usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 14:03:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity

Updated baseline files

Browse Source
This commit is contained in:
Bob Gendler
2025-12-17 15:25:50 -05:00
parent c8c9a916a2
commit a65a7c4a2f
9 changed files with 63 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
baselines/800-53r5_high.yaml
View File

@@ -30,6 +30,7 @@ profile:
- os_airdrop_unmanaged_destination_enable
- os_airplay_incoming_password_require
- os_airplay_outgoing_password_require
- os_airprint_credential_storage_disable
- os_airprint_force_trusted_TLS
- os_allow_contacts_read_managed_sources_unmanaged_destinations_disable
- os_allow_contacts_write_managed_sources_unmanaged_destinations_disable
@@ -40,6 +41,8 @@ profile:
- os_application_allow_list
- os_authentication_password_autofill_enable
- os_auto_unlock_disable
- os_automatic_app_download_disable
- os_bluetooth_modification_disable
- os_call_recording_disable
- os_chat_disable
- os_default_browser_modification_disable
@@ -50,6 +53,7 @@ profile:
- os_diagnostics_reports_modification_disable
- os_disallow_enterprise_app_trust
- os_erase_contents_and_settings_disable
- os_facetime_disable
- os_files_network_drive_access_disable
- os_files_usb_drive_access_disable
- os_find_my_friends_disable
@@ -57,6 +61,7 @@ profile:
- os_force_encrypted_backups_enable
- os_genmoji_disable
- os_handoff_disable
- os_ibeacon_airprint_disable
- os_image_playground_disable
- os_image_wand_disable
- os_install_vpn_configuration_disable
@@ -66,6 +71,7 @@ profile:
- os_mail_smart_reply_disable
- os_marketplace_prevent
- os_modify_cellular_data_app_settings_disable
- os_movie_content_allowed
- os_new_device_proximity_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
@@ -94,6 +100,7 @@ profile:
- os_supervised_mdm_require
- os_system_settings_find_my_device_disable
- os_system_settings_find_my_friends_modification_disable
- os_tv_content_allowed
- os_usb_accessories_when_locked_disable
- os_visual_intelligence_summary
- os_voice_dialing_when_locked_disabled

7
baselines/800-53r5_low.yaml
View File

@@ -28,6 +28,7 @@ profile:
- os_account_modification_disable
- os_airdrop_disable
- os_airdrop_unmanaged_destination_enable
- os_airprint_credential_storage_disable
- os_allow_contacts_read_managed_sources_unmanaged_destinations_disable
- os_allow_contacts_write_managed_sources_unmanaged_destinations_disable
- os_allow_documents_managed_sources_unmanaged_destinations_disable
@@ -35,6 +36,8 @@ profile:
- os_apple_watch_pairing_disable
- os_apple_watch_wrist_detection_enable
- os_authentication_password_autofill_enable
- os_automatic_app_download_disable
- os_bluetooth_modification_disable
- os_call_recording_disable
- os_chat_disable
- os_default_browser_modification_disable
@@ -45,11 +48,13 @@ profile:
- os_diagnostics_reports_modification_disable
- os_disallow_enterprise_app_trust
- os_erase_contents_and_settings_disable
- os_facetime_disable
- os_find_my_friends_disable
- os_force_date_and_time_enable
- os_force_encrypted_backups_enable
- os_genmoji_disable
- os_handoff_disable
- os_ibeacon_airprint_disable
- os_image_playground_disable
- os_image_wand_disable
- os_install_vpn_configuration_disable
@@ -59,6 +64,7 @@ profile:
- os_mail_smart_reply_disable
- os_marketplace_prevent
- os_modify_cellular_data_app_settings_disable
- os_movie_content_allowed
- os_new_device_proximity_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
@@ -84,6 +90,7 @@ profile:
- os_supervised_mdm_require
- os_system_settings_find_my_device_disable
- os_system_settings_find_my_friends_modification_disable
- os_tv_content_allowed
- os_usb_accessories_when_locked_disable
- os_visual_intelligence_summary
- os_voice_dialing_when_locked_disabled

