From c7c5f8fcb4457370861b8d2831b53847763811c4 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Fri, 1 Oct 2021 15:07:59 -0400 Subject: [PATCH 1/8] cisv8 ref and tags monterey --- rules/audit/audit_auditd_enabled.yaml | 4 ++++ rules/audit/audit_flags_aa_configure.yaml | 5 +++++ rules/audit/audit_flags_ad_configure.yaml | 5 +++++ rules/audit/audit_flags_ex_configure.yaml | 5 +++++ rules/audit/audit_flags_fd_configure.yaml | 5 +++++ rules/audit/audit_flags_fm_configure.yaml | 5 +++++ rules/audit/audit_flags_fr_configure.yaml | 5 +++++ rules/audit/audit_flags_fw_configure.yaml | 5 +++++ rules/audit/audit_flags_lo_configure.yaml | 5 +++++ rules/audit/audit_off_load_records.yaml | 2 ++ rules/audit/audit_retention_configure.yaml | 4 ++++ rules/auth/auth_pam_login_smartcard_enforce.yaml | 5 +++++ rules/auth/auth_pam_su_smartcard_enforce.yaml | 5 +++++ rules/auth/auth_pam_sudo_smartcard_enforce.yaml | 5 +++++ rules/auth/auth_smartcard_allow.yaml | 5 +++++ rules/auth/auth_smartcard_enforce.yaml | 5 +++++ rules/auth/auth_ssh_password_authentication_disable.yaml | 5 +++++ rules/icloud/icloud_addressbook_disable.yaml | 5 +++++ rules/icloud/icloud_appleid_prefpane_disable.yaml | 4 ++++ rules/icloud/icloud_bookmarks_disable.yaml | 5 +++++ rules/icloud/icloud_calendar_disable.yaml | 5 +++++ rules/icloud/icloud_drive_disable.yaml | 5 +++++ rules/icloud/icloud_keychain_disable.yaml | 5 +++++ rules/icloud/icloud_mail_disable.yaml | 5 +++++ rules/icloud/icloud_notes_disable.yaml | 5 +++++ rules/icloud/icloud_photos_disable.yaml | 5 +++++ rules/icloud/icloud_reminders_disable.yaml | 5 +++++ rules/icloud/icloud_sync_disable.yaml | 5 +++++ rules/os/os_access_control_mobile_devices.yaml | 3 +++ rules/os/os_airdrop_disable.yaml | 5 +++++ rules/os/os_appleid_prompt_disable.yaml | 4 ++++ rules/os/os_auth_peripherals.yaml | 3 +++ rules/os/os_authenticated_root_enable.yaml | 3 +++ rules/os/os_bonjour_disable.yaml | 4 ++++ rules/os/os_calendar_app_disable.yaml | 4 ++++ rules/os/os_config_data_install_enforce.yaml | 5 +++++ 
rules/os/os_directory_services_configured.yaml | 3 +++ rules/os/os_facetime_app_disable.yaml | 4 ++++ rules/os/os_filevault_autologin_disable.yaml | 4 ++++ rules/os/os_firewall_log_enable.yaml | 5 +++++ rules/os/os_gatekeeper_enable.yaml | 5 +++++ rules/os/os_gatekeeper_rearm.yaml | 3 +++ rules/os/os_handoff_disable.yaml | 4 ++++ rules/os/os_hbss_installed.yaml | 6 ++++++ rules/os/os_httpd_disable.yaml | 4 ++++ rules/os/os_icloud_storage_prompt_disable.yaml | 4 ++++ rules/os/os_internet_accounts_prefpane_disable.yaml | 4 ++++ rules/os/os_ir_support_disable.yaml | 5 +++++ rules/os/os_logical_access.yaml | 4 ++++ rules/os/os_mail_app_disable.yaml | 4 ++++ rules/os/os_malicious_code_prevention.yaml | 5 +++++ rules/os/os_mdm_require.yaml | 4 ++++ rules/os/os_messages_app_disable.yaml | 4 ++++ rules/os/os_mfa_network_access.yaml | 3 +++ rules/os/os_nfsd_disable.yaml | 4 ++++ rules/os/os_obscure_password.yaml | 3 +++ rules/os/os_parental_controls_enable.yaml | 3 +++ rules/os/os_password_autofill_disable.yaml | 4 ++++ rules/os/os_password_proximity_disable.yaml | 4 ++++ rules/os/os_password_sharing_disable.yaml | 4 ++++ rules/os/os_privacy_setup_prompt_disable.yaml | 4 ++++ rules/os/os_root_disable.yaml | 3 +++ rules/os/os_secure_name_resolution.yaml | 3 +++ rules/os/os_sip_enable.yaml | 5 +++++ rules/os/os_siri_prompt_disable.yaml | 4 ++++ rules/os/os_skip_unlock_with_watch_enabled.yaml | 3 +++ rules/os/os_store_encrypted_passwords.yaml | 3 +++ rules/os/os_tftpd_disable.yaml | 5 +++++ rules/os/os_time_server_enabled.yaml | 3 +++ rules/os/os_touchid_prompt_disable.yaml | 3 +++ rules/os/os_unique_identification.yaml | 4 ++++ rules/os/os_uucp_disable.yaml | 5 +++++ rules/pwpolicy/pwpolicy_60_day_enforce.yaml | 3 +++ rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml | 3 +++ rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml | 3 +++ .../pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml | 3 +++ rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml | 3 +++ 
rules/pwpolicy/pwpolicy_force_password_change.yaml | 3 +++ rules/pwpolicy/pwpolicy_history_enforce.yaml | 3 +++ rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml | 3 +++ rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml | 3 +++ rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml | 3 +++ rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml | 3 +++ rules/pwpolicy/pwpolicy_special_character_enforce.yaml | 3 +++ rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml | 3 +++ rules/sysprefs/sysprefs_airplay_receiver_disable.yaml | 4 ++++ rules/sysprefs/sysprefs_bluetooth_disable.yaml | 5 +++++ rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml | 5 +++++ rules/sysprefs/sysprefs_content_caching_disable.yaml | 4 ++++ .../sysprefs/sysprefs_critical_update_install_enforce.yaml | 5 +++++ rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml | 4 ++++ rules/sysprefs/sysprefs_filevault_enforce.yaml | 4 ++++ rules/sysprefs/sysprefs_find_my_disable.yaml | 5 +++++ rules/sysprefs/sysprefs_firewall_enable.yaml | 5 +++++ rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml | 5 +++++ rules/sysprefs/sysprefs_guest_access_smb_disable.yaml | 5 +++++ rules/sysprefs/sysprefs_guest_account_disable.yaml | 5 +++++ rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml | 4 ++++ rules/sysprefs/sysprefs_internet_sharing_disable.yaml | 4 ++++ rules/sysprefs/sysprefs_location_services_disable.yaml | 4 ++++ rules/sysprefs/sysprefs_media_sharing_disabled.yaml | 4 ++++ .../sysprefs/sysprefs_personalized_advertising_disable.yaml | 4 ++++ rules/sysprefs/sysprefs_power_nap_disable.yaml | 4 ++++ rules/sysprefs/sysprefs_rae_disable.yaml | 4 ++++ rules/sysprefs/sysprefs_screen_sharing_disable.yaml | 4 ++++ rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml | 3 +++ rules/sysprefs/sysprefs_siri_disable.yaml | 4 ++++ rules/sysprefs/sysprefs_smbd_disable.yaml | 4 ++++ rules/sysprefs/sysprefs_ssh_disable.yaml | 4 ++++ rules/sysprefs/sysprefs_time_server_configure.yaml | 3 +++ 
rules/sysprefs/sysprefs_time_server_enforce.yaml | 3 +++ rules/sysprefs/sysprefs_wifi_disable.yaml | 4 ++++ 112 files changed, 459 insertions(+) diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index efe9106d..9fb99ced 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -61,6 +61,9 @@ references: - 3.3.1 - 3.3.2 - 3.3.7 + cisv8: + - 8.2 + - 8.5 macOS: - "12.0" tags: @@ -72,6 +75,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index 72fd9af2..9754e640 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml @@ -37,6 +37,10 @@ references: 800-171r2: - 3.3.1 - 3.3.2 + cisv8: + - 3.14 + - 8.2 + - 8.5 macOS: - "12.0" tags: @@ -49,6 +53,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index ebb56f29..0a22abc7 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -52,6 +52,10 @@ references: - 3.1.7 - 3.3.1 - 3.3.2 + cisv8: + - 3.14 + - 8.2 + - 8.5 macOS: - "12.0" tags: @@ -64,6 +68,7 @@ tags: - 800-53r5_low - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index 690e3e94..d0a7d787 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml @@ -37,6 +37,10 @@ references: 800-171r2: - 3.3.1 - 3.3.2 + cisv8: + - 3.14 + - 8.2 + - 8.5 macOS: - "12.0" tags: 
@@ -49,5 +53,6 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index d5e80558..742ae0a4 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml @@ -42,6 +42,10 @@ references: - N/A 800-171r2: - N/A + cisv8: + - 3.14 + - 8.2 + - 8.5 macOS: - "12.0" tags: @@ -49,6 +53,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index 0036ba86..7bc34da8 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -42,10 +42,15 @@ references: - N/A 800-171r2: - N/A + cisv8: + - 3.14 + - 8.2 + - 8.5 macOS: - "12.0" tags: - stig + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index 546dad7f..a054a5b4 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml @@ -44,6 +44,10 @@ references: - 3.3.1 - 3.3.2 - 3.3.8 + cisv8: + - 3.14 + - 8.2 + - 8.5 macOS: - "12.0" tags: @@ -56,6 +60,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index 2f11dbd8..f638b800 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml @@ -43,6 +43,10 @@ references: - 3.3.1 - 3.3.2 - 3.3.8 + cisv8: + - 3.14 + - 8.2 + - 8.5 macOS: - "12.0" tags: 
@@ -55,6 +59,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index 33e594d9..34453690 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -40,6 +40,10 @@ references: - 3.1.12 - 3.3.1 - 3.3.2 + cisv8: + - 3.14 + - 8.2 + - 8.5 macOS: - "12.0" tags: @@ -52,6 +56,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml index 35f95d35..f3ff739f 100644 --- a/rules/audit/audit_off_load_records.yaml +++ b/rules/audit/audit_off_load_records.yaml @@ -23,6 +23,8 @@ references: - N/A srg: - N/A + cisv8: + - 8.9 macOS: - "12.0" tags: diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index 761c5385..0a39cd57 100644 --- a/rules/audit/audit_retention_configure.yaml +++ b/rules/audit/audit_retention_configure.yaml @@ -28,6 +28,9 @@ references: - N/A disa_stig: - N/A + cisv8: + - 8.3 + - 8.1 macOS: - "12.0" tags: @@ -39,6 +42,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml index 32b9f690..1aefc2a7 100644 --- a/rules/auth/auth_pam_login_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml @@ -52,6 +52,10 @@ references: - N/A 800-171r2: - 3.5.3 + cisv8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: @@ -63,6 +67,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: 
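Review bot: In rules/audit/audit_off_load_records.yaml the `cisv8:` / `- 8.9` reference is added, but no matching `- cisv8` entry is added under `tags:`, unlike the other rule files visible in this patch that gain a cisv8 reference. If baselines are selected by tag (not visible here), this rule would carry the CIS Controls v8 mapping yet be left out of a cisv8 baseline, so audit-log off-loading would go unchecked on systems built from it. The tags list continues past the end of the hunk, so confirm what it holds and either add `- cisv8` there or record why the rule is reference-only.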
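Review bot: The new cisv8 list in rules/audit/audit_retention_configure.yaml is written `- 8.3` then `- 8.1`, while the other lists added in this patch are in ascending order. rules/os/os_tftpd_disable.yaml has the same pattern (`- 3.3`, `- 3.1`, `- 5.2`). Sorting the ids (`- 8.1`, `- 8.3`) keeps the mappings easy to scan and to compare against the CIS Controls v8 safeguard list.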
diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml index af0e3eba..61176798 100644 --- a/rules/auth/auth_pam_su_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml @@ -47,6 +47,10 @@ references: - N/A 800-171r2: - 3.5.3 + cisv8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: @@ -58,6 +62,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml index c373c2c1..d17a669d 100644 --- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml @@ -46,6 +46,10 @@ references: - N/A 800-171r2: - 3.5.3 + cisv8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: @@ -57,6 +61,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml index 24510ad6..3db7d567 100644 --- a/rules/auth/auth_smartcard_allow.yaml +++ b/rules/auth/auth_smartcard_allow.yaml @@ -28,6 +28,10 @@ references: - N/A disa_stig: - N/A + cisv8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: @@ -38,6 +42,7 @@ tags: - 800-53r4_moderate - 800-53r4_high - cnssi-1253 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.security.smartcard: diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index 90a77bf9..a0f8caf8 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml @@ -49,6 +49,10 @@ references: - 3.5.1 - 3.5.2 - 3.5.3 + cisv8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: @@ -60,6 +64,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "high" mobileconfig: true mobileconfig_info: 
diff --git a/rules/auth/auth_ssh_password_authentication_disable.yaml b/rules/auth/auth_ssh_password_authentication_disable.yaml index aa17e27b..716552b6 100644 --- a/rules/auth/auth_ssh_password_authentication_disable.yaml +++ b/rules/auth/auth_ssh_password_authentication_disable.yaml @@ -48,9 +48,14 @@ references: - 3.5.2 - 3.5.3 - 3.7.5 + cisv8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: - none + - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index d6ef13bb..fa467da3 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -34,6 +34,10 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -45,6 +49,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_appleid_prefpane_disable.yaml b/rules/icloud/icloud_appleid_prefpane_disable.yaml index af71cb9c..2aa1ca6e 100644 --- a/rules/icloud/icloud_appleid_prefpane_disable.yaml +++ b/rules/icloud/icloud_appleid_prefpane_disable.yaml @@ -32,6 +32,9 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -43,6 +46,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index 716fa847..62a6f061 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml @@ -34,6 +34,10 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -45,6 +49,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: 
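Review bot: In rules/auth/auth_ssh_password_authentication_disable.yaml the tags list now reads `- none` followed by `- cisv8`, which looks contradictory. `none` presumably marks a rule that belongs to no baseline, and the new tag places it in one. The same combination appears in rules/os/os_privacy_setup_prompt_disable.yaml. If these rules are meant to be part of the cisv8 baseline, drop `- none` in the same change; if the tooling treats `none` specially, confirm it still selects these rules by `cisv8`, otherwise the SSH password-authentication check could silently fall out of the generated baseline.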
diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index 1a9ac403..c8c06ff3 100644 --- a/rules/icloud/icloud_calendar_disable.yaml +++ b/rules/icloud/icloud_calendar_disable.yaml @@ -34,6 +34,10 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -45,6 +49,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index e4465e2e..c99985d4 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -34,6 +34,10 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -45,6 +49,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index 48cc0f0b..fa648805 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml @@ -34,6 +34,10 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -45,6 +49,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index 9766139c..842a139f 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml @@ -34,6 +34,10 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -45,6 +49,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index 4fdcd296..f09c04bd 100644 
--- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml @@ -34,6 +34,10 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -45,6 +49,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index 23beb370..6e7735cc 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml @@ -34,6 +34,10 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -45,6 +49,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index 7062188c..fc59d0b4 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml @@ -34,6 +34,10 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -45,6 +49,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index ec8fd604..c76df61d 100644 --- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml @@ -33,6 +33,10 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -44,6 +48,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_access_control_mobile_devices.yaml b/rules/os/os_access_control_mobile_devices.yaml index 5c6e2f16..73e808f5 100644 --- a/rules/os/os_access_control_mobile_devices.yaml +++ b/rules/os/os_access_control_mobile_devices.yaml 
@@ -23,6 +23,8 @@ references: - N/A srg: - N/A + cisv8: + - 6.4 macOS: - "12.0" tags: @@ -30,5 +32,6 @@ tags: - 800-53r5_moderate - 800-53r5_high - n_a + - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 3c401d86..15c214d9 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -35,6 +35,10 @@ references: - 3.1.16 - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 + - 6.7 macOS: - "12.0" tags: @@ -46,6 +50,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml index b93941ae..eeb9bdb2 100644 --- a/rules/os/os_appleid_prompt_disable.yaml +++ b/rules/os/os_appleid_prompt_disable.yaml @@ -25,6 +25,9 @@ references: - N/A 800-171r2: - 3.1.20 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -36,6 +39,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml index 46a7fb65..b4ed22e3 100644 --- a/rules/os/os_auth_peripherals.yaml +++ b/rules/os/os_auth_peripherals.yaml @@ -22,6 +22,8 @@ references: 800-171r2: - 3.5.1 - 3.5.2 + cisv8: + - 13.9 macOS: - "12.0" tags: @@ -31,5 +33,6 @@ tags: - 800-53r4_high - cnssi-1253 - permanent + - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml index 9673e1c5..38269918 100644 --- a/rules/os/os_authenticated_root_enable.yaml +++ b/rules/os/os_authenticated_root_enable.yaml @@ -42,6 +42,8 @@ references: - 3.1.1 - 3.1.2 - 3.4.5 + cisv8: + - 3.3 macOS: - "12.0" tags: @@ -53,5 +55,6 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: false mobileconfig_info: 
diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml index 96ecc532..c6b2ad77 100644 --- a/rules/os/os_bonjour_disable.yaml +++ b/rules/os/os_bonjour_disable.yaml @@ -25,6 +25,9 @@ references: - N/A 800-171r2: - 3.4.6 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -36,6 +39,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml index e02038a4..4b84c410 100644 --- a/rules/os/os_calendar_app_disable.yaml +++ b/rules/os/os_calendar_app_disable.yaml @@ -33,6 +33,9 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -44,6 +47,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index 301a317a..87ac5632 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml @@ -30,12 +30,17 @@ references: - N/A 800-171r2: - N/A + cisv8: + - 10.1 + - 10.2 + - 10.4 macOS: - "12.0" tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 mobileconfig: true mobileconfig_info: com.apple.SoftwareUpdate: diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index 39479d71..2ea8e550 100644 --- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml @@ -23,10 +23,13 @@ references: - N/A disa_stig: - N/A + cisv8: + - 6.7 macOS: - 11.0 tags: - manual + - cisv8 severity: "high" mobileconfig: mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml index 36794b16..2557d62c 100644 --- a/rules/os/os_facetime_app_disable.yaml +++ b/rules/os/os_facetime_app_disable.yaml 
@@ -31,6 +31,9 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -42,6 +45,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml index eb551843..510645fe 100644 --- a/rules/os/os_filevault_autologin_disable.yaml +++ b/rules/os/os_filevault_autologin_disable.yaml @@ -32,6 +32,9 @@ references: 800-171r2: - 3.1.1 - 3.1.2 + cisv8: + - 3.3 + - 6.7 macOS: - "12.0" tags: @@ -43,6 +46,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml index 2ad1e87b..8901cd7f 100644 --- a/rules/os/os_firewall_log_enable.yaml +++ b/rules/os/os_firewall_log_enable.yaml @@ -33,6 +33,10 @@ references: - 3.13.1 - 3.13.2 - 3.13.5 + cisv8: + - 4.5 + - 8.2 + - 8.5 macOS: - "12.0" tags: @@ -44,6 +48,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.security.firewall: diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml index 02ca4c1f..2cad2a91 100644 --- a/rules/os/os_gatekeeper_enable.yaml +++ b/rules/os/os_gatekeeper_enable.yaml @@ -37,6 +37,10 @@ references: - N/A 800-171r2: - 3.4.5 + cisv8: + - 10.1 + - 10.2 + - 10.5 macOS: - "12.0" tags: @@ -47,6 +51,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml index 68c8989f..587219c4 100644 --- a/rules/os/os_gatekeeper_rearm.yaml +++ b/rules/os/os_gatekeeper_rearm.yaml @@ -24,6 +24,8 @@ references: - N/A 800-171r2: - 3.4.5 + cisv8: + - 10.5 macOS: - "12.0" tags: 
@@ -34,6 +36,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.ManagedClient.preferences: diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml index 86680a39..9edbb67a 100644 --- a/rules/os/os_handoff_disable.yaml +++ b/rules/os/os_handoff_disable.yaml @@ -34,6 +34,9 @@ references: - 3.1.2 - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -45,6 +48,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_hbss_installed.yaml b/rules/os/os_hbss_installed.yaml index 3dddc40c..c41f86ff 100644 --- a/rules/os/os_hbss_installed.yaml +++ b/rules/os/os_hbss_installed.yaml @@ -22,10 +22,16 @@ references: - N/A disa_stig: - N/A + cisv8: + - 10.1 + - 10.2 + - 10.6 + - 10.7 macOS: - "12.0" tags: - manual + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml index a8802a06..87e2c063 100644 --- a/rules/os/os_httpd_disable.yaml +++ b/rules/os/os_httpd_disable.yaml @@ -30,6 +30,9 @@ references: 800-171r2: - 3.1.1 - 3.1.2 + cisv8: + - 3.3 + - 6.7 macOS: - "12.0" tags: @@ -41,6 +44,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml index 87fb1c8d..977dca7c 100644 --- a/rules/os/os_icloud_storage_prompt_disable.yaml +++ b/rules/os/os_icloud_storage_prompt_disable.yaml @@ -25,6 +25,9 @@ references: - N/A 800-171r2: - 3.1.20 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -36,6 +39,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: 
diff --git a/rules/os/os_internet_accounts_prefpane_disable.yaml b/rules/os/os_internet_accounts_prefpane_disable.yaml index e99560ad..09f146c8 100644 --- a/rules/os/os_internet_accounts_prefpane_disable.yaml +++ b/rules/os/os_internet_accounts_prefpane_disable.yaml @@ -31,6 +31,9 @@ references: - N/A 800-171r2: - 3.1.20 + cisv8: + - 4.8 + - 15.2 macOS: - "12.0" tags: @@ -42,6 +45,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml index c9fcf65a..bcfd551a 100644 --- a/rules/os/os_ir_support_disable.yaml +++ b/rules/os/os_ir_support_disable.yaml @@ -32,6 +32,10 @@ references: 800-171r2: - 3.1.16 - 3.4.6 + cisv8: + - 4.1 + - 4.8 + - 12.6 macOS: - "12.0" tags: @@ -43,6 +47,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.ManagedClient.preferences: diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml index 7a32dfa2..f0df30f5 100644 --- a/rules/os/os_logical_access.yaml +++ b/rules/os/os_logical_access.yaml @@ -26,6 +26,9 @@ references: 800-171r2: - 3.1.1 - 3.1.2 + cisv8: + - 3.3 + - 6.7 macOS: - "12.0" tags: @@ -38,5 +41,6 @@ tags: - 800-171 - cnssi-1253 - inherent + - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml index 50cc73b0..fe0579ad 100644 --- a/rules/os/os_mail_app_disable.yaml +++ b/rules/os/os_mail_app_disable.yaml @@ -35,6 +35,9 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -46,6 +49,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml index 195f9afc..b2cf685a 100644 --- a/rules/os/os_malicious_code_prevention.yaml 
+++ b/rules/os/os_malicious_code_prevention.yaml @@ -45,6 +45,10 @@ references: - N/A srg: - N/A + cisv8: + - 10.1 + - 10.2 + - 10.5 macOS: - "12.0" tags: @@ -52,5 +56,6 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml index e62d0825..7d192047 100644 --- a/rules/os/os_mdm_require.yaml +++ b/rules/os/os_mdm_require.yaml @@ -42,6 +42,9 @@ references: 800-171r2: - 3.4.1 - 3.4.2 + cisv8: + - 4.1 + - 5.1 macOS: - "12.0" tags: @@ -53,5 +56,6 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml index a3dac7ef..4432efa8 100644 --- a/rules/os/os_messages_app_disable.yaml +++ b/rules/os/os_messages_app_disable.yaml @@ -31,6 +31,9 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -42,6 +45,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_mfa_network_access.yaml b/rules/os/os_mfa_network_access.yaml index 779904ab..931ee87a 100644 --- a/rules/os/os_mfa_network_access.yaml +++ b/rules/os/os_mfa_network_access.yaml @@ -20,9 +20,12 @@ references: - N/A srg: - N/A + cisv8: + - 5.6 macOS: - "12.0" tags: - inherent + - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml index 75d0a171..61f07e7b 100644 --- a/rules/os/os_nfsd_disable.yaml +++ b/rules/os/os_nfsd_disable.yaml @@ -29,6 +29,9 @@ references: 800-171r2: - 3.1.1 - 3.1.2 + cisv8: + - 3.3 + - 6.7 macOS: - "12.0" tags: @@ -40,6 +43,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml index da1460f3..4fb9a546 100644 --- a/rules/os/os_obscure_password.yaml +++ b/rules/os/os_obscure_password.yaml @@ -29,6 +29,8 @@ references: - 3.5.1 - 3.5.2 - 3.5.11 + cisv8: + - 4.1 macOS: - "12.0" tags: @@ -41,5 +43,6 @@ tags: - 800-171 - cnssi-1253 - inherent + - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml index e4ff49a8..66661689 100644 --- a/rules/os/os_parental_controls_enable.yaml +++ b/rules/os/os_parental_controls_enable.yaml @@ -28,6 +28,8 @@ references: - N/A 800-171r2: - 3.4.7 + cisv8: + - 4.8 macOS: - "12.0" tags: @@ -37,6 +39,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml index 3410b4c8..2cb8a08e 100644 --- a/rules/os/os_password_autofill_disable.yaml +++ b/rules/os/os_password_autofill_disable.yaml @@ -35,6 +35,9 @@ references: - 3.4.6 - 3.5.1 - 3.5.2 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -46,6 +49,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml index 58f42945..ca225634 100644 --- a/rules/os/os_password_proximity_disable.yaml +++ b/rules/os/os_password_proximity_disable.yaml @@ -31,6 +31,9 @@ references: 800-171r2: - 3.5.1 - 3.5.2 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -42,6 +45,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml index 6e040b5e..e96fe0e9 100644 --- a/rules/os/os_password_sharing_disable.yaml 
+++ b/rules/os/os_password_sharing_disable.yaml @@ -28,6 +28,9 @@ references: 800-171r2: - 3.5.1 - 3.5.2 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -39,6 +42,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml index baef32e9..d5d669c4 100644 --- a/rules/os/os_privacy_setup_prompt_disable.yaml +++ b/rules/os/os_privacy_setup_prompt_disable.yaml @@ -25,10 +25,14 @@ references: - N/A disa_stig: - N/A + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: - none + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml index 1b80e534..260f247f 100644 --- a/rules/os/os_root_disable.yaml +++ b/rules/os/os_root_disable.yaml @@ -27,6 +27,8 @@ references: 800-171r2: - 3.5.1 - 3.5.2 + cisv8: + - 4.7 macOS: - "12.0" tags: @@ -38,5 +40,6 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml index c55f91d8..1dcef83e 100644 --- a/rules/os/os_secure_name_resolution.yaml +++ b/rules/os/os_secure_name_resolution.yaml @@ -24,6 +24,8 @@ references: - N/A srg: - N/A + cisv8: + - 4.9 macOS: - "12.0" tags: @@ -35,5 +37,6 @@ tags: - 800-53r4_high - cnssi-1253 - permanent + - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index 5537c258..10461fb0 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml @@ -65,6 +65,10 @@ references: - 3.3.8 - 3.4.5 - 3.13.4 + cisv8: + - 2.6 + - 3.3 + - 10.5 macOS: - "12.0" tags: @@ -76,6 +80,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml index 1dad0fe3..5c6aaa36 100644 --- a/rules/os/os_siri_prompt_disable.yaml +++ b/rules/os/os_siri_prompt_disable.yaml @@ -31,6 +31,9 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -42,6 +45,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_skip_unlock_with_watch_enabled.yaml b/rules/os/os_skip_unlock_with_watch_enabled.yaml index ba1e7861..dcda6aa6 100644 --- a/rules/os/os_skip_unlock_with_watch_enabled.yaml +++ b/rules/os/os_skip_unlock_with_watch_enabled.yaml @@ -25,6 +25,8 @@ references: - N/A 800-171r2: - 3.1.20 + cisv8: + - 4.1 macOS: - "12.0" tags: @@ -36,6 +38,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml index 61b52ebd..54ad1cd7 100644 --- a/rules/os/os_store_encrypted_passwords.yaml +++ b/rules/os/os_store_encrypted_passwords.yaml @@ -30,6 +30,8 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 + cisv8: + - 3.11 macOS: - "12.0" tags: @@ -42,5 +44,6 @@ tags: - 800-171 - cnssi-1253 - inherent + - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index 7448f599..9a735f5b 100644 --- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml @@ -35,6 +35,10 @@ references: 800-171r2: - 3.1.1 - 3.1.2 + cisv8: + - 3.3 + - 3.1 + - 5.2 macOS: - "12.0" tags: @@ -46,6 +50,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml index 1b295c54..9d41d2a5 100644 --- a/rules/os/os_time_server_enabled.yaml 
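Review bot: The `cisv8` list added to os_tftpd_disable.yaml reads `3.3`, `3.1`, `5.2`, which is the only list in the visible hunks that is out of numeric order. It also differs from the comparable service-disable rules: os_uucp_disable.yaml gets `3.3`, `4.1`, `4.8` and os_nfsd_disable.yaml gets `3.3`, `6.7`. That may be a typo for `4.1`/`4.8`, though the intended mapping cannot be confirmed from the diff. Please check the entries against the CIS Controls v8 text, since a wrong reference would presumably list the rule in the generated guidance under safeguards it does not implement.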
+++ b/rules/os/os_time_server_enabled.yaml @@ -30,6 +30,8 @@ references: - N/A 800-171r2: - 3.3.7 + cisv8: + - 8.4 macOS: - "12.0" tags: @@ -40,6 +42,7 @@ tags: - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml index ae272049..1f9978a6 100644 --- a/rules/os/os_touchid_prompt_disable.yaml +++ b/rules/os/os_touchid_prompt_disable.yaml @@ -26,6 +26,8 @@ references: 800-171r2: - 3.4.1 - 3.4.2 + cisv8: + - 4.1 macOS: - "12.0" tags: @@ -37,6 +39,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.SetupAssistant.managed: diff --git a/rules/os/os_unique_identification.yaml b/rules/os/os_unique_identification.yaml index 2df1b5f1..7c0f5e9e 100644 --- a/rules/os/os_unique_identification.yaml +++ b/rules/os/os_unique_identification.yaml @@ -19,6 +19,9 @@ references: - N/A srg: - N/A + cisv8: + - 5.1 + - 6.1 macOS: - "12.0" tags: @@ -26,5 +29,6 @@ tags: - 800-53r5_moderate - 800-53r5_high - inherent + - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml index 9b2b60ea..2ee40966 100644 --- a/rules/os/os_uucp_disable.yaml +++ b/rules/os/os_uucp_disable.yaml @@ -33,6 +33,10 @@ references: 800-171r2: - 3.1.1 - 3.1.2 + cisv8: + - 3.3 + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -44,6 +48,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml index 5107d72d..9a44432c 100644 --- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml @@ -33,6 +33,8 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 + cisv8: + - 4.7 macOS: - "12.0" tags: 
@@ -44,6 +46,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml index 738cbf6b..678dae8d 100644 --- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml @@ -50,6 +50,8 @@ references: 800-171r2: - 3.5.5 - 3.5.6 + cisv8: + - 5.3 macOS: - "12.0" tags: @@ -60,5 +62,6 @@ tags: - 800-53r4_high - 800-53r5_moderate - 800-53r5_high + - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml index ae526a01..164a84c5 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml @@ -25,6 +25,8 @@ references: - N/A 800-171r2: - 3.1.8 + cisv8: + - 4.1 macOS: - "12.0" tags: @@ -36,6 +38,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml index 8b6c7edd..bc92b833 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml @@ -25,6 +25,8 @@ references: - N/A 800-171r2: - 3.1.8 + cisv8: + - 4.1 macOS: - "12.0" tags: @@ -36,6 +38,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml index 5428f16f..2ba366f9 100644 --- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml 
@@ -33,6 +33,8 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 + cisv8: + - 5.2 macOS: - "12.0" tags: @@ -44,6 +46,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml index 8fae27e8..bff8b25c 100644 --- a/rules/pwpolicy/pwpolicy_force_password_change.yaml +++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml @@ -36,6 +36,8 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 + cisv8: + - 5.2 macOS: - "12.0" tags: @@ -48,5 +50,6 @@ tags: - 800-53r5_moderate - 800-53r5_high - inherent + - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml index c0a1f049..09aac667 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml @@ -32,6 +32,8 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 + cisv8: + - 5.2 macOS: - "12.0" tags: @@ -43,6 +45,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index d88cdb66..43693760 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml @@ -57,6 +57,8 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 + cisv8: + - 5.2 macOS: - "12.0" tags: @@ -68,5 +70,6 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index 58c9a022..b6bb32e2 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml 
@@ -33,6 +33,8 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 + cisv8: + - 5.2 macOS: - "12.0" tags: @@ -44,6 +46,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index 45d6b8fb..2ef25f10 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml @@ -54,6 +54,8 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 + cisv8: + - 4.7 macOS: - "12.0" tags: @@ -65,5 +67,6 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml index 0dde0441..3a41ce18 100644 --- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml +++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml @@ -33,6 +33,8 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 + cisv8: + - 5.2 macOS: - "12.0" tags: @@ -44,6 +46,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 mobileconfig: true mobileconfig_info: com.apple.mobiledevice.passwordpolicy: diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index bdd54b56..9d9923a2 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml @@ -35,6 +35,8 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 + cisv8: + - 5.2 macOS: - "12.0" tags: @@ -46,6 +48,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index d4823be8..4590872b 100644 
--- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml @@ -57,6 +57,8 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 + cisv8: + - 5.2 macOS: - "12.0" tags: @@ -68,5 +70,6 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml index b2f68f6f..e4c52e6a 100644 --- a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml +++ b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml @@ -28,12 +28,16 @@ references: - N/A 800-171r2: - N/A + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 mobileconfig: true mobileconfig_info: com.apple.controlcenter: diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml index ab4a445d..b993f4f9 100644 --- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml @@ -31,6 +31,10 @@ references: - N/A 800-171r2: - 3.13.8 + cisv8: + - 4.8 + - 12.6 + - 13.9 macOS: - "12.0" tags: @@ -41,6 +45,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cisv8 severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml index e57bcdb8..96ed9951 100644 --- a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml @@ -46,6 +46,10 @@ references: - 3.1.2 - 3.1.16 - 3.4.7 + cisv8: + - 3.3 + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -57,6 +61,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: false mobileconfig_info: 
diff --git a/rules/sysprefs/sysprefs_content_caching_disable.yaml b/rules/sysprefs/sysprefs_content_caching_disable.yaml index 91f5763a..1d3504d3 100644 --- a/rules/sysprefs/sysprefs_content_caching_disable.yaml +++ b/rules/sysprefs/sysprefs_content_caching_disable.yaml @@ -27,6 +27,9 @@ references: - N/A 800-171r2: - 3.4.6 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -38,6 +41,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml index 532b77d9..b1c1f6f6 100644 --- a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml +++ b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml @@ -23,12 +23,17 @@ references: - N/A 800-171r2: - N/A + cisv8: + - 7.3 + - 7.4 + - 7.7 macOS: - "12.0" tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 mobileconfig: true mobileconfig_info: com.apple.SoftwareUpdate: diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml index a2fb2a1d..e90751a1 100644 --- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml +++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml @@ -28,6 +28,9 @@ references: - N/A 800-171r2: - 3.1.20 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -39,6 +42,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_filevault_enforce.yaml b/rules/sysprefs/sysprefs_filevault_enforce.yaml index a2f9793a..29bbddd7 100644 --- a/rules/sysprefs/sysprefs_filevault_enforce.yaml +++ b/rules/sysprefs/sysprefs_filevault_enforce.yaml @@ -29,6 +29,9 @@ references: - N/A 800-171r2: - 3.13.16 + cisv8: + - 3.6 + - 3.11 macOS: - "12.0" tags: 
@@ -38,6 +41,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_find_my_disable.yaml b/rules/sysprefs/sysprefs_find_my_disable.yaml index 85132b50..2d2d05c2 100644 --- a/rules/sysprefs/sysprefs_find_my_disable.yaml +++ b/rules/sysprefs/sysprefs_find_my_disable.yaml @@ -32,6 +32,10 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -43,6 +47,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml index ead734db..00c95fb6 100644 --- a/rules/sysprefs/sysprefs_firewall_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_enable.yaml @@ -41,6 +41,10 @@ references: - 3.13.1 - 3.13.2 - 3.13.5 + cisv8: + - 4.1 + - 4.5 + - 13.1 macOS: - "12.0" tags: @@ -52,6 +56,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml index 4e5ccc5d..a932e071 100644 --- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml @@ -37,6 +37,10 @@ references: - 3.13.1 - 3.13.2 - 3.13.5 + cisv8: + - 4.1 + - 4.5 + - 4.8 macOS: - "12.0" tags: @@ -48,6 +52,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml index 301af272..daa3ae37 100644 --- a/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml 
@@ -31,6 +31,10 @@ references: 800-171r2: - 3.5.1 - 3.5.2 + cisv8: + - 5.2 + - 6.2 + - 6.8 macOS: - "12.0" tags: @@ -42,5 +46,6 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_guest_account_disable.yaml b/rules/sysprefs/sysprefs_guest_account_disable.yaml index 29863e40..4947d17a 100644 --- a/rules/sysprefs/sysprefs_guest_account_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_account_disable.yaml @@ -28,6 +28,10 @@ references: 800-171r2: - 3.5.1 - 3.5.2 + cisv8: + - 5.2 + - 6.2 + - 6.8 macOS: - "12.0" tags: @@ -39,6 +43,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml index 6a4a4f0b..6cc5180c 100644 --- a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml +++ b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml @@ -28,6 +28,9 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -39,6 +42,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.assistant.support: diff --git a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml index d3d8363e..6626b3a6 100644 --- a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml @@ -28,6 +28,9 @@ references: 800-171r2: - 3.1.3 - 3.1.20 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -39,6 +42,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_location_services_disable.yaml b/rules/sysprefs/sysprefs_location_services_disable.yaml index 41c5cdd3..d51307eb 100644 
--- a/rules/sysprefs/sysprefs_location_services_disable.yaml +++ b/rules/sysprefs/sysprefs_location_services_disable.yaml @@ -31,6 +31,9 @@ references: - N/A 800-171r2: - 3.4.6 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -42,6 +45,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml index b319e665..85f1a877 100644 --- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml +++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml @@ -31,6 +31,9 @@ references: 800-171r2: - 3.1.1 - 3.1.2 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -41,6 +44,7 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.preferences.sharing.SharingPrefsExtension: diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml index bb13c9c8..196c17af 100644 --- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml +++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml @@ -31,6 +31,9 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -42,6 +45,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.AdLib: diff --git a/rules/sysprefs/sysprefs_power_nap_disable.yaml b/rules/sysprefs/sysprefs_power_nap_disable.yaml index 4492ead6..3907329c 100644 --- a/rules/sysprefs/sysprefs_power_nap_disable.yaml +++ b/rules/sysprefs/sysprefs_power_nap_disable.yaml @@ -39,6 +39,9 @@ references: - N/A 800-171r2: - 3.4.6 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -50,5 +53,6 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/sysprefs/sysprefs_rae_disable.yaml b/rules/sysprefs/sysprefs_rae_disable.yaml index d32c8224..29fa870f 100644 --- a/rules/sysprefs/sysprefs_rae_disable.yaml +++ b/rules/sysprefs/sysprefs_rae_disable.yaml @@ -32,6 +32,9 @@ references: 800-171r2: - 3.1.1 - 3.1.2 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -43,6 +46,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml index a2754c57..6bf39667 100644 --- a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml @@ -32,6 +32,9 @@ references: 800-171r2: - 3.1.1 - 3.1.2 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -43,6 +46,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml index 4c96fd60..c655a07a 100644 --- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml @@ -26,6 +26,8 @@ references: - N/A 800-171r2: - 3.1.10 + cisv8: + - 4.3 macOS: - "12.0" tags: @@ -36,6 +38,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_siri_disable.yaml b/rules/sysprefs/sysprefs_siri_disable.yaml index edc7aa4d..444312ac 100644 --- a/rules/sysprefs/sysprefs_siri_disable.yaml +++ b/rules/sysprefs/sysprefs_siri_disable.yaml @@ -32,6 +32,9 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -43,6 +46,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: 
diff --git a/rules/sysprefs/sysprefs_smbd_disable.yaml b/rules/sysprefs/sysprefs_smbd_disable.yaml index 8f67e163..5608aef9 100644 --- a/rules/sysprefs/sysprefs_smbd_disable.yaml +++ b/rules/sysprefs/sysprefs_smbd_disable.yaml @@ -31,6 +31,9 @@ references: 800-171r2: - 3.1.1 - 3.1.2 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -42,6 +45,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_ssh_disable.yaml b/rules/sysprefs/sysprefs_ssh_disable.yaml index ed03082a..3c8cf14b 100644 --- a/rules/sysprefs/sysprefs_ssh_disable.yaml +++ b/rules/sysprefs/sysprefs_ssh_disable.yaml @@ -39,6 +39,9 @@ references: - 3.1.2 - 3.4.6 - 3.5.4 + cisv8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -50,6 +53,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_time_server_configure.yaml b/rules/sysprefs/sysprefs_time_server_configure.yaml index 93b16d38..4a587580 100644 --- a/rules/sysprefs/sysprefs_time_server_configure.yaml +++ b/rules/sysprefs/sysprefs_time_server_configure.yaml @@ -27,6 +27,8 @@ references: - N/A 800-171r2: - 3.3.7 + cisv8: + - 8.4 macOS: - "12.0" tags: @@ -37,6 +39,7 @@ tags: - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_time_server_enforce.yaml b/rules/sysprefs/sysprefs_time_server_enforce.yaml index 98530608..acd26419 100644 --- a/rules/sysprefs/sysprefs_time_server_enforce.yaml +++ b/rules/sysprefs/sysprefs_time_server_enforce.yaml @@ -27,6 +27,8 @@ references: - N/A 800-171r2: - 3.3.7 + cisv8: + - 8.4 macOS: - "12.0" tags: @@ -37,6 +39,7 @@ tags: - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: 
diff --git a/rules/sysprefs/sysprefs_wifi_disable.yaml b/rules/sysprefs/sysprefs_wifi_disable.yaml index 444a71f1..d15d31ec 100644 --- a/rules/sysprefs/sysprefs_wifi_disable.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable.yaml @@ -36,6 +36,9 @@ references: - N/A 800-171r2: - N/A + cisv8: + - 4.2 + - 12.6 macOS: - "12.0" tags: @@ -47,6 +50,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file From 9737ac06b5c00120e1080312ed2cfe027e3d7f80 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 13 Oct 2021 10:49:38 -0400 Subject: [PATCH 2/8] CCE added --- rules/os/os_directory_services_configured.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index 2ea8e550..ba4947e8 100644 --- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml @@ -13,6 +13,8 @@ check: | fix: | Integrate the system into an existing directory services infrastructure. references: + cce: + - CCE-85493-5 cci: - CCI-000366 800-53r5: @@ -26,7 +28,7 @@ references: cisv8: - 6.7 macOS: - - 11.0 + - "12.0" tags: - manual - cisv8 From 67e6278bbd768e89b728e9d5d201d2dca2932d88 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 13 Oct 2021 10:55:21 -0400 Subject: [PATCH 3/8] CCE added --- rules/os/os_directory_services_configured.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index ba4947e8..2500729e 100644 --- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml @@ -14,7 +14,7 @@ fix: | Integrate the system into an existing directory services infrastructure. references: cce: - - CCE-85493-5 + - CCE-91087-7 cci: - CCI-000366 800-53r5: 
From f3b783cc14a982546e7576cd332ceb9816f233d8 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 13 Oct 2021 16:07:38 -0400 Subject: [PATCH 4/8] added references --- .../icloud/icloud_private_relay_disable.yaml | 7 +- .../sysprefs_airplay_receiver_disable.yaml | 2 +- scripts/generate_baseline.py | 10 +- scripts/generate_guidance.py | 232 ++++++++++-------- scripts/yaml-to-oval.py | 11 +- templates/adoc_acronyms.adoc | 3 + templates/adoc_additional_docs.adoc | 8 + templates/adoc_authors.adoc | 7 +- templates/adoc_foreword.adoc | 2 + templates/adoc_header.adoc | 1 + templates/adoc_rule.adoc | 5 + templates/adoc_rule_custom_refs.adoc | 5 + templates/adoc_rule_no_setting.adoc | 5 + templates/adoc_scope.adoc | 3 + 14 files changed, 179 insertions(+), 122 deletions(-) create mode 100644 templates/adoc_scope.adoc diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml index f543a89b..cc53ef6d 100644 --- a/rules/icloud/icloud_private_relay_disable.yaml +++ b/rules/icloud/icloud_private_relay_disable.yaml @@ -31,7 +31,12 @@ references: disa_stig: - N/A 800-171r2: - - N/A + - 3.1.20 + - 3.4.6 + cisv8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: diff --git a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml index e4c52e6a..ce2a4692 100644 --- a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml +++ b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml @@ -27,7 +27,7 @@ references: disa_stig: - N/A 800-171r2: - - N/A + - 3.4.6 cisv8: - 4.1 - 4.8 diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py index 7839fc64..bda053fe 100755 --- a/scripts/generate_baseline.py +++ b/scripts/generate_baseline.py 
@@ -247,15 +247,9 @@ def output_baseline(rules, os, keyword): output_text = f'title: "macOS {os}: Security Configuration - {keyword}"\n' output_text += f'description: |\n This guide describes the actions to take when securing a macOS {os} system against the {keyword} baseline.\n' + output_text += f'authors: |\n |===\n |Name|Organization\n |===\n' output_text += 'profile:\n' - # sort the rules - other_rules.sort() - inherent_rules.sort() - permanent_rules.sort() - na_rules.sort() - supplemental_rules.sort() - if len(other_rules) > 0: for section in sections: output_text += (' - section: "{}"\n'.format(section_title(section))) @@ -367,4 +361,4 @@ def main(): os.chdir(original_working_directory) if __name__ == "__main__": - main() \ No newline at end of file + main() diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index d5453e8c..b8eb748f 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -23,7 +23,7 @@ from collections import namedtuple class MacSecurityRule(): - def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, custom_refs, tags, result_value, mobileconfig, mobileconfig_info, customized): + def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, cisv8, custom_refs, tags, result_value, mobileconfig, mobileconfig_info, customized): self.rule_title = title self.rule_id = rule_id self.rule_severity = severity @@ -36,6 +36,7 @@ class MacSecurityRule(): self.rule_800171 = nist_171 self.rule_disa_stig = disa_stig self.rule_srg = srg + self.rule_cisv8 = cisv8 self.rule_custom_refs = custom_refs self.rule_result_value = result_value self.rule_tags = tags @@ -56,6 +57,7 @@ class MacSecurityRule(): rule_cci=self.rule_cci, rule_80053r5=self.rule_80053r5, rule_disa_stig=self.rule_disa_stig, + rule_cisv8=self.rule_cisv8, rule_srg=self.rule_srg, rule_result=self.rule_result_value ) 
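Review bot: Removing the five `.sort()` calls in `output_baseline` means the rule lists are written in whatever order they were collected. If that order comes from a directory listing (not visible in this hunk), the generated baseline can differ between runs or machines. A baseline that reorders itself makes review diffs noisy and can hide a real rule addition or removal, so I would keep the ordering explicit, for example by retaining `other_rules.sort()` and its siblings or by iterating `sorted(other_rules)` where the lists are emitted. The added `output_text += f'authors: ...'` line is an f-string with no placeholders and can be a plain string literal. The function starts before and continues past this hunk.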
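Review bot: `cisv8` is inserted in the middle of the positional parameter list of `MacSecurityRule.__init__`, between `srg` and `custom_refs`, which now takes nineteen positional arguments. A call site that was not updated fails with a `TypeError`, but one that was updated with the new value in the wrong slot binds silently and mislabels the references in the generated guidance. The call sites are outside these hunks; if they pass arguments positionally, switching them to keywords (`srg=..., cisv8=..., custom_refs=...`) would make the mapping checkable at a glance. In the later hunk `rule_cisv8=self.rule_cisv8` is placed before `rule_srg`, the reverse of the constructor order; that is harmless with keywords but worth aligning. A short class docstring listing the reference fields would also help, as the class has none in the visible lines.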
@@ -389,56 +391,46 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign for sections in baseline_yaml['profile']: for profile_rule in sections['rules']: - logging.debug(f"checking for rule file for {profile_rule}") - if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): - rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0] - custom=True - logging.debug(f"{rule}") - elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)): - rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0] - custom=False - logging.debug(f"{rule}") - - #for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): - rule_yaml = get_rule_yaml(rule, custom) + for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): + rule_yaml = get_rule_yaml(rule, False) - if rule_yaml['mobileconfig']: - for payload_type, info in rule_yaml['mobileconfig_info'].items(): - try: - if payload_type not in manifests['payloads_types']: + if rule_yaml['mobileconfig']: + for payload_type, info in rule_yaml['mobileconfig_info'].items(): + try: + if payload_type not in manifests['payloads_types']: + profile_errors.append(rule) + raise ValueError( + "{}: Payload Type is not supported".format(payload_type)) + else: + pass + except (KeyError, ValueError) as e: profile_errors.append(rule) - raise ValueError( - "{}: Payload Type is not supported".format(payload_type)) - else: + #print(e) pass - except (KeyError, ValueError) as e: - profile_errors.append(rule) - #print(e) - pass - try: - if isinstance(info, list): - raise ValueError( - "Payload key is non-conforming") - else: + try: + if isinstance(info, list): + raise ValueError( + "Payload key is non-conforming") + else: + pass + except (KeyError, ValueError) as e: + profile_errors.append(rule) + #print(e) pass - 
except (KeyError, ValueError) as e: - profile_errors.append(rule) - #print(e) - pass - if payload_type == "com.apple.ManagedClient.preferences": - for payload_domain, settings in info.items(): - for key, value in settings.items(): - payload_settings = ( - payload_domain, key, value) + if payload_type == "com.apple.ManagedClient.preferences": + for payload_domain, settings in info.items(): + for key, value in settings.items(): + payload_settings = ( + payload_domain, key, value) + profile_types.setdefault( + payload_type, []).append(payload_settings) + else: + for profile_key, key_value in info.items(): + payload_settings = {profile_key: key_value} profile_types.setdefault( payload_type, []).append(payload_settings) - else: - for profile_key, key_value in info.items(): - payload_settings = {profile_key: key_value} - profile_types.setdefault( - payload_type, []).append(payload_settings) if len(profile_errors) > 0: print("There are errors in the following files, please correct the .yaml file(s)!") @@ -579,9 +571,6 @@ plb="/usr/libexec/PlistBuddy" CURRENT_USER=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {{ print $3 }}') CURR_USER_UID=$(/usr/bin/id -u $CURR_USER) -# get system architecture -arch=$(/usr/bin/arch) - # configure colors for text RED='\e[31m' STD='\e[39m' @@ -755,6 +744,8 @@ fi defaults write "$audit_plist" lastComplianceCheck "$(date)" """ + #compliance_script_file.write(check_zsh_header) + # Read all rules in the section and output the check functions for sections in baseline_yaml['profile']: for profile_rule in sections['rules']: 
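Review bot: In `generate_profiles` the new loop calls `get_rule_yaml(rule, False)` for every match, including files found under `../custom/rules/`, so a customised rule is now loaded with the custom flag off and whatever `get_rule_yaml` does with that flag is skipped. The loop also processes both the stock and the custom copy when a rule exists in both places, where the removed code picked the custom one first. Two possibly conflicting settings for the same payload key can therefore be appended to `profile_types`. If the override behaviour is meant to stay, keep the lookup that selects a single path and pass its flag, `rule_yaml = get_rule_yaml(rule, custom)`. The function starts before this hunk and continues after it.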
@@ -768,20 +759,13 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)" custom=False logging.debug(f"{rule}") + #for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): rule_yaml = get_rule_yaml(rule, custom) if rule_yaml['id'].startswith("supplemental"): continue if "manual" in rule_yaml['tags']: continue - - if "arm64" in rule_yaml['tags']: - arch="arm64" - elif "intel" in rule_yaml['tags']: - arch="i386" - else: - arch="" - # grab the 800-53 controls try: rule_yaml['references']['800-53r5'] @@ -790,6 +774,21 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)" else: nist_80053r5 = rule_yaml['references']['800-53r5'] + #try: + # rule_yaml['references']['disa_stig'] + #except KeyError: + # stig_ref = rule_yaml['id'] + #else: + # if rule_yaml['references']['disa_stig'][0] == "N/A": + # stig_ref = [rule_yaml['id']] + # else: + # stig_ref = rule_yaml['references']['disa_stig'] + # + #if "STIG" in baseline_yaml['title']: + # logging.debug(f'Setting STIG reference for logging: {stig_ref}') + # log_reference_id = stig_ref + #else: + # log_reference_id = [rule_yaml['id']] if reference == "default": log_reference_id = [rule_yaml['id']] else: 
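Review bot: The commented-out block that computes `stig_ref` and `log_reference_id`, and the commented `#for rule in glob.glob(...)` line above `get_rule_yaml(rule, custom)`, are dead code added to the file. The live `if reference == "default":` branch right after the block already sets `log_reference_id`, so a reader has to work out which of the two is current. I would drop the commented lines and leave the history to version control, or replace them with one line such as `# log_reference_id is chosen from reference below`. The enclosing function starts and ends outside these hunks.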
@@ -848,40 +847,31 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)" zsh_check_text = """ #####----- Rule: {0} -----##### ## Addresses the following NIST 800-53 controls: {1} -rule_arch="{6}" -if [[ "$arch" == "$rule_arch" ]] || [[ -z "$rule_arch" ]]; then - #echo 'Running the command to check the settings for: {0} ...' | tee -a "$audit_log" - unset result_value - result_value=$({2}) - # expected result {3} +#echo 'Running the command to check the settings for: {0} ...' | tee -a "$audit_log" +unset result_value +result_value=$({2}) +# expected result {3} +# check to see if rule is exempt +unset exempt +unset exempt_reason +exempt=$($plb -c "print {0}:exempt" "$audit_plist_managed" 2>/dev/null) +exempt_reason=$($plb -c "print {0}:exempt_reason" "$audit_plist_managed" 2>/dev/null) - # check to see if rule is exempt - unset exempt - unset exempt_reason - exempt=$($plb -c "print {0}:exempt" "$audit_plist_managed" 2>/dev/null) - exempt_reason=$($plb -c "print {0}:exempt_reason" "$audit_plist_managed" 2>/dev/null) - - - - if [[ ! $exempt == "true" ]] || [[ -z $exempt ]];then - if [[ $result_value == "{4}" ]]; then - echo "$(date -u) {5} passed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log" - defaults write "$audit_plist" {0} -dict-add finding -bool NO - else - echo "$(date -u) {5} failed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log" - defaults write "$audit_plist" {0} -dict-add finding -bool YES - fi - elif [[ ! -z "$exempt_reason" ]];then - echo "$(date -u) {5} has an exemption (Reason: "$exempt_reason")" | tee -a "$audit_log" +if [[ ! 
$exempt == "true" ]] || [[ -z $exempt ]];then + if [[ $result_value == "{4}" ]]; then + echo "$(date -u) {5} passed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log" defaults write "$audit_plist" {0} -dict-add finding -bool NO - /bin/sleep 1 + else + echo "$(date -u) {5} failed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log" + defaults write "$audit_plist" {0} -dict-add finding -bool YES fi -else - echo "$(date -u) {5} does not apply to this architechture" | tee -a "$audit_log" +elif [[ ! -z "$exempt_reason" ]];then + echo "$(date -u) {5} has an exemption (Reason: "$exempt_reason")" | tee -a "$audit_log" defaults write "$audit_plist" {0} -dict-add finding -bool NO + /bin/sleep 1 fi - """.format(rule_yaml['id'], nist_controls.replace("\n", "\n#"), check.strip(), result, result_value, ' '.join(log_reference_id), arch) + """.format(rule_yaml['id'], nist_controls.replace("\n", "\n#"), check.strip(), result, result_value, ' '.join(log_reference_id)) check_function_string = check_function_string + zsh_check_text @@ -1124,7 +1114,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml): top = xlwt.easyxf("align: vert top") headers = xlwt.easyxf("font: bold on") counter = 1 - column_counter = 14 + column_counter = 15 custom_ref_column = {} sheet1.write(0, 0, "CCE", headers) sheet1.write(0, 1, "Rule ID", headers) @@ -1138,8 +1128,9 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(0, 9, "800-171", headers) sheet1.write(0, 10, "SRG", headers) sheet1.write(0, 11, "DISA STIG", headers) - sheet1.write(0, 12, "CCI", headers) - sheet1.write(0, 13, "Modifed Rule", headers) + sheet1.write(0, 12, "CIS Controls v8", headers) + sheet1.write(0, 13, "CCI", headers) + sheet1.write(0, 14, "Modifed Rule", headers) sheet1.set_panes_frozen(True) sheet1.set_horz_split_pos(1) sheet1.set_vert_split_pos(2) 
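Review bot: In the generated check, a rule whose `exempt` value is `true` but whose `exempt_reason` is empty matches neither the `if` nor the `elif [[ ! -z "$exempt_reason" ]];then` branch, so nothing is logged and the `finding` key in `$audit_plist` keeps whatever an earlier run wrote. An exemption without a reason then shows up as a stale pass or fail in the audit record, with no trace in `$audit_log`. Replacing the `elif` line with a plain `else` would log every exemption, printing an empty reason when none was recorded. The template string starts before this hunk.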
@@ -1219,14 +1210,20 @@ def generate_xls(baseline_name, build_path, baseline_yaml): cci = (str(rule.rule_cci)).strip('[]\'') cci = cci.replace(", ", "\n").replace("\'", "") - sheet1.write(counter, 12, cci, topWrap) - sheet1.col(12).width = 400 * 15 + cisv8_refs = (str(rule.rule_cisv8)).strip('[]\'') + cisv8_refs = cisv8_refs.replace(", ", "\n").replace("\'", "") + + sheet1.write(counter, 12, cisv8_refs, topWrap) + sheet1.col(12).width = 500 * 15 + + sheet1.write(counter, 13, cci, topWrap) + sheet1.col(13).width = 400 * 15 customized = (str(rule.rule_customized)).strip('[]\'') customized = customized.replace(", ", "\n").replace("\'", "") - sheet1.write(counter, 13, customized, topWrap) - sheet1.col(13).width = 400 * 15 + sheet1.write(counter, 14, customized, topWrap) + sheet1.col(14).width = 400 * 15 if rule.rule_custom_refs != ['None']: for title, ref in rule.rule_custom_refs.items(): @@ -1270,6 +1267,7 @@ def create_rules(baseline_yaml): 'cce', '800-53r5', '800-171r2', + 'cisv8', 'srg', 'custom'] @@ -1312,6 +1310,7 @@ def create_rules(baseline_yaml): rule_yaml['references']['800-171r2'], rule_yaml['references']['disa_stig'], rule_yaml['references']['srg'], + rule_yaml['references']['cisv8'], rule_yaml['references']['custom'], rule_yaml['tags'], rule_yaml['result'], @@ -1475,7 +1474,8 @@ def main(): "adoc_section", "adoc_header", "adoc_footer", - "adoc_foreword", + "adoc_foreword", + "adoc_scope", "adoc_authors", "adoc_acronyms", "adoc_additional_docs" 
@@ -1514,9 +1514,12 @@ def main(): with open(adoc_templates_dict['adoc_foreword']) as adoc_foreword_file: adoc_foreword_template = adoc_foreword_file.read() + "\n" + + with open(adoc_templates_dict['adoc_scope']) as adoc_scope_file: + adoc_scope_template = Template(adoc_scope_file.read() +"\n") with open(adoc_templates_dict['adoc_authors']) as adoc_authors_file: - adoc_authors_template = adoc_authors_file.read() + "\n" + adoc_authors_template = Template(adoc_authors_file.read() + "\n") with open(adoc_templates_dict['adoc_acronyms']) as adoc_acronyms_file: adoc_acronyms_template = adoc_acronyms_file.read() + "\n" @@ -1535,6 +1538,11 @@ def main(): else: adoc_STIG_show=":show_STIG!:" + if "CIS" in baseline_yaml['title'].upper(): + adoc_cisv8_show=":show_cisv8:" + else: + adoc_cisv8_show=":show_cisv8!:" + if "800" in baseline_yaml['title']: adoc_171_show=":show_171:" else: @@ -1551,17 +1559,29 @@ def main(): tag_attribute=adoc_tag_show, nist171_attribute=adoc_171_show, stig_attribute=adoc_STIG_show, + cisv8_attribute=adoc_cisv8_show, version=version_yaml['version'], os_version=version_yaml['os'], release_date=version_yaml['date'] ) + # Create scope + scope_adoc = adoc_scope_template.substitute( + scope_description=baseline_yaml['description'] + ) + + # Create author + authors_adoc = adoc_authors_template.substitute( + authors_list=baseline_yaml['authors'] + ) + # Output header adoc_output_file.write(header_adoc) # write foreword, authors, acronyms, supporting docs adoc_output_file.write(adoc_foreword_template) - adoc_output_file.write(adoc_authors_template) + adoc_output_file.write(scope_adoc) + adoc_output_file.write(authors_adoc) adoc_output_file.write(adoc_acronyms_template) adoc_output_file.write(adoc_additional_docs_template) 
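Review bot: `authors_list=baseline_yaml['authors']` makes `authors` a required key, so a baseline file written before this change, or a custom one that omits the key, stops guidance generation with a `KeyError`. The scope substitution depends on `baseline_yaml['description']` in the same way. Assuming `baseline_yaml` is the plain dict loaded from the baseline file, a default keeps older baselines working: `authors_list=baseline_yaml.get('authors', '')`. `main` starts before this hunk and continues after it.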
@@ -1653,6 +1673,13 @@ def main(): else: disa_stig = ulify(rule_yaml['references']['disa_stig']) + try: + rule_yaml['references']['cisv8'] + except KeyError: + cisv8 = '- N/A' + else: + cisv8 = ulify(rule_yaml['references']['cisv8']) + try: rule_yaml['references']['srg'] except KeyError: @@ -1735,6 +1762,7 @@ def main(): rule_80053r5=nist_controls, rule_800171=nist_800171, rule_disa_stig=disa_stig, + rule_cisv8=cisv8, rule_cce=cce, rule_tags=tags, rule_srg=srg @@ -1750,6 +1778,7 @@ def main(): rule_80053r5=nist_controls, rule_800171=nist_800171, rule_disa_stig=disa_stig, + rule_cisv8=cisv8, rule_cce=cce, rule_custom_refs=custom_refs, rule_tags=tags, @@ -1767,6 +1796,7 @@ def main(): rule_80053r5=nist_controls, rule_800171=nist_800171, rule_disa_stig=disa_stig, + rule_cisv8=cisv8, rule_cce=cce, rule_tags=tags, rule_srg=srg, @@ -1805,16 +1835,14 @@ def main(): else: print("If you would like to generate the HTML file from the AsciiDoc file, install the ruby gem for asciidoctor") - # Don't create PDF if we are generating SCAP - if not args.gary: - asciidoctorPDF_path = is_asciidoctor_pdf_installed() - if asciidoctorPDF_path != "": - print('Generating PDF file from AsciiDoc...') - cmd = f"{asciidoctorPDF_path} \'{adoc_output_file.name}\'" - process = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True) - process.communicate() - else: - print("If you would like to generate the PDF file from the AsciiDoc file, install the ruby gem for asciidoctor-pdf") + asciidoctorPDF_path = is_asciidoctor_pdf_installed() + if asciidoctorPDF_path != "": + print('Generating PDF file from AsciiDoc...') + cmd = f"{asciidoctorPDF_path} \'{adoc_output_file.name}\'" + process = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True) + process.communicate() + else: + print("If you would like to generate the PDF file from the AsciiDoc file, install the ruby gem for asciidoctor-pdf") # finally revert back to the prior directory os.chdir(original_working_directory) 
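Review bot: The PDF step in the last hunk of generate_guidance.py builds a shell string from `asciidoctorPDF_path` and `adoc_output_file.name` and runs it with `shell=True`, so an output path containing a single quote or another shell metacharacter breaks the quoting and is interpreted by the shell. The file name appears to derive from the baseline name and build path (the `open` call is outside the hunk), which a custom baseline can influence. Assuming `is_asciidoctor_pdf_installed()` returns a single executable path, an argument list avoids the shell: `process = subprocess.Popen([asciidoctorPDF_path, adoc_output_file.name], stdout=subprocess.PIPE)`. The same hunk drops the `if not args.gary:` guard, so the PDF is now also built in the runs the removed comment described as generating SCAP.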
diff --git a/scripts/yaml-to-oval.py b/scripts/yaml-to-oval.py index ce6e06f9..f7a6d336 100755 --- a/scripts/yaml-to-oval.py +++ b/scripts/yaml-to-oval.py @@ -348,15 +348,8 @@ def main(): 1 '''.format(rule_yaml['id'],x,key,payload_type) + - state_kind = "" - if type(value) == bool: - state_kind = "boolean" - elif type(value) == int: - state_kind = "int" - elif type(value) == str: - state_kind = "string" - oval_state = oval_state + ''' {} @@ -1130,7 +1123,7 @@ def main(): '''.format(x,rule_yaml['id'],x,x) if "-" in fix_command and "R" in fix_command or rule_yaml['fix'].split("\n")[2][-1] == "*": - behavior = '' + behavior = '' if "audit" in rule_file: filename = 'current' else: diff --git a/templates/adoc_acronyms.adoc b/templates/adoc_acronyms.adoc index a941e126..c425e436 100644 --- a/templates/adoc_acronyms.adoc +++ b/templates/adoc_acronyms.adoc @@ -6,9 +6,11 @@ |ABM|Apple Business Manager |AFP|Apple Filing Protocol |ALF|Application Layer Firewall +|AO|Authorizing Official |API|Application Programming Interface |ARD|Apple Remote Desktop |CA|Certificate Authority +|CIS|Center for Internet Security |CRL|Certificate Revocation List |DISA|Defense Information Systems Agency |DMA|Direct Memory Access @@ -31,6 +33,7 @@ |SIP|System Integrity Protection |SMB|Server Message Block |SSH|Secure Shell +|SSP|System Security Plan |STIG|Security Technical Implementation Guide |UAMDM|User Approved MDM |UUCP|Unix-to-Unix Copy Protocol diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc index ba642505..2776e437 100644 --- a/templates/adoc_additional_docs.adoc +++ b/templates/adoc_additional_docs.adoc 
@@ -50,4 +50,12 @@ ASSOCIATED DOCUMENTS |link:https://support.apple.com/guide/mdm/welcome/web[Mobile Device Management Settings]|_Mobile Device Management Settings_ |link:https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys[Profile-Specific Payload Keys]|_Profile-Specific Payload Keys_ |link:https://support.apple.com/guide/sccc/welcome/web[Security Certifications and Compliance Center]|_Security Certifications and Compliance Center_ +|=== + +[%header, cols=2*a] +.Center for Internet Security +|=== +|Document Number or Descriptor +|Document Title +|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 11.0]|_CIS Apple macOS 11.0 Benchmark version 1.2.0_ |=== \ No newline at end of file diff --git a/templates/adoc_authors.adoc b/templates/adoc_authors.adoc index d8ad420e..1f78e65c 100644 --- a/templates/adoc_authors.adoc +++ b/templates/adoc_authors.adoc @@ -1,5 +1,9 @@ == Authors [width="100%",cols="1,3"] + +$authors_list + +//// |=== |Bob Gendler|National Institute of Standards and Technology |Allen Golbig|National Aeronautics and Space Administration @@ -9,4 +13,5 @@ |Joshua Glemza|National Aeronautics and Space Administration |Elyse Anderson|National Aeronautics and Space Administration |Gary Gapinski|National Aeronautics and Space Administration -|=== \ No newline at end of file +|=== +//// \ No newline at end of file diff --git a/templates/adoc_foreword.adoc b/templates/adoc_foreword.adoc index 1b31428a..26dbf62a 100644 --- a/templates/adoc_foreword.adoc +++ b/templates/adoc_foreword.adoc 
@@ -5,3 +5,5 @@ The macOS Security Compliance Project is an open source effort to provide a prog This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization. The objective of this effort was to simplify and radically accelerate the process of producing up-to-date macOS security guidance that is also accessible to any organization and tailorable to meet each organization’s specific security needs. + +Any and all risk based decisions to tailor the content produced by this project in order to meet the needs of a specific organization shall be approved by the responsible Information System Owner (ISO) and Authorizing Official (AO) and formally documented in their System Security Plan (SSP). While the project attempts to provide settings to meet compliance requirements, it is recommended that each rule be reviewed by your organization's Information System Security Officer (ISSO) prior to implementation. diff --git a/templates/adoc_header.adoc b/templates/adoc_header.adoc index 59c5e5f6..951cb8d0 100644 --- a/templates/adoc_header.adoc +++ b/templates/adoc_header.adoc @@ -14,6 +14,7 @@ :nofooter: $nist171_attribute $stig_attribute +$cisv8_attribute ifdef::backend-pdf[] = $profile_title $version ($release_date) diff --git a/templates/adoc_rule.adoc b/templates/adoc_rule.adoc index df9683bd..bf9b2ef4 100644 --- a/templates/adoc_rule.adoc +++ b/templates/adoc_rule.adoc @@ -45,6 +45,11 @@ ifdef::show_STIG[] !$rule_disa_stig endif::[] +ifdef::show_CISv8[] +!CIS Controls V8 +!$rule_cisv8 +endif::[] + !CCE !$rule_cce diff --git a/templates/adoc_rule_custom_refs.adoc b/templates/adoc_rule_custom_refs.adoc index 19cd3165..b0bbfef4 100644 --- a/templates/adoc_rule_custom_refs.adoc 
+++ b/templates/adoc_rule_custom_refs.adoc @@ -45,6 +45,11 @@ ifdef::show_STIG[] !$rule_disa_stig endif::[] +ifdef::show_CISv8[] +!CIS Controls V8 +!$rule_cisv8 +endif::[] + !CCE !$rule_cce diff --git a/templates/adoc_rule_no_setting.adoc b/templates/adoc_rule_no_setting.adoc index a0a4a207..44c950ac 100644 --- a/templates/adoc_rule_no_setting.adoc +++ b/templates/adoc_rule_no_setting.adoc @@ -31,6 +31,11 @@ ifdef::show_STIG[] !$rule_disa_stig endif::[] +ifdef::show_CISv8[] +!CIS Controls V8 +!$rule_cisv8 +endif::[] + ifdef::show_tags[] !CCE !$rule_cce diff --git a/templates/adoc_scope.adoc b/templates/adoc_scope.adoc new file mode 100644 index 00000000..7c770e0d --- /dev/null +++ b/templates/adoc_scope.adoc @@ -0,0 +1,3 @@ +== Scope + +$scope_description \ No newline at end of file From 18a042ab33c09a00e2ebefceec03d5855a390ab8 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 13 Oct 2021 16:08:09 -0400 Subject: [PATCH 5/8] updated generate guidance and baseline to handle CIS --- scripts/generate_baseline.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py index bda053fe..c5d5bbf0 100755 --- a/scripts/generate_baseline.py +++ b/scripts/generate_baseline.py @@ -249,6 +249,13 @@ def output_baseline(rules, os, keyword): output_text += f'description: |\n This guide describes the actions to take when securing a macOS {os} system against the {keyword} baseline.\n' output_text += f'authors: |\n |===\n |Name|Organization\n |===\n' output_text += 'profile:\n' + + # sort the rules + other_rules.sort() + inherent_rules.sort() + permanent_rules.sort() + na_rules.sort() + supplemental_rules.sort() if len(other_rules) > 0: for section in sections: From 59c5f1c0f6de398f956b5ef4fb568772e954e188 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Wed, 13 Oct 2021 16:08:25 -0400 Subject: [PATCH 6/8] cis v8 baseline --- baselines/cisv8.yaml | 148 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 148 insertions(+) create mode 100644 baselines/cisv8.yaml diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml new file mode 100644 index 00000000..0b616cfd --- /dev/null +++ b/baselines/cisv8.yaml 
@@ -0,0 +1,148 @@ +title: "macOS 12.0: Security Configuration - CIS Controls Version 8" +description: | + This guide describes the actions to take when securing a macOS 12.0 system against the CIS Controls version 8 baseline. +authors: | + CIS Critical Security Controls® (CIS Controls®) are referenced with the permission and support of the Center for Internet Security® (CIS®) + |=== + |Edward Byrd|Center for Internet Security + |Bob Gendler|National Institute of Standards and Technology + |Dan Brodjieski|National Aeronautics and Space Administration + |Allen Golbig|JAMF + |=== +profile: + - section: "authentication" + rules: + - auth_pam_login_smartcard_enforce + - auth_pam_su_smartcard_enforce + - auth_pam_sudo_smartcard_enforce + - auth_smartcard_allow + - auth_smartcard_enforce + - auth_ssh_password_authentication_disable + - section: "auditing" + rules: + - audit_auditd_enabled + - audit_flags_aa_configure + - audit_flags_ad_configure + - audit_flags_ex_configure + - audit_flags_fd_configure + - audit_flags_fm_configure + - audit_flags_fr_configure + - audit_flags_fw_configure + - audit_flags_lo_configure + - audit_retention_configure + - section: "macos" + rules: + - os_airdrop_disable + - os_appleid_prompt_disable + - os_authenticated_root_enable + - os_bonjour_disable + - os_calendar_app_disable + - os_config_data_install_enforce + - os_directory_services_configured + - os_facetime_app_disable + - os_filevault_autologin_disable + - os_firewall_log_enable + - os_gatekeeper_enable + - os_gatekeeper_rearm + - os_handoff_disable + - os_hbss_installed + - os_httpd_disable + - os_icloud_storage_prompt_disable + - os_internet_accounts_prefpane_disable + - os_ir_support_disable + - os_mail_app_disable + - os_mdm_require + - os_messages_app_disable + - os_nfsd_disable + - os_parental_controls_enable + - os_password_autofill_disable + - os_password_proximity_disable + - os_password_sharing_disable + - os_privacy_setup_prompt_disable + - os_root_disable + - 
os_sip_enable + - os_siri_prompt_disable + - os_skip_unlock_with_watch_enabled + - os_tftpd_disable + - os_time_server_enabled + - os_touchid_prompt_disable + - os_uucp_disable + - section: "passwordpolicy" + rules: + - pwpolicy_60_day_enforce + - pwpolicy_account_inactivity_enforce + - pwpolicy_account_lockout_enforce + - pwpolicy_account_lockout_timeout_enforce + - pwpolicy_alpha_numeric_enforce + - pwpolicy_history_enforce + - pwpolicy_lower_case_character_enforce + - pwpolicy_minimum_length_enforce + - pwpolicy_minimum_lifetime_enforce + - pwpolicy_simple_sequence_disable + - pwpolicy_special_character_enforce + - pwpolicy_upper_case_character_enforce + - section: "icloud" + rules: + - icloud_addressbook_disable + - icloud_appleid_prefpane_disable + - icloud_bookmarks_disable + - icloud_calendar_disable + - icloud_drive_disable + - icloud_keychain_disable + - icloud_mail_disable + - icloud_notes_disable + - icloud_photos_disable + - icloud_reminders_disable + - icloud_sync_disable + - section: "systempreferences" + rules: + - sysprefs_airplay_receiver_disable + - sysprefs_bluetooth_disable + - sysprefs_bluetooth_sharing_disable + - sysprefs_content_caching_disable + - sysprefs_critical_update_install_enforce + - sysprefs_diagnostics_reports_disable + - sysprefs_filevault_enforce + - sysprefs_find_my_disable + - sysprefs_firewall_enable + - sysprefs_firewall_stealth_mode_enable + - sysprefs_guest_access_smb_disable + - sysprefs_guest_account_disable + - sysprefs_improve_siri_dictation_disable + - sysprefs_internet_sharing_disable + - sysprefs_location_services_disable + - sysprefs_media_sharing_disabled + - sysprefs_personalized_advertising_disable + - sysprefs_power_nap_disable + - sysprefs_rae_disable + - sysprefs_screen_sharing_disable + - sysprefs_screensaver_timeout_enforce + - sysprefs_siri_disable + - sysprefs_smbd_disable + - sysprefs_ssh_disable + - sysprefs_time_server_configure + - sysprefs_time_server_enforce + - sysprefs_wifi_disable + - section: 
"Inherent" + rules: + - os_logical_access + - os_malicious_code_prevention + - os_mfa_network_access + - os_obscure_password + - os_store_encrypted_passwords + - os_unique_identification + - pwpolicy_force_password_change + - section: "Permanent" + rules: + - os_auth_peripherals + - os_secure_name_resolution + - section: "not_applicable" + rules: + - os_access_control_mobile_devices + - section: "Supplemental" + rules: + - supplemental_controls + - supplemental_filevault + - supplemental_firewall_pf + - supplemental_password_policy + - supplemental_smartcard From dc2e8c46290c54f34356259c39d4ee93052371e4 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 13 Oct 2021 16:25:00 -0400 Subject: [PATCH 7/8] yaml to oval fix --- scripts/yaml-to-oval.py | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/scripts/yaml-to-oval.py b/scripts/yaml-to-oval.py index f7a6d336..ce6e06f9 100755 --- a/scripts/yaml-to-oval.py +++ b/scripts/yaml-to-oval.py @@ -348,8 +348,15 @@ def main(): 1 '''.format(rule_yaml['id'],x,key,payload_type) - + state_kind = "" + if type(value) == bool: + state_kind = "boolean" + elif type(value) == int: + state_kind = "int" + elif type(value) == str: + state_kind = "string" + oval_state = oval_state + ''' {} @@ -1123,7 +1130,7 @@ def main(): '''.format(x,rule_yaml['id'],x,x) if "-" in fix_command and "R" in fix_command or rule_yaml['fix'].split("\n")[2][-1] == "*": - behavior = '' + behavior = '' if "audit" in rule_file: filename = 'current' else: From ecbfd519108c692fa54bc07049046e7c360ed6ff Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 13 Oct 2021 16:25:33 -0400 Subject: [PATCH 8/8] updated version language --- VERSION.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION.yaml b/VERSION.yaml index f55c0e78..1586227a 100644 --- a/VERSION.yaml +++ b/VERSION.yaml @@ -1,3 +1,3 @@ os: "12.0" -version: "Monterey, Revision 1" +version: "Monterey Guidance, Revision 1" date: "2021-XX-XX"