updates for 1.1.0

Gemfile

@@ -1,5 +1,5 @@
 source 'https://rubygems.org'
 
 gem 'asciidoctor'
-gem 'asciidoctor-pdf', '2.3.5'
+gem 'asciidoctor-pdf'
 gem 'rouge', '3.30.0'

baselines/cis_lvl1.yaml

@@ -1,6 +1,6 @@
 title: "macOS 13.0: Security Configuration - CIS Benchmarks"
 description: |
-  This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1)
+  This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 1)
 authors: |
   The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®)
   |===

baselines/cis_lvl2.yaml

@@ -1,6 +1,6 @@
 title: "macOS 13.0: Security Configuration - CIS Benchmarks"
 description: |
-  This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1 and 2)
+  This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 1 and 2)
 authors: |
   The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®)
   |===

includes/mscp-data.yaml

@@ -55,7 +55,7 @@ titles:
   800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact
   800-53r5_low: NIST SP 800-53 Rev 5 Low Impact
   800-171: NIST 800-171 Rev 2
-  cis_lvl1: CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1)
-  cis_lvl2: CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2)
+  cis_lvl1: CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 1)
+  cis_lvl2: CIS Apple macOS 13.0 Ventura v1.1.0 Benchmark (Level 2)
   cisv8: CIS Controls Version 8
   cnssi-1253: Committee on National Security Systems Instruction No. 1253

rules/os/os_hibernate_mode_apple_silicon_enable.yaml

@@ -1,4 +1,4 @@
-id: os_hibernate_mode_enable
+id: os_hibernate_mode_apple_silicon_enable
 title: "Enable Hibernate Mode (Apple Silicon)"
 discussion: |
   Hibernate mode _MUST_ be enabled. 

rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml

@@ -28,7 +28,7 @@ references:
     - N/A
   cis:
     benchmark:
-      - 2.9.3 (level 2)
+      - 2.9.1.3 (level 2)
     controls v8: 
       - 4.1
 macOS:

rules/os/os_hibernate_mode_intel_enable.yaml

@@ -1,4 +1,4 @@
-id: os_hibernate_mode_enable
+id: os_hibernate_mode_intel_enable
 title: "Enable Hibernate Mode (Intel)"
 discussion: |
   Hibernate mode _MUST_ be enabled. 

scripts/generate_guidance.py

@@ -13,6 +13,7 @@ import argparse
 import subprocess
 import logging
 import tempfile
+import base64
 from datetime import date
 from xlwt import Workbook
 from string import Template
@@ -20,7 +21,7 @@ from itertools import groupby
 from uuid import uuid4
 
 class MacSecurityRule():
-    def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, cis, custom_refs, odv, tags, result_value, mobileconfig, mobileconfig_info, customized):
+    def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, cis, cmmc, custom_refs, odv, tags, result_value, mobileconfig, mobileconfig_info, customized):
         self.rule_title = title
         self.rule_id = rule_id
         self.rule_severity = severity
@@ -34,6 +35,7 @@ class MacSecurityRule():
         self.rule_disa_stig = disa_stig
         self.rule_srg = srg
         self.rule_cis = cis
+        self.rule_cmmc = cmmc
         self.rule_custom_refs = custom_refs
         self.rule_odv = odv
         self.rule_result_value = result_value
@@ -56,6 +58,7 @@ class MacSecurityRule():
             rule_80053r5=self.rule_80053r5,
             rule_disa_stig=self.rule_disa_stig,
             rule_cis=self.rule_cis,
+            rule_cmmc=self.rule_cmmc,
             rule_srg=self.rule_srg,
             rule_result=self.rule_result_value
         )
@@ -602,6 +605,14 @@ if [[ $EUID -ne 0 ]]; then
     exit 1
 fi
 
+ssh_key_check=0
+if /usr/sbin/sshd -T &> /dev/null; then
+    ssh_key_check=0
+else
+    /usr/bin/ssh-keygen -q -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key
+    ssh_key_check=1
+fi
+
 # path to PlistBuddy
 plb="/usr/libexec/PlistBuddy"
 