7
baselines/800-53r5_moderate.yaml
View File

@@ -30,6 +30,7 @@ profile:
- os_airdrop_unmanaged_destination_enable
- os_airplay_incoming_password_require
- os_airplay_outgoing_password_require
- os_airprint_credential_storage_disable
- os_airprint_force_trusted_TLS
- os_allow_contacts_read_managed_sources_unmanaged_destinations_disable
- os_allow_contacts_write_managed_sources_unmanaged_destinations_disable
@@ -40,6 +41,8 @@ profile:
- os_application_allow_list
- os_authentication_password_autofill_enable
- os_auto_unlock_disable
- os_automatic_app_download_disable
- os_bluetooth_modification_disable
- os_call_recording_disable
- os_chat_disable
- os_default_browser_modification_disable
@@ -50,6 +53,7 @@ profile:
- os_diagnostics_reports_modification_disable
- os_disallow_enterprise_app_trust
- os_erase_contents_and_settings_disable
- os_facetime_disable
- os_files_network_drive_access_disable
- os_files_usb_drive_access_disable
- os_find_my_friends_disable
@@ -57,6 +61,7 @@ profile:
- os_force_encrypted_backups_enable
- os_genmoji_disable
- os_handoff_disable
- os_ibeacon_airprint_disable
- os_image_playground_disable
- os_image_wand_disable
- os_install_vpn_configuration_disable
@@ -66,6 +71,7 @@ profile:
- os_mail_smart_reply_disable
- os_marketplace_prevent
- os_modify_cellular_data_app_settings_disable
- os_movie_content_allowed
- os_new_device_proximity_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
@@ -94,6 +100,7 @@ profile:
- os_supervised_mdm_require
- os_system_settings_find_my_device_disable
- os_system_settings_find_my_friends_modification_disable
- os_tv_content_allowed
- os_usb_accessories_when_locked_disable
- os_visual_intelligence_summary
- os_voice_dialing_when_locked_disabled

19
baselines/all_rules.yaml
View File

@@ -30,6 +30,7 @@ profile:
- os_airdrop_unmanaged_destination_enable
- os_airplay_incoming_password_require
- os_airplay_outgoing_password_require
- os_airprint_credential_storage_disable
- os_airprint_disable
- os_airprint_force_trusted_TLS
- os_allow_contacts_read_managed_sources_unmanaged_destinations_disable
@@ -44,7 +45,10 @@ profile:
- os_auto_correction_disable
- os_auto_dim_allow
- os_auto_unlock_disable
- os_automatic_app_download_disable
- os_bluetooth_modification_disable
- os_call_recording_disable
- os_camera_disable
- os_chat_disable
- os_default_browser_modification_disable
- os_default_calling_modification_disable
@@ -58,18 +62,22 @@ profile:
- os_erase_contents_and_settings_disable
- os_esim_delete
- os_esim_transfers_disable
- os_exchange_SMIME_encryption_certificate_overwirte_disable
- os_exchange_SMIME_encryption_certificate_overwrite_disable
- os_exchange_SMIME_encryption_default_certificate_overwrite_enable
- os_exchange_SMIME_encryption_enforce
- os_exchange_SMIME_encryption_per_message_disable
- os_exchange_SMIME_signing_certificate_overwirte_disable
- os_exchange_SMIME_signing_certificate_overwrite_disable
- os_exchange_SMIME_signing_enabled
- os_exchange_SMIME_signing_overwrite_disable
- os_exchange_mail_recents_sync_disable
- os_exchange_notes_disable
- os_exchange_notes_user_override_disable
- os_exchange_peraccountVPN
- os_exchange_prevent_move_enforce
- os_exchange_reminders_disable
- os_exchange_reminders_user_override_disable
- os_external_intelligence_integration_disable
- os_external_intelligence_integration_sign_in_disable
- os_facetime_disable
- os_files_network_drive_access_disable
- os_files_usb_drive_access_disable
- os_find_my_friends_disable
@@ -77,6 +85,8 @@ profile:
- os_force_encrypted_backups_enable
- os_genmoji_disable
- os_handoff_disable
- os_hide_apps_disable
- os_ibeacon_airprint_disable
- os_image_playground_disable
- os_image_wand_disable
- os_install_configuration_profile_disable
@@ -92,6 +102,7 @@ profile:
- os_mail_summary_disable
- os_marketplace_prevent
- os_modify_cellular_data_app_settings_disable
- os_movie_content_allowed
- os_network_known_only
- os_new_device_proximity_disable
- os_notes_transcription_disable
@@ -107,6 +118,7 @@ profile:
- os_predictive_keyboard_disable
- os_rapid_security_responses_install_enable
- os_rapid_security_responses_remove_disable
- os_rcs_messaging_disable
- os_require_managed_pasteboard_enforce
- os_safari_JavaScript_disable
- os_safari_cookies_set
@@ -130,6 +142,7 @@ profile:
- os_supervised_mdm_require
- os_system_settings_find_my_device_disable
- os_system_settings_find_my_friends_modification_disable
- os_tv_content_allowed
- os_unpaired_boot_disable
- os_untrusted_tls_disable
- os_update_OTAPKI_allow

