Merge branch 'tahoe'

macOS Tahoe Guidance Release
Bob Gendler
2025-09-11 15:41:55 -04:00
357 changed files with 1962 additions and 4593 deletions

@@ -2,161 +2,70 @@
This document provides a high-level view of the changes to the macOS Security Compliance Project.
## [Sequoia, Revision 2.0] - 2025-07-01
## [Tahoe, Revision 1.0] - 2025-09-11
* Rules
* Added Rules
* os_mail_smart_reply_disable
* os_notes_transcription_disable
* os_notes_transcription_summary_disable
* os_safari_reader_summary_disable
* os_sshd_per_source_penalties_configure
* os_loginwindow_adminhostinfo_disabled
* os_safari_clear_history_disable
* os_safari_private_browsing_disable
* os_skip_apple_intelligence_enable
* system_settings_download_software_update_enforce
* system_settings_security_update_install
* Modified Rules
* os_genmoji_disable.yaml
* os_implement_cryptography.yaml
* os_iphone_mirroring_disable.yaml
* os_mail_summary_disable.yaml
* os_nfsd_disable.yaml
* os_parental_controls_enable.yaml
* os_password_hint_remove.yaml
* os_power_nap_disable.yaml
* os_separate_functionality.yaml
* os_sleep_and_display_sleep_apple_silicon_enable.yaml
* os_sudo_log_enforce.yaml
* os_time_server_enabled.yaml
* audit_auditd_enabled
* os_appleid_prompt_disable
* os_authenticated_root_enable
* os_external_storage_access_defined
* os_httpd_disable
* os_icloud_storage_prompt_disable
* os_network_storage_restriction
* os_privacy_setup_prompt_disable
* os_recovery_lock_enable
* os_screensaver_loginwindow_enforce
* os_secure_boot_verify
* os_siri_prompt_disable
* os_skip_screen_time_prompt_enable
* os_skip_unlock_with_watch_enable
* os_tftpd_disable
* os_time_server_enabled
* os_touchid_prompt_disable
* os_unlock_active_user_session_disable
* os_writing_tools_disable.yaml
* pwpolicy_50_percent.yaml
* pwpolicy_history_enforce.yaml
* pwpolicy_upper_case_character_enforce.yaml
* supplemental_cis_manual.yaml
* system_settings_automatic_login_disable.yaml
* system_settings_bluetooth_sharing_disable.yaml
* system_settings_content_caching_disable.yaml
* system_settings_external_intelligence_disable.yaml
* system_settings_external_intelligence_sign_in_disable.yaml
* system_settings_guest_access_smb_disable.yaml
* system_settings_guest_account_disable.yaml
* system_settings_improve_assistive_voice_disable.yaml
* system_settings_improve_search_disable.yaml
* system_settings_internet_sharing_disable.yaml
* system_settings_loginwindow_loginwindowtext_enable.yaml
* system_settings_loginwindow_prompt_username_password_enforce.yaml
* system_settings_media_sharing_disabled.yaml
* system_settings_password_hints_disable.yaml
* system_settings_printer_sharing_disable.yaml
* system_settings_rae_disable.yaml
* system_settings_remote_management_disable.yaml
* system_settings_screen_sharing_disable.yaml
* system_settings_screensaver_ask_for_password_delay_enforce.yaml
* system_settings_screensaver_timeout_enforce.yaml
* system_settings_siri_disable.yaml
* system_settings_siri_listen_disable.yaml
* system_settings_smbd_disable.yaml
* system_settings_software_update_enforce.yaml
* system_settings_ssh_disable.yaml
* system_settings_time_server_configure.yaml
* system_settings_time_server_enforce.yaml
* system_settings_wake_network_access_disable.yaml
* Bug Fixes
* Baselines
* Updated CIS to v1.1.0
* Updated DISA STIG Ver 1, Rel 3
* Scripts
* generate_guidance
* bug fixes
* generate_scap.py
* bug fixes
## [Sequoia, Revision 1.1] - 2024-12-16
* Rules
* Added Rules
* os_iphone_mirroring_disable
* os_mail_summary_disable
* os_photos_enhanced_search_disable
* system_settings_external_intelligence_disable
* system_settings_external_intelligence_sign_in_disable
* Modified Rules
* os_sleep_and_display_sleep_apple_silicon_enable
* os_sudo_log_enforce
* os_world_writable_library_folder_configure
* os_password_autofill_disable
* pwpolicy_alpha_numeric_enforce
* pwpolicy_custom_regex_enforce
* pwpolicy_lower_case_character_enforce.yaml
* pwpolicy_max_lifetime_enforce
* pwpolicy_minimum_lifetime_enforce
* pwpolicy_history_enforce
* pwpolicy_account_lockout_timeout_enforce
* os_uucp_disable
* pwpolicy_account_lockout_enforce
* pwpolicy_prevent_dictionary_words
* pwpolicy_simple_sequence_disable
* pwpolicy_account_lockout_timeout_enforce
* pwpolicy_history_enforce
* pwpolicy_lower_case_character_enforce
* pwpolicy_max_lifetime_enforce
* pwpolicy_minimum_length_enforce
* pwpolicy_minimum_lifetime_enforce
* pwpolicy_special_character_enforce
* pwpolicy_upper_case_character_enforce.yaml
* system_settings_improve_assistive_voice_disable
* pwpolicy_upper_case_character_enforce
* system_settings_bluetooth_sharing_disable
* system_settings_hot_corners_secure
* system_settings_location_services_disable
* system_settings_location_services_enable
* system_settings_screen_sharing_disable
* system_settings_ssh_disable
* system_settings_time_machine_encrypted_configure
* Removed Rules
* system_settings_cd_dvd_sharing_disable
* os_loginwindow_adminhostinfo_undefined
* os_show_filename_extensions_enable
* system_settings_security_update_install
* system_settings_software_update_enforce
* Bug Fixes
* Baselines
* Added DISA STIG v1r1
* Added CIS Level (Draft -> Final)
* Updated CNSSI-1253
## [Sequoia, Revision 1.0] - 2024-09-12
* Rules
* Added Rules
* os_genmoji_disable
* os_image_generation_disable
* os_iphone_mirroring_disable
* os_sudo_log_enforce
* os_writing_tools_disable
* Modified Rules
* os_anti_virus_installed
* os_gatekeeper_enable
* os_ssh_fips_compliant
* system_settings_firewall_enable
* system_settings_firewall_stealth_mode_enable
* system_settings_gatekeeper_identified_developers_allowed
* system_settings_media_sharing_disabled
* DDM Support
* auth_pam_login_smartcard_enforce
* auth_pam_su_smartcard_enforce
* auth_pam_sudo_smartcard_enforce
* auth_ssh_password_authentication_disable
* os_external_storage_restriction
* os_network_storage_restriction
* os_policy_banner_ssh_enforce
* os_sshd_channel_timeout_configure
* os_sshd_client_alive_count_max_configure
* os_sshd_client_alive_interval_configure
* os_sshd_fips_compliant
* os_sshd_login_grace_time_configure
* os_sshd_permit_root_login_configure
* os_sshd_unused_connection_timeout_configure
* os_sudo_timeout_configure
* pwpolicy_account_lockout_enforce
* pwpolicy_account_lockout_timeout_enforce
* pwpolicy_alpha_numeric_enforce
* pwpolicy_custom_regex_enforce
* pwpolicy_history_enforce
* pwpolicy_max_lifetime_enforce
* pwpolicy_minimum_length_enforce
* pwpolicy_simple_sequence_disable
* pwpolicy_special_character_enforce
* Removed Rules
* os_firewall_log_enable
* os_gatekeeper_rearm
* os_safari_popups_disabled
* Bug Fixes
* Baselines
* Modified existing baselines
* Updated 800-171 to Revision 3
* Scripts
* generate_guidance
* Support for Declarative Device Management (DDM)
* Added support for severity
* generate_baseline
* generate_mappings
* Added flag for consolidated configuration profile
* Updated DDM logic for nested keys
* Added shell check to compliance script
* Updated current user check in compliance script
* Support for Managed Arguments in compliance script
* Bug Fixes
* generate_scap
* Added support for severity
* Support for oval 5.12.1
* Support for scap 1.4
* Added shellcommand for all tests
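
Review bot: `system_settings_security_update_install` appears under both "Added Rules" and "Removed Rules" in this changelog hunk, while the baseline hunks in this commit list it as a rule in use, so the "Removed Rules" entry looks wrong for the Tahoe section; please confirm and drop it if so. The "Modified Rules" list also mixes bare rule IDs with `.yaml` filenames (for example `os_time_server_enabled` and `os_time_server_enabled.yaml`); if both forms survive in the new file, use bare IDs throughout so the list can be matched against baseline entries.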

@@ -1,7 +1,7 @@
![Alt text](templates/images/mscp_banner_outline.png)
![Alt text](https://badgen.net/badge/icon/apple?icon=apple&label)
![Alt text](https://badgen.net/badge/icon/15.0?icon=apple&label)
![Alt text](https://badgen.net/badge/icon/26.0?icon=apple&label)
> [!IMPORTANT]
> We recommend working off of one of the OS branches, rather than the `main` branch.
@@ -14,7 +14,7 @@ Apple acknowledges the macOS Security Compliance Project with information on the
This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
To learn more about the project, please see the [wiki](https://github.com/usnistgov/macos_security/wiki).
To learn more about the project, [click here](http://pages.nist.gov/macos_security/).
If you are interested in supporting the development of the project, refer to the [contributor guidance](CONTRIBUTING.md) for more information.
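
Review bot: the "click here" line links to `http://pages.nist.gov/macos_security/` over plain HTTP and uses link text that says nothing about the destination. Point it at the `https://` URL and keep descriptive link text, as the wiki line does, so readers reach the project's security guidance over an authenticated connection.
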
@@ -35,7 +35,7 @@ Civilian agencies are to use the National Checklist Program as required by [NIST
|Dan Brodjieski|NASA
|John Mahlman IV|Leidos
|Aaron Kegerreis|DISA
|Henry Stamerjohann|Zentral Pro Services GmbH
|Henry Stamerjohann|Declarative IT GmbH
|Marco A Piñeryo II|State Department
|Jason Blake|NIST
|Blair Heiserman|NIST

@@ -1,5 +1,5 @@
os: "15.0"
os: "26.0"
platform: macOS
version: "Sequoia Guidance, Revision 2.0"
cpe: o:apple:macos:15.0
date: "2025-07-01"
version: "Tahoe Guidance, Revision 1.0"
cpe: o:apple:macos:26.0
date: "2025-09-11"

@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - NIST 800-171 Rev 3"
title: "macOS 26.0: Security Configuration - NIST 800-171 Rev 3"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the NIST 800-171 Rev 3 security baseline.
This guide describes the actions to take when securing a macOS 26.0 system against the NIST 800-171 Rev 3 security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -78,10 +78,10 @@ profile:
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_image_generation_disable
- os_image_playground_disable
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_loginwindow_adminhostinfo_disabled
- os_mail_smart_reply_disable
- os_mail_summary_disable
- os_mdm_require
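
Review bot: the changelog does not list `os_image_playground_disable` as added or `os_image_generation_disable` as removed, although this hunk carries both IDs at the same position, next to the `os_loginwindow_adminhostinfo_undefined` / `os_loginwindow_adminhostinfo_disabled` pair. A changed rule ID silently drops out of tailored baselines and exemption lists that still name the old one, so record each rename in the changelog with its old and new name.
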
@@ -104,6 +104,7 @@ profile:
- os_screensaver_loginwindow_enforce
- os_sip_enable
- os_siri_prompt_disable
- os_skip_apple_intelligence_enable
- os_skip_screen_time_prompt_enable
- os_skip_unlock_with_watch_enable
- os_ssh_fips_compliant

@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact"
title: "macOS 26.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline.
This guide describes the actions to take when securing a macOS 26.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -85,10 +85,10 @@ profile:
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_image_generation_disable
- os_image_playground_disable
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_loginwindow_adminhostinfo_disabled
- os_mail_smart_reply_disable
- os_mail_summary_disable
- os_mdm_require
@@ -114,6 +114,7 @@ profile:
- os_setup_assistant_filevault_enforce
- os_sip_enable
- os_siri_prompt_disable
- os_skip_apple_intelligence_enable
- os_skip_unlock_with_watch_enable
- os_ssh_fips_compliant
- os_ssh_server_alive_count_max_configure
@@ -184,6 +185,7 @@ profile:
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_password_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_security_update_install
- system_settings_siri_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable

@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - NIST SP 800-53 Rev 5 Low Impact"
title: "macOS 26.0: Security Configuration - NIST SP 800-53 Rev 5 Low Impact"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the NIST SP 800-53 Rev 5 Low Impact security baseline.
This guide describes the actions to take when securing a macOS 26.0 system against the NIST SP 800-53 Rev 5 Low Impact security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -76,7 +76,7 @@ profile:
- os_handoff_disable
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_image_generation_disable
- os_image_playground_disable
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_mail_smart_reply_disable
@@ -98,6 +98,7 @@ profile:
- os_safari_reader_summary_disable
- os_sip_enable
- os_siri_prompt_disable
- os_skip_apple_intelligence_enable
- os_skip_unlock_with_watch_enable
- os_ssh_fips_compliant
- os_sshd_fips_compliant
@@ -151,6 +152,7 @@ profile:
- system_settings_remote_management_disable
- system_settings_screen_sharing_disable
- system_settings_screensaver_timeout_enforce
- system_settings_security_update_install
- system_settings_siri_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable

@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - NIST SP 800-53 Rev 5 Moderate Impact"
title: "macOS 26.0: Security Configuration - NIST SP 800-53 Rev 5 Moderate Impact"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the NIST SP 800-53 Rev 5 Moderate Impact security baseline.
This guide describes the actions to take when securing a macOS 26.0 system against the NIST SP 800-53 Rev 5 Moderate Impact security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -83,10 +83,10 @@ profile:
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_image_generation_disable
- os_image_playground_disable
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_loginwindow_adminhostinfo_disabled
- os_mail_smart_reply_disable
- os_mail_summary_disable
- os_mdm_require
@@ -112,6 +112,7 @@ profile:
- os_setup_assistant_filevault_enforce
- os_sip_enable
- os_siri_prompt_disable
- os_skip_apple_intelligence_enable
- os_skip_unlock_with_watch_enable
- os_ssh_fips_compliant
- os_ssh_server_alive_count_max_configure
@@ -181,6 +182,7 @@ profile:
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_password_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_security_update_install
- system_settings_siri_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable

@@ -1,193 +0,0 @@
title: "macOS 15.0: Security Configuration - Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 3"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 3 security baseline.
authors: |
*macOS Security Compliance Project*
|===
|Dan Brodjieski|National Aeronautics and Space Administration
|Allen Golbig|Jamf
|Bob Gendler|National Institute of Standards and Technology
|Aaron Kegerreis|Defense Information Systems Agency
|===
parent_values: "stig"
profile:
- section: "auditing"
rules:
- audit_acls_files_configure
- audit_acls_folders_configure
- audit_auditd_enabled
- audit_configure_capacity_notify
- audit_control_acls_configure
- audit_control_group_configure
- audit_control_mode_configure
- audit_control_owner_configure
- audit_failure_halt
- audit_files_group_configure
- audit_files_mode_configure
- audit_files_owner_configure
- audit_flags_aa_configure
- audit_flags_ad_configure
- audit_flags_ex_configure
- audit_flags_fd_configure
- audit_flags_fm_configure
- audit_flags_fr_configure
- audit_flags_fw_configure
- audit_flags_lo_configure
- audit_folder_group_configure
- audit_folder_owner_configure
- audit_folders_mode_configure
- audit_retention_configure
- audit_settings_failure_notify
- section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- auth_smartcard_certificate_trust_enforce_moderate
- auth_smartcard_enforce
- auth_ssh_password_authentication_disable
- section: "icloud"
rules:
- icloud_addressbook_disable
- icloud_bookmarks_disable
- icloud_calendar_disable
- icloud_drive_disable
- icloud_freeform_disable
- icloud_game_center_disable
- icloud_keychain_disable
- icloud_mail_disable
- icloud_notes_disable
- icloud_photos_disable
- icloud_private_relay_disable
- icloud_reminders_disable
- icloud_sync_disable
- section: "macos"
rules:
- os_account_modification_disable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_asl_log_files_owner_group_configure
- os_asl_log_files_permissions_configure
- os_authenticated_root_enable
- os_bonjour_disable
- os_camera_disable
- os_certificate_authority_trust
- os_config_data_install_enforce
- os_dictation_disable
- os_erase_content_and_settings_disable
- os_ess_installed
- os_facetime_app_disable
- os_filevault_autologin_disable
- os_firmware_password_require
- os_gatekeeper_enable
- os_genmoji_disable
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_image_generation_disable
- os_install_log_retention_configure
- os_loginwindow_adminhostinfo_undefined
- os_mdm_require
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_password_hint_remove
- os_password_proximity_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
- os_privacy_setup_prompt_disable
- os_recovery_lock_enable
- os_root_disable
- os_secure_boot_verify
- os_sip_enable
- os_siri_prompt_disable
- os_skip_screen_time_prompt_enable
- os_skip_unlock_with_watch_enable
- os_ssh_fips_compliant
- os_ssh_server_alive_count_max_configure
- os_ssh_server_alive_interval_configure
- os_sshd_channel_timeout_configure
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_login_grace_time_configure
- os_sshd_permit_root_login_configure
- os_sshd_unused_connection_timeout_configure
- os_sudo_log_enforce
- os_sudo_timeout_configure
- os_sudoers_timestamp_type_configure
- os_tftpd_disable
- os_time_server_enabled
- os_touchid_prompt_disable
- os_unlock_active_user_session_disable
- os_user_app_installation_prohibit
- os_uucp_disable
- os_writing_tools_disable
- section: "passwordpolicy"
rules:
- pwpolicy_account_inactivity_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_special_character_enforce
- pwpolicy_temporary_or_emergency_accounts_disable
- section: "systemsettings"
rules:
- system_settings_airplay_receiver_disable
- system_settings_apple_watch_unlock_disable
- system_settings_automatic_login_disable
- system_settings_automatic_logout_enforce
- system_settings_bluetooth_disable
- system_settings_bluetooth_settings_disable
- system_settings_bluetooth_sharing_disable
- system_settings_content_caching_disable
- system_settings_diagnostics_reports_disable
- system_settings_filevault_enforce
- system_settings_find_my_disable
- system_settings_firewall_enable
- system_settings_gatekeeper_identified_developers_allowed
- system_settings_guest_account_disable
- system_settings_hot_corners_disable
- system_settings_improve_assistive_voice_disable
- system_settings_improve_search_disable
- system_settings_improve_siri_dictation_disable
- system_settings_internet_sharing_disable
- system_settings_location_services_disable
- system_settings_loginwindow_prompt_username_password_enforce
- system_settings_media_sharing_disabled
- system_settings_password_hints_disable
- system_settings_personalized_advertising_disable
- system_settings_printer_sharing_disable
- system_settings_rae_disable
- system_settings_remote_management_disable
- system_settings_screen_sharing_disable
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_password_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_siri_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable
- system_settings_system_wide_preferences_configure
- system_settings_time_server_configure
- system_settings_time_server_enforce
- system_settings_token_removal_enforce
- system_settings_touchid_unlock_disable
- system_settings_usb_restricted_mode
- system_settings_wallet_applepay_settings_disable
- section: "Supplemental"
rules:
- supplemental_controls
- supplemental_filevault
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
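
Review bot: the whole DISA STIG baseline (193 lines, `parent_values: "stig"`) is deleted with no replacement file in the part of the diff shown here and no matching line in the changelog hunk. Add a Baselines entry stating whether a STIG baseline ships with Tahoe Revision 1.0, so sites that generate guidance from it can see why the build no longer finds it.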

@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - All Rules"
title: "macOS 26.0: Security Configuration - All Rules"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the All Rules security baseline.
This guide describes the actions to take when securing a macOS 26.0 system against the All Rules security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -110,12 +110,12 @@ profile:
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_image_generation_disable
- os_image_playground_disable
- os_install_log_retention_configure
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_library_validation_enabled
- os_loginwindow_adminhostinfo_undefined
- os_loginwindow_adminhostinfo_disabled
- os_mail_app_disable
- os_mail_smart_reply_disable
- os_mail_summary_disable
@@ -147,8 +147,10 @@ profile:
- os_removable_media_disable
- os_root_disable
- os_safari_advertising_privacy_protection_enable
- os_safari_clear_history_disable
- os_safari_open_safe_downloads_disable
- os_safari_prevent_cross-site_tracking_enable
- os_safari_private_browsing_disable
- os_safari_reader_summary_disable
- os_safari_show_full_website_address_enable
- os_safari_show_status_bar_enabled
@@ -157,12 +159,13 @@ profile:
- os_screensaver_timeout_loginwindow_enforce
- os_secure_boot_verify
- os_setup_assistant_filevault_enforce
- os_show_filename_extensions_enable
- os_sip_enable
- os_siri_prompt_disable
- os_skip_apple_intelligence_enable
- os_skip_screen_time_prompt_enable
- os_skip_unlock_with_watch_enable
- os_sleep_and_display_sleep_apple_silicon_enable
- os_software_update_app_update_enforce
- os_software_update_deferral
- os_ssh_fips_compliant
- os_ssh_server_alive_count_max_configure
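
Review bot: `os_software_update_app_update_enforce` in this hunk is missing from the changelog's "Added Rules" list, while `os_show_filename_extensions_enable`, which sits in the same hunk, is listed there under "Removed Rules". If the `os_` rule replaces `system_settings_software_update_app_update_enforce`, say so in the changelog so audit results keyed on the old ID can be remapped.
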
@@ -220,6 +223,7 @@ profile:
- system_settings_content_caching_disable
- system_settings_critical_update_install_enforce
- system_settings_diagnostics_reports_disable
- system_settings_download_software_update_enforce
- system_settings_external_intelligence_disable
- system_settings_external_intelligence_sign_in_disable
- system_settings_filevault_enforce
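
Review bot: `system_settings_download_software_update_enforce` differs from `system_settings_software_update_download_enforce` (further down this file) only in word order, which is easy to misread in tailoring files and exemption lists. State in the changelog which ID is retired, and check that no baseline ends up carrying both for the same setting.
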
@@ -253,13 +257,12 @@ profile:
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_password_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_security_update_install
- system_settings_siri_disable
- system_settings_siri_listen_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable
- system_settings_software_update_app_update_enforce
- system_settings_software_update_download_enforce
- system_settings_software_update_enforce
- system_settings_softwareupdate_current
- system_settings_ssh_disable
- system_settings_ssh_enable

@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 1)"
title: "macOS 26.0: Security Configuration - CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1) - DRAFT"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 1) security baseline.
This guide describes the actions to take when securing a macOS 26.0 system against the CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1) - DRAFT security baseline.
authors: |
*macOS Security Compliance Project*
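
Review bot: the draft status is carried only as a "- DRAFT" suffix inside `title` and inside the `description` sentence, which now reads "... Benchmark (Level 1) - DRAFT security baseline". Record in the changelog's Baselines section that the Tahoe CIS mapping is a draft against v1.0.0, so generated guidance is not mistaken for the final benchmark.
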
@@ -40,7 +40,6 @@ profile:
- os_httpd_disable
- os_install_log_retention_configure
- os_mail_summary_disable
- os_mdm_require
- os_mobile_file_integrity_enable
- os_nfsd_disable
- os_notes_transcription_disable
@@ -55,8 +54,8 @@ profile:
- os_safari_show_full_website_address_enable
- os_safari_show_status_bar_enabled
- os_safari_warn_fraudulent_website_enable
- os_show_filename_extensions_enable
- os_sip_enable
- os_software_update_app_update_enforce
- os_software_update_deferral
- os_sudo_log_enforce
- os_sudo_timeout_configure
@@ -78,7 +77,6 @@ profile:
rules:
- system_settings_airplay_receiver_disable
- system_settings_automatic_login_disable
- system_settings_bluetooth_menu_enable
- system_settings_bluetooth_sharing_disable
- system_settings_critical_update_install_enforce
- system_settings_diagnostics_reports_disable
@@ -93,6 +91,7 @@ profile:
- system_settings_improve_siri_dictation_disable
- system_settings_install_macos_updates_enforce
- system_settings_internet_sharing_disable
- system_settings_location_services_menu_enforce
- system_settings_loginwindow_loginwindowtext_enable
- system_settings_loginwindow_prompt_username_password_enforce
- system_settings_password_hints_disable
@@ -105,9 +104,7 @@ profile:
- system_settings_screensaver_timeout_enforce
- system_settings_siri_disable
- system_settings_smbd_disable
- system_settings_software_update_app_update_enforce
- system_settings_software_update_download_enforce
- system_settings_software_update_enforce
- system_settings_softwareupdate_current
- system_settings_ssh_disable
- system_settings_system_wide_preferences_configure
@@ -115,7 +112,6 @@ profile:
- system_settings_time_server_configure
- system_settings_time_server_enforce
- system_settings_wake_network_access_disable
- system_settings_wifi_menu_enable
- section: "Supplemental"
rules:
- supplemental_cis_manual

@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 2)"
title: "macOS 26.0: Security Configuration - CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2) - DRAFT"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 2) security baseline.
This guide describes the actions to take when securing a macOS 26.0 system against the CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2) - DRAFT security baseline.
authors: |
*macOS Security Compliance Project*
@@ -51,7 +51,6 @@ profile:
- os_httpd_disable
- os_install_log_retention_configure
- os_mail_summary_disable
- os_mdm_require
- os_mobile_file_integrity_enable
- os_nfsd_disable
- os_notes_transcription_disable
@@ -67,9 +66,9 @@ profile:
- os_safari_show_full_website_address_enable
- os_safari_show_status_bar_enabled
- os_safari_warn_fraudulent_website_enable
- os_show_filename_extensions_enable
- os_sip_enable
- os_sleep_and_display_sleep_apple_silicon_enable
- os_software_update_app_update_enforce
- os_software_update_deferral
- os_sudo_log_enforce
- os_sudo_timeout_configure
@@ -95,7 +94,6 @@ profile:
rules:
- system_settings_airplay_receiver_disable
- system_settings_automatic_login_disable
- system_settings_bluetooth_menu_enable
- system_settings_bluetooth_sharing_disable
- system_settings_content_caching_disable
- system_settings_critical_update_install_enforce
@@ -128,9 +126,7 @@ profile:
- system_settings_screensaver_timeout_enforce
- system_settings_siri_disable
- system_settings_smbd_disable
- system_settings_software_update_app_update_enforce
- system_settings_software_update_download_enforce
- system_settings_software_update_enforce
- system_settings_softwareupdate_current
- system_settings_ssh_disable
- system_settings_system_wide_preferences_configure
@@ -139,7 +135,6 @@ profile:
- system_settings_time_server_configure
- system_settings_time_server_enforce
- system_settings_wake_network_access_disable
- system_settings_wifi_menu_enable
- section: "Supplemental"
rules:
- supplemental_cis_manual

@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - CIS Controls Version 8"
title: "macOS 26.0: Security Configuration - CIS Controls Version 8"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the CIS Controls Version 8 security baseline.
This guide describes the actions to take when securing a macOS 26.0 system against the CIS Controls Version 8 security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -101,11 +101,12 @@ profile:
- os_safari_show_status_bar_enabled
- os_safari_warn_fraudulent_website_enable
- os_setup_assistant_filevault_enforce
- os_show_filename_extensions_enable
- os_sip_enable
- os_siri_prompt_disable
- os_skip_apple_intelligence_enable
- os_skip_unlock_with_watch_enable
- os_sleep_and_display_sleep_apple_silicon_enable
- os_software_update_app_update_enforce
- os_sudo_log_enforce
- os_sudo_timeout_configure
- os_sudoers_timestamp_type_configure
@@ -142,6 +143,7 @@ profile:
- system_settings_content_caching_disable
- system_settings_critical_update_install_enforce
- system_settings_diagnostics_reports_disable
- system_settings_download_software_update_enforce
- system_settings_external_intelligence_disable
- system_settings_external_intelligence_sign_in_disable
- system_settings_filevault_enforce
@@ -169,13 +171,12 @@ profile:
- system_settings_screen_sharing_disable
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_security_update_install
- system_settings_siri_disable
- system_settings_siri_listen_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable
- system_settings_software_update_app_update_enforce
- system_settings_software_update_download_enforce
- system_settings_software_update_enforce
- system_settings_softwareupdate_current
- system_settings_ssh_disable
- system_settings_system_wide_preferences_configure
@@ -207,6 +208,5 @@ profile:
- os_access_control_mobile_devices
- section: "Supplemental"
rules:
- supplemental_cis_manual
- supplemental_filevault
- supplemental_password_policy
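
Review bot: dropping a Supplemental entry here (the hunk header goes from 6 lines to 5) needs a changelog line and a reason. `supplemental_cis_manual` still appears in the Level 1 and Level 2 CIS baselines in this commit, so confirm which of the three Supplemental entries is meant to leave the CIS Controls Version 8 baseline.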

@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - US CMMC 2.0 Level 1"
title: "macOS 26.0: Security Configuration - US CMMC 2.0 Level 1"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the US CMMC 2.0 Level 1 security baseline.
This guide describes the actions to take when securing a macOS 26.0 system against the US CMMC 2.0 Level 1 security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -51,7 +51,7 @@ profile:
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_image_generation_disable
- os_image_playground_disable
- os_iphone_mirroring_disable
- os_mail_smart_reply_disable
- os_mail_summary_disable
@@ -67,6 +67,7 @@ profile:
- os_safari_reader_summary_disable
- os_sip_enable
- os_siri_prompt_disable
- os_skip_apple_intelligence_enable
- os_skip_unlock_with_watch_enable
- os_tftpd_disable
- os_unlock_active_user_session_disable
@@ -78,6 +79,8 @@ profile:
- system_settings_bluetooth_sharing_disable
- system_settings_critical_update_install_enforce
- system_settings_diagnostics_reports_disable
- system_settings_external_intelligence_disable
- system_settings_external_intelligence_sign_in_disable
- system_settings_find_my_disable
- system_settings_firewall_enable
- system_settings_firewall_stealth_mode_enable
@@ -93,6 +96,7 @@ profile:
- system_settings_personalized_advertising_disable
- system_settings_rae_disable
- system_settings_screen_sharing_disable
- system_settings_security_update_install
- system_settings_siri_disable
- system_settings_smbd_disable
- system_settings_ssh_disable

View File

@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - US CMMC 2.0 Level 2"
title: "macOS 26.0: Security Configuration - US CMMC 2.0 Level 2"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the US CMMC 2.0 Level 2 security baseline.
This guide describes the actions to take when securing a macOS 26.0 system against the US CMMC 2.0 Level 2 security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -47,6 +47,7 @@ profile:
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- auth_smartcard_certificate_trust_enforce_high
- auth_smartcard_certificate_trust_enforce_moderate
- auth_smartcard_enforce
- auth_ssh_password_authentication_disable
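Review bot: With auth_smartcard_certificate_trust_enforce_high added, this baseline now lists both the _high and the _moderate certificate-trust rule back to back. If the two rules set the same smartcard payload key to different values, the generated profile and the compliance check will disagree about which one applies. Keep only the level that CMMC 2.0 Level 2 is meant to require, or add a comment explaining why both are listed.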
@@ -96,7 +97,7 @@ profile:
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_image_generation_disable
- os_image_playground_disable
- os_install_log_retention_configure
- os_iphone_mirroring_disable
- os_ir_support_disable
@@ -126,6 +127,7 @@ profile:
- os_setup_assistant_filevault_enforce
- os_sip_enable
- os_siri_prompt_disable
- os_skip_apple_intelligence_enable
- os_skip_screen_time_prompt_enable
- os_skip_unlock_with_watch_enable
- os_ssh_fips_compliant
@@ -170,6 +172,8 @@ profile:
- system_settings_content_caching_disable
- system_settings_critical_update_install_enforce
- system_settings_diagnostics_reports_disable
- system_settings_external_intelligence_disable
- system_settings_external_intelligence_sign_in_disable
- system_settings_filevault_enforce
- system_settings_find_my_disable
- system_settings_firewall_enable
@@ -197,6 +201,7 @@ profile:
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_password_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_security_update_install
- system_settings_siri_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable

View File

@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (High)"
title: "macOS 26.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (High)"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the Committee on National Security Systems Instruction No. 1253 (High) security baseline.
This guide describes the actions to take when securing a macOS 26.0 system against the Committee on National Security Systems Instruction No. 1253 (High) security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -103,13 +103,14 @@ profile:
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_image_generation_disable
- os_image_playground_disable
- os_install_log_retention_configure
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_loginwindow_adminhostinfo_disabled
- os_mail_app_disable
- os_mail_smart_reply_disable
- os_mail_summary_disable
- os_mdm_require
- os_messages_app_disable
- os_newsyslog_files_owner_group_configure
@@ -123,6 +124,7 @@ profile:
- os_password_hint_remove
- os_password_proximity_disable
- os_password_sharing_disable
- os_photos_enhanced_search_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
@@ -139,6 +141,7 @@ profile:
- os_setup_assistant_filevault_enforce
- os_sip_enable
- os_siri_prompt_disable
- os_skip_apple_intelligence_enable
- os_skip_screen_time_prompt_enable
- os_skip_unlock_with_watch_enable
- os_ssh_fips_compliant
@@ -219,6 +222,7 @@ profile:
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_password_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_security_update_install
- system_settings_siri_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable

View File

@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Low)"
title: "macOS 26.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Low)"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the Committee on National Security Systems Instruction No. 1253 (Low) security baseline.
This guide describes the actions to take when securing a macOS 26.0 system against the Committee on National Security Systems Instruction No. 1253 (Low) security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -102,13 +102,14 @@ profile:
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_image_generation_disable
- os_image_playground_disable
- os_install_log_retention_configure
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_loginwindow_adminhostinfo_disabled
- os_mail_app_disable
- os_mail_smart_reply_disable
- os_mail_summary_disable
- os_mdm_require
- os_messages_app_disable
- os_newsyslog_files_owner_group_configure
@@ -122,6 +123,7 @@ profile:
- os_password_hint_remove
- os_password_proximity_disable
- os_password_sharing_disable
- os_photos_enhanced_search_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
@@ -137,6 +139,7 @@ profile:
- os_setup_assistant_filevault_enforce
- os_sip_enable
- os_siri_prompt_disable
- os_skip_apple_intelligence_enable
- os_skip_screen_time_prompt_enable
- os_skip_unlock_with_watch_enable
- os_ssh_fips_compliant
@@ -215,6 +218,7 @@ profile:
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_password_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_security_update_install
- system_settings_siri_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable

View File

@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Moderate)"
title: "macOS 26.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Moderate)"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the Committee on National Security Systems Instruction No. 1253 (Moderate) security baseline.
This guide describes the actions to take when securing a macOS 26.0 system against the Committee on National Security Systems Instruction No. 1253 (Moderate) security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -102,12 +102,14 @@ profile:
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_image_generation_disable
- os_image_playground_disable
- os_install_log_retention_configure
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_loginwindow_adminhostinfo_disabled
- os_mail_app_disable
- os_mail_smart_reply_disable
- os_mail_summary_disable
- os_mdm_require
- os_messages_app_disable
- os_newsyslog_files_owner_group_configure
@@ -121,6 +123,7 @@ profile:
- os_password_hint_remove
- os_password_proximity_disable
- os_password_sharing_disable
- os_photos_enhanced_search_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
@@ -137,6 +140,7 @@ profile:
- os_setup_assistant_filevault_enforce
- os_sip_enable
- os_siri_prompt_disable
- os_skip_apple_intelligence_enable
- os_skip_screen_time_prompt_enable
- os_skip_unlock_with_watch_enable
- os_ssh_fips_compliant
@@ -196,6 +200,7 @@ profile:
- system_settings_firewall_stealth_mode_enable
- system_settings_gatekeeper_identified_developers_allowed
- system_settings_gatekeeper_override_disallow
- system_settings_guest_access_smb_disable
- system_settings_guest_account_disable
- system_settings_hot_corners_disable
- system_settings_hot_corners_secure
@@ -216,6 +221,7 @@ profile:
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_password_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_security_update_install
- system_settings_siri_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable
@@ -283,3 +289,6 @@ profile:
- os_managed_access_control_points
- os_non_repudiation
- os_nonlocal_maintenance
- section: "Supplemental"
rules:
- supplemental_password_policy
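Review bot: The Supplemental section with supplemental_password_policy is appended to the Moderate baseline only; the CNSSI-1253 High and Low diffs in this commit have no matching hunk at the end of the file. The same applies to system_settings_guest_access_smb_disable a few hunks up. Confirm that High and Low already carry both entries, otherwise the three impact levels diverge and Moderate ends up stricter than High.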

View File

@@ -1,4 +1,6 @@
# Ignore everything in this directory
*
# Except this file
!.gitignore
!.gitignore
!sections
!rules
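Review bot: The comment "# Except this file" no longer describes what follows it, since sections and rules are now un-ignored as well. Also note that "!sections" and "!rules" only re-include the directory entries: files inside them still match "*" unless a later negation such as "!.gitignore" applies. If the intent is just to keep the two directories present through their own .gitignore files, say so in a comment; if the intent is to track their contents, the patterns need to cover the files too.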

View File

@@ -83,20 +83,21 @@ titles:
800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact
800-53r5_low: NIST SP 800-53 Rev 5 Low Impact
800-171: NIST 800-171 Rev 3
cis_lvl1: CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 1)
cis_lvl2: CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 2)
cis_lvl1: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1) - DRAFT
cis_lvl2: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2) - DRAFT
cmmc_lvl1: US CMMC 2.0 Level 1
cmmc_lvl2: US CMMC 2.0 Level 2
cisv8: CIS Controls Version 8
cnssi-1253_low: Committee on National Security Systems Instruction No. 1253 (Low)
cnssi-1253_moderate: Committee on National Security Systems Instruction No. 1253 (Moderate)
cnssi-1253_high: Committee on National Security Systems Instruction No. 1253 (High)
stig: Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 3
stig: Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 4
ddm:
supported_types:
- com.apple.configuration.services.configuration-files
- com.apple.configuration.passcode.settings
- com.apple.configuration.diskmanagement.settings
- com.apple.configuration.softwareupdate.settings
services:
com.apple.bash: /etc/
com.apple.pam: /etc/pam.d/
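Review bot: The stig title is inconsistent with the rest of the commit. It still names the Apple macOS 15 (Sequoia) STIG and only moves from Rel 3 to Rel 4, while the rule files changed alongside it switch their disa_stig references to APPL-26-... IDs. Either mark the entry the way the CIS titles are marked here ("- DRAFT"), or keep the APPL-15 IDs in the rules until the title can name the STIG those IDs come from, so generated guidance does not cite IDs under a benchmark title that does not contain them. Separately, the new com.apple.configuration.softwareupdate.settings entry under supported_types has no comment saying which rules depend on it.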

View File

@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- CCE-94101-3
- CCE-95101-2
cci:
- CCI-000162
- CCI-000163
@@ -36,7 +36,7 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- APPL-15-000030
- APPL-26-000030
800-171r3:
- 03.03.08
cis:
@@ -47,7 +47,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r4_low

View File

@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- CCE-94102-1
- CCE-95102-0
cci:
- CCI-000162
- CCI-000162
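Review bot: The cci list in the context lines of this hunk contains CCI-000162 twice. The sibling audit rules changed in this commit list CCI-000162 followed by CCI-000163, so the second entry is probably meant to be CCI-000163. The file is already being touched for the CCE change, so fix the duplicate here.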
@@ -36,7 +36,7 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- APPL-15-000031
- APPL-26-000031
800-171r3:
- 03.03.08
cis:
@@ -47,7 +47,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -8,7 +8,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- CCE-94103-9
- CCE-95103-8
cci:
- N/A
800-53r5:
@@ -20,7 +20,7 @@ references:
srg:
- N/A
macOS:
- '15.0'
- '26.0'
tags:
- permanent
mobileconfig: false

View File

@@ -9,9 +9,9 @@ discussion: |
The information system initiates session audits at system start-up.
NOTE: Security auditing is NOT enabled by default on macOS Sequoia.
NOTE: Security auditing is NOT enabled by default on macOS Tahoe.
check: |
LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
LAUNCHD_RUNNING=$(/bin/launchctl print system | /usr/bin/grep -c -E '\tcom.apple.auditd')
AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")
if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then
echo "pass"
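Review bot: The new LAUNCHD_RUNNING line still feeds an exact "== 1" comparison, but the pattern '\tcom.apple.auditd' is anchored only on the left and leaves the dots unescaped. Any additional line in the launchctl print system output whose label begins with com.apple.auditd would push the count to 2 and fail a compliant host. Anchor the end of the label as well, or test for at least one match instead of exactly one. \t is also not a POSIX ERE escape, so the match depends on how this grep build treats it. A short comment in the check saying why the tab is required and why the command moved from launchctl list to launchctl print system would help the next maintainer.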
@@ -33,7 +33,7 @@ fix: |
----
references:
cce:
- CCE-94104-7
- CCE-95104-6
cci:
- CCI-000130
- CCI-000131
@@ -104,7 +104,7 @@ references:
- SRG-OS-000055-GPOS-00026
- SRG-OS-000755-GPOS-00220
disa_stig:
- APPL-15-001003
- APPL-26-001003
800-171r3:
- 03.03.02
- 03.03.03
@@ -119,7 +119,7 @@ references:
- AU.L2-3.3.2
- AU.L2-3.3.6
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- CCE-94105-4
- CCE-95105-3
cci:
- CCI-000139
- CCI-001855
@@ -27,9 +27,9 @@ references:
- SRG-OS-000046-GPOS-00022
- SRG-OS-000343-GPOS-00134
disa_stig:
- APPL-15-001030
- APPL-26-001030
macOS:
- '15.0'
- '26.0'
odv:
hint: Percentage of free space.
recommended: 25

View File

@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- CCE-94106-2
- CCE-95106-1
cci:
- CCI-000162
- CCI-000163
@@ -35,7 +35,7 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- APPL-15-001140
- APPL-26-001140
800-171r3:
- 03.03.08
cis:
@@ -46,7 +46,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- '15.0'
- '26.0'
tags:
- cis_lvl1
- cis_lvl2

View File

@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- CCE-94107-0
- CCE-95107-9
cci:
- CCI-000162
- CCI-000163
@@ -35,7 +35,7 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- APPL-15-001110
- APPL-26-001110
800-171r3:
- 03.03.08
cis:
@@ -46,7 +46,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- '15.0'
- '26.0'
tags:
- cis_lvl1
- cis_lvl2

View File

@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- CCE-94108-8
- CCE-95108-7
cci:
- CCI-000162
- CCI-000163
@@ -35,7 +35,7 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- APPL-15-001130
- APPL-26-001130
800-171r3:
- 03.03.08
cis:
@@ -46,7 +46,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- '15.0'
- '26.0'
tags:
- cis_lvl1
- cis_lvl2

View File

@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- CCE-94109-6
- CCE-95109-5
cci:
- CCI-000162
- CCI-000163
@@ -35,7 +35,7 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- APPL-15-001120
- APPL-26-001120
800-171r3:
- 03.03.08
cis:
@@ -46,7 +46,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- '15.0'
- '26.0'
tags:
- cis_lvl1
- cis_lvl2

View File

@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- CCE-94110-4
- CCE-95110-3
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000360-GPOS-00147
macOS:
- '15.0'
- '26.0'
tags:
- permanent
- cnssi-1253_high

View File

@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- CCE-94111-2
- CCE-95111-1
cci:
- CCI-000140
800-53r5:
@@ -25,13 +25,13 @@ references:
srg:
- SRG-OS-000047-GPOS-00023
disa_stig:
- APPL-15-001010
- APPL-26-001010
800-171r3:
- 03.03.04
cmmc:
- AU.L2-3.3.4
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- CCE-94112-0
- CCE-95112-9
cci:
- CCI-000162
- CCI-000163
@@ -37,7 +37,7 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- APPL-15-001014
- APPL-26-001014
800-171r3:
- 03.03.08
cis:
@@ -48,7 +48,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- CCE-94113-8
- CCE-95113-7
cci:
- CCI-000162
- CCI-000163
@@ -33,7 +33,7 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- APPL-15-001016
- APPL-26-001016
800-171r3:
- 03.03.08
cis:
@@ -44,7 +44,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- CCE-94114-6
- CCE-95114-5
cci:
- CCI-000162
- CCI-000163
@@ -37,7 +37,7 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- APPL-15-001012
- APPL-26-001012
800-171r3:
- 03.03.08
cis:
@@ -48,7 +48,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- CCE-94115-3
- CCE-95115-2
cci:
- CCI-000172
- CCI-001814
@@ -47,7 +47,7 @@ references:
- SRG-OS-000458-GPOS-00203
- SRG-OS-000468-GPOS-00212
disa_stig:
- APPL-15-001044
- APPL-26-001044
800-171r3:
- 03.03.01
- 03.03.03
@@ -63,7 +63,7 @@ references:
- AU.L2-3.3.6
- SI.L2-3.14.3
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_privacy
- 800-53r4_low

View File

@@ -21,7 +21,7 @@ fix: |
----
references:
cce:
- CCE-94116-1
- CCE-95116-0
cci:
- CCI-000018
- CCI-000172
@@ -66,7 +66,7 @@ references:
- SRG-OS-000303-GPOS-00120
- SRG-OS-000755-GPOS-00220
disa_stig:
- APPL-15-001001
- APPL-26-001001
800-171r3:
- 03.01.07
- 03.03.01
@@ -83,7 +83,7 @@ references:
- AU.L2-3.3.6
- SI.L2-3.14.3
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_privacy
- 800-53r4_low

View File

@@ -18,7 +18,7 @@ fix: |
----
references:
cce:
- CCE-94117-9
- CCE-95117-8
cci:
- CCI-000172
- CCI-001814
@@ -38,7 +38,7 @@ references:
- SRG-OS-000458-GPOS-00203
- SRG-OS-000463-GPOS-00207
disa_stig:
- APPL-15-001024
- APPL-26-001024
800-171r3:
- 03.03.01
- 03.03.03
@@ -54,7 +54,7 @@ references:
- AU.L2-3.3.6
- SI.L2-3.14.3
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_privacy
- 800-53r4_low

View File

@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- CCE-94118-7
- CCE-95118-6
cci:
- CCI-000162
- CCI-000163
@@ -61,7 +61,7 @@ references:
- SRG-OS-000458-GPOS-00203
- SRG-OS-000058-GPOS-00028
disa_stig:
- APPL-15-001020
- APPL-26-001020
800-171r3:
- 03.03.01
- 03.03.03
@@ -72,7 +72,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_privacy
- 800-53r5_low

View File

@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- CCE-94119-5
- CCE-95119-4
cci:
- CCI-000162
- CCI-000163
@@ -62,7 +62,7 @@ references:
- SRG-OS-000458-GPOS-00203
- SRG-OS-000058-GPOS-00028
disa_stig:
- APPL-15-001021
- APPL-26-001021
800-171r3:
- 03.03.01
- 03.03.03
@@ -73,7 +73,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- '15.0'
- '26.0'
tags:
- cnssi-1253_low
- cnssi-1253_high

View File

@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- CCE-94120-3
- CCE-95120-2
cci:
- N/A
800-53r5:
@@ -56,7 +56,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_privacy
- 800-53r5_low

View File

@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- CCE-94121-1
- CCE-95121-0
cci:
- CCI-000172
- CCI-001814
@@ -53,7 +53,7 @@ references:
- SRG-OS-000458-GPOS-00203
- SRG-OS-000058-GPOS-00028
disa_stig:
- APPL-15-001022
- APPL-26-001022
800-171r3:
- 03.03.01
- 03.03.03
@@ -71,7 +71,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_privacy
- 800-53r4_low

View File

@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- CCE-94122-9
- CCE-95122-8
cci:
- CCI-000172
- CCI-001814
@@ -54,7 +54,7 @@ references:
- SRG-OS-000458-GPOS-00203
- SRG-OS-000058-GPOS-00028
disa_stig:
- APPL-15-001023
- APPL-26-001023
800-171r3:
- 03.03.01
- 03.03.03
@@ -72,7 +72,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_privacy
- 800-53r4_low

View File

@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- CCE-94123-7
- CCE-95123-6
cci:
- CCI-000067
- CCI-000172
@@ -45,7 +45,7 @@ references:
- SRG-OS-000458-GPOS-00203
- SRG-OS-000755-GPOS-00220
disa_stig:
- APPL-15-001002
- APPL-26-001002
800-171r3:
- 03.03.01
- 03.03.03
@@ -62,7 +62,7 @@ references:
- AU.L2-3.3.6
- SI.L2-3.14.3
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_privacy
- 800-53r4_low

View File

@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- CCE-94124-5
- CCE-95124-4
cci:
- CCI-000162
- CCI-000163
@@ -37,7 +37,7 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- APPL-15-001015
- APPL-26-001015
800-171r3:
- 03.03.08
cis:
@@ -48,7 +48,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- CCE-94125-2
- CCE-95125-1
cci:
- CCI-000162
- CCI-000163
@@ -37,7 +37,7 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- APPL-15-001013
- APPL-26-001013
800-171r3:
- 03.03.08
cis:
@@ -48,7 +48,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- CCE-94126-0
- CCE-95126-9
cci:
- CCI-000162
- CCI-000163
@@ -35,7 +35,7 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- APPL-15-001017
- APPL-26-001017
800-171r3:
- 03.03.08
cis:
@@ -46,7 +46,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- CCE-94127-8
- CCE-95127-7
cci:
- N/A
800-53r5:
@@ -30,7 +30,7 @@ references:
controls v8:
- 8.9
macOS:
- '15.0'
- '26.0'
tags:
- permanent
- cisv8

View File

@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-94128-6
- CCE-95128-5
cci:
- N/A
800-53r5:
@@ -34,7 +34,7 @@ references:
cmmc:
- AU.L2-3.3.6
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_high
- 800-53r4_high

View File

@@ -10,7 +10,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- CCE-94129-4
- CCE-95129-3
cci:
- N/A
800-53r5:
@@ -27,7 +27,7 @@ references:
cmmc:
- AU.L2-3.3.6
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_high
- 800-53r4_high

View File

@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- CCE-94130-2
- CCE-95130-1
cci:
- CCI-001849
800-53r5:
@@ -27,7 +27,7 @@ references:
srg:
- SRG-OS-000341-GPOS-00132
disa_stig:
- APPL-15-001029
- APPL-26-001029
cis:
benchmark:
- 3.4 (level 1)
@@ -39,7 +39,7 @@ references:
800-171r3:
- 03.03.03
macOS:
- '15.0'
- '26.0'
odv:
hint: See man audit_control for possible values.
recommended: 7d

View File

@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- CCE-94131-0
- CCE-95131-9
cci:
- CCI-000140
- CCI-001858
@@ -29,13 +29,13 @@ references:
- SRG-OS-000047-GPOS-00023
- SRG-OS-000344-GPOS-00135
disa_stig:
- APPL-15-001031
- APPL-26-001031
800-171r3:
- 03.03.04
cmmc:
- AU.L2-3.3.4
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -37,7 +37,7 @@ fix: |
----
references:
cce:
- CCE-94132-8
- CCE-95132-7
cci:
- CCI-000765
- CCI-000766
@@ -61,7 +61,7 @@ references:
- SRG-OS-000105-GPOS-00052
- SRG-OS-000705-GPOS-00150
disa_stig:
- APPL-15-003050
- APPL-26-003050
800-171r3:
- 03.05.03
- 03.05.04
@@ -76,7 +76,7 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -32,7 +32,7 @@ fix: |
----
references:
cce:
- CCE-94133-6
- CCE-95133-5
cci:
- CCI-000765
- CCI-000766
@@ -56,7 +56,7 @@ references:
- SRG-OS-000105-GPOS-00052
- SRG-OS-000705-GPOS-00150
disa_stig:
- APPL-15-003051
- APPL-26-003051
800-171r3:
- 03.05.03
- 03.05.04
@@ -71,7 +71,7 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -31,7 +31,7 @@ fix: |
----
references:
cce:
- CCE-94134-4
- CCE-95134-3
cci:
- CCI-000765
- CCI-000766
@@ -55,7 +55,7 @@ references:
- SRG-OS-000105-GPOS-00052
- SRG-OS-000705-GPOS-00150
disa_stig:
- APPL-15-003052
- APPL-26-003052
800-171r3:
- 03.05.03
- 03.05.04
@@ -70,7 +70,7 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -17,7 +17,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94135-1
- CCE-95135-0
cci:
- CCI-000187
- CCI-000765
@@ -42,7 +42,7 @@ references:
- SRG-OS-000105-GPOS-00052
- SRG-OS-000068-GPOS-00036
disa_stig:
- APPL-15-003030
- APPL-26-003030
cis:
benchmark:
- N/A
@@ -57,7 +57,7 @@ references:
800-171r3:
- 03.05.03
macOS:
- '15.0'
- '26.0'
tags:
- 800-171
- 800-53r5_low

View File

@@ -19,7 +19,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94136-9
- CCE-95136-8
cci:
- N/A
800-53r5:
@@ -35,13 +35,14 @@ references:
cmmc:
- SC.L2-3.13.10
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r4_high
- 800-53r5_high
- cnssi-1253_high
- cnssi-1253_moderate
- cnssi-1253_low
- cmmc_lvl2
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:

View File

@@ -19,7 +19,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94137-7
- CCE-95137-6
cci:
- CCI-000186
- CCI-001953
@@ -39,11 +39,11 @@ references:
- SRG-OS-000377-GPOS-00162
- SRG-OS-000066-GPOS-00034
disa_stig:
- APPL-15-001060
- APPL-26-001060
cmmc:
- SC.L2-3.13.10
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r4_moderate
- 800-53r5_moderate

View File

@@ -21,7 +21,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94138-5
- CCE-95138-4
cci:
- CCI-000186
- CCI-000765
@@ -61,7 +61,7 @@ references:
- SRG-OS-000105-GPOS-00052
- SRG-OS-000705-GPOS-00150
disa_stig:
- APPL-15-003020
- APPL-26-003020
800-171r3:
- 03.05.01
- 03.05.03
@@ -79,7 +79,7 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -32,7 +32,7 @@ fix: |
----
references:
cce:
- CCE-94139-3
- CCE-95139-2
cci:
- CCI-000186
- CCI-000765
@@ -72,7 +72,7 @@ references:
- SRG-OS-000375-GPOS-00160
- SRG-OS-000105-GPOS-00052
disa_stig:
- APPL-15-001150
- APPL-26-001150
800-171r3:
- 03.05.01
- 03.05.03
@@ -92,7 +92,7 @@ references:
- IA.L2-3.5.4
- MA.L2-3.7.5
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94140-1
- CCE-95140-0
cci:
- CCI-000381
- CCI-001774
@@ -33,7 +33,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002014
- APPL-26-002014
800-171r3:
- 03.01.20
- 03.04.06
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -12,7 +12,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94141-9
- CCE-95141-8
cci:
- N/A
800-53r5:
@@ -43,7 +43,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94142-7
- CCE-95142-6
cci:
- CCI-000381
- CCI-001774
@@ -33,7 +33,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002042
- APPL-26-002042
800-171r3:
- 03.01.20
- 03.04.06
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94143-5
- CCE-95143-4
cci:
- CCI-000381
- CCI-001774
@@ -33,7 +33,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002012
- APPL-26-002012
800-171r3:
- 03.01.20
- 03.04.06
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94144-3
- CCE-95144-2
cci:
- CCI-000381
- CCI-001774
@@ -33,7 +33,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002041
- APPL-26-002041
800-171r3:
- 03.01.20
- 03.04.06
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94145-0
- CCE-95145-9
cci:
- CCI-000381
- CCI-001774
@@ -33,7 +33,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002270
- APPL-26-002270
800-171r3:
- 03.01.20
- 03.04.06
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94146-8
- CCE-95146-7
cci:
- CCI-000381
800-53r5:
@@ -31,7 +31,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002160
- APPL-26-002160
800-171r3:
- 03.01.20
- 03.04.06
@@ -47,7 +47,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94147-6
- CCE-95147-5
cci:
- CCI-001774
- CCI-000381
@@ -33,7 +33,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002040
- APPL-26-002040
800-171r3:
- 03.01.20
- 03.04.06
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94148-4
- CCE-95148-3
cci:
- CCI-000381
- CCI-001774
@@ -33,7 +33,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002015
- APPL-26-002015
800-171r3:
- 03.01.20
- 03.04.06
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94149-2
- CCE-95149-1
cci:
- CCI-000381
- CCI-001774
@@ -33,7 +33,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002016
- APPL-26-002016
800-171r3:
- 03.01.20
- 03.04.06
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94150-0
- CCE-95150-9
cci:
- CCI-000381
- CCI-001774
@@ -33,7 +33,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002043
- APPL-26-002043
800-171r3:
- 03.01.20
- 03.04.06
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94151-8
- CCE-95151-7
cci:
- CCI-000381
800-53r5:
@@ -32,7 +32,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002170
- APPL-26-002170
800-171r3:
- 03.01.20
- 03.04.06
@@ -48,7 +48,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94152-6
- CCE-95152-5
cci:
- CCI-000381
- CCI-001774
@@ -33,7 +33,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002013
- APPL-26-002013
800-171r3:
- 03.01.20
- 03.04.06
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94153-4
- CCE-95153-3
cci:
- CCI-000381
800-53r5:
@@ -32,7 +32,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002150
- APPL-26-002150
800-171r3:
- 03.01.20
- 03.04.06
@@ -48,7 +48,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- CCE-94154-2
- CCE-95154-1
cci:
- N/A
800-53r5:
@@ -33,7 +33,7 @@ references:
800-171r3:
- 03.01.18
macOS:
- '15.0'
- '26.0'
tags:
- 800-171
- 800-53r5_low

View File

@@ -22,7 +22,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94155-9
- CCE-95155-8
cci:
- CCI-000381
800-53r5:
@@ -39,7 +39,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002120
- APPL-26-002120
800-171r3:
- 03.01.20
- 03.04.06
@@ -54,7 +54,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94156-7
- CCE-95156-6
cci:
- CCI-000213
- CCI-000381
@@ -34,7 +34,7 @@ references:
- SRG-OS-000080-GPOS-00048
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002009
- APPL-26-002009
800-171r3:
- 03.01.02
- 03.01.20
@@ -52,7 +52,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-94157-5
- CCE-95157-4
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000312-GPOS-00122
macOS:
- '15.0'
- '26.0'
tags:
- inherent
- cnssi-1253_low

View File

@@ -18,7 +18,7 @@ fix: |
NOTE: These services cannot be unloaded or loaded while System Integrity Protection (SIP) is enabled.
references:
cce:
- CCE-94158-3
- CCE-95158-2
cci:
- CCI-000366
800-53r5:
@@ -37,7 +37,7 @@ references:
- 10.1
- 10.2
macOS:
- '15.0'
- '26.0'
tags:
- cis_lvl1
- cis_lvl2

View File

@@ -5,9 +5,9 @@ discussion: |
macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first login.
check: |
/usr/bin/osascript -l JavaScript << EOS
/usr/bin/osascript -l JavaScript 2>/dev/null << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
.objectForKey('SkipCloudSetup').js
.objectForKey('SkipSetupItems').containsObject("AppleID")
EOS
result:
string: 'true'
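Review bot: in `check`, the `2>/dev/null` added to the `osascript` line discards every scripting error, so a script that errors out and a profile whose `SkipSetupItems` array lacks `AppleID` become indistinguishable: both yield something other than `'true'`. That fails closed, which is the right direction for a compliance result, but the rule should say so because the auditor loses the error text. The old expression also ended in `.js` and the new one does not; confirm that the bare return value of `containsObject("AppleID")` prints as the literal `true` that `result` expects, and settle on one quote style for the string literals.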
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94159-1
- CCE-95159-0
cci:
- CCI-000381
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002035
- APPL-26-002035
800-171r3:
- 03.01.20
cis:
@@ -37,7 +37,7 @@ references:
cmmc:
- AC.L1-3.1.20
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -57,4 +57,5 @@ severity: medium
mobileconfig: true
mobileconfig_info:
com.apple.SetupAssistant.managed:
SkipCloudSetup: true
SkipSetupItems:
- AppleID
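Review bot: `mobileconfig_info` changes the payload from the boolean `SkipCloudSetup: true` to the array `SkipSetupItems` containing `AppleID`, and the check in the first hunk of this file now reads only the new key. A machine still carrying a profile generated from the previous baseline will therefore start failing with no change on the device. Add a line to the rule's `discussion` or to the changelog telling administrators to regenerate and redeploy the profile.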

View File

@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-94160-9
- CCE-95160-8
800-53r5:
- SC-39
800-53r4:
@@ -24,7 +24,7 @@ references:
cci:
- N/A
macOS:
- '15.0'
- '26.0'
tags:
- inherent
- 800-53r5_low

View File

@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- CCE-94161-7
- CCE-95161-6
cci:
- CCI-001312
- CCI-001314
@@ -27,11 +27,11 @@ references:
- SRG-OS-000206-GPOS-00084
- SRG-OS-000205-GPOS-00083
disa_stig:
- APPL-15-004001
- APPL-26-004001
800-171r3:
- N/A
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_moderate
- 800-53r5_high

View File

@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- CCE-94162-5
- CCE-95162-4
cci:
- CCI-001312
- CCI-001314
@@ -25,11 +25,11 @@ references:
- SRG-OS-000206-GPOS-00084
- SRG-OS-000205-GPOS-00083
disa_stig:
- APPL-15-004002
- APPL-26-004002
800-171r3:
- N/A
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_moderate
- 800-53r5_high

View File

@@ -8,7 +8,7 @@ fix: |
This requirement is a permanent finding and can be fixed by implementing a third party solution.
references:
cce:
- CCE-94163-3
- CCE-95163-2
cci:
- N/A
800-53r5:
@@ -30,7 +30,7 @@ references:
cmmc:
- IA.L1-3.5.2
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_moderate
- 800-53r5_high

View File

@@ -9,7 +9,7 @@ discussion: |
WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input.
check: |
/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "AuthenticatedRootVolumeEnabled = 1;"
/usr/libexec/mdmclient QuerySecurityInfo 2>/dev/null | /usr/bin/grep -c "AuthenticatedRootVolumeEnabled = 1;"
result:
integer: 1
fix: |
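Review bot: in `check`, with `2>/dev/null` placed before the pipe, nothing remains to tell a failed `mdmclient QuerySecurityInfo` from a system where authenticated root is disabled; `grep -c` prints `0` in both cases. The result still fails closed, but document in the rule that `0` can mean the query itself failed, so a remediation run is not started on the wrong diagnosis. Separately, the WARNING in the context line names `csrutil` while the check calls `mdmclient`; say explicitly that the warning applies to the fix command.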
@@ -20,7 +20,7 @@ fix: |
NOTE: To re-enable "Authenticated Root", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
references:
cce:
- CCE-94164-1
- CCE-95164-0
cci:
- CCI-000213
800-53r5:
@@ -39,7 +39,7 @@ references:
srg:
- SRG-OS-000080-GPOS-00048
disa_stig:
- APPL-15-005070
- APPL-26-005070
800-171r3:
- 03.01.02
- 03.04.05
@@ -54,7 +54,7 @@ references:
- CM.L2-3.4.5
- SC.L2-3.13.11
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94165-8
- CCE-95165-7
cci:
- N/A
800-53r5:
@@ -40,7 +40,7 @@ references:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- '15.0'
- '26.0'
tags:
- cnssi-1253_low
- cnssi-1253_high

View File

@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94166-6
- CCE-95166-5
cci:
- N/A
800-53r5:
@@ -40,7 +40,7 @@ references:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- '15.0'
- '26.0'
tags:
- cnssi-1253_low
- cnssi-1253_high

View File

@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94167-4
- CCE-95167-3
cci:
- N/A
800-53r5:
@@ -40,7 +40,7 @@ references:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- '15.0'
- '26.0'
tags:
- cnssi-1253_low
- cnssi-1253_high

View File

@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94168-2
- CCE-95168-1
cci:
- N/A
800-53r5:
@@ -40,7 +40,7 @@ references:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- '15.0'
- '26.0'
tags:
- cnssi-1253_low
- cnssi-1253_high

View File

@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94169-0
- CCE-95169-9
cci:
- CCI-000381
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002005
- APPL-26-002005
800-171r3:
- 03.04.06
cis:
@@ -38,7 +38,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94170-8
- CCE-95170-7
cci:
- N/A
800-53r5:
@@ -32,7 +32,7 @@ references:
800-171r3:
- 03.08.07
macOS:
- '15.0'
- '26.0'
tags:
- 800-171
- cnssi-1253_low

View File

@@ -33,7 +33,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94171-6
- CCE-95171-5
cci:
- N/A
800-53r5:
@@ -62,7 +62,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- cnssi-1253_low
- cnssi-1253_high

View File

@@ -25,7 +25,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94172-4
- CCE-95172-3
cci:
- CCI-000381
- CCI-001774
@@ -36,9 +36,9 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002017
- APPL-26-002017
macOS:
- '15.0'
- '26.0'
tags:
- stig
severity: medium

View File

@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94173-2
- CCE-95173-1
cci:
- N/A
800-53r5:
@@ -40,7 +40,7 @@ references:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- '15.0'
- '26.0'
tags:
- cnssi-1253_low
- cnssi-1253_high

View File

@@ -10,7 +10,7 @@ fix: |
Obtain the approved certificates from the appropriate authority and install them to the System Keychain.
references:
cce:
- CCE-94174-0
- CCE-95174-9
cci:
- CCI-002470
- CCI-000185
@@ -24,11 +24,11 @@ references:
- SRG-OS-000403-GPOS-00182
- SRG-OS-000775-GPOS-00230
disa_stig:
- APPL-15-003001
- APPL-26-003001
cmmc:
- SC.L2-3.13.10
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_moderate
- 800-53r5_high

View File

@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-94175-7
- CCE-95175-6
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000312-GPOS-00123
macOS:
- '15.0'
- '26.0'
tags:
- inherent
- cnssi-1253_low

View File

@@ -19,7 +19,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94176-5
- CCE-95176-4
cci:
- CCI-000366
800-53r5:
@@ -30,12 +30,12 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- APPL-15-005130
- APPL-26-005130
800-171r3:
- 03.14.02
cis:
benchmark:
- 1.6 (level 1)
- 1.5 (level 1)
controls v8:
- 7.3
- 7.4
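Review bot: under `cis`, the `benchmark` entry moves from `1.6 (level 1)` to `1.5 (level 1)` while `controls v8` is unchanged, and the reference carries no benchmark version. State which CIS benchmark the new numbering comes from, in the changelog or a comment, so anyone mapping this rule to a CIS recommendation can confirm that `1.5` is the same recommendation and not a neighbouring one.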
@@ -45,7 +45,7 @@ references:
- SI.L1-3.14.2
- SI.L1-3.14.4
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94177-3
- CCE-95177-2
cci:
- N/A
800-53r5:
@@ -32,7 +32,7 @@ references:
disa_stig:
- N/A
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate

View File

@@ -8,7 +8,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- CCE-94178-1
- CCE-95178-0
cci:
- N/A
800-53r5:
@@ -20,7 +20,7 @@ references:
disa_stig:
- N/A
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_moderate
- 800-53r5_high

View File

@@ -14,7 +14,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-94179-9
- CCE-95179-8
cci:
- N/A
800-53r5:
@@ -26,7 +26,7 @@ references:
srg:
- SRG-OS-000278-GPOS-00108
macOS:
- '15.0'
- '26.0'
tags:
- 800-53r5_high
- 800-53r4_high

View File

@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94180-7
- CCE-95180-6
cci:
- CCI-000381
800-53r5:
@@ -28,7 +28,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- APPL-15-002230
- APPL-26-002230
800-171r3:
- 03.01.20
- 03.04.06
@@ -43,7 +43,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- '15.0'
- '26.0'
tags:
- i386
- 800-53r5_low

View File

@@ -12,7 +12,7 @@ fix: |
Integrate the system into an existing directory services infrastructure.
references:
cce:
- CCE-94181-5
- CCE-95181-4
cci:
- N/A
800-53r5:
@@ -29,7 +29,7 @@ references:
controls v8:
- 6.7
macOS:
- '15.0'
- '26.0'
tags:
- cisv8
severity: medium

Some files were not shown because too many files have changed in this diff