diff --git a/CHANGELOG.md b/CHANGELOG.md
index e01f3169..acb9f372 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,161 +2,70 @@ This document provides a high-level view of the changes to the macOS Security Compliance Project. -## [Sequoia, Revision 2.0] - 2025-07-01 +## [Tahoe, Revision 1.0] - 2025-09-11 + * Rules * Added Rules - * os_mail_smart_reply_disable - * os_notes_transcription_disable - * os_notes_transcription_summary_disable - * os_safari_reader_summary_disable - * os_sshd_per_source_penalties_configure + * os_loginwindow_adminhostinfo_disabled + * os_safari_clear_history_disable + * os_safari_private_browsing_disable + * os_skip_apple_intelligence_enable + * system_settings_download_software_update_enforce + * system_settings_security_update_install * Modified Rules - * os_genmoji_disable.yaml - * os_implement_cryptography.yaml - * os_iphone_mirroring_disable.yaml - * os_mail_summary_disable.yaml - * os_nfsd_disable.yaml - * os_parental_controls_enable.yaml - * os_password_hint_remove.yaml - * os_power_nap_disable.yaml - * os_separate_functionality.yaml - * os_sleep_and_display_sleep_apple_silicon_enable.yaml - * os_sudo_log_enforce.yaml - * os_time_server_enabled.yaml + * audit_auditd_enabled + * os_appleid_prompt_disable + * os_authenticated_root_enable + * os_external_storage_access_defined + * os_httpd_disable + * os_icloud_storage_prompt_disable + * os_network_storage_restriction + * os_privacy_setup_prompt_disable + * os_recovery_lock_enable + * os_screensaver_loginwindow_enforce + * os_secure_boot_verify + * os_siri_prompt_disable + * os_skip_screen_time_prompt_enable + * os_skip_unlock_with_watch_enable + * os_tftpd_disable + * os_time_server_enabled + * os_touchid_prompt_disable * os_unlock_active_user_session_disable - * os_writing_tools_disable.yaml - * pwpolicy_50_percent.yaml - * pwpolicy_history_enforce.yaml - * pwpolicy_upper_case_character_enforce.yaml - * supplemental_cis_manual.yaml - * system_settings_automatic_login_disable.yaml - * system_settings_bluetooth_sharing_disable.yaml - * system_settings_content_caching_disable.yaml - * 
system_settings_external_intelligence_disable.yaml - * system_settings_external_intelligence_sign_in_disable.yaml - * system_settings_guest_access_smb_disable.yaml - * system_settings_guest_account_disable.yaml - * system_settings_improve_assistive_voice_disable.yaml - * system_settings_improve_search_disable.yaml - * system_settings_internet_sharing_disable.yaml - * system_settings_loginwindow_loginwindowtext_enable.yaml - * system_settings_loginwindow_prompt_username_password_enforce.yaml - * system_settings_media_sharing_disabled.yaml - * system_settings_password_hints_disable.yaml - * system_settings_printer_sharing_disable.yaml - * system_settings_rae_disable.yaml - * system_settings_remote_management_disable.yaml - * system_settings_screen_sharing_disable.yaml - * system_settings_screensaver_ask_for_password_delay_enforce.yaml - * system_settings_screensaver_timeout_enforce.yaml - * system_settings_siri_disable.yaml - * system_settings_siri_listen_disable.yaml - * system_settings_smbd_disable.yaml - * system_settings_software_update_enforce.yaml - * system_settings_ssh_disable.yaml - * system_settings_time_server_configure.yaml - * system_settings_time_server_enforce.yaml - * system_settings_wake_network_access_disable.yaml - * Bug Fixes -* Baselines - * Updated CIS to v1.1.0 - * Updated DISA STIG Ver 1, Rel 3 -* Scripts - * generate_guidance - * bug fixes - * generate_scap.py - * bug fixes - -## [Sequoia, Revision 1.1] - 2024-12-16 - -* Rules - * Added Rules - * os_iphone_mirroring_disable - * os_mail_summary_disable - * os_photos_enhanced_search_disable - * system_settings_external_intelligence_disable - * system_settings_external_intelligence_sign_in_disable - * Modified Rules - * os_sleep_and_display_sleep_apple_silicon_enable - * os_sudo_log_enforce * os_world_writable_library_folder_configure - * os_password_autofill_disable - * pwpolicy_alpha_numeric_enforce - * pwpolicy_custom_regex_enforce - * pwpolicy_lower_case_character_enforce.yaml - * 
pwpolicy_max_lifetime_enforce - * pwpolicy_minimum_lifetime_enforce - * pwpolicy_history_enforce - * pwpolicy_account_lockout_timeout_enforce + * os_uucp_disable * pwpolicy_account_lockout_enforce - * pwpolicy_prevent_dictionary_words - * pwpolicy_simple_sequence_disable + * pwpolicy_account_lockout_timeout_enforce + * pwpolicy_history_enforce + * pwpolicy_lower_case_character_enforce + * pwpolicy_max_lifetime_enforce + * pwpolicy_minimum_length_enforce + * pwpolicy_minimum_lifetime_enforce * pwpolicy_special_character_enforce - * pwpolicy_upper_case_character_enforce.yaml - * system_settings_improve_assistive_voice_disable + * pwpolicy_upper_case_character_enforce + * system_settings_bluetooth_sharing_disable + * system_settings_hot_corners_secure + * system_settings_location_services_disable + * system_settings_location_services_enable + * system_settings_screen_sharing_disable + * system_settings_ssh_disable + * system_settings_time_machine_encrypted_configure * Removed Rules - * system_settings_cd_dvd_sharing_disable + * os_loginwindow_adminhostinfo_undefined + * os_show_filename_extensions_enable + * system_settings_security_update_install + * system_settings_software_update_enforce * Bug Fixes -* Baselines - * Added DISA STIG v1r1 - * Added CIS Level (Draft -> Final) - * Updated CNSSI-1253 - -## [Sequoia, Revision 1.0] - 2024-09-12 - -* Rules - * Added Rules - * os_genmoji_disable - * os_image_generation_disable - * os_iphone_mirroring_disable - * os_sudo_log_enforce - * os_writing_tools_disable - * Modified Rules - * os_anti_virus_installed - * os_gatekeeper_enable - * os_ssh_fips_compliant - * system_settings_firewall_enable - * system_settings_firewall_stealth_mode_enable - * system_settings_gatekeeper_identified_developers_allowed - * system_settings_media_sharing_disabled - * DDM Support - * auth_pam_login_smartcard_enforce - * auth_pam_su_smartcard_enforce - * auth_pam_sudo_smartcard_enforce - * auth_ssh_password_authentication_disable - * 
os_external_storage_restriction - * os_network_storage_restriction - * os_policy_banner_ssh_enforce - * os_sshd_channel_timeout_configure - * os_sshd_client_alive_count_max_configure - * os_sshd_client_alive_interval_configure - * os_sshd_fips_compliant - * os_sshd_login_grace_time_configure - * os_sshd_permit_root_login_configure - * os_sshd_unused_connection_timeout_configure - * os_sudo_timeout_configure - * pwpolicy_account_lockout_enforce - * pwpolicy_account_lockout_timeout_enforce - * pwpolicy_alpha_numeric_enforce - * pwpolicy_custom_regex_enforce - * pwpolicy_history_enforce - * pwpolicy_max_lifetime_enforce - * pwpolicy_minimum_length_enforce - * pwpolicy_simple_sequence_disable - * pwpolicy_special_character_enforce - * Removed Rules - * os_firewall_log_enable - * os_gatekeeper_rearm - * os_safari_popups_disabled - * Bug Fixes * Baselines * Modified existing baselines - * Updated 800-171 to Revision 3 * Scripts * generate_guidance - * Support for Declarative Device Management (DDM) - * Added support for severity - * generate_baseline - * generate_mappings + * Added flag for consolidated configuration profile + * Updated DDM logic for nested keys + * Added shell check to compliance script + * Updated current user check in compliance script + * Support for Managed Arguments in compliance script + * Bug Fixes * generate_scap - * Added support for severity + * Support for oval 5.12.1 + * Support for scap 1.4 + * Added shellcommand for all tests \ No newline at end of file diff --git a/README.md b/README.md index 3f0593e5..1ea4ebf0 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ ![Alt text](templates/images/mscp_banner_outline.png) ![Alt text](https://badgen.net/badge/icon/apple?icon=apple&label) -![Alt text](https://badgen.net/badge/icon/15.0?icon=apple&label) +![Alt text](https://badgen.net/badge/icon/26.0?icon=apple&label) > [!IMPORTANT] > We recommend working off of one of the OS branches, rather than the `main` branch. 
@@ -14,7 +14,7 @@ Apple acknowledges the macOS Security Compliance Project with information on the This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization. -To learn more about the project, please see the [wiki](https://github.com/usnistgov/macos_security/wiki). +To learn more about the project, [click here](http://pages.nist.gov/macos_security/). If you are interested in supporting the development of the project, refer to the [contributor guidance](CONTRIBUTING.md) for more information. @@ -35,7 +35,7 @@ Civilian agencies are to use the National Checklist Program as required by [NIST |Dan Brodjieski|NASA |John Mahlman IV|Leidos |Aaron Kegerreis|DISA -|Henry Stamerjohann|Zentral Pro Services GmbH +|Henry Stamerjohann|Declarative IT GmbH |Marco A Piñeryo II|State Department |Jason Blake|NIST |Blair Heiserman|NIST diff --git a/VERSION.yaml b/VERSION.yaml index d78096a9..61983ad8 100644 --- a/VERSION.yaml +++ b/VERSION.yaml @@ -1,5 +1,5 @@ -os: "15.0" +os: "26.0" platform: macOS -version: "Sequoia Guidance, Revision 2.0" -cpe: o:apple:macos:15.0 -date: "2025-07-01" +version: "Tahoe Guidance, Revision 1.0" +cpe: o:apple:macos:26.0 +date: "2025-09-11" diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml index 21d9f79a..241235e9 100644 --- a/baselines/800-171.yaml +++ b/baselines/800-171.yaml 
@@ -1,6 +1,6 @@ -title: "macOS 15.0: Security Configuration - NIST 800-171 Rev 3" +title: "macOS 26.0: Security Configuration - NIST 800-171 Rev 3" description: | - This guide describes the actions to take when securing a macOS 15.0 system against the NIST 800-171 Rev 3 security baseline. + This guide describes the actions to take when securing a macOS 26.0 system against the NIST 800-171 Rev 3 security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | @@ -78,10 +78,10 @@ profile: - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable - - os_image_generation_disable + - os_image_playground_disable - os_iphone_mirroring_disable - os_ir_support_disable - - os_loginwindow_adminhostinfo_undefined + - os_loginwindow_adminhostinfo_disabled - os_mail_smart_reply_disable - os_mail_summary_disable - os_mdm_require @@ -104,6 +104,7 @@ profile: - os_screensaver_loginwindow_enforce - os_sip_enable - os_siri_prompt_disable + - os_skip_apple_intelligence_enable - os_skip_screen_time_prompt_enable - os_skip_unlock_with_watch_enable - os_ssh_fips_compliant diff --git a/baselines/800-53r5_high.yaml b/baselines/800-53r5_high.yaml index cd0e849d..82c008e5 100644 --- a/baselines/800-53r5_high.yaml +++ b/baselines/800-53r5_high.yaml 
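Review bot: The `os_image_generation_disable` → `os_image_playground_disable` rename in the `@@ -78,10 +78,10 @@` hunk is not recorded anywhere in this commit's CHANGELOG hunk, whose Added, Modified and Removed lists name neither identifier. The same rename is applied in the 800-53r5 high, low and moderate, all_rules and cmmc_lvl1 baselines in this commit, so a reader of the changelog cannot tell whether the old rule id still resolves. Adding `* os_image_playground_disable (renamed from os_image_generation_disable)` to the changelog's Modified or Added Rules list would make the baseline change traceable.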
@@ -1,6 +1,6 @@ -title: "macOS 15.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact" +title: "macOS 26.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact" description: | - This guide describes the actions to take when securing a macOS 15.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline. + This guide describes the actions to take when securing a macOS 26.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | @@ -85,10 +85,10 @@ profile: - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable - - os_image_generation_disable + - os_image_playground_disable - os_iphone_mirroring_disable - os_ir_support_disable - - os_loginwindow_adminhostinfo_undefined + - os_loginwindow_adminhostinfo_disabled - os_mail_smart_reply_disable - os_mail_summary_disable - os_mdm_require @@ -114,6 +114,7 @@ profile: - os_setup_assistant_filevault_enforce - os_sip_enable - os_siri_prompt_disable + - os_skip_apple_intelligence_enable - os_skip_unlock_with_watch_enable - os_ssh_fips_compliant - os_ssh_server_alive_count_max_configure @@ -184,6 +185,7 @@ profile: - system_settings_screensaver_ask_for_password_delay_enforce - system_settings_screensaver_password_enforce - system_settings_screensaver_timeout_enforce + - system_settings_security_update_install - system_settings_siri_disable - system_settings_siri_settings_disable - system_settings_smbd_disable diff --git a/baselines/800-53r5_low.yaml b/baselines/800-53r5_low.yaml index 49818694..eb76f645 100644 --- a/baselines/800-53r5_low.yaml +++ b/baselines/800-53r5_low.yaml 
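Review bot: `system_settings_security_update_install`, added to the profile in the `@@ -184,6 +185,7 @@` hunk, is listed in this commit's CHANGELOG hunk under both Added Rules and Removed Rules, so the changelog contradicts what this baseline (and the 800-53r5 low and moderate, all_rules, cisv8 and cmmc_lvl1 baselines in the same commit) actually does. Every baseline hunk adds the rule and none removes it, so the Removed Rules entry looks like a leftover and should be dropped, leaving `* system_settings_software_update_enforce` as the only software-update rule under Removed Rules. It is also worth confirming that a rule file exists under this id before the draft is published, since a baseline referencing an unknown rule id would presumably break guidance generation.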
@@ -1,6 +1,6 @@ -title: "macOS 15.0: Security Configuration - NIST SP 800-53 Rev 5 Low Impact" +title: "macOS 26.0: Security Configuration - NIST SP 800-53 Rev 5 Low Impact" description: | - This guide describes the actions to take when securing a macOS 15.0 system against the NIST SP 800-53 Rev 5 Low Impact security baseline. + This guide describes the actions to take when securing a macOS 26.0 system against the NIST SP 800-53 Rev 5 Low Impact security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | @@ -76,7 +76,7 @@ profile: - os_handoff_disable - os_httpd_disable - os_icloud_storage_prompt_disable - - os_image_generation_disable + - os_image_playground_disable - os_iphone_mirroring_disable - os_ir_support_disable - os_mail_smart_reply_disable @@ -98,6 +98,7 @@ profile: - os_safari_reader_summary_disable - os_sip_enable - os_siri_prompt_disable + - os_skip_apple_intelligence_enable - os_skip_unlock_with_watch_enable - os_ssh_fips_compliant - os_sshd_fips_compliant @@ -151,6 +152,7 @@ profile: - system_settings_remote_management_disable - system_settings_screen_sharing_disable - system_settings_screensaver_timeout_enforce + - system_settings_security_update_install - system_settings_siri_disable - system_settings_siri_settings_disable - system_settings_smbd_disable diff --git a/baselines/800-53r5_moderate.yaml b/baselines/800-53r5_moderate.yaml index f570ce7b..85f2cfd4 100644 --- a/baselines/800-53r5_moderate.yaml +++ b/baselines/800-53r5_moderate.yaml 
@@ -1,6 +1,6 @@ -title: "macOS 15.0: Security Configuration - NIST SP 800-53 Rev 5 Moderate Impact" +title: "macOS 26.0: Security Configuration - NIST SP 800-53 Rev 5 Moderate Impact" description: | - This guide describes the actions to take when securing a macOS 15.0 system against the NIST SP 800-53 Rev 5 Moderate Impact security baseline. + This guide describes the actions to take when securing a macOS 26.0 system against the NIST SP 800-53 Rev 5 Moderate Impact security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | @@ -83,10 +83,10 @@ profile: - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable - - os_image_generation_disable + - os_image_playground_disable - os_iphone_mirroring_disable - os_ir_support_disable - - os_loginwindow_adminhostinfo_undefined + - os_loginwindow_adminhostinfo_disabled - os_mail_smart_reply_disable - os_mail_summary_disable - os_mdm_require @@ -112,6 +112,7 @@ profile: - os_setup_assistant_filevault_enforce - os_sip_enable - os_siri_prompt_disable + - os_skip_apple_intelligence_enable - os_skip_unlock_with_watch_enable - os_ssh_fips_compliant - os_ssh_server_alive_count_max_configure @@ -181,6 +182,7 @@ profile: - system_settings_screensaver_ask_for_password_delay_enforce - system_settings_screensaver_password_enforce - system_settings_screensaver_timeout_enforce + - system_settings_security_update_install - system_settings_siri_disable - system_settings_siri_settings_disable - system_settings_smbd_disable diff --git a/baselines/DISA-STIG.yaml b/baselines/DISA-STIG.yaml deleted file mode 100644 index c16417b9..00000000 --- a/baselines/DISA-STIG.yaml +++ /dev/null 
@@ -1,193 +0,0 @@ -title: "macOS 15.0: Security Configuration - Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 3" -description: | - This guide describes the actions to take when securing a macOS 15.0 system against the Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 3 security baseline. -authors: | - *macOS Security Compliance Project* - - |=== - |Dan Brodjieski|National Aeronautics and Space Administration - |Allen Golbig|Jamf - |Bob Gendler|National Institute of Standards and Technology - |Aaron Kegerreis|Defense Information Systems Agency - |=== -parent_values: "stig" -profile: - - section: "auditing" - rules: - - audit_acls_files_configure - - audit_acls_folders_configure - - audit_auditd_enabled - - audit_configure_capacity_notify - - audit_control_acls_configure - - audit_control_group_configure - - audit_control_mode_configure - - audit_control_owner_configure - - audit_failure_halt - - audit_files_group_configure - - audit_files_mode_configure - - audit_files_owner_configure - - audit_flags_aa_configure - - audit_flags_ad_configure - - audit_flags_ex_configure - - audit_flags_fd_configure - - audit_flags_fm_configure - - audit_flags_fr_configure - - audit_flags_fw_configure - - audit_flags_lo_configure - - audit_folder_group_configure - - audit_folder_owner_configure - - audit_folders_mode_configure - - audit_retention_configure - - audit_settings_failure_notify - - section: "authentication" - rules: - - auth_pam_login_smartcard_enforce - - auth_pam_su_smartcard_enforce - - auth_pam_sudo_smartcard_enforce - - auth_smartcard_allow - - auth_smartcard_certificate_trust_enforce_moderate - - auth_smartcard_enforce - - auth_ssh_password_authentication_disable - - section: "icloud" - rules: - - icloud_addressbook_disable - - icloud_bookmarks_disable - - icloud_calendar_disable - - icloud_drive_disable - - icloud_freeform_disable - - icloud_game_center_disable - - icloud_keychain_disable - - icloud_mail_disable - - icloud_notes_disable - - icloud_photos_disable - - 
icloud_private_relay_disable
- - icloud_reminders_disable
- - icloud_sync_disable
- - section: "macos"
- rules:
- - os_account_modification_disable
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_asl_log_files_owner_group_configure
- - os_asl_log_files_permissions_configure
- - os_authenticated_root_enable
- - os_bonjour_disable
- - os_camera_disable
- - os_certificate_authority_trust
- - os_config_data_install_enforce
- - os_dictation_disable
- - os_erase_content_and_settings_disable
- - os_ess_installed
- - os_facetime_app_disable
- - os_filevault_autologin_disable
- - os_firmware_password_require
- - os_gatekeeper_enable
- - os_genmoji_disable
- - os_handoff_disable
- - os_home_folders_secure
- - os_httpd_disable
- - os_icloud_storage_prompt_disable
- - os_image_generation_disable
- - os_install_log_retention_configure
- - os_loginwindow_adminhostinfo_undefined
- - os_mdm_require
- - os_newsyslog_files_owner_group_configure
- - os_newsyslog_files_permissions_configure
- - os_nfsd_disable
- - os_on_device_dictation_enforce
- - os_password_hint_remove
- - os_password_proximity_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_privacy_setup_prompt_disable
- - os_recovery_lock_enable
- - os_root_disable
- - os_secure_boot_verify
- - os_sip_enable
- - os_siri_prompt_disable
- - os_skip_screen_time_prompt_enable
- - os_skip_unlock_with_watch_enable
- - os_ssh_fips_compliant
- - os_ssh_server_alive_count_max_configure
- - os_ssh_server_alive_interval_configure
- - os_sshd_channel_timeout_configure
- - os_sshd_client_alive_count_max_configure
- - os_sshd_client_alive_interval_configure
- - os_sshd_fips_compliant
- - os_sshd_login_grace_time_configure
- - os_sshd_permit_root_login_configure
- - os_sshd_unused_connection_timeout_configure
- - os_sudo_log_enforce
- - os_sudo_timeout_configure
- - os_sudoers_timestamp_type_configure
- - os_tftpd_disable
- - os_time_server_enabled
- - 
os_touchid_prompt_disable
- - os_unlock_active_user_session_disable
- - os_user_app_installation_prohibit
- - os_uucp_disable
- - os_writing_tools_disable
- - section: "passwordpolicy"
- rules:
- - pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- - pwpolicy_custom_regex_enforce
- - pwpolicy_history_enforce
- - pwpolicy_max_lifetime_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
- - pwpolicy_special_character_enforce
- - pwpolicy_temporary_or_emergency_accounts_disable
- - section: "systemsettings"
- rules:
- - system_settings_airplay_receiver_disable
- - system_settings_apple_watch_unlock_disable
- - system_settings_automatic_login_disable
- - system_settings_automatic_logout_enforce
- - system_settings_bluetooth_disable
- - system_settings_bluetooth_settings_disable
- - system_settings_bluetooth_sharing_disable
- - system_settings_content_caching_disable
- - system_settings_diagnostics_reports_disable
- - system_settings_filevault_enforce
- - system_settings_find_my_disable
- - system_settings_firewall_enable
- - system_settings_gatekeeper_identified_developers_allowed
- - system_settings_guest_account_disable
- - system_settings_hot_corners_disable
- - system_settings_improve_assistive_voice_disable
- - system_settings_improve_search_disable
- - system_settings_improve_siri_dictation_disable
- - system_settings_internet_sharing_disable
- - system_settings_location_services_disable
- - system_settings_loginwindow_prompt_username_password_enforce
- - system_settings_media_sharing_disabled
- - system_settings_password_hints_disable
- - system_settings_personalized_advertising_disable
- - system_settings_printer_sharing_disable
- - system_settings_rae_disable
- - system_settings_remote_management_disable
- - system_settings_screen_sharing_disable
- - system_settings_screensaver_ask_for_password_delay_enforce
- - 
system_settings_screensaver_password_enforce - - system_settings_screensaver_timeout_enforce - - system_settings_siri_disable - - system_settings_siri_settings_disable - - system_settings_smbd_disable - - system_settings_system_wide_preferences_configure - - system_settings_time_server_configure - - system_settings_time_server_enforce - - system_settings_token_removal_enforce - - system_settings_touchid_unlock_disable - - system_settings_usb_restricted_mode - - system_settings_wallet_applepay_settings_disable - - section: "Supplemental" - rules: - - supplemental_controls - - supplemental_filevault - - supplemental_firewall_pf - - supplemental_password_policy - - supplemental_smartcard diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index 6e0f52d7..3efa6d7d 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -1,6 +1,6 @@ -title: "macOS 15.0: Security Configuration - All Rules" +title: "macOS 26.0: Security Configuration - All Rules" description: | - This guide describes the actions to take when securing a macOS 15.0 system against the All Rules security baseline. + This guide describes the actions to take when securing a macOS 26.0 system against the All Rules security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | 
@@ -110,12 +110,12 @@ profile:
 - os_home_folders_secure
 - os_httpd_disable
 - os_icloud_storage_prompt_disable
- - os_image_generation_disable
+ - os_image_playground_disable
 - os_install_log_retention_configure
 - os_iphone_mirroring_disable
 - os_ir_support_disable
 - os_library_validation_enabled
- - os_loginwindow_adminhostinfo_undefined
+ - os_loginwindow_adminhostinfo_disabled
 - os_mail_app_disable
 - os_mail_smart_reply_disable
 - os_mail_summary_disable
@@ -147,8 +147,10 @@ profile:
 - os_removable_media_disable
 - os_root_disable
 - os_safari_advertising_privacy_protection_enable
+ - os_safari_clear_history_disable
 - os_safari_open_safe_downloads_disable
 - os_safari_prevent_cross-site_tracking_enable
+ - os_safari_private_browsing_disable
 - os_safari_reader_summary_disable
 - os_safari_show_full_website_address_enable
 - os_safari_show_status_bar_enabled
@@ -157,12 +159,13 @@ profile:
 - os_screensaver_timeout_loginwindow_enforce
 - os_secure_boot_verify
 - os_setup_assistant_filevault_enforce
- - os_show_filename_extensions_enable
 - os_sip_enable
 - os_siri_prompt_disable
+ - os_skip_apple_intelligence_enable
 - os_skip_screen_time_prompt_enable
 - os_skip_unlock_with_watch_enable
 - os_sleep_and_display_sleep_apple_silicon_enable
+ - os_software_update_app_update_enforce
 - os_software_update_deferral
 - os_ssh_fips_compliant
 - os_ssh_server_alive_count_max_configure
@@ -220,6 +223,7 @@ profile:
 - system_settings_content_caching_disable
 - system_settings_critical_update_install_enforce
 - system_settings_diagnostics_reports_disable
+ - system_settings_download_software_update_enforce
 - system_settings_external_intelligence_disable
 - system_settings_external_intelligence_sign_in_disable
 - system_settings_filevault_enforce
@@ -253,13 +257,12 @@ profile: - system_settings_screensaver_ask_for_password_delay_enforce - system_settings_screensaver_password_enforce - system_settings_screensaver_timeout_enforce + - system_settings_security_update_install - system_settings_siri_disable - system_settings_siri_listen_disable - system_settings_siri_settings_disable - system_settings_smbd_disable - - system_settings_software_update_app_update_enforce - system_settings_software_update_download_enforce - - system_settings_software_update_enforce - system_settings_softwareupdate_current - system_settings_ssh_disable - system_settings_ssh_enable diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml index 0c405264..ca3c90a9 100644 --- a/baselines/cis_lvl1.yaml +++ b/baselines/cis_lvl1.yaml @@ -1,6 +1,6 @@ -title: "macOS 15.0: Security Configuration - CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 1)" +title: "macOS 26.0: Security Configuration - CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1) - DRAFT" description: | - This guide describes the actions to take when securing a macOS 15.0 system against the CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 1) security baseline. + This guide describes the actions to take when securing a macOS 26.0 system against the CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1) - DRAFT security baseline. authors: | *macOS Security Compliance Project* @@ -40,7 +40,6 @@ profile: - os_httpd_disable - os_install_log_retention_configure - os_mail_summary_disable - - os_mdm_require - os_mobile_file_integrity_enable - os_nfsd_disable - os_notes_transcription_disable @@ -55,8 +54,8 @@ profile: - os_safari_show_full_website_address_enable - os_safari_show_status_bar_enabled - os_safari_warn_fraudulent_website_enable - - os_show_filename_extensions_enable - os_sip_enable + - os_software_update_app_update_enforce - os_software_update_deferral - os_sudo_log_enforce - os_sudo_timeout_configure 
@@ -78,7 +77,6 @@ profile:
 rules:
 - system_settings_airplay_receiver_disable
 - system_settings_automatic_login_disable
- - system_settings_bluetooth_menu_enable
 - system_settings_bluetooth_sharing_disable
 - system_settings_critical_update_install_enforce
 - system_settings_diagnostics_reports_disable
@@ -93,6 +91,7 @@ profile:
 - system_settings_improve_siri_dictation_disable
 - system_settings_install_macos_updates_enforce
 - system_settings_internet_sharing_disable
+ - system_settings_location_services_menu_enforce
 - system_settings_loginwindow_loginwindowtext_enable
 - system_settings_loginwindow_prompt_username_password_enforce
 - system_settings_password_hints_disable
@@ -105,9 +104,7 @@ profile:
 - system_settings_screensaver_timeout_enforce
 - system_settings_siri_disable
 - system_settings_smbd_disable
- - system_settings_software_update_app_update_enforce
 - system_settings_software_update_download_enforce
- - system_settings_software_update_enforce
 - system_settings_softwareupdate_current
 - system_settings_ssh_disable
 - system_settings_system_wide_preferences_configure
@@ -115,7 +112,6 @@ profile:
 - system_settings_time_server_configure
 - system_settings_time_server_enforce
 - system_settings_wake_network_access_disable
- - system_settings_wifi_menu_enable
 - section: "Supplemental"
 rules:
 - supplemental_cis_manual
diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml
index 792a6484..d9aa6558 100644
--- a/baselines/cis_lvl2.yaml
+++ b/baselines/cis_lvl2.yaml
@@ -1,6 +1,6 @@ -title: "macOS 15.0: Security Configuration - CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 2)" +title: "macOS 26.0: Security Configuration - CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2) - DRAFT" description: | - This guide describes the actions to take when securing a macOS 15.0 system against the CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 2) security baseline. + This guide describes the actions to take when securing a macOS 26.0 system against the CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2) - DRAFT security baseline. authors: | *macOS Security Compliance Project* @@ -51,7 +51,6 @@ profile: - os_httpd_disable - os_install_log_retention_configure - os_mail_summary_disable - - os_mdm_require - os_mobile_file_integrity_enable - os_nfsd_disable - os_notes_transcription_disable @@ -67,9 +66,9 @@ profile: - os_safari_show_full_website_address_enable - os_safari_show_status_bar_enabled - os_safari_warn_fraudulent_website_enable - - os_show_filename_extensions_enable - os_sip_enable - os_sleep_and_display_sleep_apple_silicon_enable + - os_software_update_app_update_enforce - os_software_update_deferral - os_sudo_log_enforce - os_sudo_timeout_configure @@ -95,7 +94,6 @@ profile: rules: - system_settings_airplay_receiver_disable - system_settings_automatic_login_disable - - system_settings_bluetooth_menu_enable - system_settings_bluetooth_sharing_disable - system_settings_content_caching_disable - system_settings_critical_update_install_enforce @@ -128,9 +126,7 @@ profile: - system_settings_screensaver_timeout_enforce - system_settings_siri_disable - system_settings_smbd_disable - - system_settings_software_update_app_update_enforce - system_settings_software_update_download_enforce - - system_settings_software_update_enforce - system_settings_softwareupdate_current - system_settings_ssh_disable - system_settings_system_wide_preferences_configure 
@@ -139,7 +135,6 @@ profile: - system_settings_time_server_configure - system_settings_time_server_enforce - system_settings_wake_network_access_disable - - system_settings_wifi_menu_enable - section: "Supplemental" rules: - supplemental_cis_manual diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml index 1dd069f5..62b3fa97 100644 --- a/baselines/cisv8.yaml +++ b/baselines/cisv8.yaml @@ -1,6 +1,6 @@ -title: "macOS 15.0: Security Configuration - CIS Controls Version 8" +title: "macOS 26.0: Security Configuration - CIS Controls Version 8" description: | - This guide describes the actions to take when securing a macOS 15.0 system against the CIS Controls Version 8 security baseline. + This guide describes the actions to take when securing a macOS 26.0 system against the CIS Controls Version 8 security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | @@ -101,11 +101,12 @@ profile: - os_safari_show_status_bar_enabled - os_safari_warn_fraudulent_website_enable - os_setup_assistant_filevault_enforce - - os_show_filename_extensions_enable - os_sip_enable - os_siri_prompt_disable + - os_skip_apple_intelligence_enable - os_skip_unlock_with_watch_enable - os_sleep_and_display_sleep_apple_silicon_enable + - os_software_update_app_update_enforce - os_sudo_log_enforce - os_sudo_timeout_configure - os_sudoers_timestamp_type_configure @@ -142,6 +143,7 @@ profile: - system_settings_content_caching_disable - system_settings_critical_update_install_enforce - system_settings_diagnostics_reports_disable + - system_settings_download_software_update_enforce - system_settings_external_intelligence_disable - system_settings_external_intelligence_sign_in_disable - system_settings_filevault_enforce 
@@ -169,13 +171,12 @@ profile: - system_settings_screen_sharing_disable - system_settings_screensaver_ask_for_password_delay_enforce - system_settings_screensaver_timeout_enforce + - system_settings_security_update_install - system_settings_siri_disable - system_settings_siri_listen_disable - system_settings_siri_settings_disable - system_settings_smbd_disable - - system_settings_software_update_app_update_enforce - system_settings_software_update_download_enforce - - system_settings_software_update_enforce - system_settings_softwareupdate_current - system_settings_ssh_disable - system_settings_system_wide_preferences_configure @@ -207,6 +208,5 @@ profile: - os_access_control_mobile_devices - section: "Supplemental" rules: - - supplemental_cis_manual - supplemental_filevault - supplemental_password_policy diff --git a/baselines/cmmc_lvl1.yaml b/baselines/cmmc_lvl1.yaml index a5ee420a..0a634e92 100644 --- a/baselines/cmmc_lvl1.yaml +++ b/baselines/cmmc_lvl1.yaml @@ -1,6 +1,6 @@ -title: "macOS 15.0: Security Configuration - US CMMC 2.0 Level 1" +title: "macOS 26.0: Security Configuration - US CMMC 2.0 Level 1" description: | - This guide describes the actions to take when securing a macOS 15.0 system against the US CMMC 2.0 Level 1 security baseline. + This guide describes the actions to take when securing a macOS 26.0 system against the US CMMC 2.0 Level 1 security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | @@ -51,7 +51,7 @@ profile: - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable - - os_image_generation_disable + - os_image_playground_disable - os_iphone_mirroring_disable - os_mail_smart_reply_disable - os_mail_summary_disable 
@@ -67,6 +67,7 @@ profile: - os_safari_reader_summary_disable - os_sip_enable - os_siri_prompt_disable + - os_skip_apple_intelligence_enable - os_skip_unlock_with_watch_enable - os_tftpd_disable - os_unlock_active_user_session_disable @@ -78,6 +79,8 @@ profile: - system_settings_bluetooth_sharing_disable - system_settings_critical_update_install_enforce - system_settings_diagnostics_reports_disable + - system_settings_external_intelligence_disable + - system_settings_external_intelligence_sign_in_disable - system_settings_find_my_disable - system_settings_firewall_enable - system_settings_firewall_stealth_mode_enable @@ -93,6 +96,7 @@ profile: - system_settings_personalized_advertising_disable - system_settings_rae_disable - system_settings_screen_sharing_disable + - system_settings_security_update_install - system_settings_siri_disable - system_settings_smbd_disable - system_settings_ssh_disable diff --git a/baselines/cmmc_lvl2.yaml b/baselines/cmmc_lvl2.yaml index 1cf57375..1e2e5bc5 100644 --- a/baselines/cmmc_lvl2.yaml +++ b/baselines/cmmc_lvl2.yaml @@ -1,6 +1,6 @@ -title: "macOS 15.0: Security Configuration - US CMMC 2.0 Level 2" +title: "macOS 26.0: Security Configuration - US CMMC 2.0 Level 2" description: | - This guide describes the actions to take when securing a macOS 15.0 system against the US CMMC 2.0 Level 2 security baseline. + This guide describes the actions to take when securing a macOS 26.0 system against the US CMMC 2.0 Level 2 security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | 
@@ -47,6 +47,7 @@ profile: - auth_pam_su_smartcard_enforce - auth_pam_sudo_smartcard_enforce - auth_smartcard_allow + - auth_smartcard_certificate_trust_enforce_high - auth_smartcard_certificate_trust_enforce_moderate - auth_smartcard_enforce - auth_ssh_password_authentication_disable @@ -96,7 +97,7 @@ profile: - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable - - os_image_generation_disable + - os_image_playground_disable - os_install_log_retention_configure - os_iphone_mirroring_disable - os_ir_support_disable @@ -126,6 +127,7 @@ profile: - os_setup_assistant_filevault_enforce - os_sip_enable - os_siri_prompt_disable + - os_skip_apple_intelligence_enable - os_skip_screen_time_prompt_enable - os_skip_unlock_with_watch_enable - os_ssh_fips_compliant @@ -170,6 +172,8 @@ profile: - system_settings_content_caching_disable - system_settings_critical_update_install_enforce - system_settings_diagnostics_reports_disable + - system_settings_external_intelligence_disable + - system_settings_external_intelligence_sign_in_disable - system_settings_filevault_enforce - system_settings_find_my_disable - system_settings_firewall_enable @@ -197,6 +201,7 @@ profile: - system_settings_screensaver_ask_for_password_delay_enforce - system_settings_screensaver_password_enforce - system_settings_screensaver_timeout_enforce + - system_settings_security_update_install - system_settings_siri_disable - system_settings_siri_settings_disable - system_settings_smbd_disable diff --git a/baselines/cnssi-1253_high.yaml b/baselines/cnssi-1253_high.yaml index 635f0d74..7dfcc4b0 100644 --- a/baselines/cnssi-1253_high.yaml +++ b/baselines/cnssi-1253_high.yaml 
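Review bot: `auth_smartcard_certificate_trust_enforce_high` is added directly above the already-present `auth_smartcard_certificate_trust_enforce_moderate`, so the CMMC Level 2 baseline now carries both trust levels at once. If, as the names suggest, each rule sets the same smart-card certificate-trust key to a different value, a baseline containing both produces contradictory configuration for one setting and the compliance script cannot pass both checks on the same host. Only one should remain; if the intent is to raise the requirement, remove the `- auth_smartcard_certificate_trust_enforce_moderate` line in this hunk. The rule definitions are outside this diff, so confirm against them before changing.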
@@ -1,6 +1,6 @@ -title: "macOS 15.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (High)" +title: "macOS 26.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (High)" description: | - This guide describes the actions to take when securing a macOS 15.0 system against the Committee on National Security Systems Instruction No. 1253 (High) security baseline. + This guide describes the actions to take when securing a macOS 26.0 system against the Committee on National Security Systems Instruction No. 1253 (High) security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | @@ -103,13 +103,14 @@ profile: - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable - - os_image_generation_disable + - os_image_playground_disable - os_install_log_retention_configure - os_iphone_mirroring_disable - os_ir_support_disable - - os_loginwindow_adminhostinfo_undefined + - os_loginwindow_adminhostinfo_disabled - os_mail_app_disable - os_mail_smart_reply_disable + - os_mail_summary_disable - os_mdm_require - os_messages_app_disable - os_newsyslog_files_owner_group_configure @@ -123,6 +124,7 @@ profile: - os_password_hint_remove - os_password_proximity_disable - os_password_sharing_disable + - os_photos_enhanced_search_disable - os_policy_banner_loginwindow_enforce - os_policy_banner_ssh_configure - os_policy_banner_ssh_enforce @@ -139,6 +141,7 @@ profile: - os_setup_assistant_filevault_enforce - os_sip_enable - os_siri_prompt_disable + - os_skip_apple_intelligence_enable - os_skip_screen_time_prompt_enable - os_skip_unlock_with_watch_enable - os_ssh_fips_compliant 
@@ -219,6 +222,7 @@ profile: - system_settings_screensaver_ask_for_password_delay_enforce - system_settings_screensaver_password_enforce - system_settings_screensaver_timeout_enforce + - system_settings_security_update_install - system_settings_siri_disable - system_settings_siri_settings_disable - system_settings_smbd_disable diff --git a/baselines/cnssi-1253_low.yaml b/baselines/cnssi-1253_low.yaml index 86a2f4c0..f9ca038e 100644 --- a/baselines/cnssi-1253_low.yaml +++ b/baselines/cnssi-1253_low.yaml @@ -1,6 +1,6 @@ -title: "macOS 15.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Low)" +title: "macOS 26.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Low)" description: | - This guide describes the actions to take when securing a macOS 15.0 system against the Committee on National Security Systems Instruction No. 1253 (Low) security baseline. + This guide describes the actions to take when securing a macOS 26.0 system against the Committee on National Security Systems Instruction No. 1253 (Low) security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | @@ -102,13 +102,14 @@ profile: - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable - - os_image_generation_disable + - os_image_playground_disable - os_install_log_retention_configure - os_iphone_mirroring_disable - os_ir_support_disable - - os_loginwindow_adminhostinfo_undefined + - os_loginwindow_adminhostinfo_disabled - os_mail_app_disable - os_mail_smart_reply_disable + - os_mail_summary_disable - os_mdm_require - os_messages_app_disable - os_newsyslog_files_owner_group_configure 
@@ -122,6 +123,7 @@ profile: - os_password_hint_remove - os_password_proximity_disable - os_password_sharing_disable + - os_photos_enhanced_search_disable - os_policy_banner_loginwindow_enforce - os_policy_banner_ssh_configure - os_policy_banner_ssh_enforce @@ -137,6 +139,7 @@ profile: - os_setup_assistant_filevault_enforce - os_sip_enable - os_siri_prompt_disable + - os_skip_apple_intelligence_enable - os_skip_screen_time_prompt_enable - os_skip_unlock_with_watch_enable - os_ssh_fips_compliant @@ -215,6 +218,7 @@ profile: - system_settings_screensaver_ask_for_password_delay_enforce - system_settings_screensaver_password_enforce - system_settings_screensaver_timeout_enforce + - system_settings_security_update_install - system_settings_siri_disable - system_settings_siri_settings_disable - system_settings_smbd_disable diff --git a/baselines/cnssi-1253_moderate.yaml b/baselines/cnssi-1253_moderate.yaml index d6d30f4f..f8fbfb59 100644 --- a/baselines/cnssi-1253_moderate.yaml +++ b/baselines/cnssi-1253_moderate.yaml @@ -1,6 +1,6 @@ -title: "macOS 15.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Moderate)" +title: "macOS 26.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Moderate)" description: | - This guide describes the actions to take when securing a macOS 15.0 system against the Committee on National Security Systems Instruction No. 1253 (Moderate) security baseline. + This guide describes the actions to take when securing a macOS 26.0 system against the Committee on National Security Systems Instruction No. 1253 (Moderate) security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | 
@@ -102,12 +102,14 @@ profile: - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable - - os_image_generation_disable + - os_image_playground_disable - os_install_log_retention_configure + - os_iphone_mirroring_disable - os_ir_support_disable - - os_loginwindow_adminhostinfo_undefined + - os_loginwindow_adminhostinfo_disabled - os_mail_app_disable - os_mail_smart_reply_disable + - os_mail_summary_disable - os_mdm_require - os_messages_app_disable - os_newsyslog_files_owner_group_configure @@ -121,6 +123,7 @@ profile: - os_password_hint_remove - os_password_proximity_disable - os_password_sharing_disable + - os_photos_enhanced_search_disable - os_policy_banner_loginwindow_enforce - os_policy_banner_ssh_configure - os_policy_banner_ssh_enforce @@ -137,6 +140,7 @@ profile: - os_setup_assistant_filevault_enforce - os_sip_enable - os_siri_prompt_disable + - os_skip_apple_intelligence_enable - os_skip_screen_time_prompt_enable - os_skip_unlock_with_watch_enable - os_ssh_fips_compliant @@ -196,6 +200,7 @@ profile: - system_settings_firewall_stealth_mode_enable - system_settings_gatekeeper_identified_developers_allowed - system_settings_gatekeeper_override_disallow + - system_settings_guest_access_smb_disable - system_settings_guest_account_disable - system_settings_hot_corners_disable - system_settings_hot_corners_secure @@ -216,6 +221,7 @@ profile: - system_settings_screensaver_ask_for_password_delay_enforce - system_settings_screensaver_password_enforce - system_settings_screensaver_timeout_enforce + - system_settings_security_update_install - system_settings_siri_disable - system_settings_siri_settings_disable - system_settings_smbd_disable @@ -283,3 +289,6 @@ profile: - os_managed_access_control_points - os_non_repudiation - os_nonlocal_maintenance + - section: "Supplemental" + rules: + - supplemental_password_policy diff --git a/custom/rules/.gitignore b/custom/rules/.gitignore index 86d0cb27..153f9ed7 100644 --- a/custom/rules/.gitignore 
+++ b/custom/rules/.gitignore @@ -1,4 +1,6 @@ # Ignore everything in this directory * # Except this file -!.gitignore \ No newline at end of file +!.gitignore +!sections +!rules diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml index 2c763322..59ebeed2 100644 --- a/includes/mscp-data.yaml +++ b/includes/mscp-data.yaml @@ -83,20 +83,21 @@ titles: 800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact 800-53r5_low: NIST SP 800-53 Rev 5 Low Impact 800-171: NIST 800-171 Rev 3 - cis_lvl1: CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 1) - cis_lvl2: CIS Apple macOS 15.0 Sequoia v1.1.0 Benchmark (Level 2) + cis_lvl1: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1) - DRAFT + cis_lvl2: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2) - DRAFT cmmc_lvl1: US CMMC 2.0 Level 1 cmmc_lvl2: US CMMC 2.0 Level 2 cisv8: CIS Controls Version 8 cnssi-1253_low: Committee on National Security Systems Instruction No. 1253 (Low) cnssi-1253_moderate: Committee on National Security Systems Instruction No. 1253 (Moderate) cnssi-1253_high: Committee on National Security Systems Instruction No. 1253 (High) - stig: Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 3 + stig: Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 4 ddm: supported_types: - com.apple.configuration.services.configuration-files - com.apple.configuration.passcode.settings - com.apple.configuration.diskmanagement.settings + - com.apple.configuration.softwareupdate.settings services: com.apple.bash: /etc/ com.apple.pam: /etc/pam.d/ diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index bd452168..93dc3929 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-94101-3 + - CCE-95101-2 cci: - CCI-000162 - CCI-000163 
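Review bot: The new `!sections` and `!rules` negations un-ignore only the two directory entries themselves; the preceding `*` pattern contains no slash, so it also matches every file inside those directories and they stay ignored, meaning custom rule and section files still cannot be committed from this tree. To re-include the contents, add recursive negations after each entry, `!sections/**` and `!rules/**`, or place a separate .gitignore inside each directory. The `# Except this file` comment above now undersells the file and could read `# Except this file and the custom sections/ and rules/ directories`.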
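Review bot: The `stig` title is only bumped to `Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 4`, while the rule files in this same commit renumber every `disa_stig` reference from `APPL-15-…` to `APPL-26-…`. Generated guides will therefore cite APPL-26 IDs under a heading that names the macOS 15 STIG, and a reader cannot look those IDs up in the document the title points to. If no macOS 26 STIG has been published yet, the title should say so, e.g. `stig: Apple macOS 26 (Tahoe) STIG - DRAFT (IDs projected from Apple macOS 15 STIG Ver 1, Rel 4)`, or the rules should keep their APPL-15 IDs until the new STIG is released.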
@@ -36,7 +36,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-000030 + - APPL-26-000030 800-171r3: - 03.03.08 cis: @@ -47,7 +47,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r4_low diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml index 240a8eb1..2d7f2b9b 100644 --- a/rules/audit/audit_acls_folders_configure.yaml +++ b/rules/audit/audit_acls_folders_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-94102-1 + - CCE-95102-0 cci: - CCI-000162 - CCI-000162 @@ -36,7 +36,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-000031 + - APPL-26-000031 800-171r3: - 03.03.08 cis: @@ -47,7 +47,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/audit/audit_alert_processing_fail.yaml b/rules/audit/audit_alert_processing_fail.yaml index e3b85592..6a84cd04 100644 --- a/rules/audit/audit_alert_processing_fail.yaml +++ b/rules/audit/audit_alert_processing_fail.yaml @@ -8,7 +8,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94103-9 + - CCE-95103-8 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - '15.0' + - '26.0' tags: - permanent mobileconfig: false diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index 83d059fb..6bf5451f 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml 
@@ -9,9 +9,9 @@ discussion: | The information system initiates session audits at system start-up. - NOTE: Security auditing is NOT enabled by default on macOS Sequoia. + NOTE: Security auditing is NOT enabled by default on macOS Tahoe. check: | - LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd) + LAUNCHD_RUNNING=$(/bin/launchctl print system | /usr/bin/grep -c -E '\tcom.apple.auditd') AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING") if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then echo "pass" @@ -33,7 +33,7 @@ fix: | ---- references: cce: - - CCE-94104-7 + - CCE-95104-6 cci: - CCI-000130 - CCI-000131 @@ -104,7 +104,7 @@ references: - SRG-OS-000055-GPOS-00026 - SRG-OS-000755-GPOS-00220 disa_stig: - - APPL-15-001003 + - APPL-26-001003 800-171r3: - 03.03.02 - 03.03.03 @@ -119,7 +119,7 @@ references: - AU.L2-3.3.2 - AU.L2-3.3.6 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml index c7d37336..11a6f6a9 100644 --- a/rules/audit/audit_configure_capacity_notify.yaml +++ b/rules/audit/audit_configure_capacity_notify.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-94105-4 + - CCE-95105-3 cci: - CCI-000139 - CCI-001855 @@ -27,9 +27,9 @@ references: - SRG-OS-000046-GPOS-00022 - SRG-OS-000343-GPOS-00134 disa_stig: - - APPL-15-001030 + - APPL-26-001030 macOS: - - '15.0' + - '26.0' odv: hint: Percentage of free space. recommended: 25 diff --git a/rules/audit/audit_control_acls_configure.yaml b/rules/audit/audit_control_acls_configure.yaml index 122f0fe2..437fa961 100644 --- a/rules/audit/audit_control_acls_configure.yaml +++ b/rules/audit/audit_control_acls_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-94106-2 + - CCE-95106-1 cci: - CCI-000162 - CCI-000163 
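Review bot: The rewritten check relies on `\t` being interpreted as a tab inside the extended regex given to `/usr/bin/grep -E`; that escape is not part of POSIX ERE, and on a grep that reads it as a literal `t` the pattern matches nothing, `LAUNCHD_RUNNING` becomes 0 and the rule reports `fail` on a correctly configured host. A portable anchor is `'[[:space:]]com\.apple\.auditd'`, which also escapes the dots that currently match any character. The exact `== 1` comparison is also stricter than it was with `launchctl list`, because `launchctl print system` can show a label in more than one section; `-ge 1`, or `grep -q` with an exit-status test, would be safer. Whether `\t` is honoured by the grep shipped on macOS 26 should be confirmed on a test system; the rest of the check body is unchanged.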
@@ -35,7 +35,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-001140 + - APPL-26-001140 800-171r3: - 03.03.08 cis: @@ -46,7 +46,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/audit/audit_control_group_configure.yaml b/rules/audit/audit_control_group_configure.yaml index 3dd4ada9..a5ae0870 100644 --- a/rules/audit/audit_control_group_configure.yaml +++ b/rules/audit/audit_control_group_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-94107-0 + - CCE-95107-9 cci: - CCI-000162 - CCI-000163 @@ -35,7 +35,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-001110 + - APPL-26-001110 800-171r3: - 03.03.08 cis: @@ -46,7 +46,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/audit/audit_control_mode_configure.yaml b/rules/audit/audit_control_mode_configure.yaml index 6215eb59..ea20c069 100644 --- a/rules/audit/audit_control_mode_configure.yaml +++ b/rules/audit/audit_control_mode_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-94108-8 + - CCE-95108-7 cci: - CCI-000162 - CCI-000163 @@ -35,7 +35,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-001130 + - APPL-26-001130 800-171r3: - 03.03.08 cis: @@ -46,7 +46,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/audit/audit_control_owner_configure.yaml b/rules/audit/audit_control_owner_configure.yaml index 5003bfef..4f7f95c3 100644 --- a/rules/audit/audit_control_owner_configure.yaml +++ b/rules/audit/audit_control_owner_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-94109-6 + - CCE-95109-5 cci: - CCI-000162 - CCI-000163 
@@ -35,7 +35,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-001120 + - APPL-26-001120 800-171r3: - 03.03.08 cis: @@ -46,7 +46,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/audit/audit_enforce_dual_auth.yaml b/rules/audit/audit_enforce_dual_auth.yaml index 4d6f7335..5888f331 100644 --- a/rules/audit/audit_enforce_dual_auth.yaml +++ b/rules/audit/audit_enforce_dual_auth.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94110-4 + - CCE-95110-3 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - SRG-OS-000360-GPOS-00147 macOS: - - '15.0' + - '26.0' tags: - permanent - cnssi-1253_high diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index 45695479..bd1e1d81 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-94111-2 + - CCE-95111-1 cci: - CCI-000140 800-53r5: @@ -25,13 +25,13 @@ references: srg: - SRG-OS-000047-GPOS-00023 disa_stig: - - APPL-15-001010 + - APPL-26-001010 800-171r3: - 03.03.04 cmmc: - AU.L2-3.3.4 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml index dc7a224c..ea42c095 100644 --- a/rules/audit/audit_files_group_configure.yaml +++ b/rules/audit/audit_files_group_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-94112-0 + - CCE-95112-9 cci: - CCI-000162 - CCI-000163 @@ -37,7 +37,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-001014 + - APPL-26-001014 800-171r3: - 03.03.08 cis: 
@@ -48,7 +48,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml index c4e099dd..e6a67626 100644 --- a/rules/audit/audit_files_mode_configure.yaml +++ b/rules/audit/audit_files_mode_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-94113-8 + - CCE-95113-7 cci: - CCI-000162 - CCI-000163 @@ -33,7 +33,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-001016 + - APPL-26-001016 800-171r3: - 03.03.08 cis: @@ -44,7 +44,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml index 7b6bd997..825a7932 100644 --- a/rules/audit/audit_files_owner_configure.yaml +++ b/rules/audit/audit_files_owner_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-94114-6 + - CCE-95114-5 cci: - CCI-000162 - CCI-000163 @@ -37,7 +37,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-001012 + - APPL-26-001012 800-171r3: - 03.03.08 cis: @@ -48,7 +48,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index d5cbef85..749587c5 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-94115-3 + - CCE-95115-2 cci: - CCI-000172 - CCI-001814 @@ -47,7 +47,7 @@ references: - SRG-OS-000458-GPOS-00203 - SRG-OS-000468-GPOS-00212 disa_stig: - - APPL-15-001044 + - APPL-26-001044 800-171r3: - 03.03.01 - 03.03.03 
@@ -63,7 +63,7 @@ references: - AU.L2-3.3.6 - SI.L2-3.14.3 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_privacy - 800-53r4_low diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index 79acf44d..ae796b6b 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -21,7 +21,7 @@ fix: | ---- references: cce: - - CCE-94116-1 + - CCE-95116-0 cci: - CCI-000018 - CCI-000172 @@ -66,7 +66,7 @@ references: - SRG-OS-000303-GPOS-00120 - SRG-OS-000755-GPOS-00220 disa_stig: - - APPL-15-001001 + - APPL-26-001001 800-171r3: - 03.01.07 - 03.03.01 @@ -83,7 +83,7 @@ references: - AU.L2-3.3.6 - SI.L2-3.14.3 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_privacy - 800-53r4_low diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index 71051221..7fdd3039 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml @@ -18,7 +18,7 @@ fix: | ---- references: cce: - - CCE-94117-9 + - CCE-95117-8 cci: - CCI-000172 - CCI-001814 @@ -38,7 +38,7 @@ references: - SRG-OS-000458-GPOS-00203 - SRG-OS-000463-GPOS-00207 disa_stig: - - APPL-15-001024 + - APPL-26-001024 800-171r3: - 03.03.01 - 03.03.03 @@ -54,7 +54,7 @@ references: - AU.L2-3.3.6 - SI.L2-3.14.3 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_privacy - 800-53r4_low diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index ee912d63..4896a03b 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-94118-7 + - CCE-95118-6 cci: - CCI-000162 - CCI-000163 @@ -61,7 +61,7 @@ references: - SRG-OS-000458-GPOS-00203 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-001020 + - APPL-26-001020 800-171r3: - 03.03.01 - 03.03.03 
@@ -72,7 +72,7 @@ references: - AU.L2-3.3.8 - SI.L2-3.14.3 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_privacy - 800-53r5_low diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index fb422240..0b09f634 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-94119-5 + - CCE-95119-4 cci: - CCI-000162 - CCI-000163 @@ -62,7 +62,7 @@ references: - SRG-OS-000458-GPOS-00203 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-001021 + - APPL-26-001021 800-171r3: - 03.03.01 - 03.03.03 @@ -73,7 +73,7 @@ references: - AU.L2-3.3.8 - SI.L2-3.14.3 macOS: - - '15.0' + - '26.0' tags: - cnssi-1253_low - cnssi-1253_high diff --git a/rules/audit/audit_flags_fm_failed_configure.yaml b/rules/audit/audit_flags_fm_failed_configure.yaml index e6c6ec58..0b9eb5a8 100644 --- a/rules/audit/audit_flags_fm_failed_configure.yaml +++ b/rules/audit/audit_flags_fm_failed_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-94120-3 + - CCE-95120-2 cci: - N/A 800-53r5: @@ -56,7 +56,7 @@ references: - AU.L2-3.3.8 - SI.L2-3.14.3 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_privacy - 800-53r5_low diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index 200951ca..3c7f59b5 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-94121-1 + - CCE-95121-0 cci: - CCI-000172 - CCI-001814 @@ -53,7 +53,7 @@ references: - SRG-OS-000458-GPOS-00203 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-001022 + - APPL-26-001022 800-171r3: - 03.03.01 - 03.03.03 @@ -71,7 +71,7 @@ references: - AU.L2-3.3.8 - SI.L2-3.14.3 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_privacy - 800-53r4_low 
diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index 5a5de776..3f411a06 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-94122-9 + - CCE-95122-8 cci: - CCI-000172 - CCI-001814 @@ -54,7 +54,7 @@ references: - SRG-OS-000458-GPOS-00203 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-001023 + - APPL-26-001023 800-171r3: - 03.03.01 - 03.03.03 @@ -72,7 +72,7 @@ references: - AU.L2-3.3.8 - SI.L2-3.14.3 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_privacy - 800-53r4_low diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index f20c3873..e9900757 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-94123-7 + - CCE-95123-6 cci: - CCI-000067 - CCI-000172 @@ -45,7 +45,7 @@ references: - SRG-OS-000458-GPOS-00203 - SRG-OS-000755-GPOS-00220 disa_stig: - - APPL-15-001002 + - APPL-26-001002 800-171r3: - 03.03.01 - 03.03.03 @@ -62,7 +62,7 @@ references: - AU.L2-3.3.6 - SI.L2-3.14.3 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_privacy - 800-53r4_low diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml index 64ed4fac..29cf804d 100644 --- a/rules/audit/audit_folder_group_configure.yaml +++ b/rules/audit/audit_folder_group_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-94124-5 + - CCE-95124-4 cci: - CCI-000162 - CCI-000163 @@ -37,7 +37,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-001015 + - APPL-26-001015 800-171r3: - 03.03.08 cis: @@ -48,7 +48,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate 
diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml index 0d14e2b6..f32a9161 100644 --- a/rules/audit/audit_folder_owner_configure.yaml +++ b/rules/audit/audit_folder_owner_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-94125-2 + - CCE-95125-1 cci: - CCI-000162 - CCI-000163 @@ -37,7 +37,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-001013 + - APPL-26-001013 800-171r3: - 03.03.08 cis: @@ -48,7 +48,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml index ca06b137..269fde33 100644 --- a/rules/audit/audit_folders_mode_configure.yaml +++ b/rules/audit/audit_folders_mode_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-94126-0 + - CCE-95126-9 cci: - CCI-000162 - CCI-000163 @@ -35,7 +35,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-001017 + - APPL-26-001017 800-171r3: - 03.03.08 cis: @@ -46,7 +46,7 @@ references: cmmc: - AU.L2-3.3.8 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml index f0361611..565ae21c 100644 --- a/rules/audit/audit_off_load_records.yaml +++ b/rules/audit/audit_off_load_records.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94127-8 + - CCE-95127-7 cci: - N/A 800-53r5: @@ -30,7 +30,7 @@ references: controls v8: - 8.9 macOS: - - '15.0' + - '26.0' tags: - permanent - cisv8 
diff --git a/rules/audit/audit_record_reduction_report_generation.yaml b/rules/audit/audit_record_reduction_report_generation.yaml index c382361b..3daa2c19 100644 --- a/rules/audit/audit_record_reduction_report_generation.yaml +++ b/rules/audit/audit_record_reduction_report_generation.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94128-6 + - CCE-95128-5 cci: - N/A 800-53r5: @@ -34,7 +34,7 @@ references: cmmc: - AU.L2-3.3.6 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_high - 800-53r4_high diff --git a/rules/audit/audit_records_processing.yaml b/rules/audit/audit_records_processing.yaml index a31b1588..8daaca8a 100644 --- a/rules/audit/audit_records_processing.yaml +++ b/rules/audit/audit_records_processing.yaml @@ -10,7 +10,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94129-4 + - CCE-95129-3 cci: - N/A 800-53r5: @@ -27,7 +27,7 @@ references: cmmc: - AU.L2-3.3.6 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_high - 800-53r4_high diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index 4ffc1a1e..069aa854 100644 --- a/rules/audit/audit_retention_configure.yaml +++ b/rules/audit/audit_retention_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-94130-2 + - CCE-95130-1 cci: - CCI-001849 800-53r5: @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000341-GPOS-00132 disa_stig: - - APPL-15-001029 + - APPL-26-001029 cis: benchmark: - 3.4 (level 1) @@ -39,7 +39,7 @@ references: 800-171r3: - 03.03.03 macOS: - - '15.0' + - '26.0' odv: hint: See man audit_control for possible values. recommended: 7d diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml index 6c244d31..37967d5c 100644 
--- a/rules/audit/audit_settings_failure_notify.yaml +++ b/rules/audit/audit_settings_failure_notify.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-94131-0 + - CCE-95131-9 cci: - CCI-000140 - CCI-001858 @@ -29,13 +29,13 @@ references: - SRG-OS-000047-GPOS-00023 - SRG-OS-000344-GPOS-00135 disa_stig: - - APPL-15-001031 + - APPL-26-001031 800-171r3: - 03.03.04 cmmc: - AU.L2-3.3.4 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml index e65b8e15..6bf3de29 100644 --- a/rules/auth/auth_pam_login_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml @@ -37,7 +37,7 @@ fix: | ---- references: cce: - - CCE-94132-8 + - CCE-95132-7 cci: - CCI-000765 - CCI-000766 @@ -61,7 +61,7 @@ references: - SRG-OS-000105-GPOS-00052 - SRG-OS-000705-GPOS-00150 disa_stig: - - APPL-15-003050 + - APPL-26-003050 800-171r3: - 03.05.03 - 03.05.04 @@ -76,7 +76,7 @@ references: - IA.L2-3.5.3 - IA.L2-3.5.4 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml index 6b85cac1..4c5adeeb 100644 --- a/rules/auth/auth_pam_su_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml @@ -32,7 +32,7 @@ fix: | ---- references: cce: - - CCE-94133-6 + - CCE-95133-5 cci: - CCI-000765 - CCI-000766 @@ -56,7 +56,7 @@ references: - SRG-OS-000105-GPOS-00052 - SRG-OS-000705-GPOS-00150 disa_stig: - - APPL-15-003051 + - APPL-26-003051 800-171r3: - 03.05.03 - 03.05.04 @@ -71,7 +71,7 @@ references: - IA.L2-3.5.3 - IA.L2-3.5.4 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml index fb5d8a23..e22e39e2 100644 --- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml 
+++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml @@ -31,7 +31,7 @@ fix: | ---- references: cce: - - CCE-94134-4 + - CCE-95134-3 cci: - CCI-000765 - CCI-000766 @@ -55,7 +55,7 @@ references: - SRG-OS-000105-GPOS-00052 - SRG-OS-000705-GPOS-00150 disa_stig: - - APPL-15-003052 + - APPL-26-003052 800-171r3: - 03.05.03 - 03.05.04 @@ -70,7 +70,7 @@ references: - IA.L2-3.5.3 - IA.L2-3.5.4 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml index ac8fec81..53b25b62 100644 --- a/rules/auth/auth_smartcard_allow.yaml +++ b/rules/auth/auth_smartcard_allow.yaml @@ -17,7 +17,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94135-1 + - CCE-95135-0 cci: - CCI-000187 - CCI-000765 @@ -42,7 +42,7 @@ references: - SRG-OS-000105-GPOS-00052 - SRG-OS-000068-GPOS-00036 disa_stig: - - APPL-15-003030 + - APPL-26-003030 cis: benchmark: - N/A @@ -57,7 +57,7 @@ references: 800-171r3: - 03.05.03 macOS: - - '15.0' + - '26.0' tags: - 800-171 - 800-53r5_low diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml index fc8e8ede..867c9906 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml @@ -19,7 +19,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94136-9 + - CCE-95136-8 cci: - N/A 800-53r5: @@ -35,13 +35,14 @@ references: cmmc: - SC.L2-3.13.10 macOS: - - '15.0' + - '26.0' tags: - 800-53r4_high - 800-53r5_high - cnssi-1253_high - cnssi-1253_moderate - cnssi-1253_low + - cmmc_lvl2 mobileconfig: true mobileconfig_info: com.apple.security.smartcard: diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml index f10fbaeb..112b2156 100644 
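Review bot: Adding `- cmmc_lvl2` to the tags of `auth_smartcard_certificate_trust_enforce_high` puts this rule in the same generated baseline as its `_moderate` sibling if that rule also carries the tag (the moderate file's tag list is only partly visible in the following hunk, so this is unconfirmed). Both rules deliver a `com.apple.security.smartcard` payload and, from their names, set the same certificate-trust key to different enforcement levels; a baseline should include exactly one of them or the resulting profile carries conflicting values for one key. Please verify the moderate variant is not also tagged `cmmc_lvl2`, and consider recording the intended pairing in the discussion, e.g. `NOTE: mutually exclusive with auth_smartcard_certificate_trust_enforce_moderate; include only one per baseline.` The `mobileconfig_info` payload continues past the end of this hunk.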
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml @@ -19,7 +19,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94137-7 + - CCE-95137-6 cci: - CCI-000186 - CCI-001953 @@ -39,11 +39,11 @@ references: - SRG-OS-000377-GPOS-00162 - SRG-OS-000066-GPOS-00034 disa_stig: - - APPL-15-001060 + - APPL-26-001060 cmmc: - SC.L2-3.13.10 macOS: - - '15.0' + - '26.0' tags: - 800-53r4_moderate - 800-53r5_moderate diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index 707c6b3f..018a095f 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml @@ -21,7 +21,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94138-5 + - CCE-95138-4 cci: - CCI-000186 - CCI-000765 @@ -61,7 +61,7 @@ references: - SRG-OS-000105-GPOS-00052 - SRG-OS-000705-GPOS-00150 disa_stig: - - APPL-15-003020 + - APPL-26-003020 800-171r3: - 03.05.01 - 03.05.03 @@ -79,7 +79,7 @@ references: - IA.L2-3.5.3 - IA.L2-3.5.4 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/auth/auth_ssh_password_authentication_disable.yaml b/rules/auth/auth_ssh_password_authentication_disable.yaml index 891be1e2..29c13300 100644 --- a/rules/auth/auth_ssh_password_authentication_disable.yaml +++ b/rules/auth/auth_ssh_password_authentication_disable.yaml @@ -32,7 +32,7 @@ fix: | ---- references: cce: - - CCE-94139-3 + - CCE-95139-2 cci: - CCI-000186 - CCI-000765 @@ -72,7 +72,7 @@ references: - SRG-OS-000375-GPOS-00160 - SRG-OS-000105-GPOS-00052 disa_stig: - - APPL-15-001150 + - APPL-26-001150 800-171r3: - 03.05.01 - 03.05.03 @@ -92,7 +92,7 @@ references: - IA.L2-3.5.4 - MA.L2-3.7.5 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate 
diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index eadbf33d..1dc20783 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94140-1 + - CCE-95140-0 cci: - CCI-000381 - CCI-001774 @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002014 + - APPL-26-002014 800-171r3: - 03.01.20 - 03.04.06 @@ -49,7 +49,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/icloud/icloud_appleid_system_settings_disable.yaml b/rules/icloud/icloud_appleid_system_settings_disable.yaml index 1da32ca1..efccce25 100644 --- a/rules/icloud/icloud_appleid_system_settings_disable.yaml +++ b/rules/icloud/icloud_appleid_system_settings_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94141-9 + - CCE-95141-8 cci: - N/A 800-53r5: @@ -43,7 +43,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index 53aeb381..0cc05b4a 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94142-7 + - CCE-95142-6 cci: - CCI-000381 - CCI-001774 @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002042 + - APPL-26-002042 800-171r3: - 03.01.20 - 03.04.06 @@ -49,7 +49,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate 
diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index 4bbdc27d..6bec4304 100644 --- a/rules/icloud/icloud_calendar_disable.yaml +++ b/rules/icloud/icloud_calendar_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94143-5 + - CCE-95143-4 cci: - CCI-000381 - CCI-001774 @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002012 + - APPL-26-002012 800-171r3: - 03.01.20 - 03.04.06 @@ -49,7 +49,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index 9f99b039..cfcfbc77 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94144-3 + - CCE-95144-2 cci: - CCI-000381 - CCI-001774 @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002041 + - APPL-26-002041 800-171r3: - 03.01.20 - 03.04.06 @@ -49,7 +49,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/icloud/icloud_freeform_disable.yaml b/rules/icloud/icloud_freeform_disable.yaml index 96ababcb..f236f5a6 100644 --- a/rules/icloud/icloud_freeform_disable.yaml +++ b/rules/icloud/icloud_freeform_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94145-0 + - CCE-95145-9 cci: - CCI-000381 - CCI-001774 @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002270 + - APPL-26-002270 800-171r3: - 03.01.20 - 03.04.06 @@ -49,7 +49,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate 
diff --git a/rules/icloud/icloud_game_center_disable.yaml b/rules/icloud/icloud_game_center_disable.yaml index 3a4c6050..3a1c6dba 100644 --- a/rules/icloud/icloud_game_center_disable.yaml +++ b/rules/icloud/icloud_game_center_disable.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94146-8 + - CCE-95146-7 cci: - CCI-000381 800-53r5: @@ -31,7 +31,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002160 + - APPL-26-002160 800-171r3: - 03.01.20 - 03.04.06 @@ -47,7 +47,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index 5ad4faeb..3120ec26 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94147-6 + - CCE-95147-5 cci: - CCI-001774 - CCI-000381 @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002040 + - APPL-26-002040 800-171r3: - 03.01.20 - 03.04.06 @@ -49,7 +49,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index 7d1f6d78..533595d6 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94148-4 + - CCE-95148-3 cci: - CCI-000381 - CCI-001774 @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002015 + - APPL-26-002015 800-171r3: - 03.01.20 - 03.04.06 @@ -49,7 +49,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate 
diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index c5256e7c..036db2e2 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94149-2 + - CCE-95149-1 cci: - CCI-000381 - CCI-001774 @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002016 + - APPL-26-002016 800-171r3: - 03.01.20 - 03.04.06 @@ -49,7 +49,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index 4b0890e0..69984ef1 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94150-0 + - CCE-95150-9 cci: - CCI-000381 - CCI-001774 @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002043 + - APPL-26-002043 800-171r3: - 03.01.20 - 03.04.06 @@ -49,7 +49,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml index 59863f73..1dcaa632 100644 --- a/rules/icloud/icloud_private_relay_disable.yaml +++ b/rules/icloud/icloud_private_relay_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94151-8 + - CCE-95151-7 cci: - CCI-000381 800-53r5: @@ -32,7 +32,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002170 + - APPL-26-002170 800-171r3: - 03.01.20 - 03.04.06 @@ -48,7 +48,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate 
diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index 34530845..a07a3c67 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94152-6 + - CCE-95152-5 cci: - CCI-000381 - CCI-001774 @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002013 + - APPL-26-002013 800-171r3: - 03.01.20 - 03.04.06 @@ -49,7 +49,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index 68d00d7c..4eabfb94 100644 --- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94153-4 + - CCE-95153-3 cci: - CCI-000381 800-53r5: @@ -32,7 +32,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002150 + - APPL-26-002150 800-171r3: - 03.01.20 - 03.04.06 @@ -48,7 +48,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_access_control_mobile_devices.yaml b/rules/os/os_access_control_mobile_devices.yaml index 3c7531a4..58d82799 100644 --- a/rules/os/os_access_control_mobile_devices.yaml +++ b/rules/os/os_access_control_mobile_devices.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94154-2 + - CCE-95154-1 cci: - N/A 800-53r5: @@ -33,7 +33,7 @@ references: 800-171r3: - 03.01.18 macOS: - - '15.0' + - '26.0' tags: - 800-171 - 800-53r5_low 
diff --git a/rules/os/os_account_modification_disable.yaml b/rules/os/os_account_modification_disable.yaml index b104b50b..b6cc8308 100644 --- a/rules/os/os_account_modification_disable.yaml +++ b/rules/os/os_account_modification_disable.yaml @@ -22,7 +22,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94155-9 + - CCE-95155-8 cci: - CCI-000381 800-53r5: @@ -39,7 +39,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002120 + - APPL-26-002120 800-171r3: - 03.01.20 - 03.04.06 @@ -54,7 +54,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 299f1bda..7ffc4a41 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94156-7 + - CCE-95156-6 cci: - CCI-000213 - CCI-000381 @@ -34,7 +34,7 @@ references: - SRG-OS-000080-GPOS-00048 - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002009 + - APPL-26-002009 800-171r3: - 03.01.02 - 03.01.20 @@ -52,7 +52,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_allow_info_passed.yaml b/rules/os/os_allow_info_passed.yaml index d40825e2..ab4bd608 100644 --- a/rules/os/os_allow_info_passed.yaml +++ b/rules/os/os_allow_info_passed.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94157-5 + - CCE-95157-4 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - SRG-OS-000312-GPOS-00122 macOS: - - '15.0' + - '26.0' tags: - inherent - cnssi-1253_low diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml index 0ac67cf5..b66b82c4 100644 --- a/rules/os/os_anti_virus_installed.yaml 
+++ b/rules/os/os_anti_virus_installed.yaml @@ -18,7 +18,7 @@ fix: | NOTE: These services cannot be unloaded or loaded while System Integrity Protection (SIP) is enabled. references: cce: - - CCE-94158-3 + - CCE-95158-2 cci: - CCI-000366 800-53r5: @@ -37,7 +37,7 @@ references: - 10.1 - 10.2 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml index 6fa1812c..03579e86 100644 --- a/rules/os/os_appleid_prompt_disable.yaml +++ b/rules/os/os_appleid_prompt_disable.yaml @@ -5,9 +5,9 @@ discussion: | macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first login. check: | - /usr/bin/osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript 2>/dev/null << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ - .objectForKey('SkipCloudSetup').js + .objectForKey('SkipSetupItems').containsObject("AppleID") EOS result: string: 'true' @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94159-1 + - CCE-95159-0 cci: - CCI-000381 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002035 + - APPL-26-002035 800-171r3: - 03.01.20 cis: @@ -37,7 +37,7 @@ references: cmmc: - AC.L1-3.1.20 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate @@ -57,4 +57,5 @@ severity: medium mobileconfig: true mobileconfig_info: com.apple.SetupAssistant.managed: - SkipCloudSetup: true + SkipSetupItems: + - AppleID diff --git a/rules/os/os_application_sandboxing.yaml b/rules/os/os_application_sandboxing.yaml index acd59d96..767cfa96 100644 --- a/rules/os/os_application_sandboxing.yaml +++ b/rules/os/os_application_sandboxing.yaml 
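Review bot: The rewritten check `.objectForKey('SkipSetupItems').containsObject("AppleID")` and the new `mobileconfig_info` entry `SkipSetupItems: [AppleID]` both key on an array in `com.apple.SetupAssistant.managed`; if any sibling rule also emits `SkipSetupItems` for that domain (other Setup Assistant prompt rules seem likely, though none is visible here), the profile generator has to merge the arrays into one payload, otherwise the last payload wins and an earlier skip entry silently disappears. A one-line caveat in the discussion would prevent that, e.g. `NOTE: SkipSetupItems is an array; every Setup Assistant skip for this domain must be delivered in a single payload.` The added `2>/dev/null` makes a missing key and a failed JXA bridge both produce no `true` output, so the rule fails closed but no longer distinguishes "not configured" from "check could not run". Hosts still carrying only the previous `SkipCloudSetup: true` key will now report as findings until they receive the new profile, which is worth calling out in the release notes.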
@@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94160-9 + - CCE-95160-8 800-53r5: - SC-39 800-53r4: @@ -24,7 +24,7 @@ references: cci: - N/A macOS: - - '15.0' + - '26.0' tags: - inherent - 800-53r5_low diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml index 1798a516..f798d363 100644 --- a/rules/os/os_asl_log_files_owner_group_configure.yaml +++ b/rules/os/os_asl_log_files_owner_group_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-94161-7 + - CCE-95161-6 cci: - CCI-001312 - CCI-001314 @@ -27,11 +27,11 @@ references: - SRG-OS-000206-GPOS-00084 - SRG-OS-000205-GPOS-00083 disa_stig: - - APPL-15-004001 + - APPL-26-004001 800-171r3: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml index ab9ca237..737d52d7 100644 --- a/rules/os/os_asl_log_files_permissions_configure.yaml +++ b/rules/os/os_asl_log_files_permissions_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-94162-5 + - CCE-95162-4 cci: - CCI-001312 - CCI-001314 @@ -25,11 +25,11 @@ references: - SRG-OS-000206-GPOS-00084 - SRG-OS-000205-GPOS-00083 disa_stig: - - APPL-15-004002 + - APPL-26-004002 800-171r3: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml index b147cfe1..1f0b0633 100644 --- a/rules/os/os_auth_peripherals.yaml +++ b/rules/os/os_auth_peripherals.yaml @@ -8,7 +8,7 @@ fix: | This requirement is a permanent finding and can be fixed by implementing a third party solution. references: cce: - - CCE-94163-3 + - CCE-95163-2 cci: - N/A 800-53r5: @@ -30,7 +30,7 @@ references: cmmc: - IA.L1-3.5.2 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high 
diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml index d5c496d1..5feae9f0 100644 --- a/rules/os/os_authenticated_root_enable.yaml +++ b/rules/os/os_authenticated_root_enable.yaml @@ -9,7 +9,7 @@ discussion: | WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input. check: | - /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "AuthenticatedRootVolumeEnabled = 1;" + /usr/libexec/mdmclient QuerySecurityInfo 2>/dev/null | /usr/bin/grep -c "AuthenticatedRootVolumeEnabled = 1;" result: integer: 1 fix: | @@ -20,7 +20,7 @@ fix: | NOTE: To re-enable "Authenticated Root", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command. references: cce: - - CCE-94164-1 + - CCE-95164-0 cci: - CCI-000213 800-53r5: @@ -39,7 +39,7 @@ references: srg: - SRG-OS-000080-GPOS-00048 disa_stig: - - APPL-15-005070 + - APPL-26-005070 800-171r3: - 03.01.02 - 03.04.05 @@ -54,7 +54,7 @@ references: - CM.L2-3.4.5 - SC.L2-3.13.11 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml index d73f9d3a..b49531b8 100644 --- a/rules/os/os_blank_bluray_disable.yaml +++ b/rules/os/os_blank_bluray_disable.yaml @@ -23,7 +23,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94165-8 + - CCE-95165-7 cci: - N/A 800-53r5: @@ -40,7 +40,7 @@ references: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - '15.0' + - '26.0' tags: - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml index 6c1e4d31..b0ac12fc 100644 --- a/rules/os/os_blank_cd_disable.yaml +++ b/rules/os/os_blank_cd_disable.yaml @@ -23,7 +23,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94166-6 + - CCE-95166-5 cci: - N/A 800-53r5: 
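Review bot: With stderr discarded in `/usr/libexec/mdmclient QuerySecurityInfo 2>/dev/null | /usr/bin/grep -c "AuthenticatedRootVolumeEnabled = 1;"`, a query that fails outright yields `0` from `grep -c` and is indistinguishable from a system where authenticated root is genuinely disabled; that is fail-closed, but the operator sees a compliance finding rather than an error. The discussion's warning about `csrutil` hanging when several macOS partitions exist applies to the fix run from Recovery, not to this mdmclient check, so the two cases are worth separating, e.g. `NOTE: a check result of 0 can also mean mdmclient could not be queried; confirm before remediating.` The rest of the rule body, including the fix text that invokes csrutil, lies outside this hunk.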
@@ -40,7 +40,7 @@ references: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - '15.0' + - '26.0' tags: - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml index 14e159f5..ad71f3d8 100644 --- a/rules/os/os_blank_dvd_disable.yaml +++ b/rules/os/os_blank_dvd_disable.yaml @@ -23,7 +23,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94167-4 + - CCE-95167-3 cci: - N/A 800-53r5: @@ -40,7 +40,7 @@ references: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - '15.0' + - '26.0' tags: - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_bluray_read_only_enforce.yaml b/rules/os/os_bluray_read_only_enforce.yaml index a06433fc..535498b3 100644 --- a/rules/os/os_bluray_read_only_enforce.yaml +++ b/rules/os/os_bluray_read_only_enforce.yaml @@ -23,7 +23,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94168-2 + - CCE-95168-1 cci: - N/A 800-53r5: @@ -40,7 +40,7 @@ references: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - '15.0' + - '26.0' tags: - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml index 32e8aac5..44acd529 100644 --- a/rules/os/os_bonjour_disable.yaml +++ b/rules/os/os_bonjour_disable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94169-0 + - CCE-95169-9 cci: - CCI-000381 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002005 + - APPL-26-002005 800-171r3: - 03.04.06 cis: @@ -38,7 +38,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_burn_support_disable.yaml b/rules/os/os_burn_support_disable.yaml index 54df6276..fe6931e8 100644 --- a/rules/os/os_burn_support_disable.yaml +++ b/rules/os/os_burn_support_disable.yaml 
@@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94170-8 + - CCE-95170-7 cci: - N/A 800-53r5: @@ -32,7 +32,7 @@ references: 800-171r3: - 03.08.07 macOS: - - '15.0' + - '26.0' tags: - 800-171 - cnssi-1253_low diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml index 6ea1fe6f..b2f3d20d 100644 --- a/rules/os/os_calendar_app_disable.yaml +++ b/rules/os/os_calendar_app_disable.yaml @@ -33,7 +33,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94171-6 + - CCE-95171-5 cci: - N/A 800-53r5: @@ -62,7 +62,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml index 0dd8f3eb..ffddc2c5 100644 --- a/rules/os/os_camera_disable.yaml +++ b/rules/os/os_camera_disable.yaml @@ -25,7 +25,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94172-4 + - CCE-95172-3 cci: - CCI-000381 - CCI-001774 @@ -36,9 +36,9 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002017 + - APPL-26-002017 macOS: - - '15.0' + - '26.0' tags: - stig severity: medium diff --git a/rules/os/os_cd_read_only_enforce.yaml b/rules/os/os_cd_read_only_enforce.yaml index 59b7e717..acace580 100644 --- a/rules/os/os_cd_read_only_enforce.yaml +++ b/rules/os/os_cd_read_only_enforce.yaml @@ -23,7 +23,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94173-2 + - CCE-95173-1 cci: - N/A 800-53r5: @@ -40,7 +40,7 @@ references: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - '15.0' + - '26.0' tags: - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_certificate_authority_trust.yaml b/rules/os/os_certificate_authority_trust.yaml index d4d96c29..307b23e1 100644 --- a/rules/os/os_certificate_authority_trust.yaml +++ b/rules/os/os_certificate_authority_trust.yaml 
@@ -10,7 +10,7 @@ fix: | Obtain the approved certificates from the appropriate authority and install them to the System Keychain. references: cce: - - CCE-94174-0 + - CCE-95174-9 cci: - CCI-002470 - CCI-000185 @@ -24,11 +24,11 @@ references: - SRG-OS-000403-GPOS-00182 - SRG-OS-000775-GPOS-00230 disa_stig: - - APPL-15-003001 + - APPL-26-003001 cmmc: - SC.L2-3.13.10 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_change_security_attributes.yaml b/rules/os/os_change_security_attributes.yaml index a425332a..a2b4adc8 100644 --- a/rules/os/os_change_security_attributes.yaml +++ b/rules/os/os_change_security_attributes.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94175-7 + - CCE-95175-6 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - SRG-OS-000312-GPOS-00123 macOS: - - '15.0' + - '26.0' tags: - inherent - cnssi-1253_low diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index 2c45b4e1..4ddce557 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml @@ -19,7 +19,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94176-5 + - CCE-95176-4 cci: - CCI-000366 800-53r5: @@ -30,12 +30,12 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-15-005130 + - APPL-26-005130 800-171r3: - 03.14.02 cis: benchmark: - - 1.6 (level 1) + - 1.5 (level 1) controls v8: - 7.3 - 7.4 @@ -45,7 +45,7 @@ references: - SI.L1-3.14.2 - SI.L1-3.14.4 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_config_profile_ui_install_disable.yaml b/rules/os/os_config_profile_ui_install_disable.yaml index 1757afe9..0270f07d 100644 --- a/rules/os/os_config_profile_ui_install_disable.yaml +++ b/rules/os/os_config_profile_ui_install_disable.yaml 
@@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94177-3 + - CCE-95177-2 cci: - N/A 800-53r5: @@ -32,7 +32,7 @@ references: disa_stig: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_continuous_monitoring.yaml b/rules/os/os_continuous_monitoring.yaml index fe591422..5dd2d303 100644 --- a/rules/os/os_continuous_monitoring.yaml +++ b/rules/os/os_continuous_monitoring.yaml @@ -8,7 +8,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94178-1 + - CCE-95178-0 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: disa_stig: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_crypto_audit.yaml b/rules/os/os_crypto_audit.yaml index 538d7c27..56f63d96 100644 --- a/rules/os/os_crypto_audit.yaml +++ b/rules/os/os_crypto_audit.yaml @@ -14,7 +14,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94179-9 + - CCE-95179-8 cci: - N/A 800-53r5: @@ -26,7 +26,7 @@ references: srg: - SRG-OS-000278-GPOS-00108 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_high - 800-53r4_high diff --git a/rules/os/os_dictation_disable.yaml b/rules/os/os_dictation_disable.yaml index f7f6f69b..0627899c 100644 --- a/rules/os/os_dictation_disable.yaml +++ b/rules/os/os_dictation_disable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94180-7 + - CCE-95180-6 cci: - CCI-000381 800-53r5: @@ -28,7 +28,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002230 + - APPL-26-002230 800-171r3: - 03.01.20 - 03.04.06 @@ -43,7 +43,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - i386 - 800-53r5_low 
diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index 2a18b4ef..4de41f82 100644 --- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml @@ -12,7 +12,7 @@ fix: | Integrate the system into an existing directory services infrastructure. references: cce: - - CCE-94181-5 + - CCE-95181-4 cci: - N/A 800-53r5: @@ -29,7 +29,7 @@ references: controls v8: - 6.7 macOS: - - '15.0' + - '26.0' tags: - cisv8 severity: medium diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml index c4099522..f89f6839 100644 --- a/rules/os/os_disk_image_disable.yaml +++ b/rules/os/os_disk_image_disable.yaml @@ -23,7 +23,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94182-3 + - CCE-95182-2 cci: - N/A 800-53r5: @@ -40,7 +40,7 @@ references: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - '15.0' + - '26.0' tags: - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml index bf78a4f4..7c6674fe 100644 --- a/rules/os/os_dvdram_disable.yaml +++ b/rules/os/os_dvdram_disable.yaml @@ -23,7 +23,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94183-1 + - CCE-95183-0 cci: - N/A 800-53r5: @@ -40,7 +40,7 @@ references: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - '15.0' + - '26.0' tags: - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_enforce_access_restrictions.yaml b/rules/os/os_enforce_access_restrictions.yaml index 5e4bacc7..2f0f112a 100644 --- a/rules/os/os_enforce_access_restrictions.yaml +++ b/rules/os/os_enforce_access_restrictions.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94184-9 + - CCE-95184-8 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - SRG-OS-000364-GPOS-00151 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_high - 800-53r4_high 
diff --git a/rules/os/os_erase_content_and_settings_disable.yaml b/rules/os/os_erase_content_and_settings_disable.yaml index b63adc2c..0912ef18 100644 --- a/rules/os/os_erase_content_and_settings_disable.yaml +++ b/rules/os/os_erase_content_and_settings_disable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94185-6 + - CCE-95185-5 cci: - CCI-000366 - CCI-000381 @@ -27,14 +27,14 @@ references: - SRG-OS-000480-GPOS-00227 - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-005061 + - APPL-26-005061 cmmc: - CM.L2-3.4.6 - CM.L2-3.4.7 800-171r3: - 03.04.06 macOS: - - '15.0' + - '26.0' tags: - 800-171 - cnssi-1253_low diff --git a/rules/os/os_error_message.yaml b/rules/os/os_error_message.yaml index 2d1d25cc..74a4df0c 100644 --- a/rules/os/os_error_message.yaml +++ b/rules/os/os_error_message.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94186-4 + - CCE-95186-3 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - '15.0' + - '26.0' tags: - inherent mobileconfig: false diff --git a/rules/os/os_ess_installed.yaml b/rules/os/os_ess_installed.yaml index dcd4bad2..e7d50881 100644 --- a/rules/os/os_ess_installed.yaml +++ b/rules/os/os_ess_installed.yaml @@ -11,7 +11,7 @@ fix: | Install the approved ESS solution onto the system. references: cce: - - CCE-94187-2 + - CCE-95187-1 cci: - CCI-001233 800-53r5: @@ -23,11 +23,10 @@ references: disa_stig: - N/A macOS: - - '15.0' + - '26.0' tags: - manual - cisv8 - - stig severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_external_storage_access_defined.yaml b/rules/os/os_external_storage_access_defined.yaml index eec76c03..975b34bc 100644 --- a/rules/os/os_external_storage_access_defined.yaml +++ b/rules/os/os_external_storage_access_defined.yaml 
@@ -5,14 +5,14 @@ discussion: |- NOTE: Apple's built in method using declative device management method only allows you to set external storage manament to Allowed, ReadOnly, and Disallowed. check: | - /usr/bin/plutil -convert json /var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist -o - | /usr/bin/jq '.Restrictions | .ExternalStorage' + /usr/bin/plutil -convert json /var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist -o - | /usr/bin/jq --raw-output '.Restrictions.ExternalStorage' result: string: $ODV fix: | - This is implemented by a Declarative Device Management. + This is implemented by Declarative Device Management (DDM). references: cce: - - CCE-94188-0 + - CCE-95188-9 cci: - N/A 800-53r5: @@ -30,7 +30,7 @@ odv: hint: Allowed, ReadOnly, or Disallowed recommended: Allowed macOS: - - '15.0' + - '26.0' tags: - cmmc_lvl2 - 800-53r5_low diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml index c437113b..2900b221 100644 --- a/rules/os/os_facetime_app_disable.yaml +++ b/rules/os/os_facetime_app_disable.yaml @@ -30,7 +30,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94189-8 + - CCE-95189-7 cci: - CCI-000381 800-53r5: @@ -44,7 +44,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002010 + - APPL-26-002010 800-171r3: - 03.01.20 - 03.04.06 @@ -59,7 +59,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_fail_secure_state.yaml b/rules/os/os_fail_secure_state.yaml index 090032a2..b8599da0 100644 --- a/rules/os/os_fail_secure_state.yaml +++ b/rules/os/os_fail_secure_state.yaml @@ -14,7 +14,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94190-6 + - CCE-95190-5 cci: - N/A 800-53r5: 
@@ -27,7 +27,7 @@ references: - SRG-OS-000269-GPOS-00103 - SRG-OS-000184-GPOS-00078 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_high - 800-53r4_high diff --git a/rules/os/os_filevault_authorized_users.yaml b/rules/os/os_filevault_authorized_users.yaml index a4ad1525..ef5ab939 100644 --- a/rules/os/os_filevault_authorized_users.yaml +++ b/rules/os/os_filevault_authorized_users.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-94191-4 + - CCE-95191-3 cci: - N/A 800-53r5: @@ -27,7 +27,7 @@ references: disa_stig: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_high - manual diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml index 4b3eac65..2967f34d 100644 --- a/rules/os/os_filevault_autologin_disable.yaml +++ b/rules/os/os_filevault_autologin_disable.yaml @@ -17,7 +17,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94192-2 + - CCE-95192-1 cci: - CCI-000213 - CCI-000366 @@ -32,7 +32,7 @@ references: srg: - SRG-OS-000080-GPOS-00048 disa_stig: - - APPL-15-000033 + - APPL-26-000033 800-171r3: - 03.01.02 cis: @@ -44,7 +44,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_firewall_default_deny_require.yaml b/rules/os/os_firewall_default_deny_require.yaml index 5e1c75b2..cd670598 100644 --- a/rules/os/os_firewall_default_deny_require.yaml +++ b/rules/os/os_firewall_default_deny_require.yaml @@ -21,7 +21,7 @@ fix: | NOTE: See the firewall supplemental which includes a script that has an example policy to implement this rule. references: cce: - - CCE-94193-0 + - CCE-95193-9 cci: - N/A 800-53r5: @@ -41,7 +41,7 @@ references: - AC.L2-3.1.3 - SC.L2-3.13.6 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml index a7c6687f..d40758c8 100644 
--- a/rules/os/os_firmware_password_require.yaml +++ b/rules/os/os_firmware_password_require.yaml @@ -23,7 +23,7 @@ fix: | NOTE: See discussion on remediation and how to enable firmware password. references: cce: - - CCE-94194-8 + - CCE-95194-7 cci: - CCI-000366 800-53r5: @@ -33,14 +33,14 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-15-003013 + - APPL-26-003013 800-171r3: - 03.01.05 cmmc: - AC.L1-3.1.1 - AC.L2-3.1.5 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml index b8dc0976..a84e3d0b 100644 --- a/rules/os/os_gatekeeper_enable.yaml +++ b/rules/os/os_gatekeeper_enable.yaml @@ -17,7 +17,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94195-5 + - CCE-95195-4 cci: - CCI-001749 - CCI-003992 @@ -36,7 +36,7 @@ references: - SRG-OS-000366-GPOS-00153 - SRG-OS-000480-GPOS-00228 disa_stig: - - APPL-15-002064 + - APPL-26-002064 800-171r3: - 03.14.02 cis: @@ -52,7 +52,7 @@ references: - SI.L1-3.14.2 - SI.L1-3.14.4 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_genmoji_disable.yaml b/rules/os/os_genmoji_disable.yaml index da1351e3..02e13d90 100644 --- a/rules/os/os_genmoji_disable.yaml +++ b/rules/os/os_genmoji_disable.yaml @@ -1,7 +1,7 @@ id: os_genmoji_disable title: Disable Genmoji AI Creation discussion: |- - Apple Intelligence features such as Genmoji that use off device AI _MUST_ be disabled. + Apple Intelligence features such as Genmoji _MUST_ be disabled. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ 
@@ -13,29 +13,24 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94196-3 + - CCE-95196-2 cci: - CCI-000381 - CCI-001774 srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-005140 + - APPL-26-005140 800-53r5: - - AC-20 - - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) 800-171r3: - - 03.01.20 - 03.04.06 cmmc: - - AC.L1-3.1.20 - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_grant_privs.yaml b/rules/os/os_grant_privs.yaml index 9d6c8e37..eddaa120 100644 --- a/rules/os/os_grant_privs.yaml +++ b/rules/os/os_grant_privs.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94197-1 + - CCE-95197-0 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - SRG-OS-000312-GPOS-00124 macOS: - - '15.0' + - '26.0' tags: - inherent - cnssi-1253_low diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml index a75924c6..b20a1fcc 100644 --- a/rules/os/os_guest_folder_removed.yaml +++ b/rules/os/os_guest_folder_removed.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-94198-9 + - CCE-95198-8 cci: - N/A 800-53r5: @@ -32,7 +32,7 @@ references: controls v8: - 4.1 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml index 00c907f3..937837b8 100644 --- a/rules/os/os_handoff_disable.yaml +++ b/rules/os/os_handoff_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94199-7 + - CCE-95199-6 cci: - CCI-000213 - CCI-000381 @@ -35,7 +35,7 @@ references: - SRG-OS-000080-GPOS-00048 - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-005058 + - APPL-26-005058 800-171r3: - 03.01.02 - 03.01.20 @@ -52,7 +52,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate 
diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml index 93fcc670..f777cdfc 100644 --- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml +++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94201-1 + - CCE-95200-2 cci: - N/A 800-53r5: @@ -32,7 +32,7 @@ references: controls v8: - N/A macOS: - - '15.0' + - '26.0' tags: - none mobileconfig: true diff --git a/rules/os/os_hibernate_mode_intel_enable.yaml b/rules/os/os_hibernate_mode_intel_enable.yaml index 0e1e8256..595b46ce 100644 --- a/rules/os/os_hibernate_mode_intel_enable.yaml +++ b/rules/os/os_hibernate_mode_intel_enable.yaml @@ -38,7 +38,7 @@ fix: | ---- references: cce: - - CCE-94202-9 + - CCE-95201-0 cci: - N/A 800-53r5: @@ -57,7 +57,7 @@ references: controls v8: - N/A macOS: - - '15.0' + - '26.0' tags: - none mobileconfig: false diff --git a/rules/os/os_home_folders_default.yaml b/rules/os/os_home_folders_default.yaml index 7ca64f56..fbe2137b 100644 --- a/rules/os/os_home_folders_default.yaml +++ b/rules/os/os_home_folders_default.yaml @@ -33,7 +33,7 @@ fix: |- NOTE: Using the `/usr/sbin/diskutil resetUserPermissions` command will only reset the permissions on the default folder set. Other folders in the home directory will not be affected. references: cce: - - CCE-94203-7 + - CCE-95202-8 cci: - N/A 800-53r5: @@ -52,7 +52,7 @@ references: controls v8: - N/A macOS: - - '15.0' + - '26.0' tags: - manual - cnssi-1253_moderate diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml index f5656b85..fa9d51b6 100644 --- a/rules/os/os_home_folders_secure.yaml +++ b/rules/os/os_home_folders_secure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-94204-5 + - CCE-95203-6 cci: - CCI-000366 800-53r5: 
@@ -30,7 +30,7 @@ references: - SRG-OS-000480-GPOS-00230 - SRG-OS-000480-GPOS-00228 disa_stig: - - APPL-15-002068 + - APPL-26-002068 800-171r3: - 03.01.05 cis: @@ -40,9 +40,11 @@ references: - 3.3 cmmc: - AC.L1-3.1.1 + - AC.L1-3.1.2 - AC.L2-3.1.5 + - AC.L2-3.1.6 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml index dce75fc3..b6e8ef7e 100644 --- a/rules/os/os_httpd_disable.yaml +++ b/rules/os/os_httpd_disable.yaml @@ -1,21 +1,33 @@ id: os_httpd_disable title: Disable the Built-in Web Server discussion: | - The built-in web server is a non-essential service built into macOS and _MUST_ be disabled. + The built-in web server which is managed by launchd is a non-essential service built into macOS and _MUST_ be disabled and not running. NOTE: The built in web server service is disabled at startup by default macOS. check: | - /bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => disabled' + result="FAIL" + enabled=$(/bin/launchctl print-disabled system | /usr/bin/grep '"org.apache.httpd" => enabled') + running=$(/bin/launchctl print system/org.apache.httpd 2>/dev/null) + + if [[ -z "$running" ]] && [[ -z "$enabled" ]]; then + result="PASS" + elif [[ -n "$running" ]]; then + result=result+" RUNNING" + elif [[ -n "$enabled" ]]; then + result=result+" ENABLED" + fi + echo $result result: - integer: 1 + string: PASS fix: | [source,bash] ---- + /usr/sbin/apachectl stop 2>/dev/null /bin/launchctl disable system/org.apache.httpd ---- references: cce: - - CCE-94205-2 + - CCE-95204-4 cci: - CCI-000213 800-53r5: @@ -26,7 +38,7 @@ references: srg: - SRG-OS-000080-GPOS-00048 disa_stig: - - APPL-15-002008 + - APPL-26-002008 800-171r3: - 03.01.02 - 03.04.06 @@ -39,7 +51,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate 
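Review bot: In the new check for os_httpd_disable, `result=result+" RUNNING"` and `result=result+" ENABLED"` are plain assignments rather than concatenation, so a non-compliant host echoes the literal text `result+ RUNNING` instead of `FAIL RUNNING`; use `result+=" RUNNING"` and `result+=" ENABLED"`, and quote the final line as `echo "$result"`. The pass/fail verdict is unaffected because neither string equals PASS, but the diagnostic text that ends up in compliance reports is wrong. Separately, the old check required an explicit `"org.apache.httpd" => disabled` entry, whereas the new one passes whenever no `=> enabled` entry is found and the service is not loaded; a host where launchd lists no override for the service at all is now treated as compliant, which appears to lean on the default-disabled note in the discussion — worth confirming that is the intended fail-open behavior.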
diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml index d988a2a3..23933471 100644 --- a/rules/os/os_icloud_storage_prompt_disable.yaml +++ b/rules/os/os_icloud_storage_prompt_disable.yaml @@ -5,9 +5,9 @@ discussion: | The default behavior of macOS is to prompt new users to set up storage in iCloud. Disabling the iCloud storage setup prompt provides organizations more control over the storage of their data. check: | - /usr/bin/osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript 2>/dev/null << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ - .objectForKey('SkipiCloudStorageSetup').js + .objectForKey('SkipSetupItems').containsObject("iCloudStorage") EOS result: string: 'true' @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94206-0 + - CCE-95205-1 cci: - CCI-000381 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002037 + - APPL-26-002037 800-171r3: - 03.01.20 - 03.04.06 @@ -38,7 +38,7 @@ references: cmmc: - AC.L1-3.1.20 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate @@ -58,4 +58,5 @@ severity: medium mobileconfig: true mobileconfig_info: com.apple.SetupAssistant.managed: - SkipiCloudStorageSetup: true + SkipSetupItems: + - iCloudStorage diff --git a/rules/os/os_identify_non-org_users.yaml b/rules/os/os_identify_non-org_users.yaml index abc51d3b..80bb97f5 100644 --- a/rules/os/os_identify_non-org_users.yaml +++ b/rules/os/os_identify_non-org_users.yaml @@ -8,7 +8,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - CCE-94207-8 + - CCE-95206-9 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate 
diff --git a/rules/os/os_image_generation_disable.yaml b/rules/os/os_image_playground_disable.yaml similarity index 74% rename from rules/os/os_image_generation_disable.yaml rename to rules/os/os_image_playground_disable.yaml index baff77db..5b6f61be 100644 --- a/rules/os/os_image_generation_disable.yaml +++ b/rules/os/os_image_playground_disable.yaml @@ -1,7 +1,7 @@ -id: os_image_generation_disable -title: Disable AI Image Generation +id: os_image_playground_disable +title: Disable Apple Intelligence Image Playground discussion: |- - Apple Intelligence features that use off device AI _MUST_ be disabled. + Apple Intelligence features such as Image Playground _MUST_ be disabled. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -13,29 +13,24 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94208-6 + - CCE-95207-7 cci: - CCI-000381 - CCI-001774 srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-005150 + - APPL-26-005150 800-53r5: - - AC-20 - - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) 800-171r3: - - 03.01.20 - 03.04.06 cmmc: - - AC.L1-3.1.20 - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml index 64fcf9a8..15d5a45b 100644 --- a/rules/os/os_implement_cryptography.yaml +++ b/rules/os/os_implement_cryptography.yaml 
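Review bot: The first hunk changes the rule id from os_image_generation_disable to os_image_playground_disable, and any baseline or custom rule list that still names the old id would no longer resolve; this diff does not show whether those references were updated, so that is worth confirming. The second hunk drops AC-20, AC-20(1), SC-7(10), 03.01.20 and AC.L1-3.1.20, which is consistent with removing "off device AI" from the discussion, and the same trimming is applied in os_genmoji_disable; a short line in the commit description explaining why those controls no longer apply would help auditors who mapped to them.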
@@ -5,18 +5,18 @@ discussion: | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government. - Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Sequoia will be submitted for FIPS validation. + Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Tahoe for Apple Silicion will be submitted for FIPS validation. macOS Tahoe for Intel based processors will _NOT_ be submitted for FIPS validation. link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[] - link:https://support.apple.com/en-us/HT201159[] + link:https://support.apple.com/guide/sccc/welcome/web[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement using FIPS Validated Cryptographic Modules. fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94209-4 + - CCE-95208-5 cci: - N/A 800-53r5: @@ -35,7 +35,7 @@ references: - MP.L2-3.8.6 - SC.L2-3.13.11 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml index 2b4af6b5..7ed781a5 100644 --- a/rules/os/os_implement_memory_protection.yaml +++ b/rules/os/os_implement_memory_protection.yaml @@ -18,7 +18,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94210-2 + - CCE-95209-3 cci: - N/A 800-53r5: 
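Review bot: The rewritten discussion line misspells "Silicon" as "Silicion"; it should read `macOS Tahoe for Apple Silicon will be submitted for FIPS validation.` The same line now states that macOS Tahoe on Intel will _NOT_ be submitted for FIPS validation, yet the unchanged `check:` text just below still asserts the technology "inherently meets this requirement using FIPS Validated Cryptographic Modules" — on Intel hardware that claim no longer holds as written. Consider qualifying the check text (or scoping the rule with the `i386` tag the project already uses elsewhere in this diff) so the inherent-compliance statement is not reported for platforms the discussion itself excludes.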
@@ -31,7 +31,7 @@ references: - SRG-OS-000433-GPOS-00193 - SRG-OS-000433-GPOS-00192 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_information_validation.yaml b/rules/os/os_information_validation.yaml index 0b6abc9b..ee57481d 100644 --- a/rules/os/os_information_validation.yaml +++ b/rules/os/os_information_validation.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - CCE-94211-0 + - CCE-95210-1 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_install_log_retention_configure.yaml b/rules/os/os_install_log_retention_configure.yaml index 278ea478..d022ab54 100644 --- a/rules/os/os_install_log_retention_configure.yaml +++ b/rules/os/os_install_log_retention_configure.yaml @@ -15,7 +15,7 @@ fix: | NOTE: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed. references: cce: - - CCE-94212-8 + - CCE-95211-9 cci: - CCI-001849 800-53r5: @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000341-GPOS-00132 disa_stig: - - APPL-15-004050 + - APPL-26-004050 800-171r3: - 03.03.03 cis: @@ -39,7 +39,7 @@ references: cmmc: - AU.L2-3.3.1 macOS: - - '15.0' + - '26.0' odv: hint: Number of days. recommended: 365 diff --git a/rules/os/os_iphone_mirroring_disable.yaml b/rules/os/os_iphone_mirroring_disable.yaml index a5ee66cd..dad216e6 100644 --- a/rules/os/os_iphone_mirroring_disable.yaml +++ b/rules/os/os_iphone_mirroring_disable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile references: cce: - - CCE-94213-6 + - CCE-95212-7 cci: - CCI-000213 - CCI-000381 @@ -33,7 +33,7 @@ references: - SRG-OS-000080-GPOS-00048 - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002271 + - APPL-26-002271 800-171r3: - 03.01.02 - 03.01.20 
@@ -51,7 +51,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate @@ -65,6 +65,8 @@ tags: - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 + - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml index eca18a80..43c9f154 100644 --- a/rules/os/os_ir_support_disable.yaml +++ b/rules/os/os_ir_support_disable.yaml @@ -17,7 +17,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94214-4 + - CCE-95213-5 cci: - N/A 800-53r5: @@ -47,7 +47,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_isolate_security_functions.yaml b/rules/os/os_isolate_security_functions.yaml index 9661be9f..fa2480d6 100644 --- a/rules/os/os_isolate_security_functions.yaml +++ b/rules/os/os_isolate_security_functions.yaml @@ -10,7 +10,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94215-1 + - CCE-95214-3 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: cmmc: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_high - 800-53r4_high diff --git a/rules/os/os_library_validation_enabled.yaml b/rules/os/os_library_validation_enabled.yaml index 8f126f03..04c7b7a7 100644 --- a/rules/os/os_library_validation_enabled.yaml +++ b/rules/os/os_library_validation_enabled.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94216-9 + - CCE-95215-0 cci: - N/A 800-53r5: @@ -32,7 +32,7 @@ references: - 2.3 - 2.6 macOS: - - '15.0' + - '26.0' tags: - cisv8 mobileconfig: true diff --git a/rules/os/os_limit_auditable_events.yaml b/rules/os/os_limit_auditable_events.yaml index 0db9e04f..b7243e42 100644 --- a/rules/os/os_limit_auditable_events.yaml +++ b/rules/os/os_limit_auditable_events.yaml 
@@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94217-7 + - CCE-95216-8 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - '15.0' + - '26.0' tags: - inherent mobileconfig: false diff --git a/rules/os/os_limit_dos_attacks.yaml b/rules/os/os_limit_dos_attacks.yaml index b65e6644..67e8f7fc 100644 --- a/rules/os/os_limit_dos_attacks.yaml +++ b/rules/os/os_limit_dos_attacks.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94218-5 + - CCE-95217-6 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - SRG-OS-000142-GPOS-00071 macOS: - - '15.0' + - '26.0' tags: - permanent - cnssi-1253_high diff --git a/rules/os/os_limit_gui_sessions.yaml b/rules/os/os_limit_gui_sessions.yaml index b0b3fb9f..f519a102 100644 --- a/rules/os/os_limit_gui_sessions.yaml +++ b/rules/os/os_limit_gui_sessions.yaml @@ -10,7 +10,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94219-3 + - CCE-95218-4 cci: - N/A 800-53r5: @@ -22,7 +22,7 @@ references: srg: - SRG-OS-000027-GPOS-00008 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_high - 800-53r4_high diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml index 98cd5513..0e92e427 100644 --- a/rules/os/os_logical_access.yaml +++ b/rules/os/os_logical_access.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94220-1 + - CCE-95219-2 cci: - N/A 800-53r5: @@ -34,7 +34,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_loginwindow_adminhostinfo_disabled.yaml b/rules/os/os_loginwindow_adminhostinfo_disabled.yaml new file mode 100644 index 00000000..c9f5f12b 
--- /dev/null
+++ b/rules/os/os_loginwindow_adminhostinfo_disabled.yaml
@@ -0,0 +1,50 @@
+id: os_loginwindow_adminhostinfo_disabled
+title: Prevent AdminHostInfo from Being Available at Login Window
+discussion: |
+ The system _MUST_ be configured to not display sensitive information at the login window. If the key `AdminHostInfo` is configured with a string value, it will allow the HostName, IP Address, and operating system version and build to be displayed when clicking on the clock area of the login window.
+
+ Configuring this key to be an integer value, since it expects a string value, will effectively disable the behavior.
+
+ NOTE: This configuration requires it to be deployed via Managed Preferences rather than directly to com.apple.loginwindow.
+check: |
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
+ .integerForKey('AdminHostInfo')
+ EOS
+result:
+ integer: -1
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-95600-3
+ cci:
+ - CCI-000060
+ 800-53r5:
+ - AC-11(1)
+ 800-53r4:
+ - AC-11(1)
+ srg:
+ - SRG-OS-000031-GPOS-00012
+ disa_stig:
+ - APPL-26-000009
+ 800-171r3:
+ - 03.01.10
+ macOS:
+ - '26.0'
+tags:
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
+ - cnssi-1253_low
+ - cnssi-1253_high
+ - stig
+ - cnssi-1253_moderate
+severity: medium
+mobileconfig: true
+mobileconfig_info:
+ com.apple.ManagedClient.preferences:
+ com.apple.loginwindow:
+ AdminHostInfo: -1
diff --git a/rules/os/os_loginwindow_adminhostinfo_undefined.yaml b/rules/os/os_loginwindow_adminhostinfo_undefined.yaml
deleted file mode 100644
index 958c9b02..00000000
--- a/rules/os/os_loginwindow_adminhostinfo_undefined.yaml
+++ /dev/null
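Review bot: The check at `.integerForKey('AdminHostInfo')` verifies only the value, not that it is managed, so a `-1` written locally to com.apple.loginwindow would appear to satisfy the rule even though the discussion's NOTE requires delivery via Managed Preferences; the rule this replaces tested `objectIsForcedForKey`, and that guard could be retained with something like `var d = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')` followed by `d.objectIsForcedForKey('AdminHostInfo') && d.integerForKey('AdminHostInfo') == -1` and `result: string: 'true'`. The mitigation itself (`AdminHostInfo: -1`) relies on loginwindow ignoring a value of the wrong type, which is undocumented behavior; the discussion should state that explicitly, and the rule should be re-verified on each release, since a future loginwindow that coerces or rejects the integer could leave the check passing while the information is displayed again. Since integerForKey returns 0 for an absent key, an unmanaged system does correctly fail this check as written.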
@@ -1,43 +0,0 @@
-id: os_loginwindow_adminhostinfo_undefined
-title: Prevent AdminHostInfo from Being Available at LoginWindow
-discussion: |
- The system _MUST_ be configured to not display sensitive information at the LoginWindow. The key AdminHostInfo when configured will allow the HostName, IP Address, and operating system version and build to be displayed.
-check: |
- /usr/bin/osascript -l JavaScript << EOS
- $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
- .objectIsForcedForKey('AdminHostInfo')
- EOS
-result:
- string: "false"
-fix: |
- This is implemented by a Configuration Profile.
-references:
- cce:
- - CCE-94221-9
- cci:
- - CCI-000060
- 800-53r5:
- - AC-11(1)
- 800-53r4:
- - AC-11(1)
- srg:
- - SRG-OS-000031-GPOS-00012
- disa_stig:
- - APPL-15-000009
- 800-171r3:
- - 03.01.10
- macOS:
- - '15.0'
-tags:
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
- - cnssi-1253_low
- - cnssi-1253_high
- - stig
- - cnssi-1253_moderate
-severity: medium
-mobileconfig: false
-mobileconfig_info:
diff --git a/rules/os/os_logoff_capability_and_message.yaml b/rules/os/os_logoff_capability_and_message.yaml
index bfd94aaf..39c535fe 100644
--- a/rules/os/os_logoff_capability_and_message.yaml
+++ b/rules/os/os_logoff_capability_and_message.yaml
@@ -10,7 +10,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-94222-7
+ - CCE-95220-0
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
- SRG-OS-000280-GPOS-00110
- SRG-OS-000281-GPOS-00111
macOS:
- - '15.0'
+ - '26.0'
tags:
- inherent
- cnssi-1253_low
diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml
index 40f9d742..655b0d49 100644
--- a/rules/os/os_mail_app_disable.yaml
+++ b/rules/os/os_mail_app_disable.yaml
@@ -35,7 +35,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94223-5
+ - CCE-95221-8
cci:
- N/A
800-53r5:
@@ -64,7 +64,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_mail_smart_reply_disable.yaml b/rules/os/os_mail_smart_reply_disable.yaml index 4068d956..2f72c31e 100644 --- a/rules/os/os_mail_smart_reply_disable.yaml +++ b/rules/os/os_mail_smart_reply_disable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94567-5 + - CCE-95222-6 cci: - CCI-000381 - CCI-001774 @@ -35,7 +35,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.4' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_mail_summary_disable.yaml b/rules/os/os_mail_summary_disable.yaml index 1ba2fccd..dc158a8c 100644 --- a/rules/os/os_mail_summary_disable.yaml +++ b/rules/os/os_mail_summary_disable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94521-2 + - CCE-95223-4 cci: - N/A 800-53r5: @@ -35,7 +35,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate @@ -45,6 +45,9 @@ tags: - cmmc_lvl1 - cis_lvl1 - cis_lvl2 + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml index ac22d745..0c10275c 100644 --- a/rules/os/os_malicious_code_prevention.yaml +++ b/rules/os/os_malicious_code_prevention.yaml @@ -34,7 +34,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94224-3 + - CCE-95224-2 cci: - N/A 800-53r5: @@ -59,7 +59,7 @@ references: 800-171r3: - 03.14.02 macOS: - - '15.0' + - '26.0' tags: - 800-171 - inherent diff --git a/rules/os/os_managed_access_control_points.yaml b/rules/os/os_managed_access_control_points.yaml index 34a786ea..94db22c4 100644 
--- a/rules/os/os_managed_access_control_points.yaml +++ b/rules/os/os_managed_access_control_points.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - CCE-94225-0 + - CCE-95225-9 cci: - N/A 800-53r5: @@ -26,7 +26,7 @@ references: cmmc: - AC.L2-3.1.14 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_map_pki_identity.yaml b/rules/os/os_map_pki_identity.yaml index cc92c2ea..adabc349 100644 --- a/rules/os/os_map_pki_identity.yaml +++ b/rules/os/os_map_pki_identity.yaml @@ -8,7 +8,7 @@ fix: | For directory bound systems, the technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94226-8 + - CCE-95226-7 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - '15.0' + - '26.0' tags: - inherent mobileconfig: false diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml index 7e48c9e7..be96cbba 100644 --- a/rules/os/os_mdm_require.yaml +++ b/rules/os/os_mdm_require.yaml @@ -25,7 +25,7 @@ fix: | Ensure that system is enrolled via UAMDM. references: cce: - - CCE-94227-6 + - CCE-95227-5 cci: - CCI-000366 800-53r5: @@ -35,7 +35,7 @@ references: - CM-2 - CM-6 disa_stig: - - APPL-15-005110 + - APPL-26-005110 srg: - SRG-OS-000480-GPOS-00227 800-171r3: @@ -43,14 +43,14 @@ references: - 03.04.02 cis: benchmark: - - 1.8 (level 1) + - N/A controls v8: - 4.1 - 5.1 cmmc: - CM.L2-3.4.2 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate @@ -59,8 +59,6 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cis_lvl1 - - cis_lvl2 - cisv8 - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml index 0b0a654a..78c8ae3e 100644 --- a/rules/os/os_messages_app_disable.yaml +++ b/rules/os/os_messages_app_disable.yaml 
@@ -30,7 +30,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94228-4 + - CCE-95228-3 cci: - N/A 800-53r5: @@ -59,7 +59,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_mfa_network_access.yaml b/rules/os/os_mfa_network_access.yaml index 4da33456..17f086a7 100644 --- a/rules/os/os_mfa_network_access.yaml +++ b/rules/os/os_mfa_network_access.yaml @@ -9,7 +9,7 @@ fix: | For directory bound systems, the technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94229-2 + - CCE-95229-1 cci: - N/A 800-53r5: @@ -26,7 +26,7 @@ references: controls v8: - 5.6 macOS: - - '15.0' + - '26.0' tags: - inherent - cisv8 diff --git a/rules/os/os_mfa_network_non-priv.yaml b/rules/os/os_mfa_network_non-priv.yaml index ede16ce3..4e11d9f5 100644 --- a/rules/os/os_mfa_network_non-priv.yaml +++ b/rules/os/os_mfa_network_non-priv.yaml @@ -9,7 +9,7 @@ fix: | For directory bound systems, the technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94230-0 + - CCE-95230-9 cci: - N/A 800-53r5: @@ -21,7 +21,7 @@ references: srg: - N/A macOS: - - '15.0' + - '26.0' tags: - inherent mobileconfig: false diff --git a/rules/os/os_mobile_file_integrity_enable.yaml b/rules/os/os_mobile_file_integrity_enable.yaml index 4f795778..b1c7dd40 100644 --- a/rules/os/os_mobile_file_integrity_enable.yaml +++ b/rules/os/os_mobile_file_integrity_enable.yaml @@ -12,7 +12,7 @@ fix: | ---- references: cce: - - CCE-94231-8 + - CCE-95231-7 cci: - N/A 800-53r5: @@ -32,7 +32,7 @@ references: - 2.3 - 2.6 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_network_storage_restriction.yaml b/rules/os/os_network_storage_restriction.yaml index 864b5465..ec8d3103 100644 --- a/rules/os/os_network_storage_restriction.yaml +++ b/rules/os/os_network_storage_restriction.yaml 
@@ -5,14 +5,14 @@ discussion: |- NOTE: Apple's built in method using declative device management method only allows you to set network storage manament to Allowed, ReadOnly, and Disallowed. check: | - /usr/bin/plutil -convert json /var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist -o - | /usr/bin/jq '.Restrictions | .ExternalStorage' + /usr/bin/plutil -convert json /var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist -o - | /usr/bin/jq --raw-output '.Restrictions.NetworkStorage' result: string: $ODV fix: | - This is implemented by a Declarative Device Management. + This is implemented by Declarative Device Management (DDM). references: cce: - - CCE-94232-6 + - CCE-95232-5 cci: - N/A 800-53r5: @@ -26,7 +26,7 @@ references: cmmc: - N/A macOS: - - '15.0' + - '26.0' tags: - none odv: diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml index 5a90e16d..78418354 100644 --- a/rules/os/os_newsyslog_files_owner_group_configure.yaml +++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-94233-4 + - CCE-95233-3 cci: - CCI-001312 - CCI-001314 @@ -27,11 +27,11 @@ references: - SRG-OS-000206-GPOS-00084 - SRG-OS-000205-GPOS-00083 disa_stig: - - APPL-15-004030 + - APPL-26-004030 800-171r3: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml index 363e407e..80e0e128 100644 --- a/rules/os/os_newsyslog_files_permissions_configure.yaml +++ b/rules/os/os_newsyslog_files_permissions_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-94234-2 + - CCE-95234-1 cci: - CCI-001312 - CCI-001314 
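Review bot: The new jq path `.Restrictions.NetworkStorage` corrects a check that previously read `.ExternalStorage` for a network-storage rule, but the pipeline still has no handling for a missing or unreadable DDM status file: plutil's error goes to stderr, jq then emits nothing, and the empty result is presumably compared against `$ODV` and fails — the right outcome, but worth stating in the discussion so an operator does not mistake it for a tooling error. With `--raw-output` the expected `$ODV` value must now be the bare string (e.g. Disallowed) rather than a JSON-quoted one; the odv block that defines it lies outside the hunk and should be checked for that. The discussion context lines also carry two typos ("declative", "manament") that could be fixed in the same pass; the discussion block itself starts outside the hunk.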
@@ -25,11 +25,11 @@ references: - SRG-OS-000206-GPOS-00084 - SRG-OS-000205-GPOS-00083 disa_stig: - - APPL-15-004040 + - APPL-26-004040 800-171r3: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml index 4359808a..36cfd92c 100644 --- a/rules/os/os_nfsd_disable.yaml +++ b/rules/os/os_nfsd_disable.yaml @@ -20,7 +20,7 @@ fix: | The system may need to be restarted for the update to take effect. references: cce: - - CCE-94235-9 + - CCE-95235-8 cci: - CCI-000213 800-53r5: @@ -31,7 +31,7 @@ references: srg: - SRG-OS-000080-GPOS-00048 disa_stig: - - APPL-15-002003 + - APPL-26-002003 800-171r3: - 03.01.02 - 03.04.06 @@ -44,7 +44,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_non_repudiation.yaml b/rules/os/os_non_repudiation.yaml index f6aed3fe..0c35261a 100644 --- a/rules/os/os_non_repudiation.yaml +++ b/rules/os/os_non_repudiation.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - CCE-94236-7 + - CCE-95236-6 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_high - n_a diff --git a/rules/os/os_nonlocal_maintenance.yaml b/rules/os/os_nonlocal_maintenance.yaml index 1db52205..aa027425 100644 --- a/rules/os/os_nonlocal_maintenance.yaml +++ b/rules/os/os_nonlocal_maintenance.yaml @@ -8,7 +8,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - CCE-94237-5 + - CCE-95237-4 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: cmmc: - MA.L2-3.7.5 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_notes_transcription_disable.yaml b/rules/os/os_notes_transcription_disable.yaml index 3fc6df9e..317a5d0f 100644 --- a/rules/os/os_notes_transcription_disable.yaml +++ b/rules/os/os_notes_transcription_disable.yaml 
@@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94568-3 + - CCE-95238-2 cci: - CCI-000381 - CCI-001774 @@ -40,7 +40,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.4' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_notes_transcription_summary_disable.yaml b/rules/os/os_notes_transcription_summary_disable.yaml index 69dcc3ba..b420d8a4 100644 --- a/rules/os/os_notes_transcription_summary_disable.yaml +++ b/rules/os/os_notes_transcription_summary_disable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94569-1 + - CCE-95239-0 cci: - CCI-000381 - CCI-001774 @@ -40,7 +40,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.3' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_notify_account_created.yaml b/rules/os/os_notify_account_created.yaml index 6ce57903..47c340ba 100644 --- a/rules/os/os_notify_account_created.yaml +++ b/rules/os/os_notify_account_created.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94238-3 + - CCE-95240-8 cci: - N/A 800-53r5: @@ -33,7 +33,7 @@ references: - SRG-OS-000277-GPOS-00107 - SRG-OS-000303-GPOS-00120 macOS: - - '15.0' + - '26.0' tags: - 800-53r4_moderate - 800-53r4_high diff --git a/rules/os/os_notify_account_disabled.yaml b/rules/os/os_notify_account_disabled.yaml index 9423d13e..bb425056 100644 --- a/rules/os/os_notify_account_disabled.yaml +++ b/rules/os/os_notify_account_disabled.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94239-1 + - CCE-95241-6 cci: - N/A 800-53r5: 
@@ -31,7 +31,7 @@ references: - SRG-OS-000276-GPOS-00106 - SRG-OS-000277-GPOS-00107 macOS: - - '15.0' + - '26.0' tags: - 800-53r4_moderate - 800-53r4_high diff --git a/rules/os/os_notify_account_enable.yaml b/rules/os/os_notify_account_enable.yaml index c2857275..094a8bf0 100644 --- a/rules/os/os_notify_account_enable.yaml +++ b/rules/os/os_notify_account_enable.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94240-9 + - CCE-95242-4 cci: - N/A 800-53r5: @@ -33,7 +33,7 @@ references: - SRG-OS-000277-GPOS-00107 - SRG-OS-000303-GPOS-00120 macOS: - - '15.0' + - '26.0' tags: - 800-53r4_moderate - 800-53r4_high diff --git a/rules/os/os_notify_account_modified.yaml b/rules/os/os_notify_account_modified.yaml index d7e2121c..57b79018 100644 --- a/rules/os/os_notify_account_modified.yaml +++ b/rules/os/os_notify_account_modified.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94241-7 + - CCE-95243-2 cci: - N/A 800-53r5: @@ -31,7 +31,7 @@ references: - SRG-OS-000276-GPOS-00106 - SRG-OS-000277-GPOS-00107 macOS: - - '15.0' + - '26.0' tags: - 800-53r4_moderate - 800-53r4_high diff --git a/rules/os/os_notify_account_removal.yaml b/rules/os/os_notify_account_removal.yaml index 7eef2136..2181140a 100644 --- a/rules/os/os_notify_account_removal.yaml +++ b/rules/os/os_notify_account_removal.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94242-5 + - CCE-95244-0 cci: - N/A 800-53r5: 
@@ -31,7 +31,7 @@ references: - SRG-OS-000276-GPOS-00106 - SRG-OS-000277-GPOS-00107 macOS: - - '15.0' + - '26.0' tags: - 800-53r4_moderate - 800-53r4_high diff --git a/rules/os/os_notify_unauthorized_baseline_change.yaml b/rules/os/os_notify_unauthorized_baseline_change.yaml index e577251f..7f4a821d 100644 --- a/rules/os/os_notify_unauthorized_baseline_change.yaml +++ b/rules/os/os_notify_unauthorized_baseline_change.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94243-3 + - CCE-95245-7 cci: - N/A 800-53r5: @@ -26,7 +26,7 @@ references: cmmc: - N/A macOS: - - '15.0' + - '26.0' tags: - permanent - cnssi-1253_high diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml index 80fb6a0e..b0ad477e 100644 --- a/rules/os/os_obscure_password.yaml +++ b/rules/os/os_obscure_password.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94244-1 + - CCE-95246-5 cci: - N/A 800-53r5: @@ -37,7 +37,7 @@ references: - IA.L2-3.5.9 - IA.L2-3.5.11 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_on_device_dictation_enforce.yaml b/rules/os/os_on_device_dictation_enforce.yaml index 3820e0ad..717c2d90 100644 --- a/rules/os/os_on_device_dictation_enforce.yaml +++ b/rules/os/os_on_device_dictation_enforce.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94245-8 + - CCE-95247-3 cci: - CCI-000381 800-53r5: @@ -30,7 +30,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002220 + - APPL-26-002220 800-171r3: - 03.01.20 - 03.04.06 @@ -45,7 +45,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - arm64 - 800-53r5_low 
diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml index 3f077476..031021d2 100644 --- a/rules/os/os_parental_controls_enable.yaml +++ b/rules/os/os_parental_controls_enable.yaml @@ -17,7 +17,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94246-6 + - CCE-95248-1 cci: - N/A 800-53r5: @@ -36,7 +36,7 @@ references: controls v8: - 4.8 macOS: - - '15.0' + - '26.0' tags: - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml index 80a90f47..beeee980 100644 --- a/rules/os/os_password_autofill_disable.yaml +++ b/rules/os/os_password_autofill_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94247-4 + - CCE-95249-9 cci: - N/A 800-53r5: @@ -36,7 +36,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - '15.0' + - '26.0' tags: - none - cnssi-1253_moderate diff --git a/rules/os/os_password_hint_remove.yaml b/rules/os/os_password_hint_remove.yaml index b6822791..af1fe112 100644 --- a/rules/os/os_password_hint_remove.yaml +++ b/rules/os/os_password_hint_remove.yaml @@ -21,7 +21,7 @@ fix: | ---- references: cce: - - CCE-94248-2 + - CCE-95250-7 cci: - CCI-000206 800-53r5: @@ -40,9 +40,9 @@ references: srg: - SRG-OS-000079-GPOS-00047 disa_stig: - - APPL-15-003014 + - APPL-26-003014 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml index e4e6cd53..e566ece1 100644 --- a/rules/os/os_password_proximity_disable.yaml +++ b/rules/os/os_password_proximity_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94249-0 + - CCE-95251-5 cci: - CCI-000381 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-005060 + - APPL-26-005060 800-171r3: - 03.05.12 cis: 
@@ -38,7 +38,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml index e5de68a7..4df5f7eb 100644 --- a/rules/os/os_password_sharing_disable.yaml +++ b/rules/os/os_password_sharing_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94250-8 + - CCE-95252-3 800-53r5: - IA-5 800-53r4: @@ -38,7 +38,7 @@ references: cci: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_peripherals_identify.yaml b/rules/os/os_peripherals_identify.yaml index 4da79c3c..0f6fc3ad 100644 --- a/rules/os/os_peripherals_identify.yaml +++ b/rules/os/os_peripherals_identify.yaml @@ -10,7 +10,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94251-6 + - CCE-95253-1 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: 800-171r3: - N/A macOS: - - '15.0' + - '26.0' tags: - inherent mobileconfig: false diff --git a/rules/os/os_photos_enhanced_search_disable.yaml b/rules/os/os_photos_enhanced_search_disable.yaml index 7de33ea8..cf92f80f 100644 --- a/rules/os/os_photos_enhanced_search_disable.yaml +++ b/rules/os/os_photos_enhanced_search_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94522-0 + - CCE-95254-9 cci: - N/A 800-53r5: @@ -32,7 +32,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate @@ -40,6 +40,9 @@ tags: - 800-171 - cmmc_lvl2 - cmmc_lvl1 + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high mobileconfig: true mobileconfig_info: com.apple.photos.shareddefaults: diff --git a/rules/os/os_pii_deidentification.yaml b/rules/os/os_pii_deidentification.yaml index a78b1317..30e94075 100644 --- a/rules/os/os_pii_deidentification.yaml 
+++ b/rules/os/os_pii_deidentification.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - CCE-94252-4 + - CCE-95255-6 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_privacy - n_a diff --git a/rules/os/os_pii_quality_control.yaml b/rules/os/os_pii_quality_control.yaml index f92ec9d1..ae5e002a 100644 --- a/rules/os/os_pii_quality_control.yaml +++ b/rules/os/os_pii_quality_control.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - CCE-94253-2 + - CCE-95256-4 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_privacy - n_a diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml index 13c183fa..3d20844b 100644 --- a/rules/os/os_policy_banner_loginwindow_enforce.yaml +++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml @@ -28,7 +28,7 @@ fix: | ---- references: cce: - - CCE-94254-0 + - CCE-95257-2 cci: - CCI-000048 - CCI-000050 @@ -46,7 +46,7 @@ references: - SRG-OS-000228-GPOS-00088 - SRG-OS-000023-GPOS-00006 disa_stig: - - APPL-15-000025 + - APPL-26-000025 800-171r3: - 03.01.09 cis: 
@@ -57,7 +57,7 @@ references: cmmc: - AC.L2-3.1.9 macOS: - - '15.0' + - '26.0' odv: hint: Organization's Policy Text recommended: 'You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you may access this information system for authorized use only; unauthorized use of the system is prohibited and subject to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system at any time and for any lawful Government purpose, the Government may monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; and any communications or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and using this system indicates your understanding of this warning.' diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml index a94047c6..6202a81d 100644 --- a/rules/os/os_policy_banner_ssh_configure.yaml +++ b/rules/os/os_policy_banner_ssh_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-94255-7 + - CCE-95258-0 cci: - CCI-000048 - CCI-000050 @@ -31,13 +31,13 @@ references: - SRG-OS-000024-GPOS-00007 - SRG-OS-000023-GPOS-00006 disa_stig: - - APPL-15-000023 + - APPL-26-000023 800-171r3: - 03.01.09 cmmc: - AC.L2-3.1.9 macOS: - - '15.0' + - '26.0' odv: hint: Organization's Policy Text recommended: |- 
diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml index abf104e1..6b8446db 100644 --- a/rules/os/os_policy_banner_ssh_enforce.yaml +++ b/rules/os/os_policy_banner_ssh_enforce.yaml @@ -35,7 +35,7 @@ fix: | ---- references: cce: - - CCE-94256-5 + - CCE-95259-8 cci: - CCI-000048 - CCI-000050 @@ -47,13 +47,13 @@ references: - SRG-OS-000024-GPOS-00007 - SRG-OS-000023-GPOS-00006 disa_stig: - - APPL-15-000024 + - APPL-26-000024 800-171r3: - 03.01.09 cmmc: - AC.L2-3.1.9 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_power_nap_disable.yaml b/rules/os/os_power_nap_disable.yaml index aa323ab1..56fce26b 100644 --- a/rules/os/os_power_nap_disable.yaml +++ b/rules/os/os_power_nap_disable.yaml @@ -24,7 +24,7 @@ fix: | ---- references: cce: - - CCE-94257-3 + - CCE-95260-6 cci: - N/A 800-53r5: @@ -49,7 +49,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_power_nap_enable.yaml b/rules/os/os_power_nap_enable.yaml index 972d9076..f9b7cb30 100644 --- a/rules/os/os_power_nap_enable.yaml +++ b/rules/os/os_power_nap_enable.yaml @@ -24,7 +24,7 @@ fix: | ---- references: cce: - - CCE-94258-1 + - CCE-95261-4 cci: - N/A 800-53r5: @@ -43,7 +43,7 @@ references: controls v8: - N/A macOS: - - '15.0' + - '26.0' tags: - none mobileconfig: false diff --git a/rules/os/os_predictable_behavior.yaml b/rules/os/os_predictable_behavior.yaml index 284c0830..09496d81 100644 --- a/rules/os/os_predictable_behavior.yaml +++ b/rules/os/os_predictable_behavior.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94259-9 + - CCE-95262-2 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - SRG-OS-000432-GPOS-00191 macOS: - - '15.0' + - '26.0' tags: - inherent - cnssi-1253_low 
diff --git a/rules/os/os_prevent_priv_execution.yaml b/rules/os/os_prevent_priv_execution.yaml index 7014eed8..07ae4ebe 100644 --- a/rules/os/os_prevent_priv_execution.yaml +++ b/rules/os/os_prevent_priv_execution.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94260-7 + - CCE-95263-0 cci: - N/A 800-53r5: @@ -26,7 +26,7 @@ references: 800-171r3: - 03.01.07 macOS: - - '15.0' + - '26.0' tags: - inherent - cnssi-1253_low diff --git a/rules/os/os_prevent_priv_functions.yaml b/rules/os/os_prevent_priv_functions.yaml index 5e370201..6c5d5667 100644 --- a/rules/os/os_prevent_priv_functions.yaml +++ b/rules/os/os_prevent_priv_functions.yaml @@ -14,7 +14,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94261-5 + - CCE-95264-8 cci: - N/A 800-53r5: @@ -30,7 +30,7 @@ references: cmmc: - AC.L2-3.1.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_prevent_unauthorized_disclosure.yaml b/rules/os/os_prevent_unauthorized_disclosure.yaml index 3365dfde..3251209b 100644 --- a/rules/os/os_prevent_unauthorized_disclosure.yaml +++ b/rules/os/os_prevent_unauthorized_disclosure.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94262-3 + - CCE-95265-5 cci: - N/A 800-53r5: @@ -28,7 +28,7 @@ references: cmmc: - SC.L2-3.13.4 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_privacy_principle_minimization.yaml b/rules/os/os_privacy_principle_minimization.yaml index 26f36c1c..fc5cefc5 100644 --- a/rules/os/os_privacy_principle_minimization.yaml +++ b/rules/os/os_privacy_principle_minimization.yaml @@ -10,7 +10,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - CCE-94263-1 + - CCE-95266-3 cci: - N/A 800-53r5: 
@@ -24,7 +24,7 @@ references: srg: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_privacy - n_a diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml index f88a0dd1..69635e18 100644 --- a/rules/os/os_privacy_setup_prompt_disable.yaml +++ b/rules/os/os_privacy_setup_prompt_disable.yaml @@ -5,9 +5,9 @@ discussion: | Organizations _MUST_ apply organization-wide configuration settings. The macOS Privacy Setup services prompt guides new users through enabling their own specific privacy settings; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing privacy settings with the potential to override organization-wide settings. check: | - /usr/bin/osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript 2>/dev/null << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ - .objectForKey('SkipPrivacySetup').js + .objectForKey('SkipSetupItems').containsObject("Privacy") EOS result: string: 'true' @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94264-9 + - CCE-95267-1 cci: - CCI-000381 800-53r5: @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002036 + - APPL-26-002036 cis: benchmark: - N/A @@ -40,7 +40,7 @@ references: 800-171r3: - 03.04.06 macOS: - - '15.0' + - '26.0' tags: - 800-171 - cisv8 @@ -53,4 +53,5 @@ severity: medium mobileconfig: true mobileconfig_info: com.apple.SetupAssistant.managed: - SkipPrivacySetup: true + SkipSetupItems: + - Privacy diff --git a/rules/os/os_prohibit_remote_activation_collab_devices.yaml b/rules/os/os_prohibit_remote_activation_collab_devices.yaml index aa0f2213..d99d27a3 100644 --- a/rules/os/os_prohibit_remote_activation_collab_devices.yaml +++ b/rules/os/os_prohibit_remote_activation_collab_devices.yaml 
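Review bot: The replacement payload writes `SkipSetupItems` as a single-element list, and the Siri, Screen Time, Apple Intelligence and Unlock-with-Watch rules in this same change write the same key under the same `com.apple.SetupAssistant.managed` domain with a different single element each; if the profile generator merges duplicate payload keys by overwrite rather than by concatenating list values, only the last rule's item survives in the generated profile. I cannot see the generator from this diff, so it is a test to run: build a baseline containing all five rules and confirm the emitted payload carries every item. The per-rule check (`.containsObject("Privacy")`) would at least surface such clobbering at audit time. A maintainer note in the rule would prevent a regression: `# SkipSetupItems is a list shared with the other Setup Assistant prompt rules; the generator must merge, not replace, its values.`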
@@ -18,7 +18,7 @@ fix: | The technology partially meets this requirement. An appropriate mitigation for the system must be implemented for full compliance. references: cce: - - CCE-94265-6 + - CCE-95268-9 800-53r5: - SC-15 800-53r4: @@ -34,7 +34,7 @@ references: 800-171r3: - 03.13.12 macOS: - - '15.0' + - '26.0' tags: - 800-171 - inherent diff --git a/rules/os/os_protect_dos_attacks.yaml b/rules/os/os_protect_dos_attacks.yaml index 2d7f93a8..c7a4d3d2 100644 --- a/rules/os/os_protect_dos_attacks.yaml +++ b/rules/os/os_protect_dos_attacks.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94266-4 + - CCE-95269-7 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - SRG-OS-000420-GPOS-00186 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_provide_automated_account_management.yaml b/rules/os/os_provide_automated_account_management.yaml index ef13da6d..5cc39d7b 100644 --- a/rules/os/os_provide_automated_account_management.yaml +++ b/rules/os/os_provide_automated_account_management.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94267-2 + - CCE-95270-5 cci: - N/A 800-53r5: @@ -24,7 +24,7 @@ references: srg: - SRG-OS-000001-GPOS-00001 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_provide_disconnect_remote_access.yaml b/rules/os/os_provide_disconnect_remote_access.yaml index 57bcd8be..3315e2ad 100644 --- a/rules/os/os_provide_disconnect_remote_access.yaml +++ b/rules/os/os_provide_disconnect_remote_access.yaml 
@@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94268-0 + - CCE-95271-3 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - SRG-OS-000298-GPOS-00116 macOS: - - '15.0' + - '26.0' tags: - inherent - cnssi-1253_low diff --git a/rules/os/os_rapid_security_response_allow.yaml b/rules/os/os_rapid_security_response_allow.yaml index 1fc63226..cc35c969 100644 --- a/rules/os/os_rapid_security_response_allow.yaml +++ b/rules/os/os_rapid_security_response_allow.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94269-8 + - CCE-95272-1 cci: - N/A 800-53r5: @@ -37,7 +37,7 @@ references: - SI.L1-3.14.2 - SI.L1-3.14.4 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_rapid_security_response_removal_disable.yaml b/rules/os/os_rapid_security_response_removal_disable.yaml index a9881bfd..119d4fb1 100644 --- a/rules/os/os_rapid_security_response_removal_disable.yaml +++ b/rules/os/os_rapid_security_response_removal_disable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94270-6 + - CCE-95273-9 cci: - N/A 800-53r5: @@ -37,7 +37,7 @@ references: - SI.L1-3.14.2 - SI.L1-3.14.4 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_reauth_devices_change_authenticators.yaml b/rules/os/os_reauth_devices_change_authenticators.yaml index 9caa0a67..093b0a31 100644 --- a/rules/os/os_reauth_devices_change_authenticators.yaml +++ b/rules/os/os_reauth_devices_change_authenticators.yaml @@ -10,7 +10,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94271-4 + - CCE-95274-7 cci: - N/A 800-53r5: 
@@ -24,7 +24,7 @@ references: 800-171r3: - 03.05.01 macOS: - - '15.0' + - '26.0' tags: - 800-171 - 800-53r5_low diff --git a/rules/os/os_reauth_privilege.yaml b/rules/os/os_reauth_privilege.yaml index a9057d76..c3cfab2f 100644 --- a/rules/os/os_reauth_privilege.yaml +++ b/rules/os/os_reauth_privilege.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94272-2 + - CCE-95275-4 cci: - N/A 800-53r5: @@ -23,7 +23,7 @@ references: 800-171r3: - 03.05.01 macOS: - - '15.0' + - '26.0' tags: - 800-171 - inherent diff --git a/rules/os/os_reauth_users_change_authenticators.yaml b/rules/os/os_reauth_users_change_authenticators.yaml index d8efa816..3389beb5 100644 --- a/rules/os/os_reauth_users_change_authenticators.yaml +++ b/rules/os/os_reauth_users_change_authenticators.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94273-0 + - CCE-95276-2 cci: - N/A 800-53r5: @@ -22,7 +22,7 @@ references: 800-171r3: - 03.05.01 macOS: - - '15.0' + - '26.0' tags: - 800-171 - inherent diff --git a/rules/os/os_recovery_lock_enable.yaml b/rules/os/os_recovery_lock_enable.yaml index e6de0719..674e75fa 100644 --- a/rules/os/os_recovery_lock_enable.yaml +++ b/rules/os/os_recovery_lock_enable.yaml @@ -7,14 +7,14 @@ discussion: | IMPORTANT: Recovery lock passwords are not supported on Intel devices. This rule is only applicable to Apple Silicon devices. check: | - /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "IsRecoveryLockEnabled = 1" + /usr/libexec/mdmclient QuerySecurityInfo 2>/dev/null | /usr/bin/grep -c "IsRecoveryLockEnabled = 1" result: integer: 1 fix: | NOTE: The SetRecoveryLock command can be used to set a Recovery Lock password and must be from your MDM. references: cce: - - CCE-94274-8 + - CCE-95277-0 cci: - CCI-000366 800-53r5: 
@@ -24,14 +24,14 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - APPL-15-005120 + - APPL-26-005120 800-171r3: - 03.01.05 cmmc: - AC.L1-3.1.1 - AC.L2-3.1.5 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_remote_access_methods.yaml b/rules/os/os_remote_access_methods.yaml index 719dc895..0bf51be7 100644 --- a/rules/os/os_remote_access_methods.yaml +++ b/rules/os/os_remote_access_methods.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94275-5 + - CCE-95278-8 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - '15.0' + - '26.0' tags: - inherent mobileconfig: false diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml index 4b4d53d3..2e8d6cbd 100644 --- a/rules/os/os_removable_media_disable.yaml +++ b/rules/os/os_removable_media_disable.yaml @@ -25,7 +25,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94276-3 + - CCE-95279-6 cci: - N/A 800-53r5: @@ -42,7 +42,7 @@ references: - MP.L2-3.8.7 - MP.L2-3.8.8 macOS: - - '15.0' + - '26.0' tags: - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_remove_software_components_after_updates.yaml b/rules/os/os_remove_software_components_after_updates.yaml index b9a231c5..a18dd46a 100644 --- a/rules/os/os_remove_software_components_after_updates.yaml +++ b/rules/os/os_remove_software_components_after_updates.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94277-1 + - CCE-95280-4 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - SRG-OS-000437-GPOS-00194 macOS: - - '15.0' + - '26.0' tags: - inherent - cnssi-1253_low diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml index 38e579b4..9e021115 100644 --- a/rules/os/os_required_crypto_module.yaml 
+++ b/rules/os/os_required_crypto_module.yaml @@ -5,18 +5,18 @@ discussion: | macOS contains many open source projects that may use their own cryptographic libraries typically for the purposes of maintaining platform independence. These services are not covered by the Apple FIPS Validation of the CoreCrypto and CoreCrypto Kernel modules. - Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Sequoia will be submitted for FIPS validation. + Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Tahoe for Apple Silicion will be submitted for FIPS validation. macOS Tahoe for Intel based processors will _NOT_ be submitted for FIPS validation. link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[] - link:https://support.apple.com/en-us/HT201159[] + link:https://support.apple.com/guide/sccc/welcome/web[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94278-9 + - CCE-95281-2 cci: - N/A 800-53r5: @@ -29,7 +29,7 @@ references: - SRG-OS-000033-GPOS-00014 - SRG-OS-000120-GPOS-00061 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml index 6667e1a7..f178e431 100644 --- a/rules/os/os_root_disable.yaml +++ b/rules/os/os_root_disable.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-94279-7 + - CCE-95282-0 cci: - CCI-000764 - CCI-000770 @@ -42,9 +42,9 @@ references: - SRG-OS-000109-GPOS-00056 - SRG-OS-000104-GPOS-00051 disa_stig: - - APPL-15-000100 + - APPL-26-000100 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate 
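Review bot: The changed discussion states that macOS Tahoe on Intel will not be submitted for FIPS validation, yet the check and fix still declare that the technology inherently meets the requirement for every system, so an Intel Mac in an 800-53 moderate/high baseline is reported compliant while running modules that will never be validated. The rule should spell out the consequence, e.g. add to the discussion `NOTE: On Intel-based Macs running macOS Tahoe this requirement is a finding; an organizational risk acceptance or migration to Apple Silicon is required.` and, if the project's check semantics allow a conditional result, make the check architecture-aware rather than unconditional. The same line also has a typo: "Silicion" should read "Silicon".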
diff --git a/rules/os/os_safari_advertising_privacy_protection_enable.yaml b/rules/os/os_safari_advertising_privacy_protection_enable.yaml index 7c1012d3..71ba3dc6 100644 --- a/rules/os/os_safari_advertising_privacy_protection_enable.yaml +++ b/rules/os/os_safari_advertising_privacy_protection_enable.yaml @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94280-5 + - CCE-95283-8 cci: - N/A 800-53r5: @@ -27,7 +27,7 @@ references: controls v8: - 9.1 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_safari_clear_history_disable.yaml b/rules/os/os_safari_clear_history_disable.yaml new file mode 100644 index 00000000..9fcd1513 --- /dev/null +++ b/rules/os/os_safari_clear_history_disable.yaml @@ -0,0 +1,39 @@ +id: os_safari_clear_history_disable +title: Ensure Clearning of Browsing History in Safari Is Disabled +discussion: | + Clearing of browser history _MUST_ be disabled in Safari. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowSafariHistoryClearing').js + EOS +result: + string: 'false' +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-95601-1 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A + cis: + benchmark: + - N/A + controls v8: + - N/A +macOS: + - '26.0' +tags: + - none +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowSafariHistoryClearing: false \ No newline at end of file diff --git a/rules/os/os_safari_open_safe_downloads_disable.yaml b/rules/os/os_safari_open_safe_downloads_disable.yaml index bf9391c5..2429a5bb 100644 --- a/rules/os/os_safari_open_safe_downloads_disable.yaml +++ b/rules/os/os_safari_open_safe_downloads_disable.yaml @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94281-3 + - CCE-95284-6 cci: - N/A 800-53r5: 
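Review bot: The new rule's title has a typo, `title: Ensure Clearing of Browsing History in Safari Is Disabled`, and its discussion merely restates the title, giving a reader no rationale for a setting that restricts a user privacy action; something like `Preventing users from clearing Safari history preserves browsing records for incident investigation and acceptable-use review.` states why the control exists. The check also omits the `2>/dev/null` that the other JXA checks in this change gained, so an unmanaged key may print a JXA error alongside the result; add it for consistency. The file is also missing its trailing newline.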
@@ -28,7 +28,7 @@ references: - 9.1 - 9.6 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml b/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml index 64944e8a..1e522b6b 100644 --- a/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml +++ b/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94282-1 + - CCE-95285-3 cci: - N/A 800-53r5: @@ -28,7 +28,7 @@ references: - 9.1 - 9.3 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_safari_private_browsing_disable.yaml b/rules/os/os_safari_private_browsing_disable.yaml new file mode 100644 index 00000000..67fb92e0 --- /dev/null +++ b/rules/os/os_safari_private_browsing_disable.yaml @@ -0,0 +1,39 @@ +id: os_safari_private_browsing_disable +title: Ensure Private Browsing in Safari Is Disabled +discussion: | + Private browsing _MUST_ be disabled in Safari. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowSafariPrivateBrowsing').js + EOS +result: + string: 'false' +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-95599-7 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A + cis: + benchmark: + - N/A + controls v8: + - N/A +macOS: + - '26.0' +tags: + - none +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowSafariPrivateBrowsing: false diff --git a/rules/os/os_safari_reader_summary_disable.yaml b/rules/os/os_safari_reader_summary_disable.yaml index 7a1734c8..ecc6e5d5 100644 --- a/rules/os/os_safari_reader_summary_disable.yaml +++ b/rules/os/os_safari_reader_summary_disable.yaml 
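Review bot: The discussion of the new private-browsing rule is a restatement of its title with no rationale, and because `tags: none` keeps it out of every baseline, an organization assembling a custom baseline has nothing to judge whether it belongs there; suggest `Private Browsing suppresses the history and cache records that support incident investigation and acceptable-use review, so it _MUST_ be disabled where such records are required.` The check lacks the `2>/dev/null` added to the Setup Assistant checks elsewhere in this commit; align it so an unmanaged key does not emit JXA noise into the audit output.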
@@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94570-9 + - CCE-95286-1 cci: - CCI-000381 - CCI-001774 @@ -35,7 +35,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.4' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_safari_show_full_website_address_enable.yaml b/rules/os/os_safari_show_full_website_address_enable.yaml index 7a97e7b2..0ef8bd70 100644 --- a/rules/os/os_safari_show_full_website_address_enable.yaml +++ b/rules/os/os_safari_show_full_website_address_enable.yaml @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94283-9 + - CCE-95287-9 cci: - N/A 800-53r5: @@ -27,7 +27,7 @@ references: controls v8: - 9.1 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_safari_show_status_bar_enabled.yaml b/rules/os/os_safari_show_status_bar_enabled.yaml index 693f79e6..74cfeaf1 100644 --- a/rules/os/os_safari_show_status_bar_enabled.yaml +++ b/rules/os/os_safari_show_status_bar_enabled.yaml @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94284-7 + - CCE-95288-7 cci: - N/A 800-53r5: @@ -27,7 +27,7 @@ references: controls v8: - 9.1 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_safari_warn_fraudulent_website_enable.yaml b/rules/os/os_safari_warn_fraudulent_website_enable.yaml index b3b14d85..9e42e859 100644 --- a/rules/os/os_safari_warn_fraudulent_website_enable.yaml +++ b/rules/os/os_safari_warn_fraudulent_website_enable.yaml @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94285-4 + - CCE-95289-5 cci: - N/A 800-53r5: @@ -28,7 +28,7 @@ references: - 9.1 - 9.3 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml index 4fb36deb..b78fab25 100644 
--- a/rules/os/os_screensaver_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_loginwindow_enforce.yaml @@ -8,12 +8,12 @@ check: | .objectForKey('moduleName').js EOS result: - string: Sequoia + string: Tahoe fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94286-2 + - CCE-95290-3 cci: - CCI-000060 800-53r5: @@ -29,7 +29,7 @@ references: cmmc: - AC.L2-3.1.10 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high @@ -44,4 +44,4 @@ severity: medium mobileconfig: true mobileconfig_info: com.apple.screensaver: - moduleName: Sequoia + moduleName: Tahoe diff --git a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml index 675dfd65..0ce8fe5e 100644 --- a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml @@ -22,7 +22,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94287-0 + - CCE-95291-1 cci: - CCI-000057 800-53r5: @@ -38,10 +38,8 @@ references: - N/A controls v8: - 4.3 - cmmc: - - AC.L2-3.1.10 macOS: - - '15.0' + - '26.0' odv: hint: Number of seconds. recommended: 1200 diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml index d041dad2..f382dab9 100644 --- a/rules/os/os_secure_boot_verify.yaml +++ b/rules/os/os_secure_boot_verify.yaml @@ -7,14 +7,14 @@ discussion: | NOTE: This will only return a proper result on a T2 or Apple Silicon Macs. check: | - /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full" + /usr/libexec/mdmclient QuerySecurityInfo 2>/dev/null | /usr/bin/grep -c "SecureBootLevel = full" result: integer: 1 fix: | NOTE: Boot into Recovery Mode and enable Full Secure Boot references: cce: - - CCE-94288-8 + - CCE-95292-9 cci: - CCI-002696 - CCI-002699 
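Review bot: Dropping the `cmmc: AC.L2-3.1.10` mapping from os_screensaver_timeout_loginwindow_enforce leaves the rule with no CMMC reference, but the `tags:` list that decides baseline membership is outside this hunk; if it still carries a `cmmc_lvl2` tag, the rule will be emitted into the CMMC baseline with no control to cite. Either remove the tag in the same commit or keep the mapping, and record in the commit message why it was dropped, since 3.1.10 (session lock) is the obvious control for a login-window idle timeout and the sibling os_screensaver_loginwindow_enforce hunk keeps its `AC.L2-3.1.10` entry.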
@@ -31,9 +31,9 @@ references: - SRG-OS-000445-GPOS-00199 - SRG-OS-000446-GPOS-00200 disa_stig: - - APPL-15-005100 + - APPL-26-005100 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_high - 800-53r5_moderate diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml index 0cc3757f..a043469b 100644 --- a/rules/os/os_secure_enclave.yaml +++ b/rules/os/os_secure_enclave.yaml @@ -16,7 +16,7 @@ fix: | The hardware does not support the requirement. references: cce: - - CCE-94289-6 + - CCE-95293-7 cci: - N/A 800-53r5: @@ -31,7 +31,7 @@ references: cmmc: - SC.L2-3.13.10 macOS: - - '15.0' + - '26.0' tags: - inherent - cnssi-1253_low diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml index 2ebeeb61..1d20d6f6 100644 --- a/rules/os/os_secure_name_resolution.yaml +++ b/rules/os/os_secure_name_resolution.yaml @@ -10,7 +10,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94290-4 + - CCE-95294-5 cci: - N/A 800-53r5: @@ -27,7 +27,7 @@ references: controls v8: - 4.9 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_separate_functionality.yaml b/rules/os/os_separate_functionality.yaml index 82ea11cc..b3a796a9 100644 --- a/rules/os/os_separate_functionality.yaml +++ b/rules/os/os_separate_functionality.yaml @@ -14,7 +14,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94291-2 + - CCE-95295-2 cci: - N/A 800-53r5: @@ -33,7 +33,7 @@ references: cmmc: - SC.L2-3.13.3 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_setup_assistant_filevault_enforce.yaml b/rules/os/os_setup_assistant_filevault_enforce.yaml index 472ec364..e7be2cf4 100644 --- a/rules/os/os_setup_assistant_filevault_enforce.yaml 
+++ b/rules/os/os_setup_assistant_filevault_enforce.yaml @@ -15,7 +15,7 @@ fix: | NOTE: See the FileVault supplemental to implement this rule. references: cce: - - CCE-94292-0 + - CCE-95296-0 cci: - N/A 800-53r5: @@ -39,7 +39,7 @@ references: cmmc: - SC.L2-3.13.16 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_show_filename_extensions_enable.yaml b/rules/os/os_show_filename_extensions_enable.yaml deleted file mode 100644 index 8a74b030..00000000 --- a/rules/os/os_show_filename_extensions_enable.yaml +++ /dev/null @@ -1,50 +0,0 @@ -id: os_show_filename_extensions_enable -title: Enable Show All Filename Extensions -discussion: | - Show all filename extensions _MUST_ be enabled in the Finder. - - [NOTE] - ==== - The check and fix are for the currently logged in user. To get the currently logged in user, run the following. - [source,bash] - ---- - CURRENT_USER=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' ) - ---- - ==== -check: | - /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults read .GlobalPreferences AppleShowAllExtensions 2>/dev/null -result: - boolean: 1 -fix: | - [source,bash] - ---- - /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults write /Users/"$CURRENT_USER"/Library/Preferences/.GlobalPreferences AppleShowAllExtensions -bool true - ---- -references: - cce: - - CCE-94293-8 - cci: - - N/A - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - N/A - disa_stig: - - N/A - 800-171r3: - - N/A - cis: - benchmark: - - 6.1.1 (level 1) - controls v8: - - 2.3 -macOS: - - '15.0' -tags: - - cis_lvl1 - - cis_lvl2 - - cisv8 -mobileconfig: false -mobileconfig_info: diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index 7f8fe88d..4461a7a2 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml 
@@ -18,7 +18,7 @@ fix: | NOTE: To reenable "System Integrity Protection", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command. references: cce: - - CCE-94294-6 + - CCE-95298-6 cci: - CCI-000154 - CCI-000158 @@ -72,7 +72,7 @@ references: - SRG-OS-000122-GPOS-00063 - SRG-OS-000058-GPOS-00028 disa_stig: - - APPL-15-005001 + - APPL-26-005001 800-171r3: - 03.01.02 - 03.03.08 @@ -93,7 +93,7 @@ references: - SI.L1-3.14.1 - SI.L1-3.14.4 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml index 5135cdb6..2cb26f6d 100644 --- a/rules/os/os_siri_prompt_disable.yaml +++ b/rules/os/os_siri_prompt_disable.yaml @@ -5,9 +5,9 @@ discussion: | Organizations _MUST_ apply organization-wide configuration settings. The macOS Siri Assistant Setup prompt guides new users through enabling their own specific Siri settings; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing Siri settings with the potential to override organization-wide settings. check: | - /usr/bin/osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript 2>/dev/null << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ - .objectForKey('SkipSiriSetup').js + .objectForKey('SkipSetupItems').containsObject("Siri") EOS result: string: 'true' @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94295-3 + - CCE-95299-4 cci: - CCI-000381 - CCI-001774 @@ -30,7 +30,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002039 + - APPL-26-002039 800-171r3: - 03.01.20 - 03.04.06 @@ -45,7 +45,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate 
@@ -65,4 +65,5 @@ severity: medium mobileconfig: true mobileconfig_info: com.apple.SetupAssistant.managed: - SkipSiriSetup: true + SkipSetupItems: + - Siri diff --git a/rules/os/os_skip_apple_intelligence_enable.yaml b/rules/os/os_skip_apple_intelligence_enable.yaml new file mode 100644 index 00000000..f1488904 --- /dev/null +++ b/rules/os/os_skip_apple_intelligence_enable.yaml @@ -0,0 +1,57 @@ +id: os_skip_apple_intelligence_enable +title: Disable Apple Intelligence During Setup Assistant +discussion: | + The prompt for setting up Apple Intelligence during Setup Assistant _MUST_ be disabled. +check: | + /usr/bin/osascript -l JavaScript 2>/dev/null << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ + .objectForKey('SkipSetupItems').containsObject("Intelligence") + EOS +result: + string: 'true' +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-95603-7 + cci: + - N/A + 800-53r5: + - AC-4 + - AC-20 + - CM-7 + 800-53r4: + - AC-20 + srg: + - N/A + disa_stig: + - N/A + 800-171r3: + - 03.01.20 + - 03.04.06 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + cmmc: + - AC.L1-3.1.20 +macOS: + - '26.0' +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-171 + - cisv8 + - cnssi-1253_low + - cnssi-1253_high + - cmmc_lvl2 + - cmmc_lvl1 + - cnssi-1253_moderate +severity: medium +mobileconfig: true +mobileconfig_info: + com.apple.SetupAssistant.managed: + SkipSetupItems: + - Intelligence diff --git a/rules/os/os_skip_screen_time_prompt_enable.yaml b/rules/os/os_skip_screen_time_prompt_enable.yaml index 281dca3a..ded55e8e 100644 --- a/rules/os/os_skip_screen_time_prompt_enable.yaml +++ b/rules/os/os_skip_screen_time_prompt_enable.yaml 
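Review bot: The new os_skip_apple_intelligence_enable rule maps `cci: - N/A` and `srg: - N/A`, while its sibling Setup Assistant prompt rules in this change (Privacy, Siri, Screen Time, Unlock with Watch) map CCI-000381 and SRG-OS-000095-GPOS-00049 for the same kind of control, so the 800-53 baselines will carry one prompt rule without the usual traceability; unless the STIG deliberately omits it, add `cci: - CCI-000381` and `srg: - SRG-OS-000095-GPOS-00049`. Both the check and the payload hinge on the literal item name `Intelligence`; confirm it against Apple's published `SkipSetupItems` values before release, because a misspelled item would be ignored by Setup Assistant while the check, which reads back the same managed value the profile writes, would still report `true`.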
@@ -2,9 +2,9 @@ id: os_skip_screen_time_prompt_enable title: Disable Screen Time Prompt During Setup Assistant discussion: The prompt for Screen Time setup during Setup Assistant _MUST_ be disabled. check: | - /usr/bin/osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript 2>/dev/null << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ - .objectForKey('SkipScreenTime').js + .objectForKey('SkipSetupItems').containsObject("ScreenTime") EOS result: string: 'true' @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94296-1 + - CCE-95300-0 cci: - CCI-000381 800-53r5: @@ -24,14 +24,14 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-005055 + - APPL-26-005055 cmmc: - CM.L2-3.4.6 - CM.L2-3.4.7 800-171r3: - 03.04.06 macOS: - - '15.0' + - '26.0' tags: - 800-171 - cnssi-1253_low @@ -43,4 +43,5 @@ severity: low mobileconfig: true mobileconfig_info: com.apple.SetupAssistant.managed: - SkipScreenTime: true + SkipSetupItems: + - ScreenTime diff --git a/rules/os/os_skip_unlock_with_watch_enable.yaml b/rules/os/os_skip_unlock_with_watch_enable.yaml index a38ed5d6..480bc680 100644 --- a/rules/os/os_skip_unlock_with_watch_enable.yaml +++ b/rules/os/os_skip_unlock_with_watch_enable.yaml @@ -5,9 +5,9 @@ discussion: | Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures. check: | - /usr/bin/osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript 2>/dev/null << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ - .objectForKey('SkipUnlockWithWatch').js + .objectForKey('SkipSetupItems').containsObject("WatchMigration") EOS result: string: 'true' 
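Review bot: The watch rule now keys on the item name `WatchMigration`, which reads like a watch migration/pairing pane rather than the Unlock with Apple Watch pane the discussion describes; if Apple's `SkipSetupItems` list distinguishes the two, this rule would skip the wrong pane and the check would still pass, since it reads back the same managed value the profile writes. Confirm the identifier against Apple's documentation, and whichever it is, note in the discussion that skipping the Setup Assistant pane does not prevent a user from enabling watch unlock later in System Settings; that enforcement has to come from a separate restriction rule. The rest of this rule's hunks continue on the following line.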
@@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94297-9 + - CCE-95301-8 cci: - CCI-000381 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-005056 + - APPL-26-005056 800-171r3: - 03.01.20 - 03.04.06 @@ -37,7 +37,7 @@ references: cmmc: - AC.L1-3.1.20 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate @@ -57,4 +57,5 @@ severity: medium mobileconfig: true mobileconfig_info: com.apple.SetupAssistant.managed: - SkipUnlockWithWatch: true + SkipSetupItems: + - WatchMigration diff --git a/rules/os/os_sleep_and_display_sleep_apple_silicon_enable.yaml b/rules/os/os_sleep_and_display_sleep_apple_silicon_enable.yaml index 1184ddcc..9751dd16 100644 --- a/rules/os/os_sleep_and_display_sleep_apple_silicon_enable.yaml +++ b/rules/os/os_sleep_and_display_sleep_apple_silicon_enable.yaml @@ -26,7 +26,7 @@ fix: | ---- references: cce: - - CCE-94200-3 + - CCE-95302-6 cci: - N/A 800-53r5: @@ -41,11 +41,11 @@ references: - N/A cis: benchmark: - - 2.10.1.1 (level 2) + - 2.10.1.2 (level 2) controls v8: - 4.1 macOS: - - '15.0' + - '26.0' tags: - cis_lvl2 - cisv8 diff --git a/rules/system_settings/system_settings_software_update_app_update_enforce.yaml b/rules/os/os_software_update_app_update_enforce.yaml similarity index 90% rename from rules/system_settings/system_settings_software_update_app_update_enforce.yaml rename to rules/os/os_software_update_app_update_enforce.yaml index 8eb241a8..d514c34a 100644 --- a/rules/system_settings/system_settings_software_update_app_update_enforce.yaml +++ b/rules/os/os_software_update_app_update_enforce.yaml @@ -1,4 +1,4 @@ -id: system_settings_software_update_app_update_enforce +id: os_software_update_app_update_enforce title: Enforce Software Update App Update Updates Automatically discussion: | Software Update _MUST_ be configured to enforce automatic updates of App Updates is enabled. 
@@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94395-1 + - CCE-95402-4 cci: - N/A 800-53r5: @@ -33,7 +33,7 @@ references: - 7.3 - 7.4 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_software_update_deferral.yaml b/rules/os/os_software_update_deferral.yaml index c4b12ee6..85497caa 100644 --- a/rules/os/os_software_update_deferral.yaml +++ b/rules/os/os_software_update_deferral.yaml @@ -20,7 +20,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94298-7 + - CCE-95303-4 cci: - N/A 800-53r5: @@ -35,12 +35,12 @@ references: - N/A cis: benchmark: - - 1.7 (level 1) + - 1.6 (level 1) controls v8: - 7.3 - 7.4 macOS: - - '15.0' + - '26.0' odv: hint: Number of days. recommended: 30 diff --git a/rules/os/os_ssh_fips_compliant.yaml b/rules/os/os_ssh_fips_compliant.yaml index a01d508c..ddde11e7 100644 --- a/rules/os/os_ssh_fips_compliant.yaml +++ b/rules/os/os_ssh_fips_compliant.yaml @@ -66,7 +66,7 @@ fix: | ---- references: cce: - - CCE-94299-5 + - CCE-95304-2 cci: - CCI-000068 - CCI-000803 @@ -91,7 +91,7 @@ references: - SRG-OS-000033-GPOS-00014 - SRG-OS-000396-GPOS-00176 disa_stig: - - APPL-15-000057 + - APPL-26-000057 800-171r3: - 03.13.08 - 03.13.11 @@ -101,7 +101,7 @@ references: - SC.L2-3.13.8 - SC.L2-3.13.11 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml index c2fdfd96..761cd67a 100644 --- a/rules/os/os_ssh_server_alive_count_max_configure.yaml +++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml @@ -52,7 +52,7 @@ fix: | ---- references: cce: - - CCE-94300-1 + - CCE-95305-9 cci: - CCI-001133 800-53r5: 
@@ -62,13 +62,13 @@ references: srg: - SRG-OS-000163-GPOS-00072 disa_stig: - - APPL-15-000140 + - APPL-26-000140 800-171r3: - 03.13.09 cmmc: - SC.L2-3.13.9 macOS: - - '15.0' + - '26.0' odv: hint: Number of seconds. recommended: 0 diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml index c33ae3b9..988ac83b 100644 --- a/rules/os/os_ssh_server_alive_interval_configure.yaml +++ b/rules/os/os_ssh_server_alive_interval_configure.yaml @@ -54,7 +54,7 @@ fix: | ---- references: cce: - - CCE-94301-9 + - CCE-95306-7 cci: - CCI-001133 800-53r5: @@ -65,7 +65,7 @@ references: srg: - SRG-OS-000163-GPOS-00072 disa_stig: - - APPL-15-000110 + - APPL-26-000110 800-171r3: - 03.01.11 - 03.13.09 @@ -73,7 +73,7 @@ references: - AC.L2-3.1.11 - SC.L2-3.13.9 macOS: - - '15.0' + - '26.0' odv: hint: Number of seconds. recommended: 900 diff --git a/rules/os/os_sshd_channel_timeout_configure.yaml b/rules/os/os_sshd_channel_timeout_configure.yaml index a120972b..39e96ecc 100644 --- a/rules/os/os_sshd_channel_timeout_configure.yaml +++ b/rules/os/os_sshd_channel_timeout_configure.yaml @@ -35,7 +35,7 @@ fix: | ---- references: cce: - - CCE-94302-7 + - CCE-95307-5 cci: - CCI-001133 - CCI-002361 @@ -48,7 +48,7 @@ references: - SRG-OS-000163-GPOS-00072 - SRG-OS-000279-GPOS-00109 disa_stig: - - APPL-15-000120 + - APPL-26-000120 800-171r3: - 03.01.11 - 03.13.09 @@ -60,7 +60,7 @@ odv: recommended: session:*=900 stig: session:*=900 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml index 601c17fe..02bb1f54 100644 --- a/rules/os/os_sshd_client_alive_count_max_configure.yaml +++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml @@ -35,7 +35,7 @@ fix: | ---- references: cce: - - CCE-94303-5 + - CCE-95308-3 cci: - CCI-001133 800-53r5: 
@@ -45,13 +45,13 @@ references: srg: - SRG-OS-000163-GPOS-00072 disa_stig: - - APPL-15-000052 + - APPL-26-000052 800-171r3: - 03.13.09 cmmc: - SC.L2-3.13.9 macOS: - - '15.0' + - '26.0' odv: hint: Number of seconds. recommended: 0 diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml index 8377fc09..245e6f49 100644 --- a/rules/os/os_sshd_client_alive_interval_configure.yaml +++ b/rules/os/os_sshd_client_alive_interval_configure.yaml @@ -37,7 +37,7 @@ fix: | ---- references: cce: - - CCE-94304-3 + - CCE-95309-1 cci: - CCI-001133 800-53r5: @@ -48,7 +48,7 @@ references: srg: - SRG-OS-000163-GPOS-00072 disa_stig: - - APPL-15-000051 + - APPL-26-000051 800-171r3: - 03.01.11 - 03.13.09 @@ -56,7 +56,7 @@ references: - AC.L2-3.1.11 - SC.L2-3.13.9 macOS: - - '15.0' + - '26.0' odv: hint: Number of seconds. recommended: 900 diff --git a/rules/os/os_sshd_fips_compliant.yaml b/rules/os/os_sshd_fips_compliant.yaml index ee8bddd9..9d507609 100644 --- a/rules/os/os_sshd_fips_compliant.yaml +++ b/rules/os/os_sshd_fips_compliant.yaml @@ -53,7 +53,7 @@ fix: | ---- references: cce: - - CCE-94305-0 + - CCE-95310-9 cci: - CCI-000068 - CCI-000803 @@ -83,7 +83,7 @@ references: - SRG-OS-000393-GPOS-00173 - SRG-OS-000396-GPOS-00176 disa_stig: - - APPL-15-000054 + - APPL-26-000054 800-171r3: - 03.13.08 - 03.13.11 @@ -93,7 +93,7 @@ references: - SC.L2-3.13.8 - SC.L2-3.13.11 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml index de90f60d..c8595265 100644 --- a/rules/os/os_sshd_login_grace_time_configure.yaml +++ b/rules/os/os_sshd_login_grace_time_configure.yaml @@ -31,7 +31,7 @@ fix: | ---- references: cce: - - CCE-94306-8 + - CCE-95311-7 cci: - CCI-001133 800-53r5: 
@@ -41,13 +41,13 @@ references: srg: - SRG-OS-000163-GPOS-00072 disa_stig: - - APPL-15-000053 + - APPL-26-000053 800-171r3: - 03.13.09 cmmc: - SC.L2-3.13.9 macOS: - - '15.0' + - '26.0' odv: hint: Number of seconds. recommended: 30 diff --git a/rules/os/os_sshd_per_source_penalties_configure.yaml b/rules/os/os_sshd_per_source_penalties_configure.yaml index 4bded9cd..bc617ffc 100644 --- a/rules/os/os_sshd_per_source_penalties_configure.yaml +++ b/rules/os/os_sshd_per_source_penalties_configure.yaml @@ -35,7 +35,7 @@ fix: | ---- references: cce: - - CCE-94589-9 + - CCE-95312-5 cci: - N/A 800-53r5: @@ -49,7 +49,7 @@ references: cmmc: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml index d083934a..db4b658a 100644 --- a/rules/os/os_sshd_permit_root_login_configure.yaml +++ b/rules/os/os_sshd_permit_root_login_configure.yaml @@ -33,7 +33,7 @@ fix: | ---- references: cce: - - CCE-94307-6 + - CCE-95313-3 cci: - CCI-000770 - CCI-001813 @@ -46,9 +46,9 @@ references: - SRG-OS-000364-GPOS-00151 - SRG-OS-000109-GPOS-00056 disa_stig: - - APPL-15-001100 + - APPL-26-001100 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_high - 800-53r4_high diff --git a/rules/os/os_sshd_unused_connection_timeout_configure.yaml b/rules/os/os_sshd_unused_connection_timeout_configure.yaml index 1956bbb1..453f3711 100644 --- a/rules/os/os_sshd_unused_connection_timeout_configure.yaml +++ b/rules/os/os_sshd_unused_connection_timeout_configure.yaml @@ -33,7 +33,7 @@ fix: | ---- references: cce: - - CCE-94308-4 + - CCE-95314-1 cci: - CCI-001133 - CCI-002361 @@ -46,7 +46,7 @@ references: - SRG-OS-000163-GPOS-00072 - SRG-OS-000279-GPOS-00109 disa_stig: - - APPL-15-000130 + - APPL-26-000130 800-171r3: - 03.01.11 - 03.13.09 @@ -58,7 +58,7 @@ odv: recommended: 900 stig: 900 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high 
diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml index 097dec64..34482b35 100644 --- a/rules/os/os_store_encrypted_passwords.yaml +++ b/rules/os/os_store_encrypted_passwords.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94309-2 + - CCE-95315-8 cci: - N/A 800-53r5: @@ -37,7 +37,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_sudo_log_enforce.yaml b/rules/os/os_sudo_log_enforce.yaml index 0757469a..f8fa767e 100644 --- a/rules/os/os_sudo_log_enforce.yaml +++ b/rules/os/os_sudo_log_enforce.yaml @@ -14,7 +14,7 @@ fix: | ---- references: cce: - - CCE-94310-0 + - CCE-95316-6 cci: - CCI-000172 800-53r5: @@ -26,7 +26,7 @@ references: srg: - SRG-OS-000064-GPOS-00033 disa_stig: - - APPL-15-000190 + - APPL-26-000190 cis: benchmark: - 5.11 (level 1) @@ -37,7 +37,7 @@ references: - AU.L2-3.3.6 - SI.L2-3.14.3 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_sudo_timeout_configure.yaml b/rules/os/os_sudo_timeout_configure.yaml index f9f20fbc..026174d3 100644 --- a/rules/os/os_sudo_timeout_configure.yaml +++ b/rules/os/os_sudo_timeout_configure.yaml @@ -14,7 +14,7 @@ fix: | ---- references: cce: - - CCE-94311-8 + - CCE-95317-4 cci: - CCI-002038 800-53r5: @@ -24,14 +24,14 @@ references: srg: - SRG-OS-000373-GPOS-00156 disa_stig: - - APPL-15-004022 + - APPL-26-004022 cis: benchmark: - 5.4 (level 1) controls v8: - 4.3 macOS: - - '15.0' + - '26.0' odv: hint: Number of minutes. recommended: 0 diff --git a/rules/os/os_sudoers_timestamp_type_configure.yaml b/rules/os/os_sudoers_timestamp_type_configure.yaml index 1a939c5c..fca6553f 100644 --- a/rules/os/os_sudoers_timestamp_type_configure.yaml +++ b/rules/os/os_sudoers_timestamp_type_configure.yaml 
@@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-94312-6 + - CCE-95318-2 cci: - CCI-002038 800-53r5: @@ -27,7 +27,7 @@ references: - SRG-OS-000373-GPOS-00157 - SRG-OS-000373-GPOS-00156 disa_stig: - - APPL-15-004060 + - APPL-26-004060 cis: benchmark: - 5.5 (level 1) @@ -36,7 +36,7 @@ references: 800-171r3: - 03.05.01 macOS: - - '15.0' + - '26.0' tags: - 800-171 - 800-53r5_low diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml index 3d4732fa..bac911de 100644 --- a/rules/os/os_system_read_only.yaml +++ b/rules/os/os_system_read_only.yaml @@ -12,7 +12,7 @@ fix: | NOTE: To remount the System volume as Read Only, rebooting the computer will mount it as Read Only. references: cce: - - CCE-94313-4 + - CCE-95319-0 cci: - N/A 800-53r5: @@ -27,7 +27,7 @@ references: disa_stig: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_system_wide_applications_configure.yaml b/rules/os/os_system_wide_applications_configure.yaml index ea2726ab..b3794446 100644 --- a/rules/os/os_system_wide_applications_configure.yaml +++ b/rules/os/os_system_wide_applications_configure.yaml @@ -16,7 +16,7 @@ fix: | ---- references: cce: - - CCE-94314-2 + - CCE-95320-8 cci: - N/A 800-53r5: @@ -35,7 +35,7 @@ references: controls v8: - 3.3 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_terminal_secure_keyboard_enable.yaml b/rules/os/os_terminal_secure_keyboard_enable.yaml index 2fcc57a1..f3f6ee2c 100644 --- a/rules/os/os_terminal_secure_keyboard_enable.yaml +++ b/rules/os/os_terminal_secure_keyboard_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94315-9 + - CCE-95321-6 cci: - N/A 800-53r5: @@ -32,7 +32,7 @@ references: controls v8: - 4.8 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_terminate_session.yaml b/rules/os/os_terminate_session.yaml index 37bc97c7..d7479fa2 100644 
--- a/rules/os/os_terminate_session.yaml +++ b/rules/os/os_terminate_session.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94316-7 + - CCE-95322-4 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - N/A macOS: - - '15.0' + - '26.0' tags: - inherent mobileconfig: false diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index 7557a36b..aa4f7ec1 100644 --- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml @@ -7,18 +7,30 @@ discussion: | NOTE: TFTP service is disabled at startup by default macOS. check: | - /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.tftpd" => disabled' + result="FAIL" + enabled=$(/bin/launchctl print-disabled system | /usr/bin/grep '"com.apple.tftpd" => enabled') + running=$(/bin/launchctl print system/com.apple.tftpd 2>/dev/null) + + if [[ -z "$running" ]] && [[ -z "$enabled" ]]; then + result="PASS" + elif [[ -n "$running" ]]; then + result=result+" RUNNING" + elif [[ -n "$enabled" ]]; then + result=result+" ENABLED" + fi + echo $result result: - integer: 1 + string: PASS fix: | [source,bash] ---- + /bin/launchctl bootout system/com.apple.tftpd /bin/launchctl disable system/com.apple.tftpd ---- The system may need to be restarted for the update to take effect. references: cce: - - CCE-94317-5 + - CCE-95323-2 cci: - CCI-000197 - CCI-000213 @@ -33,7 +45,7 @@ references: - SRG-OS-000080-GPOS-00048 - SRG-OS-000074-GPOS-00042 disa_stig: - - APPL-15-002038 + - APPL-26-002038 800-171r3: - 03.01.02 - 03.04.06 @@ -51,7 +63,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_time_offset_limit_configure.yaml b/rules/os/os_time_offset_limit_configure.yaml index 792472ed..64a0dbc9 100644 --- a/rules/os/os_time_offset_limit_configure.yaml +++ b/rules/os/os_time_offset_limit_configure.yaml 
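Review bot: The failure diagnostics in the new tftpd check are never built, because `result=result+" RUNNING"` is a plain shell assignment of the literal text `result+ RUNNING`, not concatenation; the ENABLED branch has the same defect. The rule still fails on any non-PASS string, but the reported reason is garbage and `echo $result` would then word-split it. Use `result="${result} RUNNING"` / `result="${result} ENABLED"` and `echo "$result"`. A one-line comment that `launchctl print system/com.apple.tftpd` exits non-zero (and prints nothing) only when the job is not loaded would also help, since the `2>/dev/null` hides why an empty `$running` is the pass signal.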
@@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-94318-3 + - CCE-95324-0 cci: - N/A 800-53r5: @@ -32,7 +32,7 @@ references: controls v8: - N/A macOS: - - '15.0' + - '26.0' tags: - none mobileconfig: false diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml index e29eaa0f..db3e0f9e 100644 --- a/rules/os/os_time_server_enabled.yaml +++ b/rules/os/os_time_server_enabled.yaml @@ -5,7 +5,7 @@ discussion: | NOTE: The time synchronization daemon is enabled by default on macOS. check: | - /bin/launchctl list | /usr/bin/grep -c com.apple.timed + /bin/launchctl print system | /usr/bin/grep -c -E '\tcom.apple.timed' result: integer: 1 fix: | @@ -17,7 +17,7 @@ fix: | NOTE: The service `timed` cannot be unloaded or loaded while System Integrity Protection (SIP) is enabled. references: cce: - - CCE-94319-1 + - CCE-95325-7 cci: - CCI-002046 - CCI-001891 @@ -34,7 +34,7 @@ references: - SRG-OS-000356-GPOS-00144 - SRG-OS-000785-GPOS-00250 disa_stig: - - APPL-15-000180 + - APPL-26-000180 800-171r3: - 03.03.07 cis: @@ -45,7 +45,7 @@ references: cmmc: - AU.L2-3.3.7 macOS: - - '15.0' + - '26.0' tags: - 800-171 - 800-53r5_low diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml index 52201aca..76d62498 100644 --- a/rules/os/os_touchid_prompt_disable.yaml +++ b/rules/os/os_touchid_prompt_disable.yaml @@ -5,9 +5,9 @@ discussion: | macOS prompts new users through enabling TouchID during Setup Assistant; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing to enable TouchID to override organization-wide settings. check: | - /usr/bin/osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript 2>/dev/null << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ - .objectForKey('SkipTouchIDSetup').js + .objectForKey('SkipSetupItems').containsObject("Biometric") EOS result: string: 'true' 
@@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94320-9 + - CCE-95326-5 cci: - CCI-000381 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-005054 + - APPL-26-005054 800-171r3: - 03.04.02 cis: @@ -36,7 +36,7 @@ references: cmmc: - CM.L2-3.4.2 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate @@ -55,4 +55,5 @@ severity: medium mobileconfig: true mobileconfig_info: com.apple.SetupAssistant.managed: - SkipTouchIDSetup: true + SkipSetupItems: + - Biometric diff --git a/rules/os/os_unique_identification.yaml b/rules/os/os_unique_identification.yaml index 03a150db..6f3c99cf 100644 --- a/rules/os/os_unique_identification.yaml +++ b/rules/os/os_unique_identification.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94321-7 + - CCE-95327-3 cci: - N/A 800-53r5: @@ -30,7 +30,7 @@ references: 800-171r3: - 03.05.05 macOS: - - '15.0' + - '26.0' tags: - 800-171 - 800-53r5_low diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml index f2b0f739..c418030f 100644 --- a/rules/os/os_unlock_active_user_session_disable.yaml +++ b/rules/os/os_unlock_active_user_session_disable.yaml 
@@ -5,21 +5,42 @@ discussion: | macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. - NOTE: Configuring this setting will change the user experience and disable TouchID from unlocking the screensaver. To restore the user experience and allow TouchID to unlock the screensaver, you can run `/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1`. This setting can also be deployed with a configuration profile. + NOTE: Configuring this setting will change the user experience and disable TouchID from unlocking the screensaver. A configuration profile will be generated to include the setting that restores the expected behavior. You can also apply the settings using `/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1`. WARNING: This rule may cause issues when platformSSO is configured. 
check: | - /usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c '$ODV' + RESULT="FAIL" + SS_RULE=$(/usr/bin/security -q authorizationdb read system.login.screensaver 2>&1 | /usr/bin/xmllint --xpath "//dict/key[.='rule']/following-sibling::array[1]/string/text()" -) + + if [[ "${SS_RULE}" == "$ODV" ]]; then + RESULT="PASS" + else + PSSO_CHECK=$(/usr/bin/security -q authorizationdb read "$SS_RULE" 2>&1 | /usr/bin/xmllint --xpath '//key[.="rule"]/following-sibling::array[1]/string/text()' -) + if /usr/bin/grep -Fxq "$ODV" <<<"$PSSO_CHECK"; then + RESULT="PASS" + fi + fi + + echo $RESULT result: - integer: 1 + string: "PASS" fix: | [source,bash] ---- - /usr/bin/security authorizationdb write system.login.screensaver "$ODV" + SS_RULE=$(/usr/bin/security -q authorizationdb read system.login.screensaver 2>&1 | /usr/bin/xmllint --xpath "//dict/key[.='rule']/following-sibling::array[1]/string/text()" -) + + if [[ "$SS_RULE" == *psso* ]]; then + /usr/bin/security -q authorizationdb read psso-screensaver > "/tmp/psso-screensaver-mscp.plist" + /usr/bin/sed -i.bak 's/authenticate-session-owner-or-admin<\/string>/$ODV<\/string>/' /tmp/psso-screensaver-mscp.plist + /usr/bin/security -q authorizationdb write psso-screensaver-mscp < /tmp/psso-screensaver-mscp.plist + /usr/bin/security -q authorizationdb write system.login.screensaver psso-screensaver-mscp 2>&1 + else + /usr/bin/security -q authorizationdb write system.login.screensaver "$ODV" 2>&1 + fi ---- references: cce: - - CCE-94322-5 + - CCE-95328-1 cci: - CCI-000764 - CCI-000770 @@ -31,7 +52,7 @@ references: - IA-2 - IA-2(5) disa_stig: - - APPL-15-000090 + - APPL-26-000090 srg: - SRG-OS-000109-GPOS-00056 - SRG-OS-000104-GPOS-00051 @@ -46,7 +67,7 @@ references: - IA.L1-3.5.1 - IA.L1-3.5.2 macOS: - - '15.0' + - '26.0' odv: hint: "Review the /System/Library/Security/authorization.plist file for more information." recommended: "authenticate-session-owner" 
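Review bot: The fix writes its scratch plist to the fixed path `/tmp/psso-screensaver-mscp.plist` while running as root, so an unprivileged local user who pre-creates that name (as a symlink, or as a file they edit between the `sed` and the `security ... write`) can clobber an arbitrary file or get their own rule installed as `psso-screensaver-mscp`. Create the file with `mktemp`, keep it `0600`, and remove it afterwards; as written the `.bak` copy from `sed -i.bak` is also left behind. The `sed` expression interpolates `$ODV` unescaped, so a value containing `/` would break it — fine for the recommended `authenticate-session-owner`, but worth a comment. The `*psso*` branch reads the hardcoded `psso-screensaver` rule rather than `$SS_RULE`, which looks deliberate but should be stated in the note above the fix.
```shell
if [[ "$SS_RULE" == *psso* ]]; then
    TMPF=$(/usr/bin/mktemp /tmp/psso-screensaver-mscp.XXXXXX)   # unpredictable name, owned by root, mode 0600
    /usr/bin/security -q authorizationdb read psso-screensaver > "$TMPF"
    /usr/bin/sed -i '' 's/authenticate-session-owner-or-admin<\/string>/$ODV<\/string>/' "$TMPF"
    /usr/bin/security -q authorizationdb write psso-screensaver-mscp < "$TMPF"
    /usr/bin/security -q authorizationdb write system.login.screensaver psso-screensaver-mscp 2>&1
    /bin/rm -f "$TMPF"
else
    # … unchanged: direct write of $ODV to system.login.screensaver …
```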
@@ -71,5 +92,7 @@ tags: - stig - cnssi-1253_moderate severity: medium -mobileconfig: false +mobileconfig: true mobileconfig_info: + com.apple.loginwindow: + screenUnlockMode: 1 diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml index 51a1e4cc..2950c902 100644 --- a/rules/os/os_user_app_installation_prohibit.yaml +++ b/rules/os/os_user_app_installation_prohibit.yaml @@ -30,7 +30,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94323-3 + - CCE-95329-9 cci: - CCI-001812 - CCI-003980 @@ -41,11 +41,11 @@ references: srg: - SRG-OS-000362-GPOS-00149 disa_stig: - - APPL-15-005080 + - APPL-26-005080 cmmc: - CM.L2-3.4.9 macOS: - - '15.0' + - '26.0' tags: - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml index 02947a23..5b33efa6 100644 --- a/rules/os/os_uucp_disable.yaml +++ b/rules/os/os_uucp_disable.yaml @@ -7,18 +7,30 @@ discussion: | NOTE: UUCP service is disabled at startup by default macOS. check: | - /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.uucp" => disabled' + result="FAIL" + enabled=$(/bin/launchctl print-disabled system | /usr/bin/grep '"com.apple.uucp" => enabled') + running=$(/bin/launchctl print system/com.apple.uucp 2>/dev/null) + + if [[ -z "$running" ]] && [[ -z "$enabled" ]]; then + result="PASS" + elif [[ -n "$running" ]]; then + result=result+" RUNNING" + elif [[ -n "$enabled" ]]; then + result=result+" ENABLED" + fi + echo $result result: - integer: 1 + string: PASS fix: | [source,bash] ---- + /bin/launchctl bootout system/com.apple.uucp /bin/launchctl disable system/com.apple.uucp ---- The system may need to be restarted for the update to take effect. references: cce: - - CCE-94324-1 + - CCE-95330-7 cci: - CCI-000213 800-53r5: @@ -29,7 +41,7 @@ references: srg: - SRG-OS-000080-GPOS-00048 disa_stig: - - APPL-15-002006 + - APPL-26-002006 800-171r3: - 03.01.02 - 03.04.06 
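Review bot: The uucp check has the same string-building bug as the tftpd one: `result=result+" RUNNING"` assigns the literal text `result+ RUNNING` instead of appending to `$result`, and the ENABLED branch does likewise. The rule still fails (the value is not `PASS`), but the diagnostic is meaningless and the unquoted `echo $result` would split it. Use `result="${result} RUNNING"`, `result="${result} ENABLED"` and `echo "$result"`.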
@@ -43,7 +55,7 @@ references: cmmc: - AC.L1-3.1.1 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_verify_remote_disconnection.yaml b/rules/os/os_verify_remote_disconnection.yaml index 30a823af..99a656ab 100644 --- a/rules/os/os_verify_remote_disconnection.yaml +++ b/rules/os/os_verify_remote_disconnection.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94325-8 + - CCE-95331-5 cci: - N/A 800-53r5: @@ -20,7 +20,7 @@ references: srg: - SRG-OS-000395-GPOS-00175 macOS: - - '15.0' + - '26.0' tags: - inherent - cnssi-1253_low diff --git a/rules/os/os_world_writable_library_folder_configure.yaml b/rules/os/os_world_writable_library_folder_configure.yaml index f1dda009..9e6975a6 100644 --- a/rules/os/os_world_writable_library_folder_configure.yaml +++ b/rules/os/os_world_writable_library_folder_configure.yaml @@ -5,20 +5,20 @@ discussion: | NOTE: Some vendors are known to create world-writable folders to the System Library folder. You may need to add more exclusions to this check and fix to match your environment. check: | - /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 -ls 2>&1 | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data | /usr/bin/wc -l | /usr/bin/xargs + /usr/bin/find /Library -type d -perm -002 ! -perm -1000 ! -xattrname com.apple.rootless 2>/dev/null | /usr/bin/wc -l | /usr/bin/xargs result: integer: 0 fix: | [source,bash] ---- IFS=$'\n' - for libPermissions in $( /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 2>&1 | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data ); do + for libPermissions in $(/usr/bin/find /Library -type d -perm -002 ! -perm -1000 ! -xattrname com.apple.rootless 2>/dev/null); do /bin/chmod -R o-w "$libPermissions" done ---- references: cce: - - CCE-94326-6 + - CCE-95332-3 cci: - N/A 800-53r5: 
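Review bot: The remediation is broader than what the check measures: `chmod -R o-w "$libPermissions"` recurses into every file and subdirectory under the offending folder, while the `find` only reports the directory itself, so one world-writable vendor directory (the discussion notes these exist) causes permissions to be changed on everything beneath it. `/bin/chmod o-w "$libPermissions"` is all that is needed to satisfy the check and matches the rule title. The `IFS=$'\n'` assignment is also never restored and leaks into the rest of the generated script; `while IFS= read -r libPermissions; do …; done < <(/usr/bin/find …)` avoids that without changing what is matched.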
@@ -37,7 +37,7 @@ references: controls v8: - 3.3 macOS: - - '15.0' + - '26.0' tags: - cis_lvl2 - cisv8 diff --git a/rules/os/os_world_writable_system_folder_configure.yaml b/rules/os/os_world_writable_system_folder_configure.yaml index a8bacf8a..2f96491d 100644 --- a/rules/os/os_world_writable_system_folder_configure.yaml +++ b/rules/os/os_world_writable_system_folder_configure.yaml @@ -16,7 +16,7 @@ fix: | ---- references: cce: - - CCE-94327-4 + - CCE-95333-1 cci: - N/A 800-53r5: @@ -35,7 +35,7 @@ references: controls v8: - 3.3 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/os/os_writing_tools_disable.yaml b/rules/os/os_writing_tools_disable.yaml index 6d3e2594..74c3bd14 100644 --- a/rules/os/os_writing_tools_disable.yaml +++ b/rules/os/os_writing_tools_disable.yaml @@ -13,14 +13,14 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94328-2 + - CCE-95334-9 cci: - CCI-000381 - CCI-001774 srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-005160 + - APPL-26-005160 800-53r5: - AC-20 - AC-20(1) @@ -40,7 +40,7 @@ references: controls v8: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/pwpolicy/pwpolicy_50_percent.yaml b/rules/pwpolicy/pwpolicy_50_percent.yaml index e0c11e44..cc917d2b 100644 --- a/rules/pwpolicy/pwpolicy_50_percent.yaml +++ b/rules/pwpolicy/pwpolicy_50_percent.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94329-0 + - CCE-95335-6 cci: - N/A 800-53r5: @@ -28,7 +28,7 @@ references: 800-171r3: - 03.05.07 macOS: - - '15.0' + - '26.0' tags: - 800-171 - 800-53r4_low diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml index 2fc3e1c5..51afcb20 100644 
--- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml @@ -36,7 +36,7 @@ fix: | NOTE: See the password policy supplemental on more information on how to implement password policies on macOS. references: cce: - - CCE-94330-8 + - CCE-95336-4 cci: - CCI-000795 - CCI-003627 @@ -49,7 +49,7 @@ references: - SRG-OS-000118-GPOS-00060 - SRG-OS-000590-GPOS-00110 disa_stig: - - APPL-15-003080 + - APPL-26-003080 800-171r3: - 03.01.01 cis: @@ -60,7 +60,7 @@ references: cmmc: - IA.L2-3.5.6 macOS: - - '15.0' + - '26.0' odv: hint: Number of days. recommended: 35 diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml index 2ed9799f..e22d8935 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml @@ -5,14 +5,14 @@ discussion: | This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMaximumFailedAuthentications"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 <= $ODV) {print "yes"} else {print "no"}}' | /usr/bin/uniq + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMaximumFailedAuthentications"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 <= $ODV) {print "pass"} else {print "fail"}}' | /usr/bin/uniq result: - string: 'yes' + string: 'pass' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94331-6 + - CCE-95337-2 cci: - CCI-000044 - CCI-002238 @@ -24,7 +24,7 @@ references: - SRG-OS-000329-GPOS-00128 - SRG-OS-000021-GPOS-00005 disa_stig: - - APPL-15-000022 + - APPL-26-000022 800-171r3: - 03.01.08 cis: 
@@ -35,7 +35,7 @@ references: cmmc: - AC.L2-3.1.8 macOS: - - '15.0' + - '26.0' odv: hint: Number of failed attempts. recommended: 3 diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml index 93dae9d9..4789fd93 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml @@ -5,14 +5,14 @@ discussion: | This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="autoEnableInSeconds"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1/60 >= $ODV ) {print "yes"} else {print "no"}}' | /usr/bin/uniq + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="autoEnableInSeconds"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1/60 >= $ODV ) {print "pass"} else {print "fail"}}' | /usr/bin/uniq result: - string: 'yes' + string: 'pass' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94332-4 + - CCE-95338-0 cci: - CCI-002238 - CCI-000044 @@ -24,7 +24,7 @@ references: - SRG-OS-000329-GPOS-00128 - SRG-OS-000021-GPOS-00005 disa_stig: - - APPL-15-000060 + - APPL-26-000060 800-171r3: - 03.01.08 cis: @@ -35,7 +35,7 @@ references: cmmc: - AC.L2-3.1.8 macOS: - - '15.0' + - '26.0' odv: hint: Number of minutes. recommended: 15 diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml index 945d3c39..92e2a63e 100644 --- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml 
@@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94333-2 + - CCE-95339-8 cci: - CCI-000194 - CCI-004066 @@ -27,7 +27,7 @@ references: - SRG-OS-000071-GPOS-00039 - SRG-OS-000775-GPOS-00230 disa_stig: - - APPL-15-003007 + - APPL-26-003007 800-171r3: - 03.05.07 cis: @@ -41,7 +41,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - '15.0' + - '26.0' tags: - cis_lvl2 - cisv8 diff --git a/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml b/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml index 002dd25f..7e7e5561 100644 --- a/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml @@ -16,7 +16,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94334-0 + - CCE-95340-6 cci: - CCI-000192 - CCI-000193 @@ -30,7 +30,7 @@ references: - IA-5 - IA-5(1) disa_stig: - - APPL-15-003060 + - APPL-26-003060 srg: - SRG-OS-000070-GPOS-00038 - SRG-OS-000069-GPOS-00037 @@ -46,7 +46,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - '15.0' + - '26.0' odv: hint: Custom regex (recommended is 1 upper, 1 lowercase, and 1 numeric digit) recommended: ^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*$ diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml index f58a4607..ce817d39 100644 --- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml @@ -16,7 +16,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94335-7 + - CCE-95341-4 cci: - N/A 800-53r5: @@ -29,7 +29,7 @@ references: disa_stig: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml index fc57942f..94975def 100644 --- a/rules/pwpolicy/pwpolicy_force_password_change.yaml 
+++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml @@ -17,7 +17,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94336-5 + - CCE-95342-2 cci: - N/A 800-53r5: @@ -41,7 +41,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - '15.0' + - '26.0' tags: - 800-171 - 800-53r4_low diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml index 98fbc215..d2c0c295 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml @@ -9,14 +9,14 @@ discussion: | NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributePasswordHistoryDepth"]/following-sibling::*[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' | /usr/bin/uniq + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributePasswordHistoryDepth"]/following-sibling::*[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "pass"} else {print "fail"}}' | /usr/bin/uniq result: - string: 'yes' + string: 'pass' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94337-3 + - CCE-95343-0 cci: - CCI-000200 800-53r5: @@ -40,7 +40,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - '15.0' + - '26.0' odv: hint: Number of previous passwords. recommended: 5 @@ -61,7 +61,6 @@ tags: - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - - stig - cnssi-1253_moderate severity: medium mobileconfig: true 
diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index 3407f5d0..5d009e40 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml @@ -9,9 +9,9 @@ discussion: | NOTE: macOS 14 supports password policy complexity with custom regex deployed with a mobileconfig file. To use a mobileconfig file use *pwpolicy_custom_regex_enforce*. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersLowerCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersLowerCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "pass"} else {print "fail"}}' result: - string: 'yes' + string: 'pass' fix: | This setting may be enforced using local policy or by a directory service. @@ -27,7 +27,7 @@ fix: | policyParameters minimumAlphaCharactersLowerCase - 1 + $ODV ---- @@ -40,7 +40,7 @@ fix: | NOTE: See the password policy supplemental on more information on how to implement password policies on macOS. references: cce: - - CCE-94338-1 + - CCE-95344-8 cci: - N/A 800-53r5: @@ -64,7 +64,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - '15.0' + - '26.0' odv: hint: Number of lowercase characters. recommended: 1 diff --git a/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml index 66c527bb..6162fd19 100644 --- a/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml 
@@ -7,14 +7,14 @@ discussion: | NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require the use of complexity policies such as upper characters, lower characters, or special characters. Password policies must also not require the use of regular rotation. Password policies should define a minimum length. Multifactor authentication should be used where ever possible. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeExpiresEveryNDays"]/following-sibling::*[1]/text()' - + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeExpiresEveryNDays"]/following-sibling::*[1]/text()' - | /usr/bin/awk '{ if ($1 <= $ODV ) {print "pass"} else {print "fail"}}' | /usr/bin/uniq result: - integer: $ODV + string: "pass" fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94339-9 + - CCE-95345-5 cci: - CCI-000199 - CCI-004066 @@ -27,7 +27,7 @@ references: - SRG-OS-000076-GPOS-00044 - SRG-OS-000775-GPOS-00230 disa_stig: - - APPL-15-003008 + - APPL-26-003008 800-171r3: - 03.05.12 cis: @@ -39,7 +39,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - '15.0' + - '26.0' odv: hint: Number of days. recommended: 60 diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index bcbf271d..88b1907d 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml 
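Review bot: The new awk test `$1 <= $ODV` reports pass for a policyAttributeExpiresEveryNDays value of 0, which the old exact match against `integer: $ODV` could not; if pwpolicy treats 0 (or a negative value) as "never expires", a host with rotation effectively disabled would now satisfy this rule. If that is the platform semantics, tighten the guard to `if ($1 > 0 && $1 <= $ODV ) {print "pass"} else {print "fail"}` so only a positive lifetime at or below the ODV passes. The trailing `uniq` also means a host with several policies that disagree prints more than one token and therefore does not match `pass`, which is fail-closed but worth one sentence in the discussion. The meaning of a zero value is not visible in this hunk and should be confirmed against pwpolicy before changing the check.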
@@ -7,14 +7,14 @@ discussion: | NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require the use of complexity policies such as upper characters, lower characters, or special characters. Password policies must also not require the use of regular rotation. Password policies should define a minimum length. Multifactor authentication should be used where ever possible. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.{$ODV,}'\''")])' - + /usr/bin/pwpolicy -getaccountpolicies 2>/dev/null | tail +2 | grep -oE "policyAttributePassword matches '.\{[0-9]+," | awk -F'[{,]' -v ODV=$ODV '{if ($2 > max) max=$2} END {print (max >= ODV) ? "pass" : "fail"}' result: - string: 'true' + string: 'pass' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94340-7 + - CCE-95346-3 cci: - CCI-000205 - CCI-004066 @@ -26,7 +26,7 @@ references: srg: - SRG-OS-000078-GPOS-00046 disa_stig: - - APPL-15-003010 + - APPL-26-003010 800-171r3: - 03.05.07 cis: @@ -39,7 +39,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - '15.0' + - '26.0' odv: hint: Minimum password length. recommended: 15 diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index 2a3db1e6..d3a03719 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml 
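Review bot: The rewritten check invokes `tail`, `grep` and `awk` without the `/usr/bin/` prefix that every sibling pwpolicy check in this diff uses, so the outcome of this rule depends on the invoking shell's PATH rather than on the system binaries; change them to `/usr/bin/tail`, `/usr/bin/grep` and `/usr/bin/awk` to match the rest of the rules. The awk logic fails closed when no matching policy is present (`max` stays unset, `max >= ODV` is false, and it prints `fail`), which is the right default. Note that the `grep -oE` pattern only matches a policy regex that begins with `'.{`, so a policy written as `'^.{N,}$'` is reported as `fail`; this is not a regression from the old `contains()` check, but a sentence in the discussion stating the expected form would save a false finding.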
@@ -7,9 +7,9 @@ discussion: | NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require the use of complexity policies such as upper characters, lower characters, or special characters. Password policies must also not require the use of regular rotation. Password policies should define a minimum length. Multifactor authentication should be used where ever possible. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMinimumLifetimeHours"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMinimumLifetimeHours"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "pass"} else {print "fail"}}' result: - string: 'yes' + string: 'pass' fix: | This setting may be enforced using local policy or by a directory service. @@ -38,7 +38,7 @@ fix: | NOTE: See the password policy supplemental on more information on how to implement password policies on macOS. references: cce: - - CCE-94341-5 + - CCE-95347-1 cci: - CCI-000198 - CCI-004066 @@ -47,7 +47,7 @@ references: 800-53r4: - IA-5(1) disa_stig: - - APPL-15-003070 + - APPL-26-003070 srg: - SRG-OS-000075-GPOS-00043 800-171r3: @@ -61,7 +61,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - '15.0' + - '26.0' odv: hint: Number of hours. recommended: 24 
diff --git a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml index f1f78d19..598d37db 100644 --- a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml +++ b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml @@ -14,7 +14,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94342-3 + - CCE-95348-9 cci: - N/A 800-53r5: @@ -26,7 +26,7 @@ references: srg: - SRG-OS-000480-GPOS-00225 macOS: - - '15.0' + - '26.0' tags: - permanent mobileconfig: false diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml index 02296536..db816de5 100644 --- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml +++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml @@ -16,7 +16,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94343-1 + - CCE-95349-7 cci: - N/A 800-53r5: @@ -40,7 +40,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - '15.0' + - '26.0' tags: - 800-171 - 800-53r4_low diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index 81afa0ab..92706a39 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml 
@@ -9,14 +9,14 @@ discussion: | NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require the use of complexity policies such as upper characters, lower characters, or special characters. Password policies must also not require the use of regular rotation. Password policies should define a minimum length. Multifactor authentication should be used where ever possible. check: | - /usr/bin/pwpolicy -getaccountpolicies 2>/dev/null | /usr/bin/tail -n +2 | /usr/bin/xmllint --xpath "//string[contains(text(), \"policyAttributePassword matches '(.*[^a-zA-Z0-9].*){\")]" - 2>/dev/null | /usr/bin/awk -F"{|}" '{if ($2 >= $ODV) {print "true"} else {print "false"}}' + /usr/bin/pwpolicy -getaccountpolicies 2>/dev/null | /usr/bin/tail -n +2 | /usr/bin/xmllint --xpath "//string[contains(text(), \"policyAttributePassword matches '(.*[^a-zA-Z0-9].*){\")]" - 2>/dev/null | /usr/bin/awk -F"{|}" '{if ($2 >= $ODV) {print "pass"} else {print "fail"}}' result: - string: 'true' + string: 'pass' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94344-9 + - CCE-95350-5 cci: - CCI-001619 - CCI-004066 @@ -28,7 +28,7 @@ references: srg: - SRG-OS-000266-GPOS-00101 disa_stig: - - APPL-15-003011 + - APPL-26-003011 800-171r3: - 03.05.07 cis: @@ -41,7 +41,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - '15.0' + - '26.0' odv: hint: Number of special characters. recommended: 1 diff --git a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml index 477f5cd5..67c30931 100644 --- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml 
+++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml @@ -14,7 +14,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-94345-6 + - CCE-95351-3 cci: - N/A 800-53r5: @@ -27,7 +27,7 @@ references: disa_stig: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml index 21b6a232..cbcff3d0 100644 --- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml @@ -56,7 +56,7 @@ fix: | /usr/bin/pwpolicy -u username setaccountpolicies /path/to/file references: cce: - - CCE-94346-4 + - CCE-95352-1 cci: - CCI-001682 - CCI-000016 @@ -68,9 +68,9 @@ references: - SRG-OS-000002-GPOS-00002 - SRG-OS-000123-GPOS-00064 disa_stig: - - APPL-15-000012 + - APPL-26-000012 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index 41c9d6eb..d3d60283 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml 
@@ -9,9 +9,9 @@ discussion: | NOTE: macOS 14 supports password policy complexity with custom regex deployed with a mobileconfig file. To use a mobileconfig file use *pwpolicy_custom_regex_enforce*. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersUpperCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersUpperCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "pass"} else {print "fail"}}' result: - string: 'yes' + string: 'pass' fix: | This setting may be enforced using local policy or by a directory service. @@ -40,7 +40,7 @@ fix: | NOTE: See the password policy supplemental on more information on how to implement password policies on macOS. references: cce: - - CCE-94347-2 + - CCE-95353-9 cci: - N/A 800-53r5: @@ -64,7 +64,7 @@ references: - IA.L2-3.5.8 - IA.L2-3.5.9 macOS: - - '15.0' + - '26.0' odv: hint: Number of Upper Case characters. recommended: 1 diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index e5e28bed..a008640b 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml 
@@ -8,14 +8,24 @@ discussion: | |Section |System Settings + |Recommendations + | 1.7 Ensure the System is Managed by a Mobile Device Management (MDM) Software + |=== + + [cols="15%h, 85%a"] + |=== + |Section + |System Settings + |Recommendations |2.1.1.1 Audit iCloud Keychain + 2.1.1.2 Audit iCloud Drive + - 2.1.1.4 Audit Security Keys Used With AppleIDs + + 2.1.1.4 Audit Security Keys Used With Apple Accounts + 2.1.1.5 Audit Freeform Sync to iCloud + 2.1.1.6 Audit Find My Mac + 2.1.2 Audit App Store Password Settings + 2.3.3.11 Ensure Computer Name Does Not Contain PII or Protected Organizational Information + + 2.4.1 Audit Menu Bar and Control Center Icons + 2.5.2.2 Ensure Listen for Siri is Disabled + 2.6.1.3 Audit Location Services Access + 2.6.2.1 Audit Full Disk Access for Applications + @@ -29,7 +39,6 @@ discussion: | 2.15.1 Audit Notification & Focus Settings + 2.16.1 Audit Wallet & Apple Pay Settings + 2.17.1 Audit Internet Accounts for Authorized Use + - 6.5.1 Audit Passwords System Preference Setting + |=== [cols="15%h, 85%a"] @@ -61,11 +70,13 @@ discussion: | |Applications |Recommendations - |6.2.1 Ensure Protect Mail Activity in Mail Is Enabled + + |6.1.1 Ensure Show All Filename Extensions Setting is Enabled + + 6.2.1 Ensure Protect Mail Activity in Mail Is Enabled + 6.3.2 Audit History and Remove History Items + 6.3.5 Audit Hide IP Address in Safari Setting + 6.3.8 Audit Autofill + 6.3.9 Audit Pop-up Windows + + 6.5.1 Audit Passwords + |=== check: | fix: | @@ -81,11 +92,10 @@ references: disa_stig: - N/A macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 - - cisv8 - supplemental mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/supplemental/supplemental_controls.yaml b/rules/supplemental/supplemental_controls.yaml index 3a35e59a..854e520b 100644 --- a/rules/supplemental/supplemental_controls.yaml +++ b/rules/supplemental/supplemental_controls.yaml 
@@ -192,7 +192,7 @@ references: cmmc: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-171 - 800-53r4_high diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml index 7e4f9a25..7fd3accc 100644 --- a/rules/supplemental/supplemental_filevault.yaml +++ b/rules/supplemental/supplemental_filevault.yaml @@ -68,7 +68,7 @@ references: cmmc: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-171 - 800-53r4_high diff --git a/rules/supplemental/supplemental_firewall_pf.yaml b/rules/supplemental/supplemental_firewall_pf.yaml index a6936147..8dbbae91 100644 --- a/rules/supplemental/supplemental_firewall_pf.yaml +++ b/rules/supplemental/supplemental_firewall_pf.yaml @@ -117,7 +117,7 @@ references: cmmc: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-171 - 800-53r4_high diff --git a/rules/supplemental/supplemental_password_policy.yaml b/rules/supplemental/supplemental_password_policy.yaml index 087cc28e..e423df5f 100644 --- a/rules/supplemental/supplemental_password_policy.yaml +++ b/rules/supplemental/supplemental_password_policy.yaml @@ -51,6 +51,11 @@ discussion: | If directory services is being utilized, password policies should come from the domain. ==== + [WARNING] + ==== + In order to apply any password policy, the `allowPasscodeModification` setting in `com.apple.applicationaccess` must not be set to `false`. + ==== + check: | fix: | references: @@ -67,7 +72,7 @@ references: cmmc: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-171 - 800-53r4_high @@ -83,6 +88,7 @@ tags: - cmmc_lvl1 - cmmc_lvl2 - cnssi-1253_high + - cnssi-1253_moderate - cnssi-1253_low - stig - supplemental diff --git a/rules/supplemental/supplemental_smartcard.yaml b/rules/supplemental/supplemental_smartcard.yaml index 7e689daf..590ae54c 100644 --- a/rules/supplemental/supplemental_smartcard.yaml +++ b/rules/supplemental/supplemental_smartcard.yaml @@ -302,7 +302,7 @@ references: cmmc: - N/A macOS: - - '15.0' + - '26.0' tags: - 800-171 - 800-53r4_high 
diff --git a/rules/system_settings/system_settings_airplay_receiver_disable.yaml b/rules/system_settings/system_settings_airplay_receiver_disable.yaml index 5fd54a23..fa5e116b 100644 --- a/rules/system_settings/system_settings_airplay_receiver_disable.yaml +++ b/rules/system_settings/system_settings_airplay_receiver_disable.yaml @@ -17,7 +17,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94348-0 + - CCE-95354-7 cci: - CCI-000381 - CCI-001443 @@ -30,7 +30,7 @@ references: - SRG-OS-000300-GPOS-00118 - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002080 + - APPL-26-002080 800-171r3: - 03.04.06 cis: @@ -43,7 +43,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml index 5d921e76..4c72446f 100644 --- a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml +++ b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml @@ -17,7 +17,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94349-8 + - CCE-95355-4 cci: - CCI-000056 800-53r5: @@ -27,13 +27,13 @@ references: srg: - SRG-OS-000028-GPOS-00009 disa_stig: - - APPL-15-000001 + - APPL-26-000001 800-171r3: - 03.05.12 cmmc: - AC.L2-3.1.10 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/system_settings/system_settings_automatic_login_disable.yaml b/rules/system_settings/system_settings_automatic_login_disable.yaml index 873fc3d7..325090fd 100644 --- a/rules/system_settings/system_settings_automatic_login_disable.yaml +++ b/rules/system_settings/system_settings_automatic_login_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94350-6 + - CCE-95356-2 cci: - CCI-000366 800-53r5: 
@@ -29,7 +29,7 @@ references: - SRG-OS-000104-GPOS-00051 - SRG-OS-000480-GPOS-00228 disa_stig: - - APPL-15-002066 + - APPL-26-002066 800-171r3: - 03.05.01 cis: @@ -41,7 +41,7 @@ references: - IA.L1-3.5.1 - IA.L1-3.5.2 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_automatic_logout_enforce.yaml b/rules/system_settings/system_settings_automatic_logout_enforce.yaml index 42367987..90211624 100644 --- a/rules/system_settings/system_settings_automatic_logout_enforce.yaml +++ b/rules/system_settings/system_settings_automatic_logout_enforce.yaml @@ -20,7 +20,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94351-4 + - CCE-95357-0 cci: - CCI-002361 800-53r5: @@ -29,7 +29,7 @@ references: 800-53r4: - AC-12 disa_stig: - - APPL-15-000160 + - APPL-26-000160 srg: - SRG-OS-000279-GPOS-00109 800-171r3: @@ -39,7 +39,7 @@ references: - AC.L2-3.1.10 - AC.L2-3.1.11 macOS: - - '15.0' + - '26.0' odv: hint: Number of seconds recommended: 86400 diff --git a/rules/system_settings/system_settings_bluetooth_disable.yaml b/rules/system_settings/system_settings_bluetooth_disable.yaml index 2022d990..568cb9de 100644 --- a/rules/system_settings/system_settings_bluetooth_disable.yaml +++ b/rules/system_settings/system_settings_bluetooth_disable.yaml @@ -18,7 +18,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94352-2 + - CCE-95358-8 cci: - CCI-001967 - CCI-002418 @@ -34,7 +34,7 @@ references: - SRG-OS-000481-GPOS-00481 - SRG-OS-000480-GPOS-00228 disa_stig: - - APPL-15-002062 + - APPL-26-002062 800-171r2: - 3.13.8 - N/A @@ -51,7 +51,7 @@ references: cmmc: - AC.L2-3.1.16 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r4_moderate diff --git a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml index f6109c01..cad03dc4 100644 
--- a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml +++ b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94353-0 + - CCE-95359-6 cci: - N/A 800-53r5: @@ -28,15 +28,13 @@ references: - N/A cis: benchmark: - - 2.4.2 (level 1) + - N/A controls v8: - 4.8 - 13.9 macOS: - - '15.0' + - '26.0' tags: - - cis_lvl1 - - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_bluetooth_settings_disable.yaml b/rules/system_settings/system_settings_bluetooth_settings_disable.yaml index 455effae..22d29968 100644 --- a/rules/system_settings/system_settings_bluetooth_settings_disable.yaml +++ b/rules/system_settings/system_settings_bluetooth_settings_disable.yaml @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94354-8 + - CCE-95360-4 cci: - CCI-000381 800-53r5: @@ -21,7 +21,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002260 + - APPL-26-002260 800-171r3: - 03.04.06 cis: @@ -34,7 +34,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml index f7d81c98..29fa3425 100644 --- a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml +++ b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml 
@@ -7,10 +7,10 @@ discussion: | [NOTE] ==== - The check and fix are for the currently logged in user. To get the currently logged in user, run the following. + The check and fix are for the last logged in user. To get the last logged in user, run the following. [source,bash] ---- - CURRENT_USER=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' ) + CURRENT_USER=$( /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow lastUserName ) ---- ==== check: | @@ -24,7 +24,7 @@ fix: | ---- references: cce: - - CCE-94355-5 + - CCE-95361-2 cci: - CCI-000213 - CCI-000381 @@ -42,7 +42,7 @@ references: - SRG-OS-000080-GPOS-00048 - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002110 + - APPL-26-002110 800-171r3: - 03.04.06 cis: @@ -56,7 +56,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_content_caching_disable.yaml b/rules/system_settings/system_settings_content_caching_disable.yaml index 006e8a16..13ed114e 100644 --- a/rules/system_settings/system_settings_content_caching_disable.yaml +++ b/rules/system_settings/system_settings_content_caching_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94357-1 + - CCE-95362-0 cci: - CCI-000381 800-53r5: @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002140 + - APPL-26-002140 800-171r3: - 03.04.06 cis: @@ -39,7 +39,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_critical_update_install_enforce.yaml b/rules/system_settings/system_settings_critical_update_install_enforce.yaml index d570cefc..1e3b3a46 100644 --- a/rules/system_settings/system_settings_critical_update_install_enforce.yaml 
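Review bot: Deriving CURRENT_USER from `com.apple.loginwindow lastUserName` identifies the account last seen at the login window, which is not necessarily the owner of the active console session (fast user switching), and on a machine where nobody has logged in yet the key is absent, `defaults read` exits non-zero and CURRENT_USER is empty; the note should say the check and fix act on that account and what an empty value means. The `check:` and `fix:` bodies that consume CURRENT_USER are outside this hunk, so confirm they were changed to the same source and the guidance and the commands agree. A guard such as `[ -n "$CURRENT_USER" ] || exit 1` before the per-user commands would turn an empty value into an explicit failure rather than an unintended path.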
+++ b/rules/system_settings/system_settings_critical_update_install_enforce.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94358-9 + - CCE-95363-8 cci: - N/A 800-53r5: @@ -28,7 +28,7 @@ references: - 03.14.01 cis: benchmark: - - 1.6 (level 1) + - 1.5 (level 1) controls v8: - 7.3 - 7.4 @@ -37,7 +37,7 @@ references: - SI.L1-3.14.1 - SI.L1-3.14.4 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml index 043099ad..80dca21e 100644 --- a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml +++ b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml @@ -24,7 +24,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94359-7 + - CCE-95364-6 cci: - CCI-001312 - CCI-001314 @@ -39,7 +39,7 @@ references: - SRG-OS-000206-GPOS-00084 - SRG-OS-000205-GPOS-00083 disa_stig: - - APPL-15-002021 + - APPL-26-002021 800-171r3: - 03.01.20 cis: @@ -52,7 +52,7 @@ references: cmmc: - AC.L1-3.1.20 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r4_low diff --git a/rules/system_settings/system_settings_download_software_update_enforce.yaml b/rules/system_settings/system_settings_download_software_update_enforce.yaml new file mode 100644 index 00000000..4b77ec9c --- /dev/null +++ b/rules/system_settings/system_settings_download_software_update_enforce.yaml 
@@ -0,0 +1,43 @@
+id: system_settings_download_software_update_enforce
+title: Enforce Software Update Downloads Updates Automatically using DDM.
+discussion: |
+ Software Update _MUST_ be configured to enforce automatic downloads of updates from Apple and that the user cannot modify the setting within System Settings.
+check: |
+ /usr/bin/plutil -convert json /var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist -o - | /usr/bin/jq --raw-output .'SUCorePersistedStatePolicyFields.SUCoreDDMDeclarationGlobalSettings.automaticallyDownload'
+result:
+ integer: 1
+fix: |
+ This is implemented by Declarative Device Management (DDM).
+references:
+ cce:
+ - CCE-95403-2
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r3:
+ - N/A
+ cis:
+ benchmark:
+ - N/A
+ controls v8:
+ - 7.3
+ - 7.4
+macOS:
+ - '26.0'
+tags:
+ - cisv8
+ - ddm
+mobileconfig: false
+mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.softwareupdate.settings
+ ddm_key: AutomaticActions
+ ddm_value:
+ Download: AlwaysOn
\ No newline at end of file
diff --git a/rules/system_settings/system_settings_external_intelligence_disable.yaml b/rules/system_settings/system_settings_external_intelligence_disable.yaml
index b953253f..b72f0618 100644
--- a/rules/system_settings/system_settings_external_intelligence_disable.yaml
+++ b/rules/system_settings/system_settings_external_intelligence_disable.yaml
@@ -15,7 +15,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-94523-8
+ - CCE-95365-3
 cci:
 - CCI-000381
 800-53r5:
@@ -45,7 +45,7 @@ references:
 - CM.L2-3.4.6
 - CM.L2-3.4.7
 macOS:
- - '15.2'
+ - '26.0'
 tags:
 - 800-53r5_low
 - 800-53r5_moderate
@@ -60,6 +60,8 @@ tags:
 - cnssi-1253_moderate
 - cis_lvl1
 - cis_lvl2
+ - cmmc_lvl1
+ - cmmc_lvl2
 severity: medium
 mobileconfig: true
 mobileconfig_info:
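Review bot: The check pipes the persisted DDM state through `jq --raw-output`, which prints a boolean as `true`/`false`, so `result: integer: 1` only matches if `automaticallyDownload` is stored as a number in SoftwareUpdateDDMStatePersistence.plist; confirm the stored type, or normalise in the filter with `... | if . == true or . == 1 then 1 else 0 end` so the expected `1` does not depend on the plist encoding. The file name suggests this records the declaration as persisted rather than the effective Software Update preference, so a sentence in the discussion stating that this is a DDM-state check would set the right expectation for assessors. The title `Enforce Software Update Downloads Updates Automatically using DDM.` reads awkwardly; `Enforce Automatic Download of Software Updates using DDM` would match the sibling rule titles, and the file should end with a newline.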
diff --git a/rules/system_settings/system_settings_external_intelligence_sign_in_disable.yaml b/rules/system_settings/system_settings_external_intelligence_sign_in_disable.yaml index ab400f13..a5e10231 100644 --- a/rules/system_settings/system_settings_external_intelligence_sign_in_disable.yaml +++ b/rules/system_settings/system_settings_external_intelligence_sign_in_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94524-6 + - CCE-95366-1 cci: - CCI-000381 800-53r5: @@ -45,7 +45,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.2' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate @@ -60,6 +60,8 @@ tags: - cnssi-1253_moderate - cis_lvl1 - cis_lvl2 + - cmmc_lvl1 + - cmmc_lvl2 severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_filevault_enforce.yaml b/rules/system_settings/system_settings_filevault_enforce.yaml index 3b220be7..bca0ccf4 100644 --- a/rules/system_settings/system_settings_filevault_enforce.yaml +++ b/rules/system_settings/system_settings_filevault_enforce.yaml @@ -4,6 +4,8 @@ discussion: | FileVault _MUST_ be enforced. The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. + + NOTE: See the FileVault supplemental to implement this rule. check: | dontAllowDisable=$(/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\ @@ -22,7 +24,7 @@ fix: | NOTE: See the FileVault supplemental to implement this rule. references: cce: - - CCE-94360-5 + - CCE-95367-9 cci: - CCI-001199 - CCI-002475 @@ -38,7 +40,7 @@ references: - SRG-OS-000405-GPOS-00184 - SRG-OS-000404-GPOS-00183 disa_stig: - - APPL-15-005020 + - APPL-26-005020 800-171r3: - 03.13.08 cis: 
@@ -50,7 +52,7 @@ references: cmmc: - SC.L2-3.13.16 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/system_settings/system_settings_find_my_disable.yaml b/rules/system_settings/system_settings_find_my_disable.yaml index ea0832b1..941d7117 100644 --- a/rules/system_settings/system_settings_find_my_disable.yaml +++ b/rules/system_settings/system_settings_find_my_disable.yaml @@ -28,7 +28,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94361-3 + - CCE-95368-7 cci: - CCI-000381 800-53r5: @@ -42,7 +42,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002180 + - APPL-26-002180 800-171r3: - 03.01.20 - 03.04.06 @@ -58,7 +58,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_firewall_enable.yaml b/rules/system_settings/system_settings_firewall_enable.yaml index 25a217fa..957fe185 100644 --- a/rules/system_settings/system_settings_firewall_enable.yaml +++ b/rules/system_settings/system_settings_firewall_enable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94362-1 + - CCE-95369-5 cci: - CCI-000366 800-53r5: @@ -35,7 +35,7 @@ references: srg: - SRG-OS-000480-GPOS-00232 disa_stig: - - APPL-15-005050 + - APPL-26-005050 800-171r3: - 03.01.03 - 03.04.06 @@ -53,7 +53,7 @@ references: - CM.L2-3.4.7 - SC.L1-3.13.1 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r4_low diff --git a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml index ce0679dd..731b4d09 100644 --- a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml +++ b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml 
@@ -20,7 +20,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94363-9
+ - CCE-95370-3
cci:
- N/A
800-53r5:
@@ -52,7 +52,7 @@ references:
- CM.L2-3.4.7
- SC.L1-3.13.1
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
index ec9096f8..51f90312 100644
--- a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
+++ b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
@@ -24,7 +24,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94364-7
+ - CCE-95371-1
cci:
- CCI-001749
- CCI-003992
@@ -41,13 +41,13 @@ references:
- SRG-OS-000366-GPOS-00153
- SRG-OS-000480-GPOS-00228
disa_stig:
- - APPL-15-002060
+ - APPL-26-002060
800-171r3:
- 03.14.02
cmmc:
- CM.L2-3.4.5
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml
index a769f530..90bf4c44 100644
--- a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml
+++ b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94365-4
+ - CCE-95372-9
cci:
- N/A
800-53r5:
@@ -33,7 +33,7 @@ references:
cmmc:
- CM.L2-3.4.5
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_guest_access_smb_disable.yaml b/rules/system_settings/system_settings_guest_access_smb_disable.yaml
index 5f86ab9a..37b722a7 100644
--- a/rules/system_settings/system_settings_guest_access_smb_disable.yaml
+++ b/rules/system_settings/system_settings_guest_access_smb_disable.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-94366-2
+ - CCE-95373-7
cci:
- N/A
800-171r3:
@@ -38,7 +38,7 @@ references:
cmmc:
- AC.L1-3.1.2
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -54,5 +54,6 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
+ - cnssi-1253_moderate
mobileconfig: false
mobileconfig_info:
diff --git a/rules/system_settings/system_settings_guest_account_disable.yaml b/rules/system_settings/system_settings_guest_account_disable.yaml
index c63aba34..f041e4f0 100644
--- a/rules/system_settings/system_settings_guest_account_disable.yaml
+++ b/rules/system_settings/system_settings_guest_account_disable.yaml
@@ -24,7 +24,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94367-0
+ - CCE-95374-5
cci:
- CCI-001813
800-53r5:
@@ -37,7 +37,7 @@ references:
- SRG-OS-000364-GPOS-00151
- SRG-OS-000480-GPOS-00228
disa_stig:
- - APPL-15-002063
+ - APPL-26-002063
800-171r3:
- 03.01.01
cis:
@@ -50,7 +50,7 @@ references:
cmmc:
- AC.L1-3.1.2
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_hot_corners_disable.yaml b/rules/system_settings/system_settings_hot_corners_disable.yaml
index 680dfc22..d80ba66f 100644
--- a/rules/system_settings/system_settings_hot_corners_disable.yaml
+++ b/rules/system_settings/system_settings_hot_corners_disable.yaml
@@ -12,7 +12,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94368-8
+ - CCE-95375-2
cci:
- CCI-000060
800-53r5:
@@ -22,13 +22,13 @@ references:
srg:
- SRG-OS-000031-GPOS-00012
disa_stig:
- - APPL-15-000007
+ - APPL-26-000007
800-171r3:
- 03.01.10
cmmc:
- AC.L2-3.1.10
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/system_settings/system_settings_hot_corners_secure.yaml b/rules/system_settings/system_settings_hot_corners_secure.yaml
index 9730d238..c8f55b16 100644
--- a/rules/system_settings/system_settings_hot_corners_secure.yaml
+++ b/rules/system_settings/system_settings_hot_corners_secure.yaml
@@ -4,6 +4,15 @@ discussion: |
Hot corners _MUST_ be secured. The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot comers can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer.
+
+ [NOTE]
+ ====
+ The check and fix are for the last logged in user. To get the last logged in user, run the following.
+ [source,bash]
+ ----
+ CURRENT_USER=$( /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow lastUserName )
+ ----
+ ====
check: |
bl_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-bl-corner 2>/dev/null)"
tl_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tl-corner 2>/dev/null)"
@@ -25,7 +34,7 @@ fix: |
----
references:
cce:
- - CCE-94369-6
+ - CCE-95376-0
cci:
- N/A
800-53r5:
@@ -46,7 +55,7 @@ references:
cmmc:
- AC.L2-3.1.10
macOS:
- - '15.0'
+ - '26.0'
tags:
- cis_lvl2
- cisv8
diff --git a/rules/system_settings/system_settings_improve_assistive_voice_disable.yaml b/rules/system_settings/system_settings_improve_assistive_voice_disable.yaml
index 331c83d6..6f999f7b 100644
--- a/rules/system_settings/system_settings_improve_assistive_voice_disable.yaml
+++ b/rules/system_settings/system_settings_improve_assistive_voice_disable.yaml
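Review bot: The added NOTE derives CURRENT_USER from loginwindow's lastUserName, but the check lines right below it build the path as /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock, which assumes that account's home directory lives under /Users and that lastUserName is populated at all. On a host with a relocated or network-mounted home, or one nobody has logged into at the login window yet, both defaults reads fail silently because of the 2>/dev/null and the corner variables come back empty; whether an empty value then reads as a pass depends on the comparison lines after the hunk, so that outcome is worth confirming on a real host. The NOTE should state the assumption so an auditor knows when the result is not meaningful, e.g. `The check assumes the user's home directory is /Users/$CURRENT_USER; adjust the path if home directories live elsewhere.` The check block continues past the end of this hunk.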
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94370-4
+ - CCE-95377-8
cci:
- CCI-000381
800-53r5:
@@ -34,7 +34,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-15-002023
+ - APPL-26-002023
cis:
benchmark:
- 2.6.3.3 (level 1)
@@ -46,7 +46,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_improve_search_disable.yaml b/rules/system_settings/system_settings_improve_search_disable.yaml
index 72ce2265..999f40da 100644
--- a/rules/system_settings/system_settings_improve_search_disable.yaml
+++ b/rules/system_settings/system_settings_improve_search_disable.yaml
@@ -16,7 +16,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94371-2
+ - CCE-95378-6
cci:
- CCI-000381
800-53r5:
@@ -35,10 +35,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-15-002024
+ - APPL-26-002024
cis:
benchmark:
- - 2.9.1 (level 1)
+ - 2.9.1
controls v8:
- 4.1
- 4.8
@@ -47,7 +47,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml
index 9052ef24..4eb6b138 100644
--- a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml
+++ b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94372-0
+ - CCE-95379-4
cci:
- CCI-000381
800-53r5:
@@ -34,7 +34,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-15-002210
+ - APPL-26-002210
cis:
benchmark:
- 2.6.3.2 (level 1)
@@ -46,7 +46,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_install_macos_updates_enforce.yaml b/rules/system_settings/system_settings_install_macos_updates_enforce.yaml
index bb86cce2..5c6f1ec0 100644
--- a/rules/system_settings/system_settings_install_macos_updates_enforce.yaml
+++ b/rules/system_settings/system_settings_install_macos_updates_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94373-8
+ - CCE-95380-2
cci:
- N/A
800-53r5:
@@ -28,12 +28,12 @@ references:
- N/A
cis:
benchmark:
- - 1.4 (level 1)
+ - 1.3 (level 1)
controls v8:
- 7.3
- 7.4
macOS:
- - '15.0'
+ - '26.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/system_settings/system_settings_internet_accounts_disable.yaml b/rules/system_settings/system_settings_internet_accounts_disable.yaml
index 28daf313..5aa1d47d 100644
--- a/rules/system_settings/system_settings_internet_accounts_disable.yaml
+++ b/rules/system_settings/system_settings_internet_accounts_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94374-6
+ - CCE-95381-0
cci:
- CCI-000381
800-53r5:
@@ -44,7 +44,7 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.8
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r4_low
diff --git a/rules/system_settings/system_settings_internet_sharing_disable.yaml b/rules/system_settings/system_settings_internet_sharing_disable.yaml
index dc0d9c38..c2795f4e 100644
--- a/rules/system_settings/system_settings_internet_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_internet_sharing_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94375-3
+ - CCE-95382-8
cci:
- CCI-000381
800-53r5:
@@ -27,7 +27,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-15-002007
+ - APPL-26-002007
800-171r3:
- 03.01.03
- 03.01.20
@@ -41,7 +41,7 @@ references:
- AC.L1-3.1.20
- AC.L2-3.1.3
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r4_low
diff --git a/rules/system_settings/system_settings_location_services_disable.yaml b/rules/system_settings/system_settings_location_services_disable.yaml
index e6ec9f2b..2c864b0e 100644
--- a/rules/system_settings/system_settings_location_services_disable.yaml
+++ b/rules/system_settings/system_settings_location_services_disable.yaml
@@ -15,12 +15,12 @@ fix: |
[source,bash]
----
/usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false;
- pid=$(/bin/launchctl list | /usr/bin/awk '/com.apple.locationd/ { print $1 }')
+ pid=$(/bin/launchctl print system | /usr/bin/awk '/\tcom.apple.locationd/ {print $1}')
kill -9 $pid
----
references:
cce:
- - CCE-94376-1
+ - CCE-95383-6
cci:
- CCI-000381
800-53r5:
@@ -33,14 +33,14 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-15-002004
+ - APPL-26-002004
800-171r3:
- 03.04.06
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_location_services_enable.yaml b/rules/system_settings/system_settings_location_services_enable.yaml
index 2e8f1548..1882abe2 100644
--- a/rules/system_settings/system_settings_location_services_enable.yaml
+++ b/rules/system_settings/system_settings_location_services_enable.yaml
@@ -13,12 +13,12 @@ fix: |
[source,bash]
----
/usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true;
- pid=$(/bin/launchctl list | /usr/bin/awk '/com.apple.locationd/ { print $1 }')
+ pid=$(/bin/launchctl print system | /usr/bin/awk '/\tcom.apple.locationd/ {print $1}')
kill -9 $pid
----
references:
cce:
- - CCE-94377-9
+ - CCE-95384-4
cci:
- N/A
800-53r5:
@@ -38,7 +38,7 @@ references:
- 4.1
- 4.8
macOS:
- - '15.0'
+ - '26.0'
tags:
- cis_lvl2
- cisv8
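Review bot: The new pid lookup in the system_settings_location_services_disable.yaml fix feeds straight into the unchanged `kill -9 $pid` with no check that a pid was found; if locationd is not running at that moment the pattern matches nothing and kill is invoked with an empty argument, or, if I read launchctl's listing format correctly, it picks up the placeholder in the pid column and kill fails on that. The pattern `/\tcom.apple.locationd/` is also unanchored with unescaped dots, so any other label beginning with that prefix would be matched as well. Guard the kill, e.g. `[[ -n "$pid" && "$pid" != "-" ]] && kill -9 "$pid"`, and, if the label is the last field on the line, anchor it as `'/\tcom\.apple\.locationd$/'`. The identical two lines appear in the system_settings_location_services_enable.yaml hunk that follows, so the same change applies there.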
diff --git a/rules/system_settings/system_settings_location_services_menu_enforce.yaml b/rules/system_settings/system_settings_location_services_menu_enforce.yaml
index e6faf93f..344d30dd 100644
--- a/rules/system_settings/system_settings_location_services_menu_enforce.yaml
+++ b/rules/system_settings/system_settings_location_services_menu_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-94378-7
+ - CCE-95385-1
cci:
- N/A
800-53r5:
@@ -33,8 +33,9 @@ references:
- 4.1
- 4.8
macOS:
- - '15.0'
+ - '26.0'
tags:
+ - cis_lvl1
- cis_lvl2
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml b/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
index e0b56347..ae7e104f 100644
--- a/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
+++ b/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94379-5
+ - CCE-95386-9
cci:
- N/A
800-53r5:
@@ -32,7 +32,7 @@ references:
controls v8:
- 4.1
macOS:
- - '15.0'
+ - '26.0'
odv:
hint: Organization's approved message.
recommended: Center for Internet Security Test Message
diff --git a/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml b/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
index 7139fb29..1d8820bd 100644
--- a/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
+++ b/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94380-3
+ - CCE-95387-7
cci:
- CCI-000764
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000104-GPOS-00051
disa_stig:
- - APPL-15-005052
+ - APPL-26-005052
800-171r3:
- 03.05.01
cis:
@@ -37,7 +37,7 @@ references:
- IA.L1-3.5.1
- IA.L1-3.5.2
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_media_sharing_disabled.yaml b/rules/system_settings/system_settings_media_sharing_disabled.yaml
index b1aead14..32f49e9f 100644
--- a/rules/system_settings/system_settings_media_sharing_disabled.yaml
+++ b/rules/system_settings/system_settings_media_sharing_disabled.yaml
@@ -26,7 +26,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94381-1
+ - CCE-95388-5
cci:
- CCI-000213
800-53r5:
@@ -37,7 +37,7 @@ references:
srg:
- SRG-OS-000080-GPOS-00048
disa_stig:
- - APPL-15-002100
+ - APPL-26-002100
800-171r3:
- 03.01.02
- 03.04.06
@@ -50,7 +50,7 @@ references:
cmmc:
- AC.L1-3.1.1
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_password_hints_disable.yaml b/rules/system_settings/system_settings_password_hints_disable.yaml
index ba71b023..de7efea0 100644
--- a/rules/system_settings/system_settings_password_hints_disable.yaml
+++ b/rules/system_settings/system_settings_password_hints_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94382-9
+ - CCE-95389-3
cci:
- CCI-000206
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000079-GPOS-00047
disa_stig:
- - APPL-15-003012
+ - APPL-26-003012
800-171r3:
- 03.05.11
cis:
@@ -36,7 +36,7 @@ references:
cmmc:
- IA.L2-3.5.11
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_personalized_advertising_disable.yaml b/rules/system_settings/system_settings_personalized_advertising_disable.yaml
index 7b30cecc..02753641 100644
--- a/rules/system_settings/system_settings_personalized_advertising_disable.yaml
+++ b/rules/system_settings/system_settings_personalized_advertising_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94383-7
+ - CCE-95390-1
cci:
- CCI-000381
800-53r5:
@@ -30,7 +30,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-15-002200
+ - APPL-26-002200
800-171r3:
- 03.01.20
- 03.04.06
@@ -44,7 +44,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_printer_sharing_disable.yaml b/rules/system_settings/system_settings_printer_sharing_disable.yaml
index dd5a141d..44b62960 100644
--- a/rules/system_settings/system_settings_printer_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_printer_sharing_disable.yaml
@@ -14,7 +14,7 @@ fix: |
----
references:
cce:
- - CCE-94384-5
+ - CCE-95391-9
cci:
- CCI-000381
800-53r5:
@@ -26,7 +26,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-15-002240
+ - APPL-26-002240
800-171r3:
- 03.04.06
cis:
@@ -39,7 +39,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_rae_disable.yaml b/rules/system_settings/system_settings_rae_disable.yaml
index 01cec897..6675a2ca 100644
--- a/rules/system_settings/system_settings_rae_disable.yaml
+++ b/rules/system_settings/system_settings_rae_disable.yaml
@@ -17,7 +17,7 @@ fix: |
NOTE: Systemsetup with -setremoteappleevents flag will fail unless you grant Full Disk Access to systemsetup or its parent process. Requires supervision.
references:
cce:
- - CCE-94385-2
+ - CCE-95392-7
cci:
- CCI-000213
- CCI-000382
@@ -30,7 +30,7 @@ references:
- SRG-OS-000080-GPOS-00048
- SRG-OS-000096-GPOS-00050
disa_stig:
- - APPL-15-002022
+ - APPL-26-002022
800-171r3:
- 03.01.02
- 03.04.06
@@ -43,7 +43,7 @@ references:
cmmc:
- AC.L1-3.1.1
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_remote_management_disable.yaml b/rules/system_settings/system_settings_remote_management_disable.yaml
index bc1e3613..a57d505f 100644
--- a/rules/system_settings/system_settings_remote_management_disable.yaml
+++ b/rules/system_settings/system_settings_remote_management_disable.yaml
@@ -3,7 +3,7 @@ title: Disable Remote Management
discussion: |
Remote Management _MUST_ be disabled.
check: |
- /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "RemoteDesktopEnabled = 0"
+ /usr/libexec/mdmclient QuerySecurityInfo 2>/dev/null | /usr/bin/grep -c "RemoteDesktopEnabled = 0"
result:
integer: 1
fix: |
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-94386-0
+ - CCE-95393-5
cci:
- CCI-000381
800-53r5:
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-15-002250
+ - APPL-26-002250
800-171r3:
- 03.01.02
- 03.04.06
@@ -40,7 +40,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_screen_sharing_disable.yaml b/rules/system_settings/system_settings_screen_sharing_disable.yaml
index 1f742937..39993fb5 100644
--- a/rules/system_settings/system_settings_screen_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_screen_sharing_disable.yaml
@@ -5,18 +5,30 @@ discussion: |
The information system _MUST_ be configured to provide only essential capabilities. Disabling screen sharing and ARD helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling.
check: |
- /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.screensharing" => disabled'
+ result="FAIL"
+ enabled=$(/bin/launchctl print-disabled system | /usr/bin/grep '"com.apple.screensharing" => enabled')
+ running=$(/bin/launchctl print system/com.apple.screensharing 2>/dev/null)
+
+ if [[ -z "$running" ]] && [[ -z "$enabled" ]]; then
+ result="PASS"
+ elif [[ -n "$running" ]]; then
+ result=result+" RUNNING"
+ elif [[ -n "$enabled" ]]; then
+ result=result+" ENABLED"
+ fi
+ echo $result
result:
- integer: 1
+ string: PASS
fix: |
[source,bash]
----
+ /bin/launchctl bootout system/com.apple.screensharing
/bin/launchctl disable system/com.apple.screensharing
----
NOTE - This will apply to the whole system
references:
cce:
- - CCE-94387-8
+ - CCE-95394-3
cci:
- CCI-000213
800-53r5:
@@ -28,7 +40,7 @@ references:
srg:
- SRG-OS-000080-GPOS-00048
disa_stig:
- - APPL-15-002050
+ - APPL-26-002050
800-171r3:
- 03.01.02
- 03.04.06
@@ -41,7 +53,7 @@ references:
cmmc:
- AC.L1-3.1.1
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml b/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
index 308db1e2..0fe57f40 100644
--- a/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
+++ b/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
@@ -22,7 +22,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94388-6
+ - CCE-95395-0
cci:
- CCI-000056
800-53r5:
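Review bot: `result=result+" RUNNING"` and `result=result+" ENABLED"` in the new screen-sharing check do not concatenate; in bash they assign the literal string `result+ RUNNING` (or `result+ ENABLED`), so the FAIL prefix the script sets up on its first line never reaches the output. The pass/fail decision is unaffected, because the expected result is exactly `PASS` and any other string counts as a failure, but the diagnostic an auditor sees is wrong and looks like a variable name. Use `result="${result} RUNNING"` and `result="${result} ENABLED"`, and quote the final line as `echo "$result"` so the value is emitted as written. The identical lines are in the system_settings_ssh_disable.yaml check hunk later in this diff and need the same change.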
@@ -32,7 +32,7 @@ references:
srg:
- SRG-OS-000028-GPOS-00009
disa_stig:
- - APPL-15-000003
+ - APPL-26-000003
800-171r3:
- 03.01.10
cis:
@@ -43,7 +43,7 @@ references:
cmmc:
- AC.L2-3.1.10
macOS:
- - '15.0'
+ - '26.0'
odv:
hint: Number of seconds.
recommended: 5
diff --git a/rules/system_settings/system_settings_screensaver_password_enforce.yaml b/rules/system_settings/system_settings_screensaver_password_enforce.yaml
index 65e2e56c..563f7073 100644
--- a/rules/system_settings/system_settings_screensaver_password_enforce.yaml
+++ b/rules/system_settings/system_settings_screensaver_password_enforce.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94389-4
+ - CCE-95396-8
cci:
- CCI-000056
800-53r5:
@@ -25,14 +25,14 @@ references:
srg:
- SRG-OS-000028-GPOS-00009
disa_stig:
- - APPL-15-000002
+ - APPL-26-000002
800-171r3:
- 03.01.10
- 03.05.01
cmmc:
- AC.L2-3.1.10
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml b/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml
index 1830f8be..b985b923 100644
--- a/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml
+++ b/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml
@@ -22,7 +22,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94390-2
+ - CCE-95397-6
cci:
- CCI-000057
800-53r5:
@@ -33,7 +33,7 @@ references:
srg:
- SRG-OS-000029-GPOS-00010
disa_stig:
- - APPL-15-000070
+ - APPL-26-000070
800-171r3:
- 03.01.10
- 03.05.01
@@ -45,7 +45,7 @@ references:
cmmc:
- AC.L2-3.1.10
macOS:
- - '15.0'
+ - '26.0'
odv:
hint: Number of seconds.
recommended: 1200
diff --git a/rules/system_settings/system_settings_security_update_install.yaml b/rules/system_settings/system_settings_security_update_install.yaml
new file mode 100644
index 00000000..63ee9e84
--- /dev/null
+++ b/rules/system_settings/system_settings_security_update_install.yaml
@@ -0,0 +1,54 @@
+id: system_settings_security_update_install
+title: Enforce Automatic Installs of Available Security Updates using DDM.
+discussion: |
+ Ensure that available security updates are installed as soon as they are available from Apple and that the user cannot modify the setting within System Settings.
+check: |
+ /usr/bin/plutil -convert json /var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist -o - | /usr/bin/jq --raw-output .'SUCorePersistedStatePolicyFields.SUCoreDDMDeclarationGlobalSettings.automaticallyInstallSystemAndSecurityUpdates'
+result:
+ integer: 1
+fix: |
+ This is implemented by Declarative Device Management (DDM).
+references:
+ cce:
+ - CCE-95602-9
+ cci:
+ - N/A
+ 800-53r5:
+ - SI-2
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r3:
+ - 03.14.01
+ cis:
+ benchmark:
+ - N/A
+ controls v8:
+ - 7.3
+ - 7.4
+ - 7.7
+ cmmc:
+ - SI.L1-3.14.1
+ - SI.L1-3.14.4
+macOS:
+ - '26.0'
+tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - cisv8
+ - cnssi-1253_low
+ - cnssi-1253_high
+ - cmmc_lvl2
+ - cmmc_lvl1
+ - cnssi-1253_moderate
+mobileconfig: false
+mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.softwareupdate.settings
+ ddm_key: AutomaticActions
+ ddm_value:
+ InstallSecurityUpdate: AlwaysOn
\ No newline at end of file
diff --git a/rules/system_settings/system_settings_siri_disable.yaml b/rules/system_settings/system_settings_siri_disable.yaml
index fdfae3c4..a5e6b5dd 100644
--- a/rules/system_settings/system_settings_siri_disable.yaml
+++ b/rules/system_settings/system_settings_siri_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94391-0
+ - CCE-95398-4
cci:
- CCI-000381
- CCI-001774
@@ -31,7 +31,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-15-002020
+ - APPL-26-002020
800-171r3:
- 03.01.20
- 03.04.06
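Review bot: The new rule's expected result is `integer: 1`, but jq --raw-output prints a JSON boolean as `true`/`false`, not as a number, so the check only passes if automaticallyInstallSystemAndSecurityUpdates is persisted as a numeric 1; if the DDM state file stores it as a boolean, which the key's name suggests though the plist layout is not visible here, a correctly configured host would print `true` and be reported non-compliant. Confirm the persisted type on a managed host and, if it is a boolean, declare the result as `string: 'true'`, which is the form the rule this commit deletes (system_settings_software_update_enforce.yaml) used for its osascript output. When the plist is absent, plutil presumably errors and jq emits nothing, which would not match 1 and so fails in the safe direction, but that case deserves a sentence in the discussion so the failure is not mistaken for a parsing bug.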
@@ -47,7 +47,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_siri_listen_disable.yaml b/rules/system_settings/system_settings_siri_listen_disable.yaml
index 64cc8c57..d3d3fde1 100644
--- a/rules/system_settings/system_settings_siri_listen_disable.yaml
+++ b/rules/system_settings/system_settings_siri_listen_disable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94392-8
+ - CCE-95399-2
cci:
- N/A
800-53r5:
@@ -31,7 +31,7 @@ references:
- 4.1
- 4.8
macOS:
- - "15.0"
+ - "26.0"
tags:
- cisv8
mobileconfig: true
diff --git a/rules/system_settings/system_settings_siri_settings_disable.yaml b/rules/system_settings/system_settings_siri_settings_disable.yaml
index 49f6ec38..4cd2ade3 100644
--- a/rules/system_settings/system_settings_siri_settings_disable.yaml
+++ b/rules/system_settings/system_settings_siri_settings_disable.yaml
@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94393-6
+ - CCE-95400-8
cci:
- CCI-000381
800-53r5:
@@ -27,7 +27,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-15-002053
+ - APPL-26-002053
800-171r3:
- 03.04.06
- 03.04.08
@@ -41,7 +41,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_smbd_disable.yaml b/rules/system_settings/system_settings_smbd_disable.yaml
index f9091399..b1049346 100644
--- a/rules/system_settings/system_settings_smbd_disable.yaml
+++ b/rules/system_settings/system_settings_smbd_disable.yaml
@@ -16,7 +16,7 @@ fix: |
The system may need to be restarted for the update to take effect.
references:
cce:
- - CCE-94394-4
+ - CCE-95401-6
cci:
- CCI-000213
800-53r5:
@@ -27,7 +27,7 @@ references:
srg:
- SRG-OS-000080-GPOS-00048
disa_stig:
- - APPL-15-002001
+ - APPL-26-002001
800-171r3:
- 03.01.02
- 03.04.06
@@ -41,7 +41,7 @@ references:
cmmc:
- AC.L1-3.1.1
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_software_update_download_enforce.yaml b/rules/system_settings/system_settings_software_update_download_enforce.yaml
index dbc9109e..0c8df4ba 100644
--- a/rules/system_settings/system_settings_software_update_download_enforce.yaml
+++ b/rules/system_settings/system_settings_software_update_download_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94396-9
+ - CCE-95403-2
cci:
- N/A
800-53r5:
@@ -28,12 +28,12 @@ references:
- N/A
cis:
benchmark:
- - 1.3 (level 1)
+ - 1.2 (level 1)
controls v8:
- 7.3
- 7.4
macOS:
- - '15.0'
+ - '26.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/system_settings/system_settings_software_update_enforce.yaml b/rules/system_settings/system_settings_software_update_enforce.yaml
deleted file mode 100644
index fd037dc3..00000000
--- a/rules/system_settings/system_settings_software_update_enforce.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-id: system_settings_software_update_enforce
-title: Enforce Software Update Automatically
-discussion: |
- Software Update _MUST_ be configured to enforce automatic update is enabled.
-check: |
- /usr/bin/osascript -l JavaScript << EOS
- $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
- .objectForKey('AutomaticCheckEnabled').js
- EOS
-result:
- string: 'true'
-fix: |
- This is implemented by a Configuration Profile.
-references:
- cce:
- - CCE-94397-7
- cci:
- - N/A
- 800-53r5:
- - SI-2(5)
- 800-53r4:
- - N/A
- srg:
- - N/A
- disa_stig:
- - N/A
- 800-171r3:
- - 03.14.01
- - 03.14.02
- - 03.13.03
- cis:
- benchmark:
- - 1.2 (level 1)
- controls v8:
- - 7.3
- - 7.4
-macOS:
- - '15.0'
-tags:
- - cis_lvl1
- - cis_lvl2
- - cisv8
-mobileconfig: true
-mobileconfig_info:
- com.apple.SoftwareUpdate:
- AutomaticCheckEnabled: true
diff --git a/rules/system_settings/system_settings_softwareupdate_current.yaml b/rules/system_settings/system_settings_softwareupdate_current.yaml
index 67b88610..73576924 100644
--- a/rules/system_settings/system_settings_softwareupdate_current.yaml
+++ b/rules/system_settings/system_settings_softwareupdate_current.yaml
@@ -22,7 +22,7 @@ fix: |
NOTE - This will apply to the whole system
references:
cce:
- - CCE-94398-5
+ - CCE-95405-7
cci:
- N/A
800-53r5:
@@ -42,7 +42,7 @@ references:
- 7.3
- 7.4
macOS:
- - '15.0'
+ - '26.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/system_settings/system_settings_ssh_disable.yaml b/rules/system_settings/system_settings_ssh_disable.yaml
index 76e324b3..aa6592ee 100644
--- a/rules/system_settings/system_settings_ssh_disable.yaml
+++ b/rules/system_settings/system_settings_ssh_disable.yaml
@@ -3,9 +3,20 @@ title: Disable SSH Server for Remote Access Sessions
discussion: |
SSH service _MUST_ be disabled for remote access.
check: |
- /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => disabled'
+ result="FAIL"
+ enabled=$(/bin/launchctl print-disabled system | /usr/bin/grep '"com.openssh.sshd" => enabled')
+ running=$(/bin/launchctl print system/com.openssh.sshd 2>/dev/null)
+
+ if [[ -z "$running" ]] && [[ -z "$enabled" ]]; then
+ result="PASS"
+ elif [[ -n "$running" ]]; then
+ result=result+" RUNNING"
+ elif [[ -n "$enabled" ]]; then
+ result=result+" ENABLED"
+ fi
+ echo $result
result:
- integer: 1
+ string: PASS
fix: |
[source,bash]
----
@@ -15,7 +26,7 @@ fix: |
NOTE: Systemsetup with -setremotelogin flag will fail unless you grant Full Disk Access to systemsetup or its parent process. Requires supervision.
references:
cce:
- - CCE-94399-3
+ - CCE-95406-5
cci:
- N/A
800-53r5:
@@ -44,7 +55,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_ssh_enable.yaml b/rules/system_settings/system_settings_ssh_enable.yaml
index d96334c3..c63a489e 100644
--- a/rules/system_settings/system_settings_ssh_enable.yaml
+++ b/rules/system_settings/system_settings_ssh_enable.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-94400-9
+ - CCE-95407-3
cci:
- N/A
800-53r5:
@@ -41,7 +41,7 @@ references:
- CM.L2-3.4.7
- IA.L2-3.5.4
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml
index 726447f4..d7fd7189 100644
--- a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml
+++ b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml
@@ -72,7 +72,7 @@ fix: |
----
references:
cce:
- - CCE-94401-7
+ - CCE-95408-1
cci:
- CCI-002235
800-53r5:
@@ -87,7 +87,7 @@ references:
- SRG-OS-000324-GPOS-00125
- SRG-OS-000480-GPOS-00228
disa_stig:
- - APPL-15-002069
+ - APPL-26-002069
800-171r3:
- 03.01.07
cis:
@@ -100,7 +100,7 @@ references:
- AC.L2-3.1.5
- AC.L2-3.1.6
macOS:
- - '15.0'
+ - '26.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml b/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml
index f9dd0e4a..1c4b900f 100644
--- a/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml
+++ b/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-94402-5
+ - CCE-95409-9
cci:
- N/A
800-53r5:
@@ -32,7 +32,7 @@ references:
controls v8:
- 11.2
macOS:
- - '15.0'
+ - '26.0'
tags:
- cis_lvl2
- cisv8
diff --git a/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml b/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml
index 11408ef9..3b092823 100644
--- a/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml
+++ b/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml
@@ -3,15 +3,7 @@ title: Ensure Time Machine Volumes are Encrypted discussion: | Time Machine volumes _MUST_ be encrypted. check: | - error_count=0 - for tm in $(/usr/bin/tmutil destinationinfo 2>/dev/null| /usr/bin/awk -F': ' '/Name/{print $2}'); do - tmMounted=$(/usr/sbin/diskutil info "${tm}" 2>/dev/null | /usr/bin/awk '/Mounted/{print $2}') - tmEncrypted=$(/usr/sbin/diskutil info "${tm}" 2>/dev/null | /usr/bin/awk '/FileVault/{print $2}') - if [[ "$tmMounted" = "Yes" && "$tmEncrypted" = "No" ]]; then - ((error_count++)) - fi - done - echo "$error_count" + /usr/bin/sudo /usr/bin/defaults read /Library/Preferences/com.apple.TimeMachine.plist | grep -c NotEncrypted result: integer: 0 fix: | @@ -22,7 +14,7 @@ fix: | . Click *Use Disk* references: cce: - - CCE-94403-3 + - CCE-95410-7 cci: - N/A 800-53r5: @@ -43,7 +35,7 @@ references: - 3.11 - 11.3 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_time_server_configure.yaml b/rules/system_settings/system_settings_time_server_configure.yaml index ddc1caa1..b018fd0f 100644 --- a/rules/system_settings/system_settings_time_server_configure.yaml +++ b/rules/system_settings/system_settings_time_server_configure.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94404-1 + - CCE-95411-5 cci: - CCI-001891 - CCI-002046 @@ -32,7 +32,7 @@ references: - SRG-OS-000355-GPOS-00143 - SRG-OS-000356-GPOS-00144 disa_stig: - - APPL-15-000170 + - APPL-26-000170 800-171r3: - 03.03.07 cis: @@ -43,7 +43,7 @@ references: cmmc: - AU.L2-3.3.7 macOS: - - '15.0' + - '26.0' odv: hint: Name of timeserver. As of macOS 10.13 only one time server is supported. recommended: time.nist.gov diff --git a/rules/system_settings/system_settings_time_server_enforce.yaml b/rules/system_settings/system_settings_time_server_enforce.yaml index abe85669..af278db2 100644 --- a/rules/system_settings/system_settings_time_server_enforce.yaml 
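Review bot: The replacement check invokes `/usr/bin/sudo` and an unqualified `grep`, whereas the other checks in this series use absolute binary paths and rely on the compliance script already running as root (it exits when `$EUID` is not 0), so the `sudo` is redundant and `grep` should be `/usr/bin/grep` to keep the check independent of PATH. The new command also counts every line matching `NotEncrypted` in the plist instead of inspecting the mounted destinations as the removed loop did; if that key is also written with a value of 0 for encrypted destinations, a compliant system would return a non-zero count, which is worth confirming on a machine with an encrypted destination before release. If the plist is now the intended source of truth, the `discussion` text should say so, since the rule no longer distinguishes a configured-but-unmounted destination from a mounted one.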
+++ b/rules/system_settings/system_settings_time_server_enforce.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94405-8 + - CCE-95412-3 cci: - CCI-001891 - CCI-002046 @@ -31,7 +31,7 @@ references: - SRG-OS-000355-GPOS-00143 - SRG-OS-000356-GPOS-00144 disa_stig: - - APPL-15-000014 + - APPL-26-000014 800-171r3: - 03.03.07 cis: @@ -42,7 +42,7 @@ references: cmmc: - AU.L2-3.3.7 macOS: - - '15.0' + - '26.0' tags: - 800-171 - 800-53r5_low diff --git a/rules/system_settings/system_settings_token_removal_enforce.yaml b/rules/system_settings/system_settings_token_removal_enforce.yaml index 2fc6fd6e..e4926991 100644 --- a/rules/system_settings/system_settings_token_removal_enforce.yaml +++ b/rules/system_settings/system_settings_token_removal_enforce.yaml @@ -19,7 +19,7 @@ result: fix: This is implemented by a Configuration Profile. references: cce: - - CCE-94406-6 + - CCE-95413-1 cci: - CCI-000058 800-53r5: @@ -29,13 +29,13 @@ references: srg: - SRG-OS-000030-GPOS-00011 disa_stig: - - APPL-15-000005 + - APPL-26-000005 800-171r3: - 03.01.10 cmmc: - AC.L2-3.1.10 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/system_settings/system_settings_touch_id_settings_disable.yaml b/rules/system_settings/system_settings_touch_id_settings_disable.yaml index 24c34c86..c35a47ad 100644 --- a/rules/system_settings/system_settings_touch_id_settings_disable.yaml +++ b/rules/system_settings/system_settings_touch_id_settings_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94407-4 + - CCE-95414-9 cci: - N/A 800-53r5: @@ -39,7 +39,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_touchid_unlock_disable.yaml b/rules/system_settings/system_settings_touchid_unlock_disable.yaml index 5e90ae08..af1953fe 100644 
--- a/rules/system_settings/system_settings_touchid_unlock_disable.yaml +++ b/rules/system_settings/system_settings_touchid_unlock_disable.yaml @@ -19,7 +19,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94408-2 + - CCE-95415-6 cci: - CCI-000056 800-53r5: @@ -29,13 +29,13 @@ references: srg: - SRG-OS-000028-GPOS-00009 disa_stig: - - APPL-15-002090 + - APPL-26-002090 800-171r3: - 03.05.12 cmmc: - AC.L2-3.1.10 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/system_settings/system_settings_usb_restricted_mode.yaml b/rules/system_settings/system_settings_usb_restricted_mode.yaml index 6643fa08..45e4ce6b 100644 --- a/rules/system_settings/system_settings_usb_restricted_mode.yaml +++ b/rules/system_settings/system_settings_usb_restricted_mode.yaml @@ -25,7 +25,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94409-0 + - CCE-95416-4 cci: - CCI-001958 - CCI-003959 @@ -46,9 +46,9 @@ references: - SRG-OS-000378-GPOS-00163 - SRG-OS-000690-GPOS-00140 disa_stig: - - APPL-15-005090 + - APPL-26-005090 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_wake_network_access_disable.yaml b/rules/system_settings/system_settings_wake_network_access_disable.yaml index cca68df0..2e606b1c 100644 --- a/rules/system_settings/system_settings_wake_network_access_disable.yaml +++ b/rules/system_settings/system_settings_wake_network_access_disable.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-94410-8 + - CCE-95417-2 cci: - N/A 800-53r5: @@ -32,7 +32,7 @@ references: controls v8: - 4.8 macOS: - - '15.0' + - '26.0' tags: - cis_lvl1 - cis_lvl2 diff --git a/rules/system_settings/system_settings_wallet_applepay_settings_disable.yaml b/rules/system_settings/system_settings_wallet_applepay_settings_disable.yaml index 939e39e1..6f3ddb86 100644 
--- a/rules/system_settings/system_settings_wallet_applepay_settings_disable.yaml +++ b/rules/system_settings/system_settings_wallet_applepay_settings_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94411-6 + - CCE-95418-0 cci: - CCI-000381 800-53r5: @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - APPL-15-002052 + - APPL-26-002052 800-171r3: - 03.04.06 - 03.04.08 @@ -39,7 +39,7 @@ references: - CM.L2-3.4.6 - CM.L2-3.4.7 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_low - 800-53r5_moderate diff --git a/rules/system_settings/system_settings_wifi_disable.yaml b/rules/system_settings/system_settings_wifi_disable.yaml index 409a8cba..c4b36ffb 100644 --- a/rules/system_settings/system_settings_wifi_disable.yaml +++ b/rules/system_settings/system_settings_wifi_disable.yaml @@ -18,7 +18,7 @@ fix: | ---- references: cce: - - CCE-94412-4 + - CCE-95419-8 cci: - N/A 800-53r5: @@ -48,7 +48,7 @@ references: - AC.L2-3.1.16 - AC.L2-3.1.17 macOS: - - '15.0' + - '26.0' tags: - manual - 800-53r4_low diff --git a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml index d82b6ff3..189b9f6e 100644 --- a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml +++ b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-94413-2 + - CCE-95420-6 cci: - N/A 800-53r5: @@ -34,7 +34,7 @@ references: - AC.L2-3.1.3 - AC.L2-3.1.17 macOS: - - '15.0' + - '26.0' tags: - 800-53r5_moderate - 800-53r5_high 
diff --git a/rules/system_settings/system_settings_wifi_menu_enable.yaml b/rules/system_settings/system_settings_wifi_menu_enable.yaml index 2687343e..c11e190d 100644 --- a/rules/system_settings/system_settings_wifi_menu_enable.yaml +++ b/rules/system_settings/system_settings_wifi_menu_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-94414-0 + - CCE-95421-4 cci: - N/A 800-53r5: @@ -28,15 +28,13 @@ references: - N/A cis: benchmark: - - 2.4.1 (level 1) + - N/A controls v8: - 4.8 - 12.6 macOS: - - '15.0' + - '26.0' tags: - - cis_lvl1 - - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py index 115e3576..38dbe8ef 100755 --- a/scripts/generate_baseline.py +++ b/scripts/generate_baseline.py @@ -1,5 +1,5 @@ #!/usr/bin/env python3 -# filename: generate_guidance.py +# filename: generate_baseline.py # description: Process a given keyword, and output a baseline file import os.path @@ -556,4 +556,4 @@ def main(): os.chdir(original_working_directory) if __name__ == "__main__": - main() \ No newline at end of file + main() diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 51fb0477..e836ead9 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -126,7 +126,7 @@ def get_check_code(check_yaml): except: return check_yaml # print check_string - check_code = re.search("(?:----((?:.*?\r?\n?)*)----)+", check_string) + check_code = re.search(r"----\n?(.*?)\n?----", check_string, re.DOTALL) # print(check_code.group(1).rstrip()) return check_code.group(1).strip() @@ -140,7 +140,7 @@ def quotify(fix_code): def get_fix_code(fix_yaml): fix_string = fix_yaml.split("[source,bash]")[1] - fix_code = re.search("(?:----((?:.*?\r?\n?)*)----)+", fix_string) + fix_code = re.search(r"----\n?(.*?)\n?----", fix_string, re.DOTALL) return fix_code.group(1) 
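Review bot: The new pattern `r"----\n?(.*?)\n?----"` is duplicated verbatim in `get_check_code` here and in `get_fix_code` in the next hunk; hoisting it to one module-level `_SOURCE_BLOCK_RE = re.compile(r"----\n?(.*?)\n?----", re.DOTALL)` keeps the two in sync. With a non-greedy group under DOTALL the match now stops at the first `----` after the opening fence, so a check or fix body that itself contains a line of four dashes is truncated silently; a comment on the pattern stating that fence rule would save the next reader a test. `re.search` still returns `None` when no fence is present, and the following `.group(1)` then raises `AttributeError` rather than falling back the way the `except` above does for a missing `[source,bash]`; `if check_code is None: return check_yaml` would make the two failure paths consistent. `get_check_code` starts outside this hunk.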
@@ -174,33 +174,26 @@ def format_mobileconfig_fix(mobileconfig): rulefix = rulefix + (f"{item[1]}\n") elif type(item[1]) == dict: rulefix = rulefix + "\n" - for k,v in item[1].items(): + for k, v in item[1].items(): if type(v) == dict: - rulefix = rulefix + \ - (f" {k}\n") - rulefix = rulefix + \ - (f" \n") - for x,y in v.items(): - rulefix = rulefix + \ - (f" {x}\n") - rulefix = rulefix + \ - (f" {y}\n") - rulefix = rulefix + \ - (f" \n") + rulefix = rulefix + (f" {k}\n") + rulefix = rulefix + (f" \n") + for x, y in v.items(): + rulefix = rulefix + (f" {x}\n") + rulefix = rulefix + (f" {y}\n") + rulefix = rulefix + (f" \n") break if isinstance(v, list): rulefix = rulefix + " \n" for setting in v: - rulefix = rulefix + \ - (f" {setting}\n") + rulefix = rulefix + ( + f" {setting}\n" + ) rulefix = rulefix + " \n" else: - rulefix = rulefix + \ - (f" {k}\n") - rulefix = rulefix + \ - (f" {v}\n") + rulefix = rulefix + (f" {k}\n") + rulefix = rulefix + (f" {v}\n") rulefix = rulefix + "\n" - rulefix = rulefix + "----\n\n" 
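Review bot: The last change in this hunk removes `rulefix = rulefix + "----\n\n"`, the line that closed the asciidoc source block the preceding lines open; unless the closing fence is now written elsewhere in `format_mobileconfig_fix` (its start and end lie outside this hunk), the generated guidance ends with an unterminated `----` block. If the removal is intentional because the caller now closes the block, a comment after the trailing `rulefix = rulefix + "\n"` saying who emits the closing fence would prevent it being re-added. Separately, the reformatted `if type(v) == dict:` should read `if isinstance(v, dict):`, matching the `isinstance(v, list)` test a few lines below.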
@@ -219,20 +212,24 @@ class PayloadDict: The actual plist content can be accessed as a dictionary via the 'data' attribute. """ - def __init__(self, identifier, uuid=False, description='', organization='', displayname=''): + def __init__( + self, identifier, uuid=False, description="", organization="", displayname="" + ): self.data = {} self.data["PayloadVersion"] = 1 self.data["PayloadOrganization"] = organization if uuid: self.data["PayloadUUID"] = uuid else: - self.data['PayloadUUID'] = makeNewUUID() - self.data['PayloadType'] = 'Configuration' - self.data['PayloadScope'] = 'System' - self.data['PayloadDescription'] = description - self.data['PayloadDisplayName'] = displayname - self.data['PayloadIdentifier'] = identifier - self.data['ConsentText'] = {"default": "THE SOFTWARE IS PROVIDED 'AS IS' WITHOUT ANY WARRANTY OF ANY KIND, EITHER EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM FROM INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE. 
IN NO EVENT SHALL NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM, OR IN ANY WAY CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY, CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER."} + self.data["PayloadUUID"] = makeNewUUID() + self.data["PayloadType"] = "Configuration" + self.data["PayloadScope"] = "System" + self.data["PayloadDescription"] = description + self.data["PayloadDisplayName"] = displayname + self.data["PayloadIdentifier"] = identifier + self.data["ConsentText"] = { + "default": "THE SOFTWARE IS PROVIDED 'AS IS' WITHOUT ANY WARRANTY OF ANY KIND, EITHER EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM FROM INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE. IN NO EVENT SHALL NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM, OR IN ANY WAY CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY, CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER." + } # An empty list for 'sub payloads' that we'll fill later self.data["PayloadContent"] = [] 
@@ -246,10 +243,12 @@ class PayloadDict: payload_dict = {} # Boilerplate - payload_dict['PayloadVersion'] = 1 - payload_dict['PayloadUUID'] = makeNewUUID() - payload_dict['PayloadType'] = payload_content_dict['PayloadType'] - payload_dict['PayloadIdentifier'] = f"alacarte.macOS.{baseline_name}.{payload_dict['PayloadUUID']}" + payload_dict["PayloadVersion"] = 1 + payload_dict["PayloadUUID"] = makeNewUUID() + payload_dict["PayloadType"] = payload_content_dict["PayloadType"] + payload_dict["PayloadIdentifier"] = ( + f"mscp.{payload_content_dict['PayloadType']}.{payload_dict['PayloadUUID']}" + ) payload_dict["PayloadContent"] = payload_content_dict # Add the payload to the profile @@ -264,10 +263,12 @@ class PayloadDict: payload_dict = {} # Boilerplate - payload_dict['PayloadVersion'] = 1 - payload_dict['PayloadUUID'] = makeNewUUID() - payload_dict['PayloadType'] = payload_content_dict['PayloadType'] - payload_dict['PayloadIdentifier'] = f"alacarte.macOS.{baseline_name}.{payload_dict['PayloadUUID']}" + payload_dict["PayloadVersion"] = 1 + payload_dict["PayloadUUID"] = makeNewUUID() + payload_dict["PayloadType"] = payload_content_dict["PayloadType"] + payload_dict["PayloadIdentifier"] = ( + f"mscp.{payload_content_dict['PayloadType']}.{payload_dict['PayloadUUID']}" + ) payload_dict["PayloadContent"] = payload_content_dict # Add the payload to the profile @@ -284,10 +285,12 @@ class PayloadDict: payload_dict = {} # Boilerplate - payload_dict['PayloadVersion'] = 1 - payload_dict['PayloadUUID'] = makeNewUUID() - payload_dict['PayloadType'] = payload_type - payload_dict['PayloadIdentifier'] = f"alacarte.macOS.{baseline_name}.{payload_dict['PayloadUUID']}" + payload_dict["PayloadVersion"] = 1 + payload_dict["PayloadUUID"] = makeNewUUID() + payload_dict["PayloadType"] = payload_type + payload_dict["PayloadIdentifier"] = ( + f"mscp.{payload_type}.{payload_dict['PayloadUUID']}" + ) # Add the settings to the payload for setting in settings: 
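Review bot: The same boilerplate that fills `PayloadVersion`, `PayloadUUID`, `PayloadType` and the new `mscp.<type>.<uuid>` `PayloadIdentifier` now appears in all three hunks of this class (`@@ -246`, `@@ -264`, `@@ -284`; the method signatures are outside the hunks), so a private helper such as `def _payload_header(self, payload_type):` returning that dict would keep the identifier format in one place. With the baseline name removed from the identifier, the `baseline_name` argument these methods still take (callers in `generate_profiles` pass it) no longer influences the output; either note that it is retained for call compatibility or drop it in a follow-up. A one-line comment such as `# PayloadIdentifier format: mscp.<PayloadType>.<UUID>; uniqueness comes from the UUID` is worth adding, since payload identifiers are visible to the MDM and their format changed here.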
@@ -450,16 +453,20 @@ def generate_profiles( for sections in baseline_yaml["profile"]: for profile_rule in sections["rules"]: logging.debug(f"checking for rule file for {profile_rule}") - if glob.glob('../custom/rules/**/{}.y*ml'.format(profile_rule),recursive=True): - rule = glob.glob('../custom/rules/**/{}.y*ml'.format(profile_rule),recursive=True)[0] - custom=True + if glob.glob( + "../custom/rules/**/{}.y*ml".format(profile_rule), recursive=True + ): + rule = glob.glob( + "../custom/rules/**/{}.y*ml".format(profile_rule), recursive=True + )[0] + custom = True logging.debug(f"{rule}") - elif glob.glob('../rules/*/{}.y*ml'.format(profile_rule)): - rule = glob.glob('../rules/*/{}.y*ml'.format(profile_rule))[0] - custom=False + elif glob.glob("../rules/*/{}.y*ml".format(profile_rule)): + rule = glob.glob("../rules/*/{}.y*ml".format(profile_rule))[0] + custom = False logging.debug(f"{rule}") - #for rule in glob.glob('../rules/*/{}.y*ml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.y*ml'.format(profile_rule),recursive=True): + # for rule in glob.glob('../rules/*/{}.y*ml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.y*ml'.format(profile_rule),recursive=True): rule_yaml = get_rule_yaml(rule, baseline_yaml, custom) if rule_yaml["mobileconfig"]: 
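Review bot: The reformatted `if`/`elif` still has no `else`, so when neither `../custom/rules/**/<rule>.y*ml` nor `../rules/*/<rule>.y*ml` matches, `rule` and `custom` are either unbound (first iteration, `NameError`) or left over from the previous rule, and `get_rule_yaml(rule, baseline_yaml, custom)` quietly processes the wrong file. Add `else: logging.error(f"no rule file found for {profile_rule}"); continue` (or raise, since a baseline naming a missing rule is a data error) so the generated profile cannot silently omit or duplicate a rule. The identical pattern is in `generate_script` at the hunk `@@ -1150`, which should get the same guard. Each branch also evaluates the glob twice; `matches = glob.glob(...)` once, then `if matches:`, halves the filesystem walks and is easier to read.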
@@ -555,20 +562,21 @@ def generate_profiles( organization = "macOS Security Compliance Project" displayname = f"[{baseline_name}] {payload} settings" - newProfile = PayloadDict(identifier=identifier, - uuid=False, - organization=organization, - displayname=displayname, - description=description) - - - + newProfile = PayloadDict( + identifier=identifier, + uuid=False, + organization=organization, + displayname=displayname, + description=description, + ) if payload == "com.apple.ManagedClient.preferences": for item in settings: newProfile.addMCXPayload(item, baseline_name) # handle these payloads for array settings - elif (payload == "com.apple.applicationaccess.new") or ( - payload == "com.apple.systempreferences" + elif ( + (payload == "com.apple.applicationaccess.new") + or (payload == "com.apple.systempreferences") + or (payload == "com.apple.SetupAssistant.managed") ): newProfile.addNewPayload( payload, concatenate_payload_settings(settings), baseline_name @@ -619,17 +627,19 @@ def zip_folder(folder_to_zip): return zip_object.filename -def create_ddm_activation(identifier, ddm_output_path): - ddm_output_path = f'{ddm_output_path}/activations' - ddm_identifier = f'{identifier.replace("config","activation").replace("asset","activation")}' +def create_ddm_activation(identifier, ddm_output_path): + ddm_output_path = f"{ddm_output_path}/activations" + ddm_identifier = ( + f"{identifier.replace('config', 'activation').replace('asset', 'activation')}" + ) ddm_json = {} ddm_json["Identifier"] = ddm_identifier ddm_json["Type"] = "com.apple.activation.simple" - ddm_json["Payload"] = { "StandardConfigurations" : [ identifier ]} + ddm_json["Payload"] = {"StandardConfigurations": [identifier]} ddm_object = json.dumps(ddm_json, indent=4) - + logging.debug(f"Building declarative activation for {ddm_identifier}...") # Writing the .json to disk 
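Review bot: The growing `or` chain that now includes `com.apple.SetupAssistant.managed` would be clearer as a module-level `ARRAY_SETTINGS_PAYLOADS = frozenset({"com.apple.applicationaccess.new", "com.apple.systempreferences", "com.apple.SetupAssistant.managed"})` tested with `elif payload in ARRAY_SETTINGS_PAYLOADS:`, with a comment stating that these payload types carry array-valued keys that must be concatenated across rules. Adding a third payload type is a behavior change buried in a formatting hunk and does not appear in the CHANGELOG section at the top of this commit; a line there would help anyone diffing generated profiles between releases. `generate_profiles` starts and ends outside this hunk.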
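Review bot: `identifier.replace('config', 'activation').replace('asset', 'activation')` rewrites those substrings wherever they occur, including inside the baseline-name component of `org.mscp.<baseline>.config.<type>` / `.asset.<service>` as built in `generate_ddm`, so a baseline whose name contains `config` or `asset` would get a mangled activation identifier; splitting on `.` and replacing only the kind component is safer. The `f"{...}"` wrapper around that expression is redundant and should be dropped, and the `ddm_output_path + "/" + ddm_identifier + ".json"` in the continuation of this function in the next hunk is an `os.path.join` call. The same replace-anywhere concern applies to `create_ddm_conf` in the next hunk.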
@@ -639,25 +649,22 @@ def create_ddm_activation(identifier, ddm_output_path): except OSError: print("Creation of the directory %s failed" % ddm_output_path) - with open( - ddm_output_path + "/" + ddm_identifier + ".json", "w" - ) as outfile: + with open(ddm_output_path + "/" + ddm_identifier + ".json", "w") as outfile: outfile.write(ddm_object) return -def create_ddm_conf(identifier, service, ddm_output_path): - ddm_output_path = f'{ddm_output_path}/configurations' - ddm_identifier = f'{identifier.replace("asset","config")}' +def create_ddm_conf(identifier, service, ddm_output_path): + ddm_output_path = f"{ddm_output_path}/configurations" + ddm_identifier = f"{identifier.replace('asset', 'config')}" ddm_json = {} ddm_json["Identifier"] = ddm_identifier ddm_json["Type"] = "com.apple.configuration.services.configuration-files" - ddm_json["Payload"] = { "ServiceType" : service, - "DataAssetReference" : identifier } + ddm_json["Payload"] = {"ServiceType": service, "DataAssetReference": identifier} ddm_object = json.dumps(ddm_json, indent=4) - + logging.debug(f"Building declarative configuration for {ddm_identifier}...") # Writing the .json to disk @@ -667,12 +674,11 @@ def create_ddm_conf(identifier, service, ddm_output_path): except OSError: print("Creation of the directory %s failed" % ddm_output_path) - with open( - ddm_output_path + "/" + ddm_identifier + ".json", "w" - ) as outfile: + with open(ddm_output_path + "/" + ddm_identifier + ".json", "w") as outfile: outfile.write(ddm_object) - return + return + def generate_ddm(baseline_name, build_path, parent_dir, baseline_yaml): """Generate the declarative management artifacts for the rules in the provided baseline YAML file""" 
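Review bot: After `print("Creation of the directory %s failed" % ddm_output_path)` both `create_ddm_activation` and `create_ddm_conf` continue to `open(ddm_output_path + "/" + ddm_identifier + ".json", "w")`, which then fails with an unrelated traceback; either re-raise or `return` after logging with `logging.error`, or replace the `isdir` test and `try` with `os.makedirs(ddm_output_path, exist_ok=True)`. The same print-and-continue pattern is repeated in the `generate_ddm` hunks at `@@ -812` and `@@ -843`. The two functions are otherwise line-for-line copies differing only in the identifier rewrite, type string and payload; a shared `_write_ddm_declaration(ddm_json, ddm_identifier, ddm_output_path)` helper would remove the duplication and give one place to document the on-disk layout (`<ddm_output_path>/activations` and `<ddm_output_path>/configurations`).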
@@ -712,7 +718,7 @@ def generate_ddm(baseline_name, build_path, parent_dir, baseline_yaml): rule_yaml = get_rule_yaml(rule, baseline_yaml, custom) if "ddm_info" in rule_yaml.keys(): if rule_yaml["ddm_info"]: - logging.debug(f'adding {rule_yaml["id"]}') + logging.debug(f"adding {rule_yaml['id']}") ddm_rules.append(rule_yaml) for ddm_rule in ddm_rules: @@ -748,25 +754,28 @@ def generate_ddm(baseline_name, build_path, parent_dir, baseline_yaml): ) if ddm_rule["ddm_info"]["configuration_key"] == "file": service_config_file.write( - f'{ddm_rule["ddm_info"]["configuration_value"]}\n' + f"{ddm_rule['ddm_info']['configuration_value']}\n" ) else: service_config_file.write( - f'{ddm_rule["ddm_info"]["configuration_key"]} {ddm_rule["ddm_info"]["configuration_value"]}\n' + f"{ddm_rule['ddm_info']['configuration_key']} {ddm_rule['ddm_info']['configuration_value']}\n" ) # add configuration-files type to ddm_dict - ddm_dict.setdefault(ddm_rule["ddm_info"]["declarationtype"], {}).update( - {} - ) + ddm_dict.setdefault(ddm_rule["ddm_info"]["declarationtype"], {}).update({}) service_config_file.close() else: ddm_key = ddm_rule["ddm_info"]["ddm_key"] ddm_key_value = ddm_rule["ddm_info"]["ddm_value"] - ddm_dict.setdefault(ddm_rule["ddm_info"]["declarationtype"], {}).update( - {ddm_key: ddm_key_value} - ) + if ddm_key in ddm_dict.get(ddm_rule["ddm_info"]["declarationtype"], ""): + ddm_dict[ddm_rule["ddm_info"]["declarationtype"]][ddm_key].update( + ddm_key_value + ) + else: + ddm_dict.setdefault(ddm_rule["ddm_info"]["declarationtype"], {}).update( + {ddm_key: ddm_key_value} + ) for ddm_type in mscp_data_yaml["ddm"]["supported_types"]: if ddm_type not in ddm_dict.keys(): 
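Review bot: The new merge branch assumes both the stored value and `ddm_key_value` are mappings: `ddm_dict[...][ddm_key].update(ddm_key_value)` raises `AttributeError` when an earlier rule stored a scalar or list under the same `ddm_key`, and `TypeError` when this rule's `ddm_value` is not a mapping, and the `""` default in `ddm_dict.get(..., "")` only works because `in` on an empty string happens to be false. I cannot tell from this hunk which types `ddm_value` takes in the rule files, so the excerpt below guards on type and falls back to the previous overwrite behavior otherwise. A comment such as `# rules that share a ddm_key contribute fragments of one mapping; merge rather than overwrite` would record the intent this hunk introduces. `generate_ddm` starts and ends outside this hunk.
```python
            # … unchanged: ddm_key / ddm_key_value lookup …
            declaration = ddm_dict.setdefault(ddm_rule["ddm_info"]["declarationtype"], {})
            existing = declaration.get(ddm_key)
            if isinstance(existing, dict) and isinstance(ddm_key_value, dict):
                # Two rules contribute fragments of the same key: merge them.
                existing.update(ddm_key_value)
            else:
                # First rule for this key, or a non-mapping value: overwrite as before.
                declaration[ddm_key] = ddm_key_value
```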
@@ -792,19 +801,19 @@ def generate_ddm(baseline_name, build_path, parent_dir, baseline_yaml): sha256_hash.update(byte_block) zip_sha = sha256_hash.hexdigest() - ddm_identifier = f'org.mscp.{baseline_name}.asset.{service.split(".")[2]}' + ddm_identifier = f"org.mscp.{baseline_name}.asset.{service.split('.')[2]}" # create declaration for asset created ddm_json = {} ddm_json["Identifier"] = ddm_identifier ddm_json["Type"] = "com.apple.asset.data" ddm_json["Payload"] = {} ddm_json["Payload"]["Reference"] = {} - ddm_json["Payload"]["Reference"][ - "ContentType" - ] = "application/zip" - ddm_json["Payload"]["Reference"][ - "DataURL" - ] = f"https://hostname.site.com/{service}.zip" + ddm_json["Payload"]["Reference"]["ContentType"] = ( + "application/zip" + ) + ddm_json["Payload"]["Reference"]["DataURL"] = ( + f"https://hostname.site.com/{service}.zip" + ) ddm_json["Payload"]["Reference"]["Hash-SHA-256"] = zip_sha ddm_json["Authentication"] = {} ddm_json["Authentication"]["Type"] = "None" @@ -812,21 +821,25 @@ def generate_ddm(baseline_name, build_path, parent_dir, baseline_yaml): ddm_object = json.dumps(ddm_json, indent=4) # Writing the .json to disk - ddm_asset_output_path = f'{ddm_output_path}/assets' + ddm_asset_output_path = f"{ddm_output_path}/assets" if not (os.path.isdir(ddm_asset_output_path)): try: os.makedirs(ddm_asset_output_path) except OSError: - print("Creation of the directory %s failed" % ddm_asset_output_path) - + print( + "Creation of the directory %s failed" + % ddm_asset_output_path + ) + with open( - ddm_asset_output_path + "/" + ddm_identifier + ".json", "w" + ddm_asset_output_path + "/" + ddm_identifier + ".json", + "w", ) as outfile: outfile.write(ddm_object) - + # move .zips to assets - shutil.move(zip_file,ddm_asset_output_path) - + shutil.move(zip_file, ddm_asset_output_path) + # create activation create_ddm_activation(ddm_identifier, ddm_output_path) 
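Review bot: `ddm_json["Payload"]["Reference"]["DataURL"] = f"https://hostname.site.com/{service}.zip"` together with `ddm_json["Authentication"]["Type"] = "None"` leaves a literal placeholder host in the generated asset declaration with nothing marking it as one, so the output could be pushed to an MDM unchanged. Add `# placeholder host: the asset zip must be republished at the deployer's own URL before use` above the assignment, and mention in `generate_ddm`'s docstring (outside this hunk) that `Hash-SHA-256` is computed from the zip, which is intended to let the client verify the download. Hoisting the host into a module-level constant or a command-line option would make the substitution point obvious rather than relying on a search for `hostname.site.com`.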
@@ -834,7 +847,7 @@ def generate_ddm(baseline_name, build_path, parent_dir, baseline_yaml): create_ddm_conf(ddm_identifier, service, ddm_output_path) else: logging.debug(f"Building any declarations for {ddm_type}...") - ddm_identifier = f'org.mscp.{baseline_name}.config.{ddm_type.replace("com.apple.configuration.", "")}' + ddm_identifier = f"org.mscp.{baseline_name}.config.{ddm_type.replace('com.apple.configuration.', '')}" ddm_json = {} ddm_json["Identifier"] = ddm_identifier ddm_json["Type"] = ddm_type @@ -843,18 +856,20 @@ def generate_ddm(baseline_name, build_path, parent_dir, baseline_yaml): ddm_object = json.dumps(ddm_json, indent=4) # Writing the .json to disk - ddm_config_output_path = f'{ddm_output_path}/configurations' + ddm_config_output_path = f"{ddm_output_path}/configurations" if not (os.path.isdir(ddm_config_output_path)): try: os.makedirs(ddm_config_output_path) except OSError: - print("Creation of the directory %s failed" % ddm_config_output_path) - + print( + "Creation of the directory %s failed" % ddm_config_output_path + ) + with open( ddm_config_output_path + "/" + ddm_identifier + ".json", "w" ) as outfile: outfile.write(ddm_object) - + # create activation create_ddm_activation(ddm_identifier, ddm_output_path) @@ -888,8 +903,7 @@ def default_audit_plist(baseline_name, build_path, baseline_yaml): def generate_script(baseline_name, audit_name, build_path, baseline_yaml, reference): - """Generates the zsh script from the rules in the baseline YAML - """ + """Generates the zsh script from the rules in the baseline YAML""" compliance_script_file = open( build_path + "/" + baseline_name + "_compliance.sh", "w" ) 
@@ -919,9 +933,15 @@ fi ################### COMMANDS START BELOW THIS LINE ################### +# Check if the current shell is Zsh +if [[ -z "$ZSH_NAME" ]]; then + echo "ERROR: This script must be run in Zsh." + exit 1 +fi + ## Must be run as root if [[ $EUID -ne 0 ]]; then - echo "This script must be run as root" + echo "ERROR: This script must be run as root" exit 1 fi @@ -937,7 +957,7 @@ fi plb="/usr/libexec/PlistBuddy" # get the currently logged in user -CURRENT_USER=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ {{ print $3 }}') +CURRENT_USER=$(/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow lastUserName) CURR_USER_UID=$(/usr/bin/id -u $CURRENT_USER) # get system architecture @@ -1150,13 +1170,17 @@ fi for sections in baseline_yaml["profile"]: for profile_rule in sections["rules"]: logging.debug(f"checking for rule file for {profile_rule}") - if glob.glob('../custom/rules/**/{}.y*ml'.format(profile_rule),recursive=True): - rule = glob.glob('../custom/rules/**/{}.y*ml'.format(profile_rule),recursive=True)[0] - custom=True + if glob.glob( + "../custom/rules/**/{}.y*ml".format(profile_rule), recursive=True + ): + rule = glob.glob( + "../custom/rules/**/{}.y*ml".format(profile_rule), recursive=True + )[0] + custom = True logging.debug(f"{rule}") - elif glob.glob('../rules/*/{}.y*ml'.format(profile_rule)): - rule = glob.glob('../rules/*/{}.y*ml'.format(profile_rule))[0] - custom=False + elif glob.glob("../rules/*/{}.y*ml".format(profile_rule)): + rule = glob.glob("../rules/*/{}.y*ml".format(profile_rule))[0] + custom = False logging.debug(f"{rule}") rule_yaml = get_rule_yaml(rule, baseline_yaml, custom) @@ -1190,7 +1214,7 @@ fi elif reference in cis_ref: if "v8" in reference: log_reference_id = [ - f"CIS Controls-{', '.join(map(str,rule_yaml['references']['cis']['controls v8']))}" + f"CIS Controls-{', '.join(map(str, rule_yaml['references']['cis']['controls v8']))}" ] else: log_reference_id = [ 
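Review bot: `CURRENT_USER=$(/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow lastUserName)` replaces the `scutil` ConsoleUser query with the last user that logged in at the login window, which is not necessarily the user who currently owns the console (after fast user switching, or with nobody logged in), and the value feeds `CURR_USER_UID` and so every per-user check the generated script runs. If the change is deliberate, rename or comment the variable, e.g. `# user whose per-user settings are audited: last login-window user, not the live console session`; if not, keep the `scutil` lookup and use `lastUserName` only when it yields `loginwindow` or nothing. `/usr/bin/id -u $CURRENT_USER` is also unquoted, so an empty result turns into plain `id -u`, which reports the script's own (root) UID instead of failing; `"$CURRENT_USER"` plus an empty-value check before use would catch that. The new `$ZSH_NAME` guard above is a good addition and pairs with the `zparseopts` usage later in the script.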
@@ -1252,12 +1276,12 @@ fi elif "boolean" in result: result_value = str(result["boolean"]).lower() elif "string" in result: - result_value = result['string'] + result_value = result["string"] elif "base64" in result: - result_string_bytes = f'{result["base64"]}\n'.encode("UTF-8") + result_string_bytes = f"{result['base64']}\n".encode("UTF-8") result_encoded = base64.b64encode(result_string_bytes) - result['base64'] = result_encoded.decode() - result_value = result['base64'] + result["base64"] = result_encoded.decode() + result_value = result["base64"] else: continue @@ -1343,7 +1367,7 @@ fi if "[source,bash]" in fix_text: nist_controls_commented = nist_controls.replace("\n", "\n#") zsh_fix_text = f""" -#####----- Rule: {rule_yaml['id']} -----##### +#####----- Rule: {rule_yaml["id"]} -----##### ## Addresses the following NIST 800-53 controls: {nist_controls_commented} # check to see if rule is exempt 
@@ -1351,28 +1375,28 @@ unset exempt unset exempt_reason exempt=$(/usr/bin/osascript -l JavaScript << EOS 2>/dev/null -ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('org.{baseline_name}.audit').objectForKey('{rule_yaml['id']}'))["exempt"] +ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('org.{baseline_name}.audit').objectForKey('{rule_yaml["id"]}'))["exempt"] EOS ) exempt_reason=$(/usr/bin/osascript -l JavaScript << EOS 2>/dev/null -ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('org.{baseline_name}.audit').objectForKey('{rule_yaml['id']}'))["exempt_reason"] +ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('org.{baseline_name}.audit').objectForKey('{rule_yaml["id"]}'))["exempt_reason"] EOS ) -{rule_yaml['id']}_audit_score=$($plb -c "print {rule_yaml['id']}:finding" $audit_plist) +{rule_yaml["id"]}_audit_score=$($plb -c "print {rule_yaml["id"]}:finding" $audit_plist) if [[ ! $exempt == "1" ]] || [[ -z $exempt ]];then - if [[ ${rule_yaml['id']}_audit_score == "true" ]]; then - ask '{rule_yaml['id']} - Run the command(s)-> {quotify(get_fix_code(rule_yaml['fix']).strip())} ' N + if [[ ${rule_yaml["id"]}_audit_score == "true" ]]; then + ask '{rule_yaml["id"]} - Run the command(s)-> {quotify(get_fix_code(rule_yaml["fix"]).strip())} ' N if [[ $? == 0 ]]; then - logmessage "Running the command to configure the settings for: {rule_yaml['id']} ..." - {get_fix_code(rule_yaml['fix']).strip()} + logmessage "Running the command to configure the settings for: {rule_yaml["id"]} ..." + {get_fix_code(rule_yaml["fix"]).strip()} fi else - logmessage "Settings for: {rule_yaml['id']} already configured, continuing..." + logmessage "Settings for: {rule_yaml["id"]} already configured, continuing..." fi elif [[ ! -z "$exempt_reason" ]];then - logmessage "{rule_yaml['id']} has an exemption, remediation skipped (Reason: \"$exempt_reason\")" + logmessage "{rule_yaml["id"]} has an exemption, remediation skipped (Reason: \"$exempt_reason\")" fi """ 
@@ -1425,10 +1449,10 @@ echo "$(date -u) Beginning remediation of non-compliant settings" >> "$audit_log """ # write the footer for the script - zsh_fix_footer = """ + zsh_fix_footer = f""" echo "$(date -u) Remediation complete" >> "$audit_log" -} 2>/dev/null +}} 2>/dev/null usage=( "$0 Usage" @@ -1446,13 +1470,33 @@ usage=( "--quiet= : 1 - show only failed and exempted checks in output" " 2 - show minimal output" ) + +# Look for managed arguments for compliance script +if [[ $# -eq 0 ]];then + compliance_args=$(/usr/bin/osascript -l JavaScript << 'EOS' +var defaults = $.NSUserDefaults.alloc.initWithSuiteName('org.{audit_name}.audit'); +var args = defaults.objectForKey('compliance_args'); +if (args && args.count > 0) {{ + var result = []; + for (var i = 0; i < args.count; i++) {{ + result.push(ObjC.unwrap(args.objectAtIndex(i))); + }} + result.join(' '); + }} +EOS +) + if [[ -n "$compliance_args" ]]; then + logmessage "Managed arguments found for compliance script, setting: $compliance_args" + eval "set -- $compliance_args" + fi +fi + +zparseopts -D -E -help=flag_help -check=check -fix=fix -stats=stats -compliant=compliant_opt -non_compliant=non_compliant_opt -reset=reset -reset-all=reset_all -cfc=cfc -quiet:=quiet || {{ print -l $usage && return }} -zparseopts -D -E -help=flag_help -check=check -fix=fix -stats=stats -compliant=compliant_opt -non_compliant=non_compliant_opt -reset=reset -reset-all=reset_all -cfc=cfc -quiet:=quiet || { print -l $usage && return } - -[[ -z "$flag_help" ]] || { print -l $usage && return } +[[ -z "$flag_help" ]] || {{ print -l $usage && return }} if [[ ! -z $quiet ]];then - [[ ! -z ${quiet[2][2]} ]] || { print -l $usage && return } + [[ ! -z ${{quiet[2][2]}} ]] || {{ print -l $usage && return }} fi if [[ $reset ]] || [[ $reset_all ]]; then reset_plist; fi 
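Review bot: Turning `zsh_fix_footer` into an f-string means every literal `{` and `}` in the whole footer must now be doubled, not just the ones this hunk touches; the string continues past the visible lines (`usage=(` onward), and any single brace left there becomes a `SyntaxError` or `NameError` at build time instead of a shell character. Please verify the rest of the footer, and add `# NOTE: f-string — shell braces must be written as {{ }}` above the assignment so the next edit does not trip on it. `generate_script` starts outside this hunk.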
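Review bot: `eval "set -- $compliance_args"` passes the managed preference value through full shell evaluation in a script that must run as root, so anything beyond plain words in the `compliance_args` key (command substitutions, redirections, `;`) is executed rather than delivered as arguments. Because the script now refuses to run outside zsh, plain word splitting does the intended job without evaluation: `set -- ${{=compliance_args}}` (doubled braces inside the f-string, rendering as `set -- ${=compliance_args}`). The value comes from the baseline's own `org.{audit_name}.audit` suite, so exposure is limited to whoever can write that domain, but the script should not widen it; keeping the `logmessage` of the raw value before use is good, as it leaves a record of what was applied.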
@@ -1530,24 +1574,45 @@ def fill_in_odv(resulting_yaml, parent_values): if "$ODV" in str(resulting_yaml["result"][result_value]): resulting_yaml["result"][result_value] = odv - if resulting_yaml['mobileconfig_info']: - for mobileconfig_type in resulting_yaml['mobileconfig_info']: - if isinstance(resulting_yaml['mobileconfig_info'][mobileconfig_type], dict): - for mobileconfig_value in resulting_yaml['mobileconfig_info'][mobileconfig_type]: - if "$ODV" in str(resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value]): - if type(resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value]) == dict: - for k,v in resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value].items(): + if resulting_yaml["mobileconfig_info"]: + for mobileconfig_type in resulting_yaml["mobileconfig_info"]: + if isinstance( + resulting_yaml["mobileconfig_info"][mobileconfig_type], dict + ): + for mobileconfig_value in resulting_yaml["mobileconfig_info"][ + mobileconfig_type + ]: + if "$ODV" in str( + resulting_yaml["mobileconfig_info"][mobileconfig_type][ + mobileconfig_value + ] + ): + if ( + type( + resulting_yaml["mobileconfig_info"][ + mobileconfig_type + ][mobileconfig_value] + ) + == dict + ): + for k, v in resulting_yaml["mobileconfig_info"][ + mobileconfig_type + ][mobileconfig_value].items(): if v == "$ODV": - resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value][k] = odv + resulting_yaml["mobileconfig_info"][ + mobileconfig_type + ][mobileconfig_value][k] = odv else: - resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value] = odv + resulting_yaml["mobileconfig_info"][mobileconfig_type][ + mobileconfig_value + ] = odv if "ddm_info" in resulting_yaml.keys(): for ddm_type, value in resulting_yaml["ddm_info"].items(): if isinstance(value, dict): for _value in value: if "$ODV" in str(value[_value]): - resulting_yaml["ddm_info"][ddm_type] = odv + resulting_yaml["ddm_info"][ddm_type][_value] = odv if 
"$ODV" in value: resulting_yaml["ddm_info"][ddm_type] = odv @@ -1560,7 +1625,10 @@ def get_rule_yaml( """Takes a rule file, checks for a custom version, and returns the yaml for the rule""" global resulting_yaml resulting_yaml = {} - names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.y*ml', recursive=True)] + names = [ + os.path.basename(x) + for x in glob.glob("../custom/rules/**/*.y*ml", recursive=True) + ] file_name = os.path.basename(rule_file) # get parent values @@ -1785,14 +1853,14 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(counter, 10, srg_refs, topWrap) sheet1.col(10).width = 500 * 15 - sfr_refs = (str(rule.rule_sfr)).strip('[]\'') - sfr_refs = sfr_refs.replace(", ", "\n").replace("\'", "") + sfr_refs = (str(rule.rule_sfr)).strip("[]'") + sfr_refs = sfr_refs.replace(", ", "\n").replace("'", "") sheet1.write(counter, 11, sfr_refs, topWrap) sheet1.col(11).width = 500 * 15 - disa_refs = (str(rule.rule_disa_stig)).strip('[]\'') - disa_refs = disa_refs.replace(", ", "\n").replace("\'", "") + disa_refs = (str(rule.rule_disa_stig)).strip("[]'") + disa_refs = disa_refs.replace(", ", "\n").replace("'", "") sheet1.write(counter, 12, disa_refs, topWrap) sheet1.col(12).width = 500 * 15 
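Review bot: Each access in the reformatted `mobileconfig_info` walk repeats the full three-level subscript `resulting_yaml["mobileconfig_info"][mobileconfig_type][mobileconfig_value]`, which black has now spread across several lines per use; binding `settings = resulting_yaml["mobileconfig_info"][mobileconfig_type]` once and iterating `for mobileconfig_value, setting in settings.items():` would shrink the block to a few readable lines, and `isinstance(setting, dict)` is the idiomatic form of `type(...) == dict`. The `ddm_info` fix (`[ddm_type][_value] = odv`) now updates the right key in the dict branch; the non-dict branch on the following line still does `"$ODV" in value`, which raises TypeError if a `ddm_info` value is ever a non-string scalar, so a one-line comment stating the expected value types (str or dict) would help. `fill_in_odv` starts before this hunk.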
@@ -1808,15 +1876,15 @@ def generate_xls(baseline_name, build_path, baseline_yaml): cis = cis.replace(", ", "\n") sheet1.write(counter, 14, cis, topWrap) sheet1.col(14).width = 500 * 15 - - cmmc_refs = (str(rule.rule_cmmc)).strip('[]\'') - cmmc_refs = cmmc_refs.replace(", ", "\n").replace("\'", "") + + cmmc_refs = (str(rule.rule_cmmc)).strip("[]'") + cmmc_refs = cmmc_refs.replace(", ", "\n").replace("'", "") sheet1.write(counter, 15, cmmc_refs, topWrap) sheet1.col(15).width = 500 * 15 - indigo_refs = (str(rule.rule_indigo)).strip('[]\'') - indigo_refs = indigo_refs.replace(", ", "\n").replace("\'", "") + indigo_refs = (str(rule.rule_indigo)).strip("[]'") + indigo_refs = indigo_refs.replace(", ", "\n").replace("'", "") sheet1.write(counter, 16, indigo_refs, topWrap) sheet1.col(16).width = 500 * 15 @@ -1833,11 +1901,11 @@ def generate_xls(baseline_name, build_path, baseline_yaml): severity = "" if isinstance(rule.rule_severity, dict): try: - severity = f'{rule.rule_severity[baseline_yaml["parent_values"]]}' + severity = f"{rule.rule_severity[baseline_yaml['parent_values']]}" except KeyError: severity = "" elif isinstance(rule.rule_severity, str): - severity = f'{rule.rule_severity}' + severity = f"{rule.rule_severity}" sheet1.write(counter, 18, severity, topWrap) sheet1.col(18).width = 400 * 15 @@ -1859,8 +1927,6 @@ def generate_xls(baseline_name, build_path, baseline_yaml): added_ref = added_ref.replace(", ", "\n").replace("'", "") sheet1.write(counter, custom_ref_column[title], added_ref, topWrap) - - tall_style = easyxf("font:height 640;") # 36pt sheet1.row(counter).set_style(tall_style) 
@@ -1873,31 +1939,35 @@ def generate_xls(baseline_name, build_path, baseline_yaml): def create_rules(baseline_yaml): """Takes a baseline yaml file and parses the rules, returns a list of containing rules""" all_rules = [] - #expected keys and references - keys = ['mobileconfig', - 'macOS', - 'severity', - 'title', - 'check', - 'fix', - 'tags', - 'id', - 'references', - 'odv', - 'result', - 'discussion', - 'customized'] - references = ['disa_stig', - 'cci', - 'cce', - '800-53r5', - '800-171r3', - 'cis', - 'cmmc', - 'indigo', - 'srg', - 'sfr', - 'custom'] + # expected keys and references + keys = [ + "mobileconfig", + "macOS", + "severity", + "title", + "check", + "fix", + "tags", + "id", + "references", + "odv", + "result", + "discussion", + "customized", + ] + references = [ + "disa_stig", + "cci", + "cce", + "800-53r5", + "800-171r3", + "cis", + "cmmc", + "indigo", + "srg", + "sfr", + "custom", + ] for sections in baseline_yaml["profile"]: for profile_rule in sections["rules"]: 
@@ -1929,30 +1999,33 @@ def create_rules(baseline_yaml): except: # print("expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule)) rule_yaml[key].update({reference: ["None"]}) - all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', r'\|'), - rule_yaml['id'].replace('|', r'\|'), - rule_yaml['severity'], - rule_yaml['discussion'], #.replace('|', r'\|'), - rule_yaml['check'].replace('|', r'\|'), - rule_yaml['fix'].replace('|', r'\|'), - rule_yaml['references']['cci'], - rule_yaml['references']['cce'], - rule_yaml['references']['800-53r5'], - rule_yaml['references']['800-171r3'], - rule_yaml['references']['disa_stig'], - rule_yaml['references']['srg'], - rule_yaml['references']['sfr'], - rule_yaml['references']['cis'], - rule_yaml['references']['cmmc'], - rule_yaml['references']['indigo'], - rule_yaml['references']['custom'], - rule_yaml['odv'], - rule_yaml['tags'], - rule_yaml['result'], - rule_yaml['mobileconfig'], - rule_yaml['mobileconfig_info'], - rule_yaml['customized'] - )) + all_rules.append( + MacSecurityRule( + rule_yaml["title"].replace("|", r"\|"), + rule_yaml["id"].replace("|", r"\|"), + rule_yaml["severity"], + rule_yaml["discussion"], # .replace('|', r'\|'), + rule_yaml["check"].replace("|", r"\|"), + rule_yaml["fix"].replace("|", r"\|"), + rule_yaml["references"]["cci"], + rule_yaml["references"]["cce"], + rule_yaml["references"]["800-53r5"], + rule_yaml["references"]["800-171r3"], + rule_yaml["references"]["disa_stig"], + rule_yaml["references"]["srg"], + rule_yaml["references"]["sfr"], + rule_yaml["references"]["cis"], + rule_yaml["references"]["cmmc"], + rule_yaml["references"]["indigo"], + rule_yaml["references"]["custom"], + rule_yaml["odv"], + rule_yaml["tags"], + rule_yaml["result"], + rule_yaml["mobileconfig"], + rule_yaml["mobileconfig_info"], + rule_yaml["customized"], + ) + ) return all_rules 
@@ -2026,7 +2099,8 @@ def create_args(): help="sign the configuration profiles with subject key ID (hash value without spaces)", ) parser.add_argument( - "-a", "--audit_name", + "-a", + "--audit_name", default=None, help="name of audit plist and log - defaults to baseline name", ) @@ -2181,19 +2255,20 @@ def main(): with open(version_file) as r: version_yaml = yaml.load(r, Loader=yaml.SafeLoader) - adoc_templates = [ "adoc_rule_ios", - "adoc_rule", - "adoc_supplemental", - "adoc_rule_no_setting", - "adoc_rule_custom_refs", - "adoc_section", - "adoc_header", - "adoc_footer", - "adoc_foreword", - "adoc_scope", - "adoc_authors", - "adoc_acronyms", - "adoc_additional_docs" + adoc_templates = [ + "adoc_rule_ios", + "adoc_rule", + "adoc_supplemental", + "adoc_rule_no_setting", + "adoc_rule_custom_refs", + "adoc_section", + "adoc_header", + "adoc_footer", + "adoc_foreword", + "adoc_scope", + "adoc_authors", + "adoc_acronyms", + "adoc_additional_docs", ] adoc_templates_dict = {} @@ -2217,10 +2292,10 @@ def main(): pdf_theme = themes[0] # Setup AsciiDoc templates - with open(adoc_templates_dict['adoc_rule_ios']) as adoc_rule_ios_file: + with open(adoc_templates_dict["adoc_rule_ios"]) as adoc_rule_ios_file: adoc_rule_ios_template = Template(adoc_rule_ios_file.read()) - with open(adoc_templates_dict['adoc_rule']) as adoc_rule_file: + with open(adoc_templates_dict["adoc_rule"]) as adoc_rule_file: adoc_rule_template = Template(adoc_rule_file.read()) with open(adoc_templates_dict["adoc_supplemental"]) as adoc_supplemental_file: @@ -2273,11 +2348,11 @@ def main(): adoc_cmmc_show = ":show_CMMC:" else: adoc_cmmc_show = ":show_CMMC!:" - - if "indigo" in baseline_yaml['title']: + + if "indigo" in baseline_yaml["title"]: adoc_indigo_show = ":show_indigo:" else: - adoc_indigo_show=":show_indigo!:" + adoc_indigo_show = ":show_indigo!:" if "800" in baseline_yaml["title"]: adoc_171_show = ":show_171:" 
@@ -2289,7 +2364,7 @@ def main(): adoc_STIG_show = ":show_STIG:" adoc_cis_show = ":show_cis:" adoc_cmmc_show = ":show_CMMC:" - adoc_indigo_show=":show_indigo:" + adoc_indigo_show = ":show_indigo:" adoc_171_show = ":show_171:" else: adoc_tag_show = ":show_tags!:" @@ -2345,13 +2420,12 @@ def main(): adoc_output_file.write(adoc_additional_docs_template) # Create sections and rules - for sections in baseline_yaml['profile']: - section_yaml_file = sections['section'].lower() + '.yaml' - #check for custom section - if section_yaml_file in glob.glob1('../custom/sections/', '*.y*ml'): - #print(f"Custom settings found for section: {sections['section']}") - override_section = os.path.join( - f'../custom/sections/{section_yaml_file}') + for sections in baseline_yaml["profile"]: + section_yaml_file = sections["section"].lower() + ".yaml" + # check for custom section + if section_yaml_file in glob.glob1("../custom/sections/", "*.y*ml"): + # print(f"Custom settings found for section: {sections['section']}") + override_section = os.path.join(f"../custom/sections/{section_yaml_file}") with open(override_section) as r: section_yaml = yaml.load(r, Loader=yaml.SafeLoader) else: @@ -2368,12 +2442,16 @@ def main(): # Read all rules in the section and output them - for rule in sections['rules']: - logging.debug(f'processing rule id: {rule}') - rule_path = glob.glob('../rules/*/{}.y*ml'.format(rule)) + for rule in sections["rules"]: + logging.debug(f"processing rule id: {rule}") + rule_path = glob.glob("../rules/*/{}.y*ml".format(rule)) if not rule_path: - print(f"Rule file not found in library, checking in custom folder for rule: {rule}") - rule_path = glob.glob('../custom/rules/**/{}.y*ml'.format(rule), recursive=True) + print( + f"Rule file not found in library, checking in custom folder for rule: {rule}" + ) + rule_path = glob.glob( + "../custom/rules/**/{}.y*ml".format(rule), recursive=True + ) try: rule_file = os.path.basename(rule_path[0]) except IndexError: 
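Review bot: In the second hunk, `os.path.join(f"../custom/sections/{section_yaml_file}")` with a single argument is a no-op, and the name it builds is always `<section>.yaml` while the membership test uses `glob.glob1("../custom/sections/", "*.y*ml")`, so a custom section saved as `.yml` is listed but never matched; either pick the matching entry from the glob result or narrow the pattern so the two agree. `override_section = f"../custom/sections/{section_yaml_file}"` is enough for the path itself. In the third hunk the same function mixes the new f-string `f"processing rule id: {rule}"` with `"../rules/*/{}.y*ml".format(rule)` on adjacent lines; one style reads better. `main()` continues outside these hunks.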
@@ -2381,12 +2459,14 @@ def main(): f"defined rule {rule} does not have valid yaml file, check that rule ID and filename match." ) - #check for custom rule - if glob.glob('../custom/rules/**/{}.y*ml'.format(rule), recursive=True): + # check for custom rule + if glob.glob("../custom/rules/**/{}.y*ml".format(rule), recursive=True): print(f"Custom settings found for rule: {rule}") - #override_rule = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0] - rule_location = glob.glob('../custom/rules/**/{}.y*ml'.format(rule), recursive=True)[0] - custom=True + # override_rule = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0] + rule_location = glob.glob( + "../custom/rules/**/{}.y*ml".format(rule), recursive=True + )[0] + custom = True else: rule_location = rule_path[0] custom = False @@ -2444,25 +2524,25 @@ def main(): cmmc = ulify(rule_yaml["references"]["cmmc"]) try: - rule_yaml['references']['indigo'] + rule_yaml["references"]["indigo"] except KeyError: indigo = "" else: - indigo = ulify(rule_yaml['references']['indigo']) + indigo = ulify(rule_yaml["references"]["indigo"]) try: rule_yaml["references"]["srg"] except KeyError: srg = "- N/A" else: - srg = ulify(rule_yaml['references']['srg']) - + srg = ulify(rule_yaml["references"]["srg"]) + try: - rule_yaml['references']['sfr'] + rule_yaml["references"]["sfr"] except KeyError: - sfr = '- N/A' + sfr = "- N/A" else: - sfr = ulify(rule_yaml['references']['sfr']) + sfr = ulify(rule_yaml["references"]["sfr"]) try: rule_yaml["references"]["custom"] @@ -2476,7 +2556,7 @@ def main(): except KeyError: rulefix = "No fix Found" else: - rulefix = rule_yaml['fix'] # .replace('|', r'\|') + rulefix = rule_yaml["fix"] # .replace('|', r'\|') try: rule_yaml["tags"] 
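Review bot: `glob.glob("../custom/rules/**/{}.y*ml".format(rule), recursive=True)` is evaluated twice in the first hunk — once as the `if` condition and again to take `[0]` for `rule_location` — and the same recursive glob already ran in the previous hunk's fallback; binding it once, `custom_matches = glob.glob(...)`, then `if custom_matches: rule_location = custom_matches[0]`, avoids the repeated directory walks and any chance of the two calls disagreeing. The commented-out `# override_rule = ...` line was carried over; dead code is better deleted than reformatted. `main()` continues outside this hunk.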
@@ -2503,14 +2583,14 @@ def main(): result_value = result["base64"] else: result_value = "N/A" - + # determine severity, if severity is determined, build asciidoc table row for references # uses 'parent_values' from baseline.yaml file to determine which/if any severity to use severity = "" if "severity" in rule_yaml.keys(): if isinstance(rule_yaml["severity"], dict): try: - severity = f'|Severity\n|{rule_yaml["severity"][baseline_yaml["parent_values"]]}' + severity = f"|Severity\n|{rule_yaml['severity'][baseline_yaml['parent_values']]}" except KeyError: severity = "" 
@@ -2536,22 +2616,25 @@ def main(): nist_controls = "- N/A" if "manual" in tags: - discussion = rule_yaml['discussion'] + '\n\nNOTE: This rule is marked as manual and may not be able to be automated. It is also excluded in the compliance scan and will not report any results.\n' + discussion = ( + rule_yaml["discussion"] + + "\n\nNOTE: This rule is marked as manual and may not be able to be automated. It is also excluded in the compliance scan and will not report any results.\n" + ) else: - discussion = rule_yaml['discussion'] + discussion = rule_yaml["discussion"] - if 'supplemental' in tags: + if "supplemental" in tags: rule_adoc = adoc_supplemental_template.substitute( - rule_title=rule_yaml['title'].replace('|', r'\|'), - rule_id=rule_yaml['id'].replace('|', r'\|'), + rule_title=rule_yaml["title"].replace("|", r"\|"), + rule_id=rule_yaml["id"].replace("|", r"\|"), rule_discussion=discussion, ) elif custom_refs: rule_adoc = adoc_rule_custom_refs_template.substitute( - rule_title=rule_yaml['title'].replace('|', r'\|'), - rule_id=rule_yaml['id'].replace('|', r'\|'), - rule_discussion=discussion, #.replace('|', r'\|'), - rule_check=rule_yaml['check'], # .replace('|', r'\|'), + rule_title=rule_yaml["title"].replace("|", r"\|"), + rule_id=rule_yaml["id"].replace("|", r"\|"), + rule_discussion=discussion, # .replace('|', r'\|'), + rule_check=rule_yaml["check"], # .replace('|', r'\|'), rule_fix=rulefix, rule_cci=cci, rule_80053r5=nist_controls, 
@@ -2566,14 +2649,14 @@ def main(): rule_srg=srg, rule_sfr=sfr, rule_result=result_value, - severity=severity + severity=severity, ) elif ("permanent" in tags) or ("inherent" in tags) or ("n_a" in tags): rule_adoc = adoc_rule_no_setting_template.substitute( - rule_title=rule_yaml['title'].replace('|', r'\|'), - rule_id=rule_yaml['id'].replace('|', r'\|'), - rule_discussion=discussion, #.replace('|', r'\|'), - rule_check=rule_yaml['check'], # .replace('|', r'\|'), + rule_title=rule_yaml["title"].replace("|", r"\|"), + rule_id=rule_yaml["id"].replace("|", r"\|"), + rule_discussion=discussion, # .replace('|', r'\|'), + rule_check=rule_yaml["check"], # .replace('|', r'\|'), rule_fix=rulefix, rule_80053r5=nist_controls, rule_800171=nist_800171, @@ -2586,13 +2669,16 @@ def main(): rule_srg=srg, ) else: - #using the same rule template for ios/ipados/visionos - if version_yaml['platform'] == "iOS/iPadOS" or version_yaml['platform'] == "visionOS": + # using the same rule template for ios/ipados/visionos + if ( + version_yaml["platform"] == "iOS/iPadOS" + or version_yaml["platform"] == "visionOS" + ): rule_adoc = adoc_rule_ios_template.substitute( - rule_title=rule_yaml['title'].replace('|', r'\|'), - rule_id=rule_yaml['id'].replace('|', r'\|'), - rule_discussion=discussion, #.replace('|', r'\|'), - rule_check=rule_yaml['check'], # .replace('|', r'\|'), + rule_title=rule_yaml["title"].replace("|", r"\|"), + rule_id=rule_yaml["id"].replace("|", r"\|"), + rule_discussion=discussion, # .replace('|', r'\|'), + rule_check=rule_yaml["check"], # .replace('|', r'\|'), rule_fix=rulefix, rule_cci=cci, rule_80053r5=nist_controls, 
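Review bot: The reformatted platform test in the second hunk, `version_yaml["platform"] == "iOS/iPadOS" or version_yaml["platform"] == "visionOS"`, reads more clearly as a membership test, `if version_yaml["platform"] in ("iOS/iPadOS", "visionOS"):`, which also keeps the `# using the same rule template for ios/ipados/visionos` comment on the line directly above a one-line condition. `main()` continues outside this hunk.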
@@ -2606,14 +2692,14 @@ def main(): rule_srg=srg, rule_sfr=sfr, rule_result=result_value, - severity=severity + severity=severity, ) else: rule_adoc = adoc_rule_template.substitute( - rule_title=rule_yaml['title'].replace('|', r'\|'), - rule_id=rule_yaml['id'].replace('|', r'\|'), - rule_discussion=discussion, #.replace('|', r'\|'), - rule_check=rule_yaml['check'], # .replace('|', r'\|'), + rule_title=rule_yaml["title"].replace("|", r"\|"), + rule_id=rule_yaml["id"].replace("|", r"\|"), + rule_discussion=discussion, # .replace('|', r'\|'), + rule_check=rule_yaml["check"], # .replace('|', r'\|'), rule_fix=rulefix, rule_cci=cci, rule_80053r5=nist_controls, @@ -2627,7 +2713,7 @@ def main(): rule_srg=srg, rule_sfr=sfr, rule_result=result_value, - severity=severity + severity=severity, ) adoc_output_file.write(rule_adoc) @@ -2639,7 +2725,7 @@ def main(): adoc_output_file.write(footer_adoc) adoc_output_file.close() - if args.audit_name: + if args.audit_name: audit_name = args.audit_name else: audit_name = baseline_name @@ -2656,7 +2742,9 @@ def main(): if args.script: print("Generating compliance script...") - generate_script(baseline_name, audit_name, build_path, baseline_yaml, log_reference) + generate_script( + baseline_name, audit_name, build_path, baseline_yaml, log_reference + ) default_audit_plist(baseline_name, build_path, baseline_yaml) if args.xls: diff --git a/scripts/generate_scap.py b/scripts/generate_scap.py index 2a57eb58..7eaf5a16 100755 --- a/scripts/generate_scap.py +++ b/scripts/generate_scap.py @@ -158,6 +158,7 @@ def generate_scap(all_rules, all_baselines, args, stig): now = datetime.now() date_time_string = now.strftime("%Y-%m-%dT%H:%M:%S") + year = now.year filenameversion = version_yaml['version'].split(",")[1].replace(" ", "_")[1:] output = "../build/macOS_{0}_Security_Compliance_Benchmark-{1}".format(version_yaml['os'],filenameversion) 
@@ -187,13 +188,13 @@ def generate_scap(all_rules, all_baselines, args, stig): d = 1 ovalPrefix = ''' - + - 5.11.2 + 5.12.1 {0} - Copyright (c) 2020, NIST. + Copyright (c) {1}, NIST. macOS Security Compliance Project - '''.format(date_time_string) + '''.format(date_time_string, year) ostype = "macOS" if "ios" in version_yaml['cpe'] or "visionos" in version_yaml['cpe']: @@ -202,7 +203,7 @@ def generate_scap(all_rules, all_baselines, args, stig): ostype = "visionOS" xccdfPrefix = ''' - + draft {4} {1}: Security Configuration @@ -226,8 +227,8 @@ def generate_scap(all_rules, all_baselines, args, stig): '''.format(date_time_string, version_yaml['os'], version_yaml['version'],date_time_string.split("T")[0] + "Z", ostype) scapPrefix = ''' - - + + @@ -250,7 +251,7 @@ def generate_scap(all_rules, all_baselines, args, stig): - + draft macOS {1}: Security Configuration @@ -300,27 +301,18 @@ def generate_scap(all_rules, all_baselines, args, stig): for a in range(0, loop): rule_yaml = get_rule_yaml(rule_file, custom) - - try: + + try: + odv_keys = list(rule_yaml['odv'].keys()) - # # odv_label = list(rule_yaml['odv'].keys())[a] - # # odv_label.remove('hint') if args.baseline != "None": - odv_label = args.baseline - if args.baseline not in list(rule_yaml['odv'].keys())[a]: + if args.baseline in odv_keys: + odv_label = args.baseline + else: odv_label = "recommended" - # if args.baseline not in list(rule_yaml['odv'].keys())[a]: - # odv_label = "recommended" else: - odv_label = list(rule_yaml['odv'].keys())[a] - + odv_label = odv_keys[a] - - - # if odv_label == "hint": - # continue - - odv_value = str(rule_yaml['odv'][odv_label]) rule_yaml['title'] = rule_yaml['title'].replace("$ODV",str(odv_value)) 
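Review bot: In the last hunk, `odv_label = odv_keys[a]` indexes every key of the rule's `odv` mapping, so if that mapping carries a `hint` entry — the deleted `odv_label.remove('hint')` and `if odv_label == "hint": continue` comments suggest it does — a run without a baseline emits a `<rule id>_hint` variant whose `odv_value` is the hint text rather than a setting. Building the list as `odv_keys = [k for k in rule_yaml['odv'] if k != 'hint']` keeps index `a` aligned with real values, provided `loop` (computed outside this hunk) is derived from the same filtered list. The comparison `args.baseline != "None"` presumably relies on the argparse default being the literal string `"None"`; a short comment saying so would stop a reader from "fixing" it to `is not None`. The enclosing `try` and its `except` continue outside the hunk.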
@@ -482,7 +474,7 @@ def generate_scap(all_rules, all_baselines, args, stig): {7} {8} - '''.format(rule_yaml['id'] + "_" + odv_label, severity, rule_yaml['title'], rule_yaml['discussion'].replace("<","<").replace(">",">").replace("&","&").rstrip(), rule_yaml['check'].replace("<","<").replace(">",">").replace("&","&").rstrip(), result, cce,rule_yaml['fix'].replace("<","<").replace(">",">").replace("&","&") + "\n" + mobileconfig_info, check_rule, references) + '''.format(rule_yaml['id'] + "_" + odv_label, severity, rule_yaml['title'], escape(rule_yaml['discussion']).rstrip(), escape(rule_yaml['check']).rstrip(), result, cce,escape(rule_yaml['fix']) + "\n" + mobileconfig_info, check_rule, references) if export_as == "xccdf": mobileconfig_info = "" @@ -501,7 +493,7 @@ def generate_scap(all_rules, all_baselines, args, stig): {7} - '''.format(rule_yaml['id'] + "_" + odv_label, severity, rule_yaml['title'], rule_yaml['discussion'].replace("<","<").replace(">",">").replace("&","&").rstrip(), rule_yaml['check'].replace("<","<").replace(">",">").replace("&","&").rstrip(), result, cce,rule_yaml['fix'].replace("<","<").replace(">",">").replace("&","&") + "\n" + mobileconfig_info, references) + '''.format(rule_yaml['id'] + "_" + odv_label, severity, rule_yaml['title'], escape(rule_yaml['discussion']).rstrip(), escape(rule_yaml['check']).rstrip(), result, cce,escape(rule_yaml['fix']) + "\n" + mobileconfig_info, references) continue 
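Review bot: `rule_yaml['title']` (the third `.format` argument) is still inserted raw while `discussion`, `check` and `fix` now pass through `escape()`, so a title containing `&`, `<` or `>` would still produce malformed XCCDF; `escape(rule_yaml['title'])` makes the two templates consistent, and the same applies to the xccdf-only template in the second hunk. `mobileconfig_info` is concatenated after the escape call, so it is emitted verbatim — fine only if it is already escaped where it is built, which is outside this hunk. The import of `escape` is not in this diff, so presumably it is `xml.sax.saxutils.escape` already in scope; worth confirming it is that and not `re.escape`. Both hunks sit inside `generate_scap`, which continues outside them.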
@@ -509,2811 +501,112 @@ def generate_scap(all_rules, all_baselines, args, stig): if "inherent" in rule_yaml['tags'] or "n_a" in rule_yaml['tags'] or "permanent" in rule_yaml['tags']: xccdf_rules = replace_ocil(xccdf_rules,x) x += 1 - continue - if "time_machine" in rule_yaml['id'] and "encrypted" in rule_yaml['id']: - print(rule_yaml['id'] + " - Manual Check Required") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - if "objectIsForcedForKey" in rule_yaml['check']: - print(rule_yaml['id'] + " - Manual Check") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - if "bluetooth" in rule_yaml['id'] and "unpaired" in rule_yaml['id']: - print(rule_yaml['id'] + " - Manual Check Required") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - if rule_yaml['check'][0] != "/" and "[source,bash]" not in rule_yaml['fix']: - print(rule_yaml['id'] + " - Manual Check") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - if "hint" in rule_yaml['check'] and "dscl" in rule_yaml['check']: - print(rule_yaml['id'] + " - no relevant oval") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue + continue if "manual" in rule_yaml['tags']: print(rule_yaml['id'] + " - Manual Check") xccdf_rules = replace_ocil(xccdf_rules,x) x += 1 continue - if "eficheck" in rule_yaml['check']: - print(rule_yaml['id'] + " - eficheck - no relevant oval") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - if "newsyslog.conf" in rule_yaml['check'] or "asl.conf" in rule_yaml['check'] or "aslmanager" in rule_yaml['check']: - print(rule_yaml['id'] + " - Manual Check Required") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - if "/usr/bin/pwpolicy getaccountpolicies" in rule_yaml['check']: - print(rule_yaml['id'] + " - pwpolicy getaccountpolicies - no relevant oval") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - if "find" in rule_yaml['check'].split(" ")[0] and rule_yaml['id'] != 
"os_home_folders_secure": - print(rule_yaml['id'] + " - no relevant oval") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - if "/usr/sbin/firmwarepasswd" in rule_yaml['check']: - print(rule_yaml['id'] + " - no relevant oval") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - if "os_home_folders_secure" in rule_yaml['id']: - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label, rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - oval_object = oval_object + ''' - - - - - - - .* - oval:mscp:ste:{} - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x+999,x+999) - - oval_state = oval_state + ''' - - true - true - true - false - false - false - false - false - false - - - - ^[^_\s].* - 0 - 0 - /usr/bin/false - '''.format(rule_yaml['id'] + "_" + odv_label,x,x+999) - - oval_variable = oval_variable + ''' - - - '''.format(x,x+999) - x = x + 1 - continue - - if rule_yaml['mobileconfig']: - if "spctl" in rule_yaml['check']: - - if "verbose" in rule_yaml['check']: - xccdf_rules = replace_ocil(xccdf_rules,x) - x = x + 1 - continue - else: - - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - oval_object = oval_object + ''' - - '''.format(x,rule_yaml['id']) - - oval_state = oval_state + ''' - - true - '''.format(rule_yaml['id'] + "_" + odv_label,x) - - - x += 1 - continue - - for payload_type, info in rule_yaml['mobileconfig_info'].items(): - - if payload_type == "com.apple.systempolicy.control": - continue - if payload_type == "com.apple.ManagedClient.preferences": - for payload_domain, settings in 
info.items(): - oval_definition = oval_definition + ''' - - - {} - - - {} - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip()) - if len(settings) > 1: - oval_definition = oval_definition + '''''' - else: - oval_definition = oval_definition + '''''' - - for key, value in settings.items(): - state_kind = "" - if type(value) == bool: - state_kind = "boolean" - elif type(value) == int: - state_kind = "int" - elif type(value) == str: - state_kind = "string" - - dz = d + 5000 - oval_definition = oval_definition + ''''''.format(rule_yaml['id'] + '_' + odv_label + "_" + str(d), dz) - - oval_test = oval_test + ''' - - - - - - - '''.format(rule_yaml['id'] + "_" + odv_label + "_" + str(d),dz,dz,dz) - if payload_domain == "com.apple.dock": - - oval_object = oval_object + ''' - - /Library/Preferences/com.apple.loginwindow.plist - /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() - - - - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(x+1999,key,dz,x,key) - - oval_variable = oval_variable + ''' - - - /Library/Managed Preferences/ - - /com.apple.dock.plist - - '''.format(x,x+1999) - - else: - oval_object = oval_object + ''' - - /Library/Managed Preferences/{}.plist - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - - - '''.format(rule_yaml['id'] + "_" + odv_label,dz,payload_domain,key) - - - oval_state = oval_state + ''' - - {} - - '''.format(rule_yaml['id'] + "_" + odv_label,dz,state_kind,value) - d += 1 - x += 1 - oval_definition = oval_definition + ''' ''' - continue - for key, value in info.items(): - if key == "familyControlsEnabled": - xpath_search = "" - if len(info) > 1: - - xpath_search = info['pathBlackList'] - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip().replace("&","&"),rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + 
''' - - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - "" - oval_object = oval_object + ''' - - /Library/Managed Preferences/com.apple.applicationaccess.new.plist - boolean(plist/dict/array/string/text() = "{}") - - '''.format(rule_yaml['id'] + "_" + odv_label,x,str(xpath_search).replace('[',"").replace(']',"").replace("'","")) - - oval_state = oval_state + ''' - - true - - '''.format(rule_yaml['id'] + "_" + odv_label,x) - - x = x + 1 - continue - else: - - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - oval_object = oval_object + ''' - - /Library/Managed Preferences/{}.plist'''.format(rule_yaml['id'] + "_" + odv_label,x,payload_type) - - state_kind = "" - if type(value) == bool: - oval_object = oval_object + ''' - name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(key) - state_kind = "boolean" - elif type(value) == int: - state_kind = "int" - oval_object = oval_object + ''' - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - elif type(value) == str: - state_kind = "string" - oval_object = oval_object + ''' - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - - oval_state = oval_state + ''' - - {} - - '''.format(rule_yaml['id'] + "_" + odv_label,x,state_kind,value) - - x = x + 1 - continue - if payload_type == "com.apple.finder": - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip().replace("&","&"),rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - oval_object = oval_object + ''' - - 
/Library/Preferences/com.apple.loginwindow.plist - /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() - - - - '''.format(x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - - state_kind = "" - if type(value) == bool: - oval_object = oval_object + ''' - name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(key) - state_kind = "boolean" - elif type(value) == int: - state_kind = "int" - oval_object = oval_object + ''' - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - elif type(value) == str: - state_kind = "string" - oval_object = oval_object + ''' - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - - oval_state = oval_state + ''' - - {} - - '''.format(rule_yaml['id'] + "_" + odv_label,x,state_kind,value) - - - oval_variable = oval_variable + ''' - - - /Library/Managed Preferences/ - - /com.apple.finder.plist - - '''.format(x,x+1999) - x += 1 - continue - - if payload_type == "com.apple.DiscRecording": - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip().replace("&","&"),rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - oval_object = oval_object + ''' - - /Library/Preferences/com.apple.loginwindow.plist - /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() - - - - '''.format(x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - - state_kind = "" - if type(value) == bool: - oval_object = oval_object + ''' - name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(key) - state_kind = "boolean" - elif type(value) == int: - state_kind = "int" - oval_object = oval_object + ''' - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - elif type(value) == str: - state_kind = "string" - oval_object = oval_object + ''' - 
//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - - oval_state = oval_state + ''' - - {} - - '''.format(rule_yaml['id'] + "_" + odv_label,x,state_kind,value) - - - oval_variable = oval_variable + ''' - - - /Library/Managed Preferences/ - - /com.apple.DiscRecording.plist - - '''.format(x,x+1999) - x += 1 - continue - if payload_type == "com.apple.Safari" and key == "AutoOpenSafeDownloads": - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip().replace("&","&"),rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - oval_object = oval_object + ''' - - /Library/Preferences/com.apple.loginwindow.plist - /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() - - - - '''.format(x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - - state_kind = "" - if type(value) == bool: - oval_object = oval_object + ''' - name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(key) - state_kind = "boolean" - elif type(value) == int: - state_kind = "int" - oval_object = oval_object + ''' - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - elif type(value) == str: - state_kind = "string" - oval_object = oval_object + ''' - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - - oval_state = oval_state + ''' - - {} - - '''.format(rule_yaml['id'] + "_" + odv_label,x,state_kind,value) - - - oval_variable = oval_variable + ''' - - - /Library/Managed Preferences/ - - /com.apple.Safari.plist - - '''.format(x,x+1999) - x += 1 - continue - if payload_type == "com.apple.systempreferences" and key == "DisabledPreferencePanes" or payload_type == "com.apple.systempreferences" and key == "HiddenPreferencePanes" or payload_type == "com.apple.systempreferences" and key == "DisabledSystemSettings": 
- - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip().replace("&","&"),rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - oval_object = oval_object + ''' - - /Library/Preferences/com.apple.loginwindow.plist - /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() - - - - /plist/dict/key[string()="{}"]/following-sibling::*[1]/string[string()="{}"]/text() - - '''.format(x+1999,rule_yaml['id'] + "_" + odv_label,x,x,key,str(value).strip('[]').strip("'")) - - - oval_state = oval_state + ''' - - - {} - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,str(value).strip('[]').strip("'")) - - oval_variable = oval_variable + ''' - - - /Library/Managed Preferences/ - - /com.apple.systempreferences.plist - - '''.format(x,x+1999) - x += 1 - continue - - state_kind = "" - if type(value) == bool: - state_kind = "boolean" - elif type(value) == int: - state_kind = "int" - elif type(value) == str: - state_kind = "string" - try: - int(value) - state_kind = "int" - except: - pass - - elif type(value) == dict: - state_kind = "string" - else: - - continue - - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip().replace("&","&"),rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - oval_object = oval_object + ''' - - /Library/Managed Preferences/{}.plist'''.format(rule_yaml['id'] + "_" + odv_label,x,payload_type) - - if state_kind == "boolean": - oval_object = oval_object + ''' - name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(key) - else: - if payload_type == "com.apple.mobiledevice.passwordpolicy" and "customRegex" in info: - oval_object = 
oval_object + ''' - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format("passwordContentRegex") - oval_state = oval_state + ''' - - {} - - '''.format(rule_yaml['id'] + "_" + odv_label,x,state_kind,value['passwordContentRegex']) - x += 1 - continue - else: - oval_object = oval_object + ''' - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - - oval_state = oval_state + ''' - - {} - - '''.format(rule_yaml['id'] + "_" + odv_label,x,state_kind,value) - x += 1 - continue else: - command = rule_yaml['check'].split("/") - if "sntp" in rule_yaml['check']: - print(rule_yaml['id'] + " - No relevant oval test") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - if "xprotect status" in rule_yaml['check']: - print(rule_yaml['id'] + " - No relevant oval test") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - if "SPStorageDataType" in rule_yaml['check']: - - print(rule_yaml['id'] + " - No relevant oval test") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - try: - if "fdesetup" in command[3]: - - print(rule_yaml['id'] + " - No relevant oval test") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - except: - pass - try: - if "profiles" in command[3]: - if "/usr/bin/profiles status -type enrollment" in rule_yaml['check']: - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),x,x+899,x+799) + check_result = str() + for k,v in rule_yaml['result'].items(): + check_result = v + count_found = False - oval_test = oval_test + ''' - - - - - - - - - '''.format(x,x,x+899,x+899,x+799,x+799) + if " 2> /dev/null" in rule_yaml['check']: + rule_yaml['check'] = rule_yaml['check'].replace(" 2> /dev/null","") - oval_object = oval_object + ''' - - /Library/Managed Preferences/com.apple.extensiblesso.plist - - - /Library/Managed 
Preferences/com.apple.syspolicy.kernel-extension-policy.plist - - - /Library/Managed Preferences/com.apple.TCC.configuration-profile-policy.plist - '''.format(x,x+899,x+799) - x += 1 - continue - except: - pass - try: - if "csrutil" in command[3]: - if "authenticated-root" in command[3]: - - print(rule_yaml['id'] + " - No relevant oval test") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - oval_object = oval_object + ''' - - SPSoftwareDataType - - //*[contains(text(), "system_integrity")]/following-sibling::string[position()=1]/text() - - '''.format(rule_yaml['id'] + "_" + odv_label,x) - - oval_state = oval_state + ''' - - SPSoftwareDataType - - //*[contains(text(), "system_integrity")]/following-sibling::string[position()=1]/text() - integrity_enabled - - '''.format(rule_yaml['id'] + "_" + odv_label,x) - x += 1 - continue - except: - pass - if "pfctl" in rule_yaml['check']: - print(rule_yaml['id'] + " - No relevant oval test") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - if "dump-keychain" in rule_yaml['check']: - print(rule_yaml['id'] + " - No relevant oval test") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - try: - if "mdmclient" in command[3]: - print(rule_yaml['id'] + " - No relevant oval test") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - except: - pass - try: - if "nvram" in command[3]: - print(rule_yaml['id'] + " - No relevant oval test") - xccdf_rules = replace_ocil(xccdf_rules,x) - x += 1 - continue - except: - pass - - try: - if "pmset" in command[3] and "standby" in rule_yaml['check']: - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - - 
'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] +"_standbydelayhigh",x, rule_yaml['id'] +"_standbydelaylow",x+877, rule_yaml['id'] +"_highstandbythreshold",x+888) - - - oval_test = oval_test + ''' - - - - '''.format(rule_yaml['id'] + "_standbydelayhigh",x,x,x) - - oval_test = oval_test + ''' - - - - '''.format(rule_yaml['id'] + "_standbydelaylow",x+877,x+877,x+877) - - oval_test = oval_test + ''' - - - - '''.format(rule_yaml['id'] + "_highstandbythreshold",x+888,x+888,x+888) - - - standbydelayhigh = str() - standbydelaylow = str() - highstandbythreshold = str() - - for line in rule_yaml['fix'].split("----")[1].split("\n"): - if line == "": - continue - if "standbydelayhigh" in line: - standbydelayhigh = line.split(" ")[-1].rstrip() - if "standbydelaylow" in line: - standbydelaylow = line.split(" ")[-1].rstrip() - if "highstandbythreshold" in line: - highstandbythreshold = line.split(" ")[-1].rstrip() - - oval_object = oval_object + ''' - - SPHardwareDataType - - //*[contains(text(), "platform_UUID")]/following-sibling::string[position()=1]/text() - '''.format("hardware UUID",x+999) - - oval_variable = oval_variable + ''' - - - /Library/Preferences/com.apple.PowerManagement. 
- - .plist - - '''.format(x,x+999) - - oval_object = oval_object + ''' - - '''.format(rule_yaml['id'] + "_standbydelayhigh",x,x) - - oval_object = oval_object + ''' - boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") - '''.format("High Standby Delay",standbydelayhigh) - - - oval_object = oval_object + ''' - - '''.format(rule_yaml['id'] + "_standbydelaylow",x+877, x) - - oval_object = oval_object + ''' - boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") - '''.format("Standby Delay",standbydelaylow) - - oval_object = oval_object + ''' - - '''.format(rule_yaml['id'] + "_highstandbythreshold",x+888, x) - - oval_object = oval_object + ''' - boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") - '''.format("Standby Battery Threshold",highstandbythreshold) - - oval_state = oval_state + ''' - - true - '''.format(rule_yaml['id'] + "_standbydelayhigh",x) - - oval_state = oval_state + ''' - - true - '''.format(rule_yaml['id'] + "_standbydelaylow",x+877) - - oval_state = oval_state + ''' - - true - '''.format(rule_yaml['id'] + "_highstandbythreshold",x+888) - - x += 1 - continue - except: - pass - if "sudo -V" in rule_yaml['check']: - - - if "grep" in rule_yaml['check'].split("|")[1]: - oval_definition = oval_definition + ''' - - - {1} - - - {4} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+5051) - - oval_test = oval_test + ''' - - - - '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - - oval_test = oval_test + ''' - - - - '''.format(x+5051, rule_yaml['id'] + "_" + odv_label, x+5051) - - check_string = rule_yaml['fix'].split("echo")[1].split('"')[1] - - oval_object = oval_object + ''' - - - /etc/sudoers - {} - 1 - '''.format(x, rule_yaml['id'] + "_" + odv_label, check_string) + check_existance = "all_exist" - oval_object = oval_object + ''' - - - /etc/sudoers.d/ 
- .* - {} - 1 - '''.format(x+5051, rule_yaml['id'] + "_" + odv_label, check_string) - - - x = x + 1 - continue - - if "awk" in rule_yaml['check'].split("|")[1]: - if "timestamp_type" in rule_yaml['fix'] and rule_yaml['result']['string'] == "tty": - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+8000, rule_yaml['id'] + "_" + odv_label,x+8001, rule_yaml['id'] + "_" + odv_label,x+8002,rule_yaml['id'] + "_" + odv_label,x+8003) - - oval_test = oval_test + ''' - - - - '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - - oval_test = oval_test + ''' - - - - '''.format(x+8000, rule_yaml['id'] + "_" + odv_label, x+8000) - - oval_test = oval_test + ''' - - - - '''.format(x+8001, rule_yaml['id'] + "_" + odv_label, x+8001) - - oval_test = oval_test + ''' - - - - '''.format(x+8002, rule_yaml['id'] + "_" + odv_label, x+8002) - - - oval_object = oval_object + ''' - - - /etc/sudoers - timestamp_type - 1 - '''.format(x, rule_yaml['id'] + "_" + odv_label) - - - oval_object = oval_object + ''' - - - /etc/sudoers.d/ - .* - timestamp_type - 1 - '''.format(x+8000, rule_yaml['id'] + "_" + odv_label) - - oval_object = oval_object + ''' - - - /etc/sudoers.d/ - .* - !tty_tickets - 1 - '''.format(x+8001, rule_yaml['id'] + "_" + odv_label) - oval_object = oval_object + ''' - - - /etc/sudoers.d/ - .* - !tty_tickets - 1 - '''.format(x+8002, rule_yaml['id'] + "_" + odv_label) - x = x + 1 - continue - else: - check_string = "Defaults.*.timestamp_type={}".format(rule_yaml['result']['string']) - - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+8000, rule_yaml['id'] + "_" + 
odv_label,x+8001, rule_yaml['id'] + "_" + odv_label,x+8002,rule_yaml['id'] + "_" + odv_label,x+8003) - - oval_test = oval_test + ''' - - - - '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - - oval_test = oval_test + ''' - - - - '''.format(x+5000, rule_yaml['id'] + "_" + odv_label, x+7000) - - oval_object = oval_object + ''' - - - /etc/sudoers - {} - 1 - '''.format(x, rule_yaml['id'] + "_" + odv_label, check_string) - - - oval_object = oval_object + ''' - - - /etc/sudoers.d/ - .* - {} - 1 - '''.format(x+7000, rule_yaml['id'] + "_" + odv_label, check_string) - - x = x + 1 - continue - - if "ssh_config" in rule_yaml['discussion'] and "dscl" in rule_yaml['check']: - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+5010, rule_yaml['id'] + "_" + odv_label,x+5025) - - oval_test = oval_test + ''' - - - - '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - - oval_test = oval_test + ''' - - - - '''.format(x+5010, rule_yaml['id'] + "_" + odv_label, x+5010) - oval_test = oval_test + ''' - - - - '''.format(x+5025, rule_yaml['id'] + "_" + odv_label, x+5025) - regex = r"(?<=grep).*$" - matches = re.finditer(regex, rule_yaml['check'], re.MULTILINE) - matchy_match = "" - for matchNum, match in enumerate(matches, start=1): - matchy_match = match.group() + if "/usr/bin/grep -c" in rule_yaml['check']: + if "echo \"1\"" not in rule_yaml['check'] or "echo \"0\"" not in rule_yaml['check']: + if "/usr/bin/ssh -G ." 
not in rule_yaml['check']: + if "auditd_enabled" not in rule_yaml['id']: + if "/usr/sbin/sshd -G" not in rule_yaml['check']: - ssh_config_pattern = matchy_match.split('"')[1] + rule_yaml['check'] = rule_yaml['check'].replace("/usr/bin/grep -c ", "/usr/bin/grep ") + count_found = True + if check_result == 0: + check_existance = "none_exist" - - oval_object = oval_object + ''' - - - /etc/ssh/ssh_config - {} - 1 - '''.format(x, rule_yaml['id'] + "_" + odv_label, ssh_config_pattern) - - - oval_object = oval_object + ''' - - - /etc/ssh/ssh_config.d/ - .* - {} - 1 - '''.format(x+5010, rule_yaml['id'] + "_" + odv_label, ssh_config_pattern) - - oval_object = oval_object + ''' - - - {} - 1 - - - - - - .* - oval:mscp:ste:{} - '''.format(x+5025,rule_yaml['id'] + "_" + odv_label,x,ssh_config_pattern,x+999,x+999) - - oval_state = oval_state + ''' - - ^[^_\s].* - 0 - 0 - /usr/bin/false - '''.format(x+999) - - oval_variable = oval_variable + ''' - - - - /.ssh/config - - '''.format(x,x+999) - x = x + 1 - continue - if "sshd -T" in rule_yaml['check'] and "fips" in rule_yaml['check'] or "sshd -G" in rule_yaml['check'] and "fips" in rule_yaml['check']: - fipslist = rule_yaml['check'].split("\n")[0].split("(")[1].replace(")","").replace('" "',"\n").replace('"',"") - - - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+6000, rule_yaml['id'] + "_" + odv_label,x+6001) - - oval_test = oval_test + ''' - - - - '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - - oval_test = oval_test + ''' - - - - '''.format(x+6000, rule_yaml['id'] + "_" + odv_label, x+6000) - - oval_object = oval_object + ''' - - - /etc/ssh/sshd_config - {} - 1 - '''.format(x, rule_yaml['id'] + "_" + odv_label, fipslist) - - - oval_object = oval_object + ''' - - - /etc/ssh/sshd_config.d/ - .* - {} - 1 - 
'''.format(x+6000, rule_yaml['id'] + "_" + odv_label, fipslist) - - x = x + 1 - - continue - if "sshd -T" in rule_yaml['check'] or "sshd -G" in rule_yaml['check']: - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+6000, rule_yaml['id'] + "_" + odv_label,x+6001) - - oval_test = oval_test + ''' - - - - '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - - oval_test = oval_test + ''' - - - - '''.format(x+6000, rule_yaml['id'] + "_" + odv_label, x+6000) - sshd_config_pattern = "" - if "grep" in rule_yaml['check']: - regex = r"(?<=grep).*$" - matches = re.finditer(regex, rule_yaml['check'], re.MULTILINE) - matchy_match = "" - for matchNum, match in enumerate(matches, start=1): - matchy_match = match.group() - sshd_config_pattern = "" - if '"' in matchy_match: - sshd_config_pattern = matchy_match.split('"')[1] - elif "'" in matchy_match: - sshd_config_pattern = matchy_match.split("'")[1] - - if "awk" in rule_yaml['check']: - matchy_match = rule_yaml['check'].split("'")[1].split("/")[1] - for item in rule_yaml['result']: - sshd_config_pattern = matchy_match + " " + str(rule_yaml['result'][item]) - - oval_object = oval_object + ''' - - - /etc/ssh/sshd_config - {} - 1 - '''.format(x, rule_yaml['id'] + "_" + odv_label, sshd_config_pattern) - - - oval_object = oval_object + ''' - - - /etc/ssh/sshd_config.d/ - .* - {} - 1 - '''.format(x+6000, rule_yaml['id'] + "_" + odv_label, sshd_config_pattern) - - - x = x + 1 - continue - try: - if "pmset" in command[3]: - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - 
oval_object = oval_object + ''' - - /Library/Preferences/com.apple.PowerManagement.plist'''.format(rule_yaml['id'] + "_" + odv_label,x) - pmset_key = str() - if "powernap" in rule_yaml['check']: - pmset_key = "DarkWakeBackgroundTasks" - if "womp" in rule_yaml['check']: - pmset_key = "Wake On LAN" - - oval_object = oval_object + ''' - boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") - '''.format(pmset_key,rule_yaml['fix'].split("----")[1].replace("\n","")[-1]) - - oval_state = oval_state + ''' - - true - '''.format(rule_yaml['id'] + "_" + odv_label,x) - x += 1 - continue - except: - pass - if "socketfilterfw" in rule_yaml['check']: - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x) - oval_test = oval_test + ''' - - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - if rule_yaml['check'].split()[1] == "--getloggingmode": - firewall_variable = "loggingenabled" - elif rule_yaml['check'].split()[1] == "--getstealthmode": - firewall_variable = "stealthenabled" - elif rule_yaml['check'].split()[1] == "--getglobalstate": - firewall_variable = "globalstate" - - oval_object = oval_object + ''' - - /Library/Preferences/com.apple.alf.plist - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(rule_yaml['id'] + "_" + odv_label,x,firewall_variable) - - oval_state = oval_state + ''' - - 1 - '''.format(rule_yaml['id'] + "_" + odv_label,x) - x += 1 - continue - try: - if "systemsetup" in command[3]: - oval_definition = oval_definition + ''' - - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - oval_object = oval_object + ''' - - 
'''.format(rule_yaml['id'] + "_" + odv_label,x) - state_test = "" - if "-getnetworktimeserver" in rule_yaml['check']: - - timeservers = rule_yaml['result']['string'] - - state_test = ''' - {} - '''.format(timeservers) - oval_state = oval_state + ''' - - {} - '''.format(rule_yaml['id'] + "_" + odv_label,x,state_test) - - - except: - pass - - abc = 0 - if "defaults" in rule_yaml['check'] and "grep" in rule_yaml['check'] and "CURRENT_USER" in rule_yaml['check']: - - regex = r"(?<=\()(.*?)(?=\))" - - test_str = rule_yaml['check'].split("grep")[1] - - matches = re.finditer(regex, test_str, re.MULTILINE) - matchy_match = "" - for matchNum, match in enumerate(matches, start=1): - matchy_match = match.group() - - - oval_definition = oval_definition + ''' - - - {} - - - {} - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x) - - for multi_grep in matchy_match.split("|"): - - oval_definition = oval_definition + ''' - - '''.format(rule_yaml['id']+"_"+str(abc),x) - - oval_test = oval_test + ''' - - - - '''.format(rule_yaml['id']+"_"+str(abc),x,x,x) - - key = matchy_match.split("|")[abc].split(" = ")[0].replace("\"","") - value = matchy_match.split("|")[abc].split(" = ")[1].replace(";","") - if "$CURRENT_USER" in rule_yaml['check']: - - - oval_object = oval_object + ''' - - .* - oval:mscp:ste:{} - - '''.format(x+1999,x+1999) - - oval_state = oval_state + ''' - - ^[^_\s].* - 0 - 0 - /usr/bin/false - '''.format(x+1999) - plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") - - - - oval_variable = oval_variable + ''' - - - - /Library/Preferences/{}. 
- plist - - '''.format(x,x+1999,plist) - - - oval_object = oval_object + ''' - - '''.format(rule_yaml['id']+"_"+str(abc),x,x) - - oval_datatype = "" - try: - int(value) - - oval_datatype = "int" - oval_object = oval_object + ''' - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - except: - if value.lower() == "true" or value.lower == "false": - oval_datatype = "boolean" - oval_object = oval_object + ''' - name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(key) - else: - oval_datatype = "string" - oval_object = oval_object + ''' - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - oval_state = oval_state + ''' - - {} - '''.format(rule_yaml['id']+"_"+str(abc),x,oval_datatype,value) - - abc =+ 1 - x = x+1 - oval_definition = oval_definition + ''' - ''' - oval_definition = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', oval_definition) - - x = x+1 - break - - - if "defaults" in rule_yaml['check']: - - if rule_yaml['id'] == "system_settings_hot_corners_secure" or rule_yaml['id'] == "sysprefs_hot_corners_secure": - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label,x+5000,rule_yaml['id'] + "_" + odv_label,x+5001,rule_yaml['id'] + "_" + odv_label,x+5002) - - oval_test = oval_test + ''' - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - oval_test = oval_test + ''' - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x+5000,x+5000,x+5000) - - oval_test = oval_test + ''' - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x+5001,x+5001,x+5001) - - oval_test = oval_test + ''' - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x+5002,x+5002,x+5002) - - plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") - check_length = len(rule_yaml['check'].split()) - key = 
rule_yaml['check'].split("\n")[0].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - - oval_object = oval_object + ''' - - .* - oval:mscp:ste:{} - - - - - '''.format(x+1999,x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - - key = rule_yaml['check'].split("\n")[1].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - - oval_object = oval_object + ''' - - - '''.format(rule_yaml['id'] + "_" + odv_label,x+5000,x) - - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - - key = rule_yaml['check'].split("\n")[2].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - - oval_object = oval_object + ''' - - - '''.format(rule_yaml['id'] + "_" + odv_label,x+5001,x) - - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - - key = rule_yaml['check'].split("\n")[3].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - - oval_object = oval_object + ''' - - - '''.format(rule_yaml['id'] + "_" + odv_label,x+5002,x) - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - - oval_state = oval_state + ''' - - ^[^_\s].* - 0 - 0 - /usr/bin/false - '''.format(x+1999) - - - after_user = plist.split('"')[2] - oval_variable = oval_variable + ''' - - - - {} - .plist - - '''.format(x,x+1999,after_user,x+999) - try: - check_if = rule_yaml['check'].split("\n")[5] - - modifier = 0 - for n in check_if.split(): - - if n.replace('"',"").isdigit(): - if modifier >= 4999: - modifier = modifier + 1 - oval_state = oval_state + ''' - {} - '''.format(rule_yaml['id'] + "_" + odv_label,x+modifier,n.replace('"',"")) - if modifier == 0: - modifier = 4999 - x = x + 1 - continue - except: - x = x + 1 - continue - - - - oval_definition = oval_definition + ''' - - 
- {} - - - {} - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") - - if "ByHost" in rule_yaml['fix'] or "currentHost" in rule_yaml['fix']: - - oval_object = oval_object + ''' - - SPHardwareDataType - - //*[contains(text(), "platform_UUID")]/following-sibling::string[position()=1]/text() - '''.format("hardware UUID",x+999) - - if "$CURRENT_USER" in rule_yaml['check']: - - - check_length = len(rule_yaml['check'].split()) - key = rule_yaml['check'].split()[check_length-1] - - oval_object = oval_object + ''' - - .* - oval:mscp:ste:{} - - - - - '''.format(x+1999,x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - - try: - rule_yaml['result']['boolean'] - oval_object = oval_object + ''' - name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(key) - except: - - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - oval_state = oval_state + ''' - - ^[^_\s].* - 0 - 0 - /usr/bin/false - '''.format(x+1999) - - oval_variable = oval_variable + ''' - - - - /Library/Preferences/ByHost/{}. - - .plist - - '''.format(x,x+1999,plist,x+999) - - - - else: - - check_length = len(rule_yaml['check'].split()) - key = rule_yaml['check'].replace(" 2>/dev/null","").split()[check_length-1] - - oval_object = oval_object + ''' - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x) - - try: - rule_yaml['result']['boolean'] - oval_object = oval_object + ''' - name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(key) - except: - oval_object = oval_object + ''' - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - - oval_variable = oval_variable + ''' - - - {}. 
- - .plist - - '''.format(x,plist,x+999) - - elif "$CURRENT_USER" in rule_yaml['check']: - - - check_length = len(rule_yaml['check'].split()) - key = rule_yaml['check'].replace(" 2>/dev/null","").split()[-1] - - oval_object = oval_object + ''' - - .* - oval:mscp:ste:{} - - - - - '''.format(x+1999,x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - - try: - rule_yaml['result']['boolean'] - oval_object = oval_object + ''' - name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(key) - except: - - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - oval_state = oval_state + ''' - - ^[^_\s].* - 0 - 0 - /usr/bin/false - '''.format(x+1999) - - oval_variable = oval_variable + ''' - - - - /Library/Preferences/{}. - plist - - '''.format(x,x+1999,plist,x+999) - - else: - - if plist[-6:] != ".plist": - plist = plist + ".plist" - - plist_key = rule_yaml['check'].replace(" 2>/dev/null","").split(" ")[3].rstrip() - oval_object = oval_object + ''' - - {}'''.format(rule_yaml['id'] + "_" + odv_label,x,plist) - - try: - rule_yaml['result']['boolean'] - oval_object = oval_object + ''' - name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(plist_key) - except: - oval_object = oval_object + ''' - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(plist_key) - - - datatype = "" - plist_key = rule_yaml['check'].split(" ")[3].rstrip() - for key in rule_yaml['result']: - datatype = key - if datatype == "integer": - oval_datatype = "int" - - else: - oval_datatype = datatype - - if oval_datatype == "boolean" and rule_yaml['result'][datatype] == 0: - value = "false" - elif oval_datatype == "boolean" and rule_yaml['result'][datatype] == 1: - value = "true" - else: - value = rule_yaml['result'][datatype] - - oval_state = oval_state + ''' - - {} - '''.format(rule_yaml['id'] + "_" + odv_label,x,oval_datatype,value) - oval_definition = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', 
oval_definition) - x = x+1 - - continue - try: - if "security" in command[3]: - if rule_yaml['check'].split()[1] == "authorizationdb": - check = rule_yaml['check'].split("|") - - authdb = rule_yaml['check'].split()[3] - if len(check) > 2: - - matches = re.findall(r'(?<=\>)(.*)(?=\<)',check[1]) - key = str(matches).replace("[","").replace("]","").replace("'","") - - length = len(check[2].split()) - - last_string = check[2].split()[length-1].replace('"',"").replace("<","").replace(">","").replace("/","") - - - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - oval_object = oval_object + ''' - - {} - boolean(//key[text()="{}"]/following-sibling::{}) - '''.format(rule_yaml['id'] + "_" + odv_label,x,authdb,key,last_string) - - oval_state = oval_state + ''' - - - true - '''.format(rule_yaml['id'] + "_" + odv_label,x) - else: - key = (check[1].split()[2].replace("'","")) - key = key.split('>')[1].split('<')[0] - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - oval_object = oval_object + ''' - - {} - //*[contains(text(), "{}")]/text() - '''.format(rule_yaml['id'] + "_" + odv_label,x,authdb,key) - - oval_state = oval_state + ''' - - {} - '''.format(rule_yaml['id'] + "_" + odv_label,x,key) - - else: - if "authorizationdb" in rule_yaml['check']: - regex = r"=\(.*.\)" - matchy_match = [] - matches = re.finditer(regex, rule_yaml['check'], re.MULTILINE) - for matchNum, match in enumerate(matches, start=1): - matchy_match = 
match.group().replace('=(',"").replace(")","").replace('"','').split() - - oval_definition = oval_definition + ''' - - - {} - - - {} - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&")) - - for match in matchy_match: - oval_definition = oval_definition + ''' - - '''.format(rule_yaml['id'] + "+" + match, x) - oval_test = oval_test + ''' - - - - '''.format(match,x,x,x) - key="shared" - value="" - if "false" in rule_yaml["check"]: - value="false" - else: - value="true" - - oval_object = oval_object + ''' - - {} - boolean(//key[text()="{}"]/following-sibling::{}) - '''.format(match,x,match,key,value) - - oval_state = oval_state + ''' - - - true - '''.format(match,x) - x += 1 - - oval_definition = oval_definition + "" - x += 1 - continue - except: - pass - if "/bin/rm" in rule_yaml['fix'] and "/bin/ls" in rule_yaml['check']: - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x) - oval_test = oval_test + ''' - - - '''.format(x,rule_yaml['id'] + "_" + odv_label,x) - - path = rule_yaml['fix'].split("----")[1].split(" ")[-1] - - oval_object = oval_object + ''' - - {} - - '''.format(x,rule_yaml['id'] + "_" + odv_label,path.rstrip()) - x += 1 - continue - - try: - if "ls" in command[2] or "stat" in command[3].split()[0]: - if '/Library/Security/PolicyBanner.rtf' in rule_yaml['check']: - - - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label,x+2999) - - oval_test = oval_test + ''' - - - - - - '''.format(x,rule_yaml['id'] + "_" + odv_label,x,x+2999,rule_yaml['id'] + "_" + odv_label,x+2999) - - oval_object = oval_object + ''' - - /Library/Security/PolicyBanner.rtf - - - - 
/Library/Security/PolicyBanner.rtfd - - '''.format(x,rule_yaml['id'] + "_" + odv_label,x+2999,rule_yaml['id']) - x = x + 1 - continue - - s = rule_yaml['check'] - config_file = str() - oval_variable_need = bool() - if "grep" in s.split()[2]: - - - oval_variable_need = True - grep_search = re.search('\((.*?)\)', s).group(1) - - substring = grep_search.split("|")[0] - regex = re.search('\'(.*?)\'', substring).group(1) - - try: - regex = re.search('/(.*?)/', regex).group(1) - except: - regex = regex - - config_file = substring = grep_search.split("|")[0].split()[-1] - - oval_object = oval_object + ''' - - {} - {}:\s*(.*)$ - 1 - - '''.format(rule_yaml['id'] + "_" + odv_label, x+999, config_file, regex) - - oval_variable = oval_variable + ''' - - - '''.format(x,rule_yaml['id'] + "_" + odv_label,x+999) - - else: - oval_variable_need = False - config_file = s.split()[2] - - s = rule_yaml['fix'] - - fix_command = re.search('-\n(.*?)\n-', s).group(1).split('$')[0] - - oval_definition = oval_definition + ''' - - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&").rstrip(),rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - '''.format(x,rule_yaml['id'] + "_" + odv_label,x,x) - - if "-" in fix_command and "R" in fix_command or rule_yaml['fix'].split("\n")[2][-1] == "*": - behavior = '' - if "audit" in rule_yaml['id']: - filename = 'current' - else: - behavior = "" - filename = '' - - if oval_variable_need == True: - oval_object = oval_object + ''' - - {} - - {} - '''.format(rule_yaml['id'] + "_" + odv_label,x,behavior,x,filename) - else: - oval_object = oval_object + ''' - - {} - {} - - '''.format(rule_yaml['id'] + "_" + odv_label,x,behavior,config_file) - state_test = "" - if "-" in fix_command and "N" in fix_command and "chmod" in fix_command: - state_test = ''' - false - ''' - - elif "chgrp" in fix_command: - state_test = ''' - {} - 
'''.format(rule_yaml['result']['integer']) - - elif "chown" in fix_command: - - state_test = ''' - {} - '''.format(rule_yaml['result']['integer']) - - - elif "chmod" in fix_command: - - perms = fix_command.split()[1] - - if perms[0] == "0": - state_test = ''' - false - false - false''' - if perms[0] == "1": - state_test = ''' - false - false - true''' - elif perms[0] == "2": - state_test = ''' - false - true - false''' - elif perms[0] == "3": - state_test = ''' - false - true - true''' - elif perms[0] == "4": - - state_test = ''' - true - false - false''' - elif perms[0] == "5": - state_test = ''' - true - false - true''' - elif perms[0] == "6": - state_test = ''' - true - true - false''' - elif perms[0] == "7": - state_test = ''' - true - true - true''' - - if perms[1] == "0": - state_test = state_test + ''' - false - false - false''' - elif perms[1] == "1": - state_test = state_test + ''' - false - false - true''' - elif perms[1] == "2": - state_test = state_test + ''' - false - true - false''' - elif perms[1] == "3": - state_test = state_test + ''' - false - true - true''' - elif perms[1] == "4": - - state_test = state_test + ''' - true - false - false''' - elif perms[1] == "5": - state_test = state_test + ''' - true - false - true''' - elif perms[1] == "6": - state_test = state_test + ''' - true - true - false''' - elif perms[1] == "7": - state_test = state_test + ''' - true - true - true''' - - if perms[2] == "0": - - state_test = state_test + ''' - false - false - false''' - if perms[2] == "1": - state_test = state_test + ''' - false - false - true''' - elif perms[2] == "1": - state_test = state_test + ''' - false - false - true''' - elif perms[2] == "2": - state_test = state_test + ''' - false - true - false''' - elif perms[2] == "3": - state_test = state_test + ''' - false - true - true''' - elif perms[2] == "4": - state_test = state_test + ''' - true - false - false''' - elif perms[2] == "5": - state_test = state_test + ''' - true - false - true''' - elif 
perms[2] == "6": - state_test = state_test + ''' - true - true - false''' - elif perms[2] == "7": - state_test = state_test + ''' - true - true - true''' - - oval_state = oval_state + ''' - '''.format(rule_yaml['id'] + "_" + odv_label,x) + state_test + ''' - - ''' - - x += 1 - continue - except: - pass - try: - if "dscl" in command[3]: - if "UserShell" in rule_yaml['check']: - shell = rule_yaml['check'].split()[9].replace('"','') - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].replace("&","&"),rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - - oval_object = oval_object + ''' - - {} - - '''.format(rule_yaml['id'] + "_" + odv_label,x,command[5].split()[0]) - - oval_state = oval_state + ''' - - {} - - '''.format(rule_yaml['id'] + "_" + odv_label,x,shell) - x += 1 - continue - except: - pass - try: - if "awk" in command[3]: - awk_file = "" - awk_search = "" - field_sep = "" - - if "grep -qE" in rule_yaml['fix']: - awk_file = rule_yaml['fix'].split(" ")[3].strip(" ") - awk_search = rule_yaml['fix'].split(" ")[2].strip("\"") - - elif "grep" in rule_yaml['check']: - - awk_file = rule_yaml['check'].split("|")[0].split(" ")[-2] - awk_search = rule_yaml['check'].split("|")[-1].split(" ")[-2].strip("\'") - - else: - awk_file = rule_yaml['check'].split("'")[2].strip(" ") - awk_search = rule_yaml['check'].split("'")[1].split("/")[1] - - try: - field_sep = rule_yaml['check'].split("-F")[1].split(" ")[0].replace('\"',"") - - except: - field_sep = " " - - try: - - awk_result = rule_yaml['result']['string'] - - except: - - awk_result = str(rule_yaml['result']['integer']) - - if awk_search[0] != "^": - awk_search = "^" + awk_search + field_sep + awk_result - else: - awk_search = awk_search + field_sep + awk_result - - - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - 
- '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) - oval_test = oval_test + ''' - - - - '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - oval_object = oval_object + ''' - - {} - {} - 1 - - '''.format(x,rule_yaml['id'] + "_" + odv_label,awk_file.rstrip(), awk_search) - x += 1 - continue - except: - pass - try: - if "grep" in command[3] and not "pgrep" in command[3]: - - if "bannerText" in rule_yaml['check'] or "fips_" in rule_yaml['check']: - - text_to_find = rule_yaml['check'].split("=")[1].split('"')[1] - - matches = text_to_find.replace(".","\.").replace(")","\)").replace("(","\(").replace("*","\*") - - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) - oval_test = oval_test + ''' - - - - '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - - file_path = rule_yaml["check"].split(" ")[-1].rstrip() - - oval_object = oval_object + ''' - - {} - {} - 1 - '''.format(x,rule_yaml['id'] + "_" + odv_label,file_path,matches) - - x += 1 - continue - else: - - s = rule_yaml['check'] - - try: - - grep_search = re.search('"(.*?)"', s).group(1) - - except: - - grep_search = re.search('\'(.*?)\'', s).group(1) - - - grep_file = rule_yaml['check'].split(grep_search,1)[1].split(" ")[1] - - - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) - oval_test = oval_test + ''' - - - - '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - oval_object = oval_object + ''' - - {} - {} - 1 - - '''.format(x,rule_yaml['id'] + "_" + odv_label,grep_file.rstrip(),grep_search) - x += 1 - continue - except: - pass - try: - if "launchctl" in command[2] or "launchctl" in rule_yaml['fix']: - if 
("disable" in command[2] and "=> true" in rule_yaml['check'] or "unload -w" in rule_yaml['fix'] or "disable" in command[2] and "=> disabled" in rule_yaml['check']) or ("disable" in rule_yaml['fix']): - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label,x+999) - oval_test = oval_test + ''' - - - - - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x,x+999,rule_yaml['id'] + "_" + odv_label,x+999) - - domain = str() - if "launchctl" not in rule_yaml['check']: - if "launchctl disable system/" in rule_yaml["fix"]: - domain = rule_yaml['fix'].split()[4].split('/')[1] - else: - domain = rule_yaml['fix'].split()[4].split('/')[4].replace(".plist","") - else: - s = command[5].split()[2] - domain = re.search('"(.*?)"', s).group(1) - - oval_object = oval_object + ''' - - /var/db/com.apple.xpc.launchd/disabled.plist - name(//*[contains(text(), "{}")]/following-sibling::*[1]) - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,domain,x+999,rule_yaml['id'] + "_" + odv_label,domain.replace('(','').replace(')','')) - - status = "" - if "enable" in rule_yaml["fix"]: - status = "false" - else: - status = "true" - oval_state = oval_state + ''' - - {} - '''.format(rule_yaml['id'] + "_" + odv_label,x,status) - - elif "launchctl unload" in rule_yaml['fix'] or "launchctl disable" in rule_yaml['fix']: - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label,x+999) - - oval_test = oval_test + ''' - - - '''.format(x,rule_yaml['id'] + "_" + odv_label,x) - - domain = str() - - if "launchctl" not in rule_yaml['check']: - domain = rule_yaml['fix'].split()[4].split('/')[4].replace(".plist","") - - else: - s = 
command[5].split()[2] - domain = re.search('"(.*?)"', s).group(1) - - oval_object = oval_object + ''' - - - '''.format(x, rule_yaml['id'] + "_" + odv_label,domain.replace('(','').replace(')','')) - - - - - elif "defaults write" in rule_yaml['fix']: - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x) - - oval_test = oval_test + ''' - - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - plist = rule_yaml['fix'].split(" ")[2].replace(".plist","") - - if "ByHost" in rule_yaml['fix'] or "currentHost" in rule_yaml['fix']: - - oval_object = oval_object + ''' - - SPHardwareDataType - - //*[contains(text(), "platform_UUID")]/following-sibling::string[position()=1]/text() - '''.format("hardware UUID",x+999) - - if "$CURRENT_USER" in rule_yaml['check']: - - - - key = rule_yaml['fix'].split("defaults")[1].split(" ")[3] - - oval_object = oval_object + ''' - - .* - oval:mscp:ste:{} - - - - - '''.format(x+1999,x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - - if rule_yaml['fix'].split("defaults")[1].split(" ")[4] == "-bool": - rule_yaml['result']['boolean'] - oval_object = oval_object + ''' - name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(key) - else: - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - oval_state = oval_state + ''' - - ^[^_\s].* - 0 - 0 - /usr/bin/false - '''.format(x+1999) - - oval_variable = oval_variable + ''' - - - - /Library/Preferences/ByHost/{}. 
- - .plist - - '''.format(x,x+1999,plist,x+999) - - - - else: - - - key = rule_yaml['fix'].split("defaults")[1].split(" ")[3] - - oval_object = oval_object + ''' - - - '''.format(rule_yaml['id'] + "_" + odv_label,x,x) - - - if rule_yaml['fix'].split("defaults")[1].split(" ")[4] == "-bool": - - oval_object = oval_object + ''' - name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(key) - else: - oval_object = oval_object + ''' - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - - oval_variable = oval_variable + ''' - - - {}. - - .plist - - '''.format(x,plist,x+999) + if "launchctl list" in rule_yaml['check']: + rule_yaml['check'] = rule_yaml['check'].replace("launchctl list", "launchctl print system") + if "auditd_enabled" in rule_yaml['id']: + rule_yaml['check'] = rule_yaml['check'].replace("/usr/bin/grep -c com.apple.auditd", "/usr/bin/grep -c '\"com.apple.auditd\" => enabled'") + - elif "$CURRENT_USER" in rule_yaml['check']: - - - check_length = len(rule_yaml['check'].split()) - key = rule_yaml['fix'].split("defaults")[1].split(" ")[3] - - oval_object = oval_object + ''' - - .* - oval:mscp:ste:{} - - - - - '''.format(x+1999,x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - - if rule_yaml['fix'].split("defaults")[1].split(" ")[4] == "-bool": - - oval_object = oval_object + ''' - name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(key) - else: - - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - oval_state = oval_state + ''' - - ^[^_\s].* - 0 - 0 - /usr/bin/false - '''.format(x+1999) - - oval_variable = oval_variable + ''' - - - - /Library/Preferences/{}. 
- plist - - '''.format(x,x+1999,plist,x+999) - - else: - - if plist[-6:] != ".plist": - plist = plist + ".plist" - plist_key = rule_yaml['fix'].split("defaults")[1].split(" ")[3] - - oval_object = oval_object + ''' - - {}'''.format(rule_yaml['id'] + "_" + odv_label,x,plist) - - try: - rule_yaml['result']['boolean'] - oval_object = oval_object + ''' - name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(plist_key) - except: - oval_object = oval_object + ''' - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(plist_key) - - - datatype = "" - plist_key = rule_yaml['fix'].split("defaults")[1].split(" ")[3] - - oval_datatype = rule_yaml['fix'].split("defaults")[1].split(" ")[4].replace("-","") - - if oval_datatype == "integer": - oval_datatype = "int" - - if oval_datatype == "bool": - oval_datatype = "boolean" - - value = rule_yaml['fix'].split("defaults")[1].split(" ")[5].replace(";","") - - oval_state = oval_state + ''' - - {} - '''.format(rule_yaml['id'] + "_" + odv_label,x,oval_datatype,value) - oval_definition = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', oval_definition) - - - x = x+1 + if "/usr/bin/wc -l" in rule_yaml['check']: + new_test = [] + for command in rule_yaml['check'].split("|"): + if "/usr/bin/wc -l" in command: + break + new_test.append(command.strip()) + count_found = True - continue - else: - oval_definition = oval_definition + ''' - - - {} - - - {} - - - - - '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) + rule_yaml['check'] = "|".join(new_test) + if check_result == 0: + check_existance = "none_exist" + - oval_test = oval_test + ''' - - - '''.format(x,rule_yaml['id'] + "_" + odv_label,x) - - domain = command[5].split()[2] - domain = domain.replace('"','').replace("'",'') - ########### - label_obj = '