1
baselines/cnssi-1253_high.yaml
View File

@@ -39,6 +39,7 @@ profile:
- os_application_allow_list
- os_authentication_password_autofill_enable
- os_auto_unlock_disable
- os_bluetooth_modification_disable
- os_call_recording_disable
- os_chat_disable
- os_default_browser_modification_disable

1
baselines/cnssi-1253_low.yaml
View File

@@ -39,6 +39,7 @@ profile:
- os_application_allow_list
- os_authentication_password_autofill_enable
- os_auto_unlock_disable
- os_bluetooth_modification_disable
- os_call_recording_disable
- os_chat_disable
- os_default_browser_modification_disable

1
baselines/cnssi-1253_moderate.yaml
View File

@@ -39,6 +39,7 @@ profile:
- os_application_allow_list
- os_authentication_password_autofill_enable
- os_auto_unlock_disable
- os_bluetooth_modification_disable
- os_call_recording_disable
- os_chat_disable
- os_default_browser_modification_disable

21
baselines/indigo_base.yaml
View File

@@ -1,13 +1,13 @@
title: "iOS/iPadOS 26.0.1: Security Configuration - BSI indigo iOS 26.0.1 Base Configuration - Version 1.4"
title: "iOS/iPadOS 26.0: Security Configuration - BSI indigo iOS 26.x Base Configuration"
description: |
This guide describes the actions to take when securing an iOS/iPadOS 26.0.1 system against the BSI indigo iOS 26.0.1 Base Configuration security baseline, version 1.4, released on 2025-10-16.
This guide describes the actions to take when securing a iOS/iPadOS 26.0 system against the BSI indigo iOS 26.x Base Configuration security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
*macOS Security Compliance Project*
|===
|Henry Stamerjohann|Declarative IT GmbH
|Henry Stamerjohann|Zentral Pro Services GmbH
|Allen Golbig|Jamf
|Bob Gendler|National Institute of Standards and Technology
|===
@@ -40,9 +40,10 @@ profile:
- os_exchange_notes_disable
- os_exchange_notes_user_override_disable
- os_exchange_peraccountVPN
- os_exchange_prevent_move_enforce
- os_exchange_reminders_disable
- os_exchange_reminders_user_override_disable
- os_external_intelligence_integration_disable
- os_external_intelligence_integration_sign_in_disable
- os_files_network_drive_access_disable
- os_files_usb_drive_access_disable
- os_force_date_and_time_enable
@@ -55,15 +56,12 @@ profile:
- os_mail_block_remote_content
- os_mail_maildrop_disable
- os_mail_move_messages_disable
- os_mail_summary_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
- os_external_intelligence_integration_disable
- os_external_intelligence_integration_sign_in_disable
- os_mail_smart_reply_disable
- os_visual_intelligence_summary
- os_mail_summary_disable
- os_marketplace_prevent
- os_new_device_proximity_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
- os_on_device_dictation_enforce
- os_on_device_translation_enforce
- os_pairing_non_configurator_hosts_disable
@@ -72,12 +70,12 @@ profile:
- os_predictive_keyboard_disable
- os_rapid_security_responses_install_enable
- os_require_managed_pasteboard_enforce
- os_safari_reader_summary_disable
- os_screen_observation_remote_disable
- os_screen_observation_unprompted_disable
- os_screenshots_disable
- os_show_control_center_lock_screen_disable
- os_show_notification_center_lock_screen_disable
- os_siri_allow_dictation_disable
- os_siri_assistant_disable
- os_siri_user_generated_content_disable
- os_siri_when_locked_disabled
@@ -86,6 +84,7 @@ profile:
- os_update_enforced_software_update_delay
- os_usb_accessories_when_locked_disable
- os_video_conferencing_remote_control_disable
- os_visual_intelligence_summary
- os_web_distribution_app_installation_disable
- os_writing_tools_disable
- section: "passwordpolicy"

