From c45c52db8736d095c8fecef154e01e4ad8894841 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 22 Sep 2020 14:32:51 -0400 Subject: [PATCH] removed deleted rule and edited discussion --- baselines/800-53_high.yaml | 2 -- rules/os/os_implement_cryptography.yaml | 1 + rules/os/os_implement_memory_protection.yaml | 2 ++ rules/os/os_required_crypto_module.yaml | 1 + rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml | 2 +- 5 files changed, 5 insertions(+), 3 deletions(-) diff --git a/baselines/800-53_high.yaml b/baselines/800-53_high.yaml index 01f83f06..55b92bb6 100644 --- a/baselines/800-53_high.yaml +++ b/baselines/800-53_high.yaml @@ -124,7 +124,6 @@ profile: - os_ssh_fips_140_ciphers - os_ssh_fips_140_macs - os_ssh_login_grace_time_configure - - os_ssh_max_sessions_configure - os_ssh_permit_root_login_configure - os_sudoers_tty_configure - os_system_wide_preferences_configure @@ -154,7 +153,6 @@ profile: - os_fail_secure_state - os_implement_memory_protection - os_implement_cryptography - - os_implement_random_address_space - os_isolate_security_functions - os_limit_gui_sessions - os_logical_access diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml index c8e3a436..220c19c4 100644 --- a/rules/os/os_implement_cryptography.yaml +++ b/rules/os/os_implement_cryptography.yaml @@ -8,6 +8,7 @@ discussion: | macOS Catalina is in process of receiving FIPS validation from the National Institute of Standards and Technology (NIST). link:https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/Modules-In-Process-List[] + link:https://support.apple.com/en-us/HT201159[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement using FIPS Validated Cryptographic Modules. diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml index 7feb44bc..f7890f89 100644 --- a/rules/os/os_implement_memory_protection.yaml +++ b/rules/os/os_implement_memory_protection.yaml @@ -8,7 +8,9 @@ discussion: | macOS supports address space layout randomization (ASLR), position-independent executable (PIE), Stack Canaries, and NX stack and heap protection. link:https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/64bitPorting/transition/transition.html[] + link:https://developer.apple.com/library/archive/qa/qa1788/_index.html[] + link:https://www.apple.com/macos/security/[] check: | diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml index 72bdc619..2cf158c3 100644 --- a/rules/os/os_required_crypto_module.yaml +++ b/rules/os/os_required_crypto_module.yaml @@ -6,6 +6,7 @@ discussion: | macOS Catalina is in process of receiving FIPS validation from the National Institute of Standards and Technology (NIST). link:https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/Modules-In-Process-List[] + link:https://support.apple.com/en-us/HT201159[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml index c4527037..f8b13da8 100644 --- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml @@ -1,7 +1,7 @@ id: pwpolicy_emergency_accounts_disable title: "Automatically Remove or Disable Emergency Accounts within 72 Hours" discussion: | - The macOS MUST be configured to automatically remove or disable emergency accounts within 72 hours or less. + The macOS is able to be configured to automatically remove or disable emergency accounts within 72 hours or less. Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.