@@ -1068,6 +1079,12 @@ else
         read_options
     done
 fi
+
+if [[ "$ssh_key_check" -ne 0 ]]; then
+    /bin/rm /etc/ssh/ssh_host_rsa_key
+    /bin/rm /etc/ssh/ssh_host_rsa_key.public
+    ssh_key_check=0
+fi
     """
 
     #write out the compliance script
@@ -1246,7 +1263,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
     top = xlwt.easyxf("align: vert top")
     headers = xlwt.easyxf("font: bold on")
     counter = 1
-    column_counter = 16
+    column_counter = 17
     custom_ref_column = {}
     sheet1.write(0, 0, "CCE", headers)
     sheet1.write(0, 1, "Rule ID", headers)
@@ -1262,8 +1279,9 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
     sheet1.write(0, 11, "DISA STIG", headers)
     sheet1.write(0, 12, "CIS Benchmark", headers)
     sheet1.write(0, 13, "CIS v8", headers)
-    sheet1.write(0, 14, "CCI", headers)
-    sheet1.write(0, 15, "Modifed Rule", headers)
+    sheet1.write(0, 14, "CMMC", headers)
+    sheet1.write(0, 15, "CCI", headers)
+    sheet1.write(0, 16, "Modifed Rule", headers)
     sheet1.set_panes_frozen(True)
     sheet1.set_horz_split_pos(1)
     sheet1.set_vert_split_pos(2)
@@ -1351,18 +1369,24 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
                     cis = cis.replace(", ", "\n")
                     sheet1.write(counter, 13, cis, topWrap)
                     sheet1.col(13).width = 500 * 15
+        
+        cmmc_refs = (str(rule.rule_cmmc)).strip('[]\'')
+        cmmc_refs = cmmc_refs.replace(", ", "\n").replace("\'", "")
+
+        sheet1.write(counter, 14, cmmc_refs, topWrap)
+        sheet1.col(14).width = 500 * 15
 
         cci = (str(rule.rule_cci)).strip('[]\'')
         cci = cci.replace(", ", "\n").replace("\'", "")
 
-        sheet1.write(counter, 14, cci, topWrap)
-        sheet1.col(13).width = 400 * 15
+        sheet1.write(counter, 15, cci, topWrap)
+        sheet1.col(15).width = 400 * 15
 
         customized = (str(rule.rule_customized)).strip('[]\'')
         customized = customized.replace(", ", "\n").replace("\'", "")
 
-        sheet1.write(counter, 15, customized, topWrap)
-        sheet1.col(14).width = 400 * 15
+        sheet1.write(counter, 16, customized, topWrap)
+        sheet1.col(16).width = 400 * 15
 
         if rule.rule_custom_refs != ['None']:
             for title, ref in rule.rule_custom_refs.items():
@@ -1408,6 +1432,7 @@ def create_rules(baseline_yaml):
                   '800-53r5',
                   '800-171r2',
                   'cis',
+                  'cmmc',
                   'srg',
                   'custom']
 
@@ -1451,6 +1476,7 @@ def create_rules(baseline_yaml):
                                         rule_yaml['references']['disa_stig'],
                                         rule_yaml['references']['srg'],
                                         rule_yaml['references']['cis'],
+                                        rule_yaml['references']['cmmc'],
                                         rule_yaml['references']['custom'],
                                         rule_yaml['odv'],
                                         rule_yaml['tags'],
@@ -1562,6 +1588,7 @@ def parse_cis_references(reference):
             string += "!" + str(item) + "!* " + str(reference[item]) + "\n"
     return string
 
+# Might have to do something similar to above for cmmc
 
 def main():
 
@@ -1586,8 +1613,14 @@ def main():
 
         if args.logo:
             logo = args.logo
+            pdf_logo_path = logo
         else:
             logo = "../../templates/images/mscp_banner.png"
+            pdf_logo_path = "../templates/images/mscp_banner.png"
+
+        # convert logo to base64 for inline processing
+        b64logo = base64.b64encode(open(pdf_logo_path, "rb").read())
+        
 
         build_path = os.path.join(parent_dir, 'build', f'{baseline_name}')
         if not (os.path.isdir(build_path)):
@@ -1704,6 +1737,11 @@ def main():
     else:
         adoc_cis_show=":show_cis!:"
 