26
baselines/indigo_high.yaml
View File

@@ -1,13 +1,13 @@
title: "iOS/iPadOS 26.0.1: Security Configuration - BSI indigo iOS 26.0.1 High Configuration - Version 1.4"
title: "iOS/iPadOS 26.0: Security Configuration - BSI indigo iOS 26.x High Configuration"
description: |
This guide describes the actions to take when securing an iOS/iPadOS 26.0.1 system against the BSI indigo iOS 26.0.1 High Configuration security baseline, version 1.4, released on 2025-10-16.
This guide describes the actions to take when securing a iOS/iPadOS 26.0 system against the BSI indigo iOS 26.x High Configuration security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
*macOS Security Compliance Project*
|===
|Henry Stamerjohann|Declarative IT GmbH
|Henry Stamerjohann|Zentral Pro Services GmbH
|Allen Golbig|Jamf
|Bob Gendler|National Institute of Standards and Technology
|===
@@ -50,21 +50,21 @@ profile:
- os_diagnostics_reports_modification_disable
- os_disallow_enterprise_app_trust
- os_enterprise_books_disable
- os_esim_transfers_disable
- os_exchange_SMIME_encryption_certificate_overwirte_disable
- os_exchange_SMIME_encryption_certificate_overwrite_disable
- os_exchange_SMIME_encryption_default_certificate_overwrite_enable
- os_exchange_SMIME_encryption_enforce
- os_exchange_SMIME_encryption_per_message_disable
- os_exchange_SMIME_signing_certificate_overwirte_disable
- os_exchange_SMIME_signing_certificate_overwrite_disable
- os_exchange_SMIME_signing_enabled
- os_exchange_SMIME_signing_overwrite_disable
- os_exchange_mail_recents_sync_disable
- os_exchange_notes_disable
- os_exchange_notes_user_override_disable
- os_exchange_peraccountVPN
- os_exchange_prevent_move_enforce
- os_exchange_reminders_disable
- os_exchange_reminders_user_override_disable
- os_external_intelligence_integration_disable
- os_external_intelligence_integration_sign_in_disable
- os_files_network_drive_access_disable
- os_files_usb_drive_access_disable
- os_find_my_friends_disable
@@ -80,16 +80,13 @@ profile:
- os_mail_block_remote_content
- os_mail_maildrop_disable
- os_mail_move_messages_disable
- os_mail_summary_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
- os_external_intelligence_integration_disable
- os_external_intelligence_integration_sign_in_disable
- os_mail_smart_reply_disable
- os_visual_intelligence_summary
- os_mail_summary_disable
- os_marketplace_prevent
- os_network_known_only
- os_new_device_proximity_disable
- os_notes_transcription_disable
- os_notes_transcription_summary_disable
- os_on_device_dictation_enforce
- os_on_device_translation_enforce
- os_pairing_non_configurator_hosts_disable
@@ -106,6 +103,7 @@ profile:
- os_safari_cookies_set
- os_safari_force_fraud_warning_enable
- os_safari_popups_disable
- os_safari_reader_summary_disable
- os_screen_observation_remote_disable
- os_screen_observation_unprompted_disable
- os_screenshots_disable
@@ -113,6 +111,7 @@ profile:
- os_show_notification_center_lock_screen_disable
- os_siri_allow_dictation_disable
- os_siri_assistant_disable
- os_siri_server_logging_disable
- os_siri_user_generated_content_disable
- os_siri_when_locked_disabled
- os_spell_check_disable
@@ -126,6 +125,7 @@ profile:
- os_update_enforced_software_update_delay
- os_usb_accessories_when_locked_disable
- os_video_conferencing_remote_control_disable
- os_visual_intelligence_summary
- os_voice_dialing_when_locked_disabled
- os_web_distribution_app_installation_disable
- os_writing_tools_disable