth/auth_smartcard_enforce.yaml | 6 ++++++ rules/auth/auth_ssh_smartcard_enforce.yaml | 7 +++++++ rules/os/os_airdrop_disable.yaml | 2 ++ rules/os/os_allow_info_passed.yaml | 2 ++ rules/os/os_anti_virus_installed.yaml | 2 ++ rules/os/os_auth_peripherals.yaml | 2 ++ rules/os/os_authenticated_root_enable.yaml | 5 +++++ rules/os/os_change_security_attributes.yaml | 2 ++ rules/os/os_crypto_audit.yaml | 2 ++ rules/os/os_filevault_autologin_disable.yaml | 3 +++ rules/os/os_firewall_default_deny_require.yaml | 2 ++ rules/os/os_firewall_log_enable.yaml | 2 ++ rules/os/os_firmware_password_require.yaml | 2 ++ rules/os/os_gatekeeper_enable.yaml | 4 ++++ rules/os/os_gatekeeper_rearm.yaml | 2 ++ rules/os/os_grant_privs.yaml | 2 ++ rules/os/os_guest_access_smb_disable.yaml | 2 ++ 
rules/os/os_guest_account_disable.yaml | 2 ++ rules/os/os_handoff_disable.yaml | 2 ++ rules/os/os_home_folders_secure.yaml | 2 ++ rules/os/os_httpd_disable.yaml | 2 ++ rules/os/os_identify_non-org_users.yaml | 2 ++ rules/os/os_implement_memory_protection.yaml | 2 ++ rules/os/os_internet_accounts_prefpane_disable.yaml | 2 ++ rules/os/os_isolate_security_functions.yaml | 2 ++ rules/os/os_limit_dos_attacks.yaml | 2 ++ rules/os/os_limit_gui_sessions.yaml | 2 ++ rules/os/os_logical_access.yaml | 2 ++ rules/os/os_nfsd_disable.yaml | 2 ++ rules/os/os_nonlocal_maintenance.yaml | 2 ++ rules/os/os_notify_unauthorized_baseline_change.yaml | 2 ++ rules/os/os_obscure_password.yaml | 2 ++ rules/os/os_password_autofill_disable.yaml | 2 ++ rules/os/os_policy_banner_loginwindow_enforce.yaml | 2 ++ rules/os/os_policy_banner_ssh_configure.yaml | 2 ++ rules/os/os_policy_banner_ssh_enforce.yaml | 2 ++ rules/os/os_prevent_priv_execution.yaml | 2 ++ rules/os/os_prevent_unauthorized_disclosure.yaml | 2 ++ rules/os/os_provide_disconnect_remote_access.yaml | 2 ++ rules/os/os_removable_media_disable.yaml | 2 ++ rules/os/os_remove_software_components_after_updates.yaml | 2 ++ rules/os/os_required_crypto_module.yaml | 2 ++ rules/os/os_root_disable.yaml | 3 +++ rules/os/os_screensaver_loginwindow_enforce.yaml | 2 ++ rules/os/os_secure_name_resolution.yaml | 2 ++ rules/os/os_separate_functionality.yaml | 2 ++ rules/os/os_sip_enable.yaml | 6 ++++++ rules/os/os_ssh_fips_140_ciphers.yaml | 3 +++ rules/os/os_ssh_fips_140_macs.yaml | 3 +++ rules/os/os_ssh_server_alive_count_max_configure.yaml | 2 ++ rules/os/os_ssh_server_alive_interval_configure.yaml | 2 ++ rules/os/os_sshd_client_alive_count_max_configure.yaml | 2 ++ rules/os/os_sshd_client_alive_interval_configure.yaml | 2 ++ rules/os/os_sshd_fips_140_ciphers.yaml | 3 +++ rules/os/os_sshd_fips_140_macs.yaml | 3 +++ rules/os/os_sshd_key_exchange_algorithm_configure.yaml | 3 +++ rules/os/os_sshd_login_grace_time_configure.yaml | 2 ++ 
rules/os/os_sshd_permit_root_login_configure.yaml | 2 ++ rules/os/os_system_log_files_owner_group_configure.yaml | 2 ++ rules/os/os_system_log_files_permissions_configure.yaml | 2 ++ rules/os/os_system_read_only.yaml | 2 ++ rules/os/os_system_wide_preferences_configure.yaml | 3 +++ rules/os/os_tftpd_disable.yaml | 2 ++ rules/os/os_time_server_enabled.yaml | 2 ++ rules/os/os_unlock_active_user_session_disable.yaml | 3 +++ rules/os/os_uucp_disable.yaml | 2 ++ rules/os/os_verify_remote_disconnection.yaml | 2 ++ rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml | 2 ++ rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml | 2 ++ .../pwpolicy_temporary_or_emergency_accounts_disable.yaml | 2 ++ rules/sysprefs/sysprefs_afp_disable.yaml | 2 ++ rules/sysprefs/sysprefs_automatic_login_disable.yaml | 3 +++ rules/sysprefs/sysprefs_automatic_logout_enforce.yaml | 2 ++ rules/sysprefs/sysprefs_bluetooth_disable.yaml | 3 +++ rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml | 3 +++ rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml | 2 ++ rules/sysprefs/sysprefs_filevault_enforce.yaml | 2 ++ rules/sysprefs/sysprefs_firewall_enable.yaml | 3 +++ .../sysprefs_gatekeeper_identified_developers_allowed.yaml | 4 ++++ rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml | 3 +++ rules/sysprefs/sysprefs_hot_corners_disable.yaml | 2 ++ rules/sysprefs/sysprefs_internet_sharing_disable.yaml | 2 ++ ...prefs_loginwindow_prompt_username_password_enforce.yaml | 2 ++ rules/sysprefs/sysprefs_media_sharing_disabled.yaml | 2 ++ rules/sysprefs/sysprefs_password_hints_disable.yaml | 2 ++ rules/sysprefs/sysprefs_rae_disable.yaml | 2 ++ rules/sysprefs/sysprefs_screen_sharing_disable.yaml | 2 ++ rules/sysprefs/sysprefs_smbd_disable.yaml | 2 ++ rules/sysprefs/sysprefs_ssh_disable.yaml | 3 +++ rules/sysprefs/sysprefs_time_server_configure.yaml | 2 ++ rules/sysprefs/sysprefs_time_server_enforce.yaml | 2 ++ rules/sysprefs/sysprefs_wifi_disable.yaml | 4 ++++ 
.../sysprefs_wifi_disable_when_connected_to_ethernet.yaml | 4 ++++
114 files changed, 278 insertions(+)
diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml
index 8e0a74a8..332fe8cc 100644
--- a/rules/audit/audit_acls_files_configure.yaml
+++ b/rules/audit/audit_acls_files_configure.yaml
@@ -19,6 +19,8 @@ references:
 cci:
 - CCI-000162
 - CCI-001314
+ 800-53r5:
+ - SI-11
 800-53r4:
 - AU-9
 - SI-11
diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml
index 4c2c4b10..f50a8d80 100644
--- a/rules/audit/audit_auditd_enabled.yaml
+++ b/rules/audit/audit_auditd_enabled.yaml
@@ -34,6 +34,11 @@ references:
 - CCI-001890
 - CCI-001914
 - CCI-002130
+ 800-53r5:
+ - AU-3
+ - AU-3(1)
+ - AU-8
+ - AU-12
 800-53r4:
 - AU-3
 - AU-3(1)
diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml
index 83826ecc..9044f030 100644
--- a/rules/audit/audit_configure_capacity_notify.yaml
+++ b/rules/audit/audit_configure_capacity_notify.yaml
@@ -18,6 +18,8 @@ references:
 - CCE-85255-8
 cci:
 - CCI-001855
+ 800-53r5:
+ - AU-5(1)
 800-53r4:
 - AU-5(1)
 srg:
diff --git a/rules/audit/audit_enforce_dual_auth.yaml b/rules/audit/audit_enforce_dual_auth.yaml
index 6391654d..e08c0cd2 100644
--- a/rules/audit/audit_enforce_dual_auth.yaml
+++ b/rules/audit/audit_enforce_dual_auth.yaml
@@ -16,6 +16,8 @@ references:
 cci:
 - CCI-000366
 - CCI-001896
+ 800-53r5:
+ - AU-9(5)
 800-53r4:
 - AU-9(5)
 disa_stig:
diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml
index cb993d8e..999e917a 100644
--- a/rules/audit/audit_flags_aa_configure.yaml
+++ b/rules/audit/audit_flags_aa_configure.yaml
@@ -20,6 +20,8 @@ references:
 - CCE-85261-6
 cci:
 - CCI-000172
+ 800-53r5:
+ - AU-12
 800-53r4:
 - AU-2
 - AU-12
diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml
index 5301dd45..e1ee65d1 100644
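Review bot: The new 800-53r5 list for audit_acls_files_configure carries only SI-11, while the rev4 list directly beneath it also carries AU-9; AU-9 (Protection of Audit Information) is retained unchanged in Rev. 5 and is the control that restricting ACLs on audit files actually implements, so its absence reads as an omission rather than a deliberate re-mapping. If unintended, the added block should read `800-53r5:` / `- AU-9` / `- SI-11`. If the narrowing is deliberate (for instance because this baseline only tracks the control tied to the listed CCIs), a one-line comment above the r5 key saying so would stop the next reviewer from re-adding it.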
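Review bot: The 800-53r5 list for audit_flags_aa_configure keeps AU-12 but drops AU-2, which the rev4 list still has; AU-2 (Event Logging) survives in Rev. 5 as the control that defines which events are selected for logging, and an audit-flag rule is the direct implementation of that selection. The same AU-2 drop appears in every other audit_flags_*_configure hunk in this patch, so whichever way it is decided it should be applied to all of them together. If it was not intentional, `- AU-2` belongs above `- AU-12` in each added block.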
--- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -28,6 +28,9 @@ references: - CCI-001405 - CCI-002234 - CCI-002884 + 800-53r5: + - AC-6(9) + - AU-12 800-53r4: - AU-2 - AC-2(4) diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index 25095593..92efdc1b 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml @@ -21,6 +21,8 @@ references: - CCE-85263-2 cci: - N/A + 800-53r5: + - AU-12 800-53r4: - AU-2 - AU-12 diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index 02d4b948..c338c662 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml @@ -23,6 +23,8 @@ references: cci: - CCI-000172 - CCI-001814 + 800-53r5: + - AU-12 800-53r4: - AU-2 - AU-12 diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index e3e8b912..dd8e25cb 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -23,6 +23,8 @@ references: cci: - CCI-000172 - CCI-001814 + 800-53r5: + - AU-12 800-53r4: - AU-2 - AU-12 diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index 561d294f..62ec5ba1 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml @@ -23,6 +23,8 @@ references: cci: - CCI-000172 - CCI-001814 + 800-53r5: + - AU-12 800-53r4: - AU-2 - AU-12 diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index 6dded9fe..f4828fad 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml @@ -22,6 +22,8 @@ references: - CCE-85266-5 cci: - CCI-000162 + 800-53r5: + - AU-12 800-53r4: - AU-2 - AU-12 
diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index ceb373e5..ee603af4 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -21,6 +21,8 @@ references: cci: - CCI-000067 - CCI-000172 + 800-53r5: + - AU-12 800-53r4: - AU-2 - AC-17(1) diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml index ce101e2d..48ec84bd 100644 --- a/rules/audit/audit_off_load_records.yaml +++ b/rules/audit/audit_off_load_records.yaml @@ -15,6 +15,8 @@ references: - CCE-85271-5 cci: - CCI-001851 + 800-53r5: + - AU-4(1) 800-53r4: - AU-4(1) disa_stig: diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index 68fc74cf..9ecf873a 100644 --- a/rules/audit/audit_retention_configure.yaml +++ b/rules/audit/audit_retention_configure.yaml @@ -18,6 +18,8 @@ references: - CCE-85272-3 cci: - CCI-001849 + 800-53r5: + - AU-11 800-53r4: - AU-4 - AU-11 diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml index 7ac711bc..aa0bf1ce 100644 --- a/rules/audit/audit_settings_failure_notify.yaml +++ b/rules/audit/audit_settings_failure_notify.yaml @@ -18,6 +18,8 @@ references: - CCE-85273-1 cci: - CCI-001858 + 800-53r5: + - AU-5(2) 800-53r4: - AU-5 - AU-5(2) diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml index 600d1ef3..8794f66b 100644 --- a/rules/auth/auth_pam_login_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml @@ -38,6 +38,9 @@ references: - CCE-85274-9 cci: - CCI-000366 + 800-53r5: + - IA-2(1) + - IA-2(2) 800-53r4: - IA-2(3) - IA-2(4) diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml index 417c8d66..b5facc4c 100644 --- a/rules/auth/auth_pam_su_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml 
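Review bot: The 800-53r5 list for audit_retention_configure keeps AU-11 but not AU-4, which the rev4 list pairs with it; AU-4 (Audit Log Storage Capacity) is still a Rev. 5 control, and the retention setting this rule configures is what bounds how much audit storage the system must keep, so the drop may be unintended. If the narrowing is meant, a short comment on the r5 key noting that the mapping intentionally narrows to AU-11 would make that clear; otherwise add `- AU-4` ahead of `- AU-11`.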
@@ -33,6 +33,9 @@ references: - CCE-85275-6 cci: - CCI-000366 + 800-53r5: + - IA-2(1) + - IA-2(2) 800-53r4: - IA-2(3) - IA-2(4) diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml index 2204504d..afab41b6 100644 --- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml @@ -32,6 +32,9 @@ references: - CCE-85276-4 cci: - CCI-000366 + 800-53r5: + - IA-2(1) + - IA-2(2) 800-53r4: - IA-2(3) - IA-2(4) diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml index d334a8e5..2f329459 100644 --- a/rules/auth/auth_smartcard_allow.yaml +++ b/rules/auth/auth_smartcard_allow.yaml @@ -17,6 +17,10 @@ references: - CCE-85277-2 cci: - N/A + 800-53r5: + - IA-2(1) + - IA-2(2) + - IA-2(12) 800-53r4: - IA-2(12) - IA-5(11) diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml index 71371c72..6787d475 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml @@ -19,6 +19,9 @@ references: - CCE-85278-0 cci: - CCI-000186 + 800-53r5: + - IA-2(12) + - IA-5(2) 800-53r4: - IA-2(12) - IA-5(2) diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml index eeec375e..5541dad5 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml @@ -23,6 +23,9 @@ references: - CCI-001991 - CCI-001953 - CCI-001954 + 800-53r5: + - IA-2(12) + - IA-5(2) 800-53r4: - IA-2(12) - IA-5(2) diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index 99314c07..585f8ca3 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml 
@@ -23,6 +23,12 @@ references: - CCI-000187 - CCI-000767 - CCI-000768 + 800-53r5: + - IA-2(1) + - IA-2(2) + - IA-2(6) + - IA-2 + - IA-5(2) 800-53r4: - IA-2 - IA-2(1) diff --git a/rules/auth/auth_ssh_smartcard_enforce.yaml b/rules/auth/auth_ssh_smartcard_enforce.yaml index ce66f851..69f2e545 100644 --- a/rules/auth/auth_ssh_smartcard_enforce.yaml +++ b/rules/auth/auth_ssh_smartcard_enforce.yaml @@ -21,6 +21,13 @@ references: - CCE-85281-4 cci: - N/A + 800-53r5: + - IA-2(1) + - IA-2(2) + - IA-2(6) + - IA-2 + - IA-5(2) + - MA-4 800-53r4: - IA-2 - IA-2(1) diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 609470d2..1b444b38 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85293-9 cci: - CCI-000381 + 800-53r5: + - AC-3 800-53r4: - CM-7 - AC-3 diff --git a/rules/os/os_allow_info_passed.yaml b/rules/os/os_allow_info_passed.yaml index e1715c9f..79635bd0 100644 --- a/rules/os/os_allow_info_passed.yaml +++ b/rules/os/os_allow_info_passed.yaml @@ -15,6 +15,8 @@ references: - CCE-85294-7 cci: - CCI-002165 + 800-53r5: + - AC-3(4) 800-53r4: - AC-3(4) disa_stig: diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml index a1b28be7..e9c73d52 100644 --- a/rules/os/os_anti_virus_installed.yaml +++ b/rules/os/os_anti_virus_installed.yaml @@ -14,6 +14,8 @@ references: - CCE-85295-4 cci: - CCI-000366 + 800-53r5: + - SI-2 800-53r4: - SI-2 srg: diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml index 4deb51eb..2b85bcd0 100644 --- a/rules/os/os_auth_peripherals.yaml +++ b/rules/os/os_auth_peripherals.yaml @@ -11,6 +11,8 @@ references: - CCE-85297-0 cci: - CCI-001958 + 800-53r5: + - IA-3 800-53r4: - IA-3 disa_stig: diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml index 7be373f8..5e3825b3 100644 --- a/rules/os/os_authenticated_root_enable.yaml 
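Review bot: In the auth_smartcard_enforce hunk the base control is listed after its enhancements (`- IA-2(1)`, `- IA-2(2)`, `- IA-2(6)`, then `- IA-2`), whereas the other hunks in this patch that include a base control list it first (the rev4 block immediately below starts with `- IA-2`, and os_root_disable lists `- IA-2` before `- IA-2(5)`). Ordering the r5 list as `IA-2, IA-2(1), IA-2(2), IA-2(6), IA-5(2)` keeps the files consistent and makes the generated reference tables easier to scan. The auth_ssh_smartcard_enforce hunk on this same line has the same ordering and should be adjusted with it.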
+++ b/rules/os/os_authenticated_root_enable.yaml @@ -19,6 +19,11 @@ references: - CCE-85298-8 cci: - N/A + 800-53r5: + - AC-3 + - CM-5 + - SC-34 + - SI-7(6) 800-53r4: - AC-3 - CM-5 diff --git a/rules/os/os_change_security_attributes.yaml b/rules/os/os_change_security_attributes.yaml index ffd92f1e..a7d90f90 100644 --- a/rules/os/os_change_security_attributes.yaml +++ b/rules/os/os_change_security_attributes.yaml @@ -15,6 +15,8 @@ references: - CCE-85303-6 cci: - CCI-002165 + 800-53r5: + - AC-3(4) 800-53r4: - AC-3(4) disa_stig: diff --git a/rules/os/os_crypto_audit.yaml b/rules/os/os_crypto_audit.yaml index e6e7a3ec..589d1e1e 100644 --- a/rules/os/os_crypto_audit.yaml +++ b/rules/os/os_crypto_audit.yaml @@ -17,6 +17,8 @@ references: - CCE-85305-1 cci: - CCI-001496 + 800-53r5: + - AU-9(3) 800-53r4: - AU-9(3) disa_stig: diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml index 02dd58fa..676ec9fe 100644 --- a/rules/os/os_filevault_autologin_disable.yaml +++ b/rules/os/os_filevault_autologin_disable.yaml @@ -13,6 +13,9 @@ fix: | references: cce: - CCE-85310-1 + 800-53r5: + - AC-3 + - IA-5(13) 800-53r4: - AC-2(11) - AC-3 diff --git a/rules/os/os_firewall_default_deny_require.yaml b/rules/os/os_firewall_default_deny_require.yaml index c650f340..27deb54c 100644 --- a/rules/os/os_firewall_default_deny_require.yaml +++ b/rules/os/os_firewall_default_deny_require.yaml @@ -25,6 +25,8 @@ references: cci: - CCI-000366 - CCI-002080 + 800-53r5: + - AC-4 800-53r4: - SC-7(5) - AC-4 diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml index 1a870d0b..96d0eb80 100644 --- a/rules/os/os_firewall_log_enable.yaml +++ b/rules/os/os_firewall_log_enable.yaml @@ -20,6 +20,8 @@ references: - CCE-85313-5 cci: - N/A + 800-53r5: + - AU-12 800-53r4: - SC-7 - AU-12 diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml index b6434726..ee2600fe 100644 
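Review bot: The 800-53r5 list for os_firewall_default_deny_require carries only AC-4 and drops SC-7(5), which the rev4 list has; SC-7(5) (Deny by Default — Allow by Exception) is retained in Rev. 5 and is the control whose text describes a default-deny firewall policy, so it is the one a Rev. 5 assessor will look for on this rule. Unless the narrowing is deliberate, the added block should be `800-53r5:` / `- AC-4` / `- SC-7(5)`.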
--- a/rules/os/os_firmware_password_require.yaml +++ b/rules/os/os_firmware_password_require.yaml @@ -25,6 +25,8 @@ references: - CCE-85314-3 cci: - CCI-000366 + 800-53r5: + - AC-6 800-53r4: - AC-6 srg: diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml index 1192eefa..1d8c4bdc 100644 --- a/rules/os/os_gatekeeper_enable.yaml +++ b/rules/os/os_gatekeeper_enable.yaml @@ -20,6 +20,10 @@ references: - CCE-85315-0 cci: - CCI-001749 + 800-53r5: + - CM-14 + - CM-5 + - SI-7(15) 800-53r4: - CM-5(3) - CM-5 diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml index dfb01ec9..644f0543 100644 --- a/rules/os/os_gatekeeper_rearm.yaml +++ b/rules/os/os_gatekeeper_rearm.yaml @@ -13,6 +13,8 @@ references: - CCE-85316-8 cci: - N/A + 800-53r5: + - CM-5 800-53r4: - CM-5 - SI-3 diff --git a/rules/os/os_grant_privs.yaml b/rules/os/os_grant_privs.yaml index 41754f65..f8e21f63 100644 --- a/rules/os/os_grant_privs.yaml +++ b/rules/os/os_grant_privs.yaml @@ -15,6 +15,8 @@ references: - CCE-85317-6 cci: - CCI-002165 + 800-53r5: + - AC-3(4) 800-53r4: - AC-3(4) disa_stig: diff --git a/rules/os/os_guest_access_smb_disable.yaml b/rules/os/os_guest_access_smb_disable.yaml index 13467469..8cf00bfa 100644 --- a/rules/os/os_guest_access_smb_disable.yaml +++ b/rules/os/os_guest_access_smb_disable.yaml @@ -13,6 +13,8 @@ fix: | references: cce: - CCE-85319-2 + 800-53r5: + - AC-2(9) 800-53r4: - AC-2 - AC-2(9) diff --git a/rules/os/os_guest_account_disable.yaml b/rules/os/os_guest_account_disable.yaml index 7142c169..b2d63ced 100644 --- a/rules/os/os_guest_account_disable.yaml +++ b/rules/os/os_guest_account_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85320-0 cci: - CCI-001813 + 800-53r5: + - AC-2(9) 800-53r4: - AC-2 - AC-2(9) diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml index 1a00905e..9fe9df61 100644 --- a/rules/os/os_handoff_disable.yaml +++ b/rules/os/os_handoff_disable.yaml 
@@ -13,6 +13,8 @@ fix: | references: cce: - CCE-85321-8 + 800-53r5: + - AC-3 800-53r4: - AC-3 - AC-20 diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml index 965376fe..5326f55c 100644 --- a/rules/os/os_home_folders_secure.yaml +++ b/rules/os/os_home_folders_secure.yaml @@ -22,6 +22,8 @@ references: - CCE-85322-6 cci: - CCI-000366 + 800-53r5: + - AC-6 800-53r4: - AC-6 srg: diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml index 1da2e020..6feb792c 100644 --- a/rules/os/os_httpd_disable.yaml +++ b/rules/os/os_httpd_disable.yaml @@ -16,6 +16,8 @@ references: - CCE-85323-4 cci: - CCI-000381 + 800-53r5: + - AC-3 800-53r4: - AC-3 srg: diff --git a/rules/os/os_identify_non-org_users.yaml b/rules/os/os_identify_non-org_users.yaml index 15274b12..10f158f9 100644 --- a/rules/os/os_identify_non-org_users.yaml +++ b/rules/os/os_identify_non-org_users.yaml @@ -11,6 +11,8 @@ references: - CCE-85325-9 cci: - CCI-000804 + 800-53r5: + - IA-8 800-53r4: - IA-8 disa_stig: diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml index 5842c507..60080e5e 100644 --- a/rules/os/os_implement_memory_protection.yaml +++ b/rules/os/os_implement_memory_protection.yaml @@ -22,6 +22,8 @@ references: - CCE-85327-5 cci: - CCI-002824 + 800-53r5: + - SI-16 800-53r4: - SI-16 disa_stig: diff --git a/rules/os/os_internet_accounts_prefpane_disable.yaml b/rules/os/os_internet_accounts_prefpane_disable.yaml index a84c3c85..a1035d22 100644 --- a/rules/os/os_internet_accounts_prefpane_disable.yaml +++ b/rules/os/os_internet_accounts_prefpane_disable.yaml @@ -19,6 +19,8 @@ references: cci: - CCI-001774 - CCI-000381 + 800-53r5: + - CM-7(5) 800-53r4: - AC-20 - CM-7(5) diff --git a/rules/os/os_isolate_security_functions.yaml b/rules/os/os_isolate_security_functions.yaml index fee3b1f3..37b28a89 100644 --- a/rules/os/os_isolate_security_functions.yaml +++ b/rules/os/os_isolate_security_functions.yaml 
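Review bot: The 800-53r5 list for os_internet_accounts_prefpane_disable drops AC-20 while keeping CM-7(5); AC-20 (Use of External Systems) is still present in Rev. 5 and is the control that addresses linking the device to third-party cloud accounts, which is what this preference pane does. The os_handoff_disable hunk on this same line drops AC-20 in the same way. If the intent is to keep only the control tied to the listed CCIs, a brief comment on the r5 key would make that explicit; otherwise add `- AC-20` to both added blocks.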
@@ -13,6 +13,8 @@ references: - CCE-85330-9 cci: - CCI-001084 + 800-53r5: + - SC-3 800-53r4: - SC-3 disa_stig: diff --git a/rules/os/os_limit_dos_attacks.yaml b/rules/os/os_limit_dos_attacks.yaml index 489356d7..306da1ab 100644 --- a/rules/os/os_limit_dos_attacks.yaml +++ b/rules/os/os_limit_dos_attacks.yaml @@ -15,6 +15,8 @@ references: - CCE-85332-5 cci: - CCI-001095 + 800-53r5: + - SC-5(2) 800-53r4: - SC-5(2) disa_stig: diff --git a/rules/os/os_limit_gui_sessions.yaml b/rules/os/os_limit_gui_sessions.yaml index 69e3fdca..c7ffec86 100644 --- a/rules/os/os_limit_gui_sessions.yaml +++ b/rules/os/os_limit_gui_sessions.yaml @@ -13,6 +13,8 @@ references: - CCE-85333-3 cci: - CCI-000054 + 800-53r5: + - AC-10 800-53r4: - AC-10 disa_stig: diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml index 01cf22a2..682bdd18 100644 --- a/rules/os/os_logical_access.yaml +++ b/rules/os/os_logical_access.yaml @@ -15,6 +15,8 @@ references: - CCE-85334-1 cci: - CCI-000213 + 800-53r5: + - AC-3 800-53r4: - AC-3 disa_stig: diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml index 37c18973..d6795d49 100644 --- a/rules/os/os_nfsd_disable.yaml +++ b/rules/os/os_nfsd_disable.yaml @@ -17,6 +17,8 @@ references: - CCE-85342-4 cci: - CCI-000381 + 800-53r5: + - AC-3 800-53r4: - AC-3 srg: diff --git a/rules/os/os_nonlocal_maintenance.yaml b/rules/os/os_nonlocal_maintenance.yaml index 50348c8b..3f946975 100644 --- a/rules/os/os_nonlocal_maintenance.yaml +++ b/rules/os/os_nonlocal_maintenance.yaml @@ -11,6 +11,8 @@ references: - CCE-85458-8 cci: - N/A + 800-53r5: + - MA-4 800-53r4: - MA-4 800-171r2: diff --git a/rules/os/os_notify_unauthorized_baseline_change.yaml b/rules/os/os_notify_unauthorized_baseline_change.yaml index 20359daf..3dad5fc7 100644 --- a/rules/os/os_notify_unauthorized_baseline_change.yaml +++ b/rules/os/os_notify_unauthorized_baseline_change.yaml 
@@ -15,6 +15,8 @@ references: - CCE-85348-1 cci: - CCI-001744 + 800-53r5: + - CM-3(5) 800-53r4: - CM-3(5) disa_stig: diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml index 7d063714..70cf327a 100644 --- a/rules/os/os_obscure_password.yaml +++ b/rules/os/os_obscure_password.yaml @@ -15,6 +15,8 @@ references: - CCE-85349-9 cci: - CCI-000206 + 800-53r5: + - IA-6 800-53r4: - IA-5 - IA-6 diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml index fb424bed..7ada300e 100644 --- a/rules/os/os_password_autofill_disable.yaml +++ b/rules/os/os_password_autofill_disable.yaml @@ -13,6 +13,8 @@ fix: | references: cce: - CCE-85351-5 + 800-53r5: + - IA-5(13) 800-53r4: - IA-5 - IA-5(13) diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml index e376b391..583fcf74 100644 --- a/rules/os/os_policy_banner_loginwindow_enforce.yaml +++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml @@ -35,6 +35,8 @@ references: - CCI-001386 - CCI-001387 - CCI-001388 + 800-53r5: + - AC-8 800-53r4: - AC-8 srg: diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml index 8eaab28c..2c3edece 100644 --- a/rules/os/os_policy_banner_ssh_configure.yaml +++ b/rules/os/os_policy_banner_ssh_configure.yaml @@ -22,6 +22,8 @@ references: - CCE-85356-4 cci: - CCI-000048 + 800-53r5: + - AC-8 800-53r4: - AC-8 srg: diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml index f11eb2e0..518bdb36 100644 --- a/rules/os/os_policy_banner_ssh_enforce.yaml +++ b/rules/os/os_policy_banner_ssh_enforce.yaml @@ -23,6 +23,8 @@ references: cci: - CCI-000048 - CCI-000050 + 800-53r5: + - AC-8 800-53r4: - AC-8 srg: diff --git a/rules/os/os_prevent_priv_execution.yaml b/rules/os/os_prevent_priv_execution.yaml index 4126dc3a..f18698be 100644 --- a/rules/os/os_prevent_priv_execution.yaml 
+++ b/rules/os/os_prevent_priv_execution.yaml @@ -15,6 +15,8 @@ references: - CCE-85359-8 cci: - CCI-002233 + 800-53r5: + - AC-6(8) 800-53r4: - AC-6(8) disa_stig: diff --git a/rules/os/os_prevent_unauthorized_disclosure.yaml b/rules/os/os_prevent_unauthorized_disclosure.yaml index 19925935..4506543c 100644 --- a/rules/os/os_prevent_unauthorized_disclosure.yaml +++ b/rules/os/os_prevent_unauthorized_disclosure.yaml @@ -15,6 +15,8 @@ references: - CCE-85361-4 cci: - CCI-001090 + 800-53r5: + - SC-4 800-53r4: - SC-4 disa_stig: diff --git a/rules/os/os_provide_disconnect_remote_access.yaml b/rules/os/os_provide_disconnect_remote_access.yaml index cc484182..96dd7ae1 100644 --- a/rules/os/os_provide_disconnect_remote_access.yaml +++ b/rules/os/os_provide_disconnect_remote_access.yaml @@ -11,6 +11,8 @@ references: - CCE-85365-5 cci: - CCI-002322 + 800-53r5: + - AC-17(9) 800-53r4: - AC-17(9) disa_stig: diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml index f1ece2f2..e6ce3663 100644 --- a/rules/os/os_removable_media_disable.yaml +++ b/rules/os/os_removable_media_disable.yaml @@ -20,6 +20,8 @@ references: - CCE-85370-5 cci: - N/A + 800-53r5: + - MP-7 800-53r4: - MP-7(1) srg: diff --git a/rules/os/os_remove_software_components_after_updates.yaml b/rules/os/os_remove_software_components_after_updates.yaml index 43c7a604..ef65513c 100644 --- a/rules/os/os_remove_software_components_after_updates.yaml +++ b/rules/os/os_remove_software_components_after_updates.yaml @@ -11,6 +11,8 @@ references: - CCE-85371-3 cci: - CCI-002617 + 800-53r5: + - SI-2(6) 800-53r4: - SI-2(6) disa_stig: diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml index 91d9a579..cc99148d 100644 --- a/rules/os/os_required_crypto_module.yaml +++ b/rules/os/os_required_crypto_module.yaml @@ -19,6 +19,8 @@ references: - CCE-85373-9 cci: - CCI-000803 + 800-53r5: + - IA-7 800-53r4: - IA-7 disa_stig: 
diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml index cc41e762..d28fa406 100644 --- a/rules/os/os_root_disable.yaml +++ b/rules/os/os_root_disable.yaml @@ -18,6 +18,9 @@ references: - CCE-85374-7 cci: - N/A + 800-53r5: + - IA-2 + - IA-2(5) 800-53r4: - IA-2 - IA-2(5) diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml index 77534b4d..409206ae 100644 --- a/rules/os/os_screensaver_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_loginwindow_enforce.yaml @@ -13,6 +13,8 @@ references: - CCE-85375-4 cci: - CCI-000060* + 800-53r5: + - AC-11(1) 800-53r4: - AC-11(1) srg: diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml index c7b603ad..516b3e5f 100644 --- a/rules/os/os_secure_name_resolution.yaml +++ b/rules/os/os_secure_name_resolution.yaml @@ -14,6 +14,8 @@ references: - CCI-002466 - CCI-002467 - CCI-002468 + 800-53r5: + - SC-21 800-53r4: - SC-21 disa_stig: diff --git a/rules/os/os_separate_functionality.yaml b/rules/os/os_separate_functionality.yaml index 04a68c86..6e5a43db 100644 --- a/rules/os/os_separate_functionality.yaml +++ b/rules/os/os_separate_functionality.yaml @@ -17,6 +17,8 @@ references: - CCE-85377-0 cci: - CCI-001082 + 800-53r5: + - SC-2 800-53r4: - SC-2 disa_stig: diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index cd545236..96685f7d 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml @@ -33,6 +33,12 @@ references: - CCI-001880 - CCI-001881 - CCI-001882 + 800-53r5: + - AC-3 + - AU-9(3) + - CM-5 + - CM-5(6) + - SC-4 800-53r4: - AC-3 - AU-6(4) diff --git a/rules/os/os_ssh_fips_140_ciphers.yaml b/rules/os/os_ssh_fips_140_ciphers.yaml index 5d8dbcce..1d102f39 100644 --- a/rules/os/os_ssh_fips_140_ciphers.yaml +++ b/rules/os/os_ssh_fips_140_ciphers.yaml @@ -22,6 +22,9 @@ references: - CCE-85382-0 cci: - N/A + 800-53r5: + - AC-17(2) + - IA-7 800-53r4: - AC-17(2) - IA-7 
diff --git a/rules/os/os_ssh_fips_140_macs.yaml b/rules/os/os_ssh_fips_140_macs.yaml index 448ac475..c60b8f42 100644 --- a/rules/os/os_ssh_fips_140_macs.yaml +++ b/rules/os/os_ssh_fips_140_macs.yaml @@ -26,6 +26,9 @@ references: - CCI-000803 - CCI-002890 - CCI-003123 + 800-53r5: + - AC-17(2) + - IA-7 800-53r4: - AC-17(2) - IA-7 diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml index 541bd5fd..64f3ca44 100644 --- a/rules/os/os_ssh_server_alive_count_max_configure.yaml +++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml @@ -18,6 +18,8 @@ references: - CCE-85380-4 cci: - N/A + 800-53r5: + - SC-10 800-53r4: - SC-10 srg: diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml index 5a8a3906..918a2511 100644 --- a/rules/os/os_ssh_server_alive_interval_configure.yaml +++ b/rules/os/os_ssh_server_alive_interval_configure.yaml @@ -20,6 +20,8 @@ references: - CCE-85381-2 cci: - N/A + 800-53r5: + - SC-10 800-53r4: - SC-10 srg: diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml index e676b9af..fff86444 100644 --- a/rules/os/os_sshd_client_alive_count_max_configure.yaml +++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml @@ -18,6 +18,8 @@ references: - CCE-85456-2 cci: - CCI-001133 + 800-53r5: + - SC-10 800-53r4: - SC-10 srg: diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml index 50857f76..4f600e9a 100644 --- a/rules/os/os_sshd_client_alive_interval_configure.yaml +++ b/rules/os/os_sshd_client_alive_interval_configure.yaml @@ -20,6 +20,8 @@ references: - CCE-85457-0 cci: - CCI-001133 + 800-53r5: + - SC-10 800-53r4: - SC-10 srg: diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml index 1319acf1..56a7ba3b 100644 
--- a/rules/os/os_sshd_fips_140_ciphers.yaml +++ b/rules/os/os_sshd_fips_140_ciphers.yaml @@ -26,6 +26,9 @@ references: - CCI-000087 - CCI-003123 - CCI-002890 + 800-53r5: + - AC-17(2) + - IA-7 800-53r4: - AC-17(2) - IA-7 diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml index 0a00f81b..a45f4ba1 100644 --- a/rules/os/os_sshd_fips_140_macs.yaml +++ b/rules/os/os_sshd_fips_140_macs.yaml @@ -26,6 +26,9 @@ references: - CCI-000803 - CCI-002890 - CCI-003123 + 800-53r5: + - AC-17(2) + - IA-7 800-53r4: - AC-17(2) - IA-7 diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml index 87bb0fb0..4d568ac4 100644 --- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml +++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml @@ -28,6 +28,9 @@ references: - CCI-000087 - CCI-003123 - CCI-002890 + 800-53r5: + - AC-17(2) + - IA-7 800-53r4: - IA-7 - AC-17(2) diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml index 7c355f91..f8abc27d 100644 --- a/rules/os/os_sshd_login_grace_time_configure.yaml +++ b/rules/os/os_sshd_login_grace_time_configure.yaml @@ -18,6 +18,8 @@ references: - CCE-85384-6 cci: - CCI-001133 + 800-53r5: + - SC-10 800-53r4: - SC-10 srg: diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml index f45eaf5d..6a15da41 100644 --- a/rules/os/os_sshd_permit_root_login_configure.yaml +++ b/rules/os/os_sshd_permit_root_login_configure.yaml @@ -21,6 +21,8 @@ references: - CCE-85385-3 cci: - CCI-000770 + 800-53r5: + - IA-2(5) 800-53r4: - IA-2(5) srg: diff --git a/rules/os/os_system_log_files_owner_group_configure.yaml b/rules/os/os_system_log_files_owner_group_configure.yaml index dce23950..5c23c73b 100644 --- a/rules/os/os_system_log_files_owner_group_configure.yaml +++ b/rules/os/os_system_log_files_owner_group_configure.yaml 
@@ -28,6 +28,8 @@ references:
 - N/A
 cci:
 - CCI-001314
+ 800-53r5:
+ - SI-11
 800-53r4:
 - SI-11
 srg:
diff --git a/rules/os/os_system_log_files_permissions_configure.yaml b/rules/os/os_system_log_files_permissions_configure.yaml
index 35497d6c..8cdcd128 100644
--- a/rules/os/os_system_log_files_permissions_configure.yaml
+++ b/rules/os/os_system_log_files_permissions_configure.yaml
@@ -23,6 +23,8 @@ references:
 - N/A
 cci:
 - CCI-001314
+ 800-53r5:
+ - SI-11
 800-53r4:
 - SI-11
 srg:
diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml
index 622617ae..5600405c 100644
--- a/rules/os/os_system_read_only.yaml
+++ b/rules/os/os_system_read_only.yaml
@@ -13,6 +13,8 @@ references:
 - CCE-85388-7
 cci:
 - N/A
+ 800-53r5:
+ - SC-34
 800-53r4:
 - SC-34
 - SI-7
diff --git a/rules/os/os_system_wide_preferences_configure.yaml b/rules/os/os_system_wide_preferences_configure.yaml
index d1e84f47..0eac31c3 100644
--- a/rules/os/os_system_wide_preferences_configure.yaml
+++ b/rules/os/os_system_wide_preferences_configure.yaml
@@ -18,6 +18,9 @@ fix: |
 references:
 cce:
 - CCE-85389-5
+ 800-53r5:
+ - AC-6
+ - AC-6(2)
 800-53r4:
 - AC-6
 - AC-6(1)
diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml
index 392d993f..a6d8fcfd 100644
--- a/rules/os/os_tftpd_disable.yaml
+++ b/rules/os/os_tftpd_disable.yaml
@@ -19,6 +19,8 @@ references:
 - CCE-85391-1
 cci:
 - CCI-000197
+ 800-53r5:
+ - AC-3
 800-53r4:
 - AC-3
 - IA-5(1)
diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml
index 98593028..2d1ed8f9 100644
--- a/rules/os/os_time_server_enabled.yaml
+++ b/rules/os/os_time_server_enabled.yaml
@@ -17,6 +17,8 @@ references:
 cci:
 - CCI-001891
 - CCI-002046
+ 800-53r5:
+ - SC-45(1)
 800-53r4:
 - AU-8(1)
 srg:
diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml
index 6626ce64..c8fc807f 100644
--- a/rules/os/os_unlock_active_user_session_disable.yaml
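Review bot: The new `800-53r5` list in os_system_read_only.yaml carries only `- SC-34`, while the `800-53r4` list directly below it also maps `- SI-7`, and SI-7 is still a rev5 control; if the narrower rev5 mapping is deliberate (a crosswalk decision), a sentence in the commit message would save the next reader from re-checking it, otherwise `- SI-7` should be added under the new key. The same rev5-narrower-than-rev4 shape appears in several later hunks, for example sysprefs_diagnostics_reports_disable.yaml and sysprefs_internet_sharing_disable.yaml (AC-20 present only under rev4) and sysprefs_screen_sharing_disable.yaml (AC-17 present only under rev4). Raising it once here; the other hunks are not annotated separately.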
+++ b/rules/os/os_unlock_active_user_session_disable.yaml
@@ -18,6 +18,9 @@ references:
 - CCE-85395-2
 cci:
 - N/A
+ 800-53r5:
+ - IA-2
+ - IA-2(5)
 800-53r4:
 - IA-2
 - IA-2(5)
diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml
index 27a4f51f..b2b16396 100644
--- a/rules/os/os_uucp_disable.yaml
+++ b/rules/os/os_uucp_disable.yaml
@@ -19,6 +19,8 @@ references:
 - CCE-85397-8
 cci:
 - CCI-000381
+ 800-53r5:
+ - AC-3
 800-53r4:
 - AC-3
 srg:
diff --git a/rules/os/os_verify_remote_disconnection.yaml b/rules/os/os_verify_remote_disconnection.yaml
index cc672036..0f5edc3e 100644
--- a/rules/os/os_verify_remote_disconnection.yaml
+++ b/rules/os/os_verify_remote_disconnection.yaml
@@ -11,6 +11,8 @@ references:
 - CCE-85398-6
 cci:
 - CCI-002891
+ 800-53r5:
+ - MA-4(7)
 800-53r4:
 - MA-4(7)
 disa_stig:
diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
index 82d54f1b..5898f042 100644
--- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
@@ -19,6 +19,8 @@ references:
 - CCE-85405-9
 cci:
 - N/A
+ 800-53r5:
+ - AC-2(2)
 800-53r4:
 - AC-2(2)
 srg:
diff --git a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
index 3c483fc4..0502569f 100644
--- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
@@ -17,6 +17,8 @@ references:
 - CCE-85414-1
 cci:
 - N/A
+ 800-53r5:
+ - AC-2(2)
 800-53r4:
 - AC-2(2)
 srg:
diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
index ade2d353..813b977a 100644
--- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
@@ -60,6 +60,8 @@ references:
 cci:
 - CCI-000016
 - CCI-001682
+ 800-53r5:
+ - AC-2(2)
 800-53r4:
 - AC-2(2)
 srg:
diff --git a/rules/sysprefs/sysprefs_afp_disable.yaml b/rules/sysprefs/sysprefs_afp_disable.yaml
index 57c913f7..ad989c31 100644
--- a/rules/sysprefs/sysprefs_afp_disable.yaml
+++ b/rules/sysprefs/sysprefs_afp_disable.yaml
@@ -19,6 +19,8 @@ references:
 - CCE-85416-6
 cci:
 - CCI-000381
+ 800-53r5:
+ - AC-3
 800-53r4:
 - AC-3
 srg:
diff --git a/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/rules/sysprefs/sysprefs_automatic_login_disable.yaml
index 5ef40608..ce16e6ba 100644
--- a/rules/sysprefs/sysprefs_automatic_login_disable.yaml
+++ b/rules/sysprefs/sysprefs_automatic_login_disable.yaml
@@ -15,6 +15,9 @@ references:
 - CCE-85419-0
 cci:
 - CCI-000366
+ 800-53r5:
+ - IA-2
+ - IA-5(13)
 800-53r4:
 - IA-2
 - IA-5(13)
diff --git a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
index 5a93e657..890a2017 100644
--- a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
+++ b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
@@ -18,6 +18,8 @@ references:
 - CCE-85424-0
 cci:
 - CCI-002361
+ 800-53r5:
+ - AC-12
 800-53r4:
 - AC-12
 disa_stig:
diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml
index a1e908e7..33fd0454 100644
--- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml
+++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml
@@ -18,6 +18,9 @@ references:
 - CCE-85420-8
 cci:
 - CCI-002418
+ 800-53r5:
+ - AC-18(3)
+ - SC-8
 800-53r4:
 - AC-18(3)
 - SC-8
diff --git a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml
index 1047d9bb..9ba4440f 100644
--- a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml
+++ b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml
@@ -27,6 +27,9 @@ references:
 - CCE-85421-6
 cci:
 - N/A
+ 800-53r5:
+ - AC-3
+ - AC-18(4)
 800-53r4:
 - AC-3
 - AC-18
diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
index c52698da..ca4d548e 100644
--- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
+++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
@@ -15,6 +15,8 @@ references:
 - CCE-85423-2
 cci:
 - CCI-000382
+ 800-53r5:
+ - SI-11
 800-53r4:
 - AC-20
 - SI-11
diff --git a/rules/sysprefs/sysprefs_filevault_enforce.yaml b/rules/sysprefs/sysprefs_filevault_enforce.yaml
index 5e310924..95bfea20 100644
--- a/rules/sysprefs/sysprefs_filevault_enforce.yaml
+++ b/rules/sysprefs/sysprefs_filevault_enforce.yaml
@@ -17,6 +17,8 @@ references:
 - CCI-001199
 - CCI-002475
 - CCI-002476
+ 800-53r5:
+ - SC-28
 800-53r4:
 - SC-28
 - SC-28(1)
diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml
index 31fee32e..a3d07b96 100644
--- a/rules/sysprefs/sysprefs_firewall_enable.yaml
+++ b/rules/sysprefs/sysprefs_firewall_enable.yaml
@@ -18,6 +18,9 @@ references:
 - CCE-85427-3
 cci:
 - CCI-000366
+ 800-53r5:
+ - AC-4
+ - SC-7(12)
 800-53r4:
 - AC-4
 - AC-6(1)
diff --git a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml
index 4be5a3bc..cb4c26d4 100644
--- a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml
+++ b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml
@@ -18,6 +18,10 @@ references:
 - CCE-85429-9
 cci:
 - CCI-000366
+ 800-53r5:
+ - CM-14
+ - CM-5
+ - SI-7(15)
 800-53r4:
 - CM-5(3)
 - CM-5
diff --git a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml
index cb8f5515..a87d271c 100644
--- a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml
+++ b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml
@@ -21,6 +21,9 @@ references:
 - CCE-85430-7
 cci:
 - CCI-000366
+ 800-53r5:
+ - CM-5
+ - SI-7(15)
 800-53r4:
 - CM-5
 - SI-7(15)
diff --git a/rules/sysprefs/sysprefs_hot_corners_disable.yaml b/rules/sysprefs/sysprefs_hot_corners_disable.yaml
index 04d49bc8..6490a1ef 100644
--- a/rules/sysprefs/sysprefs_hot_corners_disable.yaml
+++ b/rules/sysprefs/sysprefs_hot_corners_disable.yaml
@@ -15,6 +15,8 @@ references:
 - CCE-85431-5
 cci:
 - CCI-000060*
+ 800-53r5:
+ - AC-11(1)
 800-53r4:
 - AC-11(1)
 srg:
diff --git a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
index 27469bf4..f33904dc 100644
--- a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
+++ b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
@@ -15,6 +15,8 @@ references:
 - CCE-85433-1
 cci:
 - CCI-000381
+ 800-53r5:
+ - AC-4
 800-53r4:
 - AC-4
 - AC-20
diff --git a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml
index d984852b..63ba1961 100644
--- a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml
+++ b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml
@@ -15,6 +15,8 @@ references:
 - CCE-85435-6
 cci:
 - N/A
+ 800-53r5:
+ - IA-2
 800-53r4:
 - IA-2
 srg:
diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
index f6744458..d220d922 100644
--- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
+++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
@@ -17,6 +17,8 @@ fix: |
 references:
 cce:
 - CCE-85436-4
+ 800-53r5:
+ - AC-3
 800-53r4:
 - AC-3
 srg:
diff --git a/rules/sysprefs/sysprefs_password_hints_disable.yaml b/rules/sysprefs/sysprefs_password_hints_disable.yaml
index af4d7969..3582a0d4 100644
--- a/rules/sysprefs/sysprefs_password_hints_disable.yaml
+++ b/rules/sysprefs/sysprefs_password_hints_disable.yaml
@@ -15,6 +15,8 @@ references:
 - CCE-85437-2
 cci:
 - CCI-000366
+ 800-53r5:
+ - IA-6
 800-53r4:
 - IA-6
 srg:
diff --git a/rules/sysprefs/sysprefs_rae_disable.yaml b/rules/sysprefs/sysprefs_rae_disable.yaml
index 9f5dbf4b..626ba726 100644
--- a/rules/sysprefs/sysprefs_rae_disable.yaml
+++ b/rules/sysprefs/sysprefs_rae_disable.yaml
@@ -20,6 +20,8 @@ references:
 - CCE-85440-6
 cci:
 - CCI-000382
+ 800-53r5:
+ - AC-3
 800-53r4:
 - AC-3
 srg:
diff --git a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml
index 1fa797d1..657d4181 100644
--- a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml
+++ b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml
@@ -19,6 +19,8 @@ references:
 - CCE-85441-4
 cci:
 - CCI-000366
+ 800-53r5:
+ - AC-3
 800-53r4:
 - AC-3
 - AC-17
diff --git a/rules/sysprefs/sysprefs_smbd_disable.yaml b/rules/sysprefs/sysprefs_smbd_disable.yaml
index e468b930..6368f765 100644
--- a/rules/sysprefs/sysprefs_smbd_disable.yaml
+++ b/rules/sysprefs/sysprefs_smbd_disable.yaml
@@ -19,6 +19,8 @@ references:
 - CCE-85446-3
 cci:
 - CCI-000381
+ 800-53r5:
+ - AC-3
 800-53r4:
 - AC-3
 srg:
diff --git a/rules/sysprefs/sysprefs_ssh_disable.yaml b/rules/sysprefs/sysprefs_ssh_disable.yaml
index 80b9f859..798dac11 100644
--- a/rules/sysprefs/sysprefs_ssh_disable.yaml
+++ b/rules/sysprefs/sysprefs_ssh_disable.yaml
@@ -18,6 +18,9 @@ references:
 - CCE-85447-1
 cci:
 - N/A
+ 800-53r5:
+ - IA-2(8)
+ - AC-3
 800-53r4:
 - AC-3
 - CM-7
diff --git a/rules/sysprefs/sysprefs_time_server_configure.yaml b/rules/sysprefs/sysprefs_time_server_configure.yaml
index 423e7be2..6b4d2fbf 100644
--- a/rules/sysprefs/sysprefs_time_server_configure.yaml
+++ b/rules/sysprefs/sysprefs_time_server_configure.yaml
@@ -16,6 +16,8 @@ references:
 cci:
 - CCI-001891
 - CCI-002046
+ 800-53r5:
+ - SC-45(1)
 800-53r4:
 - AU-8(1)
 srg:
diff --git a/rules/sysprefs/sysprefs_time_server_enforce.yaml b/rules/sysprefs/sysprefs_time_server_enforce.yaml
index e723a7f1..76f7ab00 100644
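Review bot: In the sysprefs_ssh_disable.yaml hunk the new list is written as `- IA-2(8)` followed by `- AC-3`, whereas every other `800-53r5` list in this patch, and the `800-53r4` list immediately below it, is in control-family order with AC before IA; swapping the two lines keeps the convention and lets the rev4 and rev5 lists be compared line by line. This is purely how the list is written, not what it maps.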
--- a/rules/sysprefs/sysprefs_time_server_enforce.yaml
+++ b/rules/sysprefs/sysprefs_time_server_enforce.yaml
@@ -16,6 +16,8 @@ references:
 cci:
 - CCI-001891
 - CCI-002046
+ 800-53r5:
+ - SC-45(1)
 800-53r4:
 - AU-8(1)
 srg:
diff --git a/rules/sysprefs/sysprefs_wifi_disable.yaml b/rules/sysprefs/sysprefs_wifi_disable.yaml
index 1842389a..468957c3 100644
--- a/rules/sysprefs/sysprefs_wifi_disable.yaml
+++ b/rules/sysprefs/sysprefs_wifi_disable.yaml
@@ -17,6 +17,10 @@ references:
 - N/A
 cci:
 - N/A
+ 800-53r5:
+ - AC-4
+ - AC-18(1)
+ - AC-18(3)
 800-53r4:
 - AC-4
 - AC-18(1)
diff --git a/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml b/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml
index f7b063ba..a8fc516a 100644
--- a/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml
+++ b/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml
@@ -15,6 +15,10 @@ references:
 - CCE-85452-1
 cci:
 - N/A
+ 800-53r5:
+ - AC-4
+ - AC-18(1)
+ - AC-18(3)
 800-53r4:
 - AC-4
 - AC-18(1)
From ef5597ed2319dc05a0298502d8d3ba6a6f8cdd5e Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Thu, 11 Mar 2021 10:07:37 -0500
Subject: [PATCH 002/135] rev5 baseline tags added and rev4 re-organized
---
 rules/audit/audit_acls_files_configure.yaml | 6 ++++-- rules/audit/audit_auditd_enabled.yaml | 7 +++++-- rules/audit/audit_configure_capacity_notify.yaml | 1 + rules/audit/audit_flags_aa_configure.yaml | 7 +++++-- rules/audit/audit_flags_ad_configure.yaml | 7 +++++-- rules/audit/audit_flags_ex_configure.yaml | 7 +++++-- rules/audit/audit_flags_fd_configure.yaml | 3 +++ rules/audit/audit_flags_fm_configure.yaml | 7 +++++-- rules/audit/audit_flags_fr_configure.yaml | 7 +++++-- rules/audit/audit_flags_fw_configure.yaml | 7 +++++-- rules/audit/audit_flags_lo_configure.yaml | 7 +++++-- rules/audit/audit_retention_configure.yaml | 6 +++++- rules/audit/audit_settings_failure_notify.yaml | 3 ++- rules/auth/auth_pam_login_smartcard_enforce.yaml | 7 +++++-- rules/auth/auth_pam_su_smartcard_enforce.yaml | 7 +++++-- rules/auth/auth_pam_sudo_smartcard_enforce.yaml | 7 +++++-- rules/auth/auth_smartcard_allow.yaml | 5 ++++- .../auth_smartcard_certificate_trust_enforce_high.yaml | 3 +++ .../auth_smartcard_certificate_trust_enforce_moderate.yaml | 5 ++++- rules/auth/auth_smartcard_enforce.yaml | 7 +++++-- rules/auth/auth_ssh_smartcard_enforce.yaml | 3 +++ rules/os/os_airdrop_disable.yaml | 7 +++++-- rules/os/os_anti_virus_installed.yaml | 3 +++ rules/os/os_auth_peripherals.yaml | 4 +++- rules/os/os_authenticated_root_enable.yaml | 7 +++++-- rules/os/os_crypto_audit.yaml | 1 + rules/os/os_filevault_autologin_disable.yaml | 7 +++++-- rules/os/os_firewall_default_deny_require.yaml | 6 ++++-- rules/os/os_firewall_log_enable.yaml | 7 +++++-- rules/os/os_firmware_password_require.yaml | 6 ++++-- rules/os/os_gatekeeper_enable.yaml | 7 +++++-- rules/os/os_gatekeeper_rearm.yaml | 7 +++++-- rules/os/os_handoff_disable.yaml | 7 +++++-- rules/os/os_home_folders_secure.yaml | 6 ++++-- rules/os/os_httpd_disable.yaml | 7 +++++-- 
rules/os/os_identify_non-org_users.yaml | 5 ++++- rules/os/os_implement_memory_protection.yaml | 4 +++- rules/os/os_internet_accounts_prefpane_disable.yaml | 6 ++++-- rules/os/os_isolate_security_functions.yaml | 1 + rules/os/os_limit_gui_sessions.yaml | 1 + rules/os/os_logical_access.yaml | 7 +++++-- rules/os/os_nfsd_disable.yaml | 7 +++++-- rules/os/os_nonlocal_maintenance.yaml | 7 +++++-- rules/os/os_obscure_password.yaml | 7 +++++-- rules/os/os_policy_banner_loginwindow_enforce.yaml | 7 +++++-- rules/os/os_policy_banner_ssh_configure.yaml | 3 +++ rules/os/os_policy_banner_ssh_enforce.yaml | 3 +++ rules/os/os_prevent_unauthorized_disclosure.yaml | 6 ++++-- rules/os/os_removable_media_disable.yaml | 7 +++++-- rules/os/os_required_crypto_module.yaml | 5 ++++- rules/os/os_root_disable.yaml | 7 +++++-- rules/os/os_screensaver_loginwindow_enforce.yaml | 6 ++++-- rules/os/os_secure_name_resolution.yaml | 5 ++++- rules/os/os_separate_functionality.yaml | 6 ++++-- rules/os/os_sip_enable.yaml | 7 +++++-- rules/os/os_ssh_fips_140_ciphers.yaml | 7 +++++-- rules/os/os_ssh_fips_140_macs.yaml | 7 +++++-- rules/os/os_ssh_server_alive_count_max_configure.yaml | 6 ++++-- rules/os/os_ssh_server_alive_interval_configure.yaml | 6 ++++-- rules/os/os_sshd_client_alive_count_max_configure.yaml | 2 ++ rules/os/os_sshd_client_alive_interval_configure.yaml | 2 ++ rules/os/os_sshd_fips_140_ciphers.yaml | 3 +++ rules/os/os_sshd_fips_140_macs.yaml | 3 +++ rules/os/os_sshd_key_exchange_algorithm_configure.yaml | 3 +++ rules/os/os_sshd_login_grace_time_configure.yaml | 2 ++ rules/os/os_sshd_permit_root_login_configure.yaml | 1 + rules/os/os_system_log_files_owner_group_configure.yaml | 2 ++ rules/os/os_system_log_files_permissions_configure.yaml | 2 ++ rules/os/os_system_wide_preferences_configure.yaml | 6 ++++-- rules/os/os_tftpd_disable.yaml | 7 +++++-- rules/os/os_unlock_active_user_session_disable.yaml | 7 +++++-- rules/os/os_uucp_disable.yaml | 7 +++++-- 
rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml | 4 +++- rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml | 4 +++- .../pwpolicy_temporary_or_emergency_accounts_disable.yaml | 2 ++ rules/sysprefs/sysprefs_afp_disable.yaml | 7 +++++-- rules/sysprefs/sysprefs_automatic_login_disable.yaml | 7 +++++-- rules/sysprefs/sysprefs_automatic_logout_enforce.yaml | 6 ++++-- rules/sysprefs/sysprefs_bluetooth_disable.yaml | 6 ++++-- rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml | 7 +++++-- rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml | 6 ++++-- rules/sysprefs/sysprefs_filevault_enforce.yaml | 6 ++++-- rules/sysprefs/sysprefs_firewall_enable.yaml | 6 ++++-- .../sysprefs_gatekeeper_identified_developers_allowed.yaml | 7 +++++-- rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml | 7 +++++-- rules/sysprefs/sysprefs_hot_corners_disable.yaml | 6 ++++-- rules/sysprefs/sysprefs_internet_sharing_disable.yaml | 6 ++++-- ...prefs_loginwindow_prompt_username_password_enforce.yaml | 7 +++++-- rules/sysprefs/sysprefs_media_sharing_disabled.yaml | 5 ++++- rules/sysprefs/sysprefs_password_hints_disable.yaml | 7 +++++-- rules/sysprefs/sysprefs_rae_disable.yaml | 7 +++++-- rules/sysprefs/sysprefs_screen_sharing_disable.yaml | 7 +++++-- rules/sysprefs/sysprefs_smbd_disable.yaml | 7 +++++-- rules/sysprefs/sysprefs_ssh_disable.yaml | 7 +++++-- rules/sysprefs/sysprefs_wifi_disable.yaml | 2 ++ .../sysprefs_wifi_disable_when_connected_to_ethernet.yaml | 6 ++++--
 96 files changed, 385 insertions(+), 138 deletions(-)
diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml
index 332fe8cc..e9c4e4a3 100644
--- a/rules/audit/audit_acls_files_configure.yaml
+++ b/rules/audit/audit_acls_files_configure.yaml
@@ -34,11 +34,13 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml
index f50a8d80..b9af3da1 100644
--- a/rules/audit/audit_auditd_enabled.yaml
+++ b/rules/audit/audit_auditd_enabled.yaml
@@ -70,11 +70,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml
index 9044f030..5a89dff8 100644
--- a/rules/audit/audit_configure_capacity_notify.yaml
+++ b/rules/audit/audit_configure_capacity_notify.yaml
@@ -29,6 +29,7 @@ references:
 macOS:
 - "11.0"
 tags:
+ - 800-53r5_high
 - 800-53r4_high
 - stig
 severity: "medium"
diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml
index 999e917a..50f3c46a 100644
--- a/rules/audit/audit_flags_aa_configure.yaml
+++ b/rules/audit/audit_flags_aa_configure.yaml
@@ -39,11 +39,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml
index e1ee65d1..bf9d1689 100644
--- a/rules/audit/audit_flags_ad_configure.yaml
+++ b/rules/audit/audit_flags_ad_configure.yaml
@@ -57,11 +57,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r5_low
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml
index 92efdc1b..4966af47 100644
--- a/rules/audit/audit_flags_ex_configure.yaml
+++ b/rules/audit/audit_flags_ex_configure.yaml
@@ -37,11 +37,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml
index c338c662..c1fee808 100644
--- a/rules/audit/audit_flags_fd_configure.yaml
+++ b/rules/audit/audit_flags_fd_configure.yaml
@@ -49,6 +49,9 @@ references:
 macOS:
 - "11.0"
 tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml
index dd8e25cb..f9bc3461 100644
--- a/rules/audit/audit_flags_fm_configure.yaml
+++ b/rules/audit/audit_flags_fm_configure.yaml
@@ -51,11 +51,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml
index 62ec5ba1..95194103 100644
--- a/rules/audit/audit_flags_fr_configure.yaml
+++ b/rules/audit/audit_flags_fr_configure.yaml
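Review bot: The audit_flags_ad_configure.yaml hunk adds the rev5 tags as `800-53r5_moderate`, `800-53r5_high`, `800-53r5_low`, while every other file in this patch that gets all three writes them low, moderate, high (the order the rev4 tags below already use). Reordering the three added lines to `- 800-53r5_low`, `- 800-53r5_moderate`, `- 800-53r5_high` keeps the tag lists uniform, which matters when the files are diffed or grepped against each other later. No functional change is implied if the baseline tooling only tests tag membership, but that is inferred rather than visible here.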
@@ -51,11 +51,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml
index f4828fad..ccbe181f 100644
--- a/rules/audit/audit_flags_fw_configure.yaml
+++ b/rules/audit/audit_flags_fw_configure.yaml
@@ -50,11 +50,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml
index ee603af4..2aa5b973 100644
--- a/rules/audit/audit_flags_lo_configure.yaml
+++ b/rules/audit/audit_flags_lo_configure.yaml
@@ -40,11 +40,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml
index 9ecf873a..f10a7741 100644
--- a/rules/audit/audit_retention_configure.yaml
+++ b/rules/audit/audit_retention_configure.yaml
@@ -30,10 +30,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - cnssi-1253
+ - 800-53r5_privacy
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml
index aa0bf1ce..ad5e10ab 100644
--- a/rules/audit/audit_settings_failure_notify.yaml
+++ b/rules/audit/audit_settings_failure_notify.yaml
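Review bot: `- 800-53r5_privacy` in the audit_retention_configure.yaml hunk is the only occurrence of that tag value in this patch, and nothing in the visible hunks introduces a matching baseline or tag definition; if the baseline generator or a validator keys on a fixed list of known tags, that value needs to be registered alongside `800-53r5_low`/`_moderate`/`_high`, otherwise the tag is silently ignored. I cannot see the consumer from here, so treat this as a check rather than a confirmed defect. A one-line mention of the new baseline name in the commit message would also help.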
@@ -32,8 +32,9 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
+ - 800-53r5_high
 - 800-53r4_high
+ - 800-171
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml
index 8794f66b..5f83779a 100644
--- a/rules/auth/auth_pam_login_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml
@@ -54,11 +54,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml
index b5facc4c..e15b400d 100644
--- a/rules/auth/auth_pam_su_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml
@@ -49,11 +49,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
index afab41b6..fad73080 100644
--- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
@@ -49,11 +49,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml
index 2f329459..46487092 100644
--- a/rules/auth/auth_smartcard_allow.yaml
+++ b/rules/auth/auth_smartcard_allow.yaml
@@ -31,10 +31,13 @@ references:
 macOS:
 - "11.0"
 tags:
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - cnssi-1253
 mobileconfig: true
 mobileconfig_info:
 com.apple.security.smartcard:
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
index 6787d475..75d5abed 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
@@ -32,6 +32,9 @@ references:
 macOS:
 - "11.0"
 tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_high
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
index 5541dad5..fede4d45 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
@@ -40,8 +40,11 @@ references:
 macOS:
 - "11.0"
 tags:
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_moderate
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: true
diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml
index 585f8ca3..ea077378 100644
--- a/rules/auth/auth_smartcard_enforce.yaml
+++ b/rules/auth/auth_smartcard_enforce.yaml
@@ -52,11 +52,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "high"
 mobileconfig: true
diff --git a/rules/auth/auth_ssh_smartcard_enforce.yaml b/rules/auth/auth_ssh_smartcard_enforce.yaml
index 69f2e545..687e3f6d 100644
--- a/rules/auth/auth_ssh_smartcard_enforce.yaml
+++ b/rules/auth/auth_ssh_smartcard_enforce.yaml
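Review bot: Both auth_smartcard_certificate_trust_enforce_high.yaml and auth_smartcard_certificate_trust_enforce_moderate.yaml receive all three of `800-53r5_low`, `800-53r5_moderate` and `800-53r5_high`, whereas their rev4 tags keep them apart (`800-53r4_high` for the high variant, `800-53r4_moderate` for the moderate variant). The file names suggest these are two alternative settings of the same certificate-trust policy, so if the baseline generator collects every rule carrying a given tag, each rev5 baseline would now pull in both variants and the two rules would contend over one setting. I cannot see the generator from these hunks, so please confirm; if the rev4 split was intentional the rev5 tags should mirror it, e.g. `- 800-53r5_high` only in the high file and `- 800-53r5_low` / `- 800-53r5_moderate` only in the moderate file.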
@@ -51,6 +51,9 @@ references:
 macOS:
 - "11.0"
 tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - none
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml
index 1b444b38..c04d7aa8 100644
--- a/rules/os/os_airdrop_disable.yaml
+++ b/rules/os/os_airdrop_disable.yaml
@@ -35,11 +35,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: true
diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml
index e9c73d52..1d18cd15 100644
--- a/rules/os/os_anti_virus_installed.yaml
+++ b/rules/os/os_anti_virus_installed.yaml
@@ -25,6 +25,9 @@ references:
 macOS:
 - "11.0"
 tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - manual
 - stig
 severity: "high"
diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml
index 2b85bcd0..6a18b1e6 100644
--- a/rules/os/os_auth_peripherals.yaml
+++ b/rules/os/os_auth_peripherals.yaml
@@ -25,9 +25,11 @@ references:
 macOS:
 - "11.0"
 tags:
- - cnssi-1253
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_moderate
 - 800-53r4_high
+ - cnssi-1253
 - permanent
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml
index 5e3825b3..e601dd6d 100644
--- a/rules/os/os_authenticated_root_enable.yaml
+++ b/rules/os/os_authenticated_root_enable.yaml
@@ -41,11 +41,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/os/os_crypto_audit.yaml b/rules/os/os_crypto_audit.yaml
index 589d1e1e..02b21fd8 100644
--- a/rules/os/os_crypto_audit.yaml
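Review bot: In the auth_ssh_smartcard_enforce.yaml hunk the three new rev5 baseline tags are inserted above the pre-existing `- none` entry, which is left in place; elsewhere in this patch `none` does not coexist with baseline tags, so the rule now both claims membership in three baselines and carries the marker that presumably means "in no baseline". If `none` is a sentinel the tooling tests for, it should be removed in the same hunk (`- - none`); if it is merely historical, dropping it here avoids the contradiction for the next reader. Which of the two applies is not visible from the hunk.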
+++ b/rules/os/os_crypto_audit.yaml
@@ -28,6 +28,7 @@ references:
 macOS:
 - "11.0"
 tags:
+ - 800-53r5_high
 - 800-53r4_high
 - inherent
 mobileconfig: false
diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml
index 676ec9fe..67016774 100644
--- a/rules/os/os_filevault_autologin_disable.yaml
+++ b/rules/os/os_filevault_autologin_disable.yaml
@@ -32,11 +32,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: true
diff --git a/rules/os/os_firewall_default_deny_require.yaml b/rules/os/os_firewall_default_deny_require.yaml
index 27deb54c..564d5011 100644
--- a/rules/os/os_firewall_default_deny_require.yaml
+++ b/rules/os/os_firewall_default_deny_require.yaml
@@ -40,10 +40,12 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml
index 96d0eb80..28fd6547 100644
--- a/rules/os/os_firewall_log_enable.yaml
+++ b/rules/os/os_firewall_log_enable.yaml
@@ -38,10 +38,13 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml
index ee2600fe..58ff33da 100644
--- a/rules/os/os_firmware_password_require.yaml
+++ b/rules/os/os_firmware_password_require.yaml
@@ -38,10 +38,12 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml
index 1d8c4bdc..909850ea 100644
--- a/rules/os/os_gatekeeper_enable.yaml
+++ b/rules/os/os_gatekeeper_enable.yaml
@@ -38,10 +38,13 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "high"
 mobileconfig: true
diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml
index 644f0543..b51af00c 100644
--- a/rules/os/os_gatekeeper_rearm.yaml
+++ b/rules/os/os_gatekeeper_rearm.yaml
@@ -27,10 +27,13 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 mobileconfig: true
 mobileconfig_info:
 com.apple.ManagedClient.preferences:
diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml
index 9fe9df61..6066922e 100644
--- a/rules/os/os_handoff_disable.yaml
+++ b/rules/os/os_handoff_disable.yaml
@@ -33,11 +33,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 mobileconfig: true
 mobileconfig_info:
 com.apple.applicationaccess:
diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml
index 5326f55c..47771080 100644
--- a/rules/os/os_home_folders_secure.yaml
+++ b/rules/os/os_home_folders_secure.yaml
@@ -36,10 +36,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml index 6feb792c..3e5e4e10 100644 --- a/rules/os/os_httpd_disable.yaml +++ b/rules/os/os_httpd_disable.yaml @@ -30,11 +30,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_identify_non-org_users.yaml b/rules/os/os_identify_non-org_users.yaml index 10f158f9..29df7ade 100644 --- a/rules/os/os_identify_non-org_users.yaml +++ b/rules/os/os_identify_non-org_users.yaml @@ -22,10 +22,13 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 - n_a mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml index 60080e5e..6d88652b 100644 --- a/rules/os/os_implement_memory_protection.yaml +++ b/rules/os/os_implement_memory_protection.yaml @@ -34,9 +34,11 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_internet_accounts_prefpane_disable.yaml b/rules/os/os_internet_accounts_prefpane_disable.yaml index a1035d22..08d79cb8 100644 --- a/rules/os/os_internet_accounts_prefpane_disable.yaml +++ b/rules/os/os_internet_accounts_prefpane_disable.yaml 
@@ -34,11 +34,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/os/os_isolate_security_functions.yaml b/rules/os/os_isolate_security_functions.yaml index 37b28a89..ea3b5906 100644 --- a/rules/os/os_isolate_security_functions.yaml +++ b/rules/os/os_isolate_security_functions.yaml @@ -24,6 +24,7 @@ references: macOS: - "11.0" tags: + - 800-53r5_high - 800-53r4_high - inherent mobileconfig: false diff --git a/rules/os/os_limit_gui_sessions.yaml b/rules/os/os_limit_gui_sessions.yaml index c7ffec86..a51b3af2 100644 --- a/rules/os/os_limit_gui_sessions.yaml +++ b/rules/os/os_limit_gui_sessions.yaml @@ -24,6 +24,7 @@ references: macOS: - "11.0" tags: + - 800-53r5_high - 800-53r4_high - inherent mobileconfig: false diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml index 682bdd18..5c07b489 100644 --- a/rules/os/os_logical_access.yaml +++ b/rules/os/os_logical_access.yaml @@ -29,11 +29,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml index d6795d49..36e95268 100644 --- a/rules/os/os_nfsd_disable.yaml +++ b/rules/os/os_nfsd_disable.yaml @@ -31,11 +31,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_nonlocal_maintenance.yaml b/rules/os/os_nonlocal_maintenance.yaml index 3f946975..7872e85e 100644 --- a/rules/os/os_nonlocal_maintenance.yaml 
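Review bot: os_internet_accounts_prefpane_disable gains `800-53r5_moderate` and `800-53r5_high` but no `800-53r5_low`, even though the context lines keep `800-53r4_low`, so this rule's rev5 baseline membership differs from its rev4 membership. The same pattern occurs in sysprefs_diagnostics_reports_disable, sysprefs_firewall_enable and sysprefs_internet_sharing_disable. If these reflect controls that left the rev5 low baseline, a sentence in the commit message would let a reader distinguish an intentional drop from an omitted tag, because the hunks alone cannot. If it is an omission, the fix is adding `- 800-53r5_low` ahead of `- 800-53r5_moderate` in each of those four hunks.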
+++ b/rules/os/os_nonlocal_maintenance.yaml @@ -24,11 +24,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - n_a mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml index 70cf327a..4cf1aac5 100644 --- a/rules/os/os_obscure_password.yaml +++ b/rules/os/os_obscure_password.yaml @@ -31,11 +31,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml index 583fcf74..c9b8cbd6 100644 --- a/rules/os/os_policy_banner_loginwindow_enforce.yaml +++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml @@ -50,11 +50,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml index 2c3edece..47755623 100644 --- a/rules/os/os_policy_banner_ssh_configure.yaml +++ b/rules/os/os_policy_banner_ssh_configure.yaml @@ -35,6 +35,9 @@ references: macOS: - "11.0" tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml index 518bdb36..89c6d57b 100644 --- a/rules/os/os_policy_banner_ssh_enforce.yaml +++ b/rules/os/os_policy_banner_ssh_enforce.yaml 
@@ -36,6 +36,9 @@ references: macOS: - "11.0" tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_prevent_unauthorized_disclosure.yaml b/rules/os/os_prevent_unauthorized_disclosure.yaml index 4506543c..f8fc6b44 100644 --- a/rules/os/os_prevent_unauthorized_disclosure.yaml +++ b/rules/os/os_prevent_unauthorized_disclosure.yaml @@ -28,10 +28,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml index e6ce3663..2f46d632 100644 --- a/rules/os/os_removable_media_disable.yaml +++ b/rules/os/os_removable_media_disable.yaml @@ -33,10 +33,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.systemuiserver: diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml index cc99148d..fe0a01cb 100644 --- a/rules/os/os_required_crypto_module.yaml +++ b/rules/os/os_required_crypto_module.yaml @@ -30,10 +30,13 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml index d28fa406..f7f7fdd5 100644 --- a/rules/os/os_root_disable.yaml +++ b/rules/os/os_root_disable.yaml 
@@ -30,10 +30,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml index 409206ae..2cc2aff8 100644 --- a/rules/os/os_screensaver_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_loginwindow_enforce.yaml @@ -26,10 +26,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "low" mobileconfig: true diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml index 516b3e5f..b5995096 100644 --- a/rules/os/os_secure_name_resolution.yaml +++ b/rules/os/os_secure_name_resolution.yaml @@ -28,10 +28,13 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 - permanent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_separate_functionality.yaml b/rules/os/os_separate_functionality.yaml index 6e5a43db..deed7e2e 100644 --- a/rules/os/os_separate_functionality.yaml +++ b/rules/os/os_separate_functionality.yaml @@ -30,10 +30,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index 96685f7d..1e7d3825 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml 
@@ -77,11 +77,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_ssh_fips_140_ciphers.yaml b/rules/os/os_ssh_fips_140_ciphers.yaml index 1d102f39..10da285b 100644 --- a/rules/os/os_ssh_fips_140_ciphers.yaml +++ b/rules/os/os_ssh_fips_140_ciphers.yaml @@ -41,10 +41,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r5_low - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_ssh_fips_140_macs.yaml b/rules/os/os_ssh_fips_140_macs.yaml index c60b8f42..6f63d4b1 100644 --- a/rules/os/os_ssh_fips_140_macs.yaml +++ b/rules/os/os_ssh_fips_140_macs.yaml @@ -50,11 +50,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r5_low - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml index 64f3ca44..3304454d 100644 --- a/rules/os/os_ssh_server_alive_count_max_configure.yaml +++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml @@ -31,10 +31,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml index 918a2511..2c0c1195 100644 --- a/rules/os/os_ssh_server_alive_interval_configure.yaml 
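Review bot: The new tags in the os_ssh_fips_140_ciphers hunk are ordered `800-53r5_moderate`, `800-53r5_high`, `800-53r5_low`, while every other hunk in this commit lists them as low, moderate, high. The same out-of-order triple appears in os_ssh_fips_140_macs, os_sshd_fips_140_ciphers, os_sshd_fips_140_macs and os_sshd_key_exchange_algorithm_configure. Tag order does not change which baselines a rule belongs to, but it reads as though `_low` was appended in a later pass, so I would move `- 800-53r5_low` to the top of the three added lines in each of those five hunks.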
+++ b/rules/os/os_ssh_server_alive_interval_configure.yaml @@ -33,10 +33,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml index fff86444..e2169cdc 100644 --- a/rules/os/os_sshd_client_alive_count_max_configure.yaml +++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml @@ -31,6 +31,8 @@ references: macOS: - "11.0" tags: + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml index 4f600e9a..3147cdae 100644 --- a/rules/os/os_sshd_client_alive_interval_configure.yaml +++ b/rules/os/os_sshd_client_alive_interval_configure.yaml @@ -33,6 +33,8 @@ references: macOS: - "11.0" tags: + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml index 56a7ba3b..9f615032 100644 --- a/rules/os/os_sshd_fips_140_ciphers.yaml +++ b/rules/os/os_sshd_fips_140_ciphers.yaml @@ -46,6 +46,9 @@ references: macOS: - "11.0" tags: + - 800-53r5_moderate + - 800-53r5_high + - 800-53r5_low - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml index a45f4ba1..b4e2da5b 100644 --- a/rules/os/os_sshd_fips_140_macs.yaml +++ b/rules/os/os_sshd_fips_140_macs.yaml @@ -46,6 +46,9 @@ references: macOS: - "11.0" tags: + - 800-53r5_moderate + - 800-53r5_high + - 800-53r5_low - stig severity: "medium" mobileconfig: false 
diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml index 4d568ac4..3b2e087c 100644 --- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml +++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml @@ -49,6 +49,9 @@ references: macOS: - "11.0" tags: + - 800-53r5_moderate + - 800-53r5_high + - 800-53r5_low - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml index f8abc27d..42da63b2 100644 --- a/rules/os/os_sshd_login_grace_time_configure.yaml +++ b/rules/os/os_sshd_login_grace_time_configure.yaml @@ -31,6 +31,8 @@ references: macOS: - "11.0" tags: + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml index 6a15da41..03d43dce 100644 --- a/rules/os/os_sshd_permit_root_login_configure.yaml +++ b/rules/os/os_sshd_permit_root_login_configure.yaml @@ -32,6 +32,7 @@ references: macOS: - "11.0" tags: + - 800-53r5_high - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_system_log_files_owner_group_configure.yaml b/rules/os/os_system_log_files_owner_group_configure.yaml index 5c23c73b..57b33323 100644 --- a/rules/os/os_system_log_files_owner_group_configure.yaml +++ b/rules/os/os_system_log_files_owner_group_configure.yaml @@ -41,6 +41,8 @@ references: macOS: - "11.0" tags: + - 800-53r5_moderate + - 800-53r5_high - manual - stig severity: "medium" diff --git a/rules/os/os_system_log_files_permissions_configure.yaml b/rules/os/os_system_log_files_permissions_configure.yaml index 8cdcd128..f39e4a71 100644 --- a/rules/os/os_system_log_files_permissions_configure.yaml +++ b/rules/os/os_system_log_files_permissions_configure.yaml 
@@ -36,6 +36,8 @@ references: macOS: - "11.0" tags: + - 800-53r5_moderate + - 800-53r5_high - manual - stig severity: "medium" diff --git a/rules/os/os_system_wide_preferences_configure.yaml b/rules/os/os_system_wide_preferences_configure.yaml index 0eac31c3..81a32c6d 100644 --- a/rules/os/os_system_wide_preferences_configure.yaml +++ b/rules/os/os_system_wide_preferences_configure.yaml @@ -37,10 +37,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index a6d8fcfd..92c603ff 100644 --- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml @@ -34,11 +34,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "high" mobileconfig: false diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml index c8fc807f..6f75ecb9 100644 --- a/rules/os/os_unlock_active_user_session_disable.yaml +++ b/rules/os/os_unlock_active_user_session_disable.yaml @@ -36,10 +36,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml index b2b16396..0e1dcc29 100644 --- a/rules/os/os_uucp_disable.yaml +++ b/rules/os/os_uucp_disable.yaml 
@@ -33,11 +33,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml index 5898f042..33278ea4 100644 --- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml @@ -30,9 +30,11 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml index 0502569f..6d4e2182 100644 --- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml @@ -28,9 +28,11 @@ references: macOS: - "11.0" tags: - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cnssi-1253 - inherent mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml index 813b977a..1ccc19e5 100644 --- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml @@ -72,6 +72,8 @@ references: macOS: - "11.0" tags: + - 800-53r5_moderate + - 800-53r5_high - manual - stig severity: "medium" diff --git a/rules/sysprefs/sysprefs_afp_disable.yaml b/rules/sysprefs/sysprefs_afp_disable.yaml index ad989c31..2f55e365 100644 --- a/rules/sysprefs/sysprefs_afp_disable.yaml +++ b/rules/sysprefs/sysprefs_afp_disable.yaml 
@@ -33,11 +33,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/rules/sysprefs/sysprefs_automatic_login_disable.yaml index ce16e6ba..db0a07e5 100644 --- a/rules/sysprefs/sysprefs_automatic_login_disable.yaml +++ b/rules/sysprefs/sysprefs_automatic_login_disable.yaml @@ -31,11 +31,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml index 890a2017..283f3460 100644 --- a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml +++ b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml @@ -31,10 +31,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml index 33fd0454..b6fd6d09 100644 --- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml @@ -33,10 +33,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "low" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml index 9ba4440f..4ddb33c0 100644 
--- a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml @@ -47,11 +47,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: false mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml index ca4d548e..028b2ecc 100644 --- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml +++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml @@ -29,11 +29,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_filevault_enforce.yaml b/rules/sysprefs/sysprefs_filevault_enforce.yaml index 95bfea20..9a27778f 100644 --- a/rules/sysprefs/sysprefs_filevault_enforce.yaml +++ b/rules/sysprefs/sysprefs_filevault_enforce.yaml @@ -33,10 +33,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml index a3d07b96..3f25216f 100644 --- a/rules/sysprefs/sysprefs_firewall_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_enable.yaml @@ -43,11 +43,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false 
diff --git a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml index cb4c26d4..2713ad8d 100644 --- a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml +++ b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml @@ -35,10 +35,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml index a87d271c..7d414478 100644 --- a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml +++ b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml @@ -36,10 +36,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_hot_corners_disable.yaml b/rules/sysprefs/sysprefs_hot_corners_disable.yaml index 6490a1ef..0279175c 100644 --- a/rules/sysprefs/sysprefs_hot_corners_disable.yaml +++ b/rules/sysprefs/sysprefs_hot_corners_disable.yaml @@ -28,10 +28,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml index f33904dc..582d7c66 100644 --- a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml 
@@ -30,11 +30,13 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml index 63ba1961..d873e232 100644 --- a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml +++ b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml @@ -29,11 +29,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 mobileconfig: true mobileconfig_info: com.apple.loginwindow: diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml index d220d922..8aa27510 100644 --- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml +++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml @@ -33,10 +33,13 @@ references: macOS: - "11.0" tags: - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 mobileconfig: true mobileconfig_info: com.apple.preferences.sharing.SharingPrefsExtension: diff --git a/rules/sysprefs/sysprefs_password_hints_disable.yaml b/rules/sysprefs/sysprefs_password_hints_disable.yaml index 3582a0d4..24e1528d 100644 --- a/rules/sysprefs/sysprefs_password_hints_disable.yaml +++ b/rules/sysprefs/sysprefs_password_hints_disable.yaml @@ -28,11 +28,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: true 
diff --git a/rules/sysprefs/sysprefs_rae_disable.yaml b/rules/sysprefs/sysprefs_rae_disable.yaml index 626ba726..40c5ad2b 100644 --- a/rules/sysprefs/sysprefs_rae_disable.yaml +++ b/rules/sysprefs/sysprefs_rae_disable.yaml @@ -34,11 +34,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml index 657d4181..dd06833f 100644 --- a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml @@ -34,11 +34,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_smbd_disable.yaml b/rules/sysprefs/sysprefs_smbd_disable.yaml index 6368f765..0852d446 100644 --- a/rules/sysprefs/sysprefs_smbd_disable.yaml +++ b/rules/sysprefs/sysprefs_smbd_disable.yaml @@ -33,11 +33,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_ssh_disable.yaml b/rules/sysprefs/sysprefs_ssh_disable.yaml index 798dac11..1ab0ed3d 100644 --- a/rules/sysprefs/sysprefs_ssh_disable.yaml +++ b/rules/sysprefs/sysprefs_ssh_disable.yaml @@ -47,11 +47,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false 
diff --git a/rules/sysprefs/sysprefs_wifi_disable.yaml b/rules/sysprefs/sysprefs_wifi_disable.yaml index 468957c3..ef32c206 100644 --- a/rules/sysprefs/sysprefs_wifi_disable.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable.yaml @@ -36,6 +36,8 @@ references: macOS: - "11.0" tags: + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml b/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml index a8fc516a..f27b095a 100644 --- a/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml @@ -33,10 +33,12 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - permanent mobileconfig: false mobileconfig_info: \ No newline at end of file From 575a0a18c765e019f193603898ae16fd51ec773b Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Fri, 12 Mar 2021 16:11:57 -0500 Subject: [PATCH 003/135] Rev5 updates to controls --- rules/audit/audit_acls_files_configure.yaml | 1 + rules/audit/audit_acls_folders_configure.yaml | 2 ++ rules/audit/audit_failure_halt.yaml | 2 ++ rules/audit/audit_files_group_configure.yaml | 2 ++ rules/audit/audit_files_mode_configure.yaml | 2 ++ rules/audit/audit_files_owner_configure.yaml | 2 ++ rules/audit/audit_flags_aa_configure.yaml | 1 + rules/audit/audit_flags_ad_configure.yaml | 2 ++ rules/audit/audit_flags_ex_configure.yaml | 1 + rules/audit/audit_flags_fd_configure.yaml | 2 ++ rules/audit/audit_flags_fm_configure.yaml | 2 ++ rules/audit/audit_flags_fr_configure.yaml | 2 ++ rules/audit/audit_flags_fw_configure.yaml | 2 ++ rules/audit/audit_flags_lo_configure.yaml | 2 ++ rules/audit/audit_folder_group_configure.yaml | 2 ++ rules/audit/audit_folder_owner_configure.yaml | 2 ++ rules/audit/audit_folders_mode_configure.yaml | 2 ++ rules/audit/audit_retention_configure.yaml | 1 + rules/audit/audit_settings_failure_notify.yaml | 1 + rules/icloud/icloud_addressbook_disable.yaml | 3 +++ rules/icloud/icloud_appleid_prefpane_disable.yaml | 3 +++ rules/icloud/icloud_bookmarks_disable.yaml | 3 +++ rules/icloud/icloud_calendar_disable.yaml | 3 +++ rules/icloud/icloud_drive_disable.yaml | 3 +++ rules/icloud/icloud_keychain_disable.yaml | 3 +++ rules/icloud/icloud_mail_disable.yaml | 3 +++ rules/icloud/icloud_notes_disable.yaml | 3 +++ rules/icloud/icloud_photos_disable.yaml | 3 +++ rules/icloud/icloud_reminders_disable.yaml | 3 +++ rules/icloud/icloud_sync_disable.yaml | 3 +++ rules/os/os_airdrop_disable.yaml | 1 + rules/os/os_appleid_prompt_disable.yaml | 2 ++ rules/os/os_calendar_app_disable.yaml | 2 ++ rules/os/os_facetime_app_disable.yaml | 2 ++ rules/os/os_firewall_default_deny_require.yaml | 1 - rules/os/os_handoff_disable.yaml | 1 + rules/os/os_icloud_storage_prompt_disable.yaml | 2 ++ rules/os/os_internet_accounts_prefpane_disable.yaml | 1 + 
rules/os/os_ir_support_disable.yaml | 2 ++ rules/os/os_logoff_capability_and_message.yaml | 3 +++ rules/os/os_mail_app_disable.yaml | 2 ++ rules/os/os_messages_app_disable.yaml | 2 ++ rules/os/os_prevent_priv_functions.yaml | 2 ++ rules/os/os_provide_automated_account_management.yaml | 2 ++ rules/os/os_siri_prompt_disable.yaml | 2 ++ rules/os/os_store_encrypted_passwords.yaml | 2 ++ rules/os/os_system_wide_preferences_configure.yaml | 1 + rules/pwpolicy/pwpolicy_50_percent.yaml | 2 ++ rules/pwpolicy/pwpolicy_60_day_enforce.yaml | 2 ++ rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml | 2 ++ rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml | 2 ++ rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml | 2 ++ rules/pwpolicy/pwpolicy_force_password_change.yaml | 2 ++ rules/pwpolicy/pwpolicy_history_enforce.yaml | 2 ++ rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml | 2 ++ rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml | 2 ++ rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml | 2 ++ rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml | 2 ++ rules/pwpolicy/pwpolicy_special_character_enforce.yaml | 2 ++ rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml | 2 ++ rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml | 2 ++ rules/sysprefs/sysprefs_bluetooth_disable.yaml | 1 + rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml | 1 + rules/sysprefs/sysprefs_find_my_disable.yaml | 2 ++ rules/sysprefs/sysprefs_firewall_enable.yaml | 1 + rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml | 2 ++ rules/sysprefs/sysprefs_internet_sharing_disable.yaml | 1 + rules/sysprefs/sysprefs_personalized_advertising_disable.yaml | 2 ++ .../sysprefs_screensaver_ask_for_password_delay_enforce.yaml | 2 ++ rules/sysprefs/sysprefs_screensaver_password_enforce.yaml | 2 ++ rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml | 2 ++ rules/sysprefs/sysprefs_siri_disable.yaml | 2 ++ rules/sysprefs/sysprefs_token_removal_enforce.yaml | 2 ++ 
rules/sysprefs/sysprefs_touchid_unlock_disable.yaml | 2 ++ rules/sysprefs/sysprefs_wifi_disable.yaml | 2 ++ .../sysprefs_wifi_disable_when_connected_to_ethernet.yaml | 2 ++ 76 files changed, 149 insertions(+), 1 deletion(-) diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index e9c4e4a3..be82b34f 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -21,6 +21,7 @@ references: - CCI-001314 800-53r5: - SI-11 + - AU-9 800-53r4: - AU-9 - SI-11 diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml index 03129bf0..67f3c542 100644 --- a/rules/audit/audit_acls_folders_configure.yaml +++ b/rules/audit/audit_acls_folders_configure.yaml @@ -18,6 +18,8 @@ references: - CCE-85252-5 cci: - CCI-000162 + 800-53r5: + - AU-9 800-53r4: - AU-9 srg: diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index 3f48f3c9..071dc428 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml @@ -18,6 +18,8 @@ references: - CCE-85257-4 cci: - CCI-000140 + 800-53r5: + - AU-5 800-53r4: - AU-5 srg: diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml index 7086bd8d..45787d32 100644 --- a/rules/audit/audit_files_group_configure.yaml +++ b/rules/audit/audit_files_group_configure.yaml @@ -20,6 +20,8 @@ references: - CCE-85258-2 cci: - CCI-000162 + 800-53r5: + - AU-9 800-53r4: - AU-9 srg: diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml index af56b699..194a9d60 100644 --- a/rules/audit/audit_files_mode_configure.yaml +++ b/rules/audit/audit_files_mode_configure.yaml @@ -16,6 +16,8 @@ references: - CCE-85259-0 cci: - CCI-000162 + 800-53r5: + - AU-9 800-53r4: - AU-9 srg: 
diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml index 26659c2d..9709bddc 100644 --- a/rules/audit/audit_files_owner_configure.yaml +++ b/rules/audit/audit_files_owner_configure.yaml @@ -20,6 +20,8 @@ references: - CCE-85260-8 cci: - CCI-000162 + 800-53r5: + - AU-9 800-53r4: - AU-9 srg: diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index 50f3c46a..63a1057b 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml @@ -22,6 +22,7 @@ references: - CCI-000172 800-53r5: - AU-12 + - AU-2 800-53r4: - AU-2 - AU-12 diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index bf9d1689..4f6a6a99 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -31,6 +31,8 @@ references: 800-53r5: - AC-6(9) - AU-12 + - AC-2(4) + - AU-2 800-53r4: - AU-2 - AC-2(4) diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index 4966af47..44aa8014 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml @@ -23,6 +23,7 @@ references: - N/A 800-53r5: - AU-12 + - AU-2 800-53r4: - AU-2 - AU-12 diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index c1fee808..eb319c67 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml @@ -25,6 +25,8 @@ references: - CCI-001814 800-53r5: - AU-12 + - AU-2 + - AU-9 800-53r4: - AU-2 - AU-12 diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index f9bc3461..da7bdd3f 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -25,6 +25,8 @@ references: - CCI-001814 800-53r5: - AU-12 + - AU-2 + - AU-9 800-53r4: - AU-2 - AU-12 
diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index 95194103..448a1f2a 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml @@ -25,6 +25,8 @@ references: - CCI-001814 800-53r5: - AU-12 + - AU-2 + - AU-9 800-53r4: - AU-2 - AU-12 diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index ccbe181f..0afc565f 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml @@ -24,6 +24,8 @@ references: - CCI-000162 800-53r5: - AU-12 + - AU-2 + - AU-9 800-53r4: - AU-2 - AU-12 diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index 2aa5b973..8b90d905 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -23,6 +23,8 @@ references: - CCI-000172 800-53r5: - AU-12 + - AC-17(1) + - AU-2 800-53r4: - AU-2 - AC-17(1) diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml index 9f7eddc1..f2c3f08c 100644 --- a/rules/audit/audit_folder_group_configure.yaml +++ b/rules/audit/audit_folder_group_configure.yaml @@ -20,6 +20,8 @@ references: - CCE-85268-1 cci: - CCI-000162 + 800-53r5: + - AU-9 800-53r4: - AU-9 srg: diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml index 7db1de93..06200a94 100644 --- a/rules/audit/audit_folder_owner_configure.yaml +++ b/rules/audit/audit_folder_owner_configure.yaml @@ -20,6 +20,8 @@ references: - CCE-85269-9 cci: - CCI-000162 + 800-53r5: + - AU-9 800-53r4: - AU-9 srg: diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml index 18cbda04..08e103cc 100644 --- a/rules/audit/audit_folders_mode_configure.yaml +++ b/rules/audit/audit_folders_mode_configure.yaml 
@@ -20,6 +20,8 @@ references: - CCI-000162 - CCI-000163 - CCI-000164 + 800-53r5: + - AU-9 800-53r4: - AU-9 srg: diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index f10a7741..223bc60b 100644 --- a/rules/audit/audit_retention_configure.yaml +++ b/rules/audit/audit_retention_configure.yaml @@ -20,6 +20,7 @@ references: - CCI-001849 800-53r5: - AU-11 + - AU-4 800-53r4: - AU-4 - AU-11 diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml index ad5e10ab..5d728786 100644 --- a/rules/audit/audit_settings_failure_notify.yaml +++ b/rules/audit/audit_settings_failure_notify.yaml @@ -20,6 +20,7 @@ references: - CCI-001858 800-53r5: - AU-5(2) + - AU-5 800-53r4: - AU-5 - AU-5(2) diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index 9c0d2efe..d57320d5 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -16,6 +16,9 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_appleid_prefpane_disable.yaml b/rules/icloud/icloud_appleid_prefpane_disable.yaml index af99bc00..0c06e2be 100644 --- a/rules/icloud/icloud_appleid_prefpane_disable.yaml +++ b/rules/icloud/icloud_appleid_prefpane_disable.yaml @@ -15,6 +15,9 @@ references: - CCE-85283-0 cci: - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index 87819382..615b1673 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml @@ -16,6 +16,9 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) 800-53r4: - CM-7 - AC-20 
diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index 25c178de..74f0939c 100644 --- a/rules/icloud/icloud_calendar_disable.yaml +++ b/rules/icloud/icloud_calendar_disable.yaml @@ -16,6 +16,9 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index 4454a9ed..7271b5bc 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -16,6 +16,9 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index 17f5016c..25f5e54a 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml @@ -16,6 +16,9 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index ecdd7a5e..406df51a 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml @@ -16,6 +16,9 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index 908eb428..ad7b944d 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml @@ -16,6 +16,9 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index ca081cda..41d8e14d 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml 
@@ -16,6 +16,9 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index f1d6063f..2792a0c9 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml @@ -16,6 +16,9 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 + - AC-20(1) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index 1dfeb7a1..a17dce01 100644 --- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml @@ -15,6 +15,9 @@ references: - CCE-85292-1 cci: - N/A + 800-53r5: + - AC-20 + - AC-20(1) 800-53r4: - CM-7 - AC-20 diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index c04d7aa8..33a8e4e8 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -17,6 +17,7 @@ references: - CCI-000381 800-53r5: - AC-3 + - AC-20 800-53r4: - CM-7 - AC-3 diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml index c8d35572..79de8d81 100644 --- a/rules/os/os_appleid_prompt_disable.yaml +++ b/rules/os/os_appleid_prompt_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85296-2 cci: - CCI-000381 + 800-53r5: + - AC-20 800-53r4: - AC-20 srg: diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml index 3dd033d9..66a0202e 100644 --- a/rules/os/os_calendar_app_disable.yaml +++ b/rules/os/os_calendar_app_disable.yaml @@ -18,6 +18,8 @@ references: - CCE-85300-2 cci: - CCI-000381 + 800-53r5: + - AC-20 800-53r4: - CM-7 - AC-20 diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml index 87d1cbf4..a8cc3546 100644 --- a/rules/os/os_facetime_app_disable.yaml +++ b/rules/os/os_facetime_app_disable.yaml 
@@ -16,6 +16,8 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 800-53r4: - CM-7 - AC-20 diff --git a/rules/os/os_firewall_default_deny_require.yaml b/rules/os/os_firewall_default_deny_require.yaml index 564d5011..9387a704 100644 --- a/rules/os/os_firewall_default_deny_require.yaml +++ b/rules/os/os_firewall_default_deny_require.yaml @@ -46,6 +46,5 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 - mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml index 6066922e..76978105 100644 --- a/rules/os/os_handoff_disable.yaml +++ b/rules/os/os_handoff_disable.yaml @@ -15,6 +15,7 @@ references: - CCE-85321-8 800-53r5: - AC-3 + - AC-20 800-53r4: - AC-3 - AC-20 diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml index 4df5deb6..868f0f39 100644 --- a/rules/os/os_icloud_storage_prompt_disable.yaml +++ b/rules/os/os_icloud_storage_prompt_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85324-2 cci: - CCI-000381 + 800-53r5: + - AC-20 800-53r4: - AC-20 srg: diff --git a/rules/os/os_internet_accounts_prefpane_disable.yaml b/rules/os/os_internet_accounts_prefpane_disable.yaml index 08d79cb8..3728bb73 100644 --- a/rules/os/os_internet_accounts_prefpane_disable.yaml +++ b/rules/os/os_internet_accounts_prefpane_disable.yaml @@ -21,6 +21,7 @@ references: - CCI-000381 800-53r5: - CM-7(5) + - AC-20 800-53r4: - AC-20 - CM-7(5) diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml index 7afd5b1c..e26e71b4 100644 --- a/rules/os/os_ir_support_disable.yaml +++ b/rules/os/os_ir_support_disable.yaml @@ -17,6 +17,8 @@ references: - CCE-85329-1 cci: - CCI-000366 + 800-53r5: + - AC-18 800-53r4: - CM-7 - AC-18 diff --git a/rules/os/os_logoff_capability_and_message.yaml b/rules/os/os_logoff_capability_and_message.yaml index ccc3300b..1bd1116b 100644 
--- a/rules/os/os_logoff_capability_and_message.yaml +++ b/rules/os/os_logoff_capability_and_message.yaml @@ -14,6 +14,9 @@ references: cci: - CCI-002363 - CCI-002364 + 800-53r5: + - AC-12(1) + - AC-12(2) 800-53r4: - AC-12(1) disa_stig: diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml index 8ee6f7ea..552ba482 100644 --- a/rules/os/os_mail_app_disable.yaml +++ b/rules/os/os_mail_app_disable.yaml @@ -20,6 +20,8 @@ references: - CCE-85336-6 cci: - CCI-000381 + 800-53r5: + - AC-20 800-53r4: - CM-7 - AC-20 diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml index d47261db..0c075af6 100644 --- a/rules/os/os_messages_app_disable.yaml +++ b/rules/os/os_messages_app_disable.yaml @@ -16,6 +16,8 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 800-53r4: - CM-7 - AC-20 diff --git a/rules/os/os_prevent_priv_functions.yaml b/rules/os/os_prevent_priv_functions.yaml index f61d8aa5..ec2ec4e2 100644 --- a/rules/os/os_prevent_priv_functions.yaml +++ b/rules/os/os_prevent_priv_functions.yaml @@ -17,6 +17,8 @@ references: - CCE-85360-6 cci: - CCI-002235 + 800-53r5: + - AC-6(10) 800-53r4: - AC-6(10) disa_stig: diff --git a/rules/os/os_provide_automated_account_management.yaml b/rules/os/os_provide_automated_account_management.yaml index 72444928..7b8f26d6 100644 --- a/rules/os/os_provide_automated_account_management.yaml +++ b/rules/os/os_provide_automated_account_management.yaml @@ -15,6 +15,8 @@ references: - CCE-85364-8 cci: - CCI-000015 + 800-53r5: + - AC-2(1) 800-53r4: - AC-2(1) disa_stig: diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml index a2e4b0f8..6a563d06 100644 --- a/rules/os/os_siri_prompt_disable.yaml +++ b/rules/os/os_siri_prompt_disable.yaml @@ -16,6 +16,8 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 800-53r4: - CM-7 - AC-20 
diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml index 1192dc1c..1d626eb1 100644 --- a/rules/os/os_store_encrypted_passwords.yaml +++ b/rules/os/os_store_encrypted_passwords.yaml @@ -15,6 +15,8 @@ references: - CCE-85386-1 cci: - CCI-000196 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5(1) - IA-5(1)(c) diff --git a/rules/os/os_system_wide_preferences_configure.yaml b/rules/os/os_system_wide_preferences_configure.yaml index 81a32c6d..80e0888e 100644 --- a/rules/os/os_system_wide_preferences_configure.yaml +++ b/rules/os/os_system_wide_preferences_configure.yaml @@ -21,6 +21,7 @@ references: 800-53r5: - AC-6 - AC-6(2) + - AC-6(1) 800-53r4: - AC-6 - AC-6(1) diff --git a/rules/pwpolicy/pwpolicy_50_percent.yaml b/rules/pwpolicy/pwpolicy_50_percent.yaml index cfe5d1cc..6226783c 100644 --- a/rules/pwpolicy/pwpolicy_50_percent.yaml +++ b/rules/pwpolicy/pwpolicy_50_percent.yaml @@ -15,6 +15,8 @@ references: - CCE-85399-4 cci: - CCI-000195 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5 - IA-5(1)(b) diff --git a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml index 1994cbb6..fada8f82 100644 --- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml @@ -15,6 +15,8 @@ references: - CCE-85400-0 cci: - CCI-000199 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5 - IA-5(1) diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml index 4dba6335..000e8553 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml @@ -15,6 +15,8 @@ references: - CCE-85402-6 cci: - CCI-002238 + 800-53r5: + - AC-7 800-53r4: - AC-7 srg: diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml index 40147262..95246460 100644 
--- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml @@ -15,6 +15,8 @@ references: - CCE-85403-4 cci: - CCI-002238 + 800-53r5: + - AC-7 800-53r4: - AC-7 srg: diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml index f43078ea..98ffea37 100644 --- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml @@ -15,6 +15,8 @@ references: - CCE-85404-2 cci: - CCI-000194 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5 - IA-5(1) diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml index b2d8aeeb..9c63e2f2 100644 --- a/rules/pwpolicy/pwpolicy_force_password_change.yaml +++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml @@ -20,6 +20,8 @@ references: - CCE-85406-7 cci: - CCI-002041 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5 - IA-5(1) diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml index 2b494e4c..a75d480e 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml @@ -17,6 +17,8 @@ references: - CCE-85407-5 cci: - CCI-000200 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5(1) srg: diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index 66d98344..b96cd155 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml @@ -39,6 +39,8 @@ references: - CCE-85408-3 cci: - CCI-000193 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5 - IA-5(1) diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index dde1ed7b..9c7f0f07 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml 
+++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml @@ -15,6 +15,8 @@ references: - CCE-85409-1 cci: - CCI-000205 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5 - IA-5(1) diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index 07e02bbe..3a52ff8a 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml @@ -39,6 +39,8 @@ references: - CCE-85410-9 cci: - N/A + 800-53r5: + - IA-5(1) 800-53r4: - IA-5(1) disa_stig: diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml index 54d07251..cfc16c0f 100644 --- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml +++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85412-5 cci: - N/A + 800-53r5: + - IA-5(1) 800-53r4: - IA-5 - IA-5(1) diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index c5779612..419730c8 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml @@ -17,6 +17,8 @@ references: - CCE-85413-3 cci: - CCI-001619 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5 - IA-5(1) diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index 05f30e8f..ad02e7f0 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml @@ -39,6 +39,8 @@ references: - CCE-85415-8 cci: - CCI-000192 + 800-53r5: + - IA-5(1) 800-53r4: - IA-5 - IA-5(1) diff --git a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml index 7c202ee0..70fe5696 100644 --- a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml 
+++ b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85418-2 cci: - CCI-000056* + 800-53r5: + - AC-11 800-53r4: - AC-11 srg: diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml index b6fd6d09..91179c25 100644 --- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml @@ -21,6 +21,7 @@ references: 800-53r5: - AC-18(3) - SC-8 + - AC-18(3) 800-53r4: - AC-18(3) - SC-8 diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml index 028b2ecc..2ce7a938 100644 --- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml +++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml @@ -17,6 +17,7 @@ references: - CCI-000382 800-53r5: - SI-11 + - AC-20 800-53r4: - AC-20 - SI-11 diff --git a/rules/sysprefs/sysprefs_find_my_disable.yaml b/rules/sysprefs/sysprefs_find_my_disable.yaml index 490f79e1..24e9fd5e 100644 --- a/rules/sysprefs/sysprefs_find_my_disable.yaml +++ b/rules/sysprefs/sysprefs_find_my_disable.yaml @@ -17,6 +17,8 @@ references: - CCE-85426-5 cci: - N/A + 800-53r5: + - AC-20 800-53r4: - CM-7 - AC-20 diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml index 3f25216f..b57498a5 100644 --- a/rules/sysprefs/sysprefs_firewall_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_enable.yaml @@ -21,6 +21,7 @@ references: 800-53r5: - AC-4 - SC-7(12) + - AC-6(1) 800-53r4: - AC-4 - AC-6(1) diff --git a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml index f1595b3d..1add246d 100644 --- a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml +++ b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85432-3 cci: - N/A + 800-53r5: + - AC-20 800-53r4: - CM-7 - AC-20 
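Review bot: The `- AC-18(3)` added to the `800-53r5` list in sysprefs_bluetooth_disable.yaml duplicates the `- AC-18(3)` that already sits two lines above it in the same list; the added line should be dropped rather than appended. The sysprefs_wifi_disable.yaml and sysprefs_wifi_disable_when_connected_to_ethernet.yaml hunks do the same thing, appending `- AC-18(3)` and `- AC-18(1)` to a list whose context lines already contain both. Duplicate entries will presumably be emitted twice wherever the generator expands the 800-53r5 references, so this is worth catching before baseline tags are built from these lists. The later "rev5 refs added" commit in this series edits the same bluetooth list again and leaves the duplicate in place.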
diff --git a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml index 582d7c66..48ed0e7a 100644 --- a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml @@ -17,6 +17,7 @@ references: - CCI-000381 800-53r5: - AC-4 + - AC-20 800-53r4: - AC-4 - AC-20 diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml index 008f0fee..eb61ae84 100644 --- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml +++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85438-0 cci: - N/A + 800-53r5: + - AC-20 800-53r4: - AC-20 - CM-7 diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml index e152da01..7db85afe 100644 --- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml @@ -15,6 +15,8 @@ references: - CCE-85442-2 cci: - CCI-000056* + 800-53r5: + - AC-11 800-53r4: - AC-11 srg: diff --git a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml index d8ab220b..a1228bd5 100644 --- a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml @@ -15,6 +15,8 @@ references: - CCE-85443-0 cci: - CCI-000056* + 800-53r5: + - AC-11 800-53r4: - AC-11 srg: diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml index add9f13a..4bcfc61d 100644 --- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml 
@@ -15,6 +15,8 @@ references: - CCE-85444-8 cci: - CCI-000057* + 800-53r5: + - AC-11 800-53r4: - AC-11 srg: diff --git a/rules/sysprefs/sysprefs_siri_disable.yaml b/rules/sysprefs/sysprefs_siri_disable.yaml index b421e57c..6621bf8f 100644 --- a/rules/sysprefs/sysprefs_siri_disable.yaml +++ b/rules/sysprefs/sysprefs_siri_disable.yaml @@ -16,6 +16,8 @@ references: cci: - CCI-000381 - CCI-001774 + 800-53r5: + - AC-20 800-53r4: - CM-7 - AC-20 diff --git a/rules/sysprefs/sysprefs_token_removal_enforce.yaml b/rules/sysprefs/sysprefs_token_removal_enforce.yaml index 2e030168..7a9d8486 100644 --- a/rules/sysprefs/sysprefs_token_removal_enforce.yaml +++ b/rules/sysprefs/sysprefs_token_removal_enforce.yaml @@ -20,6 +20,8 @@ references: - CCE-85450-5 cci: - CCI-000058* + 800-53r5: + - AC-11 800-53r4: - AC-11 srg: diff --git a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml index f7a861fb..06901b6e 100644 --- a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml +++ b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml @@ -17,6 +17,8 @@ references: - CCE-85451-3 cci: - CCI-000056 + 800-53r5: + - AC-11 800-53r4: - AC-11 srg: diff --git a/rules/sysprefs/sysprefs_wifi_disable.yaml b/rules/sysprefs/sysprefs_wifi_disable.yaml index ef32c206..078b4033 100644 --- a/rules/sysprefs/sysprefs_wifi_disable.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable.yaml @@ -21,6 +21,8 @@ references: - AC-4 - AC-18(1) - AC-18(3) + - AC-18(3) + - AC-18(1) 800-53r4: - AC-4 - AC-18(1) diff --git a/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml b/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml index f27b095a..b2b90f01 100644 --- a/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml @@ -19,6 +19,8 @@ references: - AC-4 - AC-18(1) - AC-18(3) + - AC-18(3) + - AC-18(1) 800-53r4: - AC-4 - AC-18(1) 
From 013a81d3476f25bc6ea425a745e45d75f4f3f432 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 17 Mar 2021 13:25:17 -0400 Subject: [PATCH 004/135] rev5 refs added --- rules/os/os_airdrop_disable.yaml | 1 - rules/os/os_authenticated_root_enable.yaml | 1 - rules/os/os_sip_enable.yaml | 1 + rules/sysprefs/sysprefs_bluetooth_disable.yaml | 1 + rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml | 2 +- rules/sysprefs/sysprefs_firewall_enable.yaml | 1 - rules/sysprefs/sysprefs_wifi_disable.yaml | 1 + 7 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 33a8e4e8..22c0fd75 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -21,7 +21,6 @@ references: 800-53r4: - CM-7 - AC-3 - - AC-18 - AC-20 srg: - SRG-OS-000095-GPOS-00049 diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml index e601dd6d..72576690 100644 --- a/rules/os/os_authenticated_root_enable.yaml +++ b/rules/os/os_authenticated_root_enable.yaml @@ -49,6 +49,5 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 - mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index 1e7d3825..a3ffbc20 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml @@ -35,6 +35,7 @@ references: - CCI-001882 800-53r5: - AC-3 + - AU-9 - AU-9(3) - CM-5 - CM-5(6) diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml index 91179c25..1aa9f924 100644 --- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml @@ -19,6 +19,7 @@ references: cci: - CCI-002418 800-53r5: + - AC-18 - AC-18(3) - SC-8 - AC-18(3) diff --git a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml index 4ddb33c0..55fa01b6 100644 
--- a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml
+++ b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml
@@ -38,7 +38,7 @@ references:
   srg:
     - SRG-OS-000480-GPOS-00227
   disa_stig:
-    -
+    - N/A
   800-171r2:
     - 3.1.1
     - 3.1.2
diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml
index b57498a5..3f25216f 100644
--- a/rules/sysprefs/sysprefs_firewall_enable.yaml
+++ b/rules/sysprefs/sysprefs_firewall_enable.yaml
@@ -21,7 +21,6 @@ references:
   800-53r5:
     - AC-4
     - SC-7(12)
-    - AC-6(1)
   800-53r4:
     - AC-4
     - AC-6(1)
diff --git a/rules/sysprefs/sysprefs_wifi_disable.yaml b/rules/sysprefs/sysprefs_wifi_disable.yaml
index 078b4033..21a11106 100644
--- a/rules/sysprefs/sysprefs_wifi_disable.yaml
+++ b/rules/sysprefs/sysprefs_wifi_disable.yaml
@@ -19,6 +19,7 @@ references:
     - N/A
   800-53r5:
     - AC-4
+    - AC-18
     - AC-18(1)
     - AC-18(3)
     - AC-18(3)
From 299e9133e62676ec37da31ab7579627dfc82bb73 Mon Sep 17 00:00:00 2001
From: Dan Brodjieski
Date: Thu, 18 Mar 2021 13:47:45 -0400
Subject: [PATCH 005/135] cleaned up ssh enable rule
---
 rules/sysprefs/sysprefs_ssh_enable.yaml | 31 ++++---------------------
 1 file changed, 4 insertions(+), 27 deletions(-)
diff --git a/rules/sysprefs/sysprefs_ssh_enable.yaml b/rules/sysprefs/sysprefs_ssh_enable.yaml
index b8307ae5..ab6c2147 100644
--- a/rules/sysprefs/sysprefs_ssh_enable.yaml
+++ b/rules/sysprefs/sysprefs_ssh_enable.yaml
@@ -9,42 +9,19 @@ result:
 fix: |
   [source,bash]
   ----
-  /bin/launchctl disable system/com.openssh.sshd
+  /bin/launchctl enable system/com.openssh.sshd
   ----
 references:
   cce:
     - CCE-85447-1
   cci:
-    - CCI-001941
-    - CCI-001942
-    - CCI-002890
-    - CCI-002420
-    - CCI-002421
-    - CCI-002422
-    - CCI-003123
-    - CCI-001453
-    - CCI-000068
-    - CCI-002418
+    - N/A
   800-53r4:
     - N/A
   srg:
-    - SRG-OS-000393-GPOS-00173
-    - SRG-OS-000394-GPOS-00174
-    - SRG-OS-000112-GPOS-00057
-    - SRG-OS-000113-GPOS-00058
-    - SRG-OS-000033-GPOS-00014
-    - SRG-OS-000423-GPOS-00187
-    - SRG-OS-000424-GPOS-00188
-    - SRG-OS-000425-GPOS-00189
-    - SRG-OS-000426-GPOS-00190
-    - SRG-OS-000033-GPOS-00014
-    - SRG-OS-000250-GPOS-00093
+    - N/A
   disa_stig:
-    - APPL-11-000040
-    - APPL-11-004011
-    - APPL-11-004010
-    - APPL-11-000011
-    - APPL-11-000010
+    - N/A
   800-171r2:
     - N/A
 macOS:
From eedeba51b36113335380812071cca3094ef54230 Mon Sep 17 00:00:00 2001
From: Dan Brodjieski
Date: Sun, 21 Mar 2021 15:34:26 -0400
Subject: [PATCH 006/135] reworked custom rule handling
---
 scripts/generate_guidance.py | 90 +++++++++++++++++++++++++++++-------
 1 file changed, 73 insertions(+), 17 deletions(-)
diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py
index f831312e..68802b5b 100755
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
@@ -23,7 +23,7 @@ from collections import namedtuple
 class MacSecurityRule():
-    def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, custom_refs, tags, result_value, mobileconfig, mobileconfig_info):
+    def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, custom_refs, tags, result_value, mobileconfig, mobileconfig_info, customized):
         self.rule_title = title
         self.rule_id = rule_id
         self.rule_severity = severity
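Review bot: With `cci`, `srg` and `disa_stig` all collapsed to `- N/A`, this rule still has no `800-53r5` key, while the preceding commits in this series add one to every other rule file they touch; for consistency add `800-53r5:` / `  - N/A` beside the existing `800-53r4:` block so the rev5 tooling sees the same shape everywhere. The one-line change from `launchctl disable` to `launchctl enable` is the substantive fix and finally matches the rule's name. Whether the removed CCI/SRG/STIG mappings were wrong for this rule or are only being parked cannot be told from the hunk; a sentence in the rule's discussion recording which it is would spare the next reader the archaeology.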
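Review bot: `customized` is added to `MacSecurityRule.__init__` as a required positional parameter, so any place that still constructs `MacSecurityRule(...)` with the previous seventeen arguments raises `TypeError` at runtime; the construction site is not in this hunk, so unless a later hunk updates it the parameter should carry a default, `..., mobileconfig, mobileconfig_info, customized=False):`. The default also keeps the class usable for rule files that never go through the custom-rule detection added further down. The class body continues outside the hunk.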
@@ -41,6 +41,7 @@ class MacSecurityRule(): self.rule_tags = tags self.rule_mobileconfig = mobileconfig self.rule_mobileconfig_info = mobileconfig_info + self.rule_customized = customized def create_asciidoc(self, adoc_rule_template): """Pass an AsciiDoc template as file object to return formatted AsciiDOC""" @@ -389,7 +390,7 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign for sections in baseline_yaml['profile']: for profile_rule in sections['rules']: for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): - rule_yaml = get_rule_yaml(rule) + rule_yaml = get_rule_yaml(rule, False) if rule_yaml['mobileconfig']: for payload_type, info in rule_yaml['mobileconfig_info'].items(): @@ -720,13 +721,15 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)" logging.debug(f"checking for rule file for {profile_rule}") if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0] + custom=True logging.debug(f"{rule}") elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)): rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0] + custom=False logging.debug(f"{rule}") #for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): - rule_yaml = get_rule_yaml(rule) + rule_yaml = get_rule_yaml(rule, custom) if rule_yaml['id'].startswith("supplemental"): continue 
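Review bot: `custom` is only bound inside the two `if`/`elif` branches, so when neither glob matches a baseline rule ID the new `get_rule_yaml(rule, custom)` call raises NameError on `custom` (previously the same situation failed on `rule`, but the error now points at the wrong variable). Initialise `custom = False` before the `if glob.glob(...)` line, and since an unknown rule is a baseline error it would be clearer to log a warning and `continue` than to fall through. The enclosing compliance-script generator starts and ends outside this hunk.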
@@ -964,12 +967,26 @@ fi #fix_script_file.close() compliance_script_file.close() -def get_rule_yaml(rule_file): +def get_rule_yaml(rule_file, custom=False): """ Takes a rule file, checks for a custom version, and returns the yaml for the rule """ + resulting_yaml = {} names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)] file_name = os.path.basename(rule_file) - if file_name in names: + # if file_name in names: + # print(f"Custom settings found for rule: {rule_file}") + # try: + # override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + # except IndexError: + # override_path = glob.glob('../custom/rules/{}'.format(file_name), recursive=True)[0] + # with open(override_path) as r: + # rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + # r.close() + # else: + # with open(rule_file) as r: + # rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + # r.close() + if custom: print(f"Custom settings found for rule: {rule_file}") try: override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] 
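Review bot: `names` is still computed from a recursive glob of `../custom/rules` but is no longer read now that the branch keys on the `custom` argument, and the replaced branch survives as a 14-line commented-out block; both should be deleted, and the docstring should say the caller decides via `custom` rather than "checks for a custom version". `override_path = glob.glob(...)[0]` silently takes the first hit when two custom directories hold the same file name; logging or rejecting more than one match would make an ambiguous override visible instead of depending on glob order. `get_rule_yaml` continues in the next hunk.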
@@ -980,7 +997,34 @@ def get_rule_yaml(rule_file): else: with open(rule_file) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) - return rule_yaml + + try: + og_rule_path = glob.glob('../rules/**/{}'.format(file_name), recursive=True)[0] + except IndexError: + #assume this is a completely new rule + og_rule_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + + # get original/default rule yaml for comparison + with open(og_rule_path) as og: + og_rule_yaml = yaml.load(og, Loader=yaml.SafeLoader) + og.close() + + for yaml_field in og_rule_yaml: + try: + if og_rule_yaml[yaml_field] == rule_yaml[yaml_field]: + #print("using default data in yaml field {}".format(yaml_field)) + resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] + else: + print('using CUSTOM value for yaml field {} in rule {}'.format(yaml_field, file_name)) + resulting_yaml[yaml_field] = rule_yaml[yaml_field] + if 'customized' in resulting_yaml: + resulting_yaml['customized'].append("customized {}".format(yaml_field)) + else: + resulting_yaml['customized'] = ["customized {}".format(yaml_field)] + except KeyError: + resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] + + return resulting_yaml def generate_xls(baseline_name, build_path, baseline_yaml): @@ -1004,7 +1048,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml): top = xlwt.easyxf("align: vert top") headers = xlwt.easyxf("font: bold on") counter = 1 - column_counter = 13 + column_counter = 14 sheet1.write(0, 0, "CCE", headers) sheet1.write(0, 1, "Rule ID", headers) sheet1.write(0, 2, "Title", headers) @@ -1018,6 +1062,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(0, 10, "SRG", headers) sheet1.write(0, 11, "DISA STIG", headers) sheet1.write(0, 12, "CCI", headers) + sheet1.write(0, 13, "Modifed Rule", headers) sheet1.set_panes_frozen(True) sheet1.set_horz_split_pos(1) sheet1.set_vert_split_pos(2) 
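Review bot: The merge loop iterates `og_rule_yaml` only, so a top-level key that exists in the custom file but not in the shipped rule is silently dropped and never recorded in `customized`; after the loop add `for extra in rule_yaml.keys() - og_rule_yaml.keys(): resulting_yaml[extra] = rule_yaml[extra]` and append `"customized {}".format(extra)` to `resulting_yaml.setdefault('customized', [])`. Because a custom file's `check` and `fix` text appears to be emitted verbatim into the generated compliance script, a one-line comment above the loop stating that `../custom/rules` is trusted input that overrides the shipped rule field-by-field would help the next maintainer. `og.close()` inside the `with` block is redundant. `get_rule_yaml` begins in the previous hunk.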
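Review bot: The new column header is misspelled: `sheet1.write(0, 13, "Modifed Rule", headers)` should read `"Modified Rule"`. Since this header is what users will filter on in the spreadsheet, it is worth fixing before the name is copied into documentation.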
@@ -1100,6 +1145,12 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(counter, 12, cci, topWrap) sheet1.col(12).width = 400 * 15 + customized = (str(rule.rule_customized)).strip('[]\'') + customized = customized.replace(", ", "\n").replace("\'", "") + + sheet1.write(counter, 13, customized, topWrap) + sheet1.col(13).width = 400 * 15 + if rule.rule_custom_refs != ['None']: for title, ref in rule.rule_custom_refs.items(): sheet1.write(0, column_counter, title, headers ) @@ -1132,7 +1183,8 @@ def create_rules(baseline_yaml): 'id', 'references', 'result', - 'discussion'] + 'discussion', + 'customized'] references = ['disa_stig', 'cci', 'cce', @@ -1146,18 +1198,20 @@ def create_rules(baseline_yaml): for profile_rule in sections['rules']: if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0] + custom=True elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)): rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0] + custom=False #for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): - rule_yaml = get_rule_yaml(rule) + rule_yaml = get_rule_yaml(rule, custom) for key in keys: try: rule_yaml[key] except: #print "{} key missing ..for {}".format(key, rule) - rule_yaml.update({key: "missing"}) + rule_yaml.update({key: ""}) if key == "references": for reference in references: try: @@ -1181,7 +1235,8 @@ def create_rules(baseline_yaml): rule_yaml['tags'], rule_yaml['result'], rule_yaml['mobileconfig'], - rule_yaml['mobileconfig_info'] + rule_yaml['mobileconfig_info'], + rule_yaml['customized'] )) return all_rules 
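Review bot: As in the compliance-script path, `custom` in `create_rules` is assigned only inside the `if`/`elif` branches, so a baseline entry matching neither glob now fails with NameError at `get_rule_yaml(rule, custom)`; add `custom = False` and `rule = None` before the first `if`, and skip the entry with a logged warning when `rule` is still `None`. Changing the placeholder for absent keys from `"missing"` to `""` is fine for `customized`, but an absent `references` key still becomes a string and the following `rule_yaml[key].update(...)` would raise, as it did before. `create_rules` starts outside this hunk.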
@@ -1467,16 +1522,17 @@ def main(): except IndexError: logging.debug(f'defined rule {rule} does not have valid yaml file, check that rule ID and filename match.') - #check for custom rule if glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True): print(f"Custom settings found for rule: {rule_file}") - override_rule = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0] - with open(override_rule) as r: - rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + #override_rule = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0] + rule_location = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0] + custom=True else: - with open(rule_path[0]) as r: - rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + rule_location = rule_path[0] + custom=False + + rule_yaml = get_rule_yaml(rule_location, custom) # Determine if the references exist and set accordingly try: From b935aa1b3113e3f5302998ad1d4481b22e5e10f3 Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Sun, 21 Mar 2021 16:31:39 -0400 Subject: [PATCH 007/135] fixed generate_baseline for new custom workflow --- scripts/generate_baseline.py | 62 ++++++++++++++++++++++++++++++------ 1 file changed, 52 insertions(+), 10 deletions(-) diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py index 876d7687..7830fb68 100755 --- a/scripts/generate_baseline.py +++ b/scripts/generate_baseline.py 
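Review bot: This is the third copy of the same "custom glob first, else ../rules" lookup in generate_guidance.py (the compliance-script generator and `create_rules` carry the other two), and here the custom glob is evaluated twice on consecutive lines; a small helper returning `(path, custom)` for a rule file name would keep the three in step and halve the globbing. The commented-out `#override_rule = ...` line should be deleted rather than kept. `rule_path[0]` in the `else` branch is still reached after the `except IndexError` above only logs, so an unknown rule raises there. `main()` continues outside this hunk.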
@@ -46,19 +46,62 @@ class MacSecurityRule(): return rule_adoc -def get_rule_yaml(rule_file): +def get_rule_yaml(rule_file, custom=False): """ Takes a rule file, checks for a custom version, and returns the yaml for the rule """ - if os.path.basename(rule_file) in glob.glob1('../custom/rules/', '*.yaml'): - #print(f"Custom settings found for rule: {rule_file}") - override_rule = os.path.join( - '../custom/rules', os.path.basename(rule_file)) - with open(override_rule) as r: + resulting_yaml = {} + names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)] + file_name = os.path.basename(rule_file) + # if file_name in names: + # print(f"Custom settings found for rule: {rule_file}") + # try: + # override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + # except IndexError: + # override_path = glob.glob('../custom/rules/{}'.format(file_name), recursive=True)[0] + # with open(override_path) as r: + # rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + # r.close() + # else: + # with open(rule_file) as r: + # rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + # r.close() + if custom: + print(f"Custom settings found for rule: {rule_file}") + try: + override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + except IndexError: + override_path = glob.glob('../custom/rules/{}'.format(file_name), recursive=True)[0] + with open(override_path) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) else: with open(rule_file) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) - return rule_yaml + + try: + og_rule_path = glob.glob('../rules/**/{}'.format(file_name), recursive=True)[0] + except IndexError: + #assume this is a completely new rule + og_rule_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + + # get original/default rule yaml for comparison + with open(og_rule_path) as og: + og_rule_yaml = yaml.load(og, Loader=yaml.SafeLoader) + og.close() + 
+ for yaml_field in og_rule_yaml: + try: + if og_rule_yaml[yaml_field] == rule_yaml[yaml_field]: + resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] + else: + resulting_yaml[yaml_field] = rule_yaml[yaml_field] + if 'customized' in resulting_yaml: + resulting_yaml['customized'].append("customized {}".format(yaml_field)) + else: + resulting_yaml['customized'] = ["customized {}".format(yaml_field)] + except KeyError: + resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] + + return resulting_yaml def collect_rules(): """Takes a baseline yaml file and parses the rules, returns a list of containing rules @@ -84,8 +127,7 @@ def collect_rules(): for rule in glob.glob('../rules/**/*.yaml',recursive=True) + glob.glob('../custom/rules/**/*.yaml',recursive=True): - rule_yaml = get_rule_yaml(rule) - + rule_yaml = get_rule_yaml(rule, custom=False) for key in keys: try: rule_yaml[key] @@ -97,7 +139,7 @@ def collect_rules(): try: rule_yaml[key][reference] except: - #print "expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule) + #print("expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule)) rule_yaml[key].update({reference: ["None"]}) all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\|'), From 90ed20d91ed48ae69974a490683186cd70600b40 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Sun, 21 Mar 2021 17:14:49 -0400 Subject: [PATCH 008/135] removed sysprefs_afp_disable --- baselines/800-53_high.yaml | 1 - baselines/800-53_low.yaml | 1 - baselines/800-53_moderate.yaml | 1 - rules/sysprefs/sysprefs_afp_disable.yaml | 41 ------------------------ 4 files changed, 44 deletions(-) delete mode 100644 rules/sysprefs/sysprefs_afp_disable.yaml diff --git a/baselines/800-53_high.yaml b/baselines/800-53_high.yaml index bed41163..14278db8 100644 --- a/baselines/800-53_high.yaml +++ b/baselines/800-53_high.yaml 
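Review bot: This `get_rule_yaml` is a verbatim copy of the one in scripts/generate_guidance.py, including the unused `names` list and the commented-out old branch, and the two already diverge within this series (patch 010 adds the `customized rule` marker for brand-new rules only in generate_guidance.py); moving it into a module both scripts import would stop the baseline generator from reporting custom rules differently from the guide. If it must stay duplicated, at least drop `names` and the dead comment block here as well. The function is the hunk's only definition; `collect_rules` continues past it.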
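Review bot: `get_rule_yaml(rule, custom=False)` is passed for paths from `../custom/rules` as well, so the custom branch of the new function is never taken here; the override's contents are still read (the `else` branch opens `rule_file` directly), but a rule that has an override is then collected twice, once per glob, unless it is de-duplicated later outside this view. Either pass `custom=rule.startswith('../custom/')` and skip the `../rules` copy when an override exists, or document that duplicates are expected and removed downstream. `collect_rules` starts outside this hunk.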
@@ -123,7 +123,6 @@ profile: - sysprefs_screensaver_timeout_enforce - sysprefs_firewall_enable - sysprefs_find_my_disable - - sysprefs_afp_disable - sysprefs_content_caching_disable - sysprefs_location_services_disable - sysprefs_time_server_configure diff --git a/baselines/800-53_low.yaml b/baselines/800-53_low.yaml index 8e029c62..c4283aee 100644 --- a/baselines/800-53_low.yaml +++ b/baselines/800-53_low.yaml @@ -100,7 +100,6 @@ profile: - sysprefs_rae_disable - sysprefs_firewall_enable - sysprefs_find_my_disable - - sysprefs_afp_disable - sysprefs_content_caching_disable - sysprefs_location_services_disable - sysprefs_diagnostics_reports_disable diff --git a/baselines/800-53_moderate.yaml b/baselines/800-53_moderate.yaml index 8216e699..c4bbad29 100644 --- a/baselines/800-53_moderate.yaml +++ b/baselines/800-53_moderate.yaml @@ -120,7 +120,6 @@ profile: - sysprefs_screensaver_timeout_enforce - sysprefs_firewall_enable - sysprefs_find_my_disable - - sysprefs_afp_disable - sysprefs_content_caching_disable - sysprefs_location_services_disable - sysprefs_time_server_configure diff --git a/rules/sysprefs/sysprefs_afp_disable.yaml b/rules/sysprefs/sysprefs_afp_disable.yaml deleted file mode 100644 index 57c913f7..00000000 --- a/rules/sysprefs/sysprefs_afp_disable.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -id: sysprefs_afp_disable -title: "Disable Apple Filing Protocol Sharing" -discussion: | - If the system does not require Apple Filing Protocol (AFP) Sharing, support it is non-essential and _MUST_ be disabled. - - The information system _MUST_ be configured to provide only essential capabilities. Disabling AFP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. -check: | - /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.AppleFileServer" => true' -result: - integer: 1 -fix: | - [source,bash] - ---- - /bin/launchctl disable system/com.apple.AppleFileServer - ---- - The system may need to be restarted for the update to take effect. -references: - cce: - - CCE-85416-6 - cci: - - CCI-000381 - 800-53r4: - - AC-3 - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-11-002002 - 800-171r2: - - 3.1.1 - - 3.1.2 -macOS: - - "11.0" -tags: - - 800-171 - - cnssi-1253 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - -mobileconfig: false -mobileconfig_info: \ No newline at end of file From 3b78a331dce6e345cf99674c537083a37b81ea79 Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Sun, 21 Mar 2021 18:53:37 -0400 Subject: [PATCH 009/135] update custom reference processing --- scripts/generate_guidance.py | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 68802b5b..7298cf9f 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -1049,6 +1049,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml): headers = xlwt.easyxf("font: bold on") counter = 1 column_counter = 14 + custom_ref_column = {} sheet1.write(0, 0, "CCE", headers) sheet1.write(0, 1, "Rule ID", headers) sheet1.write(0, 2, "Title", headers) 
@@ -1153,12 +1154,16 @@ def generate_xls(baseline_name, build_path, baseline_yaml): if rule.rule_custom_refs != ['None']: for title, ref in rule.rule_custom_refs.items(): - sheet1.write(0, column_counter, title, headers ) - sheet1.col(column_counter).width = 512 * 25 + if title not in custom_ref_column: + print("Current column counter: {}, processing Rule: {} adding title: {}".format(column_counter, rule.rule_id, title)) + custom_ref_column[title] = column_counter + column_counter = column_counter + 1 + sheet1.write(0, custom_ref_column[title], title, headers) + sheet1.col(custom_ref_column[title]).width = 512 * 25 added_ref = (str(ref)).strip('[]\'') added_ref = added_ref.replace(", ", "\n").replace("\'", "") - sheet1.write(counter, column_counter, added_ref, topWrap) - column_counter = column_counter + 1 + sheet1.write(counter, custom_ref_column[title], added_ref, topWrap) + tall_style = xlwt.easyxf('font:height 640;') # 36pt @@ -1628,12 +1633,13 @@ def main(): rule_yaml['mobileconfig_info']) # process nist controls for grouping - nist_80053r4.sort() - res = [list(i) for j, i in groupby( - nist_80053r4, lambda a: a.split('(')[0])] - nist_controls = '' - for i in res: - nist_controls += group_ulify(i) + if not nist_80053r4 == "N/A": + nist_80053r4.sort() + res = [list(i) for j, i in groupby( + nist_80053r4, lambda a: a.split('(')[0])] + nist_controls = '' + for i in res: + nist_controls += group_ulify(i) if 'supplemental' in tags: rule_adoc = adoc_supplemental_template.substitute( rule_title=rule_yaml['title'].replace('|', '\|'), From 787fe351079ad68ca98e976d0d8d19feca6bbe58 Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Mon, 22 Mar 2021 07:24:34 -0400 Subject: [PATCH 010/135] fixed 800-53 sorting when empty --- scripts/generate_guidance.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 7298cf9f..07302a8d 100755 --- a/scripts/generate_guidance.py 
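Review bot: When `nist_80053r4` equals `"N/A"`, `nist_controls` is now assigned only inside the `if`, so the later template substitution that uses it raises NameError unless the name was initialised earlier outside this hunk; move `nist_controls = ''` above the guard and write it as `if nist_80053r4 != "N/A":`. Also, the rule files in this series store the value as a YAML list (`800-53r4:` / `- N/A`), which compares unequal to the string `"N/A"`; unless the list is normalised to a string before this point, the guard never triggers and `['N/A']` is sorted and grouped as if it were a control. `main()` continues outside this hunk.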
+++ b/scripts/generate_guidance.py @@ -781,12 +781,13 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)" # group the controls - nist_80053r4.sort() - res = [list(i) for j, i in groupby( - nist_80053r4, lambda a: a.split('(')[0])] - nist_controls = '' - for i in res: - nist_controls += group_ulify(i) + if not nist_80053r4 == "N/A": + nist_80053r4.sort() + res = [list(i) for j, i in groupby( + nist_80053r4, lambda a: a.split('(')[0])] + nist_controls = '' + for i in res: + nist_controls += group_ulify(i) # print checks and result try: @@ -1003,11 +1004,11 @@ def get_rule_yaml(rule_file, custom=False): except IndexError: #assume this is a completely new rule og_rule_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + resulting_yaml['customized'] = ["customized rule"] # get original/default rule yaml for comparison with open(og_rule_path) as og: og_rule_yaml = yaml.load(og, Loader=yaml.SafeLoader) - og.close() for yaml_field in og_rule_yaml: try: From 9774bbcc5f2765c65398d06deedcef7f9427f161 Mon Sep 17 00:00:00 2001 
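Review bot: Same pattern as the guide path: `nist_controls = ''` sits inside the `if not nist_80053r4 == "N/A":` guard, so the `N/A` case leaves `nist_controls` unbound for whatever reads it after the hunk unless it was assigned earlier; hoist the initialisation above the guard and prefer `!=`. The same list-versus-string comparison caveat applies if the YAML value is `['N/A']`. The compliance-script generator starts and ends outside this hunk.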
From: Bob Gendler Date: Mon, 22 Mar 2021 10:56:00 -0400 Subject: [PATCH 011/135] Rev5s added --- rules/audit/audit_auditd_enabled.yaml | 2 ++ rules/audit/audit_flags_ex_configure.yaml | 1 + rules/audit/audit_flags_fd_configure.yaml | 1 + rules/audit/audit_flags_fm_configure.yaml | 1 + rules/audit/audit_flags_fr_configure.yaml | 1 + rules/audit/audit_flags_fw_configure.yaml | 1 + rules/auth/auth_smartcard_enforce.yaml | 3 +++ rules/auth/auth_ssh_smartcard_enforce.yaml | 3 +++ rules/icloud/icloud_addressbook_disable.yaml | 1 + rules/icloud/icloud_appleid_prefpane_disable.yaml | 1 + rules/icloud/icloud_bookmarks_disable.yaml | 1 + rules/icloud/icloud_calendar_disable.yaml | 1 + rules/icloud/icloud_drive_disable.yaml | 1 + rules/icloud/icloud_keychain_disable.yaml | 1 + rules/icloud/icloud_mail_disable.yaml | 1 + rules/icloud/icloud_notes_disable.yaml | 1 + rules/icloud/icloud_photos_disable.yaml | 1 + rules/icloud/icloud_reminders_disable.yaml | 1 + rules/icloud/icloud_sync_disable.yaml | 1 + rules/os/os_airdrop_disable.yaml | 1 + rules/os/os_bonjour_disable.yaml | 2 ++ rules/os/os_calendar_app_disable.yaml | 1 + rules/os/os_enforce_access_restrictions.yaml | 2 ++ rules/os/os_facetime_app_disable.yaml | 1 + rules/os/os_handoff_disable.yaml | 1 + rules/os/os_ir_support_disable.yaml | 1 + rules/os/os_mail_app_disable.yaml | 1 + rules/os/os_mdm_require.yaml | 3 +++ rules/os/os_messages_app_disable.yaml | 1 + rules/os/os_parental_controls_enable.yaml | 2 ++ rules/os/os_password_autofill_disable.yaml | 1 + rules/os/os_privacy_setup_prompt_disable.yaml | 2 ++ rules/os/os_siri_prompt_disable.yaml | 1 + rules/os/os_user_app_installation_prohibit.yaml | 2 ++ rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml | 1 + rules/sysprefs/sysprefs_content_caching_disable.yaml | 2 ++ rules/sysprefs/sysprefs_filevault_enforce.yaml | 1 + rules/sysprefs/sysprefs_find_my_disable.yaml | 1 + rules/sysprefs/sysprefs_firewall_enable.yaml | 1 + 
rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml | 2 ++ rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml | 1 + rules/sysprefs/sysprefs_location_services_disable.yaml | 2 ++ rules/sysprefs/sysprefs_personalized_advertising_disable.yaml | 1 + rules/sysprefs/sysprefs_power_nap_disable.yaml | 2 ++ rules/sysprefs/sysprefs_siri_disable.yaml | 1 + rules/sysprefs/sysprefs_ssh_disable.yaml | 1 + 46 files changed, 62 insertions(+) diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index b9af3da1..ea6f7e26 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -39,6 +39,8 @@ references: - AU-3(1) - AU-8 - AU-12 + - AU-12(3) + - AU-14(1) 800-53r4: - AU-3 - AU-3(1) diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index 44aa8014..4a9e0ed8 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml @@ -24,6 +24,7 @@ references: 800-53r5: - AU-12 - AU-2 + - CM-5(1) 800-53r4: - AU-2 - AU-12 diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index eb319c67..5b652275 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml @@ -27,6 +27,7 @@ references: - AU-12 - AU-2 - AU-9 + - CM-5(1) 800-53r4: - AU-2 - AU-12 diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index da7bdd3f..cd7d6dae 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -27,6 +27,7 @@ references: - AU-12 - AU-2 - AU-9 + - CM-5(1) 800-53r4: - AU-2 - AU-12 diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index 448a1f2a..4419d4cc 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml 
@@ -27,6 +27,7 @@ references: - AU-12 - AU-2 - AU-9 + - CM-5(1) 800-53r4: - AU-2 - AU-12 diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index 0afc565f..3c1bd65b 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml @@ -26,6 +26,7 @@ references: - AU-12 - AU-2 - AU-9 + - CM-5(1) 800-53r4: - AU-2 - AU-12 diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index ea077378..b08e3147 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml @@ -29,6 +29,9 @@ references: - IA-2(6) - IA-2 - IA-5(2) + - IA-2(1) + - IA-2(2) + - IA-2(6) 800-53r4: - IA-2 - IA-2(1) diff --git a/rules/auth/auth_ssh_smartcard_enforce.yaml b/rules/auth/auth_ssh_smartcard_enforce.yaml index 687e3f6d..49f3f9be 100644 --- a/rules/auth/auth_ssh_smartcard_enforce.yaml +++ b/rules/auth/auth_ssh_smartcard_enforce.yaml @@ -28,6 +28,9 @@ references: - IA-2 - IA-5(2) - MA-4 + - IA-2(1) + - IA-2(2) + - IA-2(6) 800-53r4: - IA-2 - IA-2(1) diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index d57320d5..38c2156d 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -19,6 +19,7 @@ references: 800-53r5: - AC-20 - AC-20(1) + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_appleid_prefpane_disable.yaml b/rules/icloud/icloud_appleid_prefpane_disable.yaml index 0c06e2be..53ac5589 100644 --- a/rules/icloud/icloud_appleid_prefpane_disable.yaml +++ b/rules/icloud/icloud_appleid_prefpane_disable.yaml @@ -18,6 +18,7 @@ references: 800-53r5: - AC-20 - AC-20(1) + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index 615b1673..8d90ed09 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml 
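Review bot: `- IA-2(6)` is already present in the 800-53r5 list of auth_smartcard_enforce (it is the first context line of the hunk), so the added `+ - IA-2(6)` duplicates it; drop that added line and keep the new `IA-2(1)` and `IA-2(2)`. The ssh smartcard hunk below adds the same three controls, but its earlier list entries are outside the hunk, so it may carry the same duplicate and is worth checking.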
+++ b/rules/icloud/icloud_bookmarks_disable.yaml @@ -19,6 +19,7 @@ references: 800-53r5: - AC-20 - AC-20(1) + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index 74f0939c..b2093c64 100644 --- a/rules/icloud/icloud_calendar_disable.yaml +++ b/rules/icloud/icloud_calendar_disable.yaml @@ -19,6 +19,7 @@ references: 800-53r5: - AC-20 - AC-20(1) + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index 7271b5bc..ba09606d 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -19,6 +19,7 @@ references: 800-53r5: - AC-20 - AC-20(1) + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index 25f5e54a..827613c2 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml @@ -19,6 +19,7 @@ references: 800-53r5: - AC-20 - AC-20(1) + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index 406df51a..11a15450 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml @@ -19,6 +19,7 @@ references: 800-53r5: - AC-20 - AC-20(1) + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index ad7b944d..0c0b265b 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml @@ -19,6 +19,7 @@ references: 800-53r5: - AC-20 - AC-20(1) + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index 41d8e14d..eda54736 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml 
@@ -19,6 +19,7 @@ references: 800-53r5: - AC-20 - AC-20(1) + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index 2792a0c9..326703f1 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml @@ -19,6 +19,7 @@ references: 800-53r5: - AC-20 - AC-20(1) + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index a17dce01..6613789e 100644 --- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml @@ -18,6 +18,7 @@ references: 800-53r5: - AC-20 - AC-20(1) + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 22c0fd75..561e9c42 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -18,6 +18,7 @@ references: 800-53r5: - AC-3 - AC-20 + - CM-7 800-53r4: - CM-7 - AC-3 diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml index 7b2d73d3..75a256ce 100644 --- a/rules/os/os_bonjour_disable.yaml +++ b/rules/os/os_bonjour_disable.yaml @@ -13,6 +13,8 @@ references: - CCE-85299-6 cci: - CCI-000381 + 800-53r5: + - CM-7 800-53r4: - CM-7 srg: diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml index 66a0202e..b78cf930 100644 --- a/rules/os/os_calendar_app_disable.yaml +++ b/rules/os/os_calendar_app_disable.yaml @@ -20,6 +20,7 @@ references: - CCI-000381 800-53r5: - AC-20 + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/os/os_enforce_access_restrictions.yaml b/rules/os/os_enforce_access_restrictions.yaml index 08d918b6..97f4a889 100644 --- a/rules/os/os_enforce_access_restrictions.yaml +++ b/rules/os/os_enforce_access_restrictions.yaml @@ -15,6 +15,8 @@ references: - CCE-85306-9 cci: - CCI-001813 + 800-53r5: + - CM-5(1) 800-53r4: - CM-5(1) disa_stig: 
diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml index a8cc3546..3d37f1df 100644 --- a/rules/os/os_facetime_app_disable.yaml +++ b/rules/os/os_facetime_app_disable.yaml @@ -18,6 +18,7 @@ references: - CCI-001774 800-53r5: - AC-20 + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml index 76978105..a9fac9cc 100644 --- a/rules/os/os_handoff_disable.yaml +++ b/rules/os/os_handoff_disable.yaml @@ -16,6 +16,7 @@ references: 800-53r5: - AC-3 - AC-20 + - CM-7 800-53r4: - AC-3 - AC-20 diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml index e26e71b4..0cd4164f 100644 --- a/rules/os/os_ir_support_disable.yaml +++ b/rules/os/os_ir_support_disable.yaml @@ -19,6 +19,7 @@ references: - CCI-000366 800-53r5: - AC-18 + - CM-7 800-53r4: - CM-7 - AC-18 diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml index 552ba482..4b71e94c 100644 --- a/rules/os/os_mail_app_disable.yaml +++ b/rules/os/os_mail_app_disable.yaml @@ -22,6 +22,7 @@ references: - CCI-000381 800-53r5: - AC-20 + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml index 65c69a20..0c33d74a 100644 --- a/rules/os/os_mdm_require.yaml +++ b/rules/os/os_mdm_require.yaml @@ -27,6 +27,9 @@ fix: | references: cce: - CCE-85338-2 + 800-53r5: + - CM-2 + - CM-6 800-53r4: - CM-2 - CM-6 diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml index 0c075af6..2207bde5 100644 --- a/rules/os/os_messages_app_disable.yaml +++ b/rules/os/os_messages_app_disable.yaml @@ -18,6 +18,7 @@ references: - CCI-001774 800-53r5: - AC-20 + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml index 8a4661a2..7cec5351 100644 --- a/rules/os/os_parental_controls_enable.yaml +++ b/rules/os/os_parental_controls_enable.yaml 
@@ -18,6 +18,8 @@ references: cci: - CCI-001812 - CCI-001764 + 800-53r5: + - CM-7(2) 800-53r4: - CM-7(2) srg: diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml index 7ada300e..93b85f39 100644 --- a/rules/os/os_password_autofill_disable.yaml +++ b/rules/os/os_password_autofill_disable.yaml @@ -15,6 +15,7 @@ references: - CCE-85351-5 800-53r5: - IA-5(13) + - CM-7 800-53r4: - IA-5 - IA-5(13) diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml index 665b8a1e..3e59b121 100644 --- a/rules/os/os_privacy_setup_prompt_disable.yaml +++ b/rules/os/os_privacy_setup_prompt_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85362-2 cci: - CCI-000381 + 800-53r5: + - CM-7 800-53r4: - CM-7 srg: diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml index 6a563d06..45765de3 100644 --- a/rules/os/os_siri_prompt_disable.yaml +++ b/rules/os/os_siri_prompt_disable.yaml @@ -18,6 +18,7 @@ references: - CCI-001774 800-53r5: - AC-20 + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml index 1898f8c9..3238978c 100644 --- a/rules/os/os_user_app_installation_prohibit.yaml +++ b/rules/os/os_user_app_installation_prohibit.yaml @@ -15,6 +15,8 @@ references: - CCE-85396-0 cci: - CCI-001812 + 800-53r5: + - CM-11(2) 800-53r4: - CM-11(2) srg: diff --git a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml index 55fa01b6..f31d3258 100644 --- a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml @@ -30,6 +30,7 @@ references: 800-53r5: - AC-3 - AC-18(4) + - CM-7 800-53r4: - AC-3 - AC-18 diff --git a/rules/sysprefs/sysprefs_content_caching_disable.yaml b/rules/sysprefs/sysprefs_content_caching_disable.yaml index 76cc3d9b..fbc1cbe6 100644 
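Review bot: `CM-7` is added to the 800-53r5 list of os_password_autofill_disable, but the 800-53r4 list immediately below maps this rule only to `IA-5` and `IA-5(13)`; every other rule in this patch adds r5 `CM-7` where r4 already carried it, so this one looks like a paste from a neighbouring rule. If the rev5 mapping really gained CM-7 here, the r5 list may also be missing `IA-5`; otherwise the added line should be removed.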
--- a/rules/sysprefs/sysprefs_content_caching_disable.yaml +++ b/rules/sysprefs/sysprefs_content_caching_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85422-4 cci: - N/A + 800-53r5: + - CM-7 800-53r4: - CM-7 srg: diff --git a/rules/sysprefs/sysprefs_filevault_enforce.yaml b/rules/sysprefs/sysprefs_filevault_enforce.yaml index 9a27778f..9af69ac0 100644 --- a/rules/sysprefs/sysprefs_filevault_enforce.yaml +++ b/rules/sysprefs/sysprefs_filevault_enforce.yaml @@ -19,6 +19,7 @@ references: - CCI-002476 800-53r5: - SC-28 + - SC-28 800-53r4: - SC-28 - SC-28(1) diff --git a/rules/sysprefs/sysprefs_find_my_disable.yaml b/rules/sysprefs/sysprefs_find_my_disable.yaml index 24e9fd5e..d7ae9b78 100644 --- a/rules/sysprefs/sysprefs_find_my_disable.yaml +++ b/rules/sysprefs/sysprefs_find_my_disable.yaml @@ -19,6 +19,7 @@ references: - N/A 800-53r5: - AC-20 + - CM-7 800-53r4: - CM-7 - AC-20 diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml index 3f25216f..b9391051 100644 --- a/rules/sysprefs/sysprefs_firewall_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_enable.yaml @@ -21,6 +21,7 @@ references: 800-53r5: - AC-4 - SC-7(12) + - CM-7 800-53r4: - AC-4 - AC-6(1) diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml index 8093d962..013e258b 100644 --- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml @@ -21,6 +21,8 @@ fix: | references: cce: - CCE-85428-1 + 800-53r5: + - CM-7 800-53r4: - SC-7 - CM-7 diff --git a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml index 1add246d..2048e9a1 100644 --- a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml +++ b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml 
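Review bot: The added `- SC-28` in sysprefs_filevault_enforce duplicates the `- SC-28` context line directly above it in the 800-53r5 list; given the 800-53r4 list below reads `SC-28`, `SC-28(1)`, the intended line is almost certainly `- SC-28(1)`. Please change the added line accordingly.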
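Review bot: The new 800-53r5 block for sysprefs_firewall_stealth_mode_enable lists only `CM-7`, while the 800-53r4 block right below it carries `SC-7` as well; if SC-7 still applies under rev5, add `- SC-7`, otherwise a short note in the commit message on why it was dropped would help the next reference pass.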
@@ -17,6 +17,7 @@ references:
 - N/A
 800-53r5:
 - AC-20
+ - CM-7
 800-53r4:
 - CM-7
 - AC-20
diff --git a/rules/sysprefs/sysprefs_location_services_disable.yaml b/rules/sysprefs/sysprefs_location_services_disable.yaml
index fbd49616..bd80c644 100644
--- a/rules/sysprefs/sysprefs_location_services_disable.yaml
+++ b/rules/sysprefs/sysprefs_location_services_disable.yaml
@@ -18,6 +18,8 @@ references:
 - CCE-85434-9
 cci:
 - CCI-000381
+ 800-53r5:
+ - CM-7
 800-53r4:
 - CM-7
 srg:
diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
index eb61ae84..1fb1c7a7 100644
--- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
+++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
@@ -17,6 +17,7 @@ references:
 - N/A
 800-53r5:
 - AC-20
+ - CM-7
 800-53r4:
 - AC-20
 - CM-7
diff --git a/rules/sysprefs/sysprefs_power_nap_disable.yaml b/rules/sysprefs/sysprefs_power_nap_disable.yaml
index e5598161..e18ff559 100644
--- a/rules/sysprefs/sysprefs_power_nap_disable.yaml
+++ b/rules/sysprefs/sysprefs_power_nap_disable.yaml
@@ -25,6 +25,8 @@ fix: |
 references:
 cce:
 - CCE-85439-8
+ 800-53r5:
+ - CM-7
 800-53r4:
 - CM-7
 disa_stig:
diff --git a/rules/sysprefs/sysprefs_siri_disable.yaml b/rules/sysprefs/sysprefs_siri_disable.yaml
index 6621bf8f..321b2610 100644
--- a/rules/sysprefs/sysprefs_siri_disable.yaml
+++ b/rules/sysprefs/sysprefs_siri_disable.yaml
@@ -18,6 +18,7 @@ references:
 - CCI-001774
 800-53r5:
 - AC-20
+ - CM-7
 800-53r4:
 - CM-7
 - AC-20
diff --git a/rules/sysprefs/sysprefs_ssh_disable.yaml b/rules/sysprefs/sysprefs_ssh_disable.yaml
index 1ab0ed3d..83a6dc5b 100644
--- a/rules/sysprefs/sysprefs_ssh_disable.yaml
+++ b/rules/sysprefs/sysprefs_ssh_disable.yaml
@@ -21,6 +21,7 @@ references:
 800-53r5:
 - IA-2(8)
 - AC-3
+ - CM-7
 800-53r4:
 - AC-3
 - CM-7

From f174190232ea3efea5c23f9ae2bc38c9ca90fe25 Mon Sep 17 00:00:00 2001
From: Dan Brodjieski
Date: Mon, 22 Mar 2021 13:14:38 -0400
Subject: [PATCH 012/135] fixed custom refs... i think

---
 scripts/generate_guidance.py | 50 ++++++++++++++++++++++++------------
 1 file changed, 34 insertions(+), 16 deletions(-)

diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py
index 07302a8d..90416a02 100755
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
@@ -1011,19 +1011,37 @@ def get_rule_yaml(rule_file, custom=False):
 og_rule_yaml = yaml.load(og, Loader=yaml.SafeLoader)
 for yaml_field in og_rule_yaml:
- try:
- if og_rule_yaml[yaml_field] == rule_yaml[yaml_field]:
- #print("using default data in yaml field {}".format(yaml_field))
- resulting_yaml[yaml_field] = og_rule_yaml[yaml_field]
- else:
- print('using CUSTOM value for yaml field {} in rule {}'.format(yaml_field, file_name))
- resulting_yaml[yaml_field] = rule_yaml[yaml_field]
- if 'customized' in resulting_yaml:
- resulting_yaml['customized'].append("customized {}".format(yaml_field))
+ #print('processing field {} for rule {}'.format(yaml_field, file_name))
+ if yaml_field == "references":
+ if not 'references' in resulting_yaml:
+ resulting_yaml['references'] = {}
+ for ref in og_rule_yaml['references']:
+ try:
+ if og_rule_yaml['references'][ref] == rule_yaml['references'][ref]:
+ resulting_yaml['references'][ref] = og_rule_yaml['references'][ref]
+ else:
+ resulting_yaml['references'][ref] = rule_yaml['references'][ref]
+ except KeyError:
+ # reference not found in original rule yaml, trying to use reference from custom rule
+ try:
+ resulting_yaml['references'][ref] = rule_yaml['references'][ref]
+ except KeyError:
+ resulting_yaml['references'][ref] = og_rule_yaml['references'][ref]
+
+ else:
+ try:
+ if og_rule_yaml[yaml_field] == rule_yaml[yaml_field]:
+ #print("using default data in yaml field {}".format(yaml_field))
+ resulting_yaml[yaml_field] = og_rule_yaml[yaml_field]
 else:
- resulting_yaml['customized'] = ["customized {}".format(yaml_field)]
- except KeyError:
- resulting_yaml[yaml_field] = og_rule_yaml[yaml_field]
+ #print('using CUSTOM value for yaml field {} in rule {}'.format(yaml_field, file_name))
+ resulting_yaml[yaml_field] = rule_yaml[yaml_field]
+ if 'customized' in resulting_yaml:
+ resulting_yaml['customized'].append("customized {}".format(yaml_field))
+ else:
+ resulting_yaml['customized'] = ["customized {}".format(yaml_field)]
+
except KeyError:
+ resulting_yaml[yaml_field] = og_rule_yaml[yaml_field]
 return resulting_yaml
@@ -1156,7 +1174,6 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
 if rule.rule_custom_refs != ['None']:
 for title, ref in rule.rule_custom_refs.items():
 if title not in custom_ref_column:
- print("Current column counter: {}, processing Rule: {} adding title: {}".format(column_counter, rule.rule_id, title))
 custom_ref_column[title] = column_counter
 column_counter = column_counter + 1
 sheet1.write(0, custom_ref_column[title], title, headers)
@@ -1216,14 +1233,15 @@ def create_rules(baseline_yaml):
 try:
 rule_yaml[key]
 except:
- #print "{} key missing ..for {}".format(key, rule)
+ #print("{} key missing ..for {}".format(key, rule))
 rule_yaml.update({key: ""})
 if key == "references":
 for reference in references:
 try:
 rule_yaml[key][reference]
+ #print("FOUND reference {} for key {} for rule {}".format(reference, key, rule))
 except:
- #print "expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule)
+ #print("expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule))
 rule_yaml[key].update({reference: ["None"]})
 all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\|'),
 rule_yaml['id'].replace('|', '\|'),
@@ -1497,7 +1515,7 @@ def main():
 section_yaml_file = sections['section'].lower() + '.yaml'
 #check for custom section
 if section_yaml_file in glob.glob1('../custom/sections/', '*.yaml'):
- print(f"Custom settings found for section: {sections['section']}")
+ #print(f"Custom settings found for section: {sections['section']}")
 override_section = os.path.join(
 f'../custom/sections/{section_yaml_file}')
 with open(override_section) as r:

From 8aca460214080de5c0e570363f0a12c04e66d817 Mon Sep 17 00:00:00 2001
From: Dan Brodjieski
Date: Mon, 22 Mar 2021 13:44:04 -0400
Subject: [PATCH 013/135] custom references now included

---
 scripts/generate_guidance.py | 2 ++
 1 file changed, 2 insertions(+)
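Review bot: In the new references branch of get_rule_yaml the retry inside `except KeyError:` is dead code: the loop walks the keys of `og_rule_yaml['references']`, so the only lookup that can raise is `rule_yaml['references'][ref]`, which the retry repeats and which raises again, so the fallback always lands on the original value. A custom reference value that does differ is copied into the result but, unlike every other field in this loop, never recorded in `customized`, and keys present only in the custom rule are never visited. Flattening the loop with `.get()` removes the nested try and records the override, as sketched below; the enclosing function starts before this hunk and the non-references branch is left as it is.

```python
            if yaml_field == "references":
                merged = resulting_yaml.setdefault('references', {})
                custom_refs = rule_yaml.get('references', {})
                for ref, og_value in og_rule_yaml['references'].items():
                    # the custom value wins; a key the custom rule omits keeps the original
                    merged[ref] = custom_refs.get(ref, og_value)
                if any(merged[ref] != og_value for ref, og_value in og_rule_yaml['references'].items()):
                    resulting_yaml.setdefault('customized', []).append("customized references")
            else:
                # … unchanged: per-field comparison and 'customized' bookkeeping …
```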
diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py
index 90416a02..53fcccef 100755
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
@@ -1027,6 +1027,8 @@ def get_rule_yaml(rule_file, custom=False):
 resulting_yaml['references'][ref] = rule_yaml['references'][ref]
 except KeyError:
 resulting_yaml['references'][ref] = og_rule_yaml['references'][ref]
+ if "custom" in rule_yaml['references']:
+ resulting_yaml['references']['custom'] = rule_yaml['references']['custom']

 else:
 try:

From f114902265ba17110d08bd17c5b093964c2bcfb6 Mon Sep 17 00:00:00 2001
From: Dan Brodjieski
Date: Mon, 22 Mar 2021 14:21:46 -0400
Subject: [PATCH 014/135] added note about customized references

---
 scripts/generate_guidance.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py
index 53fcccef..3ea6f195 100755
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
@@ -1029,6 +1029,10 @@ def get_rule_yaml(rule_file, custom=False):
 resulting_yaml['references'][ref] = og_rule_yaml['references'][ref]
 if "custom" in rule_yaml['references']:
 resulting_yaml['references']['custom'] = rule_yaml['references']['custom']
+ if 'customized' in resulting_yaml:
+ resulting_yaml['customized'].append("customized references")
+ else:
+ resulting_yaml['customized'] = ["customized references"]

 else:
 try:

From 1fee52a1d403a2df5b621ba5a4559a3517877229 Mon Sep 17 00:00:00 2001
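Review bot: The new `if "custom" in rule_yaml['references']:` is evaluated outside the `try`/`except KeyError` that protects the per-reference lookups above it, so a custom rule file with no `references:` block now raises KeyError instead of falling back to the original references. Use the same tolerant lookup the rest of the loop relies on, `if "custom" in rule_yaml.get('references', {}):`. The hunk's indentation is lost in this rendering, so whether the check sits inside or after the `for ref` loop (and therefore runs once or once per reference) needs confirming in the file; get_rule_yaml starts before this hunk.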
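Review bot: The four-line append-or-create on `resulting_yaml['customized']` repeats the idiom already used for the other fields in this function and collapses to one line, `resulting_yaml.setdefault('customized', []).append("customized references")`. If this block is inside the `for ref` loop rather than after it (the indentation isn't recoverable here), the note is appended once per reference key, which is worth guarding with a membership check or moving the block after the loop.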
From: Bob Gendler
Date: Mon, 22 Mar 2021 17:01:17 -0400
Subject: [PATCH 015/135] more rev5 impacted changes

---
 rules/audit/audit_auditd_enabled.yaml | 1 +
 rules/audit/audit_flags_aa_configure.yaml | 1 +
 rules/audit/audit_flags_ad_configure.yaml | 1 +
 rules/audit/audit_flags_fd_configure.yaml | 1 +
 rules/audit/audit_flags_fm_configure.yaml | 1 +
 rules/audit/audit_flags_fr_configure.yaml | 1 +
 rules/audit/audit_flags_fw_configure.yaml | 1 +
 rules/audit/audit_flags_lo_configure.yaml | 1 +
 rules/os/os_certificate_authority_trust.yaml | 2 ++
 rules/os/os_fail_secure_state.yaml | 2 ++
 rules/os/os_firewall_default_deny_require.yaml | 1 +
 rules/os/os_firewall_log_enable.yaml | 1 +
 rules/os/os_implement_cryptography.yaml | 2 ++
 rules/os/os_password_autofill_disable.yaml | 1 +
 rules/os/os_protect_dos_attacks.yaml | 2 ++
 rules/os/os_reauth_devices_change_authenticators.yaml | 2 ++
 rules/os/os_reauth_privilege.yaml | 2 ++
 rules/os/os_reauth_users_change_authenticators.yaml | 2 ++
 rules/os/os_ssh_fips_140_ciphers.yaml | 2 ++
 rules/os/os_ssh_fips_140_macs.yaml | 2 ++
 rules/os/os_sshd_fips_140_ciphers.yaml | 2 ++
 rules/os/os_sshd_fips_140_macs.yaml | 2 ++
 rules/os/os_sudoers_tty_configure.yaml | 2 ++
 rules/sysprefs/sysprefs_firewall_enable.yaml | 1 +
 rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml | 2 ++
 25 files changed, 38 insertions(+)

diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml
index ea6f7e26..f14241f1 100644
--- a/rules/audit/audit_auditd_enabled.yaml
+++ b/rules/audit/audit_auditd_enabled.yaml
@@ -41,6 +41,7 @@ references:
 - AU-12
 - AU-12(3)
 - AU-14(1)
+ - MA-4(1)
 800-53r4:
 - AU-3
 - AU-3(1)
diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml
index 63a1057b..c8930f27 100644
--- a/rules/audit/audit_flags_aa_configure.yaml
+++ b/rules/audit/audit_flags_aa_configure.yaml
@@ -23,6 +23,7 @@ references:
 800-53r5:
 - AU-12
 - AU-2
+ - MA-4(1)
 800-53r4:
 - AU-2
 - AU-12
diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml
index 4f6a6a99..00869a6d 100644
--- a/rules/audit/audit_flags_ad_configure.yaml
+++ b/rules/audit/audit_flags_ad_configure.yaml
@@ -33,6 +33,7 @@ references:
 - AU-12
 - AC-2(4)
 - AU-2
+ - MA-4(1)
 800-53r4:
 - AU-2
 - AC-2(4)
diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml
index 5b652275..bb3b0502 100644
--- a/rules/audit/audit_flags_fd_configure.yaml
+++ b/rules/audit/audit_flags_fd_configure.yaml
@@ -28,6 +28,7 @@ references:
 - AU-2
 - AU-9
 - CM-5(1)
+ - MA-4(1)
 800-53r4:
 - AU-2
 - AU-12
diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml
index cd7d6dae..6798eef0 100644
--- a/rules/audit/audit_flags_fm_configure.yaml
+++ b/rules/audit/audit_flags_fm_configure.yaml
@@ -28,6 +28,7 @@ references:
 - AU-2
 - AU-9
 - CM-5(1)
+ - MA-4(1)
 800-53r4:
 - AU-2
 - AU-12
diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml
index 4419d4cc..079920df 100644
--- a/rules/audit/audit_flags_fr_configure.yaml
+++ b/rules/audit/audit_flags_fr_configure.yaml
@@ -28,6 +28,7 @@ references:
 - AU-2
 - AU-9
 - CM-5(1)
+ - MA-4(1)
 800-53r4:
 - AU-2
 - AU-12
diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml
index 3c1bd65b..30a193b0 100644
--- a/rules/audit/audit_flags_fw_configure.yaml
+++ b/rules/audit/audit_flags_fw_configure.yaml
@@ -27,6 +27,7 @@ references:
 - AU-2
 - AU-9
 - CM-5(1)
+ - MA-4(1)
 800-53r4:
 - AU-2
 - AU-12
diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml
index 8b90d905..c048c4ea 100644
--- a/rules/audit/audit_flags_lo_configure.yaml
+++ b/rules/audit/audit_flags_lo_configure.yaml
@@ -25,6 +25,7 @@ references:
 - AU-12
 - AC-17(1)
 - AU-2
+ - MA-4(1)
 800-53r4:
 - AU-2
 - AC-17(1)
diff --git a/rules/os/os_certificate_authority_trust.yaml b/rules/os/os_certificate_authority_trust.yaml
index dd00a9ff..325c7ce2 100644
--- a/rules/os/os_certificate_authority_trust.yaml
+++ b/rules/os/os_certificate_authority_trust.yaml
@@ -14,6 +14,8 @@ references:
 cci:
 - CCI-000185
 - CCI-002450
+ 800-53r5:
+ - SC-17
 800-53r4:
 - SC-17
 disa_stig:
diff --git a/rules/os/os_fail_secure_state.yaml b/rules/os/os_fail_secure_state.yaml
index 39f2cf47..a8abd55b 100644
--- a/rules/os/os_fail_secure_state.yaml
+++ b/rules/os/os_fail_secure_state.yaml
@@ -18,6 +18,8 @@ references:
 cci:
 - CCI-001190
 - CCI-001665
+ 800-53r5:
+ - SC-24
 800-53r4:
 - SC-24
 disa_stig:
diff --git a/rules/os/os_firewall_default_deny_require.yaml b/rules/os/os_firewall_default_deny_require.yaml
index 9387a704..7bd6978d 100644
--- a/rules/os/os_firewall_default_deny_require.yaml
+++ b/rules/os/os_firewall_default_deny_require.yaml
@@ -27,6 +27,7 @@ references:
 - CCI-002080
 800-53r5:
 - AC-4
+ - SC-7(5)
 800-53r4:
 - SC-7(5)
 - AC-4
diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml
index 28fd6547..a5033eff 100644
--- a/rules/os/os_firewall_log_enable.yaml
+++ b/rules/os/os_firewall_log_enable.yaml
@@ -22,6 +22,7 @@ references:
 - N/A
 800-53r5:
 - AU-12
+ - SC-7
 800-53r4:
 - SC-7
 - AU-12
diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml
index d1a25e5a..3cf39351 100644
--- a/rules/os/os_implement_cryptography.yaml
+++ b/rules/os/os_implement_cryptography.yaml
@@ -19,6 +19,8 @@ references:
 - CCE-85326-7
 cci:
 - CCI-002450
+ 800-53r5:
+ - SC-13
 800-53r4:
 - SC-13
 disa_stig:
diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml
index 93b85f39..003ad07c 100644
--- a/rules/os/os_password_autofill_disable.yaml
+++ b/rules/os/os_password_autofill_disable.yaml
@@ -16,6 +16,7 @@ references:
 800-53r5:
 - IA-5(13)
 - CM-7
+ - IA-11
 800-53r4:
 - IA-5
 - IA-5(13)
diff --git a/rules/os/os_protect_dos_attacks.yaml b/rules/os/os_protect_dos_attacks.yaml
index c6560eaa..0d1f946c 100644
--- a/rules/os/os_protect_dos_attacks.yaml
+++ b/rules/os/os_protect_dos_attacks.yaml
@@ -15,6 +15,8 @@ references:
 - CCE-85363-0
 cci:
 - CCI-002385
+ 800-53r5:
+ - SC-5
 800-53r4:
 - SC-5
 disa_stig:
diff --git a/rules/os/os_reauth_devices_change_authenticators.yaml b/rules/os/os_reauth_devices_change_authenticators.yaml
index 6a343a0a..dfaf1acf 100644
--- a/rules/os/os_reauth_devices_change_authenticators.yaml
+++ b/rules/os/os_reauth_devices_change_authenticators.yaml
@@ -13,6 +13,8 @@ references:
 - CCE-85366-3
 cci:
 - CCI-002039
+ 800-53r5:
+ - IA-11
 800-53r4:
 - IA-11
 disa_stig:
diff --git a/rules/os/os_reauth_privilege.yaml b/rules/os/os_reauth_privilege.yaml
index f696e9bf..c5b1bbc6 100644
--- a/rules/os/os_reauth_privilege.yaml
+++ b/rules/os/os_reauth_privilege.yaml
@@ -11,6 +11,8 @@ references:
 - CCE-85367-1
 cci:
 - CCI-002038
+ 800-53r5:
+ - IA-11
 800-53r4:
 - IA-11
 disa_stig:
diff --git a/rules/os/os_reauth_users_change_authenticators.yaml b/rules/os/os_reauth_users_change_authenticators.yaml
index b84f0cf1..f53f122f 100644
--- a/rules/os/os_reauth_users_change_authenticators.yaml
+++ b/rules/os/os_reauth_users_change_authenticators.yaml
@@ -11,6 +11,8 @@ references:
 - CCE-85368-9
 cci:
 - CCI-002038
+ 800-53r5:
+ - IA-11
 800-53r4:
 - IA-11
 disa_stig:
diff --git a/rules/os/os_ssh_fips_140_ciphers.yaml b/rules/os/os_ssh_fips_140_ciphers.yaml
index 10da285b..5da0e13c 100644
--- a/rules/os/os_ssh_fips_140_ciphers.yaml
+++ b/rules/os/os_ssh_fips_140_ciphers.yaml
@@ -25,6 +25,8 @@ references:
 800-53r5:
 - AC-17(2)
 - IA-7
+ - SC-13
+ - SC-8(1)
 800-53r4:
 - AC-17(2)
 - IA-7
diff --git a/rules/os/os_ssh_fips_140_macs.yaml b/rules/os/os_ssh_fips_140_macs.yaml
index 6f63d4b1..a4daf30b 100644
--- a/rules/os/os_ssh_fips_140_macs.yaml
+++ b/rules/os/os_ssh_fips_140_macs.yaml
@@ -29,6 +29,8 @@ references:
 800-53r5:
 - AC-17(2)
 - IA-7
+ - SC-13
+ - SC-8(1)
 800-53r4:
 - AC-17(2)
 - IA-7
diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml
index 9f615032..52211e6f 100644
--- a/rules/os/os_sshd_fips_140_ciphers.yaml
+++ b/rules/os/os_sshd_fips_140_ciphers.yaml
@@ -29,6 +29,8 @@ references:
 800-53r5:
 - AC-17(2)
 - IA-7
+ - SC-13
+ - SC-8(1)
 800-53r4:
 - AC-17(2)
 - IA-7
diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml
index b4e2da5b..e4458c2a 100644
--- a/rules/os/os_sshd_fips_140_macs.yaml
+++ b/rules/os/os_sshd_fips_140_macs.yaml
@@ -29,6 +29,8 @@ references:
 800-53r5:
 - AC-17(2)
 - IA-7
+ - SC-13
+ - SC-8(1)
 800-53r4:
 - AC-17(2)
 - IA-7
diff --git a/rules/os/os_sudoers_tty_configure.yaml b/rules/os/os_sudoers_tty_configure.yaml
index 0d137f92..2ecdd264 100644
--- a/rules/os/os_sudoers_tty_configure.yaml
+++ b/rules/os/os_sudoers_tty_configure.yaml
@@ -18,6 +18,8 @@ references:
 - CCE-85387-9
 cci:
 - CCI-000366
+ 800-53r5:
+ - IA-11
 800-53r4:
 - IA-11
 srg:
diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml
index b9391051..36cff988 100644
--- a/rules/sysprefs/sysprefs_firewall_enable.yaml
+++ b/rules/sysprefs/sysprefs_firewall_enable.yaml
@@ -22,6 +22,7 @@ references:
 - AC-4
 - SC-7(12)
 - CM-7
+ - SC-7
 800-53r4:
 - AC-4
 - AC-6(1)
diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
index 013e258b..4119c02c 100644
--- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
+++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
@@ -23,6 +23,8 @@ references:
 - CCE-85428-1
 800-53r5:
 - CM-7
+ - SC-7(16)
+ - SC-7
 800-53r4:
 - SC-7
 - CM-7

From feba7d06fdeb44fdf03dcfc133dce764f82d674e Mon Sep 17 00:00:00 2001
From: Dan Brodjieski
Date: Wed, 24 Mar 2021 14:49:23 -0400
Subject: [PATCH 016/135] don't need 800-53r4 ref

---
 scripts/generate_guidance.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py
index 3ea6f195..207a4e98 100755
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
@@ -1665,6 +1665,9 @@ def main():
 nist_controls = ''
 for i in res:
 nist_controls += group_ulify(i)
+ else:
+ nist_controls = "N/A"
+
 if 'supplemental' in tags:
 rule_adoc = adoc_supplemental_template.substitute(
 rule_title=rule_yaml['title'].replace('|', '\|'),

From da4c40d8b31ab50048555f50b44a4f31ec31511a Mon Sep 17 00:00:00 2001
From: Dan Brodjieski
Date: Wed, 24 Mar 2021 14:52:45 -0400
Subject: [PATCH 017/135] scripts too

---
 scripts/generate_guidance.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py
index 207a4e98..c490a345 100755
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
@@ -788,6 +788,8 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)"
 nist_controls = ''
 for i in res:
 nist_controls += group_ulify(i)
+ else:
+ nist_controls = "N/A"
 # print checks and result
 try:
@@ -1667,7 +1669,7 @@ def main():
 nist_controls += group_ulify(i)
 else:
 nist_controls = "N/A"
-
+
 if 'supplemental' in tags:
 rule_adoc = adoc_supplemental_template.substitute(
 rule_title=rule_yaml['title'].replace('|', '\|'),

From d8102d6648c6cb3e5f2d59ed066d161190fda772 Mon Sep 17 00:00:00 2001
From: Allen Golbig
Date: Thu, 25 Mar 2021 12:12:36 -0400
Subject: [PATCH 018/135] Fixed refs

---
 scripts/generate_guidance.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py
index c490a345..519a7b6d 100755
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
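Review bot: The added `else:` directly follows a `for i in res:` loop whose governing `if` lies outside the hunk, so from the visible lines it is ambiguous whether this is the intended `if`/`else` or a `for`/`else`; a `for`/`else` body runs after every loop that does not `break` and would overwrite the concatenated controls with "N/A". Worth confirming the indentation against the `if` above and, either way, adding a comment such as `# rule has no 800-53r5 mapping` so the fallback's meaning is clear at a glance. The same shape is added again at line 788 in the PATCH 017 hunk that follows. main() starts and ends outside these hunks.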
@@ -1577,7 +1577,7 @@ def main():
 try:
 rule_yaml['references']['cce']
 except KeyError:
- cce = 'N/A'
+ cce = '- N/A'
 else:
 cce = ulify(rule_yaml['references']['cce'])
@@ -1592,7 +1592,7 @@ def main():
 try:
 rule_yaml['references']['800-171r2']
 except KeyError:
- nist_800171 = '• N/A'
+ nist_800171 = '- N/A'
 else:
 #nist_80053r4 = ulify(rule_yaml['references']['800-53r4'])
 nist_800171 = ulify(rule_yaml['references']['800-171r2'])
@@ -1600,14 +1600,14 @@ def main():
 try:
 rule_yaml['references']['disa_stig']
 except KeyError:
- disa_stig = 'N/A'
+ disa_stig = '- N/A'
 else:
 disa_stig = ulify(rule_yaml['references']['disa_stig'])
 try:
 rule_yaml['references']['srg']
 except KeyError:
- srg = 'N/A'
+ srg = '- N/A'
 else:
 srg = ulify(rule_yaml['references']['srg'])
@@ -1668,7 +1668,7 @@ def main():
 for i in res:
 nist_controls += group_ulify(i)
 else:
- nist_controls = "N/A"
+ nist_controls = "- N/A"
 if 'supplemental' in tags:
 rule_adoc = adoc_supplemental_template.substitute(

From 30bf7d8502acc310c1d747d856bb7d5f86ee4a71 Mon Sep 17 00:00:00 2001
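Review bot: The `'- N/A'` placeholder is now spelled out as a literal in five places across these hunks (cce, nist_800171, disa_stig, srg and nist_controls), and the hunk that turns `'• N/A'` into `'- N/A'` shows how easily the variants drift apart. A single module-level constant, e.g. `NA_LIST_ITEM = '- N/A'`, used at each site keeps the list marker that the adoc templates expect in one place. main() starts and ends outside these hunks.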
From: Bob Gendler
Date: Mon, 29 Mar 2021 14:20:15 -0400
Subject: [PATCH 019/135] IA-5 and IA-5(1) R5

---
 rules/os/os_obscure_password.yaml | 1 +
 rules/os/os_password_autofill_disable.yaml | 1 +
 rules/os/os_password_proximity_disable.yaml | 2 ++
 rules/os/os_password_sharing_disable.yaml | 2 ++
 rules/os/os_store_encrypted_passwords.yaml | 1 +
 rules/os/os_tftpd_disable.yaml | 1 +
 rules/pwpolicy/pwpolicy_50_percent.yaml | 2 --
 rules/pwpolicy/pwpolicy_60_day_enforce.yaml | 2 --
 rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml | 1 +
 rules/pwpolicy/pwpolicy_force_password_change.yaml | 1 +
 rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml | 1 +
 rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml | 1 +
 rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml | 2 --
 rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml | 1 +
 rules/pwpolicy/pwpolicy_special_character_enforce.yaml | 1 +
 rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml | 1 +
 16 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml
index 4cf1aac5..d6d56225 100644
--- a/rules/os/os_obscure_password.yaml
+++ b/rules/os/os_obscure_password.yaml
@@ -17,6 +17,7 @@ references:
 - CCI-000206
 800-53r5:
 - IA-6
+ - IA-5
 800-53r4:
 - IA-5
 - IA-6
diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml
index 003ad07c..fb6b8646 100644
--- a/rules/os/os_password_autofill_disable.yaml
+++ b/rules/os/os_password_autofill_disable.yaml
@@ -17,6 +17,7 @@ references:
 - IA-5(13)
 - CM-7
 - IA-11
+ - IA-5
 800-53r4:
 - IA-5
 - IA-5(13)
diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml
index ef22e29d..81d5310d 100644
--- a/rules/os/os_password_proximity_disable.yaml
+++ b/rules/os/os_password_proximity_disable.yaml
@@ -15,6 +15,8 @@ references:
 - CCE-85352-3
 cci:
 - N/A
+ 800-53r5:
+ - IA-5
 800-53r4:
 - IA-5
 srg:
diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml
index 04a61d85..f8e47da6 100644
--- a/rules/os/os_password_sharing_disable.yaml
+++ b/rules/os/os_password_sharing_disable.yaml
@@ -13,6 +13,8 @@ fix: |
 references:
 cce:
 - CCE-85353-1
+ 800-53r5:
+ - IA-5
 800-53r4:
 - IA-5
 srg:
diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml
index 1d626eb1..2c01203e 100644
--- a/rules/os/os_store_encrypted_passwords.yaml
+++ b/rules/os/os_store_encrypted_passwords.yaml
@@ -17,6 +17,7 @@ references:
 - CCI-000196
 800-53r5:
 - IA-5(1)
+ - IA-5(1)
 800-53r4:
 - IA-5(1)
 - IA-5(1)(c)
diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml
index 92c603ff..cddcb1f3 100644
--- a/rules/os/os_tftpd_disable.yaml
+++ b/rules/os/os_tftpd_disable.yaml
@@ -21,6 +21,7 @@ references:
 - CCI-000197
 800-53r5:
 - AC-3
+ - IA-5(1)
 800-53r4:
 - AC-3
 - IA-5(1)
diff --git a/rules/pwpolicy/pwpolicy_50_percent.yaml b/rules/pwpolicy/pwpolicy_50_percent.yaml
index 6226783c..cfe5d1cc 100644
--- a/rules/pwpolicy/pwpolicy_50_percent.yaml
+++ b/rules/pwpolicy/pwpolicy_50_percent.yaml
@@ -15,8 +15,6 @@ references:
 - CCE-85399-4
 cci:
 - CCI-000195
- 800-53r5:
- - IA-5(1)
 800-53r4:
 - IA-5
 - IA-5(1)(b)
diff --git a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
index fada8f82..1994cbb6 100644
--- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
@@ -15,8 +15,6 @@ references:
 - CCE-85400-0
 cci:
 - CCI-000199
- 800-53r5:
- - IA-5(1)
 800-53r4:
 - IA-5
 - IA-5(1)
diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
index 98ffea37..5e814f61 100644
--- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
@@ -16,6 +16,7 @@ references:
 cci:
 - CCI-000194
 800-53r5:
+ - IA-5
 - IA-5(1)
 800-53r4:
 - IA-5
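Review bot: The added `- IA-5(1)` in os_store_encrypted_passwords.yaml is identical to the `- IA-5(1)` already listed directly above it under 800-53r5, so this hunk only introduces a duplicate entry. The rev4 list in the same hunk pairs `IA-5(1)` with `IA-5(1)(c)`, which suggests a different rev5 entry was intended; the new line should be corrected or removed. The PATCH 020 diffstat further down touches this file again (`2 +-`), which may be the correction, but that hunk isn't visible here.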
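Review bot: The pwpolicy_50_percent.yaml hunk removes the whole `800-53r5:` block rather than replacing it, so the rule keeps its rev4 mapping but no longer maps to any rev5 control; the pwpolicy_60_day_enforce.yaml hunk below and the pwpolicy_minimum_lifetime_enforce.yaml hunk on the next line do the same. If this is deliberate (the corresponding password-composition and lifetime requirements having no rev5 equivalent), a short YAML comment where the block used to be, e.g. `# no 800-53r5 mapping; requirement not carried into rev5`, records the decision and keeps the next rev5 pass from re-adding the block. If it is not deliberate, the block should be retained with the intended rev5 control rather than deleted.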
diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml
index 9c63e2f2..f7130abf 100644
--- a/rules/pwpolicy/pwpolicy_force_password_change.yaml
+++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml
@@ -21,6 +21,7 @@ references:
 cci:
 - CCI-002041
 800-53r5:
+ - IA-5
 - IA-5(1)
 800-53r4:
 - IA-5
diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
index b96cd155..729fe8f1 100644
--- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
@@ -40,6 +40,7 @@ references:
 cci:
 - CCI-000193
 800-53r5:
+ - IA-5
 - IA-5(1)
 800-53r4:
 - IA-5
diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
index 9c7f0f07..b2b199b1 100644
--- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
@@ -16,6 +16,7 @@ references:
 cci:
 - CCI-000205
 800-53r5:
+ - IA-5
 - IA-5(1)
 800-53r4:
 - IA-5
diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
index 3a52ff8a..07e02bbe 100644
--- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
@@ -39,8 +39,6 @@ references:
 - CCE-85410-9
 cci:
 - N/A
- 800-53r5:
- - IA-5(1)
 800-53r4:
 - IA-5(1)
 disa_stig:
diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
index cfc16c0f..fa7b9dae 100644
--- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
@@ -16,6 +16,7 @@ references:
 cci:
 - N/A
 800-53r5:
+ - IA-5
 - IA-5(1)
 800-53r4:
 - IA-5
diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
index 419730c8..5ba7dfa0 100644
--- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
@@ -18,6 +18,7 @@ references:
 cci:
 - CCI-001619
 800-53r5:
+ - IA-5
 - IA-5(1)
 800-53r4:
 - IA-5
diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
index ad02e7f0..6e040409 100644
--- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
@@ -40,6 +40,7 @@ references:
 cci:
 - CCI-000192
 800-53r5:
+ - IA-5
 - IA-5(1)
 800-53r4:
 - IA-5

From 02515c83c8d76ca2a36ed3ae51dd5c84421b2b90 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Mon, 5 Apr 2021 15:22:58 -0400
Subject: [PATCH 020/135] Rev5 reviewing and additions

---
 rules/audit/audit_auditd_enabled.yaml | 1 +
 rules/audit/audit_flags_aa_configure.yaml | 1 +
 rules/audit/audit_flags_ad_configure.yaml | 1 +
 ...rtcard_certificate_trust_enforce_high.yaml | 3 +-
 ...rd_certificate_trust_enforce_moderate.yaml | 3 +-
 rules/auth/auth_smartcard_enforce.yaml | 4 +-
 rules/auth/auth_ssh_smartcard_enforce.yaml | 6 ---
 rules/icloud/icloud_addressbook_disable.yaml | 1 +
 rules/icloud/icloud_bookmarks_disable.yaml | 1 +
 rules/icloud/icloud_calendar_disable.yaml | 1 +
 rules/icloud/icloud_drive_disable.yaml | 1 +
 rules/icloud/icloud_keychain_disable.yaml | 1 +
 rules/icloud/icloud_mail_disable.yaml | 1 +
 rules/icloud/icloud_notes_disable.yaml | 1 +
 rules/icloud/icloud_photos_disable.yaml | 1 +
 rules/icloud/icloud_reminders_disable.yaml | 1 +
 rules/icloud/icloud_sync_disable.yaml | 1 +
 rules/os/os_authenticated_root_enable.yaml | 2 +
 rules/os/os_camera_disable.yaml | 2 +
 .../os/os_directory_services_configured.yaml | 2 +-
 rules/os/os_filevault_autologin_disable.yaml | 1 +
 rules/os/os_filevault_user_account.yaml | 2 +
 rules/os/os_firmware_password_require.yaml | 2 +
 rules/os/os_gatekeeper_enable.yaml | 1 +
 rules/os/os_guest_access_smb_disable.yaml | 1 +
 rules/os/os_guest_account_disable.yaml | 1 +
 rules/os/os_hbss_installed.yaml | 2 +
 rules/os/os_httpd_disable.yaml | 1 +
 rules/os/os_nfsd_disable.yaml | 1 +
 rules/os/os_policy_banner_ssh_configure.yaml | 3 --
 rules/os/os_policy_banner_ssh_enforce.yaml | 3 --
 rules/os/os_secure_boot_verify.yaml | 3 ++
 rules/os/os_separate_functionality.yaml | 1 +
 ..._ssh_server_alive_count_max_configure.yaml | 1 -
 ...s_ssh_server_alive_interval_configure.yaml | 1 -
 ...sshd_client_alive_count_max_configure.yaml | 2 -
 ..._sshd_client_alive_interval_configure.yaml | 2 -
 rules/os/os_sshd_fips_140_ciphers.yaml | 3 --
 rules/os/os_sshd_fips_140_macs.yaml | 3 --
 ...sshd_key_exchange_algorithm_configure.yaml | 4 +-
.../os_sshd_login_grace_time_configure.yaml | 2 -
 .../os_sshd_permit_root_login_configure.yaml | 1 -
 rules/os/os_store_encrypted_passwords.yaml | 2 +-
 rules/os/os_sudoers_tty_configure.yaml | 4 ++
 rules/os/os_system_read_only.yaml | 1 +
 rules/os/os_tftpd_disable.yaml | 1 +
 rules/os/os_touchid_prompt_disable.yaml | 2 +
 rules/os/os_unique_identification.yaml | 2 +
 rules/os/os_uucp_disable.yaml | 1 +
 rules/sysprefs/sysprefs_afp_disable.yaml | 46 -------------------
 .../sysprefs/sysprefs_bluetooth_disable.yaml | 1 -
 .../sysprefs_bluetooth_sharing_disable.yaml | 1 -
 .../sysprefs_diagnostics_reports_disable.yaml | 1 +
 .../sysprefs/sysprefs_filevault_enforce.yaml | 2 +-
 ...sprefs_improve_siri_dictation_disable.yaml | 1 +
 .../sysprefs_location_services_disable.yaml | 1 +
 .../sysprefs_media_sharing_disabled.yaml | 1 +
 ...refs_personalized_advertising_disable.yaml | 1 +
 rules/sysprefs/sysprefs_rae_disable.yaml | 1 +
 .../sysprefs_screen_sharing_disable.yaml | 1 +
 .../sysprefs_screensaver_timeout_enforce.yaml | 1 +
 rules/sysprefs/sysprefs_siri_disable.yaml | 1 +
 rules/sysprefs/sysprefs_smbd_disable.yaml | 1 +
 rules/sysprefs/sysprefs_ssh_disable.yaml | 1 +
 rules/sysprefs/sysprefs_wifi_disable.yaml | 2 -
 ...fi_disable_when_connected_to_ethernet.yaml | 2 -
 66 files changed, 62 insertions(+), 92 deletions(-)
 delete mode 100644 rules/sysprefs/sysprefs_afp_disable.yaml

diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml
index f14241f1..c14505fb 100644
--- a/rules/audit/audit_auditd_enabled.yaml
+++ b/rules/audit/audit_auditd_enabled.yaml
@@ -42,6 +42,7 @@ references:
 - AU-12(3)
 - AU-14(1)
 - MA-4(1)
+ - CM-5(1)
 800-53r4:
 - AU-3
 - AU-3(1)
diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml
index c8930f27..e005ed54 100644
--- a/rules/audit/audit_flags_aa_configure.yaml
+++ b/rules/audit/audit_flags_aa_configure.yaml
@@ -24,6 +24,7 @@ references: - AU-12 - AU-2 - MA-4(1) + - CM-5(1) 800-53r4: - AU-2 - AU-12 diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index 00869a6d..257445c7 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -34,6 +34,7 @@ references: - AC-2(4) - AU-2 - MA-4(1) + - CM-5(1) 800-53r4: - AU-2 - AC-2(4) diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml index 75d5abed..59b34b02 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml @@ -22,6 +22,7 @@ references: 800-53r5: - IA-2(12) - IA-5(2) + - SC-17 800-53r4: - IA-2(12) - IA-5(2) @@ -32,8 +33,6 @@ references: macOS: - "11.0" tags: - - 800-53r5_low - - 800-53r5_moderate - 800-53r5_high - 800-53r4_high mobileconfig: true diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml index fede4d45..1d3d268b 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml @@ -26,6 +26,7 @@ references: 800-53r5: - IA-2(12) - IA-5(2) + - SC-17 800-53r4: - IA-2(12) - IA-5(2) @@ -40,9 +41,7 @@ references: macOS: - "11.0" tags: - - 800-53r5_low - 800-53r5_moderate - - 800-53r5_high - 800-53r4_moderate - cnssi-1253 - stig diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index b08e3147..f96a770a 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml @@ -29,9 +29,7 @@ references: - IA-2(6) - IA-2 - IA-5(2) - - IA-2(1) - - IA-2(2) - - IA-2(6) + - IA-2(12) 800-53r4: - IA-2 - IA-2(1) 
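Review bot: The auth_smartcard_enforce hunk replaces the IA-2(1), IA-2(2) and IA-2(6) entries under 800-53r5 with a single IA-2(12), which drops the multifactor-authentication controls from the rule that enforces smart-card login unless those identifiers already appear above line 29, which the hunk does not show. The removed `- IA-2(6)` is visibly a duplicate of the context line just above it, but IA-2(1) and IA-2(2) have no earlier copy in view. If they were meant to stay, the new list should read `- IA-2(1)`, `- IA-2(2)`, `- IA-2(12)`; if they were dropped on purpose, the commit message should say why an enforce-smart-card rule no longer maps to MFA. The references block starts above the hunk.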
diff --git a/rules/auth/auth_ssh_smartcard_enforce.yaml b/rules/auth/auth_ssh_smartcard_enforce.yaml index 49f3f9be..69f2e545 100644 --- a/rules/auth/auth_ssh_smartcard_enforce.yaml +++ b/rules/auth/auth_ssh_smartcard_enforce.yaml @@ -28,9 +28,6 @@ references: - IA-2 - IA-5(2) - MA-4 - - IA-2(1) - - IA-2(2) - - IA-2(6) 800-53r4: - IA-2 - IA-2(1) @@ -54,9 +51,6 @@ references: macOS: - "11.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - none mobileconfig: false mobileconfig_info: diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index 38c2156d..6c246160 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -20,6 +20,7 @@ references: - AC-20 - AC-20(1) - CM-7 + - SC-7(10) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index 8d90ed09..bcad7510 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml @@ -20,6 +20,7 @@ references: - AC-20 - AC-20(1) - CM-7 + - SC-7(10) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index b2093c64..16c0abc1 100644 --- a/rules/icloud/icloud_calendar_disable.yaml +++ b/rules/icloud/icloud_calendar_disable.yaml @@ -20,6 +20,7 @@ references: - AC-20 - AC-20(1) - CM-7 + - SC-7(10) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index ba09606d..989131c8 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -20,6 +20,7 @@ references: - AC-20 - AC-20(1) - CM-7 + - SC-7(10) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index 827613c2..407a0ef3 100644 --- a/rules/icloud/icloud_keychain_disable.yaml 
+++ b/rules/icloud/icloud_keychain_disable.yaml @@ -20,6 +20,7 @@ references: - AC-20 - AC-20(1) - CM-7 + - SC-7(10) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index 11a15450..4900f031 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml @@ -20,6 +20,7 @@ references: - AC-20 - AC-20(1) - CM-7 + - SC-7(10) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index 0c0b265b..099f583c 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml @@ -20,6 +20,7 @@ references: - AC-20 - AC-20(1) - CM-7 + - SC-7(10) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index eda54736..786c0e60 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml @@ -20,6 +20,7 @@ references: - AC-20 - AC-20(1) - CM-7 + - SC-7(10) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index 326703f1..d2143f1c 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml @@ -20,6 +20,7 @@ references: - AC-20 - AC-20(1) - CM-7 + - SC-7(10) 800-53r4: - CM-7 - AC-20 diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index 6613789e..fe6fc104 100644 --- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml @@ -19,6 +19,7 @@ references: - AC-20 - AC-20(1) - CM-7 + - SC-7(10) 800-53r4: - CM-7 - AC-20 diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml index 72576690..826600d6 100644 --- a/rules/os/os_authenticated_root_enable.yaml +++ b/rules/os/os_authenticated_root_enable.yaml 
@@ -24,6 +24,8 @@ references: - CM-5 - SC-34 - SI-7(6) + - SI-7 + - MA-4(1) 800-53r4: - AC-3 - CM-5 diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml index acf3546b..9851d7ac 100644 --- a/rules/os/os_camera_disable.yaml +++ b/rules/os/os_camera_disable.yaml @@ -15,6 +15,8 @@ references: - CCI-000381 - CCI-001150 - CCI-001153 + 800-53r5: + - N/A 800-53r4: - N/A srg: diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index 93fda98c..c543f511 100644 --- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml @@ -1,5 +1,5 @@ id: os_directory_services_configured -title: The macOS system must be integrated into a directory services infrastructure. +title: "The macOS system must be integrated into a directory services infrastructure." discussion: | Distinct user account databases on each separate system cause problems with username and password policy enforcement. Most approved directory services infrastructure solutions allow centralized management of users and passwords. check: | diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml index 67016774..aa278aa1 100644 --- a/rules/os/os_filevault_autologin_disable.yaml +++ b/rules/os/os_filevault_autologin_disable.yaml @@ -16,6 +16,7 @@ references: 800-53r5: - AC-3 - IA-5(13) + - AC-2(11) 800-53r4: - AC-2(11) - AC-3 diff --git a/rules/os/os_filevault_user_account.yaml b/rules/os/os_filevault_user_account.yaml index 7cb2628c..338a5b13 100644 --- a/rules/os/os_filevault_user_account.yaml +++ b/rules/os/os_filevault_user_account.yaml @@ -47,6 +47,8 @@ references: - CCE-85311-9 cci: - CCI-002143 + 800-53r5: + - AC-2(11) 800-53r4: - AC-2(11) srg: diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml index 58ff33da..b90bf2ce 100644 --- a/rules/os/os_firmware_password_require.yaml 
+++ b/rules/os/os_firmware_password_require.yaml @@ -14,6 +14,8 @@ discussion: | NOTE: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through the use of a machine specific binary generated and provided by Apple. Schedule a support call, and provide proof of purchase before the firmware binary will be generated. + NOTE: Firmware passwords are not supported on Apple Silicon devices. + check: | /usr/sbin/firmwarepasswd -check | /usr/bin/grep -c "Password Enabled: Yes" result: diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml index 909850ea..9010c66f 100644 --- a/rules/os/os_gatekeeper_enable.yaml +++ b/rules/os/os_gatekeeper_enable.yaml @@ -24,6 +24,7 @@ references: - CM-14 - CM-5 - SI-7(15) + - SI-3 800-53r4: - CM-5(3) - CM-5 diff --git a/rules/os/os_guest_access_smb_disable.yaml b/rules/os/os_guest_access_smb_disable.yaml index 8cf00bfa..ec74c888 100644 --- a/rules/os/os_guest_access_smb_disable.yaml +++ b/rules/os/os_guest_access_smb_disable.yaml @@ -15,6 +15,7 @@ references: - CCE-85319-2 800-53r5: - AC-2(9) + - AC-2 800-53r4: - AC-2 - AC-2(9) diff --git a/rules/os/os_guest_account_disable.yaml b/rules/os/os_guest_account_disable.yaml index b2d63ced..0a027bbb 100644 --- a/rules/os/os_guest_account_disable.yaml +++ b/rules/os/os_guest_account_disable.yaml @@ -16,6 +16,7 @@ references: cci: - CCI-001813 800-53r5: + - AC-2 - AC-2(9) 800-53r4: - AC-2 diff --git a/rules/os/os_hbss_installed.yaml b/rules/os/os_hbss_installed.yaml index 5c22ba07..60c51d22 100644 --- a/rules/os/os_hbss_installed.yaml +++ b/rules/os/os_hbss_installed.yaml @@ -14,6 +14,8 @@ references: - N/A cci: - CCI-001233 + 800-53r5: + - SI-2(2) 800-53r4: - SI-2(2) srg: diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml index 3e5e4e10..5f019e5a 100644 --- a/rules/os/os_httpd_disable.yaml +++ b/rules/os/os_httpd_disable.yaml 
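Review bot: The new NOTE says firmware passwords are not supported on Apple Silicon, but the `check` on the next line still runs `/usr/sbin/firmwarepasswd -check` unconditionally and expects a count of 1, so every Apple Silicon machine will report this rule as failing with no possible remediation. The check should short-circuit on that architecture or the rule should be marked not applicable there, for example `if [ "$(/usr/bin/uname -m)" = "arm64" ]; then echo 1; else /usr/sbin/firmwarepasswd -check | /usr/bin/grep -c "Password Enabled: Yes"; fi`, with a comment that the echo marks the control as inherently met rather than actually checked; if the project has a convention for platform-specific applicability, that is preferable to a forged pass. The fix block and the references section are outside the hunk.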
@@ -18,6 +18,7 @@ references: - CCI-000381 800-53r5: - AC-3 + - AC-17 800-53r4: - AC-3 srg: diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml index 36e95268..d4c50a3f 100644 --- a/rules/os/os_nfsd_disable.yaml +++ b/rules/os/os_nfsd_disable.yaml @@ -19,6 +19,7 @@ references: - CCI-000381 800-53r5: - AC-3 + - AC-17 800-53r4: - AC-3 srg: diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml index 47755623..2c3edece 100644 --- a/rules/os/os_policy_banner_ssh_configure.yaml +++ b/rules/os/os_policy_banner_ssh_configure.yaml @@ -35,9 +35,6 @@ references: macOS: - "11.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml index 89c6d57b..518bdb36 100644 --- a/rules/os/os_policy_banner_ssh_enforce.yaml +++ b/rules/os/os_policy_banner_ssh_enforce.yaml @@ -36,9 +36,6 @@ references: macOS: - "11.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml index c61443c7..817d48dd 100644 --- a/rules/os/os_secure_boot_verify.yaml +++ b/rules/os/os_secure_boot_verify.yaml @@ -15,6 +15,9 @@ fix: | references: cce: - CCE-85376-2 + 800-53r5: + - SI-7 + - SI-6 800-53r4: - SI-6 srg: diff --git a/rules/os/os_separate_functionality.yaml b/rules/os/os_separate_functionality.yaml index deed7e2e..1e8beff9 100644 --- a/rules/os/os_separate_functionality.yaml +++ b/rules/os/os_separate_functionality.yaml @@ -19,6 +19,7 @@ references: - CCI-001082 800-53r5: - SC-2 + - MA-4(1) 800-53r4: - SC-2 disa_stig: diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml index 3304454d..505454cd 100644 --- a/rules/os/os_ssh_server_alive_count_max_configure.yaml 
+++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml @@ -37,6 +37,5 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 - mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml index 2c0c1195..bb67a23e 100644 --- a/rules/os/os_ssh_server_alive_interval_configure.yaml +++ b/rules/os/os_ssh_server_alive_interval_configure.yaml @@ -39,6 +39,5 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 - mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml index e2169cdc..fff86444 100644 --- a/rules/os/os_sshd_client_alive_count_max_configure.yaml +++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml @@ -31,8 +31,6 @@ references: macOS: - "11.0" tags: - - 800-53r5_moderate - - 800-53r5_high - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml index 3147cdae..4f600e9a 100644 --- a/rules/os/os_sshd_client_alive_interval_configure.yaml +++ b/rules/os/os_sshd_client_alive_interval_configure.yaml @@ -33,8 +33,6 @@ references: macOS: - "11.0" tags: - - 800-53r5_moderate - - 800-53r5_high - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml index 52211e6f..033bb8be 100644 --- a/rules/os/os_sshd_fips_140_ciphers.yaml +++ b/rules/os/os_sshd_fips_140_ciphers.yaml @@ -48,9 +48,6 @@ references: macOS: - "11.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r5_low - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml index e4458c2a..b4c5ebd2 100644 --- a/rules/os/os_sshd_fips_140_macs.yaml +++ b/rules/os/os_sshd_fips_140_macs.yaml 
@@ -48,9 +48,6 @@ references: macOS: - "11.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r5_low - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml index 3b2e087c..94a48a01 100644 --- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml +++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml @@ -31,6 +31,7 @@ references: 800-53r5: - AC-17(2) - IA-7 + - MA-4(6) 800-53r4: - IA-7 - AC-17(2) @@ -49,9 +50,6 @@ references: macOS: - "11.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r5_low - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml index 42da63b2..f8abc27d 100644 --- a/rules/os/os_sshd_login_grace_time_configure.yaml +++ b/rules/os/os_sshd_login_grace_time_configure.yaml @@ -31,8 +31,6 @@ references: macOS: - "11.0" tags: - - 800-53r5_moderate - - 800-53r5_high - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml index 03d43dce..6a15da41 100644 --- a/rules/os/os_sshd_permit_root_login_configure.yaml +++ b/rules/os/os_sshd_permit_root_login_configure.yaml @@ -32,7 +32,6 @@ references: macOS: - "11.0" tags: - - 800-53r5_high - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml index 2c01203e..8da1d53c 100644 --- a/rules/os/os_store_encrypted_passwords.yaml +++ b/rules/os/os_store_encrypted_passwords.yaml @@ -17,7 +17,7 @@ references: - CCI-000196 800-53r5: - IA-5(1) - - IA-5(1) + - IA-5(1)(c) 800-53r4: - IA-5(1) - IA-5(1)(c) diff --git a/rules/os/os_sudoers_tty_configure.yaml b/rules/os/os_sudoers_tty_configure.yaml index 2ecdd264..f1994b08 100644 --- a/rules/os/os_sudoers_tty_configure.yaml 
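Review bot: The os_sshd_key_exchange_algorithm_configure hunk adds `- MA-4(6)` under 800-53r5 while the second hunk of the same file removes all three 800-53r5_* tags, so the rule now carries a rev5 control mapping but, if the tags are what select rules into the rev5 baselines (as the baseline files later in this series suggest), it will no longer be included in any rev5 baseline; the same tag removal is applied to the FIPS-140 cipher and MAC rules just above. If the sshd cryptographic hardening rules are being moved to a STIG-only scope on purpose, the commit message should say so; otherwise the tags should be kept so that AC-17(2), IA-7 and MA-4(6) remain covered. The references list begins above the hunk.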
+++ b/rules/os/os_sudoers_tty_configure.yaml @@ -19,6 +19,7 @@ references: cci: - CCI-000366 800-53r5: + - CM-5(1) - IA-11 800-53r4: - IA-11 @@ -29,6 +30,9 @@ references: macOS: - "11.0" tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - cnssi-1253 - stig severity: "high" diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml index 5600405c..9d400cc3 100644 --- a/rules/os/os_system_read_only.yaml +++ b/rules/os/os_system_read_only.yaml @@ -15,6 +15,7 @@ references: - N/A 800-53r5: - SC-34 + - MA-4(1) 800-53r4: - SC-34 - SI-7 diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index cddcb1f3..f73e78ac 100644 --- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml @@ -22,6 +22,7 @@ references: 800-53r5: - AC-3 - IA-5(1) + - AC-17 800-53r4: - AC-3 - IA-5(1) diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml index 41c2825d..efd63976 100644 --- a/rules/os/os_touchid_prompt_disable.yaml +++ b/rules/os/os_touchid_prompt_disable.yaml @@ -15,6 +15,8 @@ references: - CCE-85393-7 cci: - N/A + 800-53r5: + - CM-6 800-53r4: - CM-6 srg: diff --git a/rules/os/os_unique_identification.yaml b/rules/os/os_unique_identification.yaml index fa7b9d86..ac2f885b 100644 --- a/rules/os/os_unique_identification.yaml +++ b/rules/os/os_unique_identification.yaml @@ -11,6 +11,8 @@ references: - CCE-85394-5 cci: - CCI-000764 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml index 0e1dcc29..d5f26232 100644 --- a/rules/os/os_uucp_disable.yaml +++ b/rules/os/os_uucp_disable.yaml @@ -21,6 +21,7 @@ references: - CCI-000381 800-53r5: - AC-3 + - AC-17 800-53r4: - AC-3 srg: diff --git a/rules/sysprefs/sysprefs_afp_disable.yaml b/rules/sysprefs/sysprefs_afp_disable.yaml deleted file mode 100644 index 2f55e365..00000000 --- a/rules/sysprefs/sysprefs_afp_disable.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -id: sysprefs_afp_disable -title: "Disable Apple Filing Protocol Sharing" -discussion: | - If the system does not require Apple Filing Protocol (AFP) Sharing, support it is non-essential and _MUST_ be disabled. - - The information system _MUST_ be configured to provide only essential capabilities. Disabling AFP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. -check: | - /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.AppleFileServer" => true' -result: - integer: 1 -fix: | - [source,bash] - ---- - /bin/launchctl disable system/com.apple.AppleFileServer - ---- - The system may need to be restarted for the update to take effect. -references: - cce: - - CCE-85416-6 - cci: - - CCI-000381 - 800-53r5: - - AC-3 - 800-53r4: - - AC-3 - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-11-002002 - 800-171r2: - - 3.1.1 - - 3.1.2 -macOS: - - "11.0" -tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 - - cnssi-1253 - -mobileconfig: false -mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml index 1aa9f924..8634ab80 100644 --- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml @@ -20,7 +20,6 @@ references: - CCI-002418 800-53r5: - AC-18 - - AC-18(3) - SC-8 - AC-18(3) 800-53r4: diff --git a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml index f31d3258..4a137dec 100644 --- a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml @@ -33,7 +33,6 @@ references: - CM-7 800-53r4: - AC-3 - - AC-18 - AC-18(4) - CM-7(1) srg: 
diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml index 2ce7a938..1abde1d0 100644 --- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml +++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml @@ -18,6 +18,7 @@ references: 800-53r5: - SI-11 - AC-20 + - SC-7(10) 800-53r4: - AC-20 - SI-11 diff --git a/rules/sysprefs/sysprefs_filevault_enforce.yaml b/rules/sysprefs/sysprefs_filevault_enforce.yaml index 9af69ac0..997ac86a 100644 --- a/rules/sysprefs/sysprefs_filevault_enforce.yaml +++ b/rules/sysprefs/sysprefs_filevault_enforce.yaml @@ -19,7 +19,7 @@ references: - CCI-002476 800-53r5: - SC-28 - - SC-28 + - SC-28(1) 800-53r4: - SC-28 - SC-28(1) diff --git a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml index 2048e9a1..dfba2743 100644 --- a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml +++ b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml @@ -18,6 +18,7 @@ references: 800-53r5: - AC-20 - CM-7 + - SC-7(10) 800-53r4: - CM-7 - AC-20 diff --git a/rules/sysprefs/sysprefs_location_services_disable.yaml b/rules/sysprefs/sysprefs_location_services_disable.yaml index bd80c644..ed721eb2 100644 --- a/rules/sysprefs/sysprefs_location_services_disable.yaml +++ b/rules/sysprefs/sysprefs_location_services_disable.yaml @@ -20,6 +20,7 @@ references: - CCI-000381 800-53r5: - CM-7 + - SC-7(10) 800-53r4: - CM-7 srg: diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml index 8aa27510..f8635f9b 100644 --- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml +++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml @@ -19,6 +19,7 @@ references: - CCE-85436-4 800-53r5: - AC-3 + - AC-17 800-53r4: - AC-3 srg: 
diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml index 1fb1c7a7..2afa156f 100644 --- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml +++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml @@ -18,6 +18,7 @@ references: 800-53r5: - AC-20 - CM-7 + - SC-7(10) 800-53r4: - AC-20 - CM-7 diff --git a/rules/sysprefs/sysprefs_rae_disable.yaml b/rules/sysprefs/sysprefs_rae_disable.yaml index 40c5ad2b..97d4f216 100644 --- a/rules/sysprefs/sysprefs_rae_disable.yaml +++ b/rules/sysprefs/sysprefs_rae_disable.yaml @@ -22,6 +22,7 @@ references: - CCI-000382 800-53r5: - AC-3 + - AC-17 800-53r4: - AC-3 srg: diff --git a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml index dd06833f..9ff008ab 100644 --- a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml @@ -21,6 +21,7 @@ references: - CCI-000366 800-53r5: - AC-3 + - AC-17 800-53r4: - AC-3 - AC-17 diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml index 4bcfc61d..c65c85ba 100644 --- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml @@ -17,6 +17,7 @@ references: - CCI-000057* 800-53r5: - AC-11 + - IA-11 800-53r4: - AC-11 srg: diff --git a/rules/sysprefs/sysprefs_siri_disable.yaml b/rules/sysprefs/sysprefs_siri_disable.yaml index 321b2610..b805b168 100644 --- a/rules/sysprefs/sysprefs_siri_disable.yaml +++ b/rules/sysprefs/sysprefs_siri_disable.yaml @@ -19,6 +19,7 @@ references: 800-53r5: - AC-20 - CM-7 + - SC-7(10) 800-53r4: - CM-7 - AC-20 diff --git a/rules/sysprefs/sysprefs_smbd_disable.yaml b/rules/sysprefs/sysprefs_smbd_disable.yaml index 0852d446..57d4d4f0 100644 --- a/rules/sysprefs/sysprefs_smbd_disable.yaml 
+++ b/rules/sysprefs/sysprefs_smbd_disable.yaml @@ -21,6 +21,7 @@ references: - CCI-000381 800-53r5: - AC-3 + - AC-17 800-53r4: - AC-3 srg: diff --git a/rules/sysprefs/sysprefs_ssh_disable.yaml b/rules/sysprefs/sysprefs_ssh_disable.yaml index 83a6dc5b..e0feaad2 100644 --- a/rules/sysprefs/sysprefs_ssh_disable.yaml +++ b/rules/sysprefs/sysprefs_ssh_disable.yaml @@ -22,6 +22,7 @@ references: - IA-2(8) - AC-3 - CM-7 + - AC-17 800-53r4: - AC-3 - CM-7 diff --git a/rules/sysprefs/sysprefs_wifi_disable.yaml b/rules/sysprefs/sysprefs_wifi_disable.yaml index 21a11106..62e35ea9 100644 --- a/rules/sysprefs/sysprefs_wifi_disable.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable.yaml @@ -22,8 +22,6 @@ references: - AC-18 - AC-18(1) - AC-18(3) - - AC-18(3) - - AC-18(1) 800-53r4: - AC-4 - AC-18(1) diff --git a/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml b/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml index b2b90f01..f27b095a 100644 --- a/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml @@ -19,8 +19,6 @@ references: - AC-4 - AC-18(1) - AC-18(3) - - AC-18(3) - - AC-18(1) 800-53r4: - AC-4 - AC-18(1) From eb55eaacd245a74ff4ec9b11ca8b7eb51c34def0 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 8 Apr 2021 17:00:55 -0400 Subject: [PATCH 021/135] system_wide_preferences moved to sysprefs --- ...efs_system_wide_preferences_configure.yaml | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml diff --git a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml new file mode 100644 index 00000000..cfcbbd42 --- /dev/null +++ b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml 
@@ -0,0 +1,50 @@
+id: sysprefs_system_wide_preferences_configure
+title: "Require Administrator Password to Modify System-Wide Preferences"
+discussion: |
+ The system _MUST_ be configured to require an administrator password in order to modify the system-wide preferences in System Preferences.
+
+ Some Preference Panes in System Preferences contain settings that affect the entire system. Requiring a password to unlock these system-wide settings reduces the risk of a non-authorized user modifying system configurations.
+check: |
+ /usr/bin/security authorizationdb read system.preferences 2> /dev/null | /usr/bin/grep -A 1 "shared" | /usr/bin/grep -c ""
+result:
+ integer: 1
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/security authorizationdb read system.preferences > /tmp/system.preferences.plist
+ /usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist
+ /usr/bin/security authorizationdb write system.preferences < /tmp/system.preferences.plist
+ ----
+references:
+ cce:
+ - CCE-85389-5
+ 800-53r5:
+ - AC-6
+ - AC-6(2)
+ - AC-6(1)
+ 800-53r4:
+ - AC-6
+ - AC-6(1)
+ - AC-6(2)
+ disa_stig:
+ - APPL-11-002069
+ srg:
+ - SRG-OS-000378-GPOS-00163
+ cci:
+ - CCI-001958
+ 800-171r2:
+ - 3.1.5
+ - 3.1.6
+macOS:
+ - "11.0"
+tags:
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
+ - cnssi-1253
+ - stig
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
From 272300ba78ab051b79cf6747edc57891ff0b42f6 Mon Sep 17 00:00:00 2001
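Review bot: The fix writes the authorization rule to the fixed path `/tmp/system.preferences.plist` and then feeds that file back into `security authorizationdb write`; since the fix runs as root in a world-writable directory, a local user who pre-creates that name (or a symlink to it) can have root overwrite an arbitrary file or, worse, replace the plist contents with their own rights definition before it is written back. Use `mktemp`, which creates the file exclusively with 0600 permissions, and remove it afterwards. Separately, the check's final pattern is shown as `grep -c ""`, which matches every line, so the `-A 1` output yields 2 lines and the expected integer 1 can never be met; an XML tag such as `<false/>` appears to have been lost in extraction and should be restored. The rule is otherwise a straight move from rules/os, deleted in the following patch.
```yaml
fix: |
  [source,bash]
  ----
  tmp=$(/usr/bin/mktemp /private/tmp/system.preferences.XXXXXX)
  /usr/bin/security authorizationdb read system.preferences > "$tmp"
  /usr/libexec/PlistBuddy -c "Set :shared false" "$tmp"
  /usr/bin/security authorizationdb write system.preferences < "$tmp"
  /bin/rm -f "$tmp"
  ----
```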
From: Bob Gendler Date: Thu, 8 Apr 2021 17:01:53 -0400 Subject: [PATCH 022/135] New rule files added --- ...s_apple_mobile_file_integrity_enforce.yaml | 37 +++++++++++++++++++ rules/os/os_config_data_install_enforce.yaml | 35 ++++++++++++++++++ ...prefs_critical_update_install_enforce.yaml | 35 ++++++++++++++++++ 3 files changed, 107 insertions(+) create mode 100644 rules/os/os_apple_mobile_file_integrity_enforce.yaml create mode 100644 rules/os/os_config_data_install_enforce.yaml create mode 100644 rules/sysprefs/sysprefs_critical_update_install_enforce.yaml diff --git a/rules/os/os_apple_mobile_file_integrity_enforce.yaml b/rules/os/os_apple_mobile_file_integrity_enforce.yaml new file mode 100644 index 00000000..50dcff09 --- /dev/null +++ b/rules/os/os_apple_mobile_file_integrity_enforce.yaml @@ -0,0 +1,37 @@ +id: os_apple_mobile_file_integrity_enforce +title: "Enforce Apple Mobile File Integrity" +discussion: + Apple Mobile File Integrity (AMFI) is a macOS kernel module that enforces the code-signing validation within Gatekeeper and library validation. AMFI checks the signatures of every app that is run. +check: | + /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1" +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/sbin/nvram boot-args="" + ---- +references: + cce: + - CCE-85461-2 + cci: + - N/A + 800-53r5: + - SI-7(1) + - SI-3 + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml new file mode 100644 index 00000000..9b6ce6ff --- /dev/null +++ b/rules/os/os_config_data_install_enforce.yaml 
@@ -0,0 +1,35 @@
+id: os_config_data_install_enforce
+title: "Enforce Installation of XProtect, MRT, and Gatekeeper Updates Automatically"
+discussion:
+ This setting enforces definition updates for XProtect, MRT, and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted.
+check: |
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ConfigDataInstall = 1'
+result:
+ integer: 1
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-85460-4
+ cci:
+ - N/A
+ 800-53r5:
+ - SI-3
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+macOS:
+ - "11.0"
+tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+mobileconfig: true
+mobileconfig_info:
+ com.apple.softwareupdate:
+ configdatainstall: true
diff --git a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml
new file mode 100644
index 00000000..f43af514
--- /dev/null
+++ b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml
@@ -0,0 +1,35 @@
+id: sysprefs_critical_update_install_enforce
+title: "Enforce Critical Security Updates to be Installed"
+discussion: |
+ Ensure that security updates are installed as soon as they are available from Apple.
+check: |
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'CriticalUpdateInstall = 1'
+result:
+ integer: 1
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-85459-6
+ cci:
+ - N/A
+ 800-53r5:
+ - SI-2
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+macOS:
+ - "11.0"
+tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+mobileconfig: true
+mobileconfig_info:
+ com.apple.softwareupdate:
+ criticalUpdateInstall: true
From a1625498e0829044e7d618883fb2f0920ee612b2 Mon Sep 17 00:00:00 2001
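Review bot: The os_config_data_install_enforce check greps for `ConfigDataInstall = 1`, but the `mobileconfig_info` payload that this rule generates uses the key `configdatainstall: true`; preference keys are case-sensitive and Apple's documented key is `ConfigDataInstall`, so either the installed profile sets a key macOS ignores or the case-sensitive grep never matches it, and the rule fails even on a correctly managed machine. Change the payload to `ConfigDataInstall: true` (and, if the other rules use `com.apple.SoftwareUpdate` as the domain, match that spelling too; confirm against the payload reference). The discussion's claim that new malware "will not execute" overstates XProtect and MRT, which act only on signatures Apple has already published; suggest "will be blocked from running or removed once Apple adds its signature".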
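Review bot: The sysprefs_critical_update_install_enforce hunk has the same key-case mismatch: the check greps `CriticalUpdateInstall = 1` while the payload is written `criticalUpdateInstall: true`, so one side or the other is wrong and the rule cannot pass as written. Align the payload with the check and with Apple's key, `CriticalUpdateInstall: true`. Also worth stating in the discussion that this only installs updates Apple flags as critical, not all security updates, so the reader does not assume it replaces a general update-enforcement rule.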
From: Bob Gendler Date: Thu, 8 Apr 2021 17:02:14 -0400 Subject: [PATCH 023/135] removed system_wide_pref from os --- .../os_system_wide_preferences_configure.yaml | 50 ------------------- 1 file changed, 50 deletions(-) delete mode 100644 rules/os/os_system_wide_preferences_configure.yaml diff --git a/rules/os/os_system_wide_preferences_configure.yaml b/rules/os/os_system_wide_preferences_configure.yaml deleted file mode 100644 index 80e0888e..00000000 --- a/rules/os/os_system_wide_preferences_configure.yaml +++ /dev/null @@ -1,50 +0,0 @@ -id: os_system_wide_preferences_configure -title: "Require Administrator Password to Modify System-Wide Preferences" -discussion: | - The system _MUST_ be configured to require an administrator password in order to modify the system-wide preferences in System Preferences. - - Some Preference Panes in System Preferences contain settings that affect the entire system. Requiring a password to unlock these system-wide settings reduces the risk of a non-authorized user modifying system configurations. -check: | - /usr/bin/security authorizationdb read system.preferences 2> /dev/null | /usr/bin/grep -A 1 "shared" | /usr/bin/grep -c "" -result: - integer: 1 -fix: | - [source,bash] - ---- - /usr/bin/security authorizationdb read system.preferences > /tmp/system.preferences.plist - /usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist - /usr/bin/security authorizationdb write system.preferences < /tmp/system.preferences.plist - ---- -references: - cce: - - CCE-85389-5 - 800-53r5: - - AC-6 - - AC-6(2) - - AC-6(1) - 800-53r4: - - AC-6 - - AC-6(1) - - AC-6(2) - disa_stig: - - APPL-11-002069 - srg: - - SRG-OS-000378-GPOS-00163 - cci: - - CCI-001958 - 800-171r2: - - 3.1.5 - - 3.1.6 -macOS: - - "11.0" -tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 - - cnssi-1253 - - stig -severity: "medium" -mobileconfig: false -mobileconfig_info: \ No newline at end of file 
From b5eae8e76063df21f6e53aa666a89430e57dd9f2 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 8 Apr 2021 17:02:52 -0400 Subject: [PATCH 024/135] added rev5 references and modified baseline files --- baselines/800-171.yaml | 2 +- baselines/800-53_high.yaml | 2 +- baselines/800-53_moderate.yaml | 2 +- baselines/DISA-STIG.yaml | 2 +- baselines/all_rules.yaml | 2 +- baselines/cnssi-1253.yaml | 2 +- rules/auth/auth_pam_login_smartcard_enforce.yaml | 1 + rules/auth/auth_pam_su_smartcard_enforce.yaml | 1 + rules/auth/auth_pam_sudo_smartcard_enforce.yaml | 1 + rules/auth/auth_smartcard_enforce.yaml | 1 + rules/auth/auth_ssh_smartcard_enforce.yaml | 1 + rules/os/os_gatekeeper_enable.yaml | 1 + rules/os/os_secure_boot_verify.yaml | 1 + rules/os/os_sip_enable.yaml | 1 + rules/os/os_system_read_only.yaml | 1 + rules/os/os_unique_identification.yaml | 9 ++++++--- ...ysprefs_gatekeeper_identified_developers_allowed.yaml | 1 + 17 files changed, 22 insertions(+), 9 deletions(-) diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml index 79ab9cc2..2566c27b 100644 --- a/baselines/800-171.yaml +++ b/baselines/800-171.yaml @@ -41,7 +41,6 @@ profile: - os_screensaver_loginwindow_enforce - os_handoff_disable - os_firewall_log_enable - - os_system_wide_preferences_configure - os_tftpd_disable - os_password_autofill_disable - os_password_sharing_disable @@ -138,6 +137,7 @@ profile: - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - sysprefs_automatic_logout_enforce + - sysprefs_system_wide_preferences_configure - section: "Inherent" rules: - os_prevent_priv_functions diff --git a/baselines/800-53_high.yaml b/baselines/800-53_high.yaml index bed41163..a79f8fd4 100644 --- a/baselines/800-53_high.yaml +++ b/baselines/800-53_high.yaml 
@@ -45,7 +45,6 @@ profile: - os_screensaver_loginwindow_enforce - os_handoff_disable - os_firewall_log_enable - - os_system_wide_preferences_configure - os_tftpd_disable - os_password_autofill_disable - os_password_sharing_disable @@ -145,6 +144,7 @@ profile: - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - sysprefs_automatic_logout_enforce + - sysprefs_system_wide_preferences_configure - section: "Inherent" rules: - os_enforce_access_restrictions diff --git a/baselines/800-53_moderate.yaml b/baselines/800-53_moderate.yaml index 8216e699..e2503ae9 100644 --- a/baselines/800-53_moderate.yaml +++ b/baselines/800-53_moderate.yaml @@ -42,7 +42,6 @@ profile: - os_screensaver_loginwindow_enforce - os_handoff_disable - os_firewall_log_enable - - os_system_wide_preferences_configure - os_tftpd_disable - os_password_autofill_disable - os_password_sharing_disable @@ -142,6 +141,7 @@ profile: - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - sysprefs_automatic_logout_enforce + - sysprefs_system_wide_preferences_configure - section: "Inherent" rules: - os_prevent_priv_functions diff --git a/baselines/DISA-STIG.yaml b/baselines/DISA-STIG.yaml index ce2d81c3..ed2c65c3 100644 --- a/baselines/DISA-STIG.yaml +++ b/baselines/DISA-STIG.yaml @@ -41,7 +41,6 @@ profile: - os_anti_virus_installed - os_screensaver_loginwindow_enforce - os_sshd_key_exchange_algorithm_configure - - os_system_wide_preferences_configure - os_tftpd_disable - os_sshd_client_alive_interval_configure - os_system_log_files_owner_group_configure @@ -126,6 +125,7 @@ profile: - sysprefs_siri_disable - sysprefs_filevault_enforce - sysprefs_password_hints_disable + - sysprefs_system_wide_preferences_configure - section: "Supplemental" rules: - supplemental_firewall_pf diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index e9e962c3..f3d37d02 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml 
@@ -48,7 +48,6 @@ profile: - os_screensaver_loginwindow_enforce - os_handoff_disable - os_firewall_log_enable - - os_system_wide_preferences_configure - os_tftpd_disable - os_password_autofill_disable - os_password_sharing_disable @@ -160,6 +159,7 @@ profile: - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - sysprefs_automatic_logout_enforce + - sysprefs_system_wide_preferences_configure - section: "Inherent" rules: - os_enforce_access_restrictions diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml index ff74ab85..7ca3d1f6 100644 --- a/baselines/cnssi-1253.yaml +++ b/baselines/cnssi-1253.yaml @@ -42,7 +42,6 @@ profile: - os_screensaver_loginwindow_enforce - os_handoff_disable - os_firewall_log_enable - - os_system_wide_preferences_configure - os_tftpd_disable - os_password_autofill_disable - os_password_sharing_disable @@ -142,6 +141,7 @@ profile: - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - sysprefs_automatic_logout_enforce + - sysprefs_system_wide_preferences_configure - section: "Inherent" rules: - os_prevent_priv_functions diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml index 5f83779a..e44cd526 100644 --- a/rules/auth/auth_pam_login_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml @@ -41,6 +41,7 @@ references: 800-53r5: - IA-2(1) - IA-2(2) + - IA-2(8) 800-53r4: - IA-2(3) - IA-2(4) diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml index e15b400d..4295f675 100644 --- a/rules/auth/auth_pam_su_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml @@ -36,6 +36,7 @@ references: 800-53r5: - IA-2(1) - IA-2(2) + - IA-2(8) 800-53r4: - IA-2(3) - IA-2(4) diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml index fad73080..bf3ba162 100644 
--- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml @@ -35,6 +35,7 @@ references: 800-53r5: - IA-2(1) - IA-2(2) + - IA-2(8) 800-53r4: - IA-2(3) - IA-2(4) diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index f96a770a..5dee57dc 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml @@ -30,6 +30,7 @@ references: - IA-2 - IA-5(2) - IA-2(12) + - IA-2(8) 800-53r4: - IA-2 - IA-2(1) diff --git a/rules/auth/auth_ssh_smartcard_enforce.yaml b/rules/auth/auth_ssh_smartcard_enforce.yaml index 69f2e545..d362c699 100644 --- a/rules/auth/auth_ssh_smartcard_enforce.yaml +++ b/rules/auth/auth_ssh_smartcard_enforce.yaml @@ -28,6 +28,7 @@ references: - IA-2 - IA-5(2) - MA-4 + - IA-2(8) 800-53r4: - IA-2 - IA-2(1) diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml index 9010c66f..62e23bef 100644 --- a/rules/os/os_gatekeeper_enable.yaml +++ b/rules/os/os_gatekeeper_enable.yaml @@ -23,6 +23,7 @@ references: 800-53r5: - CM-14 - CM-5 + - SI-7(1) - SI-7(15) - SI-3 800-53r4: diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml index 817d48dd..d91462b7 100644 --- a/rules/os/os_secure_boot_verify.yaml +++ b/rules/os/os_secure_boot_verify.yaml @@ -17,6 +17,7 @@ references: - CCE-85376-2 800-53r5: - SI-7 + - SI-7(1) - SI-6 800-53r4: - SI-6 diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index a3ffbc20..d094ea48 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml @@ -40,6 +40,7 @@ references: - CM-5 - CM-5(6) - SC-4 + - SI-7 800-53r4: - AC-3 - AU-6(4) diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml index 9d400cc3..cf70029d 100644 --- a/rules/os/os_system_read_only.yaml +++ b/rules/os/os_system_read_only.yaml @@ -16,6 +16,7 @@ references: 800-53r5: - SC-34 - MA-4(1) + - SI-7 800-53r4: - SC-34 - SI-7 
diff --git a/rules/os/os_unique_identification.yaml b/rules/os/os_unique_identification.yaml index ac2f885b..d3111b2c 100644 --- a/rules/os/os_unique_identification.yaml +++ b/rules/os/os_unique_identification.yaml @@ -1,7 +1,7 @@ id: os_unique_identification -title: "Identify and authenticate organizational users and processes" +title: "Uniquely Identify Users and Processes" discussion: | - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). + The macOS is a UNIX 03-compliant operating system. The system uniquely identifies and authenticates organizational users or processes. check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | @@ -12,7 +12,7 @@ references: cci: - CCI-000764 800-53r5: - - N/A + - IA-4 800-53r4: - N/A disa_stig: @@ -22,6 +22,9 @@ references: macOS: - "11.0" tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml index 2713ad8d..d1e120a8 100644 --- a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml +++ b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml @@ -22,6 +22,7 @@ references: - CM-14 - CM-5 - SI-7(15) + - SI-7(1) 800-53r4: - CM-5(3) - CM-5 From 3d43c87bb1a927be0942974319e0f122ee9fa3c5 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 14 Apr 2021 11:02:32 -0400 Subject: [PATCH 025/135] fixes for #60 --- rules/audit/audit_files_group_configure.yaml | 2 +- rules/audit/audit_files_mode_configure.yaml | 2 +- rules/audit/audit_files_owner_configure.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
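Review bot: `800-53r4:` in os_unique_identification stays `- N/A` while the r5 list now carries IA-4; IA-4 (Identifier Management) is an r4 control as well, so either the r4 reference should follow or the rule should say it is tracked for r5 only. The new discussion sentence `The macOS is a UNIX 03-compliant operating system.` is left unconnected to the claim that follows it; `The macOS is a UNIX 03-compliant operating system and, as such, uniquely identifies and authenticates organizational users or processes.` makes it one argument. The three 800-53r5 baseline tags are added next to the existing `inherent` tag, which is consistent with the unchanged check text.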
diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml
index 7086bd8d..9ddfbd63 100644
--- a/rules/audit/audit_files_group_configure.yaml
+++ b/rules/audit/audit_files_group_configure.yaml
@@ -13,7 +13,7 @@ result:
 fix: |
 [source,bash]
 ----
- /usr/bin/chgrp -R wheel $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
+ /usr/bin/chgrp -R wheel $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')/*
 ----
 references:
 cce:
diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml
index af56b699..913a4054 100644
--- a/rules/audit/audit_files_mode_configure.yaml
+++ b/rules/audit/audit_files_mode_configure.yaml
@@ -9,7 +9,7 @@ result:
 fix: |
 [source,bash]
 ----
- /bin/chmod 440 $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
+ /bin/chmod 440 $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')/*
 ----
 references:
 cce:
diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml
index 26659c2d..bd2681bf 100644
--- a/rules/audit/audit_files_owner_configure.yaml
+++ b/rules/audit/audit_files_owner_configure.yaml
@@ -13,7 +13,7 @@ result:
 fix: |
 [source,bash]
 ----
- /usr/sbin/chown -R root $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
+ /usr/sbin/chown -R root $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')/*
 ----
 references:
 cce:
From dcce2499a66493ef736bf4708ef9e04250572498 Mon Sep 17 00:00:00 2001
From: Allen Golbig Date: Wed, 14 Apr 2021 11:56:55 -0400 Subject: [PATCH 026/135] fix for #61 on origin/big_sur --- rules/sysprefs/sysprefs_automatic_logout_enforce.yaml | 2 ++ 1 file changed, 2 insertions(+)
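Review bot: Appending `/*` to an unquoted `$(...)` substitution attaches the glob only to the last word the substitution expands to, and audit_control permits more than one `dir:` line; with two directories the first would still be recursed wholesale and only the second gets `/*`. The same shape is in all three hunks (audit_files_group_configure, audit_files_mode_configure, audit_files_owner_configure). A per-directory loop keeps each entry intact, e.g. `for d in $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}'); do /usr/bin/chgrp -R wheel "$d"/*; done`. Note also that chgrp and chown keep `-R` while chmod 440 has none, so once `/*` is added the first two still descend into subdirectories of the audit directory and the third does not; worth confirming the corresponding check (outside the hunk) agrees on which files are in scope.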
diff --git a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml index 5a93e657..f02096e2 100644 --- a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml +++ b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml @@ -11,6 +11,8 @@ discussion: | ==== check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"com.apple.autologout.AutoLogOutDelay" = 86400' +result: + integer: 1 fix: | This is implemented by a Configuration Profile. references: From f4ba489100c2252b840ad597c31f0caac4c45689 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Fri, 30 Apr 2021 15:14:19 -0400 Subject: [PATCH 027/135] Issue #71 --- rules/os/os_airdrop_disable.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 609470d2..7e24d574 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -5,7 +5,7 @@ discussion: AirDrop allows users to share and receive files from other nearby Apple devices. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableAirDrop = 1' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowAirDrop = 0' result: integer: 1 fix: | From 653dbfe1f3630c824bbc859b36fc18da35d4a6fe Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Fri, 30 Apr 2021 15:28:14 -0400 Subject: [PATCH 028/135] Issue #67 --- rules/os/os_sshd_key_exchange_algorithm_configure.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml index 87bb0fb0..9f0a4901 100644 --- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml +++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml 
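Review bot: The check above the added `result:` block passes only when the profile value is exactly `86400`; a profile that enforces a shorter (stricter) automatic-logout delay fails the rule. Consider capturing the value and comparing it in awk with `<= 86400`, the form the screen-saver rule adopts in PATCH 031 further down this series, and guard the lower bound if a value of 0 disables the feature for this key (to be confirmed). The added `result` is otherwise consistent with the `grep -c` count.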
@@ -17,7 +17,7 @@ result:
 fix: |
 [source,bash]
 ----
- /usr/bin/sed -i.bak 's/.*KexAlgorithms.*/KexAlgorithms diffie-hellman-group-exchange-sha256/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
+ /usr/bin/grep -q '^KexAlgorithms' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.*KexAlgorithms.*/KexAlgorithms diffie-hellman-group-exchange-sha256/' /etc/ssh/sshd_config || /bin/echo 'KexAlgorithms diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
 ----
 references:
 cce:
From 5a1355ff0d3bbf5e38b103b2a1239b0650c038e2 Mon Sep 17 00:00:00 2001
From: Allen Golbig Date: Mon, 10 May 2021 16:15:33 -0400 Subject: [PATCH 029/135] cleaned up baselines --- baselines/800-171.yaml | 1 - baselines/all_rules.yaml | 1 - baselines/cnssi-1253.yaml | 1 - 3 files changed, 3 deletions(-)
diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml
index 79ab9cc2..341c946b 100644
--- a/baselines/800-171.yaml
+++ b/baselines/800-171.yaml
@@ -116,7 +116,6 @@ profile:
 - sysprefs_screensaver_timeout_enforce
 - sysprefs_firewall_enable
 - sysprefs_find_my_disable
- - sysprefs_afp_disable
 - sysprefs_content_caching_disable
 - sysprefs_location_services_disable
 - sysprefs_time_server_configure
diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
index e9e962c3..285fdf50 100644
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -138,7 +138,6 @@ profile:
 - sysprefs_screensaver_timeout_enforce
 - sysprefs_firewall_enable
 - sysprefs_find_my_disable
- - sysprefs_afp_disable
 - sysprefs_content_caching_disable
 - sysprefs_location_services_disable
 - sysprefs_time_server_configure
diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml
index ff74ab85..fe0b249e 100644
--- a/baselines/cnssi-1253.yaml
+++ b/baselines/cnssi-1253.yaml
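Review bot: The `grep -q ... && sed ... || echo ... >>` chain runs the append branch not only when grep finds no `KexAlgorithms` line but also whenever sed exits non-zero, so a failed in-place edit leaves a second `KexAlgorithms` line appended to sshd_config; an explicit `if /usr/bin/grep -q '^KexAlgorithms' /etc/ssh/sshd_config; then <sed>; else <echo >>>; fi` keeps the two outcomes separate. The sed address `.*KexAlgorithms.*` also rewrites a commented `#KexAlgorithms` line, which the anchored grep does not count; harmless, but the two patterns should agree. `sed -i.bak` leaves `/etc/ssh/sshd_config.bak` in place after the fix.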
@@ -120,7 +120,6 @@ profile:
 - sysprefs_screensaver_timeout_enforce
 - sysprefs_firewall_enable
 - sysprefs_find_my_disable
- - sysprefs_afp_disable
 - sysprefs_content_caching_disable
 - sysprefs_location_services_disable
 - sysprefs_time_server_configure
From 7330d1c6120ee3672bd20ce2143d39b7bae917c6 Mon Sep 17 00:00:00 2001
From: Allen Golbig Date: Thu, 20 May 2021 10:24:04 -0400 Subject: [PATCH 030/135] Fixed \| in custom rules --- scripts/generate_guidance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py
index 519a7b6d..ebeec89a 100755
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
@@ -1694,7 +1694,7 @@ def main():
 rule_adoc = adoc_rule_custom_refs_template.substitute(
 rule_title=rule_yaml['title'].replace('|', '\|'),
 rule_id=rule_yaml['id'].replace('|', '\|'),
- rule_discussion=rule_yaml['discussion'].replace('|', '\|'),
+ rule_discussion=rule_yaml['discussion'],#.replace('|', '\|'),
 rule_check=rule_yaml['check'], # .replace('|', '\|'),
 rule_fix=rulefix,
 rule_cci=cci,
From 566d105685117ffd151b8214d9fd24d6b37f0fb6 Mon Sep 17 00:00:00 2001
From: Allen Golbig Date: Fri, 28 May 2021 14:45:14 -0400 Subject: [PATCH 031/135] 15 or fewer --- rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
index 4ac2818a..1aa2c98c 100644
--- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
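Review bot: The new `rule_discussion=` line keeps the old call as trailing dead code (`,#.replace('|', '\|')`) with no explanation of why `discussion` is no longer escaped while `title` and `id` on the lines above still are; either drop the fragment or replace it with a why-comment such as `# discussion is not pipe-escaped; see "Fixed \| in custom rules"`. The surviving `'\|'` literals are also an invalid escape sequence in a plain string (Python warns, and `\|` is kept as two characters only by accident), so `r'\|'` is the safe spelling. The enclosing `main()` starts and ends outside the hunk.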
@@ -1,13 +1,13 @@
 id: sysprefs_screensaver_timeout_enforce
 title: "Enforce Screen Saver Timeout"
 discussion: |
- The screen saver timeout _MUST_ be set to 15 minutes.
+ The screen saver timeout _MUST_ be set to 15 minutes or a shorter length of time.
 
- This rule ensures that a full session lock is triggered after 15 minutes of inactivity.
+ This rule ensures that a full session lock is triggered within no more than 15 minutes of inactivity.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'idleTime = 900'
+ /usr/bin/profiles -P -o stdout | /usr/bin/egrep -o -e "idleTime\s=\s([^;]+)" | /usr/bin/awk '{ if ($3 <= 900) {print "Yes"}}'
 result:
- integer: 1
+ string: "Yes"
 fix: |
 This is implemented by a Configuration Profile.
 references:
From 34db49d850cd69c4c8ff4608b7a988dba1018e09 Mon Sep 17 00:00:00 2001
From: Allen Golbig Date: Fri, 28 May 2021 14:48:08 -0400 Subject: [PATCH 032/135] Forgot else --- rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
index 1aa2c98c..92aba577 100644
--- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
@@ -5,7 +5,7 @@ discussion: |
 
 This rule ensures that a full session lock is triggered within no more than 15 minutes of inactivity.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/egrep -o -e "idleTime\s=\s([^;]+)" | /usr/bin/awk '{ if ($3 <= 900) {print "Yes"}}'
+ /usr/bin/profiles -P -o stdout | /usr/bin/egrep -o -e "idleTime\s=\s([^;]+)" | /usr/bin/awk '{ if ($3 <= 900) {print "Yes"} else {print "No"}}'
 result:
 string: "Yes"
 fix: |
From ebde472bf07ad56659f0614d755fbf3c623f07d7 Mon Sep 17 00:00:00 2001
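Review bot: `$3 <= 900` in the new check accepts `idleTime = 0`, so if a zero value means the screen saver never starts (as it commonly does for this key; to be confirmed) a disabled screen saver now passes a rule whose discussion promises a lock within 15 minutes; guard the lower bound with `if ($3 > 0 && $3 <= 900)`. Because `egrep -o` prints one match per profile that sets `idleTime`, several profiles yield several `Yes`/`No` lines, and an exact comparison against `string: "Yes"` would then fail; the PATCH 032 hunk below only adds the `else` branch and inherits both points. `grep -E` is the non-deprecated spelling of `egrep`.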
From: Bob Gendler Date: Wed, 2 Jun 2021 10:29:31 -0400 Subject: [PATCH 033/135] rev5 additions --- ...it_record_reduction_report_generation.yaml | 33 ++++++++++++++++++ rules/audit/audit_records_processing.yaml | 31 +++++++++++++++++ .../os/os_access_control_mobile_devices.yaml | 34 +++++++++++++++++++ rules/os/os_malicious_code_prevention.yaml | 30 ++++++++++++++++ 4 files changed, 128 insertions(+) create mode 100644 rules/audit/audit_record_reduction_report_generation.yaml create mode 100644 rules/audit/audit_records_processing.yaml create mode 100644 rules/os/os_access_control_mobile_devices.yaml create mode 100644 rules/os/os_malicious_code_prevention.yaml
diff --git a/rules/audit/audit_record_reduction_report_generation.yaml b/rules/audit/audit_record_reduction_report_generation.yaml
new file mode 100644
index 00000000..e6cadb40
--- /dev/null
+++ b/rules/audit/audit_record_reduction_report_generation.yaml
@@ -0,0 +1,33 @@ +id: audit_record_reduction_report_generation +title: "Audit Record Reduction and Report Generation" +discussion: | + Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient. + + Audit record reduction and report generation can be done with tools built into macOS such as auditreduce and praudit. These tools are protected by System Integrity Protection (SIP). +check: | + The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. +fix: | + The technology inherently meets this requirement. No fix is required. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - AU-7 + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_moderate + - 800-53r4_high + - inherent +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_records_processing.yaml b/rules/audit/audit_records_processing.yaml new file mode 100644 index 00000000..27a95ee8 --- /dev/null +++ b/rules/audit/audit_records_processing.yaml 
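Review bot: The tags list carries `800-53r4_high` although the file's own `800-53r4:` reference is `- N/A`; next to `800-53r5_moderate` this reads as a typo for `800-53r5_high`, and the same pair appears in audit_records_processing.yaml in the next hunk. Whichever is intended, the tag and the reference block should agree, since the baselines are assembled from these tags. Both new files also end without a trailing newline.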
@@ -0,0 +1,31 @@ +id: audit_records_processing +title: "Audit Record Reduction and Report Generation" +discussion: | + Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component. +check: | + The technology does not support this requirement. This is an applicable-does not meet finding. +fix: | + This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - AU-7(1) + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_moderate + - 800-53r4_high + - permanent +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_access_control_mobile_devices.yaml b/rules/os/os_access_control_mobile_devices.yaml new file mode 100644 index 00000000..c5f1c7fb --- /dev/null +++ b/rules/os/os_access_control_mobile_devices.yaml 
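Review bot: The title repeats `"Audit Record Reduction and Report Generation"` from the sibling rule added just above, but this file maps AU-7(1) and its discussion is about selecting events of interest by record content, so the two rules become indistinguishable in generated guidance; a distinct title such as `title: "Audit Record Reduction and Report Generation - Automatic Processing"` (AU-7(1)'s own name) would keep them apart. The `800-53r4_high` tag next to an `N/A` r4 reference is the same inconsistency noted on the previous hunk.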
@@ -0,0 +1,34 @@ +id: os_access_control_mobile_devices +title: "Access Control for Mobile Devices" +discussion: | + A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems. + + Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. 
+ + Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. +check: | + The technology does not support this requirement. This is an applicable-does not meet finding. +fix: | + This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - AC-19 + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - n_a +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml new file mode 100644 index 00000000..9d3aa4a7 --- /dev/null +++ b/rules/os/os_malicious_code_prevention.yaml @@ -0,0 +1,30 @@ +id: os_verify_remote_disconnection +title: "Verify remote disconnection of sessions" +discussion: | + XProtect and MRT +check: | + The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. +fix: | + The technology inherently meets this requirement. No fix is required. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - SI-3 + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - inherent + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +mobileconfig: false +mobileconfig_info: From 0673b2ed26a2a169ddf9911410a8939586b44248 Mon Sep 17 00:00:00 2001 
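Review bot: In os_access_control_mobile_devices the check and fix text declare an applicable-does-not-meet, permanent finding, yet the tags say `n_a`; audit_records_processing.yaml in the same patch uses `permanent` for identical check/fix wording, so one of the two is mis-tagged. The reference block here also omits the `800-171r2:` key the two audit rules carry; if the generator expects a fixed key set, add `800-171r2:` / `- N/A` for consistency. The hunk for os_malicious_code_prevention.yaml that follows is rewritten by PATCH 034 below, so its placeholder id and discussion are not raised here.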
From: Bob Gendler Date: Wed, 2 Jun 2021 14:46:10 -0400 Subject: [PATCH 034/135] malicious code prevention rules --- rules/os/os_configdatainstall_enforce.yaml | 37 ++++++++++++++++++++++ rules/os/os_malicious_code_prevention.yaml | 19 +++++++++-- 2 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 rules/os/os_configdatainstall_enforce.yaml diff --git a/rules/os/os_configdatainstall_enforce.yaml b/rules/os/os_configdatainstall_enforce.yaml new file mode 100644 index 00000000..4553b1be --- /dev/null +++ b/rules/os/os_configdatainstall_enforce.yaml @@ -0,0 +1,37 @@ +id: os_configdatainstall_enforce +title: "Enforce XProtect, MRT, and Gatekeepr updates" +discussion: | + Software Update _MUST_ be configured to update XProtect, MRT, and Gatekeepr automatically. + + Apple issues the updates for XProtect and MRT automatically based on the latest threat intelligence available. By default, macOS checks for these updates daily. Notarization updates are distributed using CloudKit sync and are much more frequent. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ConfigDataInstall = 1' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - SI-3 + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +mobileconfig: true +mobileconfig_info: + com.apple.softwareupdate: + ConfigDataInstall: true diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml index 9d3aa4a7..5093aa9c 100644 --- a/rules/os/os_malicious_code_prevention.yaml +++ b/rules/os/os_malicious_code_prevention.yaml 
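Review bot: "Gatekeepr" is misspelled in both the title and the first discussion line of os_configdatainstall_enforce.yaml; `title: "Enforce XProtect, MRT, and Gatekeeper updates"` and `Software Update _MUST_ be configured to update XProtect, MRT, and Gatekeeper automatically.` are user-facing strings in the generated guidance. The rule is configurable (`mobileconfig: true` with a ConfigDataInstall payload) yet carries `cce: - N/A`, unlike the configurable rules elsewhere in this series that list a CCE; if CCEs are assigned per enforceable rule, this one needs an identifier before release.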
@@ -1,7 +1,20 @@ -id: os_verify_remote_disconnection -title: "Verify remote disconnection of sessions" +id: os_malicious_code_prevention +title: "Malicious Code Prevention" discussion: | - XProtect and MRT + Apple provides layers of protection to help ensure that apps are free of known malware and haven’t been tampered with. The macOS implements malicious code protection mechasims by quarantining files downloaded from the internet, preventing and blocking excution of known malware, and finally remediating and removing malware that has executed. + + This first layer of defense is designed to inhibit the distribution of malware, and prevent it from launching even once—this is the goal of the App Store, and Gatekeeper combined with Notarization. macOS includes built-in antivirus technology called XProtect for the signature-based detection of malware. The system uses YARA signatures, a tool used to conduct signature-based detection of malware, which Apple updates regularly. Apple monitors for new malware infections and strains, and updates signatures automatically—independent from system updates—to help defend a Mac from malware infections. XProtect automatically detects and blocks the execution of known malware. In macOS 10.15 or later, XProtect checks for known malicious content whenever: + * An app is first launched + * An app has been changed (in the file system) + * XProtect signatures are updated + + The next layer of defense is to help ensure that if malware appears on any Mac, it’s quickly identified and blocked, both to halt spread and to remediate the Mac systems it’s already gained a foothold on. XProtect adds to this defense, along with Gatekeeper and Notarization. + + Finally, Malware Removal Tool (MRT) acts to remediate malware that has managed to successfully execute. Should malware make its way onto a Mac, macOS also includes technology to remediate infections. 
MRT is an engine in macOS that remediates infections based on updates automatically delivered from Apple. MRT removes malware upon receiving updated information, and it continues to check for infections on restart and login. MRT doesn’t automatically reboot the Mac. + + link:https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1[] + + link:https://support.apple.com/guide/security/app-security-overview-sec35dd877d0/web[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | From dc41f844022cf49a30e9281e4ee29571fd842907 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 2 Jun 2021 14:46:32 -0400 Subject: [PATCH 035/135] T2 and Apple Silicon rule --- rules/os/os_secure_enclave.yaml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/os/os_secure_enclave.yaml diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml new file mode 100644 index 00000000..a8cab17d --- /dev/null +++ b/rules/os/os_secure_enclave.yaml @@ -0,0 +1,29 @@ +id: os_secure_enclave +title: "Protected Storage for Cryptographic Keys" +discussion: | + Macs with Apple Silicon or T2 processors provide protected storage for cryptographic keys. + + link:https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1[] +check: | + The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. +fix: | + The technology inherently meets this requirement. No fix is required. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - SC-28(3) + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - inherent +mobileconfig: false +mobileconfig_info: From af718be4980da5383562439450158f97930351dd Mon Sep 17 00:00:00 2001 
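Review bot: The rewritten discussion describes XProtect/MRT protection while `check` still says the technology "cannot be configured to be out of compliance", yet the ConfigDataInstall rule added in patch 034 exists precisely because XProtect/MRT/Gatekeeper definition updates are a Software Update setting that can be switched off, so the `inherent` tag only holds while that setting is enforced. I would add a sentence such as `NOTE: The effectiveness of XProtect and MRT depends on their definition updates being installed automatically; see os_config_data_install_enforce.` to the discussion. The new text also has typos to fix: `mechasims` → `mechanisms`, `excution` → `execution`, and `The macOS implements` → `macOS implements`.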
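Review bot: os_secure_enclave is tagged `inherent` with a check stating the technology "cannot be configured to be out of compliance", but the discussion itself limits the protected key storage to Macs with Apple Silicon or a T2 chip, and macOS 11 also runs on Intel Macs with neither, where SC-28(3) is not met by the platform. The discussion should state that scope explicitly, e.g. `NOTE: Macs without a T2 chip or Apple Silicon have no Secure Enclave; on that hardware this requirement is not inherently met and an organizationally defined safeguard must be documented.`, rather than presenting the control as universally satisfied. The references block also lacks the `800-171r2:` key the other new rule in this series carries, so the generated mappings will be uneven.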
From: Bob Gendler Date: Thu, 3 Jun 2021 16:16:54 -0400 Subject: [PATCH 036/135] rev5 pwpolicy --- rules/os/os_configdatainstall_enforce.yaml | 37 ------------------- rules/pwpolicy/pwpolicy_60_day_enforce.yaml | 2 + .../pwpolicy_account_inactivity_enforce.yaml | 4 +- .../pwpolicy_alpha_numeric_enforce.yaml | 1 - .../pwpolicy_force_password_change.yaml | 1 - ...pwpolicy_lower_case_character_enforce.yaml | 1 - .../pwpolicy_minimum_length_enforce.yaml | 1 - .../pwpolicy_minimum_lifetime_enforce.yaml | 2 + .../pwpolicy_simple_sequence_disable.yaml | 1 - .../pwpolicy_special_character_enforce.yaml | 1 - ...pwpolicy_upper_case_character_enforce.yaml | 1 - 11 files changed, 7 insertions(+), 45 deletions(-) delete mode 100644 rules/os/os_configdatainstall_enforce.yaml diff --git a/rules/os/os_configdatainstall_enforce.yaml b/rules/os/os_configdatainstall_enforce.yaml deleted file mode 100644 index 4553b1be..00000000 --- a/rules/os/os_configdatainstall_enforce.yaml +++ /dev/null @@ -1,37 +0,0 @@ -id: os_configdatainstall_enforce -title: "Enforce XProtect, MRT, and Gatekeepr updates" -discussion: | - Software Update _MUST_ be configured to update XProtect, MRT, and Gatekeepr automatically. - - Apple issues the updates for XProtect and MRT automatically based on the latest threat intelligence available. By default, macOS checks for these updates daily. Notarization updates are distributed using CloudKit sync and are much more frequent. -check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ConfigDataInstall = 1' -result: - integer: 1 -fix: | - This is implemented by a Configuration Profile. -references: - cce: - - N/A - cci: - - N/A - 800-53r5: - - SI-3 - 800-53r4: - - N/A - srg: - - N/A - disa_stig: - - N/A - 800-171r2: - - N/A -macOS: - - "11.0" -tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high -mobileconfig: true -mobileconfig_info: - com.apple.softwareupdate: - ConfigDataInstall: true 
diff --git a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
index 1994cbb6..475468b2 100644
--- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
@@ -15,6 +15,8 @@ references:
     - CCE-85400-0
   cci:
     - CCI-000199
+  800-53r5:
+    - IA-5
   800-53r4:
     - IA-5
     - IA-5(1)
diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
index 66a7d869..3e7187be 100644
--- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
@@ -39,7 +39,9 @@ references:
     - CCE-85401-8
   cci:
     - CCI-000795
-  800-53r4:
+  800-53r5:
+    - AC-2(3)
+  800-53r4:
     - IA-4
   srg:
     - SRG-OS-000118-GPOS-00060
diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
index 5e814f61..98ffea37 100644
--- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
@@ -16,7 +16,6 @@ references:
   cci:
     - CCI-000194
   800-53r5:
-    - IA-5
     - IA-5(1)
   800-53r4:
     - IA-5
diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml
index f7130abf..9c63e2f2 100644
--- a/rules/pwpolicy/pwpolicy_force_password_change.yaml
+++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml
@@ -21,7 +21,6 @@ references:
   cci:
     - CCI-002041
   800-53r5:
-    - IA-5
     - IA-5(1)
   800-53r4:
     - IA-5
diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
index 729fe8f1..b96cd155 100644
--- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
@@ -40,7 +40,6 @@ references:
   cci:
     - CCI-000193
   800-53r5:
-    - IA-5
     - IA-5(1)
   800-53r4:
     - IA-5
diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
index b2b199b1..9c7f0f07 100644
--- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
@@ -16,7 +16,6 @@ references:
   cci:
     - CCI-000205
   800-53r5:
-    - IA-5
     - IA-5(1)
   800-53r4:
     - IA-5
diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
index 07e02bbe..45cb6d38 100644
--- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
@@ -39,6 +39,8 @@ references:
     - CCE-85410-9
   cci:
     - N/A
+  800-53r5:
+    - IA-5
   800-53r4:
     - IA-5(1)
   disa_stig:
diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
index fa7b9dae..cfc16c0f 100644
--- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
@@ -16,7 +16,6 @@ references:
   cci:
     - N/A
   800-53r5:
-    - IA-5
     - IA-5(1)
   800-53r4:
     - IA-5
diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
index 5ba7dfa0..419730c8 100644
--- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
@@ -18,7 +18,6 @@ references:
   cci:
     - CCI-001619
   800-53r5:
-    - IA-5
     - IA-5(1)
   800-53r4:
     - IA-5
diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
index 6e040409..ad02e7f0 100644
--- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
@@ -40,7 +40,6 @@ references:
   cci:
     - CCI-000192
   800-53r5:
-    - IA-5
     - IA-5(1)
   800-53r4:
     - IA-5
From 78756b826bab44395f9c36cbfa20c62f33d3ae0f Mon Sep 17 00:00:00 2001
From: Bob Gendler Date: Thu, 3 Jun 2021 16:17:19 -0400 Subject: [PATCH 037/135] audit controls --- rules/audit/audit_flags_fm_configure.yaml | 8 ++++---- rules/audit/audit_record_reduction_report_generation.yaml | 2 ++ rules/audit/audit_records_processing.yaml | 2 ++ 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index 6798eef0..fa50e2ad 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -1,7 +1,7 @@ id: audit_flags_fm_configure -title: "Configure System to Audit All Change of Object Attributes" +title: "Configure System to Audit All Failed Change of Object Attributes" discussion: | - The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm). + The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (fm). Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). @@ -9,13 +9,13 @@ discussion: | Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | - /usr/bin/grep -Ec "^flags.*fm" /etc/security/audit_control + /usr/bin/grep -Ec "^flags.*-fm" /etc/security/audit_control result: integer: 1 fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control;/usr/sbin/audit -s + /usr/bin/sed -i.bak '/^flags/ s/$/,-fm/' /etc/security/audit_control;/usr/sbin/audit -s ---- references: cce: diff --git a/rules/audit/audit_record_reduction_report_generation.yaml b/rules/audit/audit_record_reduction_report_generation.yaml index e6cadb40..f049c333 100644 
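Review bot: The check now accepts only `-fm` and the fix appends `,-fm` unconditionally, so a host whose flags line already carries `fm` (success and failure, a strict superset of what this rule asks for) is reported non-compliant and the fix leaves both `fm` and `-fm` in the file; how openbsm treats a duplicated class is not shown here, but at minimum the file becomes redundant and drifts on every run. I would make the check accept either form at a class boundary, `/usr/bin/grep -Ec "^flags.*[,:]-?fm(,|$)" /etc/security/audit_control`, and only append when neither is present. The discussion should also say plainly that narrowing from `fm` to `-fm` drops the audit trail for successful attribute changes on protected files — a deliberate reduction in coverage that reviewers of the baseline should see stated rather than inferred from the title.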
--- a/rules/audit/audit_record_reduction_report_generation.yaml +++ b/rules/audit/audit_record_reduction_report_generation.yaml @@ -1,6 +1,8 @@ id: audit_record_reduction_report_generation title: "Audit Record Reduction and Report Generation" discussion: | + The system _IS_ configured with the ability provide and implement an audit record reduction and report generation capability. + Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient. Audit record reduction and report generation can be done with tools built into macOS such as auditreduce and praudit. These tools are protected by System Integrity Protection (SIP). diff --git a/rules/audit/audit_records_processing.yaml b/rules/audit/audit_records_processing.yaml index 27a95ee8..c0f4f556 100644 --- a/rules/audit/audit_records_processing.yaml +++ b/rules/audit/audit_records_processing.yaml 
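Review bot: The added requirement sentence has a grammatical slip, `the ability provide and implement` → `the ability to provide and implement`, and its `The system _IS_ configured` phrasing reads as a configuration statement for what the rest of the discussion presents as a built-in capability (auditreduce and praudit). A wording such as `The macOS _IS_ able to provide and implement an audit record reduction and report generation capability.` would match the other inherent rules in this series. The remaining lines of the hunk are unchanged context.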
@@ -1,6 +1,8 @@ id: audit_records_processing title: "Audit Record Reduction and Report Generation" discussion: | + The macOS should be configured to provide and implement the capability to process, sort, and search audit records for events of interest based on organizationally defined fields. + Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component. check: | The technology does not support this requirement. This is an applicable-does not meet finding. From 5d3bca32dd292fedee7347cb323a639858390341 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 3 Jun 2021 16:17:52 -0400 Subject: [PATCH 038/135] os new rules rev5 --- rules/os/os_config_data_install_enforce.yaml | 2 ++ rules/os/os_secure_enclave.yaml | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index 9b6ce6ff..05bfe742 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml 
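Review bot: The added sentence tells administrators that macOS "should be configured" to process, sort and search audit records, but the unchanged `check` two lines below declares the technology does not support the requirement, so the rule now gives an instruction that cannot be carried out. Either phrase it as the control statement (`The macOS _MUST_ provide the capability to process, sort, and search audit records for events of interest based on organizationally defined fields.`) and leave it a permanent finding, or revisit the finding: the sibling rule in this same commit says auditreduce and praudit are built in, and auditreduce selects records by user, event class and date, which looks like at least partial support — I cannot confirm the full AU-7(1) field set from here. The `title` is also identical to audit_record_reduction_report_generation's; something like `"Audit Records Processing"` would keep the two rules distinguishable in generated documents.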
@@ -1,6 +1,8 @@ id: os_config_data_install_enforce title: "Enforce Installation of XProtect, MRT, and Gatekeeper Updates Automatically" discussion: + Software Update _MUST_ be configured to update XProtect, MRT, and Gatekeepr automatically. + This setting enforces definition updates for XProtect, MRT, and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ConfigDataInstall = 1' diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml index a8cab17d..71beb3b4 100644 --- a/rules/os/os_secure_enclave.yaml +++ b/rules/os/os_secure_enclave.yaml @@ -1,7 +1,9 @@ id: os_secure_enclave title: "Protected Storage for Cryptographic Keys" discussion: | - Macs with Apple Silicon or T2 processors provide protected storage for cryptographic keys. + A system _IS_ configured to provide protected storage for cryptographic keys either by hardware protected key store or an organizationally defined safeguard. + + Macs with Apple Silicon or T2 processors provide protected storage for cryptographic keys via the secure enclave. link:https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1[] check: | From e6bf4cea60a9c1a5070e93ff2bdf501080e3e7ca Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 4 Jun 2021 10:04:55 -0400 Subject: [PATCH 039/135] removed afp from baselines --- baselines/800-171.yaml | 1 - baselines/800-53_high.yaml | 1 - baselines/800-53_low.yaml | 1 - baselines/800-53_moderate.yaml | 1 - baselines/all_rules.yaml | 1 - baselines/cnssi-1253.yaml | 1 - 6 files changed, 6 deletions(-) diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml index 2566c27b..dbb78f8a 100644 --- a/baselines/800-171.yaml +++ b/baselines/800-171.yaml 
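Review bot: The added line misspells `Gatekeepr` while the title directly above spells it `Gatekeeper`. Separately, the unchanged `discussion:` key has no `|` block indicator, unlike every other rule in this series, so the two added paragraphs form a multi-line plain scalar subject to YAML line folding rather than the literal layout the author typed; `discussion: |` would make the generated text predictable. The os_secure_enclave hunk in this commit restates the inherent claim as `A system _IS_ configured to provide protected storage...`, which still does not hold for Intel Macs without a T2 chip and should carry the same hardware caveat.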
@@ -115,7 +115,6 @@ profile:
       - sysprefs_screensaver_timeout_enforce
       - sysprefs_firewall_enable
       - sysprefs_find_my_disable
-      - sysprefs_afp_disable
       - sysprefs_content_caching_disable
       - sysprefs_location_services_disable
       - sysprefs_time_server_configure
diff --git a/baselines/800-53_high.yaml b/baselines/800-53_high.yaml
index a79f8fd4..9be601fd 100644
--- a/baselines/800-53_high.yaml
+++ b/baselines/800-53_high.yaml
@@ -122,7 +122,6 @@ profile:
       - sysprefs_screensaver_timeout_enforce
       - sysprefs_firewall_enable
       - sysprefs_find_my_disable
-      - sysprefs_afp_disable
       - sysprefs_content_caching_disable
       - sysprefs_location_services_disable
       - sysprefs_time_server_configure
diff --git a/baselines/800-53_low.yaml b/baselines/800-53_low.yaml
index 8e029c62..c4283aee 100644
--- a/baselines/800-53_low.yaml
+++ b/baselines/800-53_low.yaml
@@ -100,7 +100,6 @@ profile:
       - sysprefs_rae_disable
       - sysprefs_firewall_enable
       - sysprefs_find_my_disable
-      - sysprefs_afp_disable
       - sysprefs_content_caching_disable
       - sysprefs_location_services_disable
       - sysprefs_diagnostics_reports_disable
diff --git a/baselines/800-53_moderate.yaml b/baselines/800-53_moderate.yaml
index e2503ae9..2de19761 100644
--- a/baselines/800-53_moderate.yaml
+++ b/baselines/800-53_moderate.yaml
@@ -119,7 +119,6 @@ profile:
       - sysprefs_screensaver_timeout_enforce
       - sysprefs_firewall_enable
       - sysprefs_find_my_disable
-      - sysprefs_afp_disable
       - sysprefs_content_caching_disable
       - sysprefs_location_services_disable
       - sysprefs_time_server_configure
diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
index f3d37d02..cac10501 100644
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -137,7 +137,6 @@ profile:
       - sysprefs_screensaver_timeout_enforce
       - sysprefs_firewall_enable
       - sysprefs_find_my_disable
-      - sysprefs_afp_disable
       - sysprefs_content_caching_disable
       - sysprefs_location_services_disable
       - sysprefs_time_server_configure
diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml index 7ca3d1f6..d246113d 100644 --- a/baselines/cnssi-1253.yaml +++ b/baselines/cnssi-1253.yaml @@ -119,7 +119,6 @@ profile: - sysprefs_screensaver_timeout_enforce - sysprefs_firewall_enable - sysprefs_find_my_disable - - sysprefs_afp_disable - sysprefs_content_caching_disable - sysprefs_location_services_disable - sysprefs_time_server_configure From dc3e5e1e278b95b5c6dc4cf2a69265f1af07ff6e Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 7 Jun 2021 14:02:27 -0400 Subject: [PATCH 040/135] note about sandboxing added --- rules/audit/audit_flags_ad_configure.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index 257445c7..445a48e3 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -8,6 +8,8 @@ discussion: | Audit records can be generated from various components within the information system (e.g., via a module or policy filter). The information system audits the execution of privileged functions. + + NOTE: We recommend changing the line "43127:AUE_MAC_SYSCALL:mac_syscall(2):ad" to "43127:AUE_MAC_SYSCALL:mac_syscall(2):zz" in the file /etc/security/audit_event. This will prevent sandbox violations from being audited by the ad flag. check: | /usr/bin/grep -Ec "^flags.*ad" /etc/security/audit_control result: From 8e64f17af8fbcfa3466813cb271f38267846c120 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 7 Jun 2021 14:02:53 -0400 Subject: [PATCH 041/135] added note about auditing being deprecated --- sections/auditing.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sections/auditing.yaml b/sections/auditing.yaml index 31be8b46..6314ac5e 100644 --- a/sections/auditing.yaml +++ b/sections/auditing.yaml 
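Review bot: The NOTE recommends reassigning `AUE_MAC_SYSCALL` from class `ad` to `zz` in /etc/security/audit_event, which — if `zz` is an unassigned class, as the text implies — stops sandbox-violation events from being written to the audit trail at all rather than routing them elsewhere; sandbox denials can be evidence of exploitation attempts, so that visibility trade-off should be stated. Nothing in this rule's `check` or `fix` verifies or applies the edit, so it is an unenforced manual step; either say so or add it to the fix with the noise rationale. I would also replace the first-person `We recommend` with the guide's usual voice, e.g. `NOTE: To keep sandbox violations from flooding the ad class, the line ... may be changed to ...; doing so removes those events from the audit trail and is not verified by the check below.`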
@@ -2,4 +2,6 @@ description: | This section contains the configuration and enforcement of the OpenBSM settings. + NOTE: The BSM Audit subsystem has been marked as deprecated by Apple. + NOTE: The check/fix commands outlined in this section _MUST_ be run with elevated privileges. \ No newline at end of file From db011a3f8ab039ab5229ac45e8f06afa9f8b4e7d Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 7 Jun 2021 14:03:42 -0400 Subject: [PATCH 042/135] small changes --- rules/os/os_config_data_install_enforce.yaml | 3 ++- rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index 05bfe742..9183db2b 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml @@ -12,11 +12,12 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-85460-4 + - N/A cci: - N/A 800-53r5: - SI-3 + - SI-2(5) 800-53r4: - N/A srg: diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index b96cd155..70c3a752 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml @@ -38,7 +38,7 @@ references: cce: - CCE-85408-3 cci: - - CCI-000193 + - CCI-000193 800-53r5: - IA-5(1) 800-53r4: From 4c8fbf9f724e3a08339b8b790bd2db0724cb841b Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 7 Jun 2021 16:48:18 -0400 Subject: [PATCH 043/135] wording updated to more reflect macOS 11 --- rules/supplemental/supplemental_filevault.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml index 0ecb0270..bc1f394c 100644 --- a/rules/supplemental/supplemental_filevault.yaml 
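Review bot: The new deprecation NOTE in sections/auditing.yaml says the BSM subsystem is deprecated but not what that means for the rules that follow — whether they remain required on macOS 11, and whether Apple has named a replacement — so readers may conclude the audit rules can be dropped. Something like `NOTE: The BSM Audit subsystem has been marked as deprecated by Apple; it remains functional on macOS 11 and the rules in this section still apply.` would close that gap, with the second half hedged to whatever has been verified. The file already lacks a trailing newline, and the hunk keeps it that way.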
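Review bot: The references hunk for os_config_data_install_enforce replaces `CCE-85460-4` with `N/A` while the rule id, check and payload stay the same; if that CCE was already issued for this rule, dropping it breaks traceability for anyone mapping findings back to CCE, and since the duplicate file deleted in patch 036 had `N/A` here, this looks like the wrong reference block being carried across. I would keep `- CCE-85460-4` unless the identifier is known to be retired. Adding `SI-2(5)` alongside `SI-3` is reasonable for automatic definition updates.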
+++ b/rules/supplemental/supplemental_filevault.yaml @@ -4,10 +4,11 @@ discussion: | The supplemental guidance found in this section is applicable for the following rules: * sysprefs_filevault_enforce - In macOS 11 the internal Apple File System (APFS) volume (including both system and data storage) can be protected by FileVault. - NOTE: On non-T2 hardware, FileVault uses an AES-XTS data encryption algorithm to protect full volumes of internal and external storage. Macs with the T2 chip utilize the hardware security features of the chip. + In macOS 11 the internal Apple File System (APFS) data volume can be protected by FileVault. The system volume is always cryptographically protected (T2 and Apple Silicon) and is a read-only volume. + + NOTE: FileVault uses an AES-XTS data encryption algorithm to protect full volumes of internal and external storage. Macs with a secure enclave (T2 and Apple Silicon) utilize the hardware security features of the architecture. - FileVault is described in detail here: link:https://support.apple.com/guide/security/when-filevault-is-turned-on-sec4c6dc1b6e/1/web/1[]. + FileVault is described in detail here: link:https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web[]. FileVault can be enabled in two ways within the macOS. It can be managed using the fdesetup command or by a Configuration Profile. When enabling FileVault via either of the aforementioned methods, you will be required to enter a username and password, which must be a local OpenDirectory account with a valid SecureToken password. From 42a3ef844ae38526a09d557553a3792dfabc8e27 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Jun 2021 16:20:23 -0400 Subject: [PATCH 044/135] fixed #74 --- .../sysprefs_guest_access_smb_disable.yaml} | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) rename rules/{os/os_guest_access_smb_disable.yaml => sysprefs/sysprefs_guest_access_smb_disable.yaml} (64%) 
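Review bot: The new sentence says the system volume "is always cryptographically protected (T2 and Apple Silicon)", which conflates two different properties: the macOS 11 signed system volume is sealed with a cryptographic hash tree for integrity, while at-rest encryption of the data volume comes from FileVault (hardware-entangled on T2/Apple Silicon). As written, a reader may conclude the system volume is encrypted, and the NOTE's "full volumes" then looks contradictory with the "data volume" sentence above it. I would split the claim, e.g. `The system volume is a read-only, cryptographically signed (sealed) volume whose integrity is verified at boot; FileVault provides encryption of the data volume.`, and confirm the exact scope against the linked Apple security guide before merging.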
diff --git a/rules/os/os_guest_access_smb_disable.yaml b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml similarity index 64% rename from rules/os/os_guest_access_smb_disable.yaml rename to rules/sysprefs/sysprefs_guest_access_smb_disable.yaml index ec74c888..d38f799c 100644 --- a/rules/os/os_guest_access_smb_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml @@ -1,15 +1,18 @@ -id: os_guest_access_smb_disable +id: sysprefs_guest_access_smb_disable title: "Disable Guest Access to Shared SMB Folders" discussion: | Guest access to shared Server Message Block (SMB) folders _MUST_ be disabled. Turning off guest access prevents anonymous users from accessing files shared via SMB. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AllowGuestAccess = 0' + /usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess result: - integer: 1 + boolean: 0 fix: | - This is implemented by a Configuration Profile. + [source,bash] + ---- + /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool false + ---- references: cce: - CCE-85319-2 @@ -36,7 +39,4 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high -mobileconfig: true -mobileconfig_info: - com.apple.smb.server: - AllowGuestAccess: false \ No newline at end of file +mobileconfig: false \ No newline at end of file From 4b2e1d5067b0240b4db64fa3feec876eadce94e3 Mon Sep 17 00:00:00 2001 
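Review bot: Switching the check to `defaults read ... AllowGuestAccess` with `result: boolean: 0` does not handle a host where the key has never been written: `defaults read` then prints an error and exits non-zero instead of `0`, so whether such a host is compliant depends on the platform default, which the rule does not state; the absent-key case needs an explicit decision (treat as a finding and document that the fix must be run once, or tolerate it) rather than being left to the error path. The rewrite also drops the configuration-profile payload, so the setting is no longer enforced by MDM and any local admin can set it back to true; if that was the point of issue #74, the discussion should say why the profile path was abandoned. Keeping `mobileconfig: false` while still citing `CCE-85319-2` is fine, but the file now ends without a newline as before.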
From: Bob Gendler Date: Wed, 23 Jun 2021 17:14:57 -0400 Subject: [PATCH 045/135] created and updated check/fix for asl and newsyslog permissions --- ...s_asl_log_files_owner_group_configure.yaml | 38 ++++++++++++++++++ ...s_asl_log_files_permissions_configure.yaml | 38 ++++++++++++++++++ ...newsyslog_files_owner_group_configure.yaml | 40 +++++++++++++++++++ ...newsyslog_files_permissions_configure.yaml | 39 ++++++++++++++++++ 4 files changed, 155 insertions(+) create mode 100644 rules/os/os_asl_log_files_owner_group_configure.yaml create mode 100644 rules/os/os_asl_log_files_permissions_configure.yaml create mode 100644 rules/os/os_newsyslog_files_owner_group_configure.yaml create mode 100644 rules/os/os_newsyslog_files_permissions_configure.yaml diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml new file mode 100644 index 00000000..c80c96ed --- /dev/null +++ b/rules/os/os_asl_log_files_owner_group_configure.yaml 
@@ -0,0 +1,38 @@ +id: os_asl_log_files_owner_group_configure +title: "Configure Apple System Log Files Owned by Root and Group to Wheel" +discussion: | + The Apple System Logs (ASL) _MUST_ be owned by root. + + ASL logs contain sensitive data about the system and users. If ASL log files are set to only be readable and writable by system administrators, the risk is mitigated. +check: | + /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' +fix: | + [source,bash] + ---- + /usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}') + ---- +references: + cce: + - N/A + cci: + - CCI-001314 + 800-53r5: + - SI-11 + 800-53r4: + - SI-11 + srg: + - SRG-OS-000206-GPOS-00084 + disa_stig: + - APPL-11-004001 + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_moderate + - 800-53r5_high + - manual + - stig +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml new file mode 100644 index 00000000..5657f4d2 --- /dev/null +++ b/rules/os/os_asl_log_files_permissions_configure.yaml 
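Review bot: This rule has no `result:` block, unlike the three sibling rules added in the same commit (`result:` / `  integer: 0`), so the generated compliance script has nothing to compare the `wc -l` count against and the check can neither pass nor fail; add it after `check`. In the fix, the first `awk '{print $1}'` splits stat's `owner:group:path` output on whitespace and is redundant with the following `awk -F":"`, which already selects the non-root:wheel paths; `/usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(...) 2> /dev/null | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}')` does the same with one fewer place for a path containing spaces to be truncated. asl.conf output directives can also carry `uid=`/`gid=` options; if they do, rotation presumably recreates the log with those values and a bare chown is undone, which the discussion should mention.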
@@ -0,0 +1,38 @@ +id: os_asl_log_files_permissions_configure +title: "Configure Apple System Log Files To Mode 640 or Less Permissive" +discussion: | + The Apple System Logs (ASL) _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL log files _MUST_ be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk. +check: | + /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' +result: + integer: 0 +fix: | + [source,bash] + ---- + /bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk -F":" '!/640/{print $2}') + ---- +references: + cce: + - N/A + cci: + - CCI-001314 + 800-53r5: + - SI-11 + 800-53r4: + - SI-11 + srg: + - SRG-OS-000206-GPOS-00084 + disa_stig: + - APPL-11-004002 + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_moderate + - 800-53r5_high + - manual + - stig +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml new file mode 100644 index 00000000..30c01dd4 --- /dev/null +++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml 
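Review bot: `awk '!/640/{print $1}'` tests for the literal string `640` anywhere in `mode:path`, so a log already at the stricter 600 or 440 is reported non-compliant despite the title `Mode 640 or Less Permissive`, the fix then runs `chmod 640` on it and loosens a file that was tighter, and a path that merely contains `640` would hide a bad mode. Match the mode field against the permitted bits instead, e.g. check `... | /usr/bin/awk -F":" '$1 !~ /^[0246][04]0$/{print $2}' | /usr/bin/wc -l | /usr/bin/tr -d ' '` and fix `/bin/chmod u-x,g-wx,o-rwx $(... | /usr/bin/awk -F":" '$1 !~ /^[0246][04]0$/{print $2}')` so stricter modes are preserved. The discussion also says `audit logs` where these are ASL/system logs.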
@@ -0,0 +1,40 @@ +id: os_newsyslog_files_owner_group_configure +title: "Configure System Log Files Owned by Root and Group to Wheel" +discussion: | + The system log files _MUST_ be owned by root. + + System logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated. +check: | + /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}') + ---- +references: + cce: + - N/A + cci: + - CCI-001314 + 800-53r5: + - SI-11 + 800-53r4: + - SI-11 + srg: + - SRG-OS-000206-GPOS-00084 + disa_stig: + - APPL-11-004001 + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_moderate + - 800-53r5_high + - manual + - stig +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml new file mode 100644 index 00000000..07004f65 --- /dev/null +++ b/rules/os/os_newsyslog_files_permissions_configure.yaml 
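Review bot: newsyslog.conf's optional second column is `owner:group`, and rotation creates the new log with that ownership, so the `chown` in the fix is reverted at the next rotation wherever that column disagrees; the discussion or fix should cover the configuration column too, e.g. `NOTE: Ownership set by this fix is only durable if the owner:group column in /etc/newsyslog.conf agrees.` The check's `grep -v '^#' | awk '{ print $1 }'` also feeds blank lines and any `<include>` directive (if the macOS file uses the BSD include syntax — please confirm against a stock /etc/newsyslog.conf) to `stat`; the errors are hidden by `2> /dev/null`, but any included configuration files are never examined.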
@@ -0,0 +1,39 @@ +id: os_newsyslog_files_permissions_configure +title: "Configure System Log Files to Mode 640 or Less Permissive" +discussion: | + The system logs _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, system log files _MUST_ be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk. + +check: | + /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' +result: + integer: 0 +fix: | + [source,bash] + ---- + /bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | awk -F":" '!/640/{print $2}') + ---- +references: + cce: + - N/A + cci: + - CCI-001314 + 800-53r5: + - SI-11 + 800-53r4: + - SI-11 + srg: + - SRG-OS-000206-GPOS-00084 + disa_stig: + - APPL-11-004002 + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_moderate + - 800-53r5_high + - manual + - stig +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file From f69a0cdd49e73500c9dd96adc6dcceef289da8a2 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 23 Jun 2021 17:18:12 -0400 Subject: [PATCH 046/135] fixed check command --- rules/os/os_directory_services_configured.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index c543f511..6ad2ee38 100644 --- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml 
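Review bot: Same literal-string problem as the ASL permissions rule: `awk '!/640/'` flags a 600 or 400 log as non-compliant and the fix's `chmod 640` then loosens it, contradicting `Mode 640 or Less Permissive`; use a mode-field test such as `/usr/bin/awk -F":" '$1 !~ /^[0246][04]0$/{print $2}'` in both check and fix, or `/bin/chmod u-x,g-wx,o-rwx` in the fix so stricter modes are kept. The fix's last stage calls bare `awk` where every other command in these rules uses `/usr/bin/awk`, and its `!/640/{print $1}` stage is redundant with the `-F":"` stage after it. `audit logs` in the discussion should read `system logs`, and newsyslog.conf's mode column will reassert the configured mode at rotation, which the discussion should mention.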
@@ -7,7 +7,7 @@ check: | To determine if the system is integrated to a directory service, ask the System Administrator (SA) or Information System Security Officer (ISSO) or run the following command: - /usr/bin/sudo dscl localhost -list . | /usr/bin/grep -vE '(Contact | Search | Local)' + /usr/bin/dscl localhost -list . | /usr/bin/grep -vE '(Contact|Search|Local|^$)' If nothing is returned, or if the system is not integrated into a directory service infrastructure, this is a finding. fix: | From deba810cb47481c03448b0631019bc894e216eee Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 23 Jun 2021 17:19:11 -0400 Subject: [PATCH 047/135] added [^-] to not match -flag --- rules/audit/audit_flags_aa_configure.yaml | 2 +- rules/audit/audit_flags_ad_configure.yaml | 2 +- rules/audit/audit_flags_lo_configure.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index e005ed54..cd7cb404 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml @@ -7,7 +7,7 @@ discussion: | Audit records can be generated from various components within the information system (e.g., via a module or policy filter). check: | - /usr/bin/grep -Ec "^flags.*aa" /etc/security/audit_control + /usr/bin/grep -Ec "^flags.*[^-]aa" /etc/security/audit_control result: integer: 1 fix: | diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index 445a48e3..8a5b80ac 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml 
@@ -11,7 +11,7 @@ discussion: | NOTE: We recommend changing the line "43127:AUE_MAC_SYSCALL:mac_syscall(2):ad" to "43127:AUE_MAC_SYSCALL:mac_syscall(2):zz" in the file /etc/security/audit_event. This will prevent sandbox violations from being audited by the ad flag. check: | - /usr/bin/grep -Ec "^flags.*ad" /etc/security/audit_control + /usr/bin/grep -Ec "^flags.*[^-]ad" /etc/security/audit_control result: integer: 1 fix: | diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index c048c4ea..2371f267 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -7,7 +7,7 @@ discussion: | The information system monitors login and logout events. check: | - /usr/bin/grep -Ec "^flags*.lo" /etc/security/audit_control + /usr/bin/grep -Ec "^flags*.[^-]lo" /etc/security/audit_control result: integer: 1 fix: | From 8c1d6829e2744d5016b233c8be1d5f52dd885da0 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 23 Jun 2021 17:19:46 -0400 Subject: [PATCH 048/135] added link to Apple documentation --- rules/os/os_config_data_install_enforce.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index 9183db2b..2c2e9df8 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml @@ -4,6 +4,8 @@ discussion: Software Update _MUST_ be configured to update XProtect, MRT, and Gatekeepr automatically. This setting enforces definition updates for XProtect, MRT, and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted. + + link:https://support.apple.com/en-us/HT207005[] check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ConfigDataInstall = 1' result: 
From 9d2d3e1c4479b17693beabdf1966732977173a78 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 23 Jun 2021 17:20:29 -0400 Subject: [PATCH 049/135] added full path for tr --- rules/os/os_policy_banner_loginwindow_enforce.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml index c9b8cbd6..50b34855 100644 --- a/rules/os/os_policy_banner_loginwindow_enforce.yaml +++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml 
@@ -12,7 +12,7 @@ discussion: | "You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you may access this information system for authorized use only; unauthorized use of the system is prohibited and subject to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system at any time and for any lawful Government purpose, the Government may monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; and any communications or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and using this system indicates your understanding of this warning." check: | - /bin/ls -ld /Library/Security/PolicyBanner.rtf* | /usr/bin/wc -l | tr -d ' ' + /bin/ls -ld /Library/Security/PolicyBanner.rtf* | /usr/bin/wc -l | /usr/bin/tr -d ' ' result: integer: 1 fix: | From b1749a4afed30be6b42602f7525839a540d8e8a1 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 23 Jun 2021 17:20:56 -0400 Subject: [PATCH 050/135] removed and renamed to newsyslog and asl rules --- ...ystem_log_files_owner_group_configure.yaml | 50 ------------------- ...ystem_log_files_permissions_configure.yaml | 45 ----------------- 2 files changed, 95 deletions(-) delete mode 100644 rules/os/os_system_log_files_owner_group_configure.yaml delete mode 100644 rules/os/os_system_log_files_permissions_configure.yaml 
diff --git a/rules/os/os_system_log_files_owner_group_configure.yaml b/rules/os/os_system_log_files_owner_group_configure.yaml deleted file mode 100644 index 57b33323..00000000 --- a/rules/os/os_system_log_files_owner_group_configure.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: os_system_log_files_owner_group_configure -title: "Configure System Log Files to be Owned by Root and Group-Owned by Wheel or Admin" -discussion: | - System logs should only be readable by root or admin users. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct owner mitigates this risk. -check: | - Some system log files are controlled by "newsyslog" and "aslmanager". - - The following commands check for log files that exist on the system and print the path to the log with the corresponding ownership. Run them from inside "/var/log". - - /usr/bin/sudo stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null - /usr/bin/sudo stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null - - Each command may return zero or more files. - - If there are any system log files that are not owned by "root" and group-owned by "wheel" or admin, this is a finding. - - Service logs may be owned by the service user account or group. -fix: | - For any log file that returns an incorrect owner or group value, run the following command: - - /usr/bin/sudo chown root:wheel [log file] - - [log file] is the full path to the log file in question. If the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and ensure that the owner:group column is set to "root:wheel" or the appropriate service user account and group. - - If the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and ensure that "uid" and "gid" options are either not present or are set to a service user account and group respectively. 
-references: - cce: - - N/A - cci: - - CCI-001314 - 800-53r5: - - SI-11 - 800-53r4: - - SI-11 - srg: - - SRG-OS-000206-GPOS-00084 - disa_stig: - - APPL-11-004001 - 800-171r2: - - N/A -macOS: - - "11.0" -tags: - - 800-53r5_moderate - - 800-53r5_high - - manual - - stig -severity: "medium" -mobileconfig: false -mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_system_log_files_permissions_configure.yaml b/rules/os/os_system_log_files_permissions_configure.yaml deleted file mode 100644 index f39e4a71..00000000 --- a/rules/os/os_system_log_files_permissions_configure.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -id: os_system_log_files_permissions_configure -title: "Configure System Log Files set to mode 640 or less permissive." -discussion: | - System logs should only be readable by root or admin users. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk. -check: | - The following commands check for log files that exist on the system and print the path to the log with the corresponding permissions. Run them from inside "/var/log": - - /usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null - - /usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null - - Each command may return zero or more files. If the permissions on log files are not "640" or less permissive, this is a finding. -fix: | - For any log file that returns an incorrect permission value, run the following command: - - /usr/bin/sudo chmod 640 [log file] - - [log file] is the full path to the log file in question. If the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and edit the mode column to be "640" or less permissive. - - If the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and add or edit the mode option to be "mode=0640" or less permissive. -references: - cce: - - N/A - cci: - - CCI-001314 - 800-53r5: - - SI-11 - 800-53r4: - - SI-11 - srg: - - SRG-OS-000206-GPOS-00084 - disa_stig: - - APPL-11-004002 - 800-171r2: - - N/A -macOS: - - "11.0" -tags: - - 800-53r5_moderate - - 800-53r5_high - - manual - - stig -severity: "medium" -mobileconfig: false -mobileconfig_info: \ No newline at end of file From 7241e43bd7d1c305527d894ea93ee65d44164512 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Thu, 24 Jun 2021 12:53:17 -0400 Subject: [PATCH 051/135] removed some text from the fix --- rules/os/os_sshd_permit_root_login_configure.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml index 6a15da41..09f6583c 100644 --- a/rules/os/os_sshd_permit_root_login_configure.yaml +++ b/rules/os/os_sshd_permit_root_login_configure.yaml @@ -11,7 +11,6 @@ check: | result: integer: 1 fix: | - To ensure that "PermitRootLogin" is set disabled by sshd, run the following command: [source,bash] ---- /usr/bin/sed -i.bak 's/^[\#]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd From 2d220935dd758bb60daeacccf0cb5ed1925b55af Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 24 Jun 2021 12:54:10 -0400 Subject: [PATCH 052/135] added grep -qE to fix to prevent fix from double fixing --- rules/audit/audit_flags_aa_configure.yaml | 2 +- rules/audit/audit_flags_ad_configure.yaml | 2 +- rules/audit/audit_flags_ex_configure.yaml | 2 +- rules/audit/audit_flags_fd_configure.yaml | 2 +- rules/audit/audit_flags_fm_configure.yaml | 2 +- rules/audit/audit_flags_fr_configure.yaml | 2 +- rules/audit/audit_flags_fw_configure.yaml | 2 +- rules/audit/audit_flags_lo_configure.yaml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index cd7cb404..4d2abc40 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml @@ -13,7 +13,7 @@ result: fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*[^-]aa" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s ---- references: cce: 
diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index 8a5b80ac..7065a999 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -17,7 +17,7 @@ result: fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*[^-]ad" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s ---- references: cce: diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index 4a9e0ed8..d75793f1 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml @@ -14,7 +14,7 @@ result: fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,-ex/' /etc/security/audit_control; /usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*-ex" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-ex/' /etc/security/audit_control; /usr/sbin/audit -s ---- references: cce: diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index bb3b0502..1cd183b1 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml @@ -15,7 +15,7 @@ result: fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s ---- references: cce: diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index fa50e2ad..8b0c2aae 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml 
@@ -15,7 +15,7 @@ result: fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,-fm/' /etc/security/audit_control;/usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*-fm" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fm/' /etc/security/audit_control;/usr/sbin/audit -s ---- references: cce: diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index 079920df..e2ed4ec9 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml @@ -15,7 +15,7 @@ result: fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,-fr/' /etc/security/audit_control;/usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*-fr" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fr/' /etc/security/audit_control;/usr/sbin/audit -s ---- references: cce: diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index 30a193b0..c0a980a6 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml @@ -15,7 +15,7 @@ result: fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,-fw/' /etc/security/audit_control;/usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*-fw" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fw/' /etc/security/audit_control;/usr/sbin/audit -s ---- references: cce: diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index 2371f267..67407f07 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -13,7 +13,7 @@ result: fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*[^-]lo" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/sbin/audit -s ---- references: cce: 
From b3aca7f0c4689fe5e9e493a5b47f4d34eb20994d Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 24 Jun 2021 13:04:02 -0400 Subject: [PATCH 053/135] added grep -qE to fix to prevent fix from double fixing --- rules/audit/audit_flags_fd_configure.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index 1cd183b1..7e45ac2b 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml @@ -15,7 +15,7 @@ result: fix: | [source,bash] ---- - /usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s + /usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s ---- references: cce: From 2d121bbe665cddc6893b9e9ce34dbfd3ec3048e4 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 30 Jun 2021 09:37:02 -0400 Subject: [PATCH 054/135] Disabling guest access with sysadminctl --- rules/sysprefs/sysprefs_guest_access_smb_disable.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml index d38f799c..fe4a2593 100644 --- a/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml @@ -11,7 +11,7 @@ result: fix: | [source,bash] ---- - /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool false + /usr/sbin/sysadminctl -smbGuestAccess off ---- references: cce: From ee0494b4e0f4e485f171be8903fcea5b4f9bff2e Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Wed, 30 Jun 2021 09:37:33 -0400 Subject: [PATCH 055/135] added a note about T2/Apple Silicon --- rules/os/os_secure_boot_verify.yaml | 2 +- rules/os/os_secure_enclave.yaml | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml index d91462b7..a89e1024 100644 --- a/rules/os/os_secure_boot_verify.yaml +++ b/rules/os/os_secure_boot_verify.yaml @@ -5,7 +5,7 @@ discussion: | Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. - Note: This will only return a proper result on a T2 Mac + Note: This will only return a proper result on a T2 or Apple Silicon Macs. check: | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full" result: diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml index 71beb3b4..47d30612 100644 --- a/rules/os/os_secure_enclave.yaml +++ b/rules/os/os_secure_enclave.yaml @@ -6,10 +6,14 @@ discussion: | Macs with Apple Silicon or T2 processors provide protected storage for cryptographic keys via the secure enclave. link:https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1[] + + Note: This will only return a proper result on a T2 or Apple Silicon Macs. check: | - The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. + /usr/sbin/ioreg -w 0 -c AppleSEPManager | /usr/bin/grep -q 'AppleSEPManager'; /bin/echo $? +result: + integer: 0 fix: | - The technology inherently meets this requirement. No fix is required. + The hardware does not support the requirement. references: cce: - N/A From ceb8d4151c13266f44617cec1e5c50c3130bbbfb Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Wed, 30 Jun 2021 15:16:13 -0400 Subject: [PATCH 056/135] new check implemented --- rules/audit/audit_flags_aa_configure.yaml | 2 +- rules/audit/audit_flags_ad_configure.yaml | 2 +- rules/audit/audit_flags_ex_configure.yaml | 2 +- rules/audit/audit_flags_fd_configure.yaml | 2 +- rules/audit/audit_flags_fm_configure.yaml | 2 +- rules/audit/audit_flags_fr_configure.yaml | 2 +- rules/audit/audit_flags_fw_configure.yaml | 2 +- rules/audit/audit_flags_lo_configure.yaml | 2 +- ...nforce.yaml => auth_ssh_passwordauthentication_disable.yaml} | 0 9 files changed, 8 insertions(+), 8 deletions(-) rename rules/auth/{auth_ssh_smartcard_enforce.yaml => auth_ssh_passwordauthentication_disable.yaml} (100%) diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index 4d2abc40..55e8a3e3 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml @@ -7,7 +7,7 @@ discussion: | Audit records can be generated from various components within the information system (e.g., via a module or policy filter). check: | - /usr/bin/grep -Ec "^flags.*[^-]aa" /etc/security/audit_control + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'aa' result: integer: 1 fix: | diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index 7065a999..bfc5ab38 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml 
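Review bot: `grep -Ec 'aa'` on the per-token stream is unanchored, so a flags line carrying `-aa` (failures only), `+aa` (successes only) or the `^aa` removal form still counts as 1 and the rule passes although full `aa` auditing is not configured. Anchoring the token, `/usr/bin/grep -Ec '^aa$'`, counts only the bare class; if a flags line may have spaces after the colon, insert `/usr/bin/tr -d ' '` before the `tr ','` step so the anchors still match. The fix block for this rule lies outside the hunk and its guard still uses the earlier `^flags.*[^-]aa` substring regex, so check and fix would disagree on such lines unless both are tightened.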
@@ -11,7 +11,7 @@ discussion: | NOTE: We recommend changing the line "43127:AUE_MAC_SYSCALL:mac_syscall(2):ad" to "43127:AUE_MAC_SYSCALL:mac_syscall(2):zz" in the file /etc/security/audit_event. This will prevent sandbox violations from being audited by the ad flag. check: | - /usr/bin/grep -Ec "^flags.*[^-]ad" /etc/security/audit_control + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ad' result: integer: 1 fix: | diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index d75793f1..ea37c958 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml @@ -8,7 +8,7 @@ discussion: | This configuration ensures that audit lists include events in which program execution has failed. Without auditing the enforcement of program execution, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | - /usr/bin/grep -Ec "^flags.*-ex" /etc/security/audit_control + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-ex' result: integer: 1 fix: | diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index 7e45ac2b..22b91d91 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml @@ -9,7 +9,7 @@ discussion: | Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | - /usr/bin/grep -Ec "^flags.*-fd" /etc/security/audit_control + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fd' result: integer: 1 fix: | 
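Review bot: The `ad` check here, and the `ex`/`fd` checks in the two following hunks, match tokens by substring: `grep -Ec 'ad'` counts `-ad`/`+ad`, and `grep -Ec '\-fd'` counts `^-fd`, which in audit_control removes failed-fd auditing rather than enabling it, so a configuration that explicitly excludes the class passes the rule. Anchor each pattern to the whole token — `'^ad$'`, `'^-ex$'`, `'^-fd$'` — so only the exact spelling the rule requires is counted. The corresponding fix guards (`^flags.*[^-]ad`, `^flags.*-ex`, `^flags.*-fd`) are outside these hunks and have the same weakness; they should move to the same tokenised test so fix and check agree.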
diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index 8b0c2aae..6f877453 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -9,7 +9,7 @@ discussion: | Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | - /usr/bin/grep -Ec "^flags.*-fm" /etc/security/audit_control + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fm' result: integer: 1 fix: | diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index e2ed4ec9..09cf775f 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml @@ -9,7 +9,7 @@ discussion: | Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | - /usr/bin/grep -Ec "^flags.*-fr" /etc/security/audit_control + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fr' result: integer: 1 fix: | diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index c0a980a6..4164aec8 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml @@ -9,7 +9,7 @@ discussion: | Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | - /usr/bin/grep -Ec "^flags.*-fw" /etc/security/audit_control + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fw' result: integer: 1 fix: | 
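Review bot: `grep -Ec '\-fm'` (and the `\-fr` / `\-fw` variants in the next two hunks) still matches a `^-fm` token, which in /etc/security/audit_control means "stop auditing failed fm" — the opposite of what this rule requires — so such a line satisfies the check. Use a whole-token anchor, `/usr/bin/grep -Ec '^-fm$'`, and likewise `'^-fr$'` and `'^-fw$'` for the sibling rules. The fix blocks are not in these hunks; their `^flags.*-fm` style guards should be tightened together with the checks.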
diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index 67407f07..67936907 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -7,7 +7,7 @@ discussion: | The information system monitors login and logout events. check: | - /usr/bin/grep -Ec "^flags*.[^-]lo" /etc/security/audit_control + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'lo' result: integer: 1 fix: | diff --git a/rules/auth/auth_ssh_smartcard_enforce.yaml b/rules/auth/auth_ssh_passwordauthentication_disable.yaml similarity index 100% rename from rules/auth/auth_ssh_smartcard_enforce.yaml rename to rules/auth/auth_ssh_passwordauthentication_disable.yaml From bc50b2bede3caf15a6b8a5ac00ea4e0b475c0165 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 30 Jun 2021 15:16:41 -0400 Subject: [PATCH 057/135] new check and fix to remove cnt --- rules/audit/audit_failure_halt.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index 071dc428..77494dfb 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml 
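Review bot: `grep -Ec 'lo'` is unanchored, so `-lo`, `+lo` and `^lo` tokens all satisfy the check even though only the bare `lo` class records both successful and failed logins as the discussion line above requires. `/usr/bin/grep -Ec '^lo$'` restricts the count to the exact token. The rename of auth_ssh_smartcard_enforce.yaml bundled into this commit is unrelated to the audit-flag change and would be easier to trace as its own commit.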
@@ -5,13 +5,13 @@ discussion: | Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. check: | - /usr/bin/grep -Ec "^policy.*ahlt" /etc/security/audit_control + /usr/bin/awk -F':' '/^policy/ {print $NF}' audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt' result: integer: 1 fix: | [source,bash] ---- - /usr/bin/sed -i.bak '/^policy/ s/$/,ahlt/' /etc/security/audit_control; /usr/sbin/audit -s + /usr/bin/sed -i.bak 's/^policy.*/policy: ahlt,argv/' /etc/security/audit_control; /usr/sbin/audit -s ---- references: cce: From e1087fc67dae9d3784ee3c9bf06517d221126328 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 30 Jun 2021 15:17:19 -0400 Subject: [PATCH 058/135] #79 --- rules/auth/auth_ssh_passwordauthentication_disable.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rules/auth/auth_ssh_passwordauthentication_disable.yaml b/rules/auth/auth_ssh_passwordauthentication_disable.yaml index d362c699..fc5ef0b4 100644 --- a/rules/auth/auth_ssh_passwordauthentication_disable.yaml +++ b/rules/auth/auth_ssh_passwordauthentication_disable.yaml @@ -1,7 +1,7 @@ -id: auth_ssh_smartcard_enforce -title: "Enforce Smartcard Authentication for SSH" +id: auth_ssh_passwordauthentication_disable +title: "Disable Password Authentication for SSH" discussion: | - If remote login through SSH is enabled, smartcard authentication _MUST_ be enforced for user login. + If remote login through SSH is enabled, password based authentication _MUST_ be disabled for user login. All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. 
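Review bot: The new check reads `audit_control` by a relative path instead of `/etc/security/audit_control`, so it only works when the current directory happens to be /etc/security; elsewhere awk fails, the pipeline prints 0 and every host is reported as a finding. Restore the absolute path: `/usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'`. The fix now rewrites the whole line to `policy: ahlt,argv`, which does drop the conflicting `cnt` as the commit intends but also discards any other policy option an administrator configured (for example `arge` or `seq`); removing only the `cnt` token and appending `ahlt` when it is absent would be less destructive.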
@@ -11,7 +11,6 @@ check: | result: integer: 2 fix: | - The following commands must be run to disable passcode based authentication for SSHD: [source,bash] ---- /usr/bin/sed -i.bak_$(date "+%Y-%m-%d_%H:%M") "s|#PasswordAuthentication yes|PasswordAuthentication no|; s|#ChallengeResponseAuthentication yes|ChallengeResponseAuthentication no|" /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd From c9a09666200cf52f31a7dcb7263efc06e388436f Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 30 Jun 2021 15:17:59 -0400 Subject: [PATCH 059/135] removed rev4 reference, updated rev5 --- templates/adoc_additional_docs.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc index 3e69ed54..e696e735 100644 --- a/templates/adoc_additional_docs.adoc +++ b/templates/adoc_additional_docs.adoc @@ -18,7 +18,7 @@ ASSOCIATED DOCUMENTS |=== |Document Number |Document Title -|link:https://nvd.nist.gov/800-53[NIST Special Publication 800-53 Rev 4]|_NIST Special Publication 800-53 Rev 4_ +|link:https://nvd.nist.gov/800-53[NIST Special Publication 800-53 Rev 5]|_NIST Special Publication 800-53 Rev 5_ |=== [%header, cols=2*a] @@ -42,7 +42,7 @@ ASSOCIATED DOCUMENTS |=== |Document Number |Document Title -|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_OS_X_10-15_V1R2_STIG.zip[STIG Ver 1, Rel 2]|_Apple OS X 10.15 (Catalina) STIG_ +|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_11_V1R2_STIG.zip[STIG Ver 1, Rel 2]|_Apple macOS 11 (Big Sur) STIG_ |=== [%header, cols=2*a] From 42f1dcb699f4e2f42201911ef602963d546d3439 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 30 Jun 2021 15:18:32 -0400 Subject: [PATCH 060/135] issue #75 --- rules/os/os_facetime_app_disable.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
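Review bot: The sed in the fix (context here, not changed by this hunk) only rewrites the commented defaults `#PasswordAuthentication yes` and `#ChallengeResponseAuthentication yes`; an sshd_config where an administrator already uncommented `PasswordAuthentication yes` is left untouched, so the fix is a no-op on exactly the hosts that need it. The PermitRootLogin rule in this same series uses `s/^[\#]*PermitRootLogin.*/PermitRootLogin no/`; the same form, `s|^[#]*PasswordAuthentication.*|PasswordAuthentication no|; s|^[#]*ChallengeResponseAuthentication.*|ChallengeResponseAuthentication no|`, covers both the commented and the active case. Neither form adds a directive that is missing from the file entirely, which the check (outside this hunk, expecting 2) would presumably still report.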
diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml index 3d37f1df..50e95d21 100644 --- a/rules/os/os_facetime_app_disable.yaml +++ b/rules/os/os_facetime_app_disable.yaml @@ -26,7 +26,7 @@ references: - SRG-OS-000095-GPOS-00049 - SRG-OS-000370-GPOS-00155 disa_stig: - - ASOX-14-002010 + - ASOX-11-002010 800-171r2: - 3.1.20 - 3.4.6 From 5d324cb780aa8d56f7ac27598bfbe974e41289c8 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 30 Jun 2021 15:18:59 -0400 Subject: [PATCH 061/135] added a note about apple silicon --- rules/os/os_filevault_autologin_disable.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml index aa278aa1..c22820df 100644 --- a/rules/os/os_filevault_autologin_disable.yaml +++ b/rules/os/os_filevault_autologin_disable.yaml @@ -4,6 +4,8 @@ discussion: | If FileVault is enabled, automatic login _MUST_ be disabled, so that both FileVault and login window authentication are required. The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing your FileVault credentials. + + NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon based macOS systems that are smartcard enforced as smartcards are available at pre-boot. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableFDEAutoLogin = 1' result: From 26ceea7eb55d087971faa69b042c0cb6193b279e Mon Sep 17 00:00:00 2001 
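Review bot: The identifier becomes `ASOX-11-002010`, but every other macOS 11 STIG reference in this series uses the `APPL-11-` prefix (for example `APPL-11-004001` and `APPL-11-004002` in the newsyslog rules), so this looks like the old ASOX-14 value with only the version digit changed. Please confirm the ID against the Big Sur STIG that the adoc template now links (U_Apple_macOS_11_V1R2_STIG) and use the `APPL-11-` form if that is what it lists.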
From: Bob Gendler Date: Wed, 30 Jun 2021 15:19:33 -0400 Subject: [PATCH 062/135] Password policy note for 800-53r5 IA-5 and IA-5(1) --- rules/pwpolicy/pwpolicy_60_day_enforce.yaml | 2 ++ rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml | 2 ++ rules/pwpolicy/pwpolicy_history_enforce.yaml | 2 +- rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml | 2 ++ rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml | 2 ++ rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml | 2 ++ rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml | 2 ++ rules/pwpolicy/pwpolicy_special_character_enforce.yaml | 2 ++ rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml | 2 ++ sections/passwordpolicy.yaml | 2 +- 10 files changed, 18 insertions(+), 2 deletions(-) diff --git a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml index 475468b2..cd94cc09 100644 --- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml @@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to enforce a maximum password lifetime limit of at least 60 days. This rule ensures that users are forced to change their passwords frequently enough to prevent malicious users from gaining and maintaining access to the system. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/awk -F " = " '/maxPINAgeInDays/{sub(/;.*/,"");print $2}' result: diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml index 98ffea37..37bb0cb3 100644 --- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml 
@@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to require at least one numeric character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c "requireAlphanumeric = 1;" result: diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml index a75d480e..93b7ee5f 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml @@ -16,7 +16,7 @@ references: cce: - CCE-85407-5 cci: - - CCI-000200 + - CCI-000200 800-53r5: - IA-5(1) 800-53r4: diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index 70c3a752..6d0a6f6e 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml 
@@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to require at least one lower-case character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="minimumAlphaCharactersLowerCase"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}' result: diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index 9c7f0f07..487962f7 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml @@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to require a minimum of 15 characters be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'minLength = 15' result: diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index 45cb6d38..7aeef2a6 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml 
@@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to enforce a minimum password lifetime limit of 24 hours. This rule discourages users from cycling through their previous passwords to get back to a preferred one. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="policyAttributeMinimumLifetimeHours"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}' result: diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml index cfc16c0f..06e27081 100644 --- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml +++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml @@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to prohibit the use of repeating, ascending, and descending character sequences when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowSimple = 0' result: diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index 419730c8..bddd6c53 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml 
@@ -6,6 +6,8 @@ discussion: | Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/awk '/minComplexChars/{sub(/;.*/,"");print $3}' result: diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index ad02e7f0..7e675226 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml @@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to require at least one uppercase character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="minimumAlphaCharactersUpperCase"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}' result: diff --git a/sections/passwordpolicy.yaml b/sections/passwordpolicy.yaml index b6e8f52c..02dd17bb 100644 --- a/sections/passwordpolicy.yaml +++ b/sections/passwordpolicy.yaml 
@@ -6,7 +6,7 @@ [IMPORTANT] ==== - The password policy recommendations used to develop these rules fall under the NIST SP 800-53 (Rev. 4), however the NIST SP 800-53 (Rev. 5) was released on September 23rd, 2020 with updated guidance on password policies. + The password policy recommendations in the NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. ==== NOTE: The settings outlined in this section adhere to the recommendations provided in this document for systems that utilize passwords for local accounts. If systems are integrated with a directory service, local password policies should align with domain password policies to the fullest extent feasible. \ No newline at end of file From 0b7846355a21eb180922725a5fb88314c637e4f7 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 30 Jun 2021 15:28:09 -0400 Subject: [PATCH 063/135] added missing mobileconfig info --- rules/sysprefs/sysprefs_guest_access_smb_disable.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml index fe4a2593..4ac07a63 100644 --- a/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml @@ -39,4 +39,5 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high -mobileconfig: false \ No newline at end of file +mobileconfig: false +mobileconfig_info: \ No newline at end of file From e9821f61a1bc48c67e9c5188bd892a82dd78f3d3 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 30 Jun 2021 15:56:05 -0400 Subject: [PATCH 064/135] minor changes to the test --- rules/audit/audit_failure_halt.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index 77494dfb..a6806f39 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml @@ -5,7 +5,7 @@ discussion: | Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. check: | - /usr/bin/awk -F':' '/^policy/ {print $NF}' audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt' + /usr/bin/awk -F':' '/^policy/ {print $NF}' audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt' result: integer: 1 fix: | From d242372bf25c15d2b7f33ce31cf2d3336f747ee7 Mon Sep 17 00:00:00 2001 From: Gendler Date: Thu, 1 Jul 2021 12:03:32 -0400 Subject: [PATCH 065/135] baseline tags added --- rules/pwpolicy/pwpolicy_50_percent.yaml | 2 ++ rules/pwpolicy/pwpolicy_60_day_enforce.yaml | 3 +++ rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml | 2 ++ rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml | 3 +++ rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml | 3 +++ rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml | 3 +++ rules/pwpolicy/pwpolicy_force_password_change.yaml | 3 +++ rules/pwpolicy/pwpolicy_history_enforce.yaml | 5 +++++ rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml | 4 +++- rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml | 3 +++ rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml | 3 +++ rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml | 3 +++ rules/pwpolicy/pwpolicy_special_character_enforce.yaml | 3 +++ .../pwpolicy_temporary_or_emergency_accounts_disable.yaml | 2 ++ rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml | 3 +++ 15 files changed, 44 insertions(+), 1 deletion(-) 
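Review bot: The `check:` on the `+` line reads `audit_control` by a relative path, so it inspects whatever file of that name exists in the caller's working directory (or fails on a missing file) instead of the system audit configuration, and a compliance script generated from this rule will return a wrong or empty count. The old and new lines are textually identical here, so this commit appears to change whitespace only and leaves the path as it was. Use the absolute path: `/usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'`.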
diff --git a/rules/pwpolicy/pwpolicy_50_percent.yaml b/rules/pwpolicy/pwpolicy_50_percent.yaml index cfe5d1cc..e161d4b6 100644 --- a/rules/pwpolicy/pwpolicy_50_percent.yaml +++ b/rules/pwpolicy/pwpolicy_50_percent.yaml @@ -15,6 +15,8 @@ references: - CCE-85399-4 cci: - CCI-000195 + 800-54r5: + - N/A 800-53r4: - IA-5 - IA-5(1)(b) diff --git a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml index cd94cc09..e7a6a1de 100644 --- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml @@ -41,6 +41,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml index 3e7187be..35bc8d62 100644 --- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml @@ -58,5 +58,7 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_moderate + - 800-53r5_high mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml index 000e8553..ffdfa618 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml @@ -33,6 +33,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml index 95246460..0722a555 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml 
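Review bot: The reference key added to `pwpolicy_50_percent.yaml` is `800-54r5:`, while every other rule in this series uses `800-53r5:` (see the supplemental rules in patch 066 and the generator's `rule_yaml['references']['800-53r5']` lookups in patch 068), so this rule's r5 reference will never be read. In `main()` the KeyError fallback would silently render N/A, and in `create_rules` the `['800-53r5']` index has no visible try/except, so it may raise unless the references loop fills in missing keys. Change the two added lines to `800-53r5:` / `- N/A`.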
@@ -33,6 +33,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml index 37bb0cb3..cdc6150e 100644 --- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml @@ -41,6 +41,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml index 9c63e2f2..7624014e 100644 --- a/rules/pwpolicy/pwpolicy_force_password_change.yaml +++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml @@ -44,6 +44,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - inherent mobileconfig: false mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml index 93b7ee5f..ec1de736 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml @@ -6,6 +6,8 @@ discussion: | This rule ensures that users are not allowed to re-use a password that was used in any of the five previous password generations. Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/awk '/pinHistory/{sub(/;.*/,"");print $3}' result: 
@@ -38,6 +40,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index 6d0a6f6e..821354f3 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml @@ -65,6 +65,8 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high - + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index 487962f7..11c22d26 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml @@ -41,6 +41,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index 7aeef2a6..809c8042 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml @@ -62,5 +62,8 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml index 06e27081..34bafa66 100644 --- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml +++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml 
@@ -41,6 +41,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high mobileconfig: true mobileconfig_info: com.apple.mobiledevice.passwordpolicy: diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index bddd6c53..a85c693b 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml @@ -43,6 +43,9 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - stig severity: "medium" mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml index 1ccc19e5..168095f4 100644 --- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml @@ -74,6 +74,8 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high - manual - stig severity: "medium" diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index 7e675226..902625a7 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml @@ -65,5 +65,8 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high mobileconfig: false mobileconfig_info: \ No newline at end of file From 01c0f4a7ba506d5101fea807ebe8edb5d999fd45 Mon Sep 17 00:00:00 2001 
From: Gendler Date: Thu, 1 Jul 2021 12:13:38 -0400 Subject: [PATCH 066/135] added 800-53r5 N/A --- rules/supplemental/supplemental_controls.yaml | 2 ++ rules/supplemental/supplemental_filevault.yaml | 2 ++ rules/supplemental/supplemental_firewall_pf.yaml | 2 ++ rules/supplemental/supplemental_password_policy.yaml | 2 ++ rules/supplemental/supplemental_smartcard.yaml | 2 ++ 5 files changed, 10 insertions(+) diff --git a/rules/supplemental/supplemental_controls.yaml b/rules/supplemental/supplemental_controls.yaml index ba0a2a8f..fed402a1 100644 --- a/rules/supplemental/supplemental_controls.yaml +++ b/rules/supplemental/supplemental_controls.yaml @@ -181,6 +181,8 @@ fix: | references: cci: - N/A + 800-53r5: + - N/A 800-53r4: - N/A srg: diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml index bc1f394c..2e77defb 100644 --- a/rules/supplemental/supplemental_filevault.yaml +++ b/rules/supplemental/supplemental_filevault.yaml @@ -57,6 +57,8 @@ fix: | references: cci: - N/A + 800-53r5: + - N/A 800-53r4: - N/A srg: diff --git a/rules/supplemental/supplemental_firewall_pf.yaml b/rules/supplemental/supplemental_firewall_pf.yaml index 9fe2f03a..db2823df 100644 --- a/rules/supplemental/supplemental_firewall_pf.yaml +++ b/rules/supplemental/supplemental_firewall_pf.yaml @@ -106,6 +106,8 @@ fix: | references: cci: - N/A + 800-53r5: + - N/A 800-53r4: - N/A srg: diff --git a/rules/supplemental/supplemental_password_policy.yaml b/rules/supplemental/supplemental_password_policy.yaml index 3b1011d8..f3869e77 100644 --- a/rules/supplemental/supplemental_password_policy.yaml +++ b/rules/supplemental/supplemental_password_policy.yaml @@ -38,6 +38,8 @@ fix: | references: cci: - N/A + 800-53r5: + - N/A 800-53r4: - N/A srg: diff --git a/rules/supplemental/supplemental_smartcard.yaml b/rules/supplemental/supplemental_smartcard.yaml index a13fc120..53b08b70 100644 --- a/rules/supplemental/supplemental_smartcard.yaml 
+++ b/rules/supplemental/supplemental_smartcard.yaml @@ -224,6 +224,8 @@ fix: | references: cci: - N/A + 800-53r5: + - N/A 800-53r4: - N/A srg: From 7ccb4813e206083c3158d5af1732fe4097133c30 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 1 Jul 2021 13:11:08 -0400 Subject: [PATCH 067/135] changed softwareupdate to SoftwareUpdate --- rules/os/os_config_data_install_enforce.yaml | 2 +- rules/sysprefs/sysprefs_critical_update_install_enforce.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index 2c2e9df8..773437cc 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml @@ -36,5 +36,5 @@ tags: - 800-53r5_high mobileconfig: true mobileconfig_info: - com.apple.softwareupdate: + com.apple.SoftwareUpdate: configdatainstall: true diff --git a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml index f43af514..12ce842c 100644 --- a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml +++ b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml @@ -31,5 +31,5 @@ tags: - 800-53r5_high mobileconfig: true mobileconfig_info: - com.apple.softwareupdate: + com.apple.SoftwareUpdate: criticalUpdateInstall: true From ea48d605de4c3a0b3f831da66c37f1a3e20db63d Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 1 Jul 2021 13:11:54 -0400 Subject: [PATCH 068/135] generate guidance and templates updated for 800-53r5 --- scripts/generate_guidance.py | 42 ++++++++++++++-------------- templates/adoc_rule.adoc | 4 +-- templates/adoc_rule_custom_refs.adoc | 4 +-- templates/adoc_rule_no_setting.adoc | 4 +-- 4 files changed, 27 insertions(+), 27 deletions(-) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 29475829..cddbf0fa 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py 
@@ -32,7 +32,7 @@ class MacSecurityRule(): self.rule_fix = fix self.rule_cci = cci self.rule_cce = cce - self.rule_80053r4 = nist_controls + self.rule_80053r5 = nist_controls self.rule_800171 = nist_171 self.rule_disa_stig = disa_stig self.rule_srg = srg @@ -53,7 +53,7 @@ class MacSecurityRule(): rule_check=self.rule_check, rule_fix=self.rule_fix, rule_cci=self.rule_cci, - rule_80053r4=self.rule_80053r4, + rule_80053r5=self.rule_80053r5, rule_disa_stig=self.rule_disa_stig, rule_srg=self.rule_srg, rule_result=self.rule_result_value @@ -734,11 +734,11 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)" continue # grab the 800-53 controls try: - rule_yaml['references']['800-53r4'] + rule_yaml['references']['800-53r5'] except KeyError: - nist_80053r4 = 'N/A' + nist_80053r5 = 'N/A' else: - nist_80053r4 = rule_yaml['references']['800-53r4'] + nist_80053r5 = rule_yaml['references']['800-53r5'] #try: # rule_yaml['references']['disa_stig'] @@ -778,9 +778,9 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)" # group the controls - nist_80053r4.sort() + nist_80053r5.sort() res = [list(i) for j, i in groupby( - nist_80053r4, lambda a: a.split('(')[0])] + nist_80053r5, lambda a: a.split('(')[0])] nist_controls = '' for i in res: nist_controls += group_ulify(i) @@ -1013,7 +1013,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(0, 5, "Check", headers) sheet1.write(0, 6, "Check Result", headers) sheet1.write(0, 7, "Fix", headers) - sheet1.write(0, 8, "800-53r4", headers) + sheet1.write(0, 8, "800-53r5", headers) sheet1.write(0, 9, "800-171", headers) sheet1.write(0, 10, "SRG", headers) sheet1.write(0, 11, "DISA STIG", headers) 
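Review bot: In the `except KeyError` branch of the @@ -734 hunk `nist_80053r5` is set to the string `'N/A'`, but the same variable is then sorted and grouped in the @@ -778 hunk (`nist_80053r5.sort()`), and `main()` repeats the pattern at @@ -1494 and @@ -1572 on the next line; `str` has no `.sort()`, so a rule without an `800-53r5` reference raises AttributeError instead of rendering N/A. The defect predates the rename, but the rename rewrites exactly these lines, so it is the natural place to fix it: `nist_80053r5 = ['N/A']` in both `except` branches (assuming `group_ulify` accepts a one-item list, which its use on the grouped lists suggests). Both enclosing functions extend beyond the hunks shown.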
@@ -1069,7 +1069,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.col(7).width = 1000 * 50 baseline_refs = ( - str(rule.rule_80053r4)).strip('[]\'') + str(rule.rule_80053r5)).strip('[]\'') baseline_refs = baseline_refs.replace(", ", "\n").replace("\'", "") sheet1.write(counter, 8, baseline_refs, topWrap) @@ -1136,7 +1136,7 @@ def create_rules(baseline_yaml): references = ['disa_stig', 'cci', 'cce', - '800-53r4', + '800-53r5', '800-171r2', 'srg', 'custom'] @@ -1173,7 +1173,7 @@ def create_rules(baseline_yaml): rule_yaml['fix'].replace('|', '\|'), rule_yaml['references']['cci'], rule_yaml['references']['cce'], - rule_yaml['references']['800-53r4'], + rule_yaml['references']['800-53r5'], rule_yaml['references']['800-171r2'], rule_yaml['references']['disa_stig'], rule_yaml['references']['srg'], @@ -1494,19 +1494,19 @@ def main(): cce = ulify(rule_yaml['references']['cce']) try: - rule_yaml['references']['800-53r4'] + rule_yaml['references']['800-53r5'] except KeyError: - nist_80053r4 = 'N/A' + nist_80053r5 = 'N/A' else: - #nist_80053r4 = ulify(rule_yaml['references']['800-53r4']) - nist_80053r4 = rule_yaml['references']['800-53r4'] + #nist_80053r5 = ulify(rule_yaml['references']['800-53r5']) + nist_80053r5 = rule_yaml['references']['800-53r5'] try: rule_yaml['references']['800-171r2'] except KeyError: nist_800171 = '• N/A' else: - #nist_80053r4 = ulify(rule_yaml['references']['800-53r4']) + #nist_80053r5 = ulify(rule_yaml['references']['800-53r5']) nist_800171 = ulify(rule_yaml['references']['800-171r2']) try: @@ -1572,9 +1572,9 @@ def main(): rule_yaml['mobileconfig_info']) # process nist controls for grouping - nist_80053r4.sort() + nist_80053r5.sort() res = [list(i) for j, i in groupby( - nist_80053r4, lambda a: a.split('(')[0])] + nist_80053r5, lambda a: a.split('(')[0])] nist_controls = '' for i in res: nist_controls += group_ulify(i) 
@@ -1591,7 +1591,7 @@ def main(): rule_discussion=rule_yaml['discussion'].replace('|', '\|'), rule_check=rule_yaml['check'], # .replace('|', '\|'), rule_fix=rulefix, - rule_80053r4=nist_controls, + rule_80053r5=nist_controls, rule_800171=nist_800171, rule_disa_stig=disa_stig, rule_cce=cce, @@ -1606,7 +1606,7 @@ def main(): rule_check=rule_yaml['check'], # .replace('|', '\|'), rule_fix=rulefix, rule_cci=cci, - rule_80053r4=nist_controls, + rule_80053r5=nist_controls, rule_800171=nist_800171, rule_disa_stig=disa_stig, rule_cce=cce, @@ -1623,7 +1623,7 @@ def main(): rule_check=rule_yaml['check'], # .replace('|', '\|'), rule_fix=rulefix, rule_cci=cci, - rule_80053r4=nist_controls, + rule_80053r5=nist_controls, rule_800171=nist_800171, rule_disa_stig=disa_stig, rule_cce=cce, diff --git a/templates/adoc_rule.adoc b/templates/adoc_rule.adoc index d741b09f..df9683bd 100644 --- a/templates/adoc_rule.adoc +++ b/templates/adoc_rule.adoc @@ -32,8 +32,8 @@ $rule_fix [grid="cols"] !=== -!800-53r4 -!$rule_80053r4 +!800-53r5 +!$rule_80053r5 ifdef::show_171[] !800-171r2 diff --git a/templates/adoc_rule_custom_refs.adoc b/templates/adoc_rule_custom_refs.adoc index 8ffbd2ea..19cd3165 100644 --- a/templates/adoc_rule_custom_refs.adoc +++ b/templates/adoc_rule_custom_refs.adoc @@ -32,8 +32,8 @@ $rule_fix [grid="cols"] !=== -!800-53r4 -!$rule_80053r4 +!800-53r5 +!$rule_80053r5 ifdef::show_171[] !800-171r2 diff --git a/templates/adoc_rule_no_setting.adoc b/templates/adoc_rule_no_setting.adoc index 48f0de0f..a0a4a207 100644 --- a/templates/adoc_rule_no_setting.adoc +++ b/templates/adoc_rule_no_setting.adoc @@ -18,8 +18,8 @@ $rule_check [grid="cols"] !=== -!800-53r4 -!$rule_80053r4 +!800-53r5 +!$rule_80053r5 ifdef::show_171[] !800-171r2 From 55d8f77c9be6a665b0027d3cbe011502c87487dc Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Fri, 2 Jul 2021 13:40:41 -0400 Subject: [PATCH 069/135] baseline tags added for r5 --- rules/audit/audit_acls_files_configure.yaml | 5 +-- rules/audit/audit_acls_folders_configure.yaml | 7 +++-- rules/audit/audit_failure_halt.yaml | 7 +++-- rules/audit/audit_files_group_configure.yaml | 7 +++-- rules/audit/audit_files_mode_configure.yaml | 7 +++-- rules/audit/audit_files_owner_configure.yaml | 7 +++-- rules/audit/audit_flags_aa_configure.yaml | 7 +++-- rules/audit/audit_flags_ad_configure.yaml | 7 +++-- rules/audit/audit_flags_ex_configure.yaml | 8 ++--- rules/audit/audit_flags_fd_configure.yaml | 1 + rules/audit/audit_flags_fm_configure.yaml | 7 +++-- rules/audit/audit_flags_fr_configure.yaml | 7 +++-- rules/audit/audit_flags_fw_configure.yaml | 7 +++-- rules/audit/audit_flags_lo_configure.yaml | 7 +++-- rules/audit/audit_folder_group_configure.yaml | 7 +++-- rules/audit/audit_folder_owner_configure.yaml | 7 +++-- rules/audit/audit_folders_mode_configure.yaml | 7 +++-- ...it_record_reduction_report_generation.yaml | 3 +- rules/audit/audit_records_processing.yaml | 3 +- rules/audit/audit_retention_configure.yaml | 6 ++-- .../audit/audit_settings_failure_notify.yaml | 4 ++- ...rtcard_certificate_trust_enforce_high.yaml | 3 +- ...rd_certificate_trust_enforce_moderate.yaml | 3 +- rules/icloud/icloud_addressbook_disable.yaml | 7 +++-- .../icloud_appleid_prefpane_disable.yaml | 7 +++-- rules/icloud/icloud_bookmarks_disable.yaml | 7 +++-- rules/icloud/icloud_calendar_disable.yaml | 7 +++-- rules/icloud/icloud_drive_disable.yaml | 7 +++-- rules/icloud/icloud_keychain_disable.yaml | 7 +++-- rules/icloud/icloud_mail_disable.yaml | 7 +++-- rules/icloud/icloud_notes_disable.yaml | 7 +++-- rules/icloud/icloud_photos_disable.yaml | 7 +++-- rules/icloud/icloud_reminders_disable.yaml | 7 +++-- rules/icloud/icloud_sync_disable.yaml | 7 +++-- rules/os/os_appleid_prompt_disable.yaml | 7 +++-- rules/os/os_bonjour_disable.yaml | 7 +++-- 
rules/os/os_calendar_app_disable.yaml | 7 +++-- rules/os/os_certificate_authority_trust.yaml | 4 ++- rules/os/os_continuous_monitoring.yaml | 7 +++-- rules/os/os_enforce_access_restrictions.yaml | 1 + rules/os/os_facetime_app_disable.yaml | 7 +++-- rules/os/os_fail_secure_state.yaml | 1 + rules/os/os_filevault_user_account.yaml | 4 +-- rules/os/os_guest_account_disable.yaml | 7 +++-- rules/os/os_hbss_installed.yaml | 2 +- .../os/os_icloud_storage_prompt_disable.yaml | 7 +++-- rules/os/os_implement_cryptography.yaml | 11 ++++--- ...os_internet_accounts_prefpane_disable.yaml | 5 +-- rules/os/os_ir_support_disable.yaml | 7 +++-- rules/os/os_mail_app_disable.yaml | 7 +++-- rules/os/os_malicious_code_prevention.yaml | 31 +++++++++++++------ rules/os/os_mdm_require.yaml | 7 +++-- rules/os/os_messages_app_disable.yaml | 7 +++-- rules/os/os_parental_controls_enable.yaml | 7 +++-- rules/os/os_password_autofill_disable.yaml | 7 +++-- rules/os/os_password_proximity_disable.yaml | 7 +++-- rules/os/os_password_sharing_disable.yaml | 7 +++-- rules/os/os_prevent_priv_functions.yaml | 6 ++-- rules/os/os_protect_dos_attacks.yaml | 5 ++- ..._provide_automated_account_management.yaml | 4 ++- rules/os/os_secure_boot_verify.yaml | 2 ++ rules/os/os_siri_prompt_disable.yaml | 7 +++-- rules/os/os_store_encrypted_passwords.yaml | 7 +++-- rules/os/os_system_read_only.yaml | 2 ++ rules/os/os_touchid_prompt_disable.yaml | 7 +++-- .../sysprefs_apple_watch_unlock_disable.yaml | 6 ++-- .../sysprefs/sysprefs_bluetooth_disable.yaml | 5 +-- .../sysprefs_content_caching_disable.yaml | 7 +++-- .../sysprefs_diagnostics_reports_disable.yaml | 5 +-- rules/sysprefs/sysprefs_find_my_disable.yaml | 7 +++-- rules/sysprefs/sysprefs_firewall_enable.yaml | 5 +-- ...sysprefs_firewall_stealth_mode_enable.yaml | 7 +++-- .../sysprefs_guest_access_smb_disable.yaml | 7 +++-- ...sprefs_improve_siri_dictation_disable.yaml | 7 +++-- .../sysprefs_internet_sharing_disable.yaml | 5 +-- 
.../sysprefs_location_services_disable.yaml | 7 +++-- ...refs_personalized_advertising_disable.yaml | 8 +++-- .../sysprefs/sysprefs_power_nap_disable.yaml | 7 +++-- ...nsaver_ask_for_password_delay_enforce.yaml | 6 ++-- ...sysprefs_screensaver_password_enforce.yaml | 6 ++-- .../sysprefs_screensaver_timeout_enforce.yaml | 7 +++-- rules/sysprefs/sysprefs_siri_disable.yaml | 7 +++-- .../sysprefs_token_removal_enforce.yaml | 6 ++-- .../sysprefs_touchid_unlock_disable.yaml | 7 +++-- rules/sysprefs/sysprefs_wifi_disable.yaml | 2 -- 85 files changed, 365 insertions(+), 174 deletions(-) diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index be82b34f..fefcfe33 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -35,11 +35,12 @@ references: macOS: - "11.0" tags: - - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_low - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-53r5_moderate + - 800-53r5_high - 800-171 - cnssi-1253 - stig diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml index 67f3c542..ebc8a4b3 100644 --- a/rules/audit/audit_acls_folders_configure.yaml +++ b/rules/audit/audit_acls_folders_configure.yaml @@ -31,11 +31,14 @@ references: macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_low - 800-53r4_moderate - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index a6806f39..afa0e68a 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml 
@@ -31,11 +31,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml
index 45787d32..66e22114 100644
--- a/rules/audit/audit_files_group_configure.yaml
+++ b/rules/audit/audit_files_group_configure.yaml
@@ -33,11 +33,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml
index 194a9d60..960ec60c 100644
--- a/rules/audit/audit_files_mode_configure.yaml
+++ b/rules/audit/audit_files_mode_configure.yaml
@@ -29,11 +29,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml
index 9709bddc..bb87af4b 100644
--- a/rules/audit/audit_files_owner_configure.yaml
+++ b/rules/audit/audit_files_owner_configure.yaml
@@ -33,11 +33,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml
index 55e8a3e3..e7a82ef6 100644
--- a/rules/audit/audit_flags_aa_configure.yaml
+++ b/rules/audit/audit_flags_aa_configure.yaml
@@ -42,12 +42,13 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_privacy
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-171
 - cnssi-1253
 - stig
diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml
index bfc5ab38..6996fd18 100644
--- a/rules/audit/audit_flags_ad_configure.yaml
+++ b/rules/audit/audit_flags_ad_configure.yaml
@@ -63,12 +63,13 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r5_low
+ - 800-53r5_privacy
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r5_low
 - 800-171
 - cnssi-1253
 - stig
diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml
index ea37c958..0ceac32d 100644
--- a/rules/audit/audit_flags_ex_configure.yaml
+++ b/rules/audit/audit_flags_ex_configure.yaml
@@ -39,14 +39,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_privacy
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-171
 - cnssi-1253
-
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml
index 22b91d91..5582bdef 100644
--- a/rules/audit/audit_flags_fd_configure.yaml
+++ b/rules/audit/audit_flags_fd_configure.yaml
@@ -53,6 +53,7 @@ references:
 macOS:
 - "11.0"
 tags:
+ - 800-53r5_privacy
 - 800-53r5_low
 - 800-53r5_moderate
 - 800-53r5_high
diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml
index 6f877453..e8913f45 100644
--- a/rules/audit/audit_flags_fm_configure.yaml
+++ b/rules/audit/audit_flags_fm_configure.yaml
@@ -55,12 +55,13 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_privacy
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-171
 - cnssi-1253
 - stig
diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml
index 09cf775f..0e59cded 100644
--- a/rules/audit/audit_flags_fr_configure.yaml
+++ b/rules/audit/audit_flags_fr_configure.yaml
@@ -55,12 +55,13 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_privacy
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-171
 - cnssi-1253
 - stig
diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml
index 4164aec8..c234b8db 100644
--- a/rules/audit/audit_flags_fw_configure.yaml
+++ b/rules/audit/audit_flags_fw_configure.yaml
@@ -54,12 +54,13 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_privacy
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-171
 - cnssi-1253
 - stig
diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml
index 67936907..449372ba 100644
--- a/rules/audit/audit_flags_lo_configure.yaml
+++ b/rules/audit/audit_flags_lo_configure.yaml
@@ -43,12 +43,13 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_privacy
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-171
 - cnssi-1253
 - stig
diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml
index f2c3f08c..3797c791 100644
--- a/rules/audit/audit_folder_group_configure.yaml
+++ b/rules/audit/audit_folder_group_configure.yaml
@@ -33,11 +33,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml
index 06200a94..f04a1fb6 100644
--- a/rules/audit/audit_folder_owner_configure.yaml
+++ b/rules/audit/audit_folder_owner_configure.yaml
@@ -33,11 +33,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml
index 08e103cc..9e042f5c 100644
--- a/rules/audit/audit_folders_mode_configure.yaml
+++ b/rules/audit/audit_folders_mode_configure.yaml
@@ -35,11 +35,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
diff --git a/rules/audit/audit_record_reduction_report_generation.yaml b/rules/audit/audit_record_reduction_report_generation.yaml
index f049c333..8e3a0fde 100644
--- a/rules/audit/audit_record_reduction_report_generation.yaml
+++ b/rules/audit/audit_record_reduction_report_generation.yaml
@@ -28,8 +28,9 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_high
+ - 800-53r5_moderate
 - inherent
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_records_processing.yaml b/rules/audit/audit_records_processing.yaml
index c0f4f556..b69ff929 100644
--- a/rules/audit/audit_records_processing.yaml
+++ b/rules/audit/audit_records_processing.yaml
@@ -26,8 +26,9 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_high
+ - 800-53r5_moderate
 - permanent
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml
index 223bc60b..995c352a 100644
--- a/rules/audit/audit_retention_configure.yaml
+++ b/rules/audit/audit_retention_configure.yaml
@@ -32,12 +32,12 @@ macOS:
 - "11.0"
 tags:
 - 800-53r5_privacy
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - cnssi-1253
 - stig
 severity: "medium"
diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml
index 5d728786..1e85fcf9 100644
--- a/rules/audit/audit_settings_failure_notify.yaml
+++ b/rules/audit/audit_settings_failure_notify.yaml
@@ -33,8 +33,10 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-53r5_high
+ - 800-53r5_low
+ - 800-53r5_moderate
 - 800-53r4_high
+ - 800-53r5_high
 - 800-171
 - stig
 severity: "medium"
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
index 59b34b02..3c99fa0f 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
@@ -20,7 +20,6 @@ references:
 cci:
 - CCI-000186
 800-53r5:
- - IA-2(12)
 - IA-5(2)
 - SC-17
 800-53r4:
@@ -33,8 +32,8 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-53r5_high
 - 800-53r4_high
+ - 800-53r5_high
 mobileconfig: true
 mobileconfig_info:
 com.apple.security.smartcard:
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
index 1d3d268b..11de0e23 100644
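Review bot: Dropping `- IA-2(12)` from the `800-53r5:` list of auth_smartcard_certificate_trust_enforce_high.yaml while leaving it under `800-53r4:` (here and in the moderate variant in the next file) is not explained by the commit, and the rule's CCI-000186 reference still points at PKI-based authentication. As far as I can tell IA-2(12), Acceptance of PIV Credentials, was retained in SP 800-53 Rev. 5, so this reads more like an accidental deletion than a deliberate re-mapping; please confirm. If it is deliberate, a short comment on the `800-53r5:` key stating the reason would stop the rev4/rev5 asymmetry from being "fixed" later. The `references:` map continues outside the hunk.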
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
@@ -24,7 +24,6 @@ references:
 - CCI-001953
 - CCI-001954
 800-53r5:
- - IA-2(12)
 - IA-5(2)
 - SC-17
 800-53r4:
@@ -41,8 +40,8 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-53r5_moderate
 - 800-53r4_moderate
+ - 800-53r5_moderate
 - cnssi-1253
 - stig
 severity: "medium"
diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml
index 6c246160..3e61d382 100644
--- a/rules/icloud/icloud_addressbook_disable.yaml
+++ b/rules/icloud/icloud_addressbook_disable.yaml
@@ -36,11 +36,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "low"
 mobileconfig: true
diff --git a/rules/icloud/icloud_appleid_prefpane_disable.yaml b/rules/icloud/icloud_appleid_prefpane_disable.yaml
index 53ac5589..2a38ca86 100644
--- a/rules/icloud/icloud_appleid_prefpane_disable.yaml
+++ b/rules/icloud/icloud_appleid_prefpane_disable.yaml
@@ -33,11 +33,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "high"
 mobileconfig: true
diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml
index bcad7510..491e1bd4 100644
--- a/rules/icloud/icloud_bookmarks_disable.yaml
+++ b/rules/icloud/icloud_bookmarks_disable.yaml
@@ -36,11 +36,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: true
diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml
index 16c0abc1..33ae062e 100644
--- a/rules/icloud/icloud_calendar_disable.yaml
+++ b/rules/icloud/icloud_calendar_disable.yaml
@@ -36,11 +36,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "low"
 mobileconfig: true
diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml
index 989131c8..d4dee654 100644
--- a/rules/icloud/icloud_drive_disable.yaml
+++ b/rules/icloud/icloud_drive_disable.yaml
@@ -36,11 +36,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: true
diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml
index 407a0ef3..71f05b1f 100644
--- a/rules/icloud/icloud_keychain_disable.yaml
+++ b/rules/icloud/icloud_keychain_disable.yaml
@@ -36,11 +36,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: true
diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml
index 4900f031..d42aca9b 100644
--- a/rules/icloud/icloud_mail_disable.yaml
+++ b/rules/icloud/icloud_mail_disable.yaml
@@ -36,11 +36,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "low"
 mobileconfig: true
diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml
index 099f583c..dd95bbb7 100644
--- a/rules/icloud/icloud_notes_disable.yaml
+++ b/rules/icloud/icloud_notes_disable.yaml
@@ -36,11 +36,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "low"
 mobileconfig: true
diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml
index 786c0e60..33bd890e 100644
--- a/rules/icloud/icloud_photos_disable.yaml
+++ b/rules/icloud/icloud_photos_disable.yaml
@@ -36,11 +36,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: true
diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml
index d2143f1c..f905a380 100644
--- a/rules/icloud/icloud_reminders_disable.yaml
+++ b/rules/icloud/icloud_reminders_disable.yaml
@@ -36,11 +36,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "low"
 mobileconfig: true
diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml
index fe6fc104..4675b690 100644
--- a/rules/icloud/icloud_sync_disable.yaml
+++ b/rules/icloud/icloud_sync_disable.yaml
@@ -35,11 +35,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 mobileconfig: true
 mobileconfig_info:
 com.apple.applicationaccess:
diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml
index 79de8d81..ece0335e 100644
--- a/rules/os/os_appleid_prompt_disable.yaml
+++ b/rules/os/os_appleid_prompt_disable.yaml
@@ -28,11 +28,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: true
diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml
index 75a256ce..0399ee1e 100644
--- a/rules/os/os_bonjour_disable.yaml
+++ b/rules/os/os_bonjour_disable.yaml
@@ -26,11 +26,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: true
diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml
index b78cf930..e0c020bd 100644
--- a/rules/os/os_calendar_app_disable.yaml
+++ b/rules/os/os_calendar_app_disable.yaml
@@ -34,11 +34,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: true
diff --git a/rules/os/os_certificate_authority_trust.yaml b/rules/os/os_certificate_authority_trust.yaml
index 325c7ce2..2e79f43f 100644
--- a/rules/os/os_certificate_authority_trust.yaml
+++ b/rules/os/os_certificate_authority_trust.yaml
@@ -26,9 +26,11 @@ references:
 macOS:
 - "11.0"
 tags:
- - cnssi-1253
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_moderate
 - 800-53r4_high
+ - cnssi-1253
 - stig
 - manual
 severity: "high"
diff --git a/rules/os/os_continuous_monitoring.yaml b/rules/os/os_continuous_monitoring.yaml
index fc2fe655..4d6412a7 100644
--- a/rules/os/os_continuous_monitoring.yaml
+++ b/rules/os/os_continuous_monitoring.yaml
@@ -11,6 +11,8 @@ references:
 - CCE-85304-4
 cci:
 - CCI-001233
+ 800-53r5:
+ - SI-2(2)
 800-53r4:
 - SI-2(2)
 srg:
@@ -21,9 +23,10 @@ macOS:
 - "11.0"
 tags:
 - cnssi-1253
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_moderate
 - 800-53r4_high
- - permanent
-
+ - permanent
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_enforce_access_restrictions.yaml b/rules/os/os_enforce_access_restrictions.yaml
index 97f4a889..f7bb3bff 100644
--- a/rules/os/os_enforce_access_restrictions.yaml
+++ b/rules/os/os_enforce_access_restrictions.yaml
@@ -26,6 +26,7 @@ references:
 macOS:
 - "11.0"
 tags:
+ - 800-53r5_high
 - 800-53r4_high
 - inherent
 mobileconfig: false
diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml
index 50e95d21..adc87263 100644
--- a/rules/os/os_facetime_app_disable.yaml
+++ b/rules/os/os_facetime_app_disable.yaml
@@ -33,11 +33,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "low"
 mobileconfig: true
diff --git a/rules/os/os_fail_secure_state.yaml b/rules/os/os_fail_secure_state.yaml
index a8abd55b..8c034916 100644
--- a/rules/os/os_fail_secure_state.yaml
+++ b/rules/os/os_fail_secure_state.yaml
@@ -30,6 +30,7 @@ references:
 macOS:
 - "11.0"
 tags:
+ - 800-53r5_high
 - 800-53r4_high
 - inherent
 mobileconfig: false
diff --git a/rules/os/os_filevault_user_account.yaml b/rules/os/os_filevault_user_account.yaml
index 338a5b13..39465f5d 100644
--- a/rules/os/os_filevault_user_account.yaml
+++ b/rules/os/os_filevault_user_account.yaml
@@ -48,9 +48,9 @@ references:
 cci:
 - CCI-002143
 800-53r5:
- - AC-2(11)
+ - N/A
 800-53r4:
- - AC-2(11)
+ - N/A
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
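Review bot: os_filevault_user_account.yaml replaces `AC-2(11)` with `N/A` under both `800-53r5:` and `800-53r4:`, but this commit is a rev5 conversion and nothing in it says why the rev4 mapping is removed as well. If the rule genuinely no longer maps to AC-2(11) in either revision, its rev4 baseline tags (outside the hunk) should be checked for consistency; if only the rev5 mapping was meant to change, the second `+ - N/A` looks like an edit against the wrong key. Either way a one-line comment next to the `N/A` stating the rationale would make the removal auditable. The `references:` map continues outside the hunk.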
diff --git a/rules/os/os_guest_account_disable.yaml b/rules/os/os_guest_account_disable.yaml
index 0a027bbb..2668d557 100644
--- a/rules/os/os_guest_account_disable.yaml
+++ b/rules/os/os_guest_account_disable.yaml
@@ -31,11 +31,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "high"
 mobileconfig: true
diff --git a/rules/os/os_hbss_installed.yaml b/rules/os/os_hbss_installed.yaml
index 60c51d22..1bb4ae4b 100644
--- a/rules/os/os_hbss_installed.yaml
+++ b/rules/os/os_hbss_installed.yaml
@@ -15,7 +15,7 @@ references:
 cci:
 - CCI-001233
 800-53r5:
- - SI-2(2)
+ - N/A
 800-53r4:
 - SI-2(2)
 srg:
diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml
index 868f0f39..fda1179b 100644
--- a/rules/os/os_icloud_storage_prompt_disable.yaml
+++ b/rules/os/os_icloud_storage_prompt_disable.yaml
@@ -28,11 +28,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: true
diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml
index 3cf39351..862fdd06 100644
--- a/rules/os/os_implement_cryptography.yaml
+++ b/rules/os/os_implement_cryptography.yaml
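Review bot: os_hbss_installed.yaml sets its `800-53r5:` mapping to `N/A` while os_continuous_monitoring.yaml, earlier in this diff, gains `800-53r5: - SI-2(2)`; both rules carry CCI-001233 and the same rev4 mapping `SI-2(2)`, so after this commit two rules map the same control inconsistently under rev5. Presumably one of the two is the intended treatment, but the commit does not say which, and the tags hunk for os_hbss_installed is not in view to confirm whether its rev5 baseline tags were dropped to match. Please either give both rules the same rev5 mapping or add a comment on the `N/A` explaining why the HBSS rule is excluded from rev5.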
@@ -5,9 +5,9 @@ discussion: |
 Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government.
- macOS Big Sur has been submitted to an accredited laboratory for testing of the cryptographic module for FIPS 140-3 validation. Once complete the test will be submitted to the National Institute of Standards and Technology (NIST) for validation.
+ macOS Big Sur has been submitted to the National Institute of Standards and Technology (NIST) and is in review for the cryptographic module for FIPS 140-3 validation.
- link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/IUT-List[]
+ link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List[]
 link:https://support.apple.com/en-us/HT201159[]
 check: |
@@ -32,11 +32,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - inherent
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/os/os_internet_accounts_prefpane_disable.yaml b/rules/os/os_internet_accounts_prefpane_disable.yaml
index 3728bb73..2a8b8a5d 100644
--- a/rules/os/os_internet_accounts_prefpane_disable.yaml
+++ b/rules/os/os_internet_accounts_prefpane_disable.yaml
@@ -35,11 +35,12 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_low
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-171
 - cnssi-1253
 - stig
diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml
index 0cd4164f..06412e36 100644
--- a/rules/os/os_ir_support_disable.yaml
+++ b/rules/os/os_ir_support_disable.yaml
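Review bot: The rewritten discussion line in os_implement_cryptography.yaml asserts a point-in-time validation status (`is in review for the cryptographic module for FIPS 140-3 validation`) with no date, and the linked Modules-In-Process list changes continuously, so the text will go stale silently and a reader cannot tell when it was last true. This matters because the rule is tagged `inherent`, so this sentence is the whole justification for marking the control as met. Suggest qualifying it, e.g. `As of [DATE-PLACEHOLDER], the macOS Big Sur cryptographic module is listed on NIST's Modules In Process list for FIPS 140-3 validation.` The rest of the discussion block is outside the hunk.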
@@ -33,11 +33,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 mobileconfig: true
 mobileconfig_info:
 com.apple.ManagedClient.preferences:
diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml
index 4b71e94c..b717a847 100644
--- a/rules/os/os_mail_app_disable.yaml
+++ b/rules/os/os_mail_app_disable.yaml
@@ -37,11 +37,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: true
diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml
index 5093aa9c..c0b458f1 100644
--- a/rules/os/os_malicious_code_prevention.yaml
+++ b/rules/os/os_malicious_code_prevention.yaml
@@ -1,16 +1,29 @@
 id: os_malicious_code_prevention
-title: "Malicious Code Prevention"
+title: "Ensure the System Implements Malicious Code Protection Mechanisms"
 discussion: |
- Apple provides layers of protection to help ensure that apps are free of known malware and haven’t been tampered with. The macOS implements malicious code protection mechasims by quarantining files downloaded from the internet, preventing and blocking excution of known malware, and finally remediating and removing malware that has executed.
+ The inherent configuration of the macOS _IS_ in compliance as Apple has designed the system with three layers of protection against malware. Each layer of protection is comprised of one or more malicious code protection mechanisms, which are automatically implemented and which, collectively, meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for malicious code prevention.
+
+ 1. This first layer of defense targets the distribution of malware; the aim is to prevent malware from ever launching.
+ The following mechanisms are inherent to the macOS design and constitute the first layer of protection against malicious code:
+ * The Apple App Store: the safest way to add new applications to a Mac is by downloading them from the App Store; all apps available for download from the App Store have been reviewed for signs of tampering and signed by Apple to indicate that the app meets security requirements and does not contain malware.
+ * XProtect: a built-in, signature-based, anti-virus, anti-malware technology inherent to all Macs. XProtect automatically detects and blocks the execution of known malware.
+ * In macOS 10.15 and all subsequent releases, XProtect checks for known malicious content when:
+ * an app is first launched,
+ * an app has been changed (in the file system), and
+ * XProtect signatures are updated.
+ * YARA: another built-in tool (inherent to all Macs), which conducts signature-based detection of malware. Apple updates YARA rules regularly.
+ * Gatekeeper: a security feature inherent to all Macs; Gatekeeper scans apps to detect malware and/or revocations of a developer’s signing certificate and prevents unsafe apps from running.
+ * Notarization: Apple performs regular, automated scans to detect signs of malicious content and to verify developer ID-signed software; when no issues are found, Apple notarizes the software and delivers the results of scans to the system owner.
- This first layer of defense is designed to inhibit the distribution of malware, and prevent it from launching even once—this is the goal of the App Store, and Gatekeeper combined with Notarization. macOS includes built-in antivirus technology called XProtect for the signature-based detection of malware. The system uses YARA signatures, a tool used to conduct signature-based detection of malware, which Apple updates regularly. Apple monitors for new malware infections and strains, and updates signatures automatically—independent from system updates—to help defend a Mac from malware infections. XProtect automatically detects and blocks the execution of known malware. In macOS 10.15 or later, XProtect checks for known malicious content whenever:
- * An app is first launched
- * An app has been changed (in the file system)
- * XProtect signatures are updated
+ 2. The second layer of defense targets malware that manages to appear on a Mac before it runs; the aim is to quickly identify and block any malware present on a Mac in order to prevent the malware from running and further spreading.
+ The following mechanisms are inherent to the macOS design and constitute the second layer of protection against malicious code:
+ * XProtect (defined above).
+ * Gatekeeper (defined above).
+ * Notarization (defined above).
- The next layer of defense is to help ensure that if malware appears on any Mac, it’s quickly identified and blocked, both to halt spread and to remediate the Mac systems it’s already gained a foothold on. XProtect adds to this defense, along with Gatekeeper and Notarization.
-
- Finally, Malware Removal Tool (MRT) acts to remediate malware that has managed to successfully execute. Should malware make its way onto a Mac, macOS also includes technology to remediate infections. MRT is an engine in macOS that remediates infections based on updates automatically delivered from Apple. MRT removes malware upon receiving updated information, and it continues to check for infections on restart and login. MRT doesn’t automatically reboot the Mac.
+ 3. The third layer of defense targets infected Mac system(s); the aim is to remediate Macs on which malware has managed to successfully execute.
+ The following mechanism is inherent to the macOS design and constitutes the third layer of protection against malicious code:
+ * Apple’s Malware Removal Tool (MRT): a technology included on all macOS systems. MRT is an agent that remediates based on automatic updates delivered from Apple. MRT will remove the malware upon receiving updated information and check for malware on restart and login.
 link:https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1[]
diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml
index 0c33d74a..904d1a27 100644
--- a/rules/os/os_mdm_require.yaml
+++ b/rules/os/os_mdm_require.yaml
@@ -45,10 +45,13 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml
index 2207bde5..0fb90646 100644
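Review bot: The new first-layer list in os_malicious_code_prevention.yaml presents YARA as a mechanism separate from XProtect (`* YARA: another built-in tool ...`), whereas the text this hunk removes described YARA as the signature format XProtect consumes (`The system uses YARA signatures ...`); the rewrite therefore counts one mechanism twice and misstates the relationship in a rule whose only evidence is this discussion text. Suggest folding it into the XProtect bullet, e.g. `* XProtect: a built-in, signature-based anti-malware technology inherent to all Macs; it uses YARA rules, which Apple updates regularly, to detect and block the execution of known malware.` and dropping the separate YARA bullet. The second-layer list repeats XProtect, Gatekeeper and Notarization only as `(defined above)`, which tells an assessor nothing about what that layer adds; one sentence on how those mechanisms act on software already present would carry the point. The rest of the rule is outside the hunk.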
--- a/rules/os/os_messages_app_disable.yaml
+++ b/rules/os/os_messages_app_disable.yaml
@@ -33,11 +33,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - stig
 severity: "low"
 mobileconfig: true
diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml
index 7cec5351..a16a8dc5 100644
--- a/rules/os/os_parental_controls_enable.yaml
+++ b/rules/os/os_parental_controls_enable.yaml
@@ -32,11 +32,12 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_moderate
 - 800-53r4_high
-
+ - 800-171
+ - cnssi-1253
 mobileconfig: true
 mobileconfig_info:
 com.apple.applicationaccess.new:
diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml
index fb6b8646..76e4b736 100644
--- a/rules/os/os_password_autofill_disable.yaml
+++ b/rules/os/os_password_autofill_disable.yaml
@@ -36,11 +36,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 mobileconfig: true
 mobileconfig_info:
 com.apple.applicationaccess:
diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml
index 81d5310d..2ee25bff 100644
--- a/rules/os/os_password_proximity_disable.yaml
+++ b/rules/os/os_password_proximity_disable.yaml
@@ -34,11 +34,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 mobileconfig: true
 mobileconfig_info:
 com.apple.applicationaccess:
diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml
index f8e47da6..7fbdf575 100644
--- a/rules/os/os_password_sharing_disable.yaml
+++ b/rules/os/os_password_sharing_disable.yaml
@@ -31,11 +31,14 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 mobileconfig: true
 mobileconfig_info:
 com.apple.applicationaccess:
diff --git a/rules/os/os_prevent_priv_functions.yaml b/rules/os/os_prevent_priv_functions.yaml
index ec2ec4e2..ec75697c 100644
--- a/rules/os/os_prevent_priv_functions.yaml
+++ b/rules/os/os_prevent_priv_functions.yaml
@@ -30,10 +30,12 @@ references:
 macOS:
 - "11.0"
 tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_moderate
 - 800-53r4_high
+ - 800-171
+ - cnssi-1253
 - inherent
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/os/os_protect_dos_attacks.yaml b/rules/os/os_protect_dos_attacks.yaml
index 0d1f946c..1f18eacf 100644
--- a/rules/os/os_protect_dos_attacks.yaml
+++ b/rules/os/os_protect_dos_attacks.yaml
@@ -26,10 +26,13 @@ references:
 macOS:
 - "11.0"
 tags:
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_low
 - 800-53r4_moderate
 - 800-53r4_high
+ - cnssi-1253
 - permanent
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/os/os_provide_automated_account_management.yaml b/rules/os/os_provide_automated_account_management.yaml
index 7b8f26d6..d41c4d62 100644
--- a/rules/os/os_provide_automated_account_management.yaml
+++ b/rules/os/os_provide_automated_account_management.yaml
@@ -26,9 +26,11 @@ references:
 macOS:
 - "11.0"
 tags:
- - cnssi-1253
+ - 800-53r5_moderate
+ - 800-53r5_high
 - 800-53r4_moderate
 - 800-53r4_high
+ - cnssi-1253
 - permanent
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml
index a89e1024..11bd6aa4 100644
--- a/rules/os/os_secure_boot_verify.yaml
+++ b/rules/os/os_secure_boot_verify.yaml
@@ -30,6 +30,8 @@ references:
macOS:
- "11.0"
tags:
+ - 800-53r5_high
+ - 800-53r5_moderate
- 800-53r4_high
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml
index 45765de3..2779f68e 100644
--- a/rules/os/os_siri_prompt_disable.yaml
+++ b/rules/os/os_siri_prompt_disable.yaml
@@ -33,11 +33,14 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - 800-171
+ - cnssi-1253
- stig
severity: "medium"
mobileconfig: true
diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml
index 8da1d53c..1e89338f 100644
--- a/rules/os/os_store_encrypted_passwords.yaml
+++ b/rules/os/os_store_encrypted_passwords.yaml
@@ -33,11 +33,14 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - 800-171
+ - cnssi-1253
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml
index cf70029d..eb574349 100644
--- a/rules/os/os_system_read_only.yaml
+++ b/rules/os/os_system_read_only.yaml
@@ -27,6 +27,8 @@ references:
macOS:
- "11.0"
tags:
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_moderate
- 800-53r4_high
mobileconfig: false
diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml
index efd63976..9f3693c8 100644
--- a/rules/os/os_touchid_prompt_disable.yaml
+++ b/rules/os/os_touchid_prompt_disable.yaml
@@ -29,11 +29,14 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - 800-171
+ - cnssi-1253
mobileconfig: true
mobileconfig_info:
com.apple.SetupAssistant.managed:
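Review bot: The new tags in os_secure_boot_verify are listed high-before-moderate, `- 800-53r5_high` then `- 800-53r5_moderate`, while every other hunk in this commit writes the rev5 group as low, moderate, high; swapping the two lines keeps the tag lists uniform for anyone diffing rules across baselines. The same ordering drift appears in sysprefs_bluetooth_disable, sysprefs_diagnostics_reports_disable, sysprefs_firewall_enable and sysprefs_internet_sharing_disable, where `800-53r5_low` is inserted above the r4 group but moderate and high are moved below it, and in sysprefs_screensaver_timeout_enforce, where `800-53r5_low` follows `800-53r5_high`. Separately, this rule was only in the r4 high baseline and is now also tagged `800-53r5_moderate`; that widens the moderate baseline, which is presumably deliberate for rev5 but nothing in the commit message says so, and a one-line `# added to moderate in rev5: <control placeholder>` comment next to `tags:` would record the decision.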
diff --git a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml
index 70fe5696..604cace4 100644
--- a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml
+++ b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml
@@ -28,10 +28,12 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_moderate
- 800-53r4_high
+ - 800-171
+ - cnssi-1253
- stig
severity: "medium"
mobileconfig: true
diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml
index 8634ab80..22046f1e 100644
--- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml
+++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml
@@ -34,10 +34,11 @@ references:
macOS:
- "11.0"
tags:
- - 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_low
- 800-53r4_moderate
- 800-53r4_high
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-171
- cnssi-1253
- stig
diff --git a/rules/sysprefs/sysprefs_content_caching_disable.yaml b/rules/sysprefs/sysprefs_content_caching_disable.yaml
index fbc1cbe6..f0270a0c 100644
--- a/rules/sysprefs/sysprefs_content_caching_disable.yaml
+++ b/rules/sysprefs/sysprefs_content_caching_disable.yaml
@@ -28,11 +28,14 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - 800-171
+ - cnssi-1253
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
index 1abde1d0..42e83b20 100644
--- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
+++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
@@ -31,11 +31,12 @@ references:
macOS:
- "11.0"
tags:
- - 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_low
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-171
- cnssi-1253
- stig
diff --git a/rules/sysprefs/sysprefs_find_my_disable.yaml b/rules/sysprefs/sysprefs_find_my_disable.yaml
index d7ae9b78..97030c0e 100644
--- a/rules/sysprefs/sysprefs_find_my_disable.yaml
+++ b/rules/sysprefs/sysprefs_find_my_disable.yaml
@@ -34,11 +34,14 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - 800-171
+ - cnssi-1253
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml
index 36cff988..7ee3df1b 100644
--- a/rules/sysprefs/sysprefs_firewall_enable.yaml
+++ b/rules/sysprefs/sysprefs_firewall_enable.yaml
@@ -45,11 +45,12 @@ references:
macOS:
- "11.0"
tags:
- - 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_low
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-171
- cnssi-1253
- stig
diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
index 4119c02c..fb58a0a7 100644
--- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
+++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
@@ -43,11 +43,14 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - 800-171
+ - cnssi-1253
- stig
severity: "medium"
mobileconfig: false
diff --git a/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml
index 4ac07a63..46de7a8f 100644
--- a/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml
+++ b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml
@@ -34,10 +34,13 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - 800-171
+ - cnssi-1253
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml
index dfba2743..bc1c046d 100644
--- a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml
+++ b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml
@@ -29,11 +29,14 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - 800-171
+ - cnssi-1253
mobileconfig: true
mobileconfig_info:
com.apple.assistant.support:
diff --git a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
index 48ed0e7a..8f0bdaf6 100644
--- a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
+++ b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
@@ -31,11 +31,12 @@ references:
macOS:
- "11.0"
tags:
- - 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_low
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-171
- cnssi-1253
- stig
diff --git a/rules/sysprefs/sysprefs_location_services_disable.yaml b/rules/sysprefs/sysprefs_location_services_disable.yaml
index ed721eb2..691865d0 100644
--- a/rules/sysprefs/sysprefs_location_services_disable.yaml
+++ b/rules/sysprefs/sysprefs_location_services_disable.yaml
@@ -32,11 +32,14 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - 800-171
+ - cnssi-1253
- stig
severity: "medium"
mobileconfig: false
diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
index 2afa156f..35bc123d 100644
--- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
+++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
@@ -32,12 +32,14 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
-
+ - 800-171
+ - cnssi-1253
mobileconfig: true
mobileconfig_info:
com.apple.AdLib:
diff --git a/rules/sysprefs/sysprefs_power_nap_disable.yaml b/rules/sysprefs/sysprefs_power_nap_disable.yaml
index e18ff559..4d088d3b 100644
--- a/rules/sysprefs/sysprefs_power_nap_disable.yaml
+++ b/rules/sysprefs/sysprefs_power_nap_disable.yaml
@@ -40,10 +40,13 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - 800-171
+ - cnssi-1253
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
index 7db85afe..166486cd 100644
--- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
@@ -28,10 +28,12 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_moderate
- 800-53r4_high
+ - 800-171
+ - cnssi-1253
- stig
severity: "medium"
mobileconfig: true
diff --git a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
index a1228bd5..979662d9 100644
--- a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
@@ -28,10 +28,12 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_moderate
- 800-53r4_high
+ - 800-171
+ - cnssi-1253
- stig
severity: "medium"
mobileconfig: true
diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
index c65c85ba..258048e9 100644
--- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
@@ -29,10 +29,13 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r5_low
- 800-53r4_moderate
- 800-53r4_high
+ - 800-171
+ - cnssi-1253
- stig
severity: "medium"
mobileconfig: true
diff --git a/rules/sysprefs/sysprefs_siri_disable.yaml b/rules/sysprefs/sysprefs_siri_disable.yaml
index b805b168..1a6f66d7 100644
--- a/rules/sysprefs/sysprefs_siri_disable.yaml
+++ b/rules/sysprefs/sysprefs_siri_disable.yaml
@@ -34,11 +34,14 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - 800-171
+ - cnssi-1253
- stig
severity: "medium"
mobileconfig: true
diff --git a/rules/sysprefs/sysprefs_token_removal_enforce.yaml b/rules/sysprefs/sysprefs_token_removal_enforce.yaml
index 7a9d8486..62301fa3 100644
--- a/rules/sysprefs/sysprefs_token_removal_enforce.yaml
+++ b/rules/sysprefs/sysprefs_token_removal_enforce.yaml
@@ -33,10 +33,12 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_moderate
- 800-53r4_high
+ - 800-171
+ - cnssi-1253
- stig
severity: "medium"
mobileconfig: true
diff --git a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml
index 06901b6e..70e2cd96 100644
--- a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml
+++ b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml
@@ -30,11 +30,12 @@ references:
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
+ - 800-53r5_moderate
+ - 800-53r5_high
- 800-53r4_moderate
- 800-53r4_high
-
+ - 800-171
+ - cnssi-1253
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
diff --git a/rules/sysprefs/sysprefs_wifi_disable.yaml b/rules/sysprefs/sysprefs_wifi_disable.yaml
index 62e35ea9..86fa770e 100644
--- a/rules/sysprefs/sysprefs_wifi_disable.yaml
+++ b/rules/sysprefs/sysprefs_wifi_disable.yaml
@@ -37,8 +37,6 @@ references:
macOS:
- "11.0"
tags:
- - 800-53r5_moderate
- - 800-53r5_high
- stig
severity: "medium"
mobileconfig: false
From 3ced98db1163e886bfd18accbb6a836a533d5ca3 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Fri, 2 Jul 2021 13:50:57 -0400
Subject: [PATCH 070/135] fixed baseline tags
---
rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml | 2 +-
rules/pwpolicy/pwpolicy_force_password_change.yaml | 2 +-
rules/pwpolicy/pwpolicy_history_enforce.yaml | 2 +-
rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml | 2 +-
rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml | 2 +-
rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml | 2 +-
rules/pwpolicy/pwpolicy_special_character_enforce.yaml | 2 +-
rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
index cdc6150e..eda7a76c 100644
--- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
@@ -43,7 +43,7 @@ tags:
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_high
- stig
severity: "medium"
mobileconfig: true
diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml
index 7624014e..952c6d14 100644
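Review bot: The sysprefs_wifi_disable hunk removes `- 800-53r5_moderate` and `- 800-53r5_high` and adds nothing in their place, so after this commit the rule carries only the `stig` tag and is absent from every 800-53r5 baseline. In a commit whose other hunks add rev5 tags to rules, a silent removal reads as accidental rather than as a mapping decision; if it is intended, a comment next to `tags:` such as `# not mapped to an 800-53r5 baseline: <reason placeholder>` would stop the next pass from re-adding the tags. If it is not intended, the two removed lines should come back in the same low/moderate/high order the other hunks use.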
--- a/rules/pwpolicy/pwpolicy_force_password_change.yaml
+++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml
@@ -46,7 +46,7 @@ tags:
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_high
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml
index ec1de736..b213e639 100644
--- a/rules/pwpolicy/pwpolicy_history_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml
@@ -42,7 +42,7 @@ tags:
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_high
- stig
severity: "medium"
mobileconfig: true
diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
index 821354f3..a64bebe4 100644
--- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
@@ -67,6 +67,6 @@ tags:
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_high
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
index 11c22d26..36c289ab 100644
--- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
@@ -43,7 +43,7 @@ tags:
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_high
- stig
severity: "medium"
mobileconfig: true
diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
index 809c8042..6da78676 100644
--- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
@@ -64,6 +64,6 @@ tags:
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_high
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
index a85c693b..006ed359 100644
--- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
@@ -45,7 +45,7 @@ tags:
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_high
- stig
severity: "medium"
mobileconfig: true
diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
index 902625a7..5403020e 100644
--- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
@@ -67,6 +67,6 @@ tags:
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_high
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
From 436127344980494d0bfdd0a3a0be27f20e0a9db3 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Fri, 2 Jul 2021 13:56:17 -0400
Subject: [PATCH 071/135] updated reference to auth_ssh_passwordauthentication_disable
---
rules/supplemental/supplemental_smartcard.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/supplemental/supplemental_smartcard.yaml b/rules/supplemental/supplemental_smartcard.yaml
index 53b08b70..da69e65d 100644
--- a/rules/supplemental/supplemental_smartcard.yaml
+++ b/rules/supplemental/supplemental_smartcard.yaml
@@ -3,7 +3,7 @@ title: "Smartcard Supplemental"
discussion: |
The supplemental guidance found in this section is applicable for the following rules:
- * auth_ssh_smartcard_enforce
+ * auth_ssh_passwordauthentication_disable
* auth_smartcard_enforce
* auth_smartcard_certificate_trust_enforce_moderate
* auth_smartcard_certificate_trust_enforce_high
From 19903d9f24e8582c2f6af5a86c94765bcb6b4b23 Mon Sep 17 00:00:00 2001
From: Allen Golbig
Date: Tue, 6 Jul 2021 13:50:49 -0400
Subject: [PATCH 072/135] edits
---
CHANGELOG.adoc | 2 ++
README.adoc | 4 ++--
rules/supplemental/supplemental_controls.yaml | 4 ++--
sections/not_applicable.yaml | 2 +-
sections/permanent.yaml | 2 +-
templates/adoc_authors.adoc | 1 -
templates/adoc_foreword.adoc | 6 +++---
7 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
index deb34bc9..bc5166b6 100644
--- a/CHANGELOG.adoc
+++ b/CHANGELOG.adoc
@@ -2,6 +2,8 @@
This document provides a high-level view of the changes to the macOS Security Compliance Project.
+== [Big Sur, Revision 3] - 2021-07-XX
+
== [Big Sur, Revision 2] - 2021-03-XX
* Rules
diff --git a/README.adoc b/README.adoc
index 4a06ca24..59fc7890 100644
--- a/README.adoc
+++ b/README.adoc
@@ -21,9 +21,9 @@ image:https://badgen.net/badge/icon/apple?icon=apple&label[link="https://www.app
image:https://badgen.net/badge/icon/11.0?icon=apple&label[link="https://www.apple.com/macos"]
endif::[]
-The macOS Security Compliance Project is an link:LICENSE.md[open source] effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Recommended Security Controls for Federal Information Systems and Organizations_, Revision 4. This is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL).
+The macOS Security Compliance Project is an link:LICENSE.md[open source] effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Security and Privacy Controls for Information Systems and Organizations_, Revision 5. This is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL).
-This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 4). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
+This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
To learn more about the project, please see the {uri-repo}/wiki[wiki].
diff --git a/rules/supplemental/supplemental_controls.yaml b/rules/supplemental/supplemental_controls.yaml
index fed402a1..5849cc2a 100644
--- a/rules/supplemental/supplemental_controls.yaml
+++ b/rules/supplemental/supplemental_controls.yaml
@@ -1,9 +1,9 @@
id: supplemental_controls
title: "Out of Scope Supplemental"
discussion: |
- There are several requirements defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 4 that can be met by making configuration changes to the operating system. However, NIST SP 800-53 (Rev. 4) contains a broad set of guidelines that attempt to address all aspects of an information system or systems within an organization. Because the macOS Security Compliance Project is tailored specifically to macOS, some requirements defined in NIST SP 800-53 (Rev. 4) are not applicable.
+ There are several requirements defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 that can be met by making configuration changes to the operating system. However, NIST SP 800-53 (Rev. 5) contains a broad set of guidelines that attempt to address all aspects of an information system or systems within an organization. Because the macOS Security Compliance Project is tailored specifically to macOS, some requirements defined in NIST SP 800-53 (Rev. 5) are not applicable.
- This supplemental contains those controls that are assigned to a baseline in NIST SP 800-53 (Rev. 4) which cannot be addressed with a technical configuration for macOS. These controls can be accomplished though administrative or procedural processes within an organization or via integration of the macOS system into enterprise information systems which are configured to protect the systems within.
+ This supplemental contains those controls that are assigned to a baseline in NIST SP 800-53 (Rev. 5) which cannot be addressed with a technical configuration for macOS. These controls can be accomplished though administrative or procedural processes within an organization or via integration of the macOS system into enterprise information systems which are configured to protect the systems within.
[cols="15%h, 85%a"]
|===
diff --git a/sections/not_applicable.yaml b/sections/not_applicable.yaml
index 4ae3407a..0f6c2244 100644
--- a/sections/not_applicable.yaml
+++ b/sections/not_applicable.yaml
@@ -1,3 +1,3 @@
name: "Not Applicable"
description: |
- This section contains the controls that are defined in the NIST 800-53 revision 4 but are not applicable when configuring a macOS system.
\ No newline at end of file
+ This section contains the controls that are defined in the NIST 800-53 revision 5 but are not applicable when configuring a macOS system.
\ No newline at end of file
diff --git a/sections/permanent.yaml b/sections/permanent.yaml
index c6748a84..00b3d6b1 100644
--- a/sections/permanent.yaml
+++ b/sections/permanent.yaml
@@ -1,3 +1,3 @@
name: "Permanent Findings"
description: |
- This section contains the controls that are defined in NIST 800-53 revision 4 but are unable to be configured natively within macOS. It is recommended to implement a third-party solution to meet the controls in this section.
\ No newline at end of file
+ This section contains the controls that are defined in NIST 800-53 revision 5 but are unable to be configured natively within macOS. It is recommended to implement a third-party solution to meet the controls in this section.
\ No newline at end of file
diff --git a/templates/adoc_authors.adoc b/templates/adoc_authors.adoc
index 89f53d2f..d8ad420e 100644
--- a/templates/adoc_authors.adoc
+++ b/templates/adoc_authors.adoc
@@ -9,5 +9,4 @@
|Joshua Glemza|National Aeronautics and Space Administration
|Elyse Anderson|National Aeronautics and Space Administration
|Gary Gapinski|National Aeronautics and Space Administration
-|Paige Ramsey|Los Alamos National Laboratory
|===
\ No newline at end of file
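Review bot: The rewritten second paragraph of the supplemental_controls discussion keeps the pre-existing typo "accomplished though administrative or procedural processes"; since the line is being replaced for Rev. 5 anyway, this is the moment to make it `These controls can be accomplished through administrative or procedural processes within an organization`. The discussion block continues past the end of the hunk into the per-family control tables, so the same sentence does not recur there, but the text is user-facing in the generated guidance and the typo will be copied into every baseline document built from it.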
diff --git a/templates/adoc_foreword.adoc b/templates/adoc_foreword.adoc
index 707ede9c..ecc552de 100644
--- a/templates/adoc_foreword.adoc
+++ b/templates/adoc_foreword.adoc
@@ -1,7 +1,7 @@
== Foreword
-The macOS Security Compliance Project is an open source effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Recommended Security Controls for Federal Information Systems and Organizations_, Revision 4.
+The macOS Security Compliance Project is an open source effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Security and Privacy Controls for Information Systems and Organizations_, Revision 5.
-This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 4). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
+This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
-The objective of this effort was to simplify and radically accelerate the process of producing up-to-date macOS security guidance that is also accessible to any organization and tailorable to meet each organization’s specific security needs.
+The objective of this effort was to simplify and radically accelerate the process of producing up-to-date macOS security guidance that is also accessible to any organization and tailorable to meet each organization’s specific security needs.
\ No newline at end of file
From 593675ea4ca692217b9f8bb24c92587478a0f98b Mon Sep 17 00:00:00 2001
From: Allen Golbig
Date: Wed, 7 Jul 2021 11:12:42 -0400
Subject: [PATCH 073/135] more rev5 edits
---
rules/os/os_certificate_authority_trust.yaml | 2 +-
rules/supplemental/supplemental_controls.yaml | 34 +++++++++----------
2 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/rules/os/os_certificate_authority_trust.yaml b/rules/os/os_certificate_authority_trust.yaml
index 2e79f43f..0a679b76 100644
--- a/rules/os/os_certificate_authority_trust.yaml
+++ b/rules/os/os_certificate_authority_trust.yaml
@@ -3,7 +3,7 @@ title: "Issue or Obtain Public Key Certificates from an Approved Service Provide
discussion: |
The organization _MUST_ issue or obtain public key certificates from an organization-approved service provider and ensure only approved trust anchors are in the System Keychain.
check: |
- /usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/grep labl | awk -F'"' '{ print $4 }'
+ /usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/awk -F'"' '/labl/ {print $4}'
result:
string: "a list containing approved root certificates"
fix: |
diff --git a/rules/supplemental/supplemental_controls.yaml b/rules/supplemental/supplemental_controls.yaml
index 5849cc2a..141fc9a6 100644
--- a/rules/supplemental/supplemental_controls.yaml
+++ b/rules/supplemental/supplemental_controls.yaml
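Review bot: The rewritten check in os_certificate_authority_trust filters the whole `dump-keychain` output on `/labl/`, which prints the label attribute of every item in the System keychain rather than only certificates, so if that keychain holds non-certificate items their labels will be mixed into the "list containing approved root certificates" the result text describes. `/usr/bin/security find-certificate -a /Library/Keychains/System.keychain | /usr/bin/awk -F'"' '/labl/ {print $4}'` keeps the same awk parsing but restricts the listing to certificate items. The discussion also requires that only approved trust anchors be present, and presence in the keychain is not the same as being trusted; `/usr/bin/security dump-trust-settings -d` shows the admin trust settings and is presumably the better source for that half of the check, though that is a reviewer suggestion that should be tried on a Big Sur host before it lands. The `fix:` block that follows is outside the hunk.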
@@ -12,7 +12,7 @@ discussion: |
|Access Control (AC)
|Controls
- |link:https://nvd.nist.gov/800-53/Rev4/control/AC-1[AC-1], link:https://nvd.nist.gov/800-53/Rev4/control/AC-2[AC-2], link:https://nvd.nist.gov/800-53/Rev4/control/AC-14[AC-14], link:https://nvd.nist.gov/800-53/Rev4/control/AC-17?#enhancement-4[AC-17(4)], link:https://nvd.nist.gov/800-53/Rev4/control/AC-22[AC-22]
+ |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-1[AC-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-2[AC-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-14[AC-14], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-17[AC-17(4)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-22[AC-22]
|===
@@ -23,7 +23,7 @@ discussion: |
|Awareness and Training (AT)
|Controls
- |link:https://nvd.nist.gov/800-53/Rev4/control/AT-1[AT-1], link:https://nvd.nist.gov/800-53/Rev4/control/AT-2[AT-2], link:https://nvd.nist.gov/800-53/Rev4/control/AT-3[AT-3], link:https://nvd.nist.gov/800-53/Rev4/control/AT-4[AT-4]
+ |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-1[AT-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-2[AT-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-3[AT-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-4[AT-4]
|===
[cols="15%h, 85%a"]
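Review bot: The new AC-17(4) entry in the first hunk links to `number=AC-17`, the base control, whereas the old URL carried `?#enhancement-4` and resolved to the enhancement itself; the link text still reads `AC-17(4)`, so readers now land on a page other than the one labelled. Either address the enhancement in the URL if the release-search tool supports that, or relabel the link as `[AC-17]` so text and target agree, with a short note that enhancement (4) is the one carried by this supplemental. The same long URL prefix is repeated for every control in this and the following hunks; if the generator passes AsciiDoc attributes through the discussion text, one attribute holding the Rev. 5 search prefix would shorten these lines and make the `version=5.1` pin a single place to bump.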
@@ -33,7 +33,7 @@ discussion: |
|Audit and Accountability (AU)
|Controls
- |link:https://nvd.nist.gov/800-53/Rev4/control/AU-1[AU-1], link:https://nvd.nist.gov/800-53/Rev4/control/AU-6[AU-6]
+ |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-1[AU-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-6[AU-6]
|===
[cols="15%h, 85%a"]
@@ -43,7 +43,7 @@ discussion: |
|Security Assessment and Authorization (CA)
|Controls
- |link:https://nvd.nist.gov/800-53/Rev4/control/CA-1[CA-1], link:https://nvd.nist.gov/800-53/Rev4/control/CA-2[CA-2], link:https://nvd.nist.gov/800-53/Rev4/control/CA-3[CA-3], link:https://nvd.nist.gov/800-53/Rev4/control/CA-5[CA-5], link:https://nvd.nist.gov/800-53/Rev4/control/CA-6[CA-6], link:https://nvd.nist.gov/800-53/Rev4/control/CA-7[CA-7], link:https://nvd.nist.gov/800-53/Rev4/control/CA-9[CA-9]
+ |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-1[CA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-2[CA-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-3[CA-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-5[CA-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-6[CA-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-7[CA-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-9[CA-9]
|===
[cols="15%h, 85%a"]
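Review bot: The CA table in the `@@ -43,7 +43,7 @@` hunk now links to Rev. 5 controls but keeps the Rev. 4 family heading `|Security Assessment and Authorization (CA)`; Rev. 5 renamed that family, so the heading should become `|Assessment, Authorization, and Monitoring (CA)` in the same change that moves the links. The heading is a context line here rather than part of the diff, which is why a link-only pass misses it; the other family headings in these hunks (AC, AT, AU, CM, CP) are unchanged between revisions and need no edit.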
@@ -53,7 +53,7 @@ discussion: | |Configuration Management (CM) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/CM-1[CM-1], link:https://nvd.nist.gov/800-53/Rev4/control/CM-4[CM-4], link:https://nvd.nist.gov/800-53/Rev4/control/CM-8[CM-8], link:https://nvd.nist.gov/800-53/Rev4/control/CM-10[CM-10], link:https://nvd.nist.gov/800-53/Rev4/control/CM-11[CM-11] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-1[CM-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-4[CM-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-8[CM-8], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-10[CM-10], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-11[CM-11] |=== [cols="15%h, 85%a"] 
@@ -63,7 +63,7 @@ discussion: | |Contingency Planning (CP) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/CP-1[CP-1], link:https://nvd.nist.gov/800-53/Rev4/control/CP-2[CP-2], link:https://nvd.nist.gov/800-53/Rev4/control/CP-3[CP-3], link:https://nvd.nist.gov/800-53/Rev4/control/CP-4[CP-4], link:https://nvd.nist.gov/800-53/Rev4/control/CP-9[CP-9], link:https://nvd.nist.gov/800-53/Rev4/control/CP-10[CP-10] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-1[CP-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-2[CP-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-3[CP-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-4[CP-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-9[CP-9], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-10[CP-10] |=== [cols="15%h, 85%a"] 
@@ -73,7 +73,7 @@ discussion: | |Identification and Authentication (IA) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/IA-1[IA-1], link:https://nvd.nist.gov/800-53/Rev4/control/IA-8?#enhancement-1[IA-8(1)], link:https://nvd.nist.gov/800-53/Rev4/control/IA-8?#enhancement-2[IA-8(2)], link:https://nvd.nist.gov/800-53/Rev4/control/IA-8?#enhancement-3[IA-8(3)], link:https://nvd.nist.gov/800-53/Rev4/control/IA-8?#enhancement-4[IA-8(4)] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-1[IA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(1)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(2)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(3)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(4)] |=== [cols="15%h, 85%a"] 
@@ -83,7 +83,7 @@ discussion: | |Incident Response (IR) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/IR-1[IR-1], link:https://nvd.nist.gov/800-53/Rev4/control/IR-2[IR-2], link:https://nvd.nist.gov/800-53/Rev4/control/IR-4[IR-4], link:https://nvd.nist.gov/800-53/Rev4/control/IR-5[IR-5], link:https://nvd.nist.gov/800-53/Rev4/control/IR-6[IR-6], link:https://nvd.nist.gov/800-53/Rev4/control/IR-7[IR-7], link:https://nvd.nist.gov/800-53/Rev4/control/IR-8[IR-8], + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-1[IR-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-2[IR-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-4[IR-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-5[IR-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-6[IR-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-7[IR-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-8[IR-8], |=== [cols="15%h, 85%a"] 
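Review bot: The new IR row still ends with a stray trailing comma after `[IR-8],`, carried over from the old line; every other family's row ends at its last link. Drop it so the row ends `...number=IR-8[IR-8]`.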
@@ -93,7 +93,7 @@ discussion: | |Maintenance (MA) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/MA-1[MA-1], link:https://nvd.nist.gov/800-53/Rev4/control/MA-2[MA-2], link:https://nvd.nist.gov/800-53/Rev4/control/MA-5[MA-5] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-1[MA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-2[MA-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-5[MA-5] |=== [cols="15%h, 85%a"] @@ -103,7 +103,7 @@ discussion: | |Media Protection (MP) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/MP-1[MP-1], link:https://nvd.nist.gov/800-53/Rev4/control/MP-2[MP-2], link:https://nvd.nist.gov/800-53/Rev4/control/MP-6[MP-6], link:https://nvd.nist.gov/800-53/Rev4/control/MP-7[MP-7] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-1[MP-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-2[MP-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-6[MP-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-7[MP-7] |=== [cols="15%h, 85%a"] 
@@ -113,7 +113,7 @@ discussion: | |Physical and Environmental Protection (PE) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/PE-1[PE-1], link:https://nvd.nist.gov/800-53/Rev4/control/PE-2[PE-2], link:https://nvd.nist.gov/800-53/Rev4/control/PE-3[PE-3], link:https://nvd.nist.gov/800-53/Rev4/control/PE-6[PE-6], link:https://nvd.nist.gov/800-53/Rev4/control/PE-8[PE-8], link:https://nvd.nist.gov/800-53/Rev4/control/PE-12[PE-12], link:https://nvd.nist.gov/800-53/Rev4/control/PE-13[PE-13], link:https://nvd.nist.gov/800-53/Rev4/control/PE-14[PE-14], link:https://nvd.nist.gov/800-53/Rev4/control/PE-15[PE-15], link:https://nvd.nist.gov/800-53/Rev4/control/PE-16[PE-16] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-1[PE-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-2[PE-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-3[PE-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-6[PE-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-8[PE-8], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-12[PE-12], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-13[PE-13], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-14[PE-14], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-15[PE-15], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-16[PE-16] |=== [cols="15%h, 85%a"] 
@@ -123,7 +123,7 @@ discussion: | |Planning (PL) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/PL-1[PL-1], link:https://nvd.nist.gov/800-53/Rev4/control/PL-2[PL-2], link:https://nvd.nist.gov/800-53/Rev4/control/PL-4[PL-4] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-1[PL-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-2[PL-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-4[PL-4] |=== [cols="15%h, 85%a"] 
@@ -134,7 +134,7 @@ discussion: | |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/PS-1[PS-1], link:https://nvd.nist.gov/800-53/Rev4/control/PS-2[PS-2], link:https://nvd.nist.gov/800-53/Rev4/control/PS-3[PS-3], link:https://nvd.nist.gov/800-53/Rev4/control/PS-4[PS-4], link:https://nvd.nist.gov/800-53/Rev4/control/PS-5[PS-5], link:https://nvd.nist.gov/800-53/Rev4/control/PS-6[PS-6], link:https://nvd.nist.gov/800-53/Rev4/control/PS-7[PS-7], link:https://nvd.nist.gov/800-53/Rev4/control/PS-8[PS-8] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-1[PS-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-2[PS-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-3[PS-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-4[PS-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-5[PS-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-6[PS-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-7[PS-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-8[PS-8] |=== [cols="15%h, 85%a"] 
@@ -144,7 +144,7 @@ discussion: | |Risk Assessment (RA) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/RA-1[RA-1], link:https://nvd.nist.gov/800-53/Rev4/control/RA-2[RA-2], link:https://nvd.nist.gov/800-53/Rev4/control/RA-3[RA-3], link:https://nvd.nist.gov/800-53/Rev4/control/RA-5[RA-5] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-1[RA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-2[RA-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-3[RA-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-5[RA-5] |=== [cols="15%h, 85%a"] 
@@ -154,7 +154,7 @@ discussion: | |System and Services Acquisition (SA) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/SA-1[SA-1], link:https://nvd.nist.gov/800-53/Rev4/control/SA-2[SA-2], link:https://nvd.nist.gov/800-53/Rev4/control/SA-3[SA-3], link:https://nvd.nist.gov/800-53/Rev4/control/SA-4[SA-4], link:https://controlfreak.risk-redux.io/controls/SA-4%20(10)[SA-4(10)], link:https://nvd.nist.gov/800-53/Rev4/control/SA-5[SA-5], link:https://nvd.nist.gov/800-53/Rev4/control/SA-9[SA-9] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-1[SA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-2[SA-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-3[SA-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-4[SA-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-4[SA-4(10)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-5[SA-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-9[SA-9] |=== [cols="15%h, 85%a"] 
@@ -164,7 +164,7 @@ discussion: | |System and Communications Protection (SC) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/SC-1[SC-1], link:https://nvd.nist.gov/800-53/Rev4/control/SC-12[SC-12], link:https://nvd.nist.gov/800-53/Rev4/control/SC-15[SC-15], link:https://nvd.nist.gov/800-53/Rev4/control/SC-20[SC-20], link:https://nvd.nist.gov/800-53/Rev4/control/SC-22[SC-22], link:https://nvd.nist.gov/800-53/Rev4/control/SC-39[SC-39] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-1[SC-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-12[SC-12], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-15[SC-15], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-20[SC-20], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-22[SC-22], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-39[SC-39] |=== [cols="15%h, 85%a"] 
@@ -174,7 +174,7 @@ discussion: | |System and Information Integrity (SI) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/SI-1[SI-1], link:https://nvd.nist.gov/800-53/Rev4/control/SI-4[SI-4], link:https://nvd.nist.gov/800-53/Rev4/control/SI-5[SI-5], link:https://nvd.nist.gov/800-53/Rev4/control/SI-12[SI-12] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-1[SI-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-5[SI-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-12[SI-12] |=== check: | fix: | From 3d1061ac01ce80c7e1c08b32a9924903956449ad Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 8 Jul 2021 11:25:54 -0400 Subject: [PATCH 074/135] rev5 edits --- ..._ssh_password_authentication_disable.yaml} | 2 +- rules/os/os_filevault_authorized_users.yaml | 31 +++++++++ rules/os/os_filevault_user_account.yaml | 64 ------------------- .../supplemental/supplemental_smartcard.yaml | 12 ++-- 4 files changed, 38 insertions(+), 71 deletions(-) rename rules/auth/{auth_ssh_passwordauthentication_disable.yaml => auth_ssh_password_authentication_disable.yaml} (96%) create mode 100644 rules/os/os_filevault_authorized_users.yaml delete mode 100644 rules/os/os_filevault_user_account.yaml diff --git a/rules/auth/auth_ssh_passwordauthentication_disable.yaml b/rules/auth/auth_ssh_password_authentication_disable.yaml similarity index 96% rename from rules/auth/auth_ssh_passwordauthentication_disable.yaml rename to rules/auth/auth_ssh_password_authentication_disable.yaml index fc5ef0b4..815abb8f 100644 --- a/rules/auth/auth_ssh_passwordauthentication_disable.yaml +++ b/rules/auth/auth_ssh_password_authentication_disable.yaml 
@@ -1,4 +1,4 @@ -id: auth_ssh_passwordauthentication_disable +id: auth_ssh_password_authentication_disable title: "Disable Password Authentication for SSH" discussion: | If remote login through SSH is enabled, password based authentication _MUST_ be disabled for user login. diff --git a/rules/os/os_filevault_authorized_users.yaml b/rules/os/os_filevault_authorized_users.yaml new file mode 100644 index 00000000..a016f0e5 --- /dev/null +++ b/rules/os/os_filevault_authorized_users.yaml @@ -0,0 +1,31 @@ +id: os_filevault_authorized_users +title: "FileVault Authorized Users" +discussion: | + macOS _MUST_ be configured to only allow authorized users to unlock FileVault upon startup. +check: | + /usr/bin/fdesetup list | /usr/bin/awk -F',' '{print $1}' +result: + string: "a list containing usernames that can unlock FileVault" +fix: | + Remove the secure token from any account that is not authorized to unlock FileVault. +references: + cce: + - CCE-85311-9 + cci: + - CCI-002143 + 800-53r5: + - AU-2(11) + 800-53r4: + - N/A + srg: + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-11-000032 +macOS: + - "11.0" +tags: + - 800-53r5_high + - stig +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_filevault_user_account.yaml b/rules/os/os_filevault_user_account.yaml deleted file mode 100644 index 39465f5d..00000000 --- a/rules/os/os_filevault_user_account.yaml +++ /dev/null 
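Review bot: CCE-85311-9 is carried over from the deleted os_filevault_user_account.yaml although this rule's check and fix differ, so two distinct configuration statements now share one CCE; if CCEs are meant to be one per rule, assign a fresh one. `AU-2(11)` under 800-53r5 looks like a typo for `AC-2(11)`, which is the usage-conditions enhancement that account-restriction rules normally map to; confirm before the r5 tags are relied on. The fix says to remove the secure token while the check reads `fdesetup list`, and the deleted rule's fix used `fdesetup remove -user`; state which mechanism is intended so the fix verifiably changes what the check reports. The result is free text, so the discussion should say the listed users must be compared against an organization-defined set of authorized users. The file also ends without a trailing newline, as does pwpolicy_50_percent.yaml after its second hunk in PATCH 080.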
@@ -1,64 +0,0 @@ -id: os_filevault_user_account -title: "Dedicated User Account to Decrypt the Hard Disk" -discussion: | - The macOS system _MUST_ be configured with a dedicated user account to decrypt the hard disk upon startup. - - When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login. -check: | - Ensure that only one FileVault user is defined: - - # sudo fdesetup list - - fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A - - If more than one user is defined, this is a finding. - - Verify that the defined FileVault user has been disabled: - - # sudo dscl . read /Users/ AuthenticationAuthority | grep "DisabledUser" - - AuthenticationAuthority: ;ShadowHash;HASHLIST: ;Kerberosv5;;unlock@LKDC:SHA1.20BABA05A6B1A86A8C57581A8487596640A3E37B;LKDC:SHA1.20CEBE04A5B1D92D8C58189D8487593350D3A40A; ;SecureToken; DisabledUser - - If the FileVault user is not disabled, this is a finding. - - Verify that password forwarding has been disabled on the system: - - # sudo defaults read /Library/Preferences/com.apple.loginwindow | grep "DisableFDEAutologin" - - DisableFDEAutologin = 1; - - If "DisableFDEAutologin" is not set to a value of "1", this is a finding. -fix: | - Create a new user account that will be used to unlock the disk on startup. - - Disable the login ability of the newly created user account: - - # sudo dscl . 
append /Users/ AuthenticationAuthority DisabledUser - - Disable FileVaults Auto-login feature: - - # sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutologin -bool YES - - Remove all FileVault login access from each user account defined on the system that is not the designated FileVault user: - - # sudo fdesetup remove -user -references: - cce: - - CCE-85311-9 - cci: - - CCI-002143 - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - SRG-OS-000480-GPOS-00227 - disa_stig: - - APPL-11-000032 -macOS: - - "11.0" -tags: - - stig -severity: "medium" -mobileconfig: false -mobileconfig_info: \ No newline at end of file diff --git a/rules/supplemental/supplemental_smartcard.yaml b/rules/supplemental/supplemental_smartcard.yaml index da69e65d..2d221f91 100644 --- a/rules/supplemental/supplemental_smartcard.yaml +++ b/rules/supplemental/supplemental_smartcard.yaml @@ -3,14 +3,14 @@ title: "Smartcard Supplemental" discussion: | The supplemental guidance found in this section is applicable for the following rules: - * auth_ssh_passwordauthentication_disable + * auth_ssh_password_authentication_disable * auth_smartcard_enforce * auth_smartcard_certificate_trust_enforce_moderate * auth_smartcard_certificate_trust_enforce_high * auth_smartcard_allow * auth_pam_sudo_smartcard_enforce * auth_pam_su_smartcard_enforce - * auth_pam_login_smartcard_enforcelist of Rule IDs + * auth_pam_login_smartcard_enforce macOS supports smartcards, such as U.S. Personal Identity Verification (PIV) cards and U.S. Department of Defense Common Access Cards (CAC). Smartcards can be used on a macOS for the following: 
@@ -94,6 +94,8 @@ discussion: | |=== + NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon based macOS systems that are smartcard enforced as smartcards are available at pre-boot. + [discrete] ==== Trusted Authorities The macOS allows users to specify which certificate authorities (CA) can be used for trust evaluation during smartcard authentication. Only CAs listed in the TrustedAuthorities section of the SmartcardLogin.plist will be evaluated as trusted. This setting only works if checkCertificateTrust is set to either 1, 2, or 3 in com.apple.security.smartcard. @@ -125,8 +127,7 @@ discussion: | TrustedAuthorities - SHA256_HASH_OF_CERTDOMAIN_1 - SHA256_HASH_OF_CERTDOMAIN_2 + SHA256_HASH_OF_CERTDOMAIN_1,SHA256_HASH_OF_CERTDOMAIN_2 @@ -157,8 +158,7 @@ discussion: | TrustedAuthorities - SHA256_HASH_OF_CERTDOMAIN_1 - SHA256_HASH_OF_CERTDOMAIN_2 + SHA256_HASH_OF_CERTDOMAIN_1,SHA256_HASH_OF_CERTDOMAIN_2 NotEnforcedGroup GROUPGOESHERE From f80d86255e55c2281b23e8036cd3739b383bc94e Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 9 Jul 2021 09:04:38 -0400 Subject: [PATCH 075/135] changed SCAP creation regex to r5 from r4 --- SCAP/html-to-xccdf.xsl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SCAP/html-to-xccdf.xsl b/SCAP/html-to-xccdf.xsl index 4b3020b1..4532697f 100644 --- a/SCAP/html-to-xccdf.xsl +++ b/SCAP/html-to-xccdf.xsl @@ -344,7 +344,7 @@ - + xccdf_{$xccdf-namespace}_profile_{.} From 007589aaeb1e053f2a34693665585839cd5fbfc8 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 9 Jul 2021 09:05:15 -0400 Subject: [PATCH 076/135] all rules to include new rule files --- baselines/all_rules.yaml | 71 ++++++++++++++++++++++++---------------- 1 file changed, 43 insertions(+), 28 deletions(-) diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index cac10501..c9f95f21 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml 
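Review bot: The added NOTE spells the key `DisableFDEAutoLogin`, whereas the deleted os_filevault_user_account.yaml on this page uses `DisableFDEAutologin`; settle on the spelling of the actual loginwindow key so readers searching the guide find both mentions. The NOTE is effectively an exemption from the rule that sets that key, so it should name that rule and make clear the exemption holds only where smartcard enforcement is actually in place. In the two TrustedAuthorities hunks the two hash entries become one comma-separated value; the plist markup is not visible here, so if this sits inside a plist array the text should state that a single comma-joined string is the accepted form, since an array of separate strings and one joined string are not interchangeable.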
@@ -1,19 +1,20 @@ -title: "macOS 11.0: Security Configuration - All Rules" +title: "macOS 11.0: Security Configuration - all" description: | - This guide describes the actions to take when securing a macOS 11.0 system using every available rule. + This guide describes the actions to take when securing a macOS 11.0 system against the all baseline. profile: - section: "authentication" rules: - auth_pam_login_smartcard_enforce - auth_smartcard_allow - auth_pam_sudo_smartcard_enforce - - auth_ssh_smartcard_enforce - auth_smartcard_certificate_trust_enforce_high - auth_smartcard_certificate_trust_enforce_moderate - auth_smartcard_enforce - auth_pam_su_smartcard_enforce + - auth_ssh_password_authentication_disable - section: "auditing" rules: + - audit_flags_fd_configure - audit_folder_group_configure - audit_failure_halt - audit_acls_folders_configure 
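Review bot: `auth_ssh_smartcard_enforce` is dropped from the authentication section, but this commit touches only baselines/all_rules.yaml and that rule file is still listed in PATCH 001's diffstat, so if the rule exists it silently disappears from the all-rules baseline. Either delete the rule in the same commit or keep the entry. The same applies to `os_guest_access_smb_disable` in the next hunk, replaced by `sysprefs_guest_access_smb_disable` with no rename visible here. The new description, `securing a macOS 11.0 system against the all baseline`, reads oddly; the old `using every available rule` was clearer.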
@@ -36,68 +37,79 @@ profile: - audit_acls_files_configure - section: "macos" rules: + - os_sshd_login_grace_time_configure + - os_newsyslog_files_owner_group_configure - os_firewall_default_deny_require - - os_ssh_server_alive_count_max_configure - os_firmware_password_require + - os_apple_mobile_file_integrity_enforce - os_gatekeeper_rearm - os_root_disable - os_guest_account_disable - os_policy_banner_ssh_enforce - os_password_proximity_disable - os_mdm_require + - os_anti_virus_installed - os_screensaver_loginwindow_enforce - os_handoff_disable + - os_sshd_key_exchange_algorithm_configure - os_firewall_log_enable + - os_ssh_server_alive_interval_configure - os_tftpd_disable - os_password_autofill_disable + - os_sshd_client_alive_interval_configure + - os_asl_log_files_permissions_configure - os_password_sharing_disable - os_ssh_fips_140_ciphers - - os_sshd_login_grace_time_configure + - os_authenticated_root_enable + - os_config_data_install_enforce + - os_sshd_client_alive_count_max_configure - os_privacy_setup_prompt_disable + - os_filevault_authorized_users - os_secure_boot_verify - os_sudoers_tty_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce - os_user_app_installation_prohibit - os_touchid_prompt_disable + - os_hbss_installed - os_filevault_autologin_disable - os_messages_app_disable - os_airdrop_disable - os_parental_controls_enable - os_system_read_only + - os_ssh_server_alive_count_max_configure - os_nfsd_disable + - os_sshd_permit_root_login_configure - os_httpd_disable + - os_asl_log_files_owner_group_configure - os_gatekeeper_enable - os_sip_enable - - os_authenticated_root_enable - os_removable_media_disable - - os_guest_access_smb_disable - os_policy_banner_ssh_configure - os_time_server_enabled - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable - os_siri_prompt_disable - os_appleid_prompt_disable + - os_directory_services_configured + - os_sshd_fips_140_ciphers + - os_sshd_fips_140_macs - 
os_certificate_authority_trust + - os_newsyslog_files_permissions_configure - os_ssh_fips_140_macs - os_home_folders_secure - os_facetime_app_disable - os_camera_disable - os_icloud_storage_prompt_disable - - os_sshd_permit_root_login_configure - os_ir_support_disable - os_mail_app_disable - - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - - os_sshd_client_alive_count_max_configure - - os_sshd_client_alive_interval_configure - - os_sshd_fips_140_ciphers - - os_sshd_fips_140_macs - section: "passwordpolicy" rules: - pwpolicy_account_inactivity_enforce - pwpolicy_history_enforce + - pwpolicy_temporary_or_emergency_accounts_disable - pwpolicy_account_lockout_enforce - pwpolicy_simple_sequence_disable - pwpolicy_lower_case_character_enforce @@ -123,15 +135,19 @@ profile: - icloud_addressbook_disable - section: "systempreferences" rules: + - sysprefs_automatic_logout_enforce - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable + - sysprefs_system_wide_preferences_configure - sysprefs_rae_disable + - sysprefs_personalized_advertising_disable - sysprefs_ssh_enable - - sysprefs_ssh_disable + - sysprefs_guest_access_smb_disable - sysprefs_media_sharing_disabled + - sysprefs_ssh_disable - sysprefs_screensaver_password_enforce + - sysprefs_critical_update_install_enforce - sysprefs_gatekeeper_identified_developers_allowed - sysprefs_gatekeeper_override_disallow - sysprefs_screensaver_timeout_enforce 
@@ -140,14 +156,15 @@ profile: - sysprefs_content_caching_disable - sysprefs_location_services_disable - sysprefs_time_server_configure + - sysprefs_power_nap_disable - sysprefs_diagnostics_reports_disable - sysprefs_bluetooth_disable - sysprefs_loginwindow_prompt_username_password_enforce - - sysprefs_power_nap_disable - sysprefs_automatic_login_disable - sysprefs_apple_watch_unlock_disable - sysprefs_token_removal_enforce - sysprefs_screensaver_ask_for_password_delay_enforce + - sysprefs_wifi_disable - sysprefs_time_server_enforce - sysprefs_touchid_unlock_disable - sysprefs_screen_sharing_disable @@ -157,10 +174,9 @@ profile: - sysprefs_password_hints_disable - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - - sysprefs_automatic_logout_enforce - - sysprefs_system_wide_preferences_configure - section: "Inherent" rules: + - audit_record_reduction_report_generation - os_enforce_access_restrictions - os_limit_gui_sessions - os_prevent_priv_functions @@ -176,14 +192,17 @@ profile: - os_implement_memory_protection - os_implement_cryptography - os_remote_access_methods + - os_separate_functionality - os_obscure_password - os_predictable_behavior - os_reauth_users_change_authenticators - os_map_pki_identity + - os_secure_enclave - os_unique_identification - os_provide_disconnect_remote_access - os_isolate_security_functions - os_required_crypto_module + - os_malicious_code_prevention - os_grant_privs - os_store_encrypted_passwords - os_prevent_unauthorized_disclosure @@ -192,7 +211,6 @@ profile: - os_mfa_network_access - os_peripherals_identify - os_error_message - - os_separate_functionality - os_crypto_audit - os_reauth_privilege - pwpolicy_temporary_accounts_disable 
@@ -201,12 +219,13 @@ profile: - section: "Permanent" rules: - audit_off_load_records + - audit_records_processing - audit_enforce_dual_auth - audit_alert_processing_fail - - os_secure_name_resolution - os_reauth_devices_change_authenticators - os_notify_account_enable - os_provide_automated_account_management + - os_secure_name_resolution - os_notify_account_created - os_notify_account_modified - os_notify_account_removal @@ -218,20 +237,16 @@ profile: - os_notify_unauthorized_baseline_change - pwpolicy_50_percent - pwpolicy_prevent_dictionary_words - - sysprefs_wifi_disable + - sysprefs_wifi_disable_when_connected_to_ethernet - section: "not_applicable" rules: - - os_identify_non-org_users + - os_access_control_mobile_devices - os_nonlocal_maintenance - - section: "srg" - rules: - - os_filevault_user_account - - os_anti_virus_installed + - os_identify_non-org_users - section: "Supplemental" rules: - supplemental_firewall_pf - supplemental_filevault - supplemental_password_policy - - supplemental_smartcard - supplemental_controls - + - supplemental_smartcard From 79cc28808960f0240a5a3daa3d1d6f878573f89b Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 9 Jul 2021 09:21:34 -0400 Subject: [PATCH 077/135] Added r5 N/A --- rules/audit/audit_alert_processing_fail.yaml | 2 ++ rules/os/os_error_message.yaml | 2 ++ rules/os/os_limit_auditable_events.yaml | 2 ++ rules/os/os_map_pki_identity.yaml | 2 ++ rules/os/os_mfa_network_access.yaml | 2 ++ rules/os/os_mfa_network_non-priv.yaml | 2 ++ rules/os/os_peripherals_identify.yaml | 2 ++ rules/os/os_remote_access_methods.yaml | 2 ++ rules/os/os_terminate_session.yaml | 2 ++ rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml | 2 ++ rules/sysprefs/sysprefs_ssh_enable.yaml | 2 ++ 11 files changed, 22 insertions(+) diff --git a/rules/audit/audit_alert_processing_fail.yaml b/rules/audit/audit_alert_processing_fail.yaml index 70f7f361..76c1b428 100644 --- a/rules/audit/audit_alert_processing_fail.yaml 
+++ b/rules/audit/audit_alert_processing_fail.yaml @@ -11,6 +11,8 @@ references: - CCE-85253-3 cci: - CCI-000139 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/os/os_error_message.yaml b/rules/os/os_error_message.yaml index 0569456a..5d5f0eb4 100644 --- a/rules/os/os_error_message.yaml +++ b/rules/os/os_error_message.yaml @@ -11,6 +11,8 @@ references: - CCE-85307-7 cci: - CCI-001312 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/os/os_limit_auditable_events.yaml b/rules/os/os_limit_auditable_events.yaml index 8c4ed5cb..098cb9f6 100644 --- a/rules/os/os_limit_auditable_events.yaml +++ b/rules/os/os_limit_auditable_events.yaml @@ -11,6 +11,8 @@ references: - CCE-85331-7 cci: - CCI-000171 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/os/os_map_pki_identity.yaml b/rules/os/os_map_pki_identity.yaml index 3bc70ae6..614ec045 100644 --- a/rules/os/os_map_pki_identity.yaml +++ b/rules/os/os_map_pki_identity.yaml @@ -11,6 +11,8 @@ references: - CCE-85337-4 cci: - CCI-000187 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/os/os_mfa_network_access.yaml b/rules/os/os_mfa_network_access.yaml index c991a9f5..2bd008f7 100644 --- a/rules/os/os_mfa_network_access.yaml +++ b/rules/os/os_mfa_network_access.yaml @@ -12,6 +12,8 @@ references: - CCE-85340-8 cci: - CCI-000765 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/os/os_mfa_network_non-priv.yaml b/rules/os/os_mfa_network_non-priv.yaml index efc841ef..7de824ec 100644 --- a/rules/os/os_mfa_network_non-priv.yaml +++ b/rules/os/os_mfa_network_non-priv.yaml @@ -12,6 +12,8 @@ references: - CCE-85341-6 cci: - CCI-000766 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/os/os_peripherals_identify.yaml b/rules/os/os_peripherals_identify.yaml index 91d02b8f..03515f29 100644 --- a/rules/os/os_peripherals_identify.yaml +++ b/rules/os/os_peripherals_identify.yaml 
@@ -13,6 +13,8 @@ references: - CCE-85354-9 cci: - N/A + 800-53r5: + - N/A 800-53r4: - N/A srg: diff --git a/rules/os/os_remote_access_methods.yaml b/rules/os/os_remote_access_methods.yaml index 483d0cd0..573f3ac0 100644 --- a/rules/os/os_remote_access_methods.yaml +++ b/rules/os/os_remote_access_methods.yaml @@ -11,6 +11,8 @@ references: - CCE-85369-7 cci: - CCI-002314 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/os/os_terminate_session.yaml b/rules/os/os_terminate_session.yaml index 48d82f12..b80e8b5e 100644 --- a/rules/os/os_terminate_session.yaml +++ b/rules/os/os_terminate_session.yaml @@ -11,6 +11,8 @@ references: - CCE-85390-3 cci: - CCI-000879 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml index 6b1e7e48..880dcc8f 100644 --- a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml +++ b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml @@ -15,6 +15,8 @@ references: - CCE-85411-7 cci: - CCI-000366 + 800-53r5: + - N/A 800-53r4: - N/A disa_stig: diff --git a/rules/sysprefs/sysprefs_ssh_enable.yaml b/rules/sysprefs/sysprefs_ssh_enable.yaml index b8307ae5..44fb91f8 100644 --- a/rules/sysprefs/sysprefs_ssh_enable.yaml +++ b/rules/sysprefs/sysprefs_ssh_enable.yaml @@ -25,6 +25,8 @@ references: - CCI-001453 - CCI-000068 - CCI-002418 + 800-53r5: + - N/A 800-53r4: - N/A srg: From 931eefabb3ec30633e032c32428860d9ed6dcfd0 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 9 Jul 2021 09:22:04 -0400 Subject: [PATCH 078/135] Added CM-6 but no baselines --- rules/os/os_directory_services_configured.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index 6ad2ee38..39fe89e3 100644 --- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml 
@@ -15,6 +15,8 @@ fix: | references: cci: - CCI-000366 + 800-53r5: + - CM-6 800-53r4: - CM-6(b) srg: From 9f4d654e732e0d517daf4bc30c94b9c3a840b87d Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 9 Jul 2021 09:22:42 -0400 Subject: [PATCH 079/135] Added SI-10(3) r5 --- rules/os/os_predictable_behavior.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/os/os_predictable_behavior.yaml b/rules/os/os_predictable_behavior.yaml index 08019463..3665a4cb 100644 --- a/rules/os/os_predictable_behavior.yaml +++ b/rules/os/os_predictable_behavior.yaml @@ -11,6 +11,8 @@ references: - CCE-85358-0 cci: - CCI-002754 + 800-53r5: + - SI-10(3) 800-53r4: - SI-10(3) disa_stig: From 79c5a5c548cbcf613551892a96e363fc5b3a7e90 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 9 Jul 2021 09:23:15 -0400 Subject: [PATCH 080/135] fixed 800-54r5 to 800-53r5 --- rules/pwpolicy/pwpolicy_50_percent.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/pwpolicy/pwpolicy_50_percent.yaml b/rules/pwpolicy/pwpolicy_50_percent.yaml index e161d4b6..cc31c6c5 100644 --- a/rules/pwpolicy/pwpolicy_50_percent.yaml +++ b/rules/pwpolicy/pwpolicy_50_percent.yaml @@ -15,7 +15,7 @@ references: - CCE-85399-4 cci: - CCI-000195 - 800-54r5: + 800-53r5: - N/A 800-53r4: - IA-5 @@ -42,4 +42,4 @@ tags: - 800-53r4_high - permanent mobileconfig: false -mobileconfig_info: +mobileconfig_info: \ No newline at end of file From c3cc501278ab96d9b465c4c21130393e2dbceeb2 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 9 Jul 2021 09:25:38 -0400 Subject: [PATCH 081/135] R5 N/A based off changes in R5 text --- rules/os/os_notify_account_created.yaml | 2 ++ rules/os/os_notify_account_disabled.yaml | 2 ++ rules/os/os_notify_account_enable.yaml | 2 ++ rules/os/os_notify_account_modified.yaml | 2 ++ rules/os/os_notify_account_removal.yaml | 2 ++ 5 files changed, 10 insertions(+) 
diff --git a/rules/os/os_notify_account_created.yaml b/rules/os/os_notify_account_created.yaml index 42296a78..3f671470 100644 --- a/rules/os/os_notify_account_created.yaml +++ b/rules/os/os_notify_account_created.yaml @@ -15,6 +15,8 @@ references: - CCE-85343-2 cci: - CCI-001683 + 800-53r5: + - N/A 800-53r4: - AC-2(4) disa_stig: diff --git a/rules/os/os_notify_account_disabled.yaml b/rules/os/os_notify_account_disabled.yaml index 7615d41c..32b2b482 100644 --- a/rules/os/os_notify_account_disabled.yaml +++ b/rules/os/os_notify_account_disabled.yaml @@ -15,6 +15,8 @@ references: - CCE-85344-0 cci: - CCI-001685 + 800-53r5: + - N/A 800-53r4: - AC-2(4) disa_stig: diff --git a/rules/os/os_notify_account_enable.yaml b/rules/os/os_notify_account_enable.yaml index fee25a2c..acea837d 100644 --- a/rules/os/os_notify_account_enable.yaml +++ b/rules/os/os_notify_account_enable.yaml @@ -15,6 +15,8 @@ references: - CCE-85345-7 cci: - CCI-002132 + 800-53r5: + - N/A 800-53r4: - AC-2(4) disa_stig: diff --git a/rules/os/os_notify_account_modified.yaml b/rules/os/os_notify_account_modified.yaml index b0b81d65..54e83486 100644 --- a/rules/os/os_notify_account_modified.yaml +++ b/rules/os/os_notify_account_modified.yaml @@ -15,6 +15,8 @@ references: - CCE-85346-5 cci: - CCI-001684 + 800-53r5: + - N/A 800-53r4: - AC-2(4) disa_stig: diff --git a/rules/os/os_notify_account_removal.yaml b/rules/os/os_notify_account_removal.yaml index cd19a8fb..b872d510 100644 --- a/rules/os/os_notify_account_removal.yaml +++ b/rules/os/os_notify_account_removal.yaml @@ -15,6 +15,8 @@ references: - CCE-85347-3 cci: - CCI-001686 + 800-53r5: + - N/A 800-53r4: - AC-2(4) disa_stig: From 2ff6e157701da96870d87e68d330bfc83fd4ac1e Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 9 Jul 2021 10:47:02 -0400 Subject: [PATCH 082/135] fixed audit_control path --- rules/audit/audit_failure_halt.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index afa0e68a..a8845c6e 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml @@ -5,7 +5,7 @@ discussion: | Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. check: | - /usr/bin/awk -F':' '/^policy/ {print $NF}' audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt' + /usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt' result: integer: 1 fix: | From 61641a5bd636f9a6cf7ad3f6566de98057c90df0 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 9 Jul 2021 11:01:31 -0400 Subject: [PATCH 083/135] added more conditions to handle changes with audit file checks --- scripts/yaml-to-oval.py | 40 ++++++++++++++++++++++++++++------------ 1 file changed, 28 insertions(+), 12 deletions(-) diff --git a/scripts/yaml-to-oval.py b/scripts/yaml-to-oval.py index 7aa526f1..e444410e 100755 --- a/scripts/yaml-to-oval.py +++ b/scripts/yaml-to-oval.py 
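Review bot: The absolute `/etc/security/audit_control` path corrects the check, but the `fix:` block that follows is outside the hunk, so it is worth confirming it references the same absolute path rather than a bare `audit_control`. This matters beyond the shell check: the generator touched in the next commit extracts the awk target from the check string with `rule_yaml['check'].split("'")[2]`, so the relative name would also have been copied into the generated OVAL content.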
@@ -1314,20 +1314,36 @@ def main(): x += 1 continue if "awk" in command[3]: + awk_file = "" + awk_search = "" + field_sep = "" - awk_file = rule_yaml['check'].split("'")[2].strip(" ") - - awk_search = rule_yaml['check'].split("'")[1].split("/")[1] - field_sep = rule_yaml['check'].split("-F")[1].split(" ")[0].replace('\"',"") - - try: - - awk_result = rule_yaml['result']['string'] + if "grep -qE" in rule_yaml['fix']: + awk_file = rule_yaml['fix'].split(" ")[3].strip(" ") + awk_search = rule_yaml['fix'].split(" ")[2].strip("\"") - except: - - awk_result = str(rule_yaml['result']['integer']) + elif "grep" in rule_yaml['check']: + awk_file = rule_yaml['check'].split("|")[0].split(" ")[-2] + awk_search = rule_yaml['check'].split("|")[-1].split(" ")[-2].strip("\'") + + else: + awk_file = rule_yaml['check'].split("'")[2].strip(" ") + awk_search = rule_yaml['check'].split("'")[1].split("/")[1] + field_sep = rule_yaml['check'].split("-F")[1].split(" ")[0].replace('\"',"") + + try: + + awk_result = rule_yaml['result']['string'] + + except: + + awk_result = str(rule_yaml['result']['integer']) + + awk_search = "^" + awk_search + field_sep + awk_result + + + oval_definition = oval_definition + ''' @@ -1351,7 +1367,7 @@ def main(): {} 1 - '''.format(x,rule_yaml['id'],awk_file.rstrip(),"^" + awk_search + field_sep + awk_result) + '''.format(x,rule_yaml['id'],awk_file.rstrip(), awk_search) x += 1 continue if "grep" in command[3]: From 5688c9b38a45f8accbd1d6797c0327f38e6c6949 Mon Sep 17 00:00:00 2001 
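Review bot: It is not recoverable from the collapsed hunk whether `awk_search = "^" + awk_search + field_sep + awk_result` sits inside the final `else:` or after it; if it is outside, `awk_result` is bound only in the `else:` branch and the two new `grep` branches raise `UnboundLocalError`, and if it is inside, those branches hand an unanchored pattern to the `.format(...)` call below. Either way the new branches pick `awk_file` and `awk_search` by fixed-position `split(" ")` indexes (`[3]`, `[2]`, `[-2]`), so a rule whose check or fix has an extra flag, a double space or a quoted path will raise `IndexError` or silently select the wrong token; a small regex per command form, with an error message that names `rule_yaml['id']`, would fail loudly instead. The re-added bare `except:` should be `except KeyError:` so that only the absent `string` result is handled and other errors surface. The `main()` function starts and ends outside the hunk.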
From: Bob Gendler Date: Fri, 9 Jul 2021 11:21:14 -0400 Subject: [PATCH 084/135] matching to big_sur branch --- rules/audit/audit_files_group_configure.yaml | 2 +- rules/audit/audit_files_mode_configure.yaml | 2 +- rules/audit/audit_files_owner_configure.yaml | 2 +- rules/os/os_airdrop_disable.yaml | 2 +- .../os_screensaver_loginwindow_enforce.yaml | 2 +- ...sshd_key_exchange_algorithm_configure.yaml | 2 +- .../sysprefs_automatic_logout_enforce.yaml | 2 ++ .../sysprefs_guest_account_disable.yaml} | 2 +- .../sysprefs_hot_corners_disable.yaml | 2 +- ...nsaver_ask_for_password_delay_enforce.yaml | 2 +- ...sysprefs_screensaver_password_enforce.yaml | 2 +- .../sysprefs_screensaver_timeout_enforce.yaml | 6 ++-- rules/sysprefs/sysprefs_ssh_enable.yaml | 29 ++----------------- .../sysprefs_token_removal_enforce.yaml | 2 +- 14 files changed, 19 insertions(+), 40 deletions(-) rename rules/{os/os_guest_account_disable.yaml => sysprefs/sysprefs_guest_account_disable.yaml} (96%) diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml index 66e22114..eeb97d90 100644 --- a/rules/audit/audit_files_group_configure.yaml +++ b/rules/audit/audit_files_group_configure.yaml @@ -13,7 +13,7 @@ result: fix: | [source,bash] ---- - /usr/bin/chgrp -R wheel $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') + /usr/bin/chgrp -R wheel $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')/* ---- references: cce: diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml index 960ec60c..24289610 100644 --- a/rules/audit/audit_files_mode_configure.yaml +++ b/rules/audit/audit_files_mode_configure.yaml 
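Review bot: Appending `/*` makes the glob expand to the non-hidden entries inside the audit directory, so the directory itself is no longer touched by `chgrp -R` here, nor by `chown -R` in `audit_files_owner_configure.yaml` or `chmod 440` in `audit_files_mode_configure.yaml` on the next line; if the corresponding checks, which are outside these hunks, still inspect the directory, the fix will not clear the finding. If the directory is empty the unmatched glob is passed literally and the command fails. The command substitution is also unquoted, so a `dir:` value containing a space would be split; `"$(...)"/*` keeps the path intact while still globbing.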
@@ -9,7 +9,7 @@ result: fix: | [source,bash] ---- - /bin/chmod 440 $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') + /bin/chmod 440 $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')/* ---- references: cce: diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml index bb87af4b..ee75f582 100644 --- a/rules/audit/audit_files_owner_configure.yaml +++ b/rules/audit/audit_files_owner_configure.yaml @@ -13,7 +13,7 @@ result: fix: | [source,bash] ---- - /usr/sbin/chown -R root $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') + /usr/sbin/chown -R root $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')/* ---- references: cce: diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 561e9c42..4a7f00c3 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -5,7 +5,7 @@ discussion: AirDrop allows users to share and receive files from other nearby Apple devices. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableAirDrop = 1' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowAirDrop = 0' result: integer: 1 fix: | diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml index 2cc2aff8..a8db96f5 100644 --- a/rules/os/os_screensaver_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_loginwindow_enforce.yaml @@ -12,7 +12,7 @@ references: cce: - CCE-85375-4 cci: - - CCI-000060* + - CCI-000060 800-53r5: - AC-11(1) 800-53r4: diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml index 94a48a01..e5a67935 100644 --- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml +++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml 
@@ -17,7 +17,7 @@ result: fix: | [source,bash] ---- - /usr/bin/sed -i.bak 's/.*KexAlgorithms.*/KexAlgorithms diffie-hellman-group-exchange-sha256/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd + /usr/bin/grep -q '^KexAlgorithms' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.*KexAlgorithms.*/KexAlgorithms diffie-hellman-group-exchange-sha256/' /etc/ssh/sshd_config || /bin/echo 'KexAlgorithms diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd ---- references: cce: diff --git a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml index 283f3460..dc802eae 100644 --- a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml +++ b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml @@ -11,6 +11,8 @@ discussion: | ==== check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"com.apple.autologout.AutoLogOutDelay" = 86400' +result: + integer: 1 fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_guest_account_disable.yaml b/rules/sysprefs/sysprefs_guest_account_disable.yaml similarity index 96% rename from rules/os/os_guest_account_disable.yaml rename to rules/sysprefs/sysprefs_guest_account_disable.yaml index 2668d557..6e91a4c4 100644 --- a/rules/os/os_guest_account_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_account_disable.yaml @@ -1,4 +1,4 @@ -id: os_guest_account_disable +id: sysprefs_guest_account_disable title: "Disable the Guest Account" discussion: | Guest access _MUST_ be disabled. diff --git a/rules/sysprefs/sysprefs_hot_corners_disable.yaml b/rules/sysprefs/sysprefs_hot_corners_disable.yaml index 0279175c..13f509a5 100644 --- a/rules/sysprefs/sysprefs_hot_corners_disable.yaml +++ b/rules/sysprefs/sysprefs_hot_corners_disable.yaml @@ -14,7 +14,7 @@ references: cce: - CCE-85431-5 cci: - - CCI-000060* + - CCI-000060 800-53r5: - AC-11(1) 800-53r4: 
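Review bot: The `grep && sed || echo` chain in the new fix appends a second `KexAlgorithms` line whenever `sed` exits non-zero (for example when the `-i.bak` backup cannot be written), because the `||` branch fires on sed's failure as well as on grep's; an `if /usr/bin/grep -q '^KexAlgorithms' /etc/ssh/sshd_config; then sed ...; else echo ... >> /etc/ssh/sshd_config; fi` form keeps the two cases separate. Appending with `>>` also places the directive after any `Match` block at the end of `sshd_config`, where sshd scopes it to that block rather than to the whole server, so the check (outside this hunk) may still fail on such hosts.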
diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml index 166486cd..809dd003 100644 --- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml @@ -14,7 +14,7 @@ references: cce: - CCE-85442-2 cci: - - CCI-000056* + - CCI-000056 800-53r5: - AC-11 800-53r4: diff --git a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml index 979662d9..2fa0dae5 100644 --- a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml @@ -14,7 +14,7 @@ references: cce: - CCE-85443-0 cci: - - CCI-000056* + - CCI-000056 800-53r5: - AC-11 800-53r4: diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml index 258048e9..541893d9 100644 --- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml @@ -5,16 +5,16 @@ discussion: | This rule ensures that a full session lock is triggered after 15 minutes of inactivity. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'idleTime = 900' + /usr/bin/profiles -P -o stdout | /usr/bin/egrep -o -e "idleTime\s=\s([^;]+)" | /usr/bin/awk '{ if ($3 <= 900) {print "Yes"} else {print "No"}}' result: - integer: 1 + string: "Yes" fix: | This is implemented by a Configuration Profile. references: cce: - CCE-85444-8 cci: - - CCI-000057* + - CCI-000057 800-53r5: - AC-11 - IA-11 diff --git a/rules/sysprefs/sysprefs_ssh_enable.yaml b/rules/sysprefs/sysprefs_ssh_enable.yaml index 44fb91f8..869a8837 100644 --- a/rules/sysprefs/sysprefs_ssh_enable.yaml +++ b/rules/sysprefs/sysprefs_ssh_enable.yaml 
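Review bot: In the `sysprefs_screensaver_timeout_enforce.yaml` hunk an `idleTime = 0` value, which turns the screen saver off entirely, satisfies `$3 <= 900` and prints `Yes`, so the rewritten check passes the one configuration it most needs to catch; `if ($3 <= 900 && $3 > 0)` closes that gap. When more than one profile sets `idleTime`, awk prints one line per match and the output no longer equals the bare `string: "Yes"` result; piping through `/usr/bin/sort -u` or counting `No` lines would keep the comparison stable.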
@@ -15,38 +15,15 @@ references: cce: - CCE-85447-1 cci: - - CCI-001941 - - CCI-001942 - - CCI-002890 - - CCI-002420 - - CCI-002421 - - CCI-002422 - - CCI-003123 - - CCI-001453 - - CCI-000068 - - CCI-002418 + - N/A 800-53r5: - N/A 800-53r4: - N/A srg: - - SRG-OS-000393-GPOS-00173 - - SRG-OS-000394-GPOS-00174 - - SRG-OS-000112-GPOS-00057 - - SRG-OS-000113-GPOS-00058 - - SRG-OS-000033-GPOS-00014 - - SRG-OS-000423-GPOS-00187 - - SRG-OS-000424-GPOS-00188 - - SRG-OS-000425-GPOS-00189 - - SRG-OS-000426-GPOS-00190 - - SRG-OS-000033-GPOS-00014 - - SRG-OS-000250-GPOS-00093 + - N/A disa_stig: - - APPL-11-000040 - - APPL-11-004011 - - APPL-11-004010 - - APPL-11-000011 - - APPL-11-000010 + - N/A 800-171r2: - N/A macOS: diff --git a/rules/sysprefs/sysprefs_token_removal_enforce.yaml b/rules/sysprefs/sysprefs_token_removal_enforce.yaml index 62301fa3..83fa14cc 100644 --- a/rules/sysprefs/sysprefs_token_removal_enforce.yaml +++ b/rules/sysprefs/sysprefs_token_removal_enforce.yaml @@ -19,7 +19,7 @@ references: cce: - CCE-85450-5 cci: - - CCI-000058* + - CCI-000058 800-53r5: - AC-11 800-53r4: From 88868d0ec5936e5eb2b899c67fee71164fbeafe8 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 9 Jul 2021 13:34:24 -0400 Subject: [PATCH 085/135] updates for defaults read checks --- scripts/yaml-to-oval.py | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/scripts/yaml-to-oval.py b/scripts/yaml-to-oval.py index e444410e..2755f567 100755 --- a/scripts/yaml-to-oval.py +++ b/scripts/yaml-to-oval.py @@ -843,6 +843,7 @@ def main(): '''.format(rule_yaml['id'],x,x,x) plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") + if "ByHost" in rule_yaml['fix'] or "currentHost" in rule_yaml['fix']: oval_object = oval_object + ''' @@ -890,7 +891,7 @@ def main(): else: - + check_length = len(rule_yaml['check'].split()) key = rule_yaml['check'].split()[check_length-1] 
@@ -910,6 +911,15 @@ def main(): '''.format(x,plist,x+999) + else: + + plist_key = rule_yaml['check'].split(" ")[3].rstrip() + oval_object = oval_object + ''' + + {} + {} + 1 + '''.format(rule_yaml['id'],x,plist_key,plist) datatype = "" for key in rule_yaml['result']: From abdc8a1716ae5dc94683052075b580727d05502f Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 9 Jul 2021 13:34:43 -0400 Subject: [PATCH 086/135] most up to date all rules --- baselines/all_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index c9f95f21..920df119 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -44,7 +44,6 @@ profile: - os_apple_mobile_file_integrity_enforce - os_gatekeeper_rearm - os_root_disable - - os_guest_account_disable - os_policy_banner_ssh_enforce - os_password_proximity_disable - os_mdm_require @@ -148,6 +147,7 @@ profile: - sysprefs_ssh_disable - sysprefs_screensaver_password_enforce - sysprefs_critical_update_install_enforce + - sysprefs_guest_account_disable - sysprefs_gatekeeper_identified_developers_allowed - sysprefs_gatekeeper_override_disallow - sysprefs_screensaver_timeout_enforce From 167e943202793e7ca746cfc8a9d998612f72bbb3 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 13 Jul 2021 12:36:45 -0400 Subject: [PATCH 087/135] wording changes, reference update, manual tag added --- rules/os/os_filevault_authorized_users.yaml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/rules/os/os_filevault_authorized_users.yaml b/rules/os/os_filevault_authorized_users.yaml index a016f0e5..3e306106 100644 --- a/rules/os/os_filevault_authorized_users.yaml +++ b/rules/os/os_filevault_authorized_users.yaml 
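Review bot: `rule_yaml['check'].split(" ")[3]` in the new `else:` branch assumes the check is exactly `defaults read <domain> <key>` separated by single spaces, so a check with an extra flag, a double space or a quoted key raises `IndexError` or picks the wrong token with no indication of which rule was at fault; `shlex.split` plus an explicit length check that reports `rule_yaml['id']` would fail clearly. `plist_key` and `plist` are interpolated straight into the OVAL XML, so a key containing `&` or `<` yields a malformed document; `xml.sax.saxutils.escape` on both values avoids that. Which `if` this `else:` pairs with, and the enclosing `main()`, start outside the hunk.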
@@ -5,16 +5,21 @@ discussion: | check: | /usr/bin/fdesetup list | /usr/bin/awk -F',' '{print $1}' result: - string: "a list containing usernames that can unlock FileVault" + string: "a list containing authorized users that can unlock FileVault" fix: | - Remove the secure token from any account that is not authorized to unlock FileVault. + Remove the user that is not authorized to unlock FileVault using the fdesetup command. + + [source,bash] + ---- + /usr/bin/fdesetup remove -user NOT_AUTHORIZED_USERNAME + ---- references: cce: - CCE-85311-9 cci: - CCI-002143 800-53r5: - - AU-2(11) + - AC-2(11) 800-53r4: - N/A srg: @@ -26,6 +31,7 @@ macOS: tags: - 800-53r5_high - stig + - manual severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file From a999ba9830e3ce0b86f35f4589e139553350de95 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 13 Jul 2021 15:35:52 -0400 Subject: [PATCH 088/135] replaced n/a cce with real cce --- rules/audit/audit_record_reduction_report_generation.yaml | 2 +- rules/audit/audit_records_processing.yaml | 2 +- rules/os/os_access_control_mobile_devices.yaml | 2 +- rules/os/os_asl_log_files_owner_group_configure.yaml | 2 +- rules/os/os_asl_log_files_permissions_configure.yaml | 2 +- rules/os/os_config_data_install_enforce.yaml | 2 +- rules/os/os_hbss_installed.yaml | 2 +- rules/os/os_malicious_code_prevention.yaml | 2 +- rules/os/os_newsyslog_files_owner_group_configure.yaml | 2 +- rules/os/os_newsyslog_files_permissions_configure.yaml | 2 +- rules/os/os_secure_enclave.yaml | 2 +- rules/os/os_sshd_key_exchange_algorithm_configure.yaml | 2 +- rules/sysprefs/sysprefs_wifi_disable.yaml | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/rules/audit/audit_record_reduction_report_generation.yaml b/rules/audit/audit_record_reduction_report_generation.yaml index 8e3a0fde..a5ff6ec9 100644 --- a/rules/audit/audit_record_reduction_report_generation.yaml 
+++ b/rules/audit/audit_record_reduction_report_generation.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-85461-2 cci: - N/A 800-53r5: diff --git a/rules/audit/audit_records_processing.yaml b/rules/audit/audit_records_processing.yaml index b69ff929..61d47899 100644 --- a/rules/audit/audit_records_processing.yaml +++ b/rules/audit/audit_records_processing.yaml @@ -10,7 +10,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - N/A + - CCE-85462-0 cci: - N/A 800-53r5: diff --git a/rules/os/os_access_control_mobile_devices.yaml b/rules/os/os_access_control_mobile_devices.yaml index c5f1c7fb..5c8607f7 100644 --- a/rules/os/os_access_control_mobile_devices.yaml +++ b/rules/os/os_access_control_mobile_devices.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - N/A + - CCE-85464-6 cci: - N/A 800-53r5: diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml index c80c96ed..65befaf3 100644 --- a/rules/os/os_asl_log_files_owner_group_configure.yaml +++ b/rules/os/os_asl_log_files_owner_group_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-85463-8 cci: - CCI-001314 800-53r5: diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml index 5657f4d2..57b3acdc 100644 --- a/rules/os/os_asl_log_files_permissions_configure.yaml +++ b/rules/os/os_asl_log_files_permissions_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-85465-3 cci: - CCI-001314 800-53r5: 
diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index 773437cc..9a1a1f5c 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-85466-1 cci: - N/A 800-53r5: diff --git a/rules/os/os_hbss_installed.yaml b/rules/os/os_hbss_installed.yaml index 1bb4ae4b..9ac0ba5e 100644 --- a/rules/os/os_hbss_installed.yaml +++ b/rules/os/os_hbss_installed.yaml @@ -11,7 +11,7 @@ fix: | Install the approved HBSS solution onto the system. references: cce: - - N/A + - CCE-85467-9 cci: - CCI-001233 800-53r5: diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml index c0b458f1..d51aab71 100644 --- a/rules/os/os_malicious_code_prevention.yaml +++ b/rules/os/os_malicious_code_prevention.yaml @@ -34,7 +34,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-85468-7 cci: - N/A 800-53r5: diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml index 30c01dd4..947e8c4f 100644 --- a/rules/os/os_newsyslog_files_owner_group_configure.yaml +++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - N/A + - CCE-85469-5 cci: - CCI-001314 800-53r5: diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml index 07004f65..d7053650 100644 --- a/rules/os/os_newsyslog_files_permissions_configure.yaml +++ b/rules/os/os_newsyslog_files_permissions_configure.yaml @@ -14,7 +14,7 @@ fix: | ---- references: cce: - - N/A + - CCE-85470-3 cci: - CCI-001314 800-53r5: diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml index 47d30612..44973413 100644 --- a/rules/os/os_secure_enclave.yaml 
+++ b/rules/os/os_secure_enclave.yaml @@ -16,7 +16,7 @@ fix: | The hardware does not support the requirement. references: cce: - - N/A + - CCE-85471-1 cci: - N/A 800-53r5: diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml index e5a67935..541aa039 100644 --- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml +++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml @@ -21,7 +21,7 @@ fix: | ---- references: cce: - - N/A + - CCE-85472-9 cci: - CCI-000803 - CCI-000068 diff --git a/rules/sysprefs/sysprefs_wifi_disable.yaml b/rules/sysprefs/sysprefs_wifi_disable.yaml index 86fa770e..270280a5 100644 --- a/rules/sysprefs/sysprefs_wifi_disable.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable.yaml @@ -14,7 +14,7 @@ fix: | /usr/sbin/networksetup -setnetworkserviceenabled "Wi-Fi" off references: cce: - - N/A + - CCE-85473-7 cci: - N/A 800-53r5: From 76765f49ed532c4c42aabd9d639aa2984870f1e6 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 14 Jul 2021 09:03:56 -0400 Subject: [PATCH 089/135] added missing result --- rules/os/os_asl_log_files_owner_group_configure.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml index 65befaf3..2a7b9a6e 100644 --- a/rules/os/os_asl_log_files_owner_group_configure.yaml +++ b/rules/os/os_asl_log_files_owner_group_configure.yaml @@ -6,6 +6,8 @@ discussion: | ASL logs contain sensitive data about the system and users. If ASL log files are set to only be readable and writable by system administrators, the risk is mitigated. check: | /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' +result: + integer: 0 fix: | [source,bash] ---- From e9a2dc0650314846403ad19ef4190ce522ce8e18 Mon Sep 17 00:00:00 2001 
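Review bot: In the `os_asl_log_files_owner_group_configure.yaml` hunk `integer: 0` is the right expected value, but the check it pairs with sends `stat` errors to `/dev/null`, so a log path that is missing or unreadable simply drops out of the count and still yields 0; the rule cannot tell "every file is root:wheel" from "nothing could be inspected". Emitting the number of paths stat actually reported alongside the non-compliant count, or at least documenting in `discussion` that unreadable paths are skipped, would make the 0 meaningful.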
From: Bob Gendler Date: Wed, 14 Jul 2021 11:39:52 -0400 Subject: [PATCH 090/135] Added SI-2 to SIP and removed from 800-53 baselines for STIG specific rule --- rules/os/os_anti_virus_installed.yaml | 5 +---- rules/os/os_sip_enable.yaml | 1 + 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml index 1d18cd15..cde46e3a 100644 --- a/rules/os/os_anti_virus_installed.yaml +++ b/rules/os/os_anti_virus_installed.yaml @@ -15,7 +15,7 @@ references: cci: - CCI-000366 800-53r5: - - SI-2 + - N/A 800-53r4: - SI-2 srg: @@ -25,9 +25,6 @@ references: macOS: - "11.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - manual - stig severity: "high" diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index d094ea48..fd24bd0e 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml @@ -40,6 +40,7 @@ references: - CM-5 - CM-5(6) - SC-4 + - SI-2 - SI-7 800-53r4: - AC-3 From f1105d115abc8f939cb072abb6c9759e5365e204 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 14 Jul 2021 13:32:18 -0400 Subject: [PATCH 091/135] removed CM-6 --- rules/os/os_directory_services_configured.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index 39fe89e3..a1b16bb7 100644 --- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml @@ -16,7 +16,7 @@ references: cci: - CCI-000366 800-53r5: - - CM-6 + - N/A 800-53r4: - CM-6(b) srg: From f0c8b3f69fe8f1fe58e3e301b4066ed44588fb18 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 14 Jul 2021 13:34:58 -0400 Subject: [PATCH 092/135] Added the note back --- rules/os/os_sshd_fips_140_ciphers.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml index 033bb8be..f87ae85c 100644 --- a/rules/os/os_sshd_fips_140_ciphers.yaml +++ b/rules/os/os_sshd_fips_140_ciphers.yaml @@ -7,7 +7,7 @@ discussion: | Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. - NOTE: /etc/ssh/sshd_config will be a + NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | /usr/bin/grep -c "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/sshd_config result: From da901025d27e6e80feee86ff33a8c86f8d5441c6 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 14 Jul 2021 13:39:53 -0400 Subject: [PATCH 093/135] removed sudo --- .../pwpolicy_temporary_or_emergency_accounts_disable.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml index 168095f4..3cf04045 100644 --- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml @@ -25,7 +25,7 @@ check: | To check if the password policy is configured to disable a temporary or emergency account after 72 hours, run the following command to output the password policy to the screen, substituting the correct user name in place of username: - /usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2 + /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2 If there is no output, and password policy is not controlled by a directory service, this is a finding. 
@@ -53,7 +53,7 @@ fix: | After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the correct user name in place of "username" and the path to the file in place of "/path/to/file". - /usr/bin/sudo /usr/bin/pwpolicy -u username setaccountpolicies /path/to/file + /usr/bin/pwpolicy -u username setaccountpolicies /path/to/file references: cce: - CCE-85414-1 From 8ecf1c5da58f89e9f74676524fb2c55113777a40 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 14 Jul 2021 13:48:13 -0400 Subject: [PATCH 094/135] fixed the check/fix for ssh enable --- rules/sysprefs/sysprefs_ssh_enable.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/sysprefs/sysprefs_ssh_enable.yaml b/rules/sysprefs/sysprefs_ssh_enable.yaml index 869a8837..8bf947ca 100644 --- a/rules/sysprefs/sysprefs_ssh_enable.yaml +++ b/rules/sysprefs/sysprefs_ssh_enable.yaml @@ -3,13 +3,13 @@ title: "Enable SSH Server for Remote Access Sessions" discussion: | Remote access sessions _MUST_ use encrypted methods to protect unauthorized individuals from gaining access. check: | - /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => true' + /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => false' result: integer: 1 fix: | [source,bash] ---- - /bin/launchctl disable system/com.openssh.sshd + /bin/launchctl enable system/com.openssh.sshd ---- references: cce: From e96cdd747b47e7bdce0d473814cd9014c1143170 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 14 Jul 2021 13:59:39 -0400 Subject: [PATCH 095/135] Fixed gramatical error in discussion --- rules/pwpolicy/pwpolicy_force_password_change.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml index 952c6d14..656802e2 100644 --- a/rules/pwpolicy/pwpolicy_force_password_change.yaml 
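Review bot: The new check passes only when `launchctl print-disabled system` contains the literal `"com.openssh.sshd" => false`, so a run in which the service has no entry in that output, or in which the OS prints the state in another form, returns 0 and is reported as a finding even if sshd is actually loaded; paired with `result: integer: 1` this fails silently rather than with an error. Since the matched string is tied to one release's output format, consider recording that in the discussion, e.g. `NOTE: the check string matches the launchctl print-disabled output format of the macOS release this rule targets; re-verify on OS upgrades.` The fix's `launchctl enable system/com.openssh.sshd` now agrees with the check direction, which the previous revision had inverted.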
+++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml @@ -5,7 +5,7 @@ discussion: | Temporary passwords are often used for new users when accounts are created. However, once logged in to the system, users must be immediately prompted to change to a permanent password of their creation. - To for a user to change their password at next logon, run the following command: + For a user to change their password at next logon, run the following command: [source,bash] ---- /usr/bin/pwpolicy -u [USER] -setpolicy "newPasswordRequired=1" From 99babbaa6e219367e84de91bb5f00a592e0526ca Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 14 Jul 2021 14:23:52 -0400 Subject: [PATCH 096/135] changes to wifi disable --- rules/sysprefs/sysprefs_wifi_disable.yaml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/rules/sysprefs/sysprefs_wifi_disable.yaml b/rules/sysprefs/sysprefs_wifi_disable.yaml index 270280a5..c691eb6c 100644 --- a/rules/sysprefs/sysprefs_wifi_disable.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable.yaml @@ -1,7 +1,7 @@ id: sysprefs_wifi_disable title: "Disable Wi-Fi Interface" discussion: | - The macOS system must be configured with Wi-Fi support software disabled. + The macOS system must be configured with Wi-Fi support software disabled if not connected to an authorized trusted network. Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Since wireless communications can be intercepted it is necessary to use encryption to protect the confidentiality of information in transit.Wireless technologies include for example microwave packet radio (UHF/VHF) 802.11x and Bluetooth. Wireless networks use authentication protocols (e.g. EAP/TLS PEAP) which provide credential protection and mutual authentication. 
@@ -11,7 +11,11 @@ check: |
 result:
 integer: 1
 fix: |
+ To disable Wi-Fi on a macOS system, run the following command.
+ [source,bash]
+ ----
 /usr/sbin/networksetup -setnetworkserviceenabled "Wi-Fi" off
+ ----
 references:
 cce:
 - CCE-85473-7
@@ -38,6 +42,14 @@ macOS:
 - "11.0"
 tags:
 - stig
+ - manual
+ - cnssi-1253
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
From cce6d51c2bdf872dd41681c883d2f8bff97515ed Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Thu, 15 Jul 2021 09:20:22 -0400
Subject: [PATCH 097/135] AC-12, AC-2(5) added
---
 rules/os/os_ssh_server_alive_interval_configure.yaml | 1 +
 rules/os/os_sshd_client_alive_interval_configure.yaml | 1 +
 rules/sysprefs/sysprefs_automatic_logout_enforce.yaml | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml
index bb67a23e..8ad42aa6 100644
--- a/rules/os/os_ssh_server_alive_interval_configure.yaml
+++ b/rules/os/os_ssh_server_alive_interval_configure.yaml
@@ -22,6 +22,7 @@ references:
 - N/A
 800-53r5:
 - SC-10
+ - AC-12
 800-53r4:
 - SC-10
 srg:
diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml
index 4f600e9a..1699918d 100644
--- a/rules/os/os_sshd_client_alive_interval_configure.yaml
+++ b/rules/os/os_sshd_client_alive_interval_configure.yaml
@@ -22,6 +22,7 @@ references:
 - CCI-001133
 800-53r5:
 - SC-10
+ - AC-12
 800-53r4:
 - SC-10
 srg:
diff --git a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
index dc802eae..65646451 100644
--- a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
+++ b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
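Review bot: The discussion rewritten in the `@@ -1,7 +1,7 @@` hunk now requires Wi-Fi to be disabled only "if not connected to an authorized trusted network", but the fix in the `@@ -11,7 +11,11 @@` hunk turns the interface off unconditionally with `networksetup -setnetworkserviceenabled "Wi-Fi" off` and the check still expects `integer: 1`, so the prose and the automation disagree on whether a trusted-network exception exists. Either drop the condition from the discussion or state in the check text how an authorized network is identified and that the rule is then not applicable. The `manual` tag added in the `@@ -38,6 +42,14 @@` hunk next to an automated check and fix also looks inconsistent if, as the tag name suggests, `manual` marks rules whose compliance cannot be verified by the check block — worth confirming against the project's tag definitions. The check command itself lies outside these hunks.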
@@ -22,6 +22,7 @@ references:
 - CCI-002361
 800-53r5:
 - AC-12
+ - AC-2(5)
 800-53r4:
 - AC-12
 disa_stig:
@@ -39,7 +40,6 @@ tags:
 - 800-53r4_high
 - 800-171
 - cnssi-1253
-
 mobileconfig: true
 mobileconfig_info:
 .GlobalPreferences:
From db2c87f4d4bb626167d963bafdd4f0ff9f5bc24a Mon Sep 17 00:00:00 2001
From: Allen Golbig
Date: Thu, 15 Jul 2021 12:53:50 -0400
Subject: [PATCH 098/135] more rev5 edits
---
 rules/audit/audit_auditd_enabled.yaml | 1 +
 rules/audit/audit_flags_aa_configure.yaml | 1 +
 rules/audit/audit_flags_ad_configure.yaml | 1 +
 rules/audit/audit_flags_ex_configure.yaml | 1 +
 rules/audit/audit_flags_fd_configure.yaml | 1 +
 rules/audit/audit_flags_fm_configure.yaml | 1 +
 rules/audit/audit_flags_fr_configure.yaml | 1 +
 rules/audit/audit_flags_fw_configure.yaml | 1 +
 rules/audit/audit_flags_lo_configure.yaml | 1 +
 rules/os/os_secure_boot_verify.yaml | 1 +
 rules/os/os_time_server_enabled.yaml | 1 +
 rules/supplemental/supplemental_controls.yaml | 14 +++++++-------
 rules/sysprefs/sysprefs_time_server_configure.yaml | 1 +
 rules/sysprefs/sysprefs_time_server_enforce.yaml | 1 +
 14 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml
index c14505fb..a74b83fa 100644
--- a/rules/audit/audit_auditd_enabled.yaml
+++ b/rules/audit/audit_auditd_enabled.yaml
@@ -39,6 +39,7 @@ references:
 - AU-3(1)
 - AU-8
 - AU-12
+ - AU-12(1)
 - AU-12(3)
 - AU-14(1)
 - MA-4(1)
diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml
index e7a82ef6..98a47c0a 100644
--- a/rules/audit/audit_flags_aa_configure.yaml
+++ b/rules/audit/audit_flags_aa_configure.yaml
@@ -21,6 +21,7 @@ references:
 cci:
 - CCI-000172
 800-53r5:
+ - AC-2(12)
 - AU-12
 - AU-2
 - MA-4(1)
diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml
index 6996fd18..19beb409 100644
--- a/rules/audit/audit_flags_ad_configure.yaml
+++ b/rules/audit/audit_flags_ad_configure.yaml
@@ -31,6 +31,7 @@ references:
 - CCI-002234
 - CCI-002884
 800-53r5:
+ - AC-2(12)
 - AC-6(9)
 - AU-12
 - AC-2(4)
diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml
index 0ceac32d..a67ce6f6 100644
--- a/rules/audit/audit_flags_ex_configure.yaml
+++ b/rules/audit/audit_flags_ex_configure.yaml
@@ -22,6 +22,7 @@ references:
 cci:
 - N/A
 800-53r5:
+ - AC-2(12)
 - AU-12
 - AU-2
 - CM-5(1)
diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml
index 5582bdef..947a649f 100644
--- a/rules/audit/audit_flags_fd_configure.yaml
+++ b/rules/audit/audit_flags_fd_configure.yaml
@@ -24,6 +24,7 @@ references:
 - CCI-000172
 - CCI-001814
 800-53r5:
+ - AC-2(12)
 - AU-12
 - AU-2
 - AU-9
diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml
index e8913f45..5668884a 100644
--- a/rules/audit/audit_flags_fm_configure.yaml
+++ b/rules/audit/audit_flags_fm_configure.yaml
@@ -24,6 +24,7 @@ references:
 - CCI-000172
 - CCI-001814
 800-53r5:
+ - AC-2(12)
 - AU-12
 - AU-2
 - AU-9
diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml
index 0e59cded..754d9cec 100644
--- a/rules/audit/audit_flags_fr_configure.yaml
+++ b/rules/audit/audit_flags_fr_configure.yaml
@@ -24,6 +24,7 @@ references:
 - CCI-000172
 - CCI-001814
 800-53r5:
+ - AC-2(12)
 - AU-12
 - AU-2
 - AU-9
diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml
index c234b8db..b4a6335f 100644
--- a/rules/audit/audit_flags_fw_configure.yaml
+++ b/rules/audit/audit_flags_fw_configure.yaml
@@ -23,6 +23,7 @@ references:
 cci:
 - CCI-000162
 800-53r5:
+ - AC-2(12)
 - AU-12
 - AU-2
 - AU-9
diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml
index 449372ba..6cce40cc 100644
--- a/rules/audit/audit_flags_lo_configure.yaml
+++ b/rules/audit/audit_flags_lo_configure.yaml
@@ -22,6 +22,7 @@ references:
 - CCI-000067
 - CCI-000172
 800-53r5:
+ - AC-2(12)
 - AU-12
 - AC-17(1)
 - AU-2
diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml
index 11bd6aa4..2371e0b1 100644
--- a/rules/os/os_secure_boot_verify.yaml
+++ b/rules/os/os_secure_boot_verify.yaml
@@ -18,6 +18,7 @@ references:
 800-53r5:
 - SI-7
 - SI-7(1)
+ - SI-7(5)
 - SI-6
 800-53r4:
 - SI-6
diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml
index 2d1ed8f9..a3c8b647 100644
--- a/rules/os/os_time_server_enabled.yaml
+++ b/rules/os/os_time_server_enabled.yaml
@@ -18,6 +18,7 @@ references:
 - CCI-001891
 - CCI-002046
 800-53r5:
+ - AU-12(1)
 - SC-45(1)
 800-53r4:
 - AU-8(1)
diff --git a/rules/supplemental/supplemental_controls.yaml b/rules/supplemental/supplemental_controls.yaml
index 141fc9a6..e797d7c5 100644
--- a/rules/supplemental/supplemental_controls.yaml
+++ b/rules/supplemental/supplemental_controls.yaml
@@ -3,7 +3,7 @@ title: "Out of Scope Supplemental" discussion: | There are several requirements defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 that can be met by making configuration changes to the operating system. However, NIST SP 800-53 (Rev. 5) contains a broad set of guidelines that attempt to address all aspects of an information system or systems within an organization. Because the macOS Security Compliance Project is tailored specifically to macOS, some requirements defined in NIST SP 800-53 (Rev. 5) are not applicable. - This supplemental contains those controls that are assigned to a baseline in NIST SP 800-53 (Rev. 5) which cannot be addressed with a technical configuration for macOS. These controls can be accomplished though administrative or procedural processes within an organization or via integration of the macOS system into enterprise information systems which are configured to protect the systems within. + This supplemental contains those controls that are assigned to a baseline in NIST SP 800-53 (Rev. 5) which cannot be addressed with a technical configuration for macOS. These controls can be accomplished though administrative or procedural processes within an organization or via integration of the macOS system into enterprise information systems which are configured to protect the systems within. [cols="15%h, 85%a"] |=== 
@@ -12,7 +12,7 @@ discussion: | |Access Control (AC) |Controls - |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-1[AC-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-2[AC-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-14[AC-14], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-17[AC-17(4)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-22[AC-22] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-1[AC-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-2[AC-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-3[AC-3(14)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-14[AC-14], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-17[AC-17(4)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-22[AC-22] |=== 
@@ -33,7 +33,7 @@ discussion: | |Audit and Accountability (AU) |Controls - |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-1[AU-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-6[AU-6] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-1[AU-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-6[AU-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-9[AU-9(2)] |=== [cols="15%h, 85%a"] 
@@ -43,7 +43,7 @@ discussion: | |Security Assessment and Authorization (CA) |Controls - |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-1[CA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-2[CA-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-3[CA-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-5[CA-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-6[CA-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-7[CA-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-9[CA-9] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-1[CA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-2[CA-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-3[CA-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-3[CA-3(6)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-5[CA-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-6[CA-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-7[CA-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-7[CA-7(4)], 
link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-9[CA-9] |=== [cols="15%h, 85%a"] 
@@ -83,7 +83,7 @@ discussion: | |Incident Response (IR) |Controls - |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-1[IR-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-2[IR-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-4[IR-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-5[IR-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-6[IR-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-7[IR-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-8[IR-8], + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-1[IR-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-2[IR-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-4[IR-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-5[IR-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-6[IR-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-7[IR-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-8[IR-8] |=== [cols="15%h, 85%a"] 
@@ -164,7 +164,7 @@ discussion: | |System and Communications Protection (SC) |Controls - |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-1[SC-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-12[SC-12], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-15[SC-15], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-20[SC-20], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-22[SC-22], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-39[SC-39] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-1[SC-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-7[SC-7(3)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-7[SC-7(7)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-7[SC-7(8)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-7[SC-7(18)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-7[SC-7(21)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-12[SC-12], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-12[SC-12(1)], 
link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-20[SC-20], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-22[SC-22], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-23[SC-23] |=== [cols="15%h, 85%a"] 
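Review bot: The replacement SC row drops SC-15 and SC-39 from the out-of-scope list while adding the SC-7 enhancements, SC-12(1) and SC-23; this file describes itself as the set of baseline controls that cannot be met by a macOS configuration, so removing a control here implies that a rule now carries it. Nothing else in this commit adds SC-15 or SC-39 to a rule, so unless another commit does, those two controls vanish from both the supplemental and the rule set and the baseline silently loses coverage. Suggest either keeping `SC-15` and `SC-39` in this row or naming the rules that now satisfy them in the commit description. The other rows changed in this file (AC, AU, CA, IR, SI) only add controls or fix punctuation, so they do not raise the same question.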
@@ -174,7 +174,7 @@ discussion: | |System and Information Integrity (SI) |Controls - |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-1[SI-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-5[SI-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-12[SI-12] + |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-1[SI-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4(2)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4(4)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4(5)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4(12)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4(14)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4(20)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4[SI-4(22)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-5[SI-5], 
link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-7[SI-7(2)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-8[SI-8(2)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-12[SI-12] |=== check: | fix: | diff --git a/rules/sysprefs/sysprefs_time_server_configure.yaml b/rules/sysprefs/sysprefs_time_server_configure.yaml index 6b4d2fbf..3f92d9ea 100644 --- a/rules/sysprefs/sysprefs_time_server_configure.yaml +++ b/rules/sysprefs/sysprefs_time_server_configure.yaml @@ -17,6 +17,7 @@ references: - CCI-001891 - CCI-002046 800-53r5: + - AU-12(1) - SC-45(1) 800-53r4: - AU-8(1) diff --git a/rules/sysprefs/sysprefs_time_server_enforce.yaml b/rules/sysprefs/sysprefs_time_server_enforce.yaml index 76f7ab00..c5bfba76 100644 --- a/rules/sysprefs/sysprefs_time_server_enforce.yaml +++ b/rules/sysprefs/sysprefs_time_server_enforce.yaml @@ -17,6 +17,7 @@ references: - CCI-001891 - CCI-002046 800-53r5: + - AU-12(1) - SC-45(1) 800-53r4: - AU-8(1) From 727af670456d8d85989d2600ee34a85229da3a2e Mon Sep 17 00:00:00 2001 
From: Bob Gendler
Date: Thu, 15 Jul 2021 15:18:33 -0400
Subject: [PATCH 099/135] CM-7(1) added
---
 rules/icloud/icloud_addressbook_disable.yaml | 2 ++
 rules/icloud/icloud_appleid_prefpane_disable.yaml | 2 ++
 rules/icloud/icloud_bookmarks_disable.yaml | 2 ++
 rules/icloud/icloud_calendar_disable.yaml | 2 ++
 rules/icloud/icloud_drive_disable.yaml | 2 ++
 rules/icloud/icloud_keychain_disable.yaml | 2 ++
 rules/icloud/icloud_mail_disable.yaml | 2 ++
 rules/icloud/icloud_notes_disable.yaml | 2 ++
 rules/icloud/icloud_photos_disable.yaml | 2 ++
 rules/icloud/icloud_reminders_disable.yaml | 2 ++
 rules/icloud/icloud_sync_disable.yaml | 2 ++
 rules/os/os_airdrop_disable.yaml | 2 ++
 rules/os/os_bonjour_disable.yaml | 2 ++
 rules/os/os_calendar_app_disable.yaml | 2 ++
 rules/os/os_facetime_app_disable.yaml | 2 ++
 rules/os/os_handoff_disable.yaml | 2 ++
 rules/os/os_ir_support_disable.yaml | 2 ++
 rules/os/os_mail_app_disable.yaml | 2 ++
 rules/os/os_messages_app_disable.yaml | 2 ++
 rules/os/os_password_autofill_disable.yaml | 2 ++
 rules/os/os_privacy_setup_prompt_disable.yaml | 2 ++
 rules/os/os_siri_prompt_disable.yaml | 2 ++
 rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml | 2 ++
 rules/sysprefs/sysprefs_content_caching_disable.yaml | 2 ++
 rules/sysprefs/sysprefs_find_my_disable.yaml | 2 ++
 rules/sysprefs/sysprefs_firewall_enable.yaml | 2 ++
 rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml | 2 ++
 rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml | 2 ++
 rules/sysprefs/sysprefs_location_services_disable.yaml | 2 ++
 rules/sysprefs/sysprefs_personalized_advertising_disable.yaml | 2 ++
 rules/sysprefs/sysprefs_power_nap_disable.yaml | 2 ++
 rules/sysprefs/sysprefs_siri_disable.yaml | 2 ++
 rules/sysprefs/sysprefs_ssh_disable.yaml | 2 ++
 33 files changed, 66 insertions(+)
diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml
index 3e61d382..c22e5ef0 100644
--- a/rules/icloud/icloud_addressbook_disable.yaml
+++ b/rules/icloud/icloud_addressbook_disable.yaml
@@ -20,9 +20,11 @@ references:
 - AC-20
 - AC-20(1)
 - CM-7
+ - CM-7(1)
 - SC-7(10)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-20
 - AC-20(1)
 srg:
diff --git a/rules/icloud/icloud_appleid_prefpane_disable.yaml b/rules/icloud/icloud_appleid_prefpane_disable.yaml
index 2a38ca86..44ce2d72 100644
--- a/rules/icloud/icloud_appleid_prefpane_disable.yaml
+++ b/rules/icloud/icloud_appleid_prefpane_disable.yaml
@@ -19,8 +19,10 @@ references:
 - AC-20
 - AC-20(1)
 - CM-7
+ - CM-7(1)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-20
 - AC-20(1)
 srg:
diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml
index 491e1bd4..f5cd619c 100644
--- a/rules/icloud/icloud_bookmarks_disable.yaml
+++ b/rules/icloud/icloud_bookmarks_disable.yaml
@@ -20,9 +20,11 @@ references:
 - AC-20
 - AC-20(1)
 - CM-7
+ - CM-7(1)
 - SC-7(10)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-20
 - AC-20(1)
 srg:
diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml
index 33ae062e..b54b3856 100644
--- a/rules/icloud/icloud_calendar_disable.yaml
+++ b/rules/icloud/icloud_calendar_disable.yaml
@@ -20,9 +20,11 @@ references:
 - AC-20
 - AC-20(1)
 - CM-7
+ - CM-7(1)
 - SC-7(10)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-20
 - AC-20(1)
 srg:
diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml
index d4dee654..3e0ba3a2 100644
--- a/rules/icloud/icloud_drive_disable.yaml
+++ b/rules/icloud/icloud_drive_disable.yaml
@@ -20,9 +20,11 @@ references:
 - AC-20
 - AC-20(1)
 - CM-7
+ - CM-7(1)
 - SC-7(10)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-20
 - AC-20(1)
 srg:
diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml
index 71f05b1f..927363a5 100644
--- a/rules/icloud/icloud_keychain_disable.yaml
+++ b/rules/icloud/icloud_keychain_disable.yaml
@@ -20,9 +20,11 @@ references:
 - AC-20
 - AC-20(1)
 - CM-7
+ - CM-7(1)
 - SC-7(10)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-20
 - AC-20(1)
 srg:
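Review bot: CM-7(1) is the "Least Functionality | Periodic Review" enhancement, which calls for a recurring review of the system for unnecessary functions rather than for a particular configuration state, so adding it under both `800-53r5:` and `800-53r4:` of a rule whose name denotes a single disable setting maps an organizational process onto a technical control without saying how the rule satisfies the review. If the intent is that these rules document functions that were reviewed and disabled, a one-line rationale in the commit description or in each rule's discussion would let baseline consumers follow the mapping; without it, the existing `CM-7` entry alone reads as the accurate mapping. The same pair of lines is added to the other 32 rules in this commit (the remaining icloud, os and sysprefs hunks), so this point applies to all of them.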
diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml
index d42aca9b..9a390c31 100644
--- a/rules/icloud/icloud_mail_disable.yaml
+++ b/rules/icloud/icloud_mail_disable.yaml
@@ -20,9 +20,11 @@ references:
 - AC-20
 - AC-20(1)
 - CM-7
+ - CM-7(1)
 - SC-7(10)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-20
 - AC-20(1)
 srg:
diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml
index dd95bbb7..b8882128 100644
--- a/rules/icloud/icloud_notes_disable.yaml
+++ b/rules/icloud/icloud_notes_disable.yaml
@@ -20,9 +20,11 @@ references:
 - AC-20
 - AC-20(1)
 - CM-7
+ - CM-7(1)
 - SC-7(10)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-20
 - AC-20(1)
 srg:
diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml
index 33bd890e..da7853be 100644
--- a/rules/icloud/icloud_photos_disable.yaml
+++ b/rules/icloud/icloud_photos_disable.yaml
@@ -20,9 +20,11 @@ references:
 - AC-20
 - AC-20(1)
 - CM-7
+ - CM-7(1)
 - SC-7(10)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-20
 - AC-20(1)
 srg:
diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml
index f905a380..057d5e85 100644
--- a/rules/icloud/icloud_reminders_disable.yaml
+++ b/rules/icloud/icloud_reminders_disable.yaml
@@ -20,9 +20,11 @@ references:
 - AC-20
 - AC-20(1)
 - CM-7
+ - CM-7(1)
 - SC-7(10)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-20
 - AC-20(1)
 srg:
diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml
index 4675b690..6a31aef5 100644
--- a/rules/icloud/icloud_sync_disable.yaml
+++ b/rules/icloud/icloud_sync_disable.yaml
@@ -19,9 +19,11 @@ references:
 - AC-20
 - AC-20(1)
 - CM-7
+ - CM-7(1)
 - SC-7(10)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-20
 - AC-20(1)
 srg:
diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml
index 4a7f00c3..8330b415 100644
--- a/rules/os/os_airdrop_disable.yaml
+++ b/rules/os/os_airdrop_disable.yaml
@@ -19,8 +19,10 @@ references:
 - AC-3
 - AC-20
 - CM-7
+ - CM-7(1)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-3
 - AC-20
 srg:
diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml
index 0399ee1e..e4bf1437 100644
--- a/rules/os/os_bonjour_disable.yaml
+++ b/rules/os/os_bonjour_disable.yaml
@@ -15,8 +15,10 @@ references:
 - CCI-000381
 800-53r5:
 - CM-7
+ - CM-7(1)
 800-53r4:
 - CM-7
+ - CM-7(1)
 srg:
 - SRG-OS-000095-GPOS-00049
 disa_stig:
diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml
index e0c020bd..d2d327bb 100644
--- a/rules/os/os_calendar_app_disable.yaml
+++ b/rules/os/os_calendar_app_disable.yaml
@@ -21,8 +21,10 @@ references:
 800-53r5:
 - AC-20
 - CM-7
+ - CM-7(1)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-20
 srg:
 - SRG-OS-000095-GPOS-00049
diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml
index adc87263..df1f9365 100644
--- a/rules/os/os_facetime_app_disable.yaml
+++ b/rules/os/os_facetime_app_disable.yaml
@@ -19,8 +19,10 @@ references:
 800-53r5:
 - AC-20
 - CM-7
+ - CM-7(1)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-20
 srg:
 - SRG-OS-000095-GPOS-00049
diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml
index a9fac9cc..87b29050 100644
--- a/rules/os/os_handoff_disable.yaml
+++ b/rules/os/os_handoff_disable.yaml
@@ -17,10 +17,12 @@ references:
 - AC-3
 - AC-20
 - CM-7
+ - CM-7(1)
 800-53r4:
 - AC-3
 - AC-20
 - CM-7
+ - CM-7(1)
 disa_stig:
 - N/A
 srg:
diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml
index 06412e36..9cdbc3af 100644
--- a/rules/os/os_ir_support_disable.yaml
+++ b/rules/os/os_ir_support_disable.yaml
@@ -20,8 +20,10 @@ references:
 800-53r5:
 - AC-18
 - CM-7
+ - CM-7(1)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-18
 srg:
 - SRG-OS-000480-GPOS-00227
diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml
index b717a847..7aa9c9bd 100644
--- a/rules/os/os_mail_app_disable.yaml
+++ b/rules/os/os_mail_app_disable.yaml
@@ -23,8 +23,10 @@ references:
 800-53r5:
 - AC-20
 - CM-7
+ - CM-7(1)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-20
 srg:
 - SRG-OS-000095-GPOS-00049
diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml
index 0fb90646..5ae7f513 100644
--- a/rules/os/os_messages_app_disable.yaml
+++ b/rules/os/os_messages_app_disable.yaml
@@ -19,8 +19,10 @@ references:
 800-53r5:
 - AC-20
 - CM-7
+ - CM-7(1)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-20
 srg:
 - SRG-OS-000095-GPOS-00049
diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml
index 76e4b736..6b381abd 100644
--- a/rules/os/os_password_autofill_disable.yaml
+++ b/rules/os/os_password_autofill_disable.yaml
@@ -16,6 +16,7 @@ references:
 800-53r5:
 - IA-5(13)
 - CM-7
+ - CM-7(1)
 - IA-11
 - IA-5
 800-53r4:
@@ -23,6 +24,7 @@ references:
 - IA-5(13)
 - IA-11
 - CM-7
+ - CM-7(1)
 disa_stig:
 - N/A
 srg:
diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml
index 3e59b121..cbd9496b 100644
--- a/rules/os/os_privacy_setup_prompt_disable.yaml
+++ b/rules/os/os_privacy_setup_prompt_disable.yaml
@@ -17,8 +17,10 @@ references:
 - CCI-000381
 800-53r5:
 - CM-7
+ - CM-7(1)
 800-53r4:
 - CM-7
+ - CM-7(1)
 srg:
 - SRG-OS-000095-GPOS-00049
 disa_stig:
diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml
index 2779f68e..0f6fb0df 100644
--- a/rules/os/os_siri_prompt_disable.yaml
+++ b/rules/os/os_siri_prompt_disable.yaml
@@ -19,8 +19,10 @@ references:
 800-53r5:
 - AC-20
 - CM-7
+ - CM-7(1)
 800-53r4:
 - CM-7
+ - CM-7(1)
 - AC-20
 srg:
 - SRG-OS-000095-GPOS-00049
diff --git a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml
index 4a137dec..d40bf1e7 100644
--- a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml
+++ b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml
@@ -31,9 +31,11 @@ references: - AC-3 - AC-18(4) - CM-7 + - CM-7(1) 800-53r4: - AC-3 - AC-18(4) + - CM-7 - CM-7(1) srg: - SRG-OS-000480-GPOS-00227 diff --git a/rules/sysprefs/sysprefs_content_caching_disable.yaml b/rules/sysprefs/sysprefs_content_caching_disable.yaml index f0270a0c..12842163 100644 --- a/rules/sysprefs/sysprefs_content_caching_disable.yaml +++ b/rules/sysprefs/sysprefs_content_caching_disable.yaml @@ -17,8 +17,10 @@ references: - N/A 800-53r5: - CM-7 + - CM-7(1) 800-53r4: - CM-7 + - CM-7(1) srg: - N/A disa_stig: diff --git a/rules/sysprefs/sysprefs_find_my_disable.yaml b/rules/sysprefs/sysprefs_find_my_disable.yaml index 97030c0e..3f010c09 100644 --- a/rules/sysprefs/sysprefs_find_my_disable.yaml +++ b/rules/sysprefs/sysprefs_find_my_disable.yaml @@ -20,8 +20,10 @@ references: 800-53r5: - AC-20 - CM-7 + - CM-7(1) 800-53r4: - CM-7 + - CM-7(1) - AC-20 srg: - SRG-OS-000095-GPOS-00049 diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml index 7ee3df1b..b2689de3 100644 --- a/rules/sysprefs/sysprefs_firewall_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_enable.yaml @@ -22,6 +22,7 @@ references: - AC-4 - SC-7(12) - CM-7 + - CM-7(1) - SC-7 800-53r4: - AC-4 @@ -29,6 +30,7 @@ references: - AC-19 - SC-7 - CM-7 + - CM-7(1) - SC-7(12) srg: - SRG-OS-000480-GPOS-00232 diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml index fb58a0a7..2ffbbf72 100644 --- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml @@ -23,11 +23,13 @@ references: - CCE-85428-1 800-53r5: - CM-7 + - CM-7(1) - SC-7(16) - SC-7 800-53r4: - SC-7 - CM-7 + - CM-7(1) - SC-7(16) srg: - SRG-OS-000480-GPOS-00232 diff --git a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml index bc1c046d..b2fa0834 100644 
--- a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml +++ b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml @@ -18,9 +18,11 @@ references: 800-53r5: - AC-20 - CM-7 + - CM-7(1) - SC-7(10) 800-53r4: - CM-7 + - CM-7(1) - AC-20 - SC-7(10) 800-171r2: diff --git a/rules/sysprefs/sysprefs_location_services_disable.yaml b/rules/sysprefs/sysprefs_location_services_disable.yaml index 691865d0..33c22ceb 100644 --- a/rules/sysprefs/sysprefs_location_services_disable.yaml +++ b/rules/sysprefs/sysprefs_location_services_disable.yaml @@ -20,9 +20,11 @@ references: - CCI-000381 800-53r5: - CM-7 + - CM-7(1) - SC-7(10) 800-53r4: - CM-7 + - CM-7(1) srg: - SRG-OS-000095-GPOS-00049 disa_stig: diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml index 35bc123d..2d01be7a 100644 --- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml +++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml @@ -18,10 +18,12 @@ references: 800-53r5: - AC-20 - CM-7 + - CM-7(1) - SC-7(10) 800-53r4: - AC-20 - CM-7 + - CM-7(1) srg: - N/A disa_stig: diff --git a/rules/sysprefs/sysprefs_power_nap_disable.yaml b/rules/sysprefs/sysprefs_power_nap_disable.yaml index 4d088d3b..0ce38d85 100644 --- a/rules/sysprefs/sysprefs_power_nap_disable.yaml +++ b/rules/sysprefs/sysprefs_power_nap_disable.yaml @@ -27,8 +27,10 @@ references: - CCE-85439-8 800-53r5: - CM-7 + - CM-7(1) 800-53r4: - CM-7 + - CM-7(1) disa_stig: - N/A srg: diff --git a/rules/sysprefs/sysprefs_siri_disable.yaml b/rules/sysprefs/sysprefs_siri_disable.yaml index 1a6f66d7..44f544fc 100644 --- a/rules/sysprefs/sysprefs_siri_disable.yaml +++ b/rules/sysprefs/sysprefs_siri_disable.yaml @@ -19,9 +19,11 @@ references: 800-53r5: - AC-20 - CM-7 + - CM-7(1) - SC-7(10) 800-53r4: - CM-7 + - CM-7(1) - AC-20 srg: - SRG-OS-000095-GPOS-00049 
diff --git a/rules/sysprefs/sysprefs_ssh_disable.yaml b/rules/sysprefs/sysprefs_ssh_disable.yaml index e0feaad2..8e11e81c 100644 --- a/rules/sysprefs/sysprefs_ssh_disable.yaml +++ b/rules/sysprefs/sysprefs_ssh_disable.yaml @@ -22,10 +22,12 @@ references: - IA-2(8) - AC-3 - CM-7 + - CM-7(1) - AC-17 800-53r4: - AC-3 - CM-7 + - CM-7(1) - IA-2(8) - IA-2(9) srg: From 0aafeb75cb4a505a53a1f17def8e70d8ae917fc0 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 15 Jul 2021 15:19:51 -0400 Subject: [PATCH 100/135] new n_a and inherent rule files --- rules/os/os_application_sandboxing.yaml | 32 ++++++++++++++++++ rules/os/os_de_identification.yaml | 32 ++++++++++++++++++ rules/os/os_information_validation.yaml | 33 +++++++++++++++++++ .../os/os_managed_access_control_points.yaml | 33 +++++++++++++++++++ rules/os/os_non_repudiation.yaml | 32 ++++++++++++++++++ ..._identifiable_info_quality_operations.yaml | 32 ++++++++++++++++++ .../os/os_privacy_priciple_minimization.yaml | 32 ++++++++++++++++++ 7 files changed, 226 insertions(+) create mode 100644 rules/os/os_application_sandboxing.yaml create mode 100644 rules/os/os_de_identification.yaml create mode 100644 rules/os/os_information_validation.yaml create mode 100644 rules/os/os_managed_access_control_points.yaml create mode 100644 rules/os/os_non_repudiation.yaml create mode 100644 rules/os/os_personally_identifiable_info_quality_operations.yaml create mode 100644 rules/os/os_privacy_priciple_minimization.yaml diff --git a/rules/os/os_application_sandboxing.yaml b/rules/os/os_application_sandboxing.yaml new file mode 100644 index 00000000..5c309769 --- /dev/null +++ b/rules/os/os_application_sandboxing.yaml 
@@ -0,0 +1,32 @@ +de id: os_application_sandboxing +title: "Ensure Seperate Execution Domain for Processes" +discussion: | + The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing. + + link:https://support.apple.com/guide/security/system-integrity-protection-secb7ea06b49/web[] + + link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html[] +check: | + The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. +fix: | + The technology inherently meets this requirement. No fix is required. +references: + cce: + - N/A + 800-53r5: + - SC-39 + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - inherent + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_de_identification.yaml b/rules/os/os_de_identification.yaml new file mode 100644 index 00000000..f3f9f8a9 --- /dev/null +++ b/rules/os/os_de_identification.yaml 
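Review bot: The `check:` text claims the platform "cannot be configured to be out of compliance", but the discussion grounds SC-39 compliance in System Integrity Protection, which an administrator can switch off from Recovery, so the inherent claim only holds while SIP stays enabled; reword the check to say the requirement is met while SIP is enabled and cross-reference whichever rule in this project enforces SIP (I cannot see such a rule in this chunk). The title has a typo: `title: "Ensure Separate Execution Domain for Processes"`. The first discussion sentence also needs punctuation: `... implemented multiple features: mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing.` This file omits the `cci:` and `800-171r2:` reference keys that the sibling rules added in the same patch carry; keep the reference schema uniform rather than relying on the generators to backfill missing keys.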
@@ -0,0 +1,32 @@ +id: os_de_identification +title: "Remove Elements of Personally Identifiable Information from Datasets" +discussion: | + Remove the following elements of personally identifiable information from datasets: organization-defined elements of personally identifiable information and evaluate organization-defined frequency for effectiveness of de-identification. + + De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time support the management of this residual risk. +check: | + This requirement is NA for this technology. +fix: | + The requirement is NA. No fix is required. 
+references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - SI-18 + 800-53r4: + - N/A + 800-171r2: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_privacy + - n_a +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_information_validation.yaml b/rules/os/os_information_validation.yaml new file mode 100644 index 00000000..06307563 --- /dev/null +++ b/rules/os/os_information_validation.yaml 
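Review bot: The control mapping is wrong for the text: the title and discussion are the SP 800-53 Rev 5 De-identification control, but `800-53r5:` lists `- SI-18`, which in Rev 5 is PII Quality Operations, while De-identification is SI-19; change it to `- SI-19`. The companion file rules/os/os_personally_identifiable_info_quality_operations.yaml in this same patch carries `SI-19` with a verbatim copy of this discussion and reuses `id: os_de_identification`, so until both files are corrected two rules share one id and the generators, which look rules up by id, can resolve the wrong file. The later CCE commit in this series assigns separate CCEs to each file but does not touch the ids or controls.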
@@ -0,0 +1,33 @@ +id: os_information_validation +title: "Information Input Validation" +discussion: | + Check the validity of the following information inputs: organization-defined information inputs to the systems. + + Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of "387," "abc," or "%K%" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks. +check: | + This requirement is NA for this technology. +fix: | + The requirement is NA. No fix is required. 
+references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - SI-10 + 800-53r4: + - N/A + 800-171r2: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_moderate + - 800-53r5_high + - n_a +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_managed_access_control_points.yaml b/rules/os/os_managed_access_control_points.yaml new file mode 100644 index 00000000..af17a903 --- /dev/null +++ b/rules/os/os_managed_access_control_points.yaml @@ -0,0 +1,33 @@ +id: os_managed_access_control_points +title: "Managed Access Control Points" +discussion: | + Route remote accesses through authorized and managed network access control points. + + Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces. +check: | + This requirement is NA for this technology. +fix: | + The requirement is NA. No fix is required. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - AC-17(3) + 800-53r4: + - N/A + 800-171r2: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_moderate + - 800-53r5_high + - n_a +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_non_repudiation.yaml b/rules/os/os_non_repudiation.yaml new file mode 100644 index 00000000..4b4059af --- /dev/null +++ b/rules/os/os_non_repudiation.yaml 
@@ -0,0 +1,32 @@ +id: os_non_repudiation +title: "Non-Repudiation" +discussion: | + Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed organization-defined actions to be covered by non-repudiation. + + Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts. +check: | + This requirement is NA for this technology. +fix: | + The requirement is NA. No fix is required. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - AU-10 + 800-53r4: + - N/A + 800-171r2: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_high + - n_a +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_personally_identifiable_info_quality_operations.yaml b/rules/os/os_personally_identifiable_info_quality_operations.yaml new file mode 100644 index 00000000..1097616a --- /dev/null +++ b/rules/os/os_personally_identifiable_info_quality_operations.yaml 
@@ -0,0 +1,32 @@ +id: os_de_identification +title: "Remove Elements of Personally Identifiable Information from Datasets" +discussion: | + Remove the following elements of personally identifiable information from datasets: organization-defined elements of personally identifiable information and evaluate organization-defined frequency for effectiveness of de-identification. + + De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time support the management of this residual risk. +check: | + This requirement is NA for this technology. +fix: | + The requirement is NA. No fix is required. 
+references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - SI-19 + 800-53r4: + - N/A + 800-171r2: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_privacy + - n_a +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_privacy_priciple_minimization.yaml b/rules/os/os_privacy_priciple_minimization.yaml new file mode 100644 index 00000000..ee3e8e13 --- /dev/null +++ b/rules/os/os_privacy_priciple_minimization.yaml @@ -0,0 +1,32 @@ +id: os_privacy_priciple_minimization +title: "Implement the Privacy Principle of Minimization" +discussion: | + Implement the privacy principle of minimization using organization-defined processes. + + The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization. +check: | + This requirement is NA for this technology. +fix: | + The requirement is NA. No fix is required. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - SA-8(33) + 800-53r4: + - N/A + 800-171r2: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - 800-53r5_privacy + - n_a +mobileconfig: false +mobileconfig_info: From 172319a18d1c60cd6a9d944c77f991d43d189b52 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 15 Jul 2021 15:41:10 -0400 Subject: [PATCH 101/135] SC-15 --- ...ibit_remote_activation_collab_devices.yaml | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 rules/os/os_prohibit_remote_activation_collab_devices.yaml diff --git a/rules/os/os_prohibit_remote_activation_collab_devices.yaml b/rules/os/os_prohibit_remote_activation_collab_devices.yaml new file mode 100644 index 00000000..be9d9c35 --- /dev/null 
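Review bot: `id: os_de_identification` duplicates the id of rules/os/os_de_identification.yaml added in the same patch; set `id: os_personally_identifiable_info_quality_operations` to match the filename, since the generators glob `../rules/*/{id}.yaml` and a duplicate id makes the two rules indistinguishable except by CCE. The title and discussion are a verbatim copy of the de-identification rule, whereas `800-53r5: - SI-19` is De-identification and SI-18 is PII Quality Operations, so this file should get the SI-18 text (e.g. `title: "Personally Identifiable Information Quality Operations"`) with `- SI-18`, and the sibling file should take SI-19. As written the two files describe one control under two numbers.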
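Review bot: The filename and `id: os_privacy_priciple_minimization` misspell "principle"; rule ids are referenced from baseline YAML and now have a CCE attached, so renaming later is painful — fix it before it ships: `id: os_privacy_principle_minimization` and rename the file to match. The SA-8(33) mapping and the `800-53r5_privacy` tag look correct for this control.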
+++ b/rules/os/os_prohibit_remote_activation_collab_devices.yaml @@ -0,0 +1,39 @@ +de id: os_prohibit_remote_activation_collab_devices +title: "Prohibit Remote Activation of Collaborative Computing Devices" +discussion: | + The inherent configuration of the macOS _IS_ in partial compliance as Apple has implemented a green light physically next to your camera that will glow when the camera is activated. + + There are no indicators when the system's microphone is listening or activated. This requires additional software to be installed. + + The macOS has built into the system, the ability to grant or deny access to the camera and microphone which requires the application to have an entitlement to use the device. + + link:https://support.apple.com/guide/mac-help/use-the-built-in-camera-mchlp2980/mac[] + + link:https://support.apple.com/guide/mac-help/control-access-to-your-camera-mchlf6d108da/mac[] + + link:https://support.apple.com/guide/mac-help/control-access-to-your-microphone-on-mac-mchla1b1e1fe/11.0/mac/11.0[] +check: | + The technology partially supports this requirement and cannot be configured to be in full compliance. +fix: | + The technology paritally inherently meets this requirement. An appropriate mitigation for the system must be implemented. +references: + cce: + - N/A + 800-53r5: + - SC-15 + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A +macOS: + - "11.0" +tags: + - inherent + - permanent + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +mobileconfig: false +mobileconfig_info: From c6e2806b6e46f6b86f105f6375a44b9926efd4be Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 15 Jul 2021 15:47:46 -0400 Subject: [PATCH 102/135] fixed spacing issue --- rules/os/os_prohibit_remote_activation_collab_devices.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/os/os_prohibit_remote_activation_collab_devices.yaml b/rules/os/os_prohibit_remote_activation_collab_devices.yaml index be9d9c35..cc9dacc6 100644 
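Review bot: The rule is tagged both `inherent` and `permanent`, yet `check:` says the platform only partially meets SC-15 and `fix:` demands a mitigation; a rule cannot be both inherently satisfied and a permanent finding, so drop `- inherent` (or split the camera-indicator part into its own inherent rule) so the generated baseline reports it consistently. `fix:` has a typo and gives the reader nothing to act on; suggest `The technology partially meets this requirement inherently. Document an organizational mitigation for the microphone, such as restricting microphone access per application using the controls linked above.` The third link is pinned to a versioned `/11.0/mac/11.0` path while the other two are unversioned; use the unversioned form so it does not go stale. The "no indicators when the microphone is listening" statement is version-specific and should be tied to the versions listed under `macOS:` rather than stated as a property of macOS in general.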
--- a/rules/os/os_prohibit_remote_activation_collab_devices.yaml +++ b/rules/os/os_prohibit_remote_activation_collab_devices.yaml @@ -1,4 +1,4 @@ -de id: os_prohibit_remote_activation_collab_devices +id: os_prohibit_remote_activation_collab_devices title: "Prohibit Remote Activation of Collaborative Computing Devices" discussion: | The inherent configuration of the macOS _IS_ in partial compliance as Apple has implemented a green light physically next to your camera that will glow when the camera is activated. From 4910301f99881d8ac1cdba140152f67951e7ae67 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 15 Jul 2021 15:57:19 -0400 Subject: [PATCH 103/135] fixed spacing issue --- rules/os/os_application_sandboxing.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/os/os_application_sandboxing.yaml b/rules/os/os_application_sandboxing.yaml index 5c309769..f2c5849f 100644 --- a/rules/os/os_application_sandboxing.yaml +++ b/rules/os/os_application_sandboxing.yaml @@ -1,4 +1,4 @@ -de id: os_application_sandboxing +id: os_application_sandboxing title: "Ensure Seperate Execution Domain for Processes" discussion: | The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing. From 339b337607dde86d4b6b67ddb41c75cc06933708 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 15 Jul 2021 16:03:23 -0400 Subject: [PATCH 104/135] CCEs added --- rules/os/os_application_sandboxing.yaml | 2 +- rules/os/os_de_identification.yaml | 2 +- rules/os/os_information_validation.yaml | 2 +- rules/os/os_managed_access_control_points.yaml | 2 +- rules/os/os_non_repudiation.yaml | 2 +- .../os/os_personally_identifiable_info_quality_operations.yaml | 2 +- rules/os/os_privacy_priciple_minimization.yaml | 2 +- rules/os/os_prohibit_remote_activation_collab_devices.yaml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/rules/os/os_application_sandboxing.yaml b/rules/os/os_application_sandboxing.yaml index f2c5849f..b0986763 100644 --- a/rules/os/os_application_sandboxing.yaml +++ b/rules/os/os_application_sandboxing.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - N/A + - CCE-85474-5 800-53r5: - SC-39 800-53r4: diff --git a/rules/os/os_de_identification.yaml b/rules/os/os_de_identification.yaml index f3f9f8a9..f6731226 100644 --- a/rules/os/os_de_identification.yaml +++ b/rules/os/os_de_identification.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - N/A + - CCE-85475-2 cci: - N/A 800-53r5: diff --git a/rules/os/os_information_validation.yaml b/rules/os/os_information_validation.yaml index 06307563..223b78fd 100644 --- a/rules/os/os_information_validation.yaml +++ b/rules/os/os_information_validation.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - N/A + - CCE-85476-0 cci: - N/A 800-53r5: diff --git a/rules/os/os_managed_access_control_points.yaml b/rules/os/os_managed_access_control_points.yaml index af17a903..28baa051 100644 --- a/rules/os/os_managed_access_control_points.yaml +++ b/rules/os/os_managed_access_control_points.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - N/A + - CCE-85477-8 cci: - N/A 800-53r5: diff --git a/rules/os/os_non_repudiation.yaml b/rules/os/os_non_repudiation.yaml index 4b4059af..bd0f4de8 100644 --- a/rules/os/os_non_repudiation.yaml +++ b/rules/os/os_non_repudiation.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - N/A + - CCE-85481-0 cci: - N/A 800-53r5: diff --git a/rules/os/os_personally_identifiable_info_quality_operations.yaml b/rules/os/os_personally_identifiable_info_quality_operations.yaml index 1097616a..a4fb9a33 100644 
--- a/rules/os/os_personally_identifiable_info_quality_operations.yaml +++ b/rules/os/os_personally_identifiable_info_quality_operations.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - N/A + - CCE-85478-6 cci: - N/A 800-53r5: diff --git a/rules/os/os_privacy_priciple_minimization.yaml b/rules/os/os_privacy_priciple_minimization.yaml index ee3e8e13..e2de5447 100644 --- a/rules/os/os_privacy_priciple_minimization.yaml +++ b/rules/os/os_privacy_priciple_minimization.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - N/A + - CCE-85479-4 cci: - N/A 800-53r5: diff --git a/rules/os/os_prohibit_remote_activation_collab_devices.yaml b/rules/os/os_prohibit_remote_activation_collab_devices.yaml index cc9dacc6..54299b56 100644 --- a/rules/os/os_prohibit_remote_activation_collab_devices.yaml +++ b/rules/os/os_prohibit_remote_activation_collab_devices.yaml @@ -18,7 +18,7 @@ fix: | The technology paritally inherently meets this requirement. An appropriate mitigation for the system must be implemented. references: cce: - - N/A + - CCE-85480-2 800-53r5: - SC-15 800-53r4: From cecda6bba8ab4c8c7effff4022a8eaaac9a75d06 Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Thu, 15 Jul 2021 17:34:10 -0400 Subject: [PATCH 105/135] pulled Big Sur scripts into Rev5 --- scripts/generate_baseline.py | 62 ++++++++++-- scripts/generate_guidance.py | 190 ++++++++++++++++++++++++++--------- 2 files changed, 193 insertions(+), 59 deletions(-) diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py index 876d7687..7830fb68 100755 --- a/scripts/generate_baseline.py +++ b/scripts/generate_baseline.py 
@@ -46,19 +46,62 @@ class MacSecurityRule(): return rule_adoc -def get_rule_yaml(rule_file): +def get_rule_yaml(rule_file, custom=False): """ Takes a rule file, checks for a custom version, and returns the yaml for the rule """ - if os.path.basename(rule_file) in glob.glob1('../custom/rules/', '*.yaml'): - #print(f"Custom settings found for rule: {rule_file}") - override_rule = os.path.join( - '../custom/rules', os.path.basename(rule_file)) - with open(override_rule) as r: + resulting_yaml = {} + names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)] + file_name = os.path.basename(rule_file) + # if file_name in names: + # print(f"Custom settings found for rule: {rule_file}") + # try: + # override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + # except IndexError: + # override_path = glob.glob('../custom/rules/{}'.format(file_name), recursive=True)[0] + # with open(override_path) as r: + # rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + # r.close() + # else: + # with open(rule_file) as r: + # rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + # r.close() + if custom: + print(f"Custom settings found for rule: {rule_file}") + try: + override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + except IndexError: + override_path = glob.glob('../custom/rules/{}'.format(file_name), recursive=True)[0] + with open(override_path) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) else: with open(rule_file) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) - return rule_yaml + + try: + og_rule_path = glob.glob('../rules/**/{}'.format(file_name), recursive=True)[0] + except IndexError: + #assume this is a completely new rule + og_rule_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + + # get original/default rule yaml for comparison + with open(og_rule_path) as og: + og_rule_yaml = yaml.load(og, Loader=yaml.SafeLoader) + og.close() + 
+ for yaml_field in og_rule_yaml: + try: + if og_rule_yaml[yaml_field] == rule_yaml[yaml_field]: + resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] + else: + resulting_yaml[yaml_field] = rule_yaml[yaml_field] + if 'customized' in resulting_yaml: + resulting_yaml['customized'].append("customized {}".format(yaml_field)) + else: + resulting_yaml['customized'] = ["customized {}".format(yaml_field)] + except KeyError: + resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] + + return resulting_yaml def collect_rules(): """Takes a baseline yaml file and parses the rules, returns a list of containing rules @@ -84,8 +127,7 @@ def collect_rules(): for rule in glob.glob('../rules/**/*.yaml',recursive=True) + glob.glob('../custom/rules/**/*.yaml',recursive=True): - rule_yaml = get_rule_yaml(rule) - + rule_yaml = get_rule_yaml(rule, custom=False) for key in keys: try: rule_yaml[key] @@ -97,7 +139,7 @@ def collect_rules(): try: rule_yaml[key][reference] except: - #print "expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule) + #print("expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule)) rule_yaml[key].update({reference: ["None"]}) all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\|'), diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index cddbf0fa..4a6fd1ff 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py 
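Review bot: Keys present only in the custom rule file are silently dropped, because the merge loop iterates `og_rule_yaml` and copies `rule_yaml[yaml_field]` only for keys the default rule already has, so a customized rule that adds a key (a new reference family, an extra top-level field) never reaches `resulting_yaml`. Add after the loop: `for extra in rule_yaml: resulting_yaml.setdefault(extra, rule_yaml[extra])`. `names` is built from a recursive glob but is no longer read once the old lookup moved into the commented-out block; delete both the variable and the commented code, which is preserved in history. Unlike the generate_guidance.py copy later in this series, this version does not set `resulting_yaml['customized'] = ["customized rule"]` when the rule exists only under custom/, so the two scripts will disagree on what counts as customized; keep the two functions identical or move one copy into a shared module. Note also that `glob(...)[0]` returns an arbitrary match if the same basename exists in two rule subdirectories, which would make the comparison baseline nondeterministic.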
@@ -23,7 +23,7 @@ from collections import namedtuple class MacSecurityRule(): - def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, custom_refs, tags, result_value, mobileconfig, mobileconfig_info): + def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, custom_refs, tags, result_value, mobileconfig, mobileconfig_info, customized): self.rule_title = title self.rule_id = rule_id self.rule_severity = severity @@ -41,6 +41,7 @@ class MacSecurityRule(): self.rule_tags = tags self.rule_mobileconfig = mobileconfig self.rule_mobileconfig_info = mobileconfig_info + self.rule_customized = customized def create_asciidoc(self, adoc_rule_template): """Pass an AsciiDoc template as file object to return formatted AsciiDOC""" @@ -389,7 +390,7 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign for sections in baseline_yaml['profile']: for profile_rule in sections['rules']: for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): - rule_yaml = get_rule_yaml(rule) + rule_yaml = get_rule_yaml(rule, False) if rule_yaml['mobileconfig']: for payload_type, info in rule_yaml['mobileconfig_info'].items(): 
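Review bot: `customized` is added to `MacSecurityRule.__init__` as a required positional argument with no default, so any construction site not updated in this commit raises TypeError; the call site is not visible in this chunk, so I cannot confirm it was updated. Give it a default and normalise it, `..., mobileconfig, mobileconfig_info, customized=None):` with `self.rule_customized = customized or []`, since get_rule_yaml only adds the `customized` key when a field differs and stock rules will have nothing to pass. Document the attribute on the assignment: `# "customized <field>" markers from get_rule_yaml; empty for stock rules`.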
@@ -720,13 +721,15 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)" logging.debug(f"checking for rule file for {profile_rule}") if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0] + custom=True logging.debug(f"{rule}") elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)): rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0] + custom=False logging.debug(f"{rule}") #for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): - rule_yaml = get_rule_yaml(rule) + rule_yaml = get_rule_yaml(rule, custom) if rule_yaml['id'].startswith("supplemental"): continue @@ -778,12 +781,15 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)" # group the controls - nist_80053r5.sort() - res = [list(i) for j, i in groupby( - nist_80053r5, lambda a: a.split('(')[0])] - nist_controls = '' - for i in res: - nist_controls += group_ulify(i) + if not nist_80053r5 == "N/A": + nist_80053r5.sort() + res = [list(i) for j, i in groupby( + nist_80053r5, lambda a: a.split('(')[0])] + nist_controls = '' + for i in res: + nist_controls += group_ulify(i) + else: + nist_controls = "N/A" # print checks and result try: 
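Review bot: `custom` (like `rule` before it) is assigned only inside the `if`/`elif` branches, so when neither glob matches a `profile_rule` the loop carries the previous iteration's `rule` and `custom` into `get_rule_yaml(rule, custom)` and silently processes the wrong rule file again. Add an `else:` that reports and skips, e.g. `else: logging.warning(f"rule file for {profile_rule} not found"); continue`. The recursive glob over `../custom/rules/**` is also evaluated twice per rule; bind the result once and reuse it. The enclosing function starts and ends outside this hunk.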
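Review bot: `if not nist_80053r5 == "N/A"` compares against a string, but the references are parsed from YAML lists (the rule files in this series write `800-53r5:` / `- N/A`), so if `nist_80053r5` is that list the guard never fires and `.sort()`/`group_ulify` run on `["N/A"]` instead of taking the new branch. I cannot see where `nist_80053r5` is assigned, so confirm its type and compare accordingly, e.g. `if nist_80053r5 and nist_80053r5 != ["N/A"]:`, and write `!=` rather than `not ... ==` in either case. The enclosing function starts outside this hunk.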
@@ -964,23 +970,88 @@ fi #fix_script_file.close() compliance_script_file.close() -def get_rule_yaml(rule_file): +def get_rule_yaml(rule_file, custom=False): """ Takes a rule file, checks for a custom version, and returns the yaml for the rule """ + resulting_yaml = {} names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)] file_name = os.path.basename(rule_file) - if file_name in names: + # if file_name in names: + # print(f"Custom settings found for rule: {rule_file}") + # try: + # override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + # except IndexError: + # override_path = glob.glob('../custom/rules/{}'.format(file_name), recursive=True)[0] + # with open(override_path) as r: + # rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + # r.close() + # else: + # with open(rule_file) as r: + # rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + # r.close() + if custom: print(f"Custom settings found for rule: {rule_file}") try: - override_path = glob.glob('../custom/rules/**/{}'.format(file_name, recursive=True))[0] + override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] except IndexError: - override_path = glob.glob('../custom/rules/{}'.format(file_name, recursive=True))[0] + override_path = glob.glob('../custom/rules/{}'.format(file_name), recursive=True)[0] with open(override_path) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) else: with open(rule_file) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) - return rule_yaml + + try: + og_rule_path = glob.glob('../rules/**/{}'.format(file_name), recursive=True)[0] + except IndexError: + #assume this is a completely new rule + og_rule_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + resulting_yaml['customized'] = ["customized rule"] + + # get original/default rule yaml for comparison + with open(og_rule_path) as og: + og_rule_yaml = yaml.load(og, Loader=yaml.SafeLoader) + + 
for yaml_field in og_rule_yaml: + #print('processing field {} for rule {}'.format(yaml_field, file_name)) + if yaml_field == "references": + if not 'references' in resulting_yaml: + resulting_yaml['references'] = {} + for ref in og_rule_yaml['references']: + try: + if og_rule_yaml['references'][ref] == rule_yaml['references'][ref]: + resulting_yaml['references'][ref] = og_rule_yaml['references'][ref] + else: + resulting_yaml['references'][ref] = rule_yaml['references'][ref] + except KeyError: + # reference not found in original rule yaml, trying to use reference from custom rule + try: + resulting_yaml['references'][ref] = rule_yaml['references'][ref] + except KeyError: + resulting_yaml['references'][ref] = og_rule_yaml['references'][ref] + if "custom" in rule_yaml['references']: + resulting_yaml['references']['custom'] = rule_yaml['references']['custom'] + if 'customized' in resulting_yaml: + resulting_yaml['customized'].append("customized references") + else: + resulting_yaml['customized'] = ["customized references"] + + else: + try: + if og_rule_yaml[yaml_field] == rule_yaml[yaml_field]: + #print("using default data in yaml field {}".format(yaml_field)) + resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] + else: + #print('using CUSTOM value for yaml field {} in rule {}'.format(yaml_field, file_name)) + resulting_yaml[yaml_field] = rule_yaml[yaml_field] + if 'customized' in resulting_yaml: + resulting_yaml['customized'].append("customized {}".format(yaml_field)) + else: + resulting_yaml['customized'] = ["customized {}".format(yaml_field)] + except KeyError: + resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] + + return resulting_yaml def generate_xls(baseline_name, build_path, baseline_yaml): 
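Review bot: `if "custom" in rule_yaml['references']:` sits outside the surrounding try/except, so an override file that omits the `references` mapping raises KeyError here although every other lookup of that mapping in the loop is guarded; `if "custom" in rule_yaml.get('references', {}):` preserves the behaviour for files that have it. The `names` list is now computed but never read, since its only consumer is the block that was commented out, and the fourteen commented-out lines above `if custom:` should be deleted rather than kept (git history has them). Keys present only in the override are dropped silently because the merge iterates `og_rule_yaml` alone — either iterate the union of both key sets or state in the docstring that the base rule's keys define the result. The docstring should also say that the return value is the base rule with differing fields replaced by the override's, plus a `customized` list naming the fields that differ, and that `custom=True` re-globs ../custom/rules for the file name instead of opening `rule_file`.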
@@ -1004,7 +1075,8 @@ def generate_xls(baseline_name, build_path, baseline_yaml): top = xlwt.easyxf("align: vert top") headers = xlwt.easyxf("font: bold on") counter = 1 - column_counter = 13 + column_counter = 14 + custom_ref_column = {} sheet1.write(0, 0, "CCE", headers) sheet1.write(0, 1, "Rule ID", headers) sheet1.write(0, 2, "Title", headers) @@ -1018,6 +1090,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(0, 10, "SRG", headers) sheet1.write(0, 11, "DISA STIG", headers) sheet1.write(0, 12, "CCI", headers) + sheet1.write(0, 13, "Modifed Rule", headers) sheet1.set_panes_frozen(True) sheet1.set_horz_split_pos(1) sheet1.set_vert_split_pos(2) @@ -1100,14 +1173,23 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(counter, 12, cci, topWrap) sheet1.col(12).width = 400 * 15 + customized = (str(rule.rule_customized)).strip('[]\'') + customized = customized.replace(", ", "\n").replace("\'", "") + + sheet1.write(counter, 13, customized, topWrap) + sheet1.col(13).width = 400 * 15 + if rule.rule_custom_refs != ['None']: for title, ref in rule.rule_custom_refs.items(): - sheet1.write(0, column_counter, title, headers ) - sheet1.col(column_counter).width = 512 * 25 + if title not in custom_ref_column: + custom_ref_column[title] = column_counter + column_counter = column_counter + 1 + sheet1.write(0, custom_ref_column[title], title, headers) + sheet1.col(custom_ref_column[title]).width = 512 * 25 added_ref = (str(ref)).strip('[]\'') added_ref = added_ref.replace(", ", "\n").replace("\'", "") - sheet1.write(counter, column_counter, added_ref, topWrap) - column_counter = column_counter + 1 + sheet1.write(counter, custom_ref_column[title], added_ref, topWrap) + tall_style = xlwt.easyxf('font:height 640;') # 36pt @@ -1132,7 +1214,8 @@ def create_rules(baseline_yaml): 'id', 'references', 'result', - 'discussion'] + 'discussion', + 'customized'] references = ['disa_stig', 'cci', 'cce', 
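Review bot: `sheet1.write(0, custom_ref_column[title], title, headers)` and the col-width line now run for every rule row, rewriting the same row-0 cell each time; unless the sheet was created with `cell_overwrite_ok=True` (the add_sheet call is outside the hunk), xlwt raises "Attempt to overwrite cell" on the second rule that carries a custom reference, so both lines belong inside the `if title not in custom_ref_column:` block that allocates the column. The new header string `"Modifed Rule"` is user-visible in the workbook and should read `"Modified Rule"`. The customized-cell formatting (`strip('[]\'')` then `replace(", ", "\n")`) duplicates the `added_ref` lines just below it; a small helper would keep the two in step. generate_xls starts and ends outside the hunk.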
@@ -1146,24 +1229,27 @@ def create_rules(baseline_yaml): for profile_rule in sections['rules']: if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0] + custom=True elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)): rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0] + custom=False #for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): - rule_yaml = get_rule_yaml(rule) + rule_yaml = get_rule_yaml(rule, custom) for key in keys: try: rule_yaml[key] except: - #print "{} key missing ..for {}".format(key, rule) - rule_yaml.update({key: "missing"}) + #print("{} key missing ..for {}".format(key, rule)) + rule_yaml.update({key: ""}) if key == "references": for reference in references: try: rule_yaml[key][reference] + #print("FOUND reference {} for key {} for rule {}".format(reference, key, rule)) except: - #print "expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule) + #print("expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule)) rule_yaml[key].update({reference: ["None"]}) all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\|'), rule_yaml['id'].replace('|', '\|'), @@ -1181,7 +1267,8 @@ def create_rules(baseline_yaml): rule_yaml['tags'], rule_yaml['result'], rule_yaml['mobileconfig'], - rule_yaml['mobileconfig_info'] + rule_yaml['mobileconfig_info'], + rule_yaml['customized'] )) return all_rules @@ -1223,7 +1310,7 @@ def is_asciidoctor_installed(): output, error = process.communicate() # return path to asciidoctor - return output.decode("utf-8") + return output.decode("utf-8").strip() def is_asciidoctor_pdf_installed(): 
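Review bot: The replacement default `rule_yaml.update({key: ""})` still breaks for `key == "references"`: a rule without that mapping gets `""`, the following `rule_yaml[key][reference]` raises TypeError, the bare `except:` swallows it, and `rule_yaml[key].update(...)` then fails with AttributeError on a str — the same failure the old `"missing"` value had, so the hunk does not fix it. `rule_yaml.update({key: {} if key == "references" else ""})` would, and both bare `except:` clauses should be `except KeyError:` so unrelated errors are not hidden. `custom` is unbound when neither glob matches, as noted on the -720 hunk. create_rules starts and ends outside the hunk.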
@@ -1234,7 +1321,7 @@ def is_asciidoctor_pdf_installed(): process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE) output, error = process.communicate() - return output.decode("utf-8") + return output.decode("utf-8").strip() def verify_signing_hash(hash): """Attempts to validate the existence of the certificate provided by the hash @@ -1436,7 +1523,7 @@ def main(): section_yaml_file = sections['section'].lower() + '.yaml' #check for custom section if section_yaml_file in glob.glob1('../custom/sections/', '*.yaml'): - print(f"Custom settings found for section: {sections['section']}") + #print(f"Custom settings found for section: {sections['section']}") override_section = os.path.join( f'../custom/sections/{section_yaml_file}') with open(override_section) as r: @@ -1467,16 +1554,17 @@ def main(): except IndexError: logging.debug(f'defined rule {rule} does not have valid yaml file, check that rule ID and filename match.') - #check for custom rule if glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True): print(f"Custom settings found for rule: {rule_file}") - override_rule = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0] - with open(override_rule) as r: - rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + #override_rule = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0] + rule_location = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0] + custom=True else: - with open(rule_path[0]) as r: - rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + rule_location = rule_path[0] + custom=False + + rule_yaml = get_rule_yaml(rule_location, custom) # Determine if the references exist and set accordingly try: @@ -1489,7 +1577,7 @@ def main(): try: rule_yaml['references']['cce'] except KeyError: - cce = 'N/A' + cce = '- N/A' else: cce = ulify(rule_yaml['references']['cce']) 
@@ -1504,7 +1592,7 @@ def main(): try: rule_yaml['references']['800-171r2'] except KeyError: - nist_800171 = '• N/A' + nist_800171 = '- N/A' else: #nist_80053r5 = ulify(rule_yaml['references']['800-53r5']) nist_800171 = ulify(rule_yaml['references']['800-171r2']) @@ -1512,14 +1600,14 @@ def main(): try: rule_yaml['references']['disa_stig'] except KeyError: - disa_stig = 'N/A' + disa_stig = '- N/A' else: disa_stig = ulify(rule_yaml['references']['disa_stig']) try: rule_yaml['references']['srg'] except KeyError: - srg = 'N/A' + srg = '- N/A' else: srg = ulify(rule_yaml['references']['srg']) @@ -1572,12 +1660,16 @@ def main(): rule_yaml['mobileconfig_info']) # process nist controls for grouping - nist_80053r5.sort() - res = [list(i) for j, i in groupby( - nist_80053r5, lambda a: a.split('(')[0])] - nist_controls = '' - for i in res: - nist_controls += group_ulify(i) + if not nist_80053r5 == "N/A": + nist_80053r5.sort() + res = [list(i) for j, i in groupby( + nist_80053r5, lambda a: a.split('(')[0])] + nist_controls = '' + for i in res: + nist_controls += group_ulify(i) + else: + nist_controls = "- N/A" + if 'supplemental' in tags: rule_adoc = adoc_supplemental_template.substitute( rule_title=rule_yaml['title'].replace('|', '\|'), @@ -1602,7 +1694,7 @@ def main(): rule_adoc = adoc_rule_custom_refs_template.substitute( rule_title=rule_yaml['title'].replace('|', '\|'), rule_id=rule_yaml['id'].replace('|', '\|'), - rule_discussion=rule_yaml['discussion'].replace('|', '\|'), + rule_discussion=rule_yaml['discussion'],#.replace('|', '\|'), rule_check=rule_yaml['check'], # .replace('|', '\|'), rule_fix=rulefix, rule_cci=cci, 
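Review bot: `rule_discussion=rule_yaml['discussion'],#.replace('|', '\|'),` leaves dead code inside the call and makes `rule_discussion` the only argument in this substitute() whose `|` characters are no longer escaped while `rule_title` and `rule_id` still are; if the discussion field genuinely no longer needs table escaping, say so in a short comment (`# discussion is not placed in a table cell, so '|' needs no escaping`) and drop the commented-out call, otherwise keep the escape. The neighbouring `'\|'` literals are invalid escape sequences that CPython warns about; `'\\|'` or `r'\|'` is the intended string. main() starts and ends outside the hunk.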
@@ -1658,8 +1750,8 @@ def main(): asciidoctor_path = is_asciidoctor_installed() if asciidoctor_path != "": print('Generating HTML file from AsciiDoc...') - cmd = f"{asciidoctor_path} {adoc_output_file.name}" - process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE) + cmd = f"{asciidoctor_path} \'{adoc_output_file.name}\'" + process = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True) process.communicate() else: print("If you would like to generate the HTML file from the AsciiDoc file, install the ruby gem for asciidoctor") @@ -1667,8 +1759,8 @@ def main(): asciidoctorPDF_path = is_asciidoctor_pdf_installed() if asciidoctorPDF_path != "": print('Generating PDF file from AsciiDoc...') - cmd = f"{asciidoctorPDF_path} {adoc_output_file.name}" - process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE) + cmd = f"{asciidoctorPDF_path} \'{adoc_output_file.name}\'" + process = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True) process.communicate() else: print("If you would like to generate the PDF file from the AsciiDoc file, install the ruby gem for asciidoctor-pdf") From dcfef405a5729af96def3a4114e009c2d27f614c Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Fri, 16 Jul 2021 10:05:36 -0400 Subject: [PATCH 106/135] rev5 edits --- VERSION.yaml | 4 ++-- sections/authentication.yaml | 2 +- templates/adoc_additional_docs.adoc | 36 ++++++++--------------------- templates/adoc_foreword.adoc | 2 +- 4 files changed, 13 insertions(+), 31 deletions(-) diff --git a/VERSION.yaml b/VERSION.yaml index f38d384f..eed24b1d 100644 --- a/VERSION.yaml +++ b/VERSION.yaml @@ -1,3 +1,3 @@ os: "11.0" -version: "Big Sur, Revision 2" -date: "2021-02-16" \ No newline at end of file +version: "Big Sur, Revision 3" +date: "2021-07-XX" \ No newline at end of file diff --git a/sections/authentication.yaml b/sections/authentication.yaml index 8dbc7a2d..231871e8 100644 --- a/sections/authentication.yaml +++ b/sections/authentication.yaml 
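Review bot: `subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)` with a single-quoted f-string solves the spaces-in-path problem by handing an interpolated string to the shell, so a single quote or other shell metacharacter in `adoc_output_file.name` (set outside the hunk) breaks the quoting and is interpreted by the shell; the asciidoctor-pdf hunk at -1667 has the same issue. The list form needs no shell and handles spaces on its own: `process = subprocess.Popen([asciidoctor_path, adoc_output_file.name], stdout=subprocess.PIPE)`, with the same shape for `asciidoctorPDF_path`. The `.strip()` added to the two installer checks is still needed in that form, since a trailing newline in the program path would otherwise fail to resolve. main() starts and ends outside the hunk.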
@@ -1,5 +1,5 @@ name: "Authentication" description: | - This section contains the configuration and enforcement of smartcard authentication settings. + This section contains the configuration of authentication settings, including the enforcement of smartcard authentication. NOTE: The check/fix commands outlined in this section must be run with elevated privileges. \ No newline at end of file diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc index e696e735..2a020a94 100644 --- a/templates/adoc_additional_docs.adoc +++ b/templates/adoc_additional_docs.adoc @@ -7,7 +7,7 @@ ASSOCIATED DOCUMENTS Example: [%header, cols=2*a] <-- table format block |==== <-- table opening tag - |Document Number|Document Title <-- header line + |Document Number or Descriptor|Document Title <-- header line <-- empty line for readability (optional) <-- empty line for readability (optional) 
@@ -16,31 +16,17 @@ ASSOCIATED DOCUMENTS [%header, cols=2*a] .National Institute of Standards and Technology (NIST) |=== -|Document Number +|Document Number or Descriptor |Document Title |link:https://nvd.nist.gov/800-53[NIST Special Publication 800-53 Rev 5]|_NIST Special Publication 800-53 Rev 5_ -|=== - -[%header, cols=2*a] -.National Institute of Standards and Technology (NIST) -|=== -|Document Number -|Document Title |link:https://www.nist.gov/itl/tig/projects/special-publication-800-63[NIST Special Publication 800-63]|_NIST Special Publication 800-63_ -|=== - -[%header, cols=2*a] -.National Institute of Standards and Technology (NIST) -|=== -|Document Number -|Document Title |link:https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final[NIST Special Publication 800-171]|_NIST Special Publication 800-171 Rev 2_ |=== [%header, cols=2*a] .Defense Information Systems Agency (DISA) |=== -|Document Number +|Document Number or Descriptor |Document Title |link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_11_V1R2_STIG.zip[STIG Ver 1, Rel 2]|_Apple macOS 11 (Big Sur) STIG_ |=== @@ -48,7 +34,7 @@ ASSOCIATED DOCUMENTS [%header, cols=2*a] .Committee on National Security Systems (CNSS) |=== -|Document Number +|Document Number or Descriptor |Document Title |link:https://www.cnss.gov/CNSS/issuances/Instructions.cfm[CNSSI No. 1253]|_Security Categorization and Control Selection for National Security Systems_ |=== 
@@ -57,15 +43,11 @@ ASSOCIATED DOCUMENTS [%header, cols=2*a] .Apple |=== -|Document Number +|Document Number or Descriptor |Document Title +|link:https://support.apple.com/guide/security/welcome/web[Apple Platform Security Guide]|_Apple Platform Security_ +|link:https://support.apple.com/guide/deployment-reference-macos/welcome/web[Deployment Reference for Mac]|_Deployment Reference_ |link:https://support.apple.com/guide/mdm/welcome/web[Mobile Device Management Settings]|_Mobile Device Management Settings_ -|=== - -[%header, cols=2*a] -.Apple -|=== -|Document Number -|Document Title -|link:https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys[Apple Developer]|_Profile-Specific Payload Keys_ +|link:https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys[AProfile-Specific Payload Keys]|_Profile-Specific Payload Keys_ +|link:https://support.apple.com/guide/sccc/welcome/web[Security Certifications and Compliance Center]|_Security Certifications and Compliance Center_ |=== \ No newline at end of file diff --git a/templates/adoc_foreword.adoc b/templates/adoc_foreword.adoc index ecc552de..1b31428a 100644 --- a/templates/adoc_foreword.adoc +++ b/templates/adoc_foreword.adoc 
@@ -4,4 +4,4 @@ The macOS Security Compliance Project is an open source effort to provide a prog This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization. -The objective of this effort was to simplify and radically accelerate the process of producing up-to-date macOS security guidance that is also accessible to any organization and tailorable to meet each organization’s specific security needs. \ No newline at end of file +The objective of this effort was to simplify and radically accelerate the process of producing up-to-date macOS security guidance that is also accessible to any organization and tailorable to meet each organization’s specific security needs. From f5a8a033f91f7c7c3a8d5948f024f7f23a171661 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 19 Jul 2021 13:39:53 -0400 Subject: [PATCH 107/135] note about default values --- rules/audit/audit_auditd_enabled.yaml | 2 ++ rules/os/os_apple_mobile_file_integrity_enforce.yaml | 4 +++- rules/os/os_config_data_install_enforce.yaml | 4 +++- rules/os/os_httpd_disable.yaml | 4 +++- rules/os/os_sip_enable.yaml | 2 ++ rules/os/os_system_read_only.yaml | 2 ++ rules/os/os_tftpd_disable.yaml | 2 ++ rules/os/os_uucp_disable.yaml | 2 ++ 8 files changed, 19 insertions(+), 3 deletions(-) diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index a74b83fa..9a58577b 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml 
@@ -8,6 +8,8 @@ discussion: | The content required to be captured in an audit record varies based on the impact level of an organization’s system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked. The information system initiates session audits at system start-up. + + NOTE: Security auditing is enabled by default on macOS. check: | /bin/launchctl list | /usr/bin/grep -c com.apple.auditd result: diff --git a/rules/os/os_apple_mobile_file_integrity_enforce.yaml b/rules/os/os_apple_mobile_file_integrity_enforce.yaml index 50dcff09..5dc97f66 100644 --- a/rules/os/os_apple_mobile_file_integrity_enforce.yaml +++ b/rules/os/os_apple_mobile_file_integrity_enforce.yaml @@ -1,7 +1,9 @@ id: os_apple_mobile_file_integrity_enforce title: "Enforce Apple Mobile File Integrity" -discussion: +discussion: | Apple Mobile File Integrity (AMFI) is a macOS kernel module that enforces the code-signing validation within Gatekeeper and library validation. AMFI checks the signatures of every app that is run. + + Note: AMFI is enabled by default on macOS systems. check: | /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1" result: diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index 9a1a1f5c..a6f8df37 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml 
@@ -1,11 +1,13 @@ id: os_config_data_install_enforce title: "Enforce Installation of XProtect, MRT, and Gatekeeper Updates Automatically" -discussion: +discussion: | Software Update _MUST_ be configured to update XProtect, MRT, and Gatekeepr automatically. This setting enforces definition updates for XProtect, MRT, and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted. link:https://support.apple.com/en-us/HT207005[] + + Note: Software update will automatically update XProtect, MRT, and Gatekeeper by default in the macOS. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ConfigDataInstall = 1' result: diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml index 5f019e5a..41e571a1 100644 --- a/rules/os/os_httpd_disable.yaml +++ b/rules/os/os_httpd_disable.yaml @@ -1,7 +1,9 @@ id: os_httpd_disable title: "Disable the Built-in Web Server" -discussion: +discussion: | The built-in web server is a non-essential service built into macOS and _MUST_ be disabled. + + Note: The built in web server service is disabled at startup by default macOS. check: | /bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true' result: diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index fd24bd0e..bf9fbfe5 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml 
@@ -4,6 +4,8 @@ discussion: | System Integrity Protection (SIP) _MUST_ be enabled. SIP is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended modifications to protected files and folders; ensures the presence of an audit record generation capability for defined auditable events for all operating system components; protects audit tools from unauthorized access, modification, and deletion; restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS; and prevents non-privileged users from granting other users direct access to the contents of their home directories and folders. + + Note: SIP is enabled by default in macOS. check: | /usr/bin/csrutil status | /usr/bin/grep -c 'System Integrity Protection status: enabled.' result: diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml index eb574349..df78569c 100644 --- a/rules/os/os_system_read_only.yaml +++ b/rules/os/os_system_read_only.yaml @@ -2,6 +2,8 @@ id: os_system_read_only title: "Ensure System Volume is Read Only" discussion: | The System volume _MUST_ be mounted as read-only in order to ensure that configurations critical to the integrity of the macOS have not been compromised. System Integrity Protection (SIP) will prevent the system volume from being mounted as writable. + + Note: The system volume is read only by default in macOS. check: | /usr/sbin/system_profiler SPStorageDataType | /usr/bin/awk '/Mount Point: \/$/{x=NR+2}(NR==x){print $2}' result: diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index f73e78ac..ea1c651b 100644 --- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml 
@@ -4,6 +4,8 @@ discussion: | If the system does not require Trivial File Tansfer Protocol (TFTP), support it is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. + + Note: TFTP service is disabled at startup by default macOS. check: | /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.tftpd" => true' result: diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml index d5f26232..7e8c6c15 100644 --- a/rules/os/os_uucp_disable.yaml +++ b/rules/os/os_uucp_disable.yaml @@ -4,6 +4,8 @@ discussion: | The system _MUST_ not have the Unix-to-Unix Copy Protocol (UUCP) service active. UUCP, a set of programs that enable the sending of files between different UNIX systems as well as sending commands to be executed on another system, is not essential and _MUST_ be disabled in order to prevent the unauthorized connection of devices, transfer of information, and tunneling. + + Note: UUCP service is disabled at startup by default macOS. check: | /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.uucp" => true' result: From eb741417f23c45957148b8b86aa38248a4561c3d Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 19 Jul 2021 13:52:40 -0400 Subject: [PATCH 108/135] default value note added --- rules/os/os_authenticated_root_enable.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml index 826600d6..59907937 100644 --- a/rules/os/os_authenticated_root_enable.yaml +++ b/rules/os/os_authenticated_root_enable.yaml 
@@ -1,9 +1,11 @@ id: os_authenticated_root_enable title: "Enable Authenticated Root" -discussion: +discussion: | Authenticated Root _MUST_ be enabled. When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume. + + Note: Authenticated Root is enabled by default on macOS systems. check: | /usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled' result: From 3c94cb30ec3f027f5ba04b73afdcb092258caf6f Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 21 Jul 2021 10:42:57 -0400 Subject: [PATCH 109/135] fixed mispelling, updated fix text, removed inherent tag --- rules/os/os_prohibit_remote_activation_collab_devices.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/os/os_prohibit_remote_activation_collab_devices.yaml b/rules/os/os_prohibit_remote_activation_collab_devices.yaml index 54299b56..7dd97294 100644 --- a/rules/os/os_prohibit_remote_activation_collab_devices.yaml +++ b/rules/os/os_prohibit_remote_activation_collab_devices.yaml @@ -15,7 +15,7 @@ discussion: | check: | The technology partially supports this requirement and cannot be configured to be in full compliance. fix: | - The technology paritally inherently meets this requirement. An appropriate mitigation for the system must be implemented. + The technology partially meets this requirement. An appropriate mitigation for the system must be implemented for full compliance. references: cce: - CCE-85480-2 @@ -30,7 +30,6 @@ references: macOS: - "11.0" tags: - - inherent - permanent - 800-53r5_low - 800-53r5_moderate From c5941a975563e37289ee473638f466ae35429bb5 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 21 Jul 2021 11:16:15 -0400 Subject: [PATCH 110/135] added note --- rules/os/os_secure_name_resolution.yaml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml index b5995096..08a859af 100644 --- a/rules/os/os_secure_name_resolution.yaml +++ b/rules/os/os_secure_name_resolution.yaml @@ -2,6 +2,8 @@ id: os_secure_name_resolution title: "Secure Name Address Resolution Service" discussion: | The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. + + Note: macOS supports encrypted DNS settings with the com.apple.dnsSettings.managed payload, however, the system must be integrated with a DNS server that supports encrypted DNS. link:https://developer.apple.com/documentation/devicemanagement/dnssettings[] check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | From 071f2c726b9715efef24ffc9ee774772dcd29b00 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 21 Jul 2021 11:25:26 -0400 Subject: [PATCH 111/135] Note: to NOTE: so notes show appropriately --- rules/os/os_apple_mobile_file_integrity_enforce.yaml | 2 +- rules/os/os_authenticated_root_enable.yaml | 2 +- rules/os/os_config_data_install_enforce.yaml | 2 +- rules/os/os_httpd_disable.yaml | 2 +- rules/os/os_ir_support_disable.yaml | 2 +- rules/os/os_secure_boot_verify.yaml | 2 +- rules/os/os_secure_enclave.yaml | 2 +- rules/os/os_secure_name_resolution.yaml | 2 +- rules/os/os_sip_enable.yaml | 2 +- rules/os/os_system_read_only.yaml | 2 +- rules/os/os_tftpd_disable.yaml | 2 +- rules/os/os_uucp_disable.yaml | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/rules/os/os_apple_mobile_file_integrity_enforce.yaml b/rules/os/os_apple_mobile_file_integrity_enforce.yaml index 5dc97f66..83270d18 100644 --- a/rules/os/os_apple_mobile_file_integrity_enforce.yaml +++ b/rules/os/os_apple_mobile_file_integrity_enforce.yaml 
@@ -3,7 +3,7 @@ title: "Enforce Apple Mobile File Integrity" discussion: | Apple Mobile File Integrity (AMFI) is a macOS kernel module that enforces the code-signing validation within Gatekeeper and library validation. AMFI checks the signatures of every app that is run. - Note: AMFI is enabled by default on macOS systems. + NOTE: AMFI is enabled by default on macOS systems. check: | /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1" result: diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml index 59907937..86c53dcf 100644 --- a/rules/os/os_authenticated_root_enable.yaml +++ b/rules/os/os_authenticated_root_enable.yaml @@ -5,7 +5,7 @@ discussion: | When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume. - Note: Authenticated Root is enabled by default on macOS systems. + NOTE: Authenticated Root is enabled by default on macOS systems. check: | /usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled' result: diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index a6f8df37..d31820ac 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml @@ -7,7 +7,7 @@ discussion: | link:https://support.apple.com/en-us/HT207005[] - Note: Software update will automatically update XProtect, MRT, and Gatekeeper by default in the macOS. + NOTE: Software update will automatically update XProtect, MRT, and Gatekeeper by default in the macOS. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ConfigDataInstall = 1' result: diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml index 41e571a1..c4996435 100644 --- a/rules/os/os_httpd_disable.yaml +++ b/rules/os/os_httpd_disable.yaml 
@@ -3,7 +3,7 @@ title: "Disable the Built-in Web Server" discussion: | The built-in web server is a non-essential service built into macOS and _MUST_ be disabled. - Note: The built in web server service is disabled at startup by default macOS. + NOTE: The built in web server service is disabled at startup by default macOS. check: | /bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true' result: diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml index 9cdbc3af..c350cb13 100644 --- a/rules/os/os_ir_support_disable.yaml +++ b/rules/os/os_ir_support_disable.yaml @@ -5,7 +5,7 @@ discussion: | By default, if IR is enabled, the system will accept IR control from any remote device. - Note: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1. + NOTE: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DeviceEnabled = 0' result: diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml index 2371e0b1..aab25097 100644 --- a/rules/os/os_secure_boot_verify.yaml +++ b/rules/os/os_secure_boot_verify.yaml @@ -5,7 +5,7 @@ discussion: | Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. - Note: This will only return a proper result on a T2 or Apple Silicon Macs. + NOTE: This will only return a proper result on a T2 or Apple Silicon Macs. check: | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full" result: diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml index 44973413..2c6c751e 100644 --- a/rules/os/os_secure_enclave.yaml +++ b/rules/os/os_secure_enclave.yaml 
@@ -7,7 +7,7 @@ discussion: | link:https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1[] - Note: This will only return a proper result on a T2 or Apple Silicon Macs. + NOTE: This will only return a proper result on a T2 or Apple Silicon Macs. check: | /usr/sbin/ioreg -w 0 -c AppleSEPManager | /usr/bin/grep -q 'AppleSEPManager'; /bin/echo $? result: diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml index 08a859af..f0d4e907 100644 --- a/rules/os/os_secure_name_resolution.yaml +++ b/rules/os/os_secure_name_resolution.yaml @@ -3,7 +3,7 @@ title: "Secure Name Address Resolution Service" discussion: | The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. - Note: macOS supports encrypted DNS settings with the com.apple.dnsSettings.managed payload, however, the system must be integrated with a DNS server that supports encrypted DNS. link:https://developer.apple.com/documentation/devicemanagement/dnssettings[] + NOTE: macOS supports encrypted DNS settings with the com.apple.dnsSettings.managed payload, however, the system must be integrated with a DNS server that supports encrypted DNS. link:https://developer.apple.com/documentation/devicemanagement/dnssettings[] check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index bf9fbfe5..2f6c2c4a 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml 
@@ -5,7 +5,7 @@ discussion: | SIP is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended modifications to protected files and folders; ensures the presence of an audit record generation capability for defined auditable events for all operating system components; protects audit tools from unauthorized access, modification, and deletion; restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS; and prevents non-privileged users from granting other users direct access to the contents of their home directories and folders. - Note: SIP is enabled by default in macOS. + NOTE: SIP is enabled by default in macOS. check: | /usr/bin/csrutil status | /usr/bin/grep -c 'System Integrity Protection status: enabled.' result: diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml index df78569c..cbd9a5d0 100644 --- a/rules/os/os_system_read_only.yaml +++ b/rules/os/os_system_read_only.yaml @@ -3,7 +3,7 @@ title: "Ensure System Volume is Read Only" discussion: | The System volume _MUST_ be mounted as read-only in order to ensure that configurations critical to the integrity of the macOS have not been compromised. System Integrity Protection (SIP) will prevent the system volume from being mounted as writable. - Note: The system volume is read only by default in macOS. + NOTE: The system volume is read only by default in macOS. check: | /usr/sbin/system_profiler SPStorageDataType | /usr/bin/awk '/Mount Point: \/$/{x=NR+2}(NR==x){print $2}' result: diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index ea1c651b..8d8b6582 100644 --- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml 
@@ -5,7 +5,7 @@ discussion: | The information system _MUST_ be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. - Note: TFTP service is disabled at startup by default macOS. + NOTE: TFTP service is disabled at startup by default macOS. check: | /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.tftpd" => true' result: diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml index 7e8c6c15..25c8a77e 100644 --- a/rules/os/os_uucp_disable.yaml +++ b/rules/os/os_uucp_disable.yaml @@ -5,7 +5,7 @@ discussion: | UUCP, a set of programs that enable the sending of files between different UNIX systems as well as sending commands to be executed on another system, is not essential and _MUST_ be disabled in order to prevent the unauthorized connection of devices, transfer of information, and tunneling. - Note: UUCP service is disabled at startup by default macOS. + NOTE: UUCP service is disabled at startup by default macOS. check: | /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.uucp" => true' result: From 6f2630bcf81497d65c1d2cb1a2e5cf03a7a4d0a3 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 21 Jul 2021 16:03:56 -0400 Subject: [PATCH 112/135] fixes --- rules/os/os_de_identification.yaml | 2 +- ..._identifiable_info_quality_operations.yaml | 10 +- scripts/generate_mapping.py | 345 ++++++++++++++++++ 3 files changed, 351 insertions(+), 6 deletions(-) create mode 100755 scripts/generate_mapping.py diff --git a/rules/os/os_de_identification.yaml b/rules/os/os_de_identification.yaml index f6731226..1422590a 100644 --- a/rules/os/os_de_identification.yaml +++ b/rules/os/os_de_identification.yaml @@ -14,7 +14,7 @@ references: cci: - N/A 800-53r5: - - SI-18 + - SI-19 800-53r4: - N/A 800-171r2: 
diff --git a/rules/os/os_personally_identifiable_info_quality_operations.yaml b/rules/os/os_personally_identifiable_info_quality_operations.yaml index a4fb9a33..d3247b22 100644 --- a/rules/os/os_personally_identifiable_info_quality_operations.yaml +++ b/rules/os/os_personally_identifiable_info_quality_operations.yaml 
@@ -1,9 +1,9 @@ -id: os_de_identification -title: "Remove Elements of Personally Identifiable Information from Datasets" +id: os_personally_identifiable_info_quality_operations +title: "Personally Identifiable Information Quality Operations" discussion: | - Remove the following elements of personally identifiable information from datasets: organization-defined elements of personally identifiable information and evaluate organization-defined frequency for effectiveness of de-identification. + Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle organization-defined frequency; and correct or delete inaccurate or outdated personally identifiable information. - De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. 
Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time support the management of this residual risk. + Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and the potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes. check: | This requirement is NA for this technology. fix: | @@ -14,7 +14,7 @@ references: cci: - N/A 800-53r5: - - SI-19 + - SI-18 800-53r4: - N/A 800-171r2: 
diff --git a/scripts/generate_mapping.py b/scripts/generate_mapping.py new file mode 100755 index 00000000..95b63a30 --- /dev/null +++ b/scripts/generate_mapping.py 
@@ -0,0 +1,345 @@ +#!/usr/bin/env python3 + +import sys +import csv +import os +import io +import glob +import yaml +import re +import argparse +from pathlib import Path + +def sort_nicely( l ): +# """ Sort the given list in the way that humans expect. +# """ + convert = lambda text: int(text) if text.isdigit() else text + alphanum_key = lambda key: [ convert(c) for c in re.split('([0-9]+)', key) ] + l.sort( key=alphanum_key ) + + +def main(): + file_dir = os.path.dirname(os.path.abspath(__file__)) + + os.chdir(file_dir) + + nist_header = "" + other_header = "" + sub_directory = "" + def dir_path(string): + if os.path.isdir(string): + return string + else: + raise NotADirectoryError(string) + + home = str(Path.home()) + + parser = argparse.ArgumentParser(description='Easily generate custom rules from compliance framework mappings') + parser.add_argument("CSV", default=None, help="CSV to create custom rule files from a mapping.", type=argparse.FileType('rt')) + parser.add_argument("-f", "--framework", default="800-53r5", help="Specificy framework for the source. 
If no framework is specified, the default is 800-53r5.", action="store") + + try: + results = parser.parse_args() + print("Mapping CSV: " + results.CSV.name) + print("Source compliance framework: " + str(results.framework)) + + + except IOError as msg: + + parser.error(str(msg)) + + for rule in glob.glob('../rules/*/*.yaml'): + sub_directory = rule.split(".yaml")[0].split("/")[2] + + if "supplemental" in rule or "srg" in rule: + continue + + with open(rule) as r: + rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + + + control_array = [] + with open(results.CSV.name, newline='',encoding='utf-8-sig') as csvfile: + csv_reader = csv.DictReader(csvfile,dialect='excel') + modded_reader = csv_reader + dict_from_csv = dict(list(modded_reader)[0]) + + + list_of_column_names = list(dict_from_csv.keys()) + + + nist_header = list_of_column_names[1] + other_header = list_of_column_names[0] + + + + + with open(results.CSV.name, newline='',encoding='utf-8-sig') as csvfile: + reader = csv.DictReader(csvfile,dialect='excel') + + for row in reader: + + if results.framework != nist_header: + sys.exit(str(results.framework) + " not found in CSV") + + if "N/A" in row[nist_header]: + continue + + controls = row[nist_header].split(',') + + duplicate = "" + csv_duplicate = "" + for control in controls: + + try: + rule_yaml['references'] + + for yaml_control in rule_yaml['references'][results.framework]: + if duplicate == yaml_control.split("(")[0]: + continue + if csv_duplicate == str(row[other_header]): + continue + + if control.replace(" ",'') == yaml_control: + duplicate = yaml_control.split("(")[0] + csv_duplicate = str(row[other_header]) + row_array = str(row[other_header]).split(",") + for item in row_array: + control_array.append(item) + print(rule_yaml['id'] + " - " + str(results.framework) + " " + yaml_control + " maps to " + other_header + " " + item) + + except: + continue + + if len(control_array) == 0: + continue + + custom_rule = '''references: + custom: + 
{}:'''.format(other_header) + + for control in control_array: + custom_rule = custom_rule + ''' + - {}'''.format(control) + + custom_rule = custom_rule + ''' +tags: + - {}'''.format(other_header) + + if os.path.isdir("../build/" + other_header) == False: + os.mkdir("../build/" + other_header) + if os.path.isdir("../build/" + other_header + "/rules/") == False: + os.mkdir("../build/" + other_header + "/rules/") + if os.path.isdir("../build/" + other_header + "/rules/" + sub_directory) == False: + os.mkdir("../build/" + other_header + "/rules/" + sub_directory) + + try: + with open("../build/" + other_header + "/rules/" + sub_directory + "/" + rule_yaml['id'] + ".yaml", 'w') as r: + custom_yaml = r.read() + + custom_yaml = custom_yaml.replace(other_header + ": ", custom_rule) + with open("../build/" + other_header + "/rules/" + sub_directory + "/" + rule_yaml['id'] + ".yaml", 'w') as fw: + fw.write(custom_yaml) + except: + with open("../build/" + other_header + "/rules/" + sub_directory + "/" + rule_yaml['id'] + ".yaml", 'w') as fw: + fw.write(custom_rule) + + + for rule in glob.glob("../build/" + other_header + "/rules/*/*"): + if "supplemental" in rule or "srg" in rule: + continue + + with open(rule) as r: + custom_rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) + othercontrols = [] + + if other_header in custom_rule_yaml['references']['custom']: + + for control in custom_rule_yaml['references']['custom'][other_header]: + + if str(control) in othercontrols: + continue + else: + + othercontrols.append(str(control)) + + sort_nicely(othercontrols) + + refs = " " + + custom_rule = '''references: + custom: + {}:'''.format(other_header) + + for control in othercontrols: + custom_rule = custom_rule + ''' + - {}'''.format(control) + + custom_rule = custom_rule + ''' +tags: + - {}'''.format(other_header) + + with open(rule, 'w') as rite: + rite.write(custom_rule) + + + audit = [] + auth = [] + icloud = [] + os_section = [] + pwpolicy = [] + sysprefs = [] + inherent = [] + 
na = [] + perm = [] + + for rule in glob.glob('../build/' + other_header + '/rules/*/*.yaml'): + if "supplemental" in rule or "srg" in rule or "baseline" in rule: + continue + + with open(rule) as r: + custom_rule = yaml.load(r, Loader=yaml.SafeLoader) + rule_id = rule.split(".yaml")[0].split("/")[5] + + + if other_header in custom_rule['tags']: + if "inherent" in rule_yaml['tags']: + inherent.append(rule_id) + continue + if "permanent" in custom_rule['tags']: + perm.append(rule_id) + continue + if "n_a" in custom_rule['tags']: + na.append(rule_id) + continue + + if "/audit/" in rule: + audit.append(rule_id) + + continue + if "/auth/" in rule: + auth.append(rule_id) + continue + if "/icloud/" in rule: + icloud.append(rule_id) + continue + if "/os/" in rule: + os_section.append(rule_id) + continue + if "/pwpolicy/" in rule: + pwpolicy.append(rule_id) + continue + if "/sysprefs/" in rule: + sysprefs.append(rule_id) + continue + + full_baseline = '''title: "macOS 11 (Big Sur): Security Configuration - {}" +description: | + This guide describes the actions to take when securing a macOS 11 system against the {}. 
+profile:'''.format(other_header,other_header) + + if len(audit) != 0: + + full_baseline = full_baseline + ''' + - section: "Auditing" + rules:''' + audit.sort() + + for rule in audit: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + if len(auth) != 0: + full_baseline = full_baseline + ''' + - section: "Authentication" + rules:''' + auth.sort() + + for rule in auth: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + if len(sysprefs) != 0: + full_baseline = full_baseline + ''' + - section: "SystemPreferences" + rules:''' + sysprefs.sort() + + for rule in sysprefs: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + if len(icloud) != 0: + full_baseline = full_baseline + ''' + - section: "iCloud" + rules:''' + icloud.sort() + for rule in icloud: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + if len(os_section) != 0: + full_baseline = full_baseline + ''' + - section: "macOS" + rules:''' + os_section.sort() + for rule in os_section: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + if len(pwpolicy) != 0: + full_baseline = full_baseline + ''' + - section: "PasswordPolicy" + rules:''' + pwpolicy.sort() + for rule in pwpolicy: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + if len(inherent) != 0: + full_baseline = full_baseline + ''' + - section: "Inherent" + rules:''' + inherent.sort() + for rule in inherent: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + if len(perm) != 0: + full_baseline = full_baseline + ''' + - section: "Permanent" + rules:''' + perm.sort() + for rule in perm: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + if len(na) != 0: + full_baseline = full_baseline + ''' + - section: "not_applicable" + rules:''' + na.sort() + for rule in na: + full_baseline = full_baseline + ''' + - {}'''.format(rule) + + full_baseline = full_baseline + ''' + - section: "Supplemental" + rules: + - supplemental_firewall_pf + - supplemental_password_policy 
+ - supplemental_smartcard + ''' + + + + + if os.path.isdir("../build/" + other_header.lower() + "/baseline/") == False: + os.mkdir("../build/" + other_header.lower() + "/baseline") + + with open("../build/" + other_header.lower() + "/baseline/" + other_header.lower() + ".yaml",'w') as fw: + fw.write(full_baseline) + print(other_header.lower() + ".yaml baseline file created in build/" + other_header.lower() + "/baseline/") + + print("Move all of the folders in rules into the custom folder.") +if __name__ == "__main__": + main() \ No newline at end of file From 934ad7677c45a92035916984d8b16469a2b50108 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 21 Jul 2021 16:05:00 -0400 Subject: [PATCH 113/135] mapping fixes --- scripts/generate_mapping.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/generate_mapping.py b/scripts/generate_mapping.py index 95b63a30..e84a2f1e 100755 --- a/scripts/generate_mapping.py +++ b/scripts/generate_mapping.py @@ -338,7 +338,7 @@ profile:'''.format(other_header,other_header) with open("../build/" + other_header.lower() + "/baseline/" + other_header.lower() + ".yaml",'w') as fw: fw.write(full_baseline) - print(other_header.lower() + ".yaml baseline file created in build/" + other_header.lower() + "/baseline/") + print(other_header.lower() + ".yaml baseline file created in build/" + other_header + "/baseline/") print("Move all of the folders in rules into the custom folder.") if __name__ == "__main__": From 30ce626fcb38b91dd6e210f6edaa2e10fb87133e Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 21 Jul 2021 16:20:46 -0400 Subject: [PATCH 114/135] added baseline tags --- rules/os/os_time_server_enabled.yaml | 5 +++++ rules/sysprefs/sysprefs_time_server_configure.yaml | 3 +++ rules/sysprefs/sysprefs_time_server_enforce.yaml | 3 +++ 3 files changed, 11 insertions(+) diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml index a3c8b647..ccca9d64 100644 
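Review bot: The per-rule merge in main() can never read an existing custom rule: `with open("../build/" + other_header + "/rules/" + sub_directory + "/" + rule_yaml['id'] + ".yaml", 'w') as r: custom_yaml = r.read()` opens the file for writing, which truncates it and then raises on `read()`, so control always falls into the bare `except:` that writes `custom_rule` from scratch; the first open should be `'r'`, and the bare `except:` clauses here and in the control-matching loop (`except: continue`) should catch the specific errors (`FileNotFoundError`, `KeyError`) so real failures are not silently skipped. In the later baseline loop, `if "inherent" in rule_yaml['tags']:` tests the stale `rule_yaml` left over from the first glob loop rather than the rule just loaded, and should read `if "inherent" in custom_rule['tags']:` like the `permanent` and `n_a` checks beside it. `other_header` is taken verbatim from the CSV's first column name and concatenated into every `os.mkdir`/`open` path under `../build/`, so a header containing path separators or `..` would place files outside the build tree; validating it against a simple identifier pattern before use keeps the build output predictable. The framework check `if results.framework != nist_header: sys.exit(...)` sits inside the per-row loop but depends only on the header, so it can be hoisted above the loop to fail fast before any rule is processed.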
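Review bot: The message changed on the new side of this hunk now reports `build/` + `other_header` + `/baseline/`, but the `open(...)` two lines above still writes the file under `"../build/" + other_header.lower() + "/baseline/"`, so the printed location no longer matches the path actually written whenever the header contains upper-case letters. Either keep `other_header.lower()` in the message or, better, build the path once, e.g. `baseline_dir = "../build/" + other_header.lower() + "/baseline/"`, and use that variable in the `os.mkdir`, the `open` and the print so they cannot drift apart. The enclosing main() starts outside the hunk.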
--- a/rules/os/os_time_server_enabled.yaml +++ b/rules/os/os_time_server_enabled.yaml @@ -2,6 +2,8 @@ id: os_time_server_enabled title: "Enable Time Synchronization Daemon" discussion: | The macOS time synchronization daemon (timed) _MUST_ be enabled for proper time synchronization to an authorized time server. + + NOTE: The time synchronization daemon is enabled by default on macOS. check: | /bin/launchctl list | /usr/bin/grep -c com.apple.timed result: @@ -34,6 +36,9 @@ macOS: tags: - 800-171 - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - stig diff --git a/rules/sysprefs/sysprefs_time_server_configure.yaml b/rules/sysprefs/sysprefs_time_server_configure.yaml index 3f92d9ea..5aaae6e6 100644 --- a/rules/sysprefs/sysprefs_time_server_configure.yaml +++ b/rules/sysprefs/sysprefs_time_server_configure.yaml @@ -33,6 +33,9 @@ macOS: tags: - 800-171 - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - stig diff --git a/rules/sysprefs/sysprefs_time_server_enforce.yaml b/rules/sysprefs/sysprefs_time_server_enforce.yaml index c5bfba76..23f8b588 100644 --- a/rules/sysprefs/sysprefs_time_server_enforce.yaml +++ b/rules/sysprefs/sysprefs_time_server_enforce.yaml @@ -33,6 +33,9 @@ macOS: tags: - 800-171 - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - stig From 3878e81443f793b5e02a72648824e1f53284bffa Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 21 Jul 2021 16:50:19 -0400 Subject: [PATCH 115/135] baseline tags added --- rules/os/os_reauth_devices_change_authenticators.yaml | 3 +++ rules/os/os_reauth_users_change_authenticators.yaml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/rules/os/os_reauth_devices_change_authenticators.yaml b/rules/os/os_reauth_devices_change_authenticators.yaml index dfaf1acf..86a6a998 100644 --- a/rules/os/os_reauth_devices_change_authenticators.yaml 
+++ b/rules/os/os_reauth_devices_change_authenticators.yaml @@ -24,6 +24,9 @@ references: macOS: - "11.0" tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - permanent mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_reauth_users_change_authenticators.yaml b/rules/os/os_reauth_users_change_authenticators.yaml index f53f122f..d4d7e99f 100644 --- a/rules/os/os_reauth_users_change_authenticators.yaml +++ b/rules/os/os_reauth_users_change_authenticators.yaml @@ -23,5 +23,8 @@ macOS: - "11.0" tags: - inherent + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high mobileconfig: false mobileconfig_info: From 2cfb5dd27c9808a2f142ca250488d01d8681ad13 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 22 Jul 2021 09:59:49 -0400 Subject: [PATCH 116/135] changelog --- CHANGELOG.adoc | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index bc5166b6..bab95d70 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc 
@@ -4,6 +4,54 @@ This document provides a high-level view of the changes to the macOS Security Co == [Big Sur, Revision 3] - 2021-07-XX +* Rules +** Added Rules +*** audit_record_reduction_report_generation.yaml +*** audit_records_processing.yaml +*** os_access_control_mobile_devices.yaml +*** os_apple_mobile_file_integrity_enforce.yaml +*** os_application_sandboxing.yaml +*** os_asl_log_files_owner_group_configure.yaml +*** os_asl_log_files_permissions_configure.yaml +*** os_config_data_install_enforce.yaml +*** os_de_identification.yaml +*** os_filevault_authorized_users.yaml +*** os_information_validation.yaml +*** os_malicious_code_prevention.yaml +*** os_managed_access_control_points.yaml +*** os_newsyslog_files_owner_group_configure.yaml +*** os_newsyslog_files_permissions_configure.yaml +*** os_non_repudiation.yaml +*** os_personally_identifiable_info_quality_operations.yaml +*** os_privacy_priciple_minimization.yaml +*** os_prohibit_remote_activation_collab_devices.yaml +*** os_secure_enclave.yaml +*** sysprefs_critical_update_install_enforce.yaml +** Renamed Rules +*** auth_ssh_password_authentication_disable.yaml +*** sysprefs_guest_access_smb_disable.yaml +*** sysprefs_guest_account_disable.yaml +*** sysprefs_system_wide_preferences_configure.yaml +** Deleted Rules +*** os_filevault_user_account.yaml +*** os_system_log_files_owner_group_configure.yaml +*** os_system_log_files_permissions_configure.yaml +** Bug Fixes + +* Baselines +** Added NIST 800-53 Rev 5 (Low, Moderate, and High) +** Modified the All Rules + +* Scripts +** generate_guidanace +*** Bug fixes +** generate_baseline +*** Added `-k all` to generate a baseline containing all the rules +*** Bug fixes +** yaml-to-oval +*** Bug fixes +** Added generate_mapping.py + == [Big Sur, Revision 2] - 2021-03-XX * Rules From de8b14fa4650a1314a3b345c61df0dbb6f6fae94 Mon Sep 17 00:00:00 2001 
From: Dan Brodjieski Date: Thu, 22 Jul 2021 10:08:07 -0400 Subject: [PATCH 117/135] Prepping for Rev5 release --- CHANGELOG.adoc | 10 +++++----- VERSION.yaml | 2 +- ...dentification.yaml => os_pii_deidentification.yaml} | 2 +- ...ity_operations.yaml => os_pii_quality_control.yaml} | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) rename rules/os/{os_de_identification.yaml => os_pii_deidentification.yaml} (98%) rename rules/os/{os_personally_identifiable_info_quality_operations.yaml => os_pii_quality_control.yaml} (97%) diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index bab95d70..6e017c4c 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc @@ -2,7 +2,7 @@ This document provides a high-level view of the changes to the macOS Security Compliance Project. -== [Big Sur, Revision 3] - 2021-07-XX +== [Big Sur, Revision 3] - 2021-07-22 * Rules ** Added Rules @@ -14,7 +14,6 @@ This document provides a high-level view of the changes to the macOS Security Co *** os_asl_log_files_owner_group_configure.yaml *** os_asl_log_files_permissions_configure.yaml *** os_config_data_install_enforce.yaml -*** os_de_identification.yaml *** os_filevault_authorized_users.yaml *** os_information_validation.yaml *** os_malicious_code_prevention.yaml @@ -22,7 +21,8 @@ This document provides a high-level view of the changes to the macOS Security Co *** os_newsyslog_files_owner_group_configure.yaml *** os_newsyslog_files_permissions_configure.yaml *** os_non_repudiation.yaml -*** os_personally_identifiable_info_quality_operations.yaml +*** os_pii_deidentification.yaml +*** os_pii_quality_control.yaml *** os_privacy_priciple_minimization.yaml *** os_prohibit_remote_activation_collab_devices.yaml *** os_secure_enclave.yaml @@ -39,7 +39,7 @@ This document provides a high-level view of the changes to the macOS Security Co ** Bug Fixes * Baselines -** Added NIST 800-53 Rev 5 (Low, Moderate, and High) +** Added NIST 800-53 Rev 5 (Low, Moderate, High and Privacy) ** Modified the All Rules * Scripts 
@@ -52,7 +52,7 @@ This document provides a high-level view of the changes to the macOS Security Co *** Bug fixes ** Added generate_mapping.py -== [Big Sur, Revision 2] - 2021-03-XX +== [Big Sur, Revision 2] - 2021-03-18 * Rules ** Fixed Rules diff --git a/VERSION.yaml b/VERSION.yaml index eed24b1d..92e6e457 100644 --- a/VERSION.yaml +++ b/VERSION.yaml @@ -1,3 +1,3 @@ os: "11.0" version: "Big Sur, Revision 3" -date: "2021-07-XX" \ No newline at end of file +date: "2021-07-22" \ No newline at end of file diff --git a/rules/os/os_de_identification.yaml b/rules/os/os_pii_deidentification.yaml similarity index 98% rename from rules/os/os_de_identification.yaml rename to rules/os/os_pii_deidentification.yaml index 1422590a..4c6466c5 100644 --- a/rules/os/os_de_identification.yaml +++ b/rules/os/os_pii_deidentification.yaml @@ -1,4 +1,4 @@ -id: os_de_identification +id: os_pii_deidentification title: "Remove Elements of Personally Identifiable Information from Datasets" discussion: | Remove the following elements of personally identifiable information from datasets: organization-defined elements of personally identifiable information and evaluate organization-defined frequency for effectiveness of de-identification. diff --git a/rules/os/os_personally_identifiable_info_quality_operations.yaml b/rules/os/os_pii_quality_control.yaml similarity index 97% rename from rules/os/os_personally_identifiable_info_quality_operations.yaml rename to rules/os/os_pii_quality_control.yaml index d3247b22..9912f9f8 100644 --- a/rules/os/os_personally_identifiable_info_quality_operations.yaml +++ b/rules/os/os_pii_quality_control.yaml 
@@ -1,4 +1,4 @@ -id: os_personally_identifiable_info_quality_operations +id: os_pii_quality_control title: "Personally Identifiable Information Quality Operations" discussion: | Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle organization-defined frequency; and correct or delete inaccurate or outdated personally identifiable information. From 9b12d5678ec05582ff248799b4a55ec7cecec0cc Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Thu, 22 Jul 2021 10:22:28 -0400 Subject: [PATCH 118/135] Finishing touches Rev5 --- CHANGELOG.adoc | 4 ++-- scripts/generate_baseline.py | 7 ++----- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index 6e017c4c..235c2722 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc @@ -46,11 +46,11 @@ This document provides a high-level view of the changes to the macOS Security Co ** generate_guidanace *** Bug fixes ** generate_baseline -*** Added `-k all` to generate a baseline containing all the rules +*** Added `-k all_rules` to generate a baseline containing all the rules *** Bug fixes ** yaml-to-oval *** Bug fixes -** Added generate_mapping.py +** Added generate_mapping.py to generate custom rules from a mapping between compliance frameworks == [Big Sur, Revision 2] - 2021-03-18 diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py index 7830fb68..228dac46 100755 --- a/scripts/generate_baseline.py +++ b/scripts/generate_baseline.py @@ -198,9 +198,6 @@ def get_controls(all_rules): all_controls.append(control) all_controls.sort() - - # for control in all_controls: - # print(control) return all_controls @@ -216,7 +213,7 @@ def available_tags(all_rules): for tag in all_tags: if tag not in available_tags: available_tags.append(tag) - + available_tags.append("all_rules") available_tags.sort() for tag in available_tags: 
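Review bot: The new keyword `"all_rules"` is spelled as a bare string literal both in `available_tags.append("all_rules")` here and in `args.keyword == "all_rules"` in the main() hunk that follows (`@@ -346,7 +343,7 @@`); the two must stay in sync or the advertised tag stops working again, which is exactly what happened with the previous `"all"` spelling. A module-level constant such as `ALL_RULES_KEYWORD = "all_rules"` used in both places would make the contract explicit. Also, `available_tags.append("all_rules")` runs after the de-duplication loop, so a rule file that already carries an `all_rules` tag would list it twice; guard it with `if "all_rules" not in available_tags:`. Both enclosing functions start outside their hunks.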
@@ -346,7 +343,7 @@ def main(): found_rules = [] for rule in all_rules: - if args.keyword in rule.rule_tags or args.keyword == "all": + if args.keyword in rule.rule_tags or args.keyword == "all_rules": found_rules.append(rule) # assume all baselines will contain the supplemental rules if "supplemental" in rule.rule_tags: From 287f3eae1d2bb767ab5b70806d4beb8486246717 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 22 Jul 2021 14:21:20 -0400 Subject: [PATCH 119/135] manual tag removed --- rules/os/os_asl_log_files_owner_group_configure.yaml | 1 - rules/os/os_asl_log_files_permissions_configure.yaml | 1 - rules/os/os_newsyslog_files_owner_group_configure.yaml | 1 - rules/os/os_newsyslog_files_permissions_configure.yaml | 1 - 4 files changed, 4 deletions(-) diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml index 2a7b9a6e..99592693 100644 --- a/rules/os/os_asl_log_files_owner_group_configure.yaml +++ b/rules/os/os_asl_log_files_owner_group_configure.yaml @@ -33,7 +33,6 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high - - manual - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml index 57b3acdc..33fdd066 100644 --- a/rules/os/os_asl_log_files_permissions_configure.yaml +++ b/rules/os/os_asl_log_files_permissions_configure.yaml @@ -31,7 +31,6 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high - - manual - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml index 947e8c4f..8fea713d 100644 --- a/rules/os/os_newsyslog_files_owner_group_configure.yaml +++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml @@ -33,7 +33,6 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high - - manual - stig severity: "medium" mobileconfig: false 
diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml index d7053650..900f319f 100644 --- a/rules/os/os_newsyslog_files_permissions_configure.yaml +++ b/rules/os/os_newsyslog_files_permissions_configure.yaml @@ -32,7 +32,6 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high - - manual - stig severity: "medium" mobileconfig: false From b2de9631c36ff58fffcf3330c3b838603038d8f6 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 22 Jul 2021 14:21:36 -0400 Subject: [PATCH 120/135] ignoring more rules with no oval --- scripts/yaml-to-oval.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/scripts/yaml-to-oval.py b/scripts/yaml-to-oval.py index 2755f567..357ca402 100755 --- a/scripts/yaml-to-oval.py +++ b/scripts/yaml-to-oval.py @@ -91,7 +91,13 @@ def main(): if "manual" in rule_yaml['tags']: print(rule_yaml['id'] + " - Manual Check") continue - + + if "newsyslog.conf" in rule_yaml['check'] or "asl.conf" in rule_yaml['check']: + print(rule_yaml['id'] + " - Manual Check Required") + continue + if "/usr/bin/pwpolicy getaccountpolicies" in rule_yaml['check']: + print(rule_yaml['id'] + " - pwpolicy getaccountpolicies - no relevant oval") + continue if "os_home_folders_secure" in rule_file: oval_definition = oval_definition + ''' From 63e318ac6b66066c00918ce6d78c47f0bcff930d Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 22 Jul 2021 14:55:22 -0400 Subject: [PATCH 121/135] implement #64 --- scripts/generate_guidance.py | 61 +++++++++++++++++++++++++++--------- 1 file changed, 47 insertions(+), 14 deletions(-) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 4a6fd1ff..4f657002 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py 
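Review bot: The three new guards select rules by substring-matching the whole check script (`"newsyslog.conf" in rule_yaml['check']`, `"asl.conf" in rule_yaml['check']`, `"/usr/bin/pwpolicy getaccountpolicies" in rule_yaml['check']`), so any future rule whose check merely mentions one of those strings is silently left out of the OVAL output, and nothing in the file records why these checks have no OVAL form. A comment above the first guard, e.g. `# No OVAL equivalent for checks that inspect newsyslog.conf/asl.conf or pwpolicy getaccountpolicies output; skipped deliberately`, would capture the intent. Marking such rules with a dedicated tag, handled next to the existing "manual" tag check just above, would be a more explicit mechanism than matching on check text — especially since the previous commit removed the "manual" tag from exactly these rules. main() continues outside the hunk.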
@@ -660,23 +660,41 @@ read_options(){{ esac }} -generate_report(){{ - non_compliant=0 +# Generate the Compliant and Non-Compliant counts. Returns: Array (Compliant, Non-Compliant) +compliance_count(){{ compliant=0 + non_compliant=0 results=$(/usr/libexec/PlistBuddy -c "Print" /Library/Preferences/org.{baseline_name}.audit.plist) - + while IFS= read -r line; do - if [[ "$line" =~ "finding" ]];then - if [[ "$line" =~ "true" ]]; then - non_compliant=$((non_compliant+1)) - fi - if [[ "$line" =~ "false" ]]; then - compliant=$((compliant+1)) - fi + if [[ "$line" =~ "false" ]]; then + compliant=$((compliant+1)) + fi + if [[ "$line" =~ "true" ]]; then + non_compliant=$((non_compliant+1)) fi - done <<< "$results" + + # Enable output of just the compliant or non-compliant numbers. + if [[ $1 = "compliant" ]] + then + echo $compliant + elif [[ $1 = "non-compliant" ]] + then + echo $non_compliant + else # no matching args output the array + array=($compliant $non_compliant) + echo ${{array[@]}} + fi +}} + + +generate_report(){{ + count=($(compliance_count)) + compliant=${{count[1]}} + non_compliant=${{count[2]}} + total=$((non_compliant + compliant)) percentage=$(printf %.2f $(( compliant * 100. / total )) ) echo @@ -696,6 +714,17 @@ view_report(){{ fi }} +# Designed for use with MDM - single unformatted output of the Compliance Report +generate_stats(){{ + count=($(compliance_count)) + compliant=${{count[1]}} + non_compliant=${{count[2]}} + + total=$((non_compliant + compliant)) + percentage=$(printf %.2f $(( compliant * 100. / total )) ) + echo "PASSED: $compliant FAILED: $non_compliant, $percentage percent compliant!" +}} + run_scan(){{ # append to existing logfile if [[ $(/usr/bin/tail -n 1 "$audit_log" 2>/dev/null) = *"Remediation complete" ]]; then 
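Review bot: compliance_count() drops the outer `if [[ "$line" =~ "finding" ]]` guard that generate_report() previously applied, so every PlistBuddy output line containing "true" or "false" is now counted rather than only the per-rule `finding` entries; should the audit plist ever hold another boolean key, both totals would be inflated. Keeping that guard around the two new tests restores the earlier behaviour. generate_stats() in the second hunk (-696,6) repeats generate_report()'s `total`/`percentage` arithmetic, and both divide by `total`, which is 0 when the plist is empty or absent; computing the percentage once (in compliance_count() or a small helper) behind an `if (( total == 0 ))` guard would remove the duplication and the division error. The enclosing template string continues outside both hunks.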
@@ -939,14 +968,18 @@ if (( # >= 2));then exit 1 fi -zparseopts -D -E -check=check -fix=fix -configure=configure +zparseopts -D -E -check=check -fix=fix -stats=stats -compliant=compliant -non_compliant=non_compliant if [[ $check ]];then run_scan elif [[ $fix ]];then run_fix -elif [[ $configure ]];then - run_configure +elif [[ $stats ]];then + generate_stats +elif [[ $compliant ]];then + compliance_count "compliant" +elif [[ $non_compliant ]];then + compliance_count "non-compliant" else while true; do show_menus From cc5e8e2a80b810bc163dbe577e5797085edade27 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 22 Jul 2021 15:45:00 -0400 Subject: [PATCH 122/135] principle --- CHANGELOG.adoc | 2 +- ...minimization.yaml => os_privacy_principle_minimization.yaml} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename rules/os/{os_privacy_priciple_minimization.yaml => os_privacy_principle_minimization.yaml} (96%) diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index 235c2722..8400145a 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc @@ -23,7 +23,7 @@ This document provides a high-level view of the changes to the macOS Security Co *** os_non_repudiation.yaml *** os_pii_deidentification.yaml *** os_pii_quality_control.yaml -*** os_privacy_priciple_minimization.yaml +*** os_privacy_principle_minimization.yaml *** os_prohibit_remote_activation_collab_devices.yaml *** os_secure_enclave.yaml *** sysprefs_critical_update_install_enforce.yaml diff --git a/rules/os/os_privacy_priciple_minimization.yaml b/rules/os/os_privacy_principle_minimization.yaml similarity index 96% rename from rules/os/os_privacy_priciple_minimization.yaml rename to rules/os/os_privacy_principle_minimization.yaml index e2de5447..69b1cb78 100644 --- a/rules/os/os_privacy_priciple_minimization.yaml +++ b/rules/os/os_privacy_principle_minimization.yaml 
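Review bot: The new zparseopts specs store into `compliant` and `non_compliant`, the same global names compliance_count() assigns with `compliant=0` and `non_compliant=0`; zsh function variables are global unless declared local, so a later call to compliance_count() overwrites the parsed option values. Declaring `local compliant non_compliant` at the top of compliance_count(), or giving the option arrays distinct names, keeps the two apart. The option naming is also inconsistent: the flag is spelled `-non_compliant` while the argument compliance_count() matches on is `"non-compliant"`. The `-configure=configure` option and its run_configure branch are removed here; if run_configure is still defined elsewhere in the template it is now unreachable.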
@@ -1,4 +1,4 @@ -id: os_privacy_priciple_minimization +id: os_privacy_principle_minimization title: "Implement the Privacy Principle of Minimization" discussion: | Implement the privacy principle of minimization using organization-defined processes. From 89b2a818077282c16bf3c502a94033335c71e83f Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 22 Jul 2021 16:51:23 -0400 Subject: [PATCH 123/135] updated from rev5 branch --- scripts/yaml-to-oval.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/scripts/yaml-to-oval.py b/scripts/yaml-to-oval.py index 357ca402..f7a6d336 100755 --- a/scripts/yaml-to-oval.py +++ b/scripts/yaml-to-oval.py @@ -918,6 +918,8 @@ def main(): '''.format(x,plist,x+999) else: + if plist[-6:] != ".plist": + plist = plist + ".plist" plist_key = rule_yaml['check'].split(" ")[3].rstrip() oval_object = oval_object + ''' @@ -1119,8 +1121,8 @@ def main(): '''.format(x,rule_yaml['id'],x,x) - - if "-" in fix_command and "R" in fix_command: + + if "-" in fix_command and "R" in fix_command or rule_yaml['fix'].split("\n")[2][-1] == "*": behavior = '' if "audit" in rule_file: filename = 'current' @@ -1242,7 +1244,7 @@ def main(): state_test = state_test + ''' false false - true''' + false''' if perms[2] == "1": state_test = state_test + ''' false From 21422b62371ee5c7dae4bb298c540d708f69c21a Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Fri, 23 Jul 2021 11:34:53 -0400 Subject: [PATCH 124/135] Supplementals --- .../supplemental/supplemental_filevault.yaml | 10 +-- .../supplemental_firewall_pf.yaml | 8 +-- .../supplemental_password_policy.yaml | 2 +- .../supplemental/supplemental_smartcard.yaml | 63 ++++++++++++++++--- 4 files changed, 64 insertions(+), 19 deletions(-) diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml index 2e77defb..65e4304d 100644 --- a/rules/supplemental/supplemental_filevault.yaml +++ b/rules/supplemental/supplemental_filevault.yaml 
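Review bot: In the -1119,8 hunk of scripts/yaml-to-oval.py the added condition `rule_yaml['fix'].split("\n")[2][-1] == "*"` raises IndexError for any rule whose fix text has fewer than three lines or whose third line is empty, and it is evaluated whenever the first clause is false (the expression parses as `(A and B) or C`), so a generator run now aborts on such a rule instead of skipping it. Splitting once, `fix_lines = rule_yaml['fix'].split("\n")`, and testing `len(fix_lines) > 2 and fix_lines[2].endswith("*")`, with the `and` clause parenthesised, makes the precedence explicit and the index safe. In the -918,6 hunk, `plist[-6:] != ".plist"` reads more idiomatically as `not plist.endswith(".plist")`. main() continues outside all three hunks.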
@@ -10,7 +10,7 @@ discussion: | FileVault is described in detail here: link:https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web[]. - FileVault can be enabled in two ways within the macOS. It can be managed using the fdesetup command or by a Configuration Profile. When enabling FileVault via either of the aforementioned methods, you will be required to enter a username and password, which must be a local OpenDirectory account with a valid SecureToken password. + FileVault can be enabled in two ways within the macOS. It can be managed using the fdesetup command or by a Configuration Profile. When enabling FileVault via either of the aforementioned methods, you will be required to enter a username and password, which must be a local Open Directory account with a valid SecureToken password. [discrete] ==== Using the fdesetup Command 
@@ -19,14 +19,14 @@ discussion: | ---- /usr/bin/fdesetup enable ---- - Running this command will prompt you for a username and password and then enable FileVault and return the personal recovery key. There are a number of management features available when managing FileVault via the command line that are not available when using a configuration profile. More information on these management features is available in the man page for fdesetup. + Running this command will prompt you for a username and password and then enable FileVault and return the personal recovery key. There are a number of management features available when managing FileVault via the command line that are not available when using a configuration profile. More information on these management features is available in the man page for `fdesetup`. - NOTE: Apple has deprecated fdesetup command line tool from recognizing user name and password for security reasons and may remove the ability in future versions of macOS. + NOTE: Apple has deprecated `fdesetup` command line tool from recognizing user name and password for security reasons and may remove the ability in future versions of macOS. [discrete] ==== Using a Configuration Profile - When managing FileVault with a configuration profile, you must deploy a profile with the payload type com.apple.MCX.FileVault2. When using the Enable key to enable FileVault with a configuration profile, you must include 1 of the following: + When managing FileVault with a configuration profile, you must deploy a profile with the payload type `com.apple.MCX.FileVault2`. When using the Enable key to enable FileVault with a configuration profile, you must include 1 of the following: [source,xml] ---- 
@@ -45,7 +45,7 @@ discussion: | If using the Defer key it will prompt for the user name and password at logout. - The UserEntersMissingInfo key will only work if installed through manual installation, and it will prompt for the username and password immediately. + The `UserEntersMissingInfo` key will only work if installed through manual installation, and it will prompt for the username and password immediately. When using a configuration profile, you can escrow the Recovery key to a Mobile Device Management (MDM) server. Documentation for that can be found on Apple’s Developer site: link:https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow[]. diff --git a/rules/supplemental/supplemental_firewall_pf.yaml b/rules/supplemental/supplemental_firewall_pf.yaml index db2823df..4e6729df 100644 --- a/rules/supplemental/supplemental_firewall_pf.yaml +++ b/rules/supplemental/supplemental_firewall_pf.yaml @@ -5,7 +5,7 @@ discussion: | * os_firewall_default_deny_require - macOS contains an application layer firewall (ALF) and a packet filter (PF) firewall. + macOS contains an application layer firewall (ALF) and a packet filter (PF) firewall. * The ALF can block incoming traffic on a per-application basis and prevent applications from gaining control of network ports, but it cannot be configured to block outgoing traffic. ** More information on the ALF can be found here: https://support.apple.com/en-ca/HT201642 
@@ -13,9 +13,9 @@ discussion: | * The PF firewall can manipulate virtually any packet data and is highly configurable. ** More information on the BF firewall can be found here: https://www.openbsd.org/faq/pf/index.html - Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 4). The script will make sure the application layer firewall is enabled, set logging to “detailed”, set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy com.apple.pfctl.plist from /System/Library/LaunchDaemons/ into the /Library/LaunchDaemons folder and name it 800-53.pfctl.plist. This is done to not conflict with the system’s pf ruleset. + Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 5). The script will make sure the application layer firewall is enabled, set logging to “detailed”, set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy `com.apple.pfctl.plis` from `/System/Library/LaunchDaemons/` into the `/Library/LaunchDaemons` folder and name it `800-53.pfctl.plist`. This is done to not conflict with the system’s pf ruleset. - The custom pf rules are created at /etc/pf.anchors/800_53_pf_anchors. + The custom pf rules are created at `/etc/pf.anchors/800_53_pf_anchors`. The ruleset will block connections on the following ports: @@ -95,7 +95,7 @@ discussion: | |=== - For more on configuring the PF firewall check out the man pages on pf.conf and pfctl. + For more on configuring the PF firewall check out the man pages on `pf.conf` and `pfctl`. [source,bash] ---- 
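Review bot: The rewritten sentence in the -13,9 hunk introduces a typo in a file name: `com.apple.pfctl.plis` should read `com.apple.pfctl.plist`, consistent with the `800-53.pfctl.plist` name given later in the same sentence. The context line just above still says "BF firewall", which from the surrounding text appears to be meant as "PF firewall" and could be corrected in the same pass.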
diff --git a/rules/supplemental/supplemental_password_policy.yaml b/rules/supplemental/supplemental_password_policy.yaml index f3869e77..31ed8d98 100644 --- a/rules/supplemental/supplemental_password_policy.yaml +++ b/rules/supplemental/supplemental_password_policy.yaml @@ -8,7 +8,7 @@ discussion: | * pwpolicy_account_inactivity_enforce * pwpolicy_minimum_lifetime_enforce - Password policies should be enforced as much as possible via Configuration Profiles. However, the following policies are currently not enforceable via Configuration Profiles, and must therefore be enabled using the pwpolicy command: + Password policies should be enforced as much as possible via Configuration Profiles. However, the following policies are currently not enforceable via Configuration Profiles, and must therefore be enabled using the `pwpolicy` command: * Enforcing at least 1 lowercase character * Enforcing at least 1 uppercase character diff --git a/rules/supplemental/supplemental_smartcard.yaml b/rules/supplemental/supplemental_smartcard.yaml index 2d221f91..bf68f882 100644 --- a/rules/supplemental/supplemental_smartcard.yaml +++ b/rules/supplemental/supplemental_smartcard.yaml 
@@ -29,7 +29,7 @@ discussion: | [discrete] ==== Smartcard Attribute Mapping - Smartcards can be used to authenticate against a directory via attribute mapping configured in /private/etc/SmartcardLogin.plist. This file takes precedence over local account pairing. Attribute mapping matches the configured certificate field values from the smart card to the value in a directory. This may be used with network accounts, mobile accounts, or local accounts. + Smartcards can be used to authenticate against a directory via attribute mapping configured in `/private/etc/SmartcardLogin.plist`. This file takes precedence over local account pairing. Attribute mapping matches the configured certificate field values from the smart card to the value in a directory. This may be used with network accounts, mobile accounts, or local accounts. [discrete] ==== Smartcard Management in macOS @@ -80,7 +80,7 @@ discussion: | |=== - A custom configuration profile (com.apple.loginwindow) should be created to disable automatic login when FileVault is enabled. This ensures that authorized users boot their Macs, enter a password at the pre-boot screen (which decrypts the boot volume), and are then presented with a login window where they can authenticate with a smartcard. + A custom configuration profile (`com.apple.loginwindow`) should be created to disable automatic login when FileVault is enabled. This ensures that authorized users boot their Macs, enter a password at the pre-boot screen (which decrypts the boot volume), and are then presented with a login window where they can authenticate with a smartcard. [%header,cols="2,1,7"] |=== 
@@ -98,7 +98,7 @@ discussion: | [discrete] ==== Trusted Authorities - The macOS allows users to specify which certificate authorities (CA) can be used for trust evaluation during smartcard authentication. Only CAs listed in the TrustedAuthorities section of the SmartcardLogin.plist will be evaluated as trusted. This setting only works if checkCertificateTrust is set to either 1, 2, or 3 in com.apple.security.smartcard. + The macOS allows users to specify which certificate authorities (CA) can be used for trust evaluation during smartcard authentication. Only CAs listed in the TrustedAuthorities section of the SmartcardLogin.plist will be evaluated as trusted. This setting only works if `checkCertificateTrust` is set to either 1, 2, or 3 in `com.apple.security.smartcard`. To get the SHA-256 hash in the correct format, run the following command within terminal: [source,bash] @@ -106,7 +106,7 @@ discussion: | /usr/bin/openssl x509 -noout -fingerprint -sha256 -inform pem -in | /usr/bin/awk -F '=' '{print $2}' | /usr/bin/sed 's/://g' ---- - To configure Trusted Authorities, the SmartcardLogin.plist should be minimally configured as below: + To configure Trusted Authorities, the `SmartcardLogin.plist` should be minimally configured as below: [source,xml] ---- 
@@ -134,11 +134,14 @@ discussion: | ---- [discrete] - ==== NotEnforcedGroup + ==== Smartcard Enforcement Exemption + + [discrete] + ===== Group Exemption - Starting in macOS 10.15, enforcement on a system can be granularly configured by adding a field to /private/etc/SmartcardLogin.plist. The NotEnforcedGroup can be added to the file to list a Directory group that will not be included in smartcard enforcement. In order to activate this feature, enforceSmartCard and allowUnmappedUsers must be applied via a configuration profile (com.apple.security.smartcard). + Starting in macOS 10.15, enforcement on a system can be granularly configured by adding a field to `/private/etc/SmartcardLogin.plist`. The `NotEnforcedGroup` can be added to the file to list a Directory group that will not be included in smartcard enforcement. In order to activate this feature, `enforceSmartCard` and `allowUnmappedUsers` must be applied via a configuration profile (`com.apple.security.smartcard`). - To configure the NotEnforcedGroup, the SmartcardLogin.plist should be minimally configured as follows: + To configure the `NotEnforcedGroup`, the `SmartcardLogin.plist` should be minimally configured as follows: [source,xml] ---- 
@@ -161,17 +164,59 @@ discussion: | SHA256_HASH_OF_CERTDOMAIN_1,SHA256_HASH_OF_CERTDOMAIN_2 NotEnforcedGroup - GROUPGOESHERE + EXEMPTGROUP ---- - Once a system is configured for the NotEnforcedGroup a user can be added to the assigned group by running the following: + Once a system is configured for the `NotEnforcedGroup` a user can be added to the assigned group by running the following: [source,bash] ---- /usr/sbin/dseditgroup -o edit -a -t user ---- + [discrete] + ===== User Exemption + + Alternatively, if a single user needs to be exempt for a period of time, `kDSNativeAttrTypePrefix:SmartCardEnforcement` can be set in the user's Open Directory record. The following values can be set: + + * 0 - The system default is respected. + * 1 - Smartcard enforcement is enabled. + * 2 - Smartcard enforcement is disabled. + + NOTE: In Active Directory environments, the value of the `userAccountControl` attribute is respected. + + Run the following command to set the exemption when booted from macOS: + [source,bash] + ---- + /usr/bin/dscl . -append /Users/ SmartCardEnforcement 2 + ---- + + Run the following command to set the exemption when booted from Recovery: + [source,bash] + ---- + /usr/bin/defaults write /Volumes/Macintosh\ HD/var/db/dslocal/nodes/Default/users/ SmartCardEnforcement -array-add 2 + ---- + NOTE: When booted to recovery on an Apple Silicon Mac, run the following after setting the exemption. + `/usr/sbin/diskutil apfs updatePreboot /Volumes/Macintosh\ HD` + + [discrete] + ===== Temporary Exemption + + On an Apple Silicon Mac, if a temporary exemption is needed, `security filevault skip-sc-enforcement` will disable smartcard enforcement on next boot only. 
+ + Run the following command to set the temporary exemption when booted from Recovery: + [source,bash] + ---- + /usr/bin/security filevault skip-sc-enforcement set + ---- + + To obtain the `data volume UUID` run the following: + [source,bash] + ---- + /usr/sbin/diskutil apfs listGroups | /usr/bin/awk -F: '/ Data/ { getline; gsub(/ /,""); print $2}' + ---- + [discrete] ==== Pluggable Authentication Module (PAM) From 753513752d321fb619217d7ec82877c32f5161b7 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Fri, 23 Jul 2021 11:56:28 -0400 Subject: [PATCH 125/135] minor edit --- rules/supplemental/supplemental_smartcard.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/supplemental/supplemental_smartcard.yaml b/rules/supplemental/supplemental_smartcard.yaml index bf68f882..abcc7cd0 100644 --- a/rules/supplemental/supplemental_smartcard.yaml +++ b/rules/supplemental/supplemental_smartcard.yaml @@ -14,7 +14,7 @@ discussion: | macOS supports smartcards, such as U.S. Personal Identity Verification (PIV) cards and U.S. Department of Defense Common Access Cards (CAC). Smartcards can be used on a macOS for the following: - * Authentication (Loginwindow, Screensaver, SSH, PKINIT, Safari, Finder, and PAM Authorization (sudo, login, su) ) + * Authentication (Loginwindow, Screensaver, SSH, PKINIT, Safari, Finder, and PAM Authorization (`sudo`, `login`, and `su`) ) * Digital Encryption * Digital Signing * Remote Access (VPN:L2TP) @@ -220,7 +220,7 @@ discussion: | [discrete] ==== Pluggable Authentication Module (PAM) - Terminal sessions in macOS can be configured for smartcard enforcement by modifying the PAM modules for sudo, su, and login. + Terminal sessions in macOS can be configured for smartcard enforcement by modifying the PAM modules for `sudo`, `su`, and `login`. [source,bash] ---- From 4103131f8fd88ce5b5f321bb57b7fcf2451f4162 Mon Sep 17 00:00:00 2001 
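Review bot: The new User Exemption and Temporary Exemption sections describe how to set `SmartCardEnforcement` to 2 and how to set `skip-sc-enforcement`, but never how to revert the per-user exemption once the "period of time" has passed, so the reader is left without a documented path back to enforcement. A closing sentence along the lines of "To restore enforcement, set the attribute back to 0 or 1 with `dscl` (or remove it from the user record) and, as when setting it from Recovery on Apple Silicon, run `diskutil apfs updatePreboot` afterwards" would complete the procedure. The `dscl`, `defaults` and `dseditgroup` examples appear to have lost their username/group placeholders (e.g. `/Users/ SmartCardEnforcement`), possibly in rendering — confirm the source file still carries them.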
From: Allen Golbig Date: Fri, 23 Jul 2021 13:55:55 -0400 Subject: [PATCH 126/135] edits --- SCAP/html-to-xccdf.xsl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SCAP/html-to-xccdf.xsl b/SCAP/html-to-xccdf.xsl index 4532697f..47c2c14c 100644 --- a/SCAP/html-to-xccdf.xsl +++ b/SCAP/html-to-xccdf.xsl @@ -474,7 +474,7 @@ - https://nvd.nist.gov/800-53/Rev4/control/ + https://nvd.nist.gov/800-53/Rev5/control/ @@ -487,7 +487,7 @@ - NIST SP 800-53r4 + NIST SP 800-53r5 From 4ef395048e7abc2ea973d71fcdaefa561f8c26ae Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Fri, 23 Jul 2021 14:10:08 -0400 Subject: [PATCH 127/135] space was needed --- SCAP/html-to-xccdf.xsl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SCAP/html-to-xccdf.xsl b/SCAP/html-to-xccdf.xsl index 47c2c14c..3cb2f899 100644 --- a/SCAP/html-to-xccdf.xsl +++ b/SCAP/html-to-xccdf.xsl @@ -487,7 +487,7 @@ - NIST SP 800-53r5 + NIST SP 800-53r5 From ec71a9bc2f5f6596c74bdd4c0b448d98b8804b39 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Fri, 23 Jul 2021 14:53:31 -0400 Subject: [PATCH 128/135] fixed caution --- rules/auth/auth_smartcard_enforce.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index 5dee57dc..591aeb14 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml 
@@ -7,7 +7,7 @@ discussion: | When enforceSmartCard is set to “true”, the smartcard must be used for login, authorization, and unlocking the screensaver. - CAUTION: enforceSmartCard will apply to the whole system. No users will be able to login with their password unless the profile is removed or a member of the NotEnforced group. + CAUTION: enforceSmartCard will apply to the whole system. No users will be able to login with their password unless the profile is removed or a user is exempt from smartcard enforcement. NOTE: enforceSmartcard requires allowSmartcard to be set to true in order to work. check: | From 6169f2464837f37a457547e7e385ef53ccb35b6e Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Fri, 23 Jul 2021 14:55:44 -0400 Subject: [PATCH 129/135] rev5 release --- CHANGELOG.adoc | 2 +- VERSION.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index 8400145a..9f71cc28 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc @@ -2,7 +2,7 @@ This document provides a high-level view of the changes to the macOS Security Compliance Project. -== [Big Sur, Revision 3] - 2021-07-22 +== [Big Sur, Revision 3] - 2021-07-26 * Rules ** Added Rules diff --git a/VERSION.yaml b/VERSION.yaml index 0fbdb06a..7b1c5402 100644 --- a/VERSION.yaml +++ b/VERSION.yaml @@ -1,3 +1,3 @@ os: "11.0" version: "Big Sur, Revision 3" -date: "2021-07-22" +date: "2021-07-26" From 9ed469aab84fbc176b4bfcc5fab0683f5cf9935b Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 23 Jul 2021 20:24:57 -0400 Subject: [PATCH 130/135] baseline titles updated --- templates/adoc_additional_docs.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc index 2a020a94..ba642505 100644 --- a/templates/adoc_additional_docs.adoc +++ b/templates/adoc_additional_docs.adoc 
@@ -48,6 +48,6 @@ ASSOCIATED DOCUMENTS |link:https://support.apple.com/guide/security/welcome/web[Apple Platform Security Guide]|_Apple Platform Security_ |link:https://support.apple.com/guide/deployment-reference-macos/welcome/web[Deployment Reference for Mac]|_Deployment Reference_ |link:https://support.apple.com/guide/mdm/welcome/web[Mobile Device Management Settings]|_Mobile Device Management Settings_ -|link:https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys[AProfile-Specific Payload Keys]|_Profile-Specific Payload Keys_ +|link:https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys[Profile-Specific Payload Keys]|_Profile-Specific Payload Keys_ |link:https://support.apple.com/guide/sccc/welcome/web[Security Certifications and Compliance Center]|_Security Certifications and Compliance Center_ |=== \ No newline at end of file From 9defec74968edeb6973eb41d8fbde8f2f0372a65 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 23 Jul 2021 21:44:33 -0400 Subject: [PATCH 131/135] new 800-53r5 baselines and updated baseline files --- baselines/800-171.yaml | 33 +++++----- .../{800-53_high.yaml => 800-53r5_high.yaml} | 64 ++++++++++++------- .../{800-53_low.yaml => 800-53r5_low.yaml} | 51 ++++++++++----- ...3_moderate.yaml => 800-53r5_moderate.yaml} | 64 ++++++++++++------- baselines/DISA-STIG.yaml | 17 +++-- baselines/all_rules.yaml | 12 +++- baselines/cnssi-1253.yaml | 34 +++++----- 7 files changed, 172 insertions(+), 103 deletions(-) rename baselines/{800-53_high.yaml => 800-53r5_high.yaml} (82%) rename baselines/{800-53_low.yaml => 800-53r5_low.yaml} (78%) rename baselines/{800-53_moderate.yaml => 800-53r5_moderate.yaml} (80%) diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml index dbb78f8a..5ba76126 100644 --- a/baselines/800-171.yaml +++ b/baselines/800-171.yaml 
@@ -1,6 +1,7 @@ -title: "macOS 11.0: Security Configuration - 800-171" +title: "macOS 11: Security Configuration - NIST 800-171 Rev 2" description: | - This guide describes the actions to take when securing a 11.0 system against the NIST SP 800-171. + This guide describes the actions to take when securing a macOS 11 system against the 800-171 Rev 2 baseline. +profile: profile: - section: "authentication" rules: @@ -31,20 +32,20 @@ profile: - section: "macos" rules: - os_firewall_default_deny_require - - os_ssh_server_alive_count_max_configure - os_firmware_password_require - os_gatekeeper_rearm - os_root_disable - - os_guest_account_disable - os_password_proximity_disable - os_mdm_require - os_screensaver_loginwindow_enforce - os_handoff_disable - os_firewall_log_enable + - os_ssh_server_alive_interval_configure - os_tftpd_disable - os_password_autofill_disable - os_password_sharing_disable - os_ssh_fips_140_ciphers + - os_authenticated_root_enable - os_uucp_disable - os_policy_banner_loginwindow_enforce - os_touchid_prompt_disable @@ -52,13 +53,12 @@ profile: - os_messages_app_disable - os_airdrop_disable - os_parental_controls_enable + - os_ssh_server_alive_count_max_configure - os_nfsd_disable - os_httpd_disable - os_gatekeeper_enable - os_sip_enable - - os_authenticated_root_enable - os_removable_media_disable - - os_guest_access_smb_disable - os_time_server_enabled - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable @@ -70,7 +70,6 @@ profile: - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - section: "passwordpolicy" 
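Review bot: The -1,6 +1,7 hunk adds a `profile:` line directly above the existing `profile:` context line (old side 6 lines, new side 7, no other removal), so baselines/800-171.yaml now carries the key twice at top level. YAML mappings require unique keys; PyYAML silently keeps the last occurrence, so the rule list happens to win here, but a stricter loader or lint step would reject the file, and if the two lines were ever reordered `profile` would load as null. Drop the added `+profile:` line. The renamed 800-53r5 baselines in the same commit do not show this duplication.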
@@ -102,14 +101,18 @@ profile: - icloud_addressbook_disable - section: "systempreferences" rules: + - sysprefs_automatic_logout_enforce - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable + - sysprefs_system_wide_preferences_configure - sysprefs_rae_disable - - sysprefs_ssh_disable + - sysprefs_personalized_advertising_disable + - sysprefs_guest_access_smb_disable - sysprefs_media_sharing_disabled + - sysprefs_ssh_disable - sysprefs_screensaver_password_enforce + - sysprefs_guest_account_disable - sysprefs_gatekeeper_identified_developers_allowed - sysprefs_gatekeeper_override_disallow - sysprefs_screensaver_timeout_enforce @@ -118,10 +121,10 @@ profile: - sysprefs_content_caching_disable - sysprefs_location_services_disable - sysprefs_time_server_configure + - sysprefs_power_nap_disable - sysprefs_diagnostics_reports_disable - sysprefs_bluetooth_disable - sysprefs_loginwindow_prompt_username_password_enforce - - sysprefs_power_nap_disable - sysprefs_automatic_login_disable - sysprefs_apple_watch_unlock_disable - sysprefs_token_removal_enforce @@ -135,13 +138,12 @@ profile: - sysprefs_password_hints_disable - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - - sysprefs_automatic_logout_enforce - - sysprefs_system_wide_preferences_configure - section: "Inherent" rules: - os_prevent_priv_functions - os_logical_access - os_implement_cryptography + - os_separate_functionality - os_obscure_password - os_store_encrypted_passwords - os_prevent_unauthorized_disclosure 
@@ -149,15 +151,14 @@ profile: - section: "Permanent" rules: - pwpolicy_50_percent - - sysprefs_wifi_disable + - sysprefs_wifi_disable_when_connected_to_ethernet - section: "not_applicable" - rules: + rules: - os_nonlocal_maintenance - section: "Supplemental" rules: - supplemental_firewall_pf - supplemental_filevault - supplemental_password_policy - - supplemental_smartcard - supplemental_controls - + - supplemental_smartcard diff --git a/baselines/800-53_high.yaml b/baselines/800-53r5_high.yaml similarity index 82% rename from baselines/800-53_high.yaml rename to baselines/800-53r5_high.yaml index 9be601fd..2f6c51c0 100644 --- a/baselines/800-53_high.yaml +++ b/baselines/800-53r5_high.yaml @@ -1,6 +1,6 @@ -title: "macOS 11.0: Security Configuration - 800-53 High" +title: "macOS 11 Security Configuration:NIST SP 800-53 Rev 5 High Impact Security Baseline" description: | - This guide describes the actions to take when securing a macOS 11.0 system against the NIST SP 800-53 HIGH baseline. + This guide describes the actions to take when securing a macOS 11 system against the NIST SP 800-53 Rev. 5 High-Impact Security Baseline. profile: - section: "authentication" rules: @@ -12,6 +12,7 @@ profile: - auth_pam_su_smartcard_enforce - section: "auditing" rules: + - audit_flags_fd_configure - audit_folder_group_configure - audit_failure_halt - audit_acls_folders_configure 
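Review bot: The new High title string has no space after the colon (`macOS 11 Security Configuration:NIST SP 800-53 Rev 5 High Impact Security Baseline`), and the same form is used for the Low and Moderate titles later in this series; the title is rendered verbatim into the generated guide, so write it as `title: "macOS 11 Security Configuration: NIST SP 800-53 Rev 5 High Impact Security Baseline"`. The 800-171 title in the first file keeps the `: ` separator, so fixing these three also keeps the baselines consistent with each other.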
@@ -34,22 +35,28 @@ profile: - audit_acls_files_configure - section: "macos" rules: + - os_newsyslog_files_owner_group_configure - os_firewall_default_deny_require - - os_ssh_server_alive_count_max_configure - os_firmware_password_require + - os_apple_mobile_file_integrity_enforce - os_gatekeeper_rearm - os_root_disable - - os_guest_account_disable - os_password_proximity_disable - os_mdm_require - os_screensaver_loginwindow_enforce - os_handoff_disable - os_firewall_log_enable + - os_ssh_server_alive_interval_configure - os_tftpd_disable - os_password_autofill_disable + - os_asl_log_files_permissions_configure - os_password_sharing_disable - os_ssh_fips_140_ciphers + - os_authenticated_root_enable + - os_config_data_install_enforce + - os_filevault_authorized_users - os_secure_boot_verify + - os_sudoers_tty_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce - os_touchid_prompt_disable 
@@ -58,32 +65,33 @@ profile: - os_airdrop_disable - os_parental_controls_enable - os_system_read_only + - os_ssh_server_alive_count_max_configure - os_nfsd_disable - os_httpd_disable + - os_asl_log_files_owner_group_configure - os_gatekeeper_enable - os_sip_enable - - os_authenticated_root_enable - os_removable_media_disable - - os_guest_access_smb_disable - os_time_server_enabled - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable - os_siri_prompt_disable - os_appleid_prompt_disable - os_certificate_authority_trust + - os_newsyslog_files_permissions_configure - os_ssh_fips_140_macs - os_home_folders_secure - os_facetime_app_disable - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - section: "passwordpolicy" rules: - pwpolicy_account_inactivity_enforce - pwpolicy_history_enforce + - pwpolicy_temporary_or_emergency_accounts_disable - pwpolicy_account_lockout_enforce - pwpolicy_simple_sequence_disable - pwpolicy_lower_case_character_enforce @@ -109,14 +117,19 @@ profile: - icloud_addressbook_disable - section: "systempreferences" rules: - - sysprefs_media_sharing_disabled + - sysprefs_automatic_logout_enforce - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable + - sysprefs_system_wide_preferences_configure - sysprefs_rae_disable + - sysprefs_personalized_advertising_disable + - sysprefs_guest_access_smb_disable + - sysprefs_media_sharing_disabled - sysprefs_ssh_disable - sysprefs_screensaver_password_enforce + - sysprefs_critical_update_install_enforce + - sysprefs_guest_account_disable - sysprefs_gatekeeper_identified_developers_allowed - sysprefs_gatekeeper_override_disallow - sysprefs_screensaver_timeout_enforce 
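Review bot: `pwpolicy_temporary_or_emergency_accounts_disable` is added to the enforced passwordpolicy section while the Inherent section of the same file still lists `pwpolicy_temporary_accounts_disable` and `pwpolicy_emergency_accounts_disable` (visible as context in the following hunks), so the generated guide will presumably state the temporary/emergency-account requirement three times with two different dispositions. If the combined rule supersedes the two inherent ones for Rev 5, remove them here and in the Moderate baseline, which receives the same addition; if the overlap is intentional, a changelog line explaining it would save the next reviewer the same question.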
@@ -125,14 +138,15 @@ profile: - sysprefs_content_caching_disable - sysprefs_location_services_disable - sysprefs_time_server_configure + - sysprefs_power_nap_disable - sysprefs_diagnostics_reports_disable - sysprefs_bluetooth_disable - sysprefs_loginwindow_prompt_username_password_enforce - - sysprefs_power_nap_disable - sysprefs_automatic_login_disable - sysprefs_apple_watch_unlock_disable - sysprefs_token_removal_enforce - sysprefs_screensaver_ask_for_password_delay_enforce + - sysprefs_wifi_disable - sysprefs_time_server_enforce - sysprefs_touchid_unlock_disable - sysprefs_screen_sharing_disable @@ -142,20 +156,24 @@ profile: - sysprefs_password_hints_disable - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - - sysprefs_automatic_logout_enforce - - sysprefs_system_wide_preferences_configure - section: "Inherent" rules: + - audit_record_reduction_report_generation - os_enforce_access_restrictions - os_limit_gui_sessions - os_prevent_priv_functions - os_logical_access - os_fail_secure_state + - os_application_sandboxing - os_implement_memory_protection - os_implement_cryptography + - os_separate_functionality - os_obscure_password + - os_reauth_users_change_authenticators + - os_unique_identification - os_isolate_security_functions - os_required_crypto_module + - os_malicious_code_prevention - os_store_encrypted_passwords - os_prevent_unauthorized_disclosure - os_crypto_audit 
@@ -164,27 +182,27 @@ profile: - pwpolicy_emergency_accounts_disable - section: "Permanent" rules: - - os_secure_name_resolution - - os_notify_account_enable + - audit_records_processing + - os_reauth_devices_change_authenticators - os_provide_automated_account_management - - os_notify_account_created - - os_notify_account_modified - - os_notify_account_removal + - os_secure_name_resolution + - os_prohibit_remote_activation_collab_devices - os_auth_peripherals - os_continuous_monitoring - - os_notify_account_disabled - os_protect_dos_attacks - - pwpolicy_50_percent - - sysprefs_wifi_disable + - sysprefs_wifi_disable_when_connected_to_ethernet - section: "not_applicable" rules: - - os_identify_non-org_users + - os_information_validation + - os_access_control_mobile_devices + - os_managed_access_control_points - os_nonlocal_maintenance + - os_identify_non-org_users + - os_non_repudiation - section: "Supplemental" rules: - supplemental_firewall_pf - supplemental_filevault - supplemental_password_policy - - supplemental_smartcard - supplemental_controls - + - supplemental_smartcard diff --git a/baselines/800-53_low.yaml b/baselines/800-53r5_low.yaml similarity index 78% rename from baselines/800-53_low.yaml rename to baselines/800-53r5_low.yaml index c4283aee..5c4ee4d8 100644 --- a/baselines/800-53_low.yaml +++ b/baselines/800-53r5_low.yaml @@ -1,6 +1,6 @@ -title: "macOS 11.0: Security Configuration - 800-53 Low" +title: "macOS 11 Security Configuration:NIST SP 800-53 Rev 5 Low Impact Security Baseline" description: | - This guide describes the actions to take when securing a macOS 11.0 system against the NIST SP 800-53 LOW baseline. + This guide describes the actions to take when securing a macOS 11 system against the NIST SP 800-53 Rev. 5 Low-Impact Security Baseline. profile: - section: "authentication" rules: 
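Review bot: This hunk removes the five `os_notify_account_*` rules (enable, created, modified, removal, disabled) from the High baseline's Permanent section without adding a replacement, and the Moderate baseline further down gets the same removal while CNSSI-1253 keeps them. As far as I recall AC-2(4) is still selected in the Rev 5 Moderate and High baselines, so unless those rules' references were re-mapped, the generated guides lose their coverage statement for automated account-action auditing — confirm against the rules' `references` before dropping them, and if the drop is deliberate say why in the changelog. Removing `pwpolicy_50_percent` here is consistent with Rev 5 rewording IA-5(1), so that part looks right.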
@@ -11,6 +11,7 @@ profile: - auth_pam_su_smartcard_enforce - section: "auditing" rules: + - audit_flags_fd_configure - audit_folder_group_configure - audit_failure_halt - audit_acls_folders_configure @@ -23,6 +24,7 @@ profile: - audit_files_owner_configure - audit_retention_configure - audit_flags_fr_configure + - audit_settings_failure_notify - audit_folder_owner_configure - audit_flags_lo_configure - audit_flags_fw_configure @@ -31,6 +33,8 @@ profile: - audit_acls_files_configure - section: "macos" rules: + - os_apple_mobile_file_integrity_enforce + - os_gatekeeper_rearm - os_root_disable - os_password_proximity_disable - os_mdm_require @@ -40,6 +44,9 @@ profile: - os_password_autofill_disable - os_password_sharing_disable - os_ssh_fips_140_ciphers + - os_authenticated_root_enable + - os_config_data_install_enforce + - os_sudoers_tty_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce - os_touchid_prompt_disable @@ -48,10 +55,10 @@ profile: - os_airdrop_disable - os_nfsd_disable - os_httpd_disable + - os_gatekeeper_enable - os_sip_enable - - os_authenticated_root_enable - - os_guest_account_disable - - os_guest_access_smb_disable + - os_removable_media_disable + - os_time_server_enabled - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable - os_siri_prompt_disable @@ -65,7 +72,6 @@ profile: - os_calendar_app_disable - section: "passwordpolicy" rules: - - pwpolicy_account_inactivity_enforce - pwpolicy_history_enforce - pwpolicy_account_lockout_enforce - pwpolicy_simple_sequence_disable 
@@ -92,48 +98,63 @@ profile: - icloud_addressbook_disable - section: "systempreferences" rules: - - sysprefs_media_sharing_disabled - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable - sysprefs_rae_disable + - sysprefs_personalized_advertising_disable + - sysprefs_guest_access_smb_disable + - sysprefs_media_sharing_disabled + - sysprefs_ssh_disable + - sysprefs_critical_update_install_enforce + - sysprefs_guest_account_disable + - sysprefs_gatekeeper_identified_developers_allowed + - sysprefs_gatekeeper_override_disallow + - sysprefs_screensaver_timeout_enforce - sysprefs_firewall_enable - sysprefs_find_my_disable - sysprefs_content_caching_disable - sysprefs_location_services_disable - - sysprefs_diagnostics_reports_disable - - sysprefs_loginwindow_prompt_username_password_enforce + - sysprefs_time_server_configure - sysprefs_power_nap_disable + - sysprefs_diagnostics_reports_disable + - sysprefs_bluetooth_disable + - sysprefs_loginwindow_prompt_username_password_enforce - sysprefs_automatic_login_disable + - sysprefs_wifi_disable + - sysprefs_time_server_enforce - sysprefs_screen_sharing_disable - sysprefs_siri_disable - sysprefs_password_hints_disable - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - - sysprefs_ssh_disable - section: "Inherent" rules: - os_logical_access + - os_application_sandboxing - os_implement_cryptography - os_obscure_password + - os_reauth_users_change_authenticators + - os_unique_identification - os_required_crypto_module + - os_malicious_code_prevention - os_store_encrypted_passwords - pwpolicy_force_password_change - section: "Permanent" rules: + - os_reauth_devices_change_authenticators - os_secure_name_resolution + - os_prohibit_remote_activation_collab_devices - os_protect_dos_attacks - - pwpolicy_50_percent - section: "not_applicable" rules: - - os_identify_non-org_users + - os_access_control_mobile_devices 
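Review bot: The Low baseline now enforces `sysprefs_wifi_disable` and `sysprefs_bluetooth_disable`; if those rules are referenced to AC-18(3) (Disable Wireless Networking) they do not belong here, because that enhancement is selected in the Rev 5 Moderate and High baselines but not in Low. Disabling Wi-Fi and Bluetooth outright is also a high operational cost for a Low-impact portable fleet, so if the inclusion is intentional it deserves an explicit changelog entry rather than being folded into "Modified existing baselines". Note that Low, unlike Moderate and High, has no `sysprefs_wifi_disable_when_connected_to_ethernet` entry in its Permanent section, so the two Wi-Fi rules cannot be read as a pair here.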
- os_nonlocal_maintenance + - os_identify_non-org_users - section: "Supplemental" rules: - supplemental_firewall_pf - supplemental_filevault - supplemental_password_policy - - supplemental_smartcard - supplemental_controls - + - supplemental_smartcard diff --git a/baselines/800-53_moderate.yaml b/baselines/800-53r5_moderate.yaml similarity index 80% rename from baselines/800-53_moderate.yaml rename to baselines/800-53r5_moderate.yaml index 2de19761..5f7fcd23 100644 --- a/baselines/800-53_moderate.yaml +++ b/baselines/800-53r5_moderate.yaml @@ -1,6 +1,6 @@ -title: "macOS 11.0: Security Configuration - 800-53 Moderate" +title: "macOS 11 Security Configuration:NIST SP 800-53 Rev 5 Moderate Impact Security Baseline" description: | - This guide describes the actions to take when securing a 11.0 system against the NIST SP 800-53 MODERATE baseline. + This guide describes the actions to take when securing a macOS 11 system against the NIST SP 800-53 Rev. 5 Moderate-Impact Security Baseline. profile: - section: "authentication" rules: @@ -12,6 +12,7 @@ profile: - auth_pam_su_smartcard_enforce - section: "auditing" rules: + - audit_flags_fd_configure - audit_folder_group_configure - audit_failure_halt - audit_acls_folders_configure @@ -24,6 +25,7 @@ profile: - audit_files_owner_configure - audit_retention_configure - audit_flags_fr_configure + - audit_settings_failure_notify - audit_folder_owner_configure - audit_flags_lo_configure - audit_flags_fw_configure @@ -32,9 +34,10 @@ profile: - audit_acls_files_configure - section: "macos" rules: + - os_newsyslog_files_owner_group_configure - os_firewall_default_deny_require - - os_ssh_server_alive_count_max_configure - os_firmware_password_require + - os_apple_mobile_file_integrity_enforce - os_gatekeeper_rearm - os_root_disable - os_password_proximity_disable 
@@ -42,10 +45,16 @@ profile: - os_screensaver_loginwindow_enforce - os_handoff_disable - os_firewall_log_enable + - os_ssh_server_alive_interval_configure - os_tftpd_disable - os_password_autofill_disable + - os_asl_log_files_permissions_configure - os_password_sharing_disable - os_ssh_fips_140_ciphers + - os_authenticated_root_enable + - os_config_data_install_enforce + - os_secure_boot_verify + - os_sudoers_tty_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce - os_touchid_prompt_disable @@ -54,33 +63,33 @@ profile: - os_airdrop_disable - os_parental_controls_enable - os_system_read_only + - os_ssh_server_alive_count_max_configure - os_nfsd_disable - os_httpd_disable + - os_asl_log_files_owner_group_configure - os_gatekeeper_enable - os_sip_enable - - os_authenticated_root_enable - os_removable_media_disable - - os_guest_account_disable - - os_guest_access_smb_disable - os_time_server_enabled - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable - os_siri_prompt_disable - os_appleid_prompt_disable - os_certificate_authority_trust + - os_newsyslog_files_permissions_configure - os_ssh_fips_140_macs - os_home_folders_secure - os_facetime_app_disable - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - section: "passwordpolicy" rules: - pwpolicy_account_inactivity_enforce - pwpolicy_history_enforce + - pwpolicy_temporary_or_emergency_accounts_disable - pwpolicy_account_lockout_enforce - pwpolicy_simple_sequence_disable - pwpolicy_lower_case_character_enforce 
@@ -106,14 +115,19 @@ profile: - icloud_addressbook_disable - section: "systempreferences" rules: - - sysprefs_media_sharing_disabled + - sysprefs_automatic_logout_enforce - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable + - sysprefs_system_wide_preferences_configure - sysprefs_rae_disable + - sysprefs_personalized_advertising_disable + - sysprefs_guest_access_smb_disable + - sysprefs_media_sharing_disabled - sysprefs_ssh_disable - sysprefs_screensaver_password_enforce + - sysprefs_critical_update_install_enforce + - sysprefs_guest_account_disable - sysprefs_gatekeeper_identified_developers_allowed - sysprefs_gatekeeper_override_disallow - sysprefs_screensaver_timeout_enforce @@ -122,14 +136,15 @@ profile: - sysprefs_content_caching_disable - sysprefs_location_services_disable - sysprefs_time_server_configure + - sysprefs_power_nap_disable - sysprefs_diagnostics_reports_disable - sysprefs_bluetooth_disable - sysprefs_loginwindow_prompt_username_password_enforce - - sysprefs_power_nap_disable - sysprefs_automatic_login_disable - sysprefs_apple_watch_unlock_disable - sysprefs_token_removal_enforce - sysprefs_screensaver_ask_for_password_delay_enforce + - sysprefs_wifi_disable - sysprefs_time_server_enforce - sysprefs_touchid_unlock_disable - sysprefs_screen_sharing_disable 
@@ -139,16 +154,20 @@ profile: - sysprefs_password_hints_disable - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - - sysprefs_automatic_logout_enforce - - sysprefs_system_wide_preferences_configure - section: "Inherent" rules: + - audit_record_reduction_report_generation - os_prevent_priv_functions - os_logical_access + - os_application_sandboxing - os_implement_memory_protection - os_implement_cryptography + - os_separate_functionality - os_obscure_password + - os_reauth_users_change_authenticators + - os_unique_identification - os_required_crypto_module + - os_malicious_code_prevention - os_store_encrypted_passwords - os_prevent_unauthorized_disclosure - pwpolicy_temporary_accounts_disable @@ -156,27 +175,26 @@ profile: - pwpolicy_emergency_accounts_disable - section: "Permanent" rules: - - os_secure_name_resolution - - os_notify_account_enable + - audit_records_processing + - os_reauth_devices_change_authenticators - os_provide_automated_account_management - - os_notify_account_created - - os_notify_account_modified - - os_notify_account_removal + - os_secure_name_resolution + - os_prohibit_remote_activation_collab_devices - os_auth_peripherals - os_continuous_monitoring - - os_notify_account_disabled - os_protect_dos_attacks - - pwpolicy_50_percent - - sysprefs_wifi_disable + - sysprefs_wifi_disable_when_connected_to_ethernet - section: "not_applicable" rules: - - os_identify_non-org_users + - os_information_validation + - os_access_control_mobile_devices + - os_managed_access_control_points - os_nonlocal_maintenance + - os_identify_non-org_users - section: "Supplemental" rules: - supplemental_firewall_pf - supplemental_filevault - supplemental_password_policy - - supplemental_smartcard - supplemental_controls - \ No newline at end of file + - supplemental_smartcard diff --git a/baselines/DISA-STIG.yaml b/baselines/DISA-STIG.yaml index ed2c65c3..1fb11849 100644 --- a/baselines/DISA-STIG.yaml +++ b/baselines/DISA-STIG.yaml 
@@ -1,6 +1,6 @@ -title: "macOS 11.0: Security Configuration - DISA STIG" +title: "macOS 11: Security Configuration - DISA STIG" description: | - This guide describes the actions to take when securing a macOS 11.0 system against the DISA STIG. + This guide describes the actions to take when securing a macOS 11 system against the DISA STIG baseline. profile: - section: "authentication" rules: @@ -34,23 +34,22 @@ profile: - section: "macos" rules: - os_sshd_login_grace_time_configure + - os_newsyslog_files_owner_group_configure - os_firmware_password_require - - os_filevault_user_account - - os_guest_account_disable - os_policy_banner_ssh_enforce - os_anti_virus_installed - os_screensaver_loginwindow_enforce - os_sshd_key_exchange_algorithm_configure - os_tftpd_disable - os_sshd_client_alive_interval_configure - - os_system_log_files_owner_group_configure + - os_asl_log_files_permissions_configure - os_sshd_client_alive_count_max_configure - os_privacy_setup_prompt_disable + - os_filevault_authorized_users - os_sudoers_tty_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce - os_user_app_installation_prohibit - - os_system_log_files_permissions_configure - os_hbss_installed - os_filevault_autologin_disable - os_messages_app_disable @@ -58,6 +57,7 @@ profile: - os_nfsd_disable - os_sshd_permit_root_login_configure - os_httpd_disable + - os_asl_log_files_owner_group_configure - os_gatekeeper_enable - os_sip_enable - os_policy_banner_ssh_configure @@ -69,6 +69,8 @@ profile: - os_sshd_fips_140_ciphers - os_sshd_fips_140_macs - os_certificate_authority_trust + - os_newsyslog_files_permissions_configure + - os_ssh_fips_140_macs - os_home_folders_secure - os_facetime_app_disable - os_camera_disable 
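Review bot: The STIG macos section gains `os_ssh_fips_140_macs` next to the existing `os_sshd_fips_140_ciphers`/`os_sshd_fips_140_macs` but not the matching `os_ssh_fips_140_ciphers`; the 800-53 and CNSSI baselines in this series list `os_ssh_fips_140_ciphers` and `os_ssh_fips_140_macs` together, which suggests the client-side cipher rule was forgotten or this line is a stray. Either add `- os_ssh_fips_140_ciphers` beside it or drop the added MAC line, depending on whether the STIG covers the client ssh_config at all. The swap of `os_filevault_user_account` for `os_filevault_authorized_users` and of the `os_system_log_files_*` pair for the `os_asl_log_files_*`/`os_newsyslog_files_*` rules reads as intended renames.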
@@ -103,9 +105,11 @@ profile: - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - sysprefs_internet_sharing_disable + - sysprefs_system_wide_preferences_configure - sysprefs_rae_disable - sysprefs_ssh_disable - sysprefs_screensaver_password_enforce + - sysprefs_guest_account_disable - sysprefs_gatekeeper_identified_developers_allowed - sysprefs_gatekeeper_override_disallow - sysprefs_screensaver_timeout_enforce @@ -125,7 +129,6 @@ profile: - sysprefs_siri_disable - sysprefs_filevault_enforce - sysprefs_password_hints_disable - - sysprefs_system_wide_preferences_configure - section: "Supplemental" rules: - supplemental_firewall_pf diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index 920df119..011d94a8 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -1,6 +1,6 @@ -title: "macOS 11.0: Security Configuration - all" +title: "macOS 11: Security Configuration - All Rules" description: | - This guide describes the actions to take when securing a macOS 11.0 system against the all baseline. + This guide describes the actions to take when securing a macOS 11 system against the all_rules baseline. profile: - section: "authentication" rules: @@ -184,6 +184,7 @@ profile: - os_verify_remote_disconnection - os_logoff_capability_and_message - os_fail_secure_state + - os_application_sandboxing - os_limit_auditable_events - os_prevent_priv_execution - os_allow_info_passed @@ -229,6 +230,7 @@ profile: - os_notify_account_created - os_notify_account_modified - os_notify_account_removal + - os_prohibit_remote_activation_collab_devices - os_auth_peripherals - os_limit_dos_attacks - os_continuous_monitoring 
@@ -240,9 +242,15 @@ profile: - sysprefs_wifi_disable_when_connected_to_ethernet - section: "not_applicable" rules: + - os_information_validation + - os_privacy_principle_minimization - os_access_control_mobile_devices + - os_managed_access_control_points + - os_pii_deidentification - os_nonlocal_maintenance - os_identify_non-org_users + - os_pii_quality_control + - os_non_repudiation - section: "Supplemental" rules: - supplemental_firewall_pf diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml index d246113d..8cdf23f1 100644 --- a/baselines/cnssi-1253.yaml +++ b/baselines/cnssi-1253.yaml @@ -1,6 +1,6 @@ -title: "macOS 11.0: Security Configuration - CNSSI-1253" +title: "macOS 11: Security Configuration - CNSSI-1253" description: | - This guide describes the actions to take when securing a macOS 11.0 system against the CNSSI-1253 baseline. + This guide describes the actions to take when securing a macOS 11 system against the CNSSI-1253 baseline. profile: - section: "authentication" rules: @@ -33,7 +33,6 @@ profile: - section: "macos" rules: - os_firewall_default_deny_require - - os_ssh_server_alive_count_max_configure - os_firmware_password_require - os_gatekeeper_rearm - os_root_disable @@ -42,10 +41,12 @@ profile: - os_screensaver_loginwindow_enforce - os_handoff_disable - os_firewall_log_enable + - os_ssh_server_alive_interval_configure - os_tftpd_disable - os_password_autofill_disable - os_password_sharing_disable - os_ssh_fips_140_ciphers + - os_authenticated_root_enable - os_sudoers_tty_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce 
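Review bot: The all_rules hunks add only `os_application_sandboxing`, `os_prohibit_remote_activation_collab_devices` and six not_applicable entries, while the rest of this series introduces many more rule IDs into other baselines (`audit_record_reduction_report_generation`, `audit_records_processing`, `os_reauth_users_change_authenticators`, `os_reauth_devices_change_authenticators`, `os_unique_identification`, `os_malicious_code_prevention`, `os_separate_functionality`, `pwpolicy_temporary_or_emergency_accounts_disable`, `os_filevault_authorized_users`, the `os_asl_log_files_*`/`os_newsyslog_files_*` rules, `sysprefs_critical_update_install_enforce`, `sysprefs_guest_account_disable`, `sysprefs_guest_access_smb_disable`). Those may already be present in parts of all_rules.yaml outside these hunks, but if any is missing the "all" baseline no longer contains every rule. Since the changelog in this series says `generate_baseline -k all_rules` now produces this file, regenerating it rather than hand-editing would make that guarantee hold.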
@@ -54,14 +55,12 @@ profile: - os_messages_app_disable - os_airdrop_disable - os_parental_controls_enable + - os_ssh_server_alive_count_max_configure - os_nfsd_disable - os_httpd_disable - os_gatekeeper_enable - os_sip_enable - - os_authenticated_root_enable - os_removable_media_disable - - os_guest_account_disable - - os_guest_access_smb_disable - os_time_server_enabled - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable @@ -74,7 +73,6 @@ profile: - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - section: "passwordpolicy" @@ -106,14 +104,17 @@ profile: - icloud_addressbook_disable - section: "systempreferences" rules: - - sysprefs_media_sharing_disabled + - sysprefs_automatic_logout_enforce - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable + - sysprefs_system_wide_preferences_configure - sysprefs_rae_disable + - sysprefs_personalized_advertising_disable + - sysprefs_guest_access_smb_disable - sysprefs_ssh_disable - sysprefs_screensaver_password_enforce + - sysprefs_guest_account_disable - sysprefs_gatekeeper_identified_developers_allowed - sysprefs_gatekeeper_override_disallow - sysprefs_screensaver_timeout_enforce @@ -122,14 +123,15 @@ profile: - sysprefs_content_caching_disable - sysprefs_location_services_disable - sysprefs_time_server_configure + - sysprefs_power_nap_disable - sysprefs_diagnostics_reports_disable - sysprefs_bluetooth_disable - sysprefs_loginwindow_prompt_username_password_enforce - - sysprefs_power_nap_disable - sysprefs_automatic_login_disable - sysprefs_apple_watch_unlock_disable - sysprefs_token_removal_enforce - sysprefs_screensaver_ask_for_password_delay_enforce + - sysprefs_wifi_disable - sysprefs_time_server_enforce - sysprefs_touchid_unlock_disable - sysprefs_screen_sharing_disable 
@@ -139,14 +141,13 @@ profile: - sysprefs_password_hints_disable - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable - - sysprefs_automatic_logout_enforce - - sysprefs_system_wide_preferences_configure - section: "Inherent" rules: - os_prevent_priv_functions - os_logical_access - os_implement_memory_protection - os_implement_cryptography + - os_separate_functionality - os_obscure_password - os_map_pki_identity - os_required_crypto_module @@ -157,9 +158,9 @@ profile: - pwpolicy_emergency_accounts_disable - section: "Permanent" rules: - - os_secure_name_resolution - os_notify_account_enable - os_provide_automated_account_management + - os_secure_name_resolution - os_notify_account_created - os_notify_account_modified - os_notify_account_removal @@ -168,16 +169,15 @@ profile: - os_notify_account_disabled - os_protect_dos_attacks - pwpolicy_50_percent - - sysprefs_wifi_disable + - sysprefs_wifi_disable_when_connected_to_ethernet - section: "not_applicable" rules: - - os_identify_non-org_users - os_nonlocal_maintenance + - os_identify_non-org_users - section: "Supplemental" rules: - supplemental_firewall_pf - supplemental_filevault - supplemental_password_policy - - supplemental_smartcard - supplemental_controls - + - supplemental_smartcard From a912890a4de0f5a604dc1f4dffacb18ac9fcca23 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Mon, 26 Jul 2021 09:34:39 -0400 Subject: [PATCH 132/135] updated changelog --- CHANGELOG.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index 9f71cc28..914d5f6b 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc 
@@ -44,7 +44,7 @@ This document provides a high-level view of the changes to the macOS Security Co * Scripts ** generate_guidanace -*** Bug fixes +*** Added additional flags to the compliance scipt generated (--stats, --compliant, --non_compliant) link:https://github.com/usnistgov/macos_security/pull/64[#64] ** generate_baseline *** Added `-k all_rules` to generate a baseline containing all the rules *** Bug fixes From 9e3c8fcaf822b3e6225ff748d7434512d76b69ac Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Mon, 26 Jul 2021 09:40:47 -0400 Subject: [PATCH 133/135] changelog --- CHANGELOG.adoc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index 914d5f6b..8db5b234 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc @@ -40,7 +40,7 @@ This document provides a high-level view of the changes to the macOS Security Co * Baselines ** Added NIST 800-53 Rev 5 (Low, Moderate, High and Privacy) -** Modified the All Rules +** Modified existing baselines * Scripts ** generate_guidanace @@ -52,6 +52,10 @@ This document provides a high-level view of the changes to the macOS Security Co *** Bug fixes ** Added generate_mapping.py to generate custom rules from a mapping between compliance frameworks +* SCAP +** Included SCAP 1.3 datastream file only +** Removed macos-cpe-dictionary.xml, macos-cpe-oval.xml, ocil.xml, oval.xml, xccdf.html, and xccdf.xml + == [Big Sur, Revision 2] - 2021-03-18 * Rules From cd9de2dd8f80935cb33ee52044d6a01848cacaef Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Mon, 26 Jul 2021 09:48:33 -0400 Subject: [PATCH 134/135] minor edit --- CHANGELOG.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index 8db5b234..f31fd3e8 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc 
@@ -39,12 +39,12 @@ This document provides a high-level view of the changes to the macOS Security Co ** Bug Fixes * Baselines -** Added NIST 800-53 Rev 5 (Low, Moderate, High and Privacy) +** Added NIST 800-53 Rev 5 (Low, Moderate, High, and Privacy) ** Modified existing baselines * Scripts ** generate_guidanace -*** Added additional flags to the compliance scipt generated (--stats, --compliant, --non_compliant) link:https://github.com/usnistgov/macos_security/pull/64[#64] +*** Added additional flags to the compliance scipt generated (--stats, --compliant, and --non_compliant) link:https://github.com/usnistgov/macos_security/pull/64[#64] ** generate_baseline *** Added `-k all_rules` to generate a baseline containing all the rules *** Bug fixes From 184efffcf6825231a4b79c16535f8cd7fb2fe088 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Mon, 26 Jul 2021 10:32:05 -0400 Subject: [PATCH 135/135] edit changelog --- CHANGELOG.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index f31fd3e8..4368700e 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc @@ -40,6 +40,7 @@ This document provides a high-level view of the changes to the macOS Security Co * Baselines ** Added NIST 800-53 Rev 5 (Low, Moderate, High, and Privacy) +** Removed NIST 800-53 Rev 5 (Low, Moderate, and High) ** Modified existing baselines * Scripts