+    if "CMMC" in baseline_yaml['title'].upper():
+        adoc_cmmc_show=":show_CMMC:"
+    else:
+        adoc_cmmc_show=":show_CMMC!:"
+
     if "800" in baseline_yaml['title']:
          adoc_171_show=":show_171:"
     else:
@@ -1713,6 +1751,7 @@ def main():
         adoc_tag_show=":show_tags:"
         adoc_STIG_show=":show_STIG:"
         adoc_cis_show=":show_cis:"
+        adoc_cmmc_show=":show_CMMC:"
         adoc_171_show=":show_171:"
     else:
         adoc_tag_show=":show_tags!:"
@@ -1734,11 +1773,13 @@ def main():
         html_subtitle=adoc_html_subtitle,
         document_subtitle2=adoc_document_subtitle2,
         logo=logo,
+        pdflogo=b64logo.decode("ascii"),
         pdf_theme=pdf_theme,
         tag_attribute=adoc_tag_show,
         nist171_attribute=adoc_171_show,
         stig_attribute=adoc_STIG_show,
         cis_attribute=adoc_cis_show,
+        cmmc_attribute=adoc_cmmc_show,
         version=version_yaml['version'],
         os_version=version_yaml['os'],
         release_date=version_yaml['date']
@@ -1857,6 +1898,13 @@ def main():
             else:
                 cis = parse_cis_references(rule_yaml['references']['cis'])
 
+            try:
+                rule_yaml['references']['cmmc']
+            except KeyError:
+                cmmc = ""
+            else:
+                cmmc = ulify(rule_yaml['references']['cmmc'])
+
             try:
                 rule_yaml['references']['srg']
             except KeyError:
@@ -1941,6 +1989,7 @@ def main():
                     rule_800171=nist_800171,
                     rule_disa_stig=disa_stig,
                     rule_cis=cis,
+                    rule_cmmc=cmmc,
                     rule_cce=cce,
                     rule_custom_refs=custom_refs,
                     rule_tags=tags,
@@ -1958,6 +2007,7 @@ def main():
                     rule_800171=nist_800171,
                     rule_disa_stig=disa_stig,
                     rule_cis=cis,
+                    rule_cmmc=cmmc,
                     rule_cce=cce,
                     rule_tags=tags,
                     rule_srg=srg
@@ -1974,6 +2024,7 @@ def main():
                     rule_800171=nist_800171,
                     rule_disa_stig=disa_stig,
                     rule_cis=cis,
+                    rule_cmmc=cmmc,
                     rule_cce=cce,
                     rule_tags=tags,
                     rule_srg=srg,

sections/authentication.yaml

@@ -2,6 +2,6 @@
   description: |
     This section contains the configuration of authentication settings, including the enforcement of smartcard authentication.  
 
-    NOTE: See addittional guidance in the Smartcard Supplemental.
+    NOTE: See additional guidance in the Smartcard Supplemental.
 
     NOTE: The check/fix commands outlined in this section must be run with elevated privileges.

templates/adoc_additional_docs.adoc

@@ -56,5 +56,5 @@ ASSOCIATED DOCUMENTS
 |===
 |Document Number or Descriptor
 |Document Title
-|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 13.0]|_CIS Apple macOS 13.0 Benchmark version 1.0.0_
+|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 13.0]|_CIS Apple macOS 13.0 Benchmark version 1.1.0_
 |===

templates/adoc_header.adoc

@@ -20,6 +20,7 @@ endif::[]
 $nist171_attribute
 $stig_attribute
 $cis_attribute
+$cmmc_attribute
 :version: $version ($release_date)
 :os: $os_version
 :proj-title: $html_header_title
@@ -28,11 +29,10 @@ $cis_attribute
 $document_subtitle2
 ifdef::backend-pdf[]
 = {document-title}: {document-subtitle}
-{document-subtitle2}
 $version ($release_date)
 :pdf-themesdir: ../templates
 :pdf-theme: $pdf_theme
-:title-logo-image: image:$logo[align=center]
+:title-logo-image: image:data:image/png;base64,$pdflogo[align=center]
 :nofooter!:
 endif::[]
 :data-uri: