diff --git a/baselines/ios_stig.yaml b/baselines/ios_stig.yaml new file mode 100644 index 00000000..ebdb6486 --- /dev/null +++ b/baselines/ios_stig.yaml 
@@ -0,0 +1,105 @@ +title: "iOS/iPadOS 26.0: Security Configuration - Apple iOS/iPadOS 26 STIG - Ver 1, Rel 1" +description: | + This guide describes the actions to take when securing a iOS/iPadOS 26.0 system against the Apple iOS/iPadOS 26 STIG - Ver 1, Rel 1 security baseline. +authors: | + *macOS Security Compliance Project* + + |=== + |Dan Brodjieski|National Aeronautics and Space Administration + |Allen Golbig|Jamf + |Bob Gendler|National Institute of Standards and Technology + |=== +parent_values: "ios_stig" +profile: + - section: "icloud" + rules: + - icloud_backup_disabled + - icloud_drive_disable + - icloud_keychain_disable + - icloud_managed_apps_store_data_disabled + - icloud_photos_disable + - icloud_shared_photo_stream_disable + - section: "ios" + rules: + - os_airdrop_disable + - os_airdrop_unmanaged_destination_enable + - os_airplay_incoming_password_require + - os_airplay_outgoing_password_require + - os_airprint_credential_storage_disable + - os_airprint_disable + - os_airprint_force_trusted_TLS + - os_allow_contacts_read_managed_sources_unmanaged_destinations_disable + - os_allow_contacts_write_managed_sources_unmanaged_destinations_disable + - os_allow_documents_managed_sources_unmanaged_destinations_disable + - os_apple_watch_pairing_disable + - os_apple_watch_wrist_detection_enable + - os_auto_unlock_disable + - os_automatic_app_download_disable + - os_bluetooth_modification_disable + - os_call_recording_disable + - os_camera_disable + - os_diagnostics_reports_disable + - os_disallow_enterprise_app_trust + - os_enterprise_books_disable + - os_erase_contents_and_settings_disable + - os_esim_delete + - os_esim_transfers_disable + - os_exchange_notes_disable + - os_exchange_notes_user_override_disable + - os_exchange_reminders_disable + - os_exchange_reminders_user_override_disable + - os_external_intelligence_integration_disable + - os_external_intelligence_integration_sign_in_disable + - os_facetime_disable + - 
os_files_network_drive_access_disable + - os_files_usb_drive_access_disable + - os_find_my_friends_disable + - os_force_encrypted_backups_enable + - os_genmoji_disable + - os_handoff_disable + - os_hide_apps_disable + - os_ibeacon_airprint_disable + - os_image_playground_disable + - os_image_wand_disable + - os_install_configuration_profile_disable + - os_install_vpn_configuration_disable + - os_iphone_mirroring_disable + - os_iphone_widgets_on_mac_disable + - os_limit_ad_tracking_enable + - os_mail_maildrop_disable + - os_mail_move_messages_disable + - os_marketplace_prevent + - os_movie_content_allowed + - os_new_device_proximity_disable + - os_on_device_dictation_enforce + - os_on_device_translation_enforce + - os_pairing_non_configurator_hosts_disable + - os_password_autofill_disable + - os_password_proximity_disable + - os_password_sharing_disable + - os_require_managed_pasteboard_enforce + - os_safari_password_autofill_disable + - os_screenshots_disable + - os_show_calendar_lock_screen_disable + - os_show_notification_center_lock_screen_disable + - os_siri_assistant_disable + - os_siri_user_generated_content_disable + - os_siri_when_locked_disabled + - os_ssl_for_exchange_activesync_enable + - os_supervised_mdm_require + - os_system_settings_find_my_friends_modification_disable + - os_tv_content_allowed + - os_usb_accessories_when_locked_disable + - os_web_distribution_app_installation_disable + - section: "passwordpolicy" + rules: + - pwpolicy_account_lockout_enforce + - pwpolicy_force_pin_enable + - pwpolicy_history_enforce + - pwpolicy_max_grace_period_enforce + - pwpolicy_max_inactivity_enforce + - pwpolicy_minimum_length_enforce + - pwpolicy_simple_sequence_disable + - section: "Supplemental" + rules: + - supplemental_stig diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml index 5856994c..55f0693d 100644 --- a/includes/mscp-data.yaml +++ b/includes/mscp-data.yaml 
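Review bot: The `description` block of the new baseline reads "securing a iOS/iPadOS 26.0 system"; it should read `securing an iOS/iPadOS 26.0 system`. The `authors` table here duplicates the names kept under `ios_stig: names:` in includes/mscp-data.yaml, so the two lists have to be kept in step by hand (this commit does so, dropping the same entry from both); a short comment above `authors:` pointing at the canonical list would help the next editor. `parent_values: "ios_stig"` is also the one double-quoted scalar the rest of this diff would write plain.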
@@ -92,7 +92,6 @@ authors: - Bob Gendler|National Institute of Standards and Technology ios_stig: names: - - Marco PiƱeyro|Department of State - Dan Brodjieski|National Aeronautics and Space Administration - Allen Golbig|Jamf - Bob Gendler|National Institute of Standards and Technology diff --git a/rules/icloud/icloud_backup_disabled.yaml b/rules/icloud/icloud_backup_disabled.yaml index 0c4b0d46..cd9f6873 100644 --- a/rules/icloud/icloud_backup_disabled.yaml +++ b/rules/icloud/icloud_backup_disabled.yaml @@ -1,8 +1,8 @@ id: icloud_backup_disabled -title: "Ensure iCloud Backup is set to Disabled" +title: Ensure iCloud Backup is set to Disabled discussion: | iCloud backup _MUST_ be disabled. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: @@ -18,9 +18,9 @@ references: - CM-7(1) - SC-7(10) sfr: - - "FMT_MOF_EXT.1.2 #40" + - 'FMT_MOF_EXT.1.2 #40' disa_stig: - - N/A + - AIOS-26-003000 indigo: - ANNEX D (Section 5.4 - iCloud restrictions) - ANNEX K @@ -30,7 +30,7 @@ references: controls v8: - 2.3 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -44,7 +44,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index f4478937..be02bf7a 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -1,8 +1,8 @@ id: icloud_drive_disable -title: "Ensure Allow iCloud Documents and Data is set to Disabled" +title: Ensure Allow iCloud Documents and Data is set to Disabled discussion: | Institutionally owned devices _MUST_ not sync data through iCloud. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: 
@@ -19,11 +19,11 @@ references: - CM-7(1) - SC-7(10) sfr: - - "FMT_MOF_EXT.1.2 #40" + - 'FMT_MOF_EXT.1.2 #40' disa_stig: - - N/A + - AIOS-26-003200 indigo: - - ANNEX D (Section 5.4 - iCloud restrictions) + - ANNEX D (Section 5.4 - iCloud restrictions) - ANNEX K cis: benchmark: @@ -31,7 +31,7 @@ references: controls v8: - 2.3 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -44,7 +44,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: true mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index 542c6008..9bd800e4 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml 
@@ -1,52 +1,53 @@ id: icloud_keychain_disable -title: "Disable iCloud Keychain Sync" +title: Disable iCloud Keychain Sync discussion: | The iOS system's ability to automatically synchronize a user's passwords to their iCloud account _MUST_ be disabled. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95425-5 + - CCE-95425-5 cci: - - CCI-000097 - - CCI-000366 - - CCI-000370 + - CCI-000097 + - CCI-000366 + - CCI-000370 800-53r5: - - AC-20 - - AC-20(1) - - CM-7 - - CM-7(1) - - SC-7(10) + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + - SC-7(10) sfr: - - "FMT_MOF_EXT.1.2 #40" + - 'FMT_MOF_EXT.1.2 #40' disa_stig: - - N/A + - AIOS-26-003300 indigo: - ANNEX D (Section 5.4 - iCloud restrictions) - ANNEX K cis: benchmark: - - 3.2.1.6 (level 1 - Institutionally-Owned Devices) + - 3.2.1.6 (level 1 - Institutionally-Owned Devices) controls v8: - - 4.1 - - 4.8 - - 15.3 + - 4.1 + - 4.8 + - 15.3 iOS: -- "26.0" + - '26.0' tags: -- ios -- 800-53r5_low -- 800-53r5_moderate -- 800-53r5_high -- cis_lvl1_enterprise -- cis_lvl2_enterprise -- cisv8 -- indigo_base -- indigo_high -- cnssi-1253_moderate -- cnssi-1253_low -- cnssi-1253_high + - ios + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - cis_lvl1_enterprise + - cis_lvl2_enterprise + - cisv8 + - indigo_base + - indigo_high + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - ios_stig severity: medium supervised: false mobileconfig: true diff --git a/rules/icloud/icloud_managed_apps_store_data_disabled.yaml b/rules/icloud/icloud_managed_apps_store_data_disabled.yaml index c5a93e08..e9f0db1a 100644 --- a/rules/icloud/icloud_managed_apps_store_data_disabled.yaml +++ b/rules/icloud/icloud_managed_apps_store_data_disabled.yaml 
@@ -1,53 +1,54 @@ id: icloud_managed_apps_store_data_disabled -title: "Ensure Managed Apps Storing Data in iCloud is Set to Disabled" +title: Ensure Managed Apps Storing Data in iCloud is Set to Disabled discussion: | Managed Apps _MUST_ not store data in iCloud. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95426-3 + - CCE-95426-3 cci: - - CCI-000097 - - CCI-000366 - - CCI-000370 + - CCI-000097 + - CCI-000366 + - CCI-000370 800-53r5: - - AC-20 - - AC-20(1) - - CM-7 - - CM-7(1) - - SC-7(10) + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + - SC-7(10) sfr: - - "FMT_MOF_EXT.1.2 #40" + - 'FMT_MOF_EXT.1.2 #40' disa_stig: - - N/A + - AIOS-26-003600 indigo: - - ANNEX D (Section 5.4 - iCloud restrictions) + - ANNEX D (Section 5.4 - iCloud restrictions) - ANNEX K cis: benchmark: - - 2.2.1.3 (level 1 - End-User Owned Devices) - - 3.2.1.7 (level 1 - Institutionally-Owned Devices) + - 2.2.1.3 (level 1 - End-User Owned Devices) + - 3.2.1.7 (level 1 - Institutionally-Owned Devices) controls v8: - - 2.3 + - 2.3 iOS: -- "26.0" + - '26.0' tags: -- ios -- 800-53r5_low -- 800-53r5_moderate -- 800-53r5_high -- cis_lvl1_byod -- cis_lvl2_byod -- cis_lvl1_enterprise -- cis_lvl2_enterprise -- cisv8 -- indigo_base -- indigo_high -- cnssi-1253_moderate -- cnssi-1253_low -- cnssi-1253_high + - ios + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - cis_lvl1_byod + - cis_lvl2_byod + - cis_lvl1_enterprise + - cis_lvl2_enterprise + - cisv8 + - indigo_base + - indigo_high + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - ios_stig severity: medium supervised: false mobileconfig: true diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index 1c8e6fbe..490887bc 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml 
@@ -1,10 +1,10 @@ id: icloud_photos_disable -title: "Disable iCloud Photo Library" +title: Disable iCloud Photo Library discussion: | The iOS built-in Photos.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization _MUST_ be controlled by an organization approved service. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile references: @@ -19,12 +19,12 @@ references: - CM-7(1) - SC-7(10) sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-003450 indigo: - ANNEX D (Section 5.4 - iCloud restrictions) - - ANNEX K + - ANNEX K cis: benchmark: - N/A @@ -33,7 +33,7 @@ references: - 4.8 - 15.3 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -43,6 +43,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: medium supervised: false mobileconfig: true diff --git a/rules/icloud/icloud_shared_photo_stream_disable.yaml b/rules/icloud/icloud_shared_photo_stream_disable.yaml index c91c9d30..b7e4bfda 100644 --- a/rules/icloud/icloud_shared_photo_stream_disable.yaml +++ b/rules/icloud/icloud_shared_photo_stream_disable.yaml @@ -1,8 +1,8 @@ id: icloud_shared_photo_stream_disable -title: "Ensure Shared Photo Stream is set to Disabled" +title: Ensure Shared Photo Stream is set to Disabled discussion: | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile references: 
@@ -19,11 +19,11 @@ references: - CM-7(1) - SC-7(10) sfr: - - "FMT_MOF_EXT.1.2 #40" + - 'FMT_MOF_EXT.1.2 #40' disa_stig: - - N/A + - AIOS-26-003500 indigo: - - ANNEX D (Section 5.4 - iCloud restrictions) + - ANNEX D (Section 5.4 - iCloud restrictions) - ANNEX K cis: benchmark: @@ -31,7 +31,7 @@ references: controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -41,7 +41,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_account_modification_disable.yaml b/rules/os/os_account_modification_disable.yaml index 7d617777..71768886 100644 --- a/rules/os/os_account_modification_disable.yaml +++ b/rules/os/os_account_modification_disable.yaml @@ -16,7 +16,7 @@ references: indigo: - ANNEX K iOS: -- "26.0" + - "26.0" tags: - ios - indigo_high diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index cd0e220a..8d220639 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -1,16 +1,16 @@ id: os_airdrop_disable -title: "Ensure AirDrop is set to Disabled" +title: Ensure AirDrop is set to Disabled discussion: | AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices. - - AirDrop allows users to share and receive files from other nearby Apple devices. -check: " " + + AirDrop allows users to share and receive files from other nearby Apple devices. +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-002536 - CCI-000366 - CCI-000097 @@ -21,10 +21,11 @@ references: - CM-7 - CM-7(1) sfr: - - "FMT_SMF_EXT.1.1/WLAN" - - "FMT_SMF_EXT.1.1 #47" + - FMT_SMF_EXT.1.1/WLAN + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-010200 + - AIOS-26-012500 indigo: - ANNEX K cis: @@ -33,7 +34,7 @@ references: controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low 
@@ -44,7 +45,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: true mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_airdrop_unmanaged_destination_enable.yaml b/rules/os/os_airdrop_unmanaged_destination_enable.yaml index d1a7022f..16e5dead 100644 --- a/rules/os/os_airdrop_unmanaged_destination_enable.yaml +++ b/rules/os/os_airdrop_unmanaged_destination_enable.yaml @@ -1,14 +1,14 @@ id: os_airdrop_unmanaged_destination_enable -title: "Ensure Treat AirDrop as unmanaged destination is set to Enabled" +title: Ensure Treat AirDrop as unmanaged destination is set to Enabled discussion: | AirDrop _MUST_ be treated as an unmanaged destination. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-000366 - CCI-002008 800-53r5: @@ -19,9 +19,9 @@ references: - MP-2 - SC-7(10) sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-011500 indigo: - ANNEX D (Section 5.7.5 - AirDrop) - ANNEX K @@ -32,7 +32,7 @@ references: controls v8: - 3.3 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -48,7 +48,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_airplay_incoming_password_require.yaml b/rules/os/os_airplay_incoming_password_require.yaml index b066a0fd..851d30a9 100644 --- a/rules/os/os_airplay_incoming_password_require.yaml +++ b/rules/os/os_airplay_incoming_password_require.yaml 
@@ -1,8 +1,8 @@ id: os_airplay_incoming_password_require -title: "Require Passcode for Incoming Airplay Connection Requests" +title: Require Passcode for Incoming Airplay Connection Requests discussion: | When a user is allowed to use AirPlay without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than the one intended (i.e., by choosing the wrong one from the AirPlay list displayed). This creates the potential for someone in control of a mistakenly associated device to obtain DoD sensitive information without authorization. Requiring a password before such an association mitigates this risk. Passwords do not require any administration and are not required to comply with any complexity requirements. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile references: @@ -13,9 +13,10 @@ references: 800-53r5: - IA-3 sfr: - - "FMT_SMF_EXT.1.1 #40" + - 'FMT_SMF_EXT.1.1 #40' disa_stig: - - N/A + - AIOS-26-010900 + - AIOS-26-010950 indigo: - ANNEX K cis: @@ -24,7 +25,7 @@ references: controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_moderate @@ -34,6 +35,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: low supervised: false mobileconfig: true diff --git a/rules/os/os_airplay_outgoing_password_require.yaml b/rules/os/os_airplay_outgoing_password_require.yaml index a2eb2834..039b3e0c 100644 --- a/rules/os/os_airplay_outgoing_password_require.yaml +++ b/rules/os/os_airplay_outgoing_password_require.yaml 
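Review bot: `disa_stig` in os_airplay_incoming_password_require now lists both `AIOS-26-010900` and `AIOS-26-010950`, and the os_airplay_outgoing_password_require hunk on the next line lists the same pair. If one ID covers incoming and the other outgoing AirPlay connections, each rule should carry only its own ID; as written, a failure of either setting is reported against both STIG IDs. If both STIG requirements genuinely depend on both settings, a one-line comment above the list saying so would stop a later cleanup from splitting them.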
@@ -1,8 +1,8 @@ id: os_airplay_outgoing_password_require -title: "Require the User to Enter a Password when Connecting to an AirPlay-enabled device for the First Time." +title: Require the User to Enter a Password when Connecting to an AirPlay-enabled device for the First Time. discussion: | When a user is allowed to use AirPlay without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than the one intended (i.e., by choosing the wrong one from the AirPlay list displayed). This creates the potential for someone in control of a mistakenly associated device to obtain DoD sensitive information without authorization. Requiring a password before such an association mitigates this risk. Passwords do not require any administration and are not required to comply with any complexity requirements. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile references: @@ -13,9 +13,10 @@ references: 800-53r5: - IA-3 sfr: - - "FMT_SMF_EXT.1.1 #40" + - 'FMT_SMF_EXT.1.1 #40' disa_stig: - - N/A + - AIOS-26-010900 + - AIOS-26-010950 indigo: - ANNEX K cis: @@ -24,7 +25,7 @@ references: controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_moderate @@ -34,6 +35,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: low supervised: false mobileconfig: true diff --git a/rules/os/os_airprint_credential_storage_disable.yaml b/rules/os/os_airprint_credential_storage_disable.yaml new file mode 100644 index 00000000..817708df --- /dev/null +++ b/rules/os/os_airprint_credential_storage_disable.yaml 
@@ -0,0 +1,33 @@ +id: os_airprint_credential_storage_disable +title: Disable Storage of AirPrint Credentials +discussion: | + Storage of AirPrint credentials _MUST_ be disabled. +check: ' ' +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000366 + 800-53r5: + - CM-6 + sfr: + - 'FMT_MOF_EXT.1.2 #47' + disa_stig: + - AIOS-26-016800 + indigo: + - N/A +iOS: + - '26.0' +tags: + - ios + - ios_stig + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +supervised: false +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowAirPrintCredentialsStorage: false diff --git a/rules/os/os_airprint_disable.yaml b/rules/os/os_airprint_disable.yaml index 46fa360a..5a79960f 100644 --- a/rules/os/os_airprint_disable.yaml +++ b/rules/os/os_airprint_disable.yaml @@ -1,10 +1,10 @@ id: os_airprint_disable -title: "Disable AirPrint" +title: Disable AirPrint discussion: | The iOS built-in AirPrint capability _MUST_ be disabled. The service AirPrint _MUST_ be disabled to prevent intendedly printing content on unknown printers and leaking data. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: @@ -14,11 +14,18 @@ references: - N/A indigo: - ANNEX K + cci: + - CCI-000366 + sfr: + - 'FMT_MOF_EXT.1.2 #47' + disa_stig: + - AIOS-26-016600 iOS: - - "26.0" + - '26.0' tags: - ios - indigo_high + - ios_stig supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_airprint_force_trusted_TLS.yaml b/rules/os/os_airprint_force_trusted_TLS.yaml index 1717a85a..212aee06 100644 --- a/rules/os/os_airprint_force_trusted_TLS.yaml +++ b/rules/os/os_airprint_force_trusted_TLS.yaml 
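Review bot: The new rule os_airprint_credential_storage_disable is tagged `ios_stig` and carries `disa_stig: AIOS-26-016800` but has no `severity` key, while every existing rule that gains the tag in this diff keeps one and the new os_camera_disable sets `severity: medium`. The os_airprint_disable hunk below it and the new os_automatic_app_download_disable and os_bluetooth_modification_disable files later in the diff have the same gap; for os_airprint_disable and os_airprint_force_trusted_TLS the visible hunks run straight from `tags` to `supervised`, so I cannot tell whether a severity is set elsewhere in those files. If the STIG category in the generated output is derived from `severity`, these rules will render without one; add a `severity:` line before `supervised:` matching the published category of the referenced STIG ID.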
@@ -1,8 +1,8 @@ id: os_airprint_force_trusted_TLS -title: "Requires trusted certificates for TLS printing communication" +title: Requires trusted certificates for TLS printing communication discussion: | The service AirPrint _MUST_ be configured to require trusted certificates for TLS printing communication. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: @@ -11,14 +11,21 @@ references: 800-53r5: - AC-17(02) indigo: - - ANNEX K + - ANNEX K + cci: + - CCI-000366 + sfr: + - 'FMT_MOF_EXT.1.2 #47' + disa_stig: + - AIOS-26-016900 iOS: - - "26.0" + - '26.0' tags: - ios - indigo_high - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_high + - ios_stig supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_allow_contacts_read_managed_sources_unmanaged_destinations_disable.yaml b/rules/os/os_allow_contacts_read_managed_sources_unmanaged_destinations_disable.yaml index e88863ab..22a2ccc0 100644 --- a/rules/os/os_allow_contacts_read_managed_sources_unmanaged_destinations_disable.yaml +++ b/rules/os/os_allow_contacts_read_managed_sources_unmanaged_destinations_disable.yaml @@ -1,8 +1,8 @@ id: os_allow_contacts_read_managed_sources_unmanaged_destinations_disable -title: "Ensure Managed Apps Cannot Read Unmanaged Contact Accounts" +title: Ensure Managed Apps Cannot Read Unmanaged Contact Accounts discussion: | Managed Apps _MUST_ not be allowed to read contacts from unmanaged contact destinations. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile references: @@ -18,10 +18,10 @@ references: - SC-7(10) - SC-39 sfr: - - "FMT_SMF_EXT.1.1 #42" - - "FDP_ACF_EXT.1.2" + - 'FMT_SMF_EXT.1.1 #42' + - FDP_ACF_EXT.1.2 disa_stig: - - N/A + - AIOS-26-012400 indigo: - ANNEX D (Section 5.6.3 - Contacts) - ANNEX K @@ -31,7 +31,7 @@ references: controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low 
@@ -42,6 +42,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: low supervised: false mobileconfig: true diff --git a/rules/os/os_allow_contacts_write_managed_sources_unmanaged_destinations_disable.yaml b/rules/os/os_allow_contacts_write_managed_sources_unmanaged_destinations_disable.yaml index ca11ce49..d7279818 100644 --- a/rules/os/os_allow_contacts_write_managed_sources_unmanaged_destinations_disable.yaml +++ b/rules/os/os_allow_contacts_write_managed_sources_unmanaged_destinations_disable.yaml @@ -1,8 +1,8 @@ id: os_allow_contacts_write_managed_sources_unmanaged_destinations_disable -title: "Ensure Managed Apps Cannot Write to Unmanaged Contact Accounts" +title: Ensure Managed Apps Cannot Write to Unmanaged Contact Accounts discussion: | Managed Apps _MUST_ not be allowed to write contacts to unmanaged contact destinations. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile references: @@ -18,12 +18,12 @@ references: - SC-7(10) - SC-39 sfr: - - "FMT_SMF_EXT.1.1 #42" - - "FDP_ACF_EXT.1.2" + - 'FMT_SMF_EXT.1.1 #42' + - FDP_ACF_EXT.1.2 disa_stig: - - N/A + - AIOS-26-012300 indigo: - - ANNEX D (Section 5.6.3 - Contacts) + - ANNEX D (Section 5.6.3 - Contacts) - ANNEX K cis: benchmark: @@ -31,7 +31,7 @@ references: controls v8: - 3.3 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -42,7 +42,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "low" + - ios_stig +severity: low supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_allow_documents_managed_sources_unmanaged_destinations_disable.yaml b/rules/os/os_allow_documents_managed_sources_unmanaged_destinations_disable.yaml index 9dc179c3..24efce1c 100644 --- a/rules/os/os_allow_documents_managed_sources_unmanaged_destinations_disable.yaml +++ b/rules/os/os_allow_documents_managed_sources_unmanaged_destinations_disable.yaml 
@@ -1,14 +1,14 @@ id: os_allow_documents_managed_sources_unmanaged_destinations_disable -title: "Ensure Allow documents from managed sources in unmanaged destinations is set to Disabled" +title: Ensure Allow documents from managed sources in unmanaged destinations is set to Disabled discussion: | Documents from managed sources _MUST_ not be allowed in unmanaged destinations. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-002233 - CCI-002530 800-53r5: @@ -17,10 +17,10 @@ references: - SC-7(10) - SC-39 sfr: - - "FMT_SMF_EXT.1.1 #42" - - "FDP_ACF_EXT.1.2" + - 'FMT_SMF_EXT.1.1 #42' + - FDP_ACF_EXT.1.2 disa_stig: - - N/A + - AIOS-26-009700 indigo: - ANNEX D (Section 5.6.3 - Contacts) - ANNEX K @@ -31,7 +31,7 @@ references: controls v8: - 3.3 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -47,7 +47,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_apple_watch_pairing_disable.yaml b/rules/os/os_apple_watch_pairing_disable.yaml index f4b89117..65a1ef19 100644 --- a/rules/os/os_apple_watch_pairing_disable.yaml +++ b/rules/os/os_apple_watch_pairing_disable.yaml @@ -1,10 +1,10 @@ id: os_apple_watch_pairing_disable -title: "Ensure Apple Watch Pairing is Disabled" +title: Ensure Apple Watch Pairing is Disabled discussion: | Pairing an Apple Watch _MUST_ be disabled. - + NOTE: Any currently paired Apple Watch is unpaired and the watch's content is erased. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile references: @@ -18,9 +18,9 @@ references: - CM-7 - CM-7(1) sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-012600 indigo: - ANNEX K cis: @@ -29,7 +29,7 @@ references: controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low 
@@ -40,6 +40,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: medium supervised: true mobileconfig: true diff --git a/rules/os/os_apple_watch_wrist_detection_enable.yaml b/rules/os/os_apple_watch_wrist_detection_enable.yaml index c9be8e25..803d6aaf 100644 --- a/rules/os/os_apple_watch_wrist_detection_enable.yaml +++ b/rules/os/os_apple_watch_wrist_detection_enable.yaml @@ -1,23 +1,23 @@ id: os_apple_watch_wrist_detection_enable -title: "Ensure Force Apple Watch wrist detection is set to Enabled" +title: Ensure Force Apple Watch wrist detection is set to Enabled discussion: | Wrist detection _MUST_ be enabled for paired Apple Watches. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-000381 800-53r5: - AC-3 - CM-7 - CM-7(1) sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-011800 cis: benchmark: - 2.2.1.13 (level 1 - End-User Owned Devices) @@ -25,7 +25,7 @@ references: controls v8: - 3.3 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -39,7 +39,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "low" + - ios_stig +severity: low supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_auto_unlock_disable.yaml b/rules/os/os_auto_unlock_disable.yaml index ff332a08..2ec808d1 100644 --- a/rules/os/os_auto_unlock_disable.yaml +++ b/rules/os/os_auto_unlock_disable.yaml 
@@ -1,10 +1,10 @@ id: os_auto_unlock_disable -title: "Prevent Apple Watch from Unlocking a Device" +title: Prevent Apple Watch from Unlocking a Device discussion: | Apple Watches are not an approved authenticator and their use _MUST_ be disabled. Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures. -check: " " +check: ' ' fix: This is implemented by a Configuration Profile references: cce: @@ -15,9 +15,9 @@ references: 800-53r5: - AC-11 sfr: - - "FMT_MOF_EXT.1.2 #47" + - 'FMT_MOF_EXT.1.2 #47' disa_stig: - - N/A + - AIOS-26-014800 indigo: - ANNEX K cis: @@ -26,7 +26,7 @@ references: controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_moderate @@ -36,6 +36,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: medium supervised: false mobileconfig: true diff --git a/rules/os/os_automatic_app_download_disable.yaml b/rules/os/os_automatic_app_download_disable.yaml new file mode 100644 index 00000000..9286551c --- /dev/null +++ b/rules/os/os_automatic_app_download_disable.yaml @@ -0,0 +1,34 @@ +id: os_automatic_app_download_disable +title: Disallow Automatic Downloads of Apps Purchased on other Apple Devices. +discussion: | + The automatic download of apps to a mobile device could cause the exposure of sensitive information when an unauthorized app is installed. +check: ' ' +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000366 + 800-53r5: + - CM-7 + - CM-7(1) + sfr: + - 'FMT_MOF_EXT.1.2 #47' + disa_stig: + - AIOS-26-016400 + indigo: + - N/A +iOS: + - '26.0' +tags: + - ios + - ios_stig + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +supervised: true +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowAutomaticAppDownloads: false 
diff --git a/rules/os/os_bluetooth_modification_disable.yaml b/rules/os/os_bluetooth_modification_disable.yaml new file mode 100644 index 00000000..129beed8 --- /dev/null +++ b/rules/os/os_bluetooth_modification_disable.yaml @@ -0,0 +1,43 @@ +id: os_bluetooth_modification_disable +title: "Bluetooth Status Modification Disabled" +discussion: | + The ability to enable or disable Bluetooth _MUST_ be disabled. +check: " " +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000366 + 800-53r5: + - CM-7 + - CM-7(1) + - SC-07(10) + sfr: + - 'FMT_SMF.1.1 #47' + disa_stig: + - AIOS-26-018200 + indigo: + - N/A + cis: + benchmark: + - N/A + controls v8: + - N/A +iOS: + - "26.0" +tags: + - ios + - ios_stig + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high +supervised: false +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowBluetoothModification: false diff --git a/rules/os/os_call_recording_disable.yaml b/rules/os/os_call_recording_disable.yaml index d4da1640..8d4f3fa5 100644 --- a/rules/os/os_call_recording_disable.yaml +++ b/rules/os/os_call_recording_disable.yaml 
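Review bot: The new os_bluetooth_modification_disable writes the 800-53 control as `SC-07(10)` and the SFR as `'FMT_SMF.1.1 #47'`, whereas every other rule in this diff uses `SC-7(10)` and `FMT_SMF_EXT.1.1 #47`; any tooling that joins rules to control text by identifier will not match these. The same two spellings appear in the new os_camera_disable further down. If `SC-7(10)` and the `_EXT` SFR are the intended references, change the lines to `- SC-7(10)` and `- 'FMT_SMF_EXT.1.1 #47'` in both files. The file also keeps double-quoted `title`, `check: " "` and `"26.0"`, which the rest of this diff converts to plain or single-quoted scalars.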
@@ -1,37 +1,38 @@ id: os_call_recording_disable -title: "Disable Call Recording" +title: Disable Call Recording discussion: | The built-in Call Recording _MUST_ be disabled in certain organizations or jurisdictions by legal statutes and/or privacy laws. The Call Recording service announces to all users that a cellular phone call is about to be recorded. When recording stops (either manually by the user or by ending the call), the recording is saved to a new note in the Notes app. This functionality may be prohibited by certain organizations or jurisdictions by legal statutes and/or privacy laws. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95449-5 + - CCE-95449-5 800-53r5: - - CM-6 + - CM-6 cci: - - CCI-000366 + - CCI-000366 sfr: - - "FMT_MOF_EXT.1.2 #47" + - 'FMT_MOF_EXT.1.2 #47' disa_stig: - - N/A + - AIOS-26-015700 indigo: - - ANNEX K + - ANNEX K iOS: -- "26.0" + - '26.0' tags: -- ios -- 800-53r5_low -- 800-53r5_moderate -- 800-53r5_high -- indigo_base -- indigo_high -- cnssi-1253_moderate -- cnssi-1253_low -- cnssi-1253_high + - ios + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - indigo_base + - indigo_high + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - ios_stig supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml new file mode 100644 index 00000000..524ad16c --- /dev/null +++ b/rules/os/os_camera_disable.yaml 
@@ -0,0 +1,43 @@ +id: os_camera_disable +title: Disable Camera +discussion: | + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure that participants carry out the disconnect activity without having to go through complex and tedious procedures. + + This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision. + + This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed. + + For an external camera, if there is not a method for the operator to manually disconnect camera at the end of collaborative computing sessions, this is a finding. + + For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding. + + If the camera is not disconnected, covered, or physically disabled, the following configuration is required. +check: ' ' +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000366 + 800-53r5: + - CM-7 + - CM-7(1) + - SC-07(10) + sfr: + - 'FMT_SMF.1.1 #47' + disa_stig: + - 'AIOS-26-018100' +iOS: + - "26.0" +tags: + - ios + - ios_stig +severity: medium +supervised: true +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowCamera: false 
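Review bot: The discussion of the new os_camera_disable rule says "This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision", which contradicts placing the rule in an iOS/iPadOS STIG baseline at `severity: medium`; the paragraphs about external cameras, laptop camera covers and VTC suites also read as text carried over from a desktop STIG and should be replaced with the iOS rationale for allowCamera. Quoting is inconsistent with the rest of the commit as well: `- 'AIOS-26-018100'` is single-quoted where every other disa_stig id is plain, and `- "26.0"` under iOS uses double quotes where the commit normalises the other files to `'26.0'`. The same two quoting differences appear in the new os_hide_apps_disable rule.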
diff --git a/rules/os/os_diagnostics_reports_disable.yaml b/rules/os/os_diagnostics_reports_disable.yaml index aeb86066..bd11d638 100644 --- a/rules/os/os_diagnostics_reports_disable.yaml +++ b/rules/os/os_diagnostics_reports_disable.yaml @@ -1,35 +1,35 @@ id: os_diagnostics_reports_disable -title: "Disable Sending Diagnostic and Usage Data to Apple" +title: Disable Sending Diagnostic and Usage Data to Apple discussion: | The ability to submit diagnostic data to Apple _MUST_ be disabled. - - The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple. -check: " " + + The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple. +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-001199 800-53r5: - AC-20 - SC-7(10) - SI-11 sfr: - - "FMT_SMF_EXT.1.1 #47a" + - 'FMT_SMF_EXT.1.1 #47a' disa_stig: - - N/A + - AIOS-26-013400 indigo: - ANNEX K cis: - benchmark: + benchmark: - 2.2.1.12 (level 1 - End-User Owned Devices) - 3.2.1.25 (level 1 - Institutionally-Owned Devices) controls v8: - 4.8 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -45,7 +45,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_disallow_enterprise_app_trust.yaml b/rules/os/os_disallow_enterprise_app_trust.yaml index 1d0c49a7..621d2be4 100644 --- a/rules/os/os_disallow_enterprise_app_trust.yaml +++ b/rules/os/os_disallow_enterprise_app_trust.yaml 
@@ -1,8 +1,8 @@ id: os_disallow_enterprise_app_trust -title: "Disallow Apps to be Installed from Unauthorized Sources" +title: Disallow Apps to be Installed from Unauthorized Sources discussion: | Apps _MUST_ be installed from authorized application repositories. Disallowing enterprise app trust prevents apps from being provisioned by universal provisioning profiles. -check: " " +check: ' ' fix: This is implemented by a Configuration Profile references: cce: @@ -12,18 +12,18 @@ references: 800-53r5: - CM-11 sfr: - - "FMT_SMF_EXT.1.1 #8a" + - 'FMT_SMF_EXT.1.1 #8a' disa_stig: - - N/A + - AIOS-26-007000 indigo: - - ANNEX D - (Section 5.8.5) + - ANNEX D - (Section 5.8.5) cis: benchmark: - N/A controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -34,6 +34,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: low supervised: false mobileconfig: true diff --git a/rules/os/os_enterprise_books_disable.yaml b/rules/os/os_enterprise_books_disable.yaml index b275b97c..a67187a4 100644 --- a/rules/os/os_enterprise_books_disable.yaml +++ b/rules/os/os_enterprise_books_disable.yaml @@ -1,8 +1,8 @@ id: os_enterprise_books_disable -title: "Ensure Backup of Enterprise Books is set to Disabled" +title: Ensure Backup of Enterprise Books is set to Disabled discussion: | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information. -check: " " +check: ' ' fix: This is implemented by a Configuration Profile references: cce: @@ -13,9 +13,9 @@ references: 800-53r5: - CM-6 sfr: - - "FMT_MOF_EXT.1.2 #40" + - 'FMT_MOF_EXT.1.2 #40' disa_stig: - - N/A + - AIOS-26-003700 indigo: - ANNEX K cis: 
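Review bot: The discussion of os_enterprise_books_disable is generic boilerplate about user-configurable settings and never says what the control does; a reader cannot tell from the file what "Backup of Enterprise Books" covers or why disabling it matters. Consider replacing it with a sentence naming the behaviour, for example `Backup of enterprise-distributed books _MUST_ be disabled so that managed content is not copied into personal backups.`, adjusted to whatever the underlying restriction actually does. The file's mobileconfig_info block is outside these hunks, so the key it sets could not be confirmed here.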
@@ -24,12 +24,12 @@ references: controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - ios_stig - indigo_high -severity: "medium" +severity: medium supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_erase_contents_and_settings_disable.yaml b/rules/os/os_erase_contents_and_settings_disable.yaml index 0927ceab..f6fcb466 100644 --- a/rules/os/os_erase_contents_and_settings_disable.yaml +++ b/rules/os/os_erase_contents_and_settings_disable.yaml @@ -1,41 +1,42 @@ id: os_erase_contents_and_settings_disable -title: "Ensure Allow Erase All Content and Settings is set to Disabled" +title: Ensure Allow Erase All Content and Settings is set to Disabled discussion: | Erase all contents and settings _MUST_ be disabled on institutionally owned iOS devices. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95460-2 + - CCE-95460-2 cci: - - N/A + - CCI-000366 800-53r5: - - CM-6 - - CM-7 - - CM-7(1) + - CM-6 + - CM-7 + - CM-7(1) sfr: - - N/A + - 'FMT_SMF.1.1 #47' disa_stig: - - N/A + - AIOS-26-016000 cis: benchmark: - - 3.2.1.12 (level 1 - Institutionally-Owned Devices) + - 3.2.1.12 (level 1 - Institutionally-Owned Devices) controls v8: - - 4.1 + - 4.1 iOS: -- "26.0" + - '26.0' tags: -- ios -- 800-53r5_low -- 800-53r5_moderate -- 800-53r5_high -- cis_lvl1_enterprise -- cis_lvl2_enterprise -- cisv8 -- cnssi-1253_moderate -- cnssi-1253_low -- cnssi-1253_high + - ios + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - cis_lvl1_enterprise + - cis_lvl2_enterprise + - cisv8 + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - ios_stig supervised: true mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_esim_delete.yaml b/rules/os/os_esim_delete.yaml index ea0e5cba..3b133864 100644 --- a/rules/os/os_esim_delete.yaml +++ b/rules/os/os_esim_delete.yaml 
@@ -1,28 +1,29 @@ id: os_esim_delete -title: "Ensure the eSIM Contents are Deleted When Device is Erased" +title: Ensure the eSIM Contents are Deleted When Device is Erased discussion: | An eSIM may contain sensitive data and must be wiped of data when the mobile device is wiped to protect sensitive data from exposure. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95461-0 + - CCE-95461-0 cci: - - CCI-001033 + - CCI-001033 800-53r5: - - MP-6 + - MP-6 sfr: - - "FMT_MOF_EXT.1.2 #47" + - 'FMT_MOF_EXT.1.2 #47' disa_stig: - - N/A + - AIOS-26-015100 iOS: -- "26.0" + - '26.0' tags: -- ios -- cnssi-1253_moderate -- cnssi-1253_low -- cnssi-1253_high + - ios + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - ios_stig severity: medium supervised: true mobileconfig: true diff --git a/rules/os/os_esim_transfers_disable.yaml b/rules/os/os_esim_transfers_disable.yaml index 3eaba0ca..08724ad7 100644 --- a/rules/os/os_esim_transfers_disable.yaml +++ b/rules/os/os_esim_transfers_disable.yaml @@ -1,21 +1,26 @@ id: os_esim_transfers_disable -title: "Ensure the ability to transfer an eSIM is set to Disabled" +title: Ensure the ability to transfer an eSIM is set to Disabled discussion: | Outgoing transfers of eSIMs _MUST_ be disabled. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: - - N/A + cci: + - CCI-000366 800-53r5: - N/A + sfr: + - 'FMT_MOF_EXT.1.2 #47' + disa_stig: + - AIOS-26-017900 iOS: - - "26.0" + - '26.0' tags: - ios + - ios_stig supervised: false mobileconfig: true mobileconfig_info: 
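Review bot: os_esim_transfers_disable now lists `- CCI-000366` under cci while 800-53r5 stays `- N/A`; elsewhere in this commit CCI-000366 is paired with CM-6 (os_facetime_disable, os_erase_contents_and_settings_disable), so either the control mapping was missed here or the CCI is wrong. If the mapping is intended, change the 800-53r5 entry to `- CM-6`. The newly added sfr and disa_stig entries are otherwise consistent with the sibling rules.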
diff --git a/rules/os/os_exchange_SMIME_encryption_certificate_overwirte_disable.yaml b/rules/os/os_exchange_SMIME_encryption_certificate_overwrite_disable.yaml similarity index 90% rename from rules/os/os_exchange_SMIME_encryption_certificate_overwirte_disable.yaml rename to rules/os/os_exchange_SMIME_encryption_certificate_overwrite_disable.yaml index dc0bf1e3..899723a2 100644 --- a/rules/os/os_exchange_SMIME_encryption_certificate_overwirte_disable.yaml +++ b/rules/os/os_exchange_SMIME_encryption_certificate_overwrite_disable.yaml @@ -1,4 +1,4 @@ -id: os_exchange_SMIME_encryption_certificate_overwirte_disable +id: os_exchange_SMIME_encryption_certificate_overwrite_disable title: "Disable changing the S/MIME encryption settings." discussion: | The iOS device needs some specific configurations for the Exchange setup to meet the minimum requirements. diff --git a/rules/os/os_exchange_SMIME_signing_certificate_overwirte_disable.yaml b/rules/os/os_exchange_SMIME_signing_certificate_overwrite_disable.yaml similarity index 90% rename from rules/os/os_exchange_SMIME_signing_certificate_overwirte_disable.yaml rename to rules/os/os_exchange_SMIME_signing_certificate_overwrite_disable.yaml index 86e7d1fc..ae85d692 100644 --- a/rules/os/os_exchange_SMIME_signing_certificate_overwirte_disable.yaml +++ b/rules/os/os_exchange_SMIME_signing_certificate_overwrite_disable.yaml @@ -1,4 +1,4 @@ -id: os_exchange_SMIME_signing_certificate_overwirte_disable +id: os_exchange_SMIME_signing_certificate_overwrite_disable title: "Disable changing the S/MIME signing settings" discussion: | The iOS device needs some specific configurations for the Exchange setup to meet the minimum requirements. diff --git a/rules/os/os_exchange_notes_disable.yaml b/rules/os/os_exchange_notes_disable.yaml index e0e955c1..2ae97929 100644 --- a/rules/os/os_exchange_notes_disable.yaml +++ b/rules/os/os_exchange_notes_disable.yaml 
@@ -1,7 +1,6 @@ id: os_exchange_notes_disable -title: "Ensure Notes service is disabled for Exchange ActiveSync" -discussion: |- - Exchange ActiveSync Notes service can be disabled for an account. Note: The user can reenable the Notes service unless the setting EnableNotesUserOverridable is set to false. +title: Ensure Notes service is disabled for Exchange ActiveSync +discussion: 'Exchange ActiveSync Notes service can be disabled for an account. Note: The user can reenable the Notes service unless the setting EnableNotesUserOverridable is set to false.' check: ' ' fix: This is implemented by a Configuration Profile references: @@ -14,18 +13,21 @@ references: sfr: - 'FMT_SMF_EXT.1.1 #47' indigo: - - ANNEX D (Section 5.6.1 - Mail) + - ANNEX D (Section 5.6.1 - Mail) cis: benchmark: - N/A controls v8: - N/A + disa_stig: + - AIOS-26-011300 iOS: - - "26.0" + - '26.0' tags: - ios - indigo_base - indigo_high + - ios_stig severity: medium supervised: false mobileconfig: true diff --git a/rules/os/os_exchange_notes_user_override_disable.yaml b/rules/os/os_exchange_notes_user_override_disable.yaml index bae2239c..e34cd2d2 100644 --- a/rules/os/os_exchange_notes_user_override_disable.yaml +++ b/rules/os/os_exchange_notes_user_override_disable.yaml @@ -1,7 +1,6 @@ id: os_exchange_notes_user_override_disable -title: "Ensure Notes service override is disabled for Exchange ActiveSync" -discussion: |- - Exchange ActiveSync Notes service can be disabled for a user. Setting EnableNotesUserOverridable to false prevents the user from altering the service status. +title: Ensure Notes service override is disabled for Exchange ActiveSync +discussion: Exchange ActiveSync Notes service can be disabled for a user. Setting EnableNotesUserOverridable to false prevents the user from altering the service status. check: ' ' fix: This is implemented by a Configuration Profile references: 
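Review bot: Replacing the `|-` block scalars with one-line discussions makes these lines far longer than the project's other discussion fields and, in os_exchange_notes_disable, forces single quotes only because the text contains `Note: `; a folded block (`discussion: >-`) yields the same runtime string with readable wrapping and no quoting. The same conversion is made in os_exchange_notes_user_override_disable, os_exchange_reminders_disable and os_exchange_reminders_user_override_disable. Separately, all four rules now cite the same `AIOS-26-011300`; if that STIG item covers all four settings this is fine, but it is worth confirming rather than inheriting by copy.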
@@ -14,18 +13,21 @@ references: sfr: - 'FMT_SMF_EXT.1.1 #47' indigo: - - ANNEX D (Section 5.6.1 - Mail) + - ANNEX D (Section 5.6.1 - Mail) cis: benchmark: - N/A controls v8: - N/A + disa_stig: + - AIOS-26-011300 iOS: - - "26.0" + - '26.0' tags: - ios - indigo_base - indigo_high + - ios_stig severity: medium supervised: false mobileconfig: true diff --git a/rules/os/os_exchange_prevent_move_enforce.yaml b/rules/os/os_exchange_prevent_move_enforce.yaml deleted file mode 100644 index aaf9ac12..00000000 --- a/rules/os/os_exchange_prevent_move_enforce.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: os_exchange_prevent_move_enforce -title: "Prevent move manged mails to another account." -discussion: | - The iOS device needs some specific configurations for the Exchange setup to meet the minimum requirements. - - The setting, prevent moving to another account _MUST_ be configured to prevent data leakage. -check: " " -fix: | - This is implemented by a Configuration Profile. -references: - cce: - - N/A - 800-53r5: - - N/A - indigo: - - ANNEX D (Section 5.6.1 - Mail) -iOS: - - "26.0" -tags: - - ios - - indigo_base - - indigo_high -supervised: false -mobileconfig: true -mobileconfig_info: - com.apple.mail.managed: - PreventMove: true diff --git a/rules/os/os_exchange_reminders_disable.yaml b/rules/os/os_exchange_reminders_disable.yaml index 585ef4fe..09efe564 100644 --- a/rules/os/os_exchange_reminders_disable.yaml +++ b/rules/os/os_exchange_reminders_disable.yaml 
@@ -1,7 +1,6 @@ id: os_exchange_reminders_disable -title: "Ensure Reminders service is disabled for Exchange ActiveSync" -discussion: |- - Exchange ActiveSync system can disable the Reminders service for an account. Note: The user can reenable the Notes service unless the setting 'EnableRemindersUserOverridable' is set to false. +title: Ensure Reminders service is disabled for Exchange ActiveSync +discussion: 'Exchange ActiveSync system can disable the Reminders service for an account. Note: The user can reenable the Notes service unless the setting ''EnableRemindersUserOverridable'' is set to false.' check: ' ' fix: This is implemented by a Configuration Profile references: @@ -14,18 +13,21 @@ references: sfr: - 'FMT_SMF_EXT.1.1 #47' indigo: - - ANNEX D (Section 5.6.1 - Mail) + - ANNEX D (Section 5.6.1 - Mail) cis: benchmark: - N/A controls v8: - N/A + disa_stig: + - AIOS-26-011300 iOS: - - "26.0" + - '26.0' tags: - ios - indigo_base - indigo_high + - ios_stig severity: medium supervised: false mobileconfig: true diff --git a/rules/os/os_exchange_reminders_user_override_disable.yaml b/rules/os/os_exchange_reminders_user_override_disable.yaml index 76a471dd..ae6f38ee 100644 --- a/rules/os/os_exchange_reminders_user_override_disable.yaml +++ b/rules/os/os_exchange_reminders_user_override_disable.yaml 
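Review bot: The rewritten discussion of os_exchange_reminders_disable still says "The user can reenable the Notes service unless the setting ''EnableRemindersUserOverridable'' is set to false" — this is the Reminders rule, so "Notes" is a copy-paste error carried into the new line. Change it to `The user can reenable the Reminders service unless the setting ''EnableRemindersUserOverridable'' is set to false.` (the doubled quotes are required inside the single-quoted scalar as written).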
@@ -1,7 +1,6 @@ id: os_exchange_reminders_user_override_disable -title: "Ensure Reminders service override is disabled for Exchange ActiveSync" -discussion: |- - Exchange ActiveSync system can disable the Reminders service for an account, but it can be reenabled by the user. The Reminders service is completely disabled when the 'EnableRemindersUserOverridable' setting is set to 'false'. +title: Ensure Reminders service override is disabled for Exchange ActiveSync +discussion: Exchange ActiveSync system can disable the Reminders service for an account, but it can be reenabled by the user. The Reminders service is completely disabled when the 'EnableRemindersUserOverridable' setting is set to 'false'. check: ' ' fix: This is implemented by a Configuration Profile references: @@ -14,18 +13,21 @@ references: sfr: - 'FMT_SMF_EXT.1.1 #47' indigo: - - ANNEX D (Section 5.6.1 - Mail) + - ANNEX D (Section 5.6.1 - Mail) cis: benchmark: - N/A controls v8: - N/A + disa_stig: + - AIOS-26-011300 iOS: - - "26.0" + - '26.0' tags: - ios - indigo_base - indigo_high + - ios_stig severity: medium supervised: false mobileconfig: true diff --git a/rules/os/os_external_intelligence_integration_disable.yaml b/rules/os/os_external_intelligence_integration_disable.yaml index a4a4cbcf..731a955f 100644 --- a/rules/os/os_external_intelligence_integration_disable.yaml +++ b/rules/os/os_external_intelligence_integration_disable.yaml 
@@ -1,34 +1,35 @@ id: os_external_intelligence_integration_disable -title: "External Intelligence Integrations Must Be Disabled" +title: External Intelligence Integrations Must Be Disabled discussion: | The external intelligence integration feature of Apple Intelligence allows information to be downloaded from the device and processed by an external application in the cloud. The external intelligence integration feature of Apple Intelligence increases the risk of compromise of sensitive information. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95473-5 + - CCE-95473-5 cci: - - CCI-000366 + - CCI-000366 800-53r5: - - CM-6 - - CM-7 - - AC-20 + - CM-6 + - CM-7 + - AC-20 sfr: - - "FMT_MOF_EXT.1.2 #47" + - 'FMT_MOF_EXT.1.2 #47' disa_stig: - - N/A + - AIOS-26-015400 indigo: - - ANNEX K + - ANNEX K iOS: -- "26.0" + - '26.0' tags: -- ios -- indigo_base -- indigo_high -- cnssi-1253_moderate -- cnssi-1253_low -- cnssi-1253_high + - ios + - indigo_base + - indigo_high + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - ios_stig severity: medium supervised: true mobileconfig: true diff --git a/rules/os/os_external_intelligence_integration_sign_in_disable.yaml b/rules/os/os_external_intelligence_integration_sign_in_disable.yaml index cf1471d5..2c79613c 100644 --- a/rules/os/os_external_intelligence_integration_sign_in_disable.yaml +++ b/rules/os/os_external_intelligence_integration_sign_in_disable.yaml 
@@ -1,10 +1,10 @@ id: os_external_intelligence_integration_sign_in_disable -title: "Sign In to External Intelligence Integrations Must Be Disabled" +title: Sign In to External Intelligence Integrations Must Be Disabled discussion: | The ability to sign into external intelligence integrations _MUST_ be disabled. The external intelligence integration feature of Apple Intelligence allows information to be downloaded from the device and processed by an external application in the cloud. The external intelligence integration feature of Apple Intelligence increases the risk of compromise of sensitive information. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: @@ -17,9 +17,9 @@ references: - CM-7 - AC-20 sfr: - - "FMT_MOF_EXT.1.2 #47" + - 'FMT_MOF_EXT.1.2 #47' disa_stig: - - N/A + - AIOS-26-015400 cis: benchmark: - 2.9.1 (level 1 - End-User Owned Devices) @@ -31,7 +31,7 @@ references: indigo: - ANNEX K iOS: - - "26.0" + - '26.0' tags: - ios - cis_lvl1_byod @@ -44,6 +44,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: medium supervised: true mobileconfig: true diff --git a/rules/os/os_facetime_disable.yaml b/rules/os/os_facetime_disable.yaml new file mode 100644 index 00000000..852c073c --- /dev/null +++ b/rules/os/os_facetime_disable.yaml @@ -0,0 +1,35 @@ +id: os_facetime_disable +title: Disable FaceTime App +discussion: | + FaceTime _MUST_ be disabled. +check: ' ' +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000366 + 800-53r5: + - CM-6 + - CM-7 + sfr: + - 'FMT_MOF_EXT.1.2 #47' + disa_stig: + - AIOS-26-017800 + indigo: + - N/A +iOS: + - '26.0' +tags: + - ios + - ios_stig + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +severity: high +supervised: true +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowVideoConferencing: false 
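Review bot: The new os_facetime_disable rule is introduced at `severity: high` with a one-line discussion, `FaceTime _MUST_ be disabled.`, that gives no rationale; the other rules in this commit explain the risk the setting mitigates, and a high-severity finding in particular should say why. Add a second sentence describing the risk the STIG cites for allowVideoConferencing, taken from the STIG text for AIOS-26-017800 rather than guessed.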
diff --git a/rules/os/os_files_network_drive_access_disable.yaml b/rules/os/os_files_network_drive_access_disable.yaml index edfad17d..613f4637 100644 --- a/rules/os/os_files_network_drive_access_disable.yaml +++ b/rules/os/os_files_network_drive_access_disable.yaml @@ -1,23 +1,23 @@ id: os_files_network_drive_access_disable -title: "Ensure Allow Network Drive Access in Files App is Set to Disabled" +title: Ensure Allow Network Drive Access in Files App is Set to Disabled discussion: | Network drive access in Files app _MUST_ be disabled. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-000366 - CCI-000097 - CCI-000370 800-53r5: - AC-20(2) sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-014300 indigo: - ANNEX K cis: @@ -26,7 +26,7 @@ references: controls v8: - 1.2 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_moderate @@ -38,7 +38,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: true mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_files_usb_drive_access_disable.yaml b/rules/os/os_files_usb_drive_access_disable.yaml index 94a66121..335c6ad5 100644 --- a/rules/os/os_files_usb_drive_access_disable.yaml +++ b/rules/os/os_files_usb_drive_access_disable.yaml @@ -1,25 +1,25 @@ id: os_files_usb_drive_access_disable -title: "Ensure Allow USB Drive Access in Files App is Set to Disabled" +title: Ensure Allow USB Drive Access in Files App is Set to Disabled discussion: | USB drive access in Files app _MUST_ be disabled. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-000366 - CCI-000097 - CCI-000370 800-53r5: - AC-20(2) - 800-53r4: + 800-53r4: - N/A sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-013300 indigo: - ANNEX K cis: 
@@ -28,7 +28,7 @@ references: controls v8: - 1.2 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_moderate @@ -40,7 +40,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: true mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_find_my_friends_disable.yaml b/rules/os/os_find_my_friends_disable.yaml index 9b632aea..9013e3f2 100644 --- a/rules/os/os_find_my_friends_disable.yaml +++ b/rules/os/os_find_my_friends_disable.yaml @@ -1,10 +1,10 @@ id: os_find_my_friends_disable -title: "Disable Find My Friends Service" +title: Disable Find My Friends Service discussion: | The Find My Friends service _MUST_ be disabled. Sharing the location of a device may be an violation to an organization and potentially put users at risk. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile references: @@ -19,9 +19,9 @@ references: - CM-7 - CM-7(1) sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-013100 indigo: - ANNEX K cis: @@ -30,7 +30,7 @@ references: controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -40,6 +40,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: low supervised: true mobileconfig: true diff --git a/rules/os/os_force_encrypted_backups_enable.yaml b/rules/os/os_force_encrypted_backups_enable.yaml index a675a916..bbcde068 100644 --- a/rules/os/os_force_encrypted_backups_enable.yaml +++ b/rules/os/os_force_encrypted_backups_enable.yaml @@ -1,8 +1,8 @@ id: os_force_encrypted_backups_enable -title: "Ensure Force Encrypted Backups is Enabled" +title: Ensure Force Encrypted Backups is Enabled discussion: | iOS and iPadOS backups _MUST_ be encrypted. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: 
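Review bot: The discussion of os_find_my_friends_disable, kept as context in its first hunk, reads "Sharing the location of a device may be an violation to an organization", which is grammatically broken; suggest `Sharing the location of a device may violate organizational policy and potentially put users at risk.` Since the commit already touches the surrounding lines, fixing it here avoids a separate wording-only change.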
@@ -18,11 +18,11 @@ references: - CP-09(8) - SC-28 sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-010700 indigo: - - ANNEX D (Section 5.3 - Description of security/key management) + - ANNEX D (Section 5.3 - Description of security/key management) - ANNEX K cis: benchmark: @@ -31,7 +31,7 @@ references: controls v8: - 11.3 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -47,7 +47,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_genmoji_disable.yaml b/rules/os/os_genmoji_disable.yaml index baa39b67..ca3914a6 100644 --- a/rules/os/os_genmoji_disable.yaml +++ b/rules/os/os_genmoji_disable.yaml @@ -1,32 +1,33 @@ id: os_genmoji_disable -title: "Ensure the Ability to Create Genmojis is Set to Disabled" +title: Ensure the Ability to Create Genmojis is Set to Disabled discussion: | Use of Genmojis _MUST_ be disabled. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95480-0 + - CCE-95480-0 cci: - - N/A + - CCI-000366 800-53r5: - - CM-7 - - CM-7(1) + - CM-7 + - CM-7(1) sfr: - - N/A + - 'FMT_MOF_EXT.1.2 #47' disa_stig: - - N/A + - AIOS-26-017400 iOS: -- "26.0" + - '26.0' tags: -- ios -- 800-53r5_low -- 800-53r5_moderate -- 800-53r5_high -- cnssi-1253_moderate -- cnssi-1253_low -- cnssi-1253_high + - ios + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - ios_stig supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml index 3ec206b9..5a4460b4 100644 --- a/rules/os/os_handoff_disable.yaml +++ b/rules/os/os_handoff_disable.yaml 
@@ -1,16 +1,16 @@ id: os_handoff_disable -title: "Disable Handoff" +title: Disable Handoff discussion: | - Handoff _MUST_ be disabled. + Handoff _MUST_ be disabled. Handoff allows you to continue working on a document or project when the user switches from one Apple device to another. Disabling Handoff prevents data transfers to unauthorized devices. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-000366 - CCI-000370 - CCI-000381 @@ -20,9 +20,9 @@ references: - CM-7 - CM-7(1) disa_stig: - - N/A + - AIOS-26-010800 sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' indigo: - ANNEX K cis: @@ -32,7 +32,7 @@ references: controls v8: - 3.3 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -46,7 +46,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "low" + - ios_stig +severity: low supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_hide_apps_disable.yaml b/rules/os/os_hide_apps_disable.yaml new file mode 100644 index 00000000..674cc213 --- /dev/null +++ b/rules/os/os_hide_apps_disable.yaml @@ -0,0 +1,31 @@ +id: os_hide_apps_disable +title: Disable Ability to Hide Apps +discussion: | + Hidden apps cannot be seen by enterprise management applications (e.g., MDM server), and therefore, unauthorized apps or apps with embedded malware could be installed and hidden from the MDM or mobile threat detection (MTD) apps. Hidden apps may lead to the compromise of sensitive data. +check: ' ' +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000366 + 800-53r5: + - CM-7 + - CM-7(1) + - SC-07(10) + sfr: + - 'FMT_SMF.1.1 #47' + disa_stig: + - 'AIOS-26-015600' +iOS: + - "26.0" +tags: + - ios + - ios_stig +severity: medium +supervised: true +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowAppsToBeHidden: false 
diff --git a/rules/os/os_ibeacon_airprint_disable.yaml b/rules/os/os_ibeacon_airprint_disable.yaml new file mode 100644 index 00000000..629a8aaa --- /dev/null +++ b/rules/os/os_ibeacon_airprint_disable.yaml @@ -0,0 +1,33 @@ +id: os_ibeacon_airprint_disable +title: Disable Discovery of AirPrint Printers using iBeacons +discussion: | + iBeacon discovery _MUST_ be disabled to prevent AirPrint Bluebooth beacons from being potentially exploited for network phishing. +check: ' ' +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000366 + 800-53r5: + - CM-6 + sfr: + - 'FMT_MOF_EXT.1.2 #47' + disa_stig: + - AIOS-26-016700 + indigo: + - N/A +iOS: + - '26.0' +tags: + - ios + - ios_stig + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +supervised: true +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowAirPrintiBeaconDiscovery: false diff --git a/rules/os/os_image_playground_disable.yaml b/rules/os/os_image_playground_disable.yaml index 6da7ac7c..38b4f4c6 100644 --- a/rules/os/os_image_playground_disable.yaml +++ b/rules/os/os_image_playground_disable.yaml 
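Review bot: The discussion of the new os_ibeacon_airprint_disable rule misspells the technology: "AirPrint Bluebooth beacons" should read `AirPrint Bluetooth beacons`. The new rules in this commit also differ in which N/A reference sections they carry — this one has `indigo: - N/A` and no cis block, os_bluetooth_modification_disable has both, os_camera_disable and os_hide_apps_disable have neither — so the generated documents will differ in structure; pick one template for new rules.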
@@ -1,32 +1,33 @@ id: os_image_playground_disable -title: "Ensure the Ability to Use AI Image Generation is Set to Disabled" +title: Ensure the Ability to Use AI Image Generation is Set to Disabled discussion: | AI image generation _MUST_ be disabled. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95482-6 + - CCE-95482-6 cci: - - N/A + - CCI-000366 800-53r5: - - CM-7 - - CM-7(1) + - CM-7 + - CM-7(1) sfr: - - N/A + - 'FMT_MOF_EXT.1.2 #47' disa_stig: - - N/A + - AIOS-26-017300 iOS: -- "26.0" + - '26.0' tags: -- ios -- 800-53r5_low -- 800-53r5_moderate -- 800-53r5_high -- cnssi-1253_moderate -- cnssi-1253_low -- cnssi-1253_high + - ios + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - ios_stig supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_image_wand_disable.yaml b/rules/os/os_image_wand_disable.yaml index 5ca84969..86953b33 100644 --- a/rules/os/os_image_wand_disable.yaml +++ b/rules/os/os_image_wand_disable.yaml 
@@ -1,37 +1,38 @@ id: os_image_wand_disable -title: "Disable Apple Intelligence ImageWand" +title: Disable Apple Intelligence ImageWand discussion: | Apple Intelligence features such as Apple ImageWand _MUST_ be disabled. -check: " " +check: ' ' result: string: 'false' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95483-4 + - CCE-95483-4 cci: - - N/A + - CCI-000366 800-53r5: - - CM-7 - - CM-7(1) + - CM-7 + - CM-7(1) sfr: - - N/A + - 'FMT_MOF_EXT.1.2 #47' disa_stig: - - N/A + - AIOS-26-017200 indigo: - - ANNEX K + - ANNEX K iOS: -- "26.0" + - '26.0' tags: -- ios -- indigo_high -- 800-53r5_low -- 800-53r5_moderate -- 800-53r5_high -- cnssi-1253_moderate -- cnssi-1253_low -- cnssi-1253_high + - ios + - indigo_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - ios_stig mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_install_configuration_profile_disable.yaml b/rules/os/os_install_configuration_profile_disable.yaml index e19689cc..29154be7 100644 --- a/rules/os/os_install_configuration_profile_disable.yaml +++ b/rules/os/os_install_configuration_profile_disable.yaml 
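Review bot: os_image_wand_disable keeps a `result: string: 'false'` block beneath `check: ' '`; with no check command there is nothing that produces a result, and no other rule in this commit carries a result block, so it looks like a leftover that should be removed. The rule is also the only one in the commit with no `supervised:` key — add `supervised: true` or `false` according to Apple's requirement for the underlying restriction so the profile generator sees the same schema as the other rules. The mobileconfig_info key itself is outside this hunk.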
@@ -1,44 +1,45 @@ id: os_install_configuration_profile_disable -title: "Ensure Allow Installing Configuration Profiles is Set to Disabled" +title: Ensure Allow Installing Configuration Profiles is Set to Disabled discussion: | Configuration profiles _MUST_ be installed via an organization's MDM. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95484-2 + - CCE-95484-2 cci: - - N/A + - N/A 800-53r5: - - CM-6 - - CM-7 - - CM-7(1) + - CM-6 + - CM-7 + - CM-7(1) 800-53r4: - - N/A + - N/A sfr: - - N/A + - N/A disa_stig: - - N/A + - AIOS-26-015500 indigo: - ANNEX K cis: benchmark: - - 3.2.1.15 (level 1 - Institutionally-Owned Devices) + - 3.2.1.15 (level 1 - Institutionally-Owned Devices) controls v8: - - 4.1 + - 4.1 iOS: -- "26.0" + - '26.0' tags: -- ios -- cis_lvl1_enterprise -- cis_lvl2_enterprise -- cisv8 -- indigo_base -- indigo_high -- cnssi-1253_moderate -- cnssi-1253_low -- cnssi-1253_high + - ios + - cis_lvl1_enterprise + - cis_lvl2_enterprise + - cisv8 + - indigo_base + - indigo_high + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - ios_stig severity: medium supervised: true mobileconfig: true diff --git a/rules/os/os_install_vpn_configuration_disable.yaml b/rules/os/os_install_vpn_configuration_disable.yaml index 869ad849..25e4be70 100644 --- a/rules/os/os_install_vpn_configuration_disable.yaml +++ b/rules/os/os_install_vpn_configuration_disable.yaml @@ -1,14 +1,14 @@ id: os_install_vpn_configuration_disable -title: "Ensure Allow Adding VPN Configurations is Set to Disabled" +title: Ensure Allow Adding VPN Configurations is Set to Disabled discussion: | VPN configurations _MUST_ be installed via an organization's MDM. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-000366 - CCI-000370 - CCI-000066 
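Review bot: os_install_configuration_profile_disable gains `- AIOS-26-015500` but keeps `cci: - N/A` and `sfr: - N/A`, whereas the other rules in this commit that received a STIG id were also given a CCI (mostly CCI-000366) and an SFR. If the STIG item maps to a CCI, add it here for consistency; if it does not, a short comment above the cci entry would save the next reviewer the same question.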
@@ -16,12 +16,12 @@ references: - AC-17 - AC-17(1) - AC-17(3) - 800-53r4: + 800-53r4: - N/A sfr: - - "FMT_SMF_EXT.1.1 #3" + - 'FMT_SMF_EXT.1.1 #3' disa_stig: - - N/A + - AIOS-26-001000 indigo: - ANNEX D (Section 5.10.3 - Manual VPN) cis: @@ -30,7 +30,7 @@ references: controls v8: - 12.7 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -44,7 +44,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "low" + - ios_stig +severity: low supervised: true mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_iphone_mirroring_disable.yaml b/rules/os/os_iphone_mirroring_disable.yaml index dbf03f02..22b7e03d 100644 --- a/rules/os/os_iphone_mirroring_disable.yaml +++ b/rules/os/os_iphone_mirroring_disable.yaml @@ -20,11 +20,12 @@ references: indigo: - ANNEX K disa_stig: - - N/A + - AIOS-26-015800 iOS: - "26.0" tags: - ios + - ios_stig - indigo_base - indigo_high - cnssi-1253_moderate diff --git a/rules/os/os_iphone_widgets_on_mac_disable.yaml b/rules/os/os_iphone_widgets_on_mac_disable.yaml index 0c2a2af3..7d100545 100644 --- a/rules/os/os_iphone_widgets_on_mac_disable.yaml +++ b/rules/os/os_iphone_widgets_on_mac_disable.yaml @@ -1,34 +1,35 @@ id: os_iphone_widgets_on_mac_disable -title: "Disable Use of iPhone Widgets on Mac" +title: Disable Use of iPhone Widgets on Mac discussion: | iPhone widgets on Mac _MUST_ be disabled. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95487-5 + - CCE-95487-5 cci: - - CCI-000366 + - CCI-000366 800-53r5: - - CM-7 - - CM-7(1) + - CM-7 + - CM-7(1) sfr: - - "FMT_SMF_EXT.1.1 #8b" + - 'FMT_SMF_EXT.1.1 #8b' disa_stig: - - N/A + - AIOS-26-010850 cis: benchmark: - - N/A + - N/A controls v8: - - N/A + - N/A iOS: -- "26.0" + - '26.0' tags: -- ios -- cnssi-1253_moderate -- cnssi-1253_low -- cnssi-1253_high + - ios + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - ios_stig severity: low supervised: true mobileconfig: true 
diff --git a/rules/os/os_limit_ad_tracking_enable.yaml b/rules/os/os_limit_ad_tracking_enable.yaml index 48d1166d..2713ba5b 100644 --- a/rules/os/os_limit_ad_tracking_enable.yaml +++ b/rules/os/os_limit_ad_tracking_enable.yaml @@ -1,10 +1,10 @@ id: os_limit_ad_tracking_enable -title: "Enable Limit Ad Tracking" +title: Enable Limit Ad Tracking discussion: | Ad tracking and targeted ads _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile references: @@ -20,9 +20,9 @@ references: - CM-7(1) - SC-7(10) sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-010500 indigo: - ANNEX K cis: @@ -31,7 +31,7 @@ references: controls v8: - 4.8 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -42,6 +42,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: low supervised: false mobileconfig: true diff --git a/rules/os/os_mail_maildrop_disable.yaml b/rules/os/os_mail_maildrop_disable.yaml index 581ee266..514b4bf9 100644 --- a/rules/os/os_mail_maildrop_disable.yaml +++ b/rules/os/os_mail_maildrop_disable.yaml @@ -1,14 +1,14 @@ id: os_mail_maildrop_disable -title: "Ensure Allow Mail Drop is Set to Disabled" +title: Ensure Allow Mail Drop is Set to Disabled discussion: | Mail Drop _MUST_ be disabled. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-000366 - CCI-000370 - CCI-002314 @@ -19,11 +19,11 @@ references: - CM-7(1) - SC-07(10) sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-011000 indigo: - - ANNEX D (Section 5.6.1 - Mail) + - ANNEX D (Section 5.6.1 - Mail) cis: benchmark: - 2.7.2 (level 2 - End-User Owned Devices) 
@@ -31,7 +31,7 @@ references: controls v8: - 3.3 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -45,7 +45,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_mail_move_messages_disable.yaml b/rules/os/os_mail_move_messages_disable.yaml index 8272f116..6ec49d6c 100644 --- a/rules/os/os_mail_move_messages_disable.yaml +++ b/rules/os/os_mail_move_messages_disable.yaml @@ -1,14 +1,14 @@ id: os_mail_move_messages_disable -title: "Ensure Allow User to Move Messages from This Account is Set to Disabled" +title: Ensure Allow User to Move Messages from This Account is Set to Disabled discussion: | - Mail from institutionally configured mail accounts _MUST_ not be allowed to move to personal mail accounts. -check: " " + Mail from institutionally configured mail accounts _MUST_ not be allowed to move to personal mail accounts to prevent data leakage. +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-000366 - CCI-000370 - CCI-000764 @@ -19,11 +19,11 @@ references: - SC-4 - SC-07(10) sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-011400 indigo: - - ANNEX D (Section 5.6.1 - Mail) + - ANNEX D (Section 5.6.1 - Mail) cis: benchmark: - 2.7.1 (level 1 - End-User Owned Devices) @@ -31,7 +31,7 @@ references: controls v8: - 3.3 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -47,9 +47,10 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: false mobileconfig: true mobileconfig_info: com.apple.mail.managed: - PreventMove: false + PreventMove: true diff --git a/rules/os/os_marketplace_prevent.yaml b/rules/os/os_marketplace_prevent.yaml index c6f29e02..c566d008 100644 --- a/rules/os/os_marketplace_prevent.yaml +++ b/rules/os/os_marketplace_prevent.yaml 
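Review bot: The `PreventMove: true` correction at the end of the os_mail_move_messages_disable hunk shows that a payload value can be inverted relative to the rule's intent without anything catching it, because these rules have no executable `check` (`check: ' '`). A one-line comment on the key documents the expected sense for the next reviewer, e.g. `PreventMove: true  # true = mail cannot be moved out of the managed account`, and a repository lint that asserts every `*_disable` / `*_prevent` rule's boolean payload agrees with its title would turn this class of slip into a build failure rather than a silent non-enforcement. The same pattern applies to the other boolean payloads in this commit, which are outside their hunks and so not visible here.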
@@ -1,35 +1,36 @@ id: os_marketplace_prevent -title: "Prevent Third Party Marketplaces" +title: Prevent Third Party Marketplaces discussion: | The iOS device _MUST_ be configured to prevent third party marketplaces from being installed. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95495-8 + - CCE-95495-8 cci: - - CCI-000366 + - CCI-000366 sfr: - - "FMT_MOF_EXT.1.2 #47" + - 'FMT_MOF_EXT.1.2 #47' 800-53r5: - - CM-11 + - CM-11 disa_stig: - - N/A + - AIOS-26-014900 indigo: - - ANNEX K + - ANNEX K iOS: -- "26.0" + - '26.0' tags: -- ios -- indigo_base -- indigo_high -- 800-53r5_low -- 800-53r5_moderate -- 800-53r5_high -- cnssi-1253_moderate -- cnssi-1253_low -- cnssi-1253_high + - ios + - indigo_base + - indigo_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - ios_stig severity: medium supervised: true mobileconfig: true diff --git a/rules/os/os_movie_content_allowed.yaml b/rules/os/os_movie_content_allowed.yaml new file mode 100644 index 00000000..db7d79c2 --- /dev/null +++ b/rules/os/os_movie_content_allowed.yaml @@ -0,0 +1,47 @@ +id: os_movie_content_allowed +title: Disable Movie Content +discussion: | + Movie Rating content _MUST_ be set to $ODV on the device. + + Possible values, with the U.S. description of the rating level: + + - `1000`: All + - `500`: NC-17 + - `400`: R + - `300`: PG-13 + - `200`: PG + - `100`: G + - `0`: None +check: ' ' +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000366 + 800-53r5: + - CM-7 + sfr: + - 'FMT_MOF_EXT.1.2 #47' + disa_stig: + - AIOS-26-017000 + indigo: + - N/A +iOS: + - '26.0' +odv: + hint: Ratings Level + recommended: 0 + ios_stig: 0 +tags: + - ios + - ios_stig + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +supervised: false +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + ratingMovies: $ODV 
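Review bot: The new os_movie_content_allowed rule carries a `disa_stig` ID but no `severity` key, unlike the neighbouring STIG-tagged rules in this commit (os_marketplace_prevent directly above sets `severity: medium`); the same is true of os_tv_content_allowed further down, and the os_image_wand_disable, os_pairing_non_configurator_hosts_disable and os_screenshots_disable hunks also end at `supervised`/`mobileconfig` without one. If the baseline generator derives a STIG category from `severity`, these rules will render without it, so a `severity:` value appropriate to the STIG entry should be added. The title `Disable Movie Content` also overstates the rule, since `ratingMovies: $ODV` is an org-defined ceiling that only defaults to `0` (`None`); `title: Restrict Movie Content to an Approved Rating Level` would describe the parameterised behaviour, and the same wording applies to the TV rule.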
diff --git a/rules/os/os_new_device_proximity_disable.yaml b/rules/os/os_new_device_proximity_disable.yaml index a27f0ebb..414aae06 100644 --- a/rules/os/os_new_device_proximity_disable.yaml +++ b/rules/os/os_new_device_proximity_disable.yaml @@ -1,14 +1,14 @@ id: os_new_device_proximity_disable -title: "Ensure Allow Setting Up New Nearby Devices is Set to Disabled" +title: Ensure Allow Setting Up New Nearby Devices is Set to Disabled discussion: | The setting up of new nearby devices _MUST_ be disabled. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-000366 - CCI-000097 - CCI-000370 @@ -17,9 +17,9 @@ references: - CM-7 - CM-7(1) sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-012800 indigo: - ANNEX K cis: @@ -28,7 +28,7 @@ references: controls v8: - 3.13 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -42,7 +42,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: true mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_on_device_dictation_enforce.yaml b/rules/os/os_on_device_dictation_enforce.yaml index 18a3b1d5..94088443 100644 --- a/rules/os/os_on_device_dictation_enforce.yaml +++ b/rules/os/os_on_device_dictation_enforce.yaml @@ -1,10 +1,10 @@ id: os_on_device_dictation_enforce -title: "Ensure On Device Dictation is Enforced" +title: Ensure On Device Dictation is Enforced discussion: | The device _MUST_ be configured for on device dictation. By enforcing on device dictation this will mitigate the risk of unwanted data being sent to Apple. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile references: @@ -19,9 +19,9 @@ references: - AC-20 - SC-7(10) sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-014400 indigo: - ANNEX K cis: 
@@ -30,7 +30,7 @@ references: controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -41,6 +41,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: medium supervised: false mobileconfig: true diff --git a/rules/os/os_on_device_translation_enforce.yaml b/rules/os/os_on_device_translation_enforce.yaml index e4bbd9e3..60f83d9a 100644 --- a/rules/os/os_on_device_translation_enforce.yaml +++ b/rules/os/os_on_device_translation_enforce.yaml @@ -1,10 +1,10 @@ id: os_on_device_translation_enforce -title: "Ensure On Device Translation is Enforced" +title: Ensure On Device Translation is Enforced discussion: | The device _MUST_ be configured for on device translation. By enforcing on device translation this will mitigate the risk of unwanted data being sent to Apple. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile references: @@ -19,9 +19,9 @@ references: - AC-20 - SC-7(10) sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-014500 indigo: - ANNEX K cis: @@ -30,7 +30,7 @@ references: controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -41,6 +41,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: medium supervised: false mobileconfig: true diff --git a/rules/os/os_pairing_non_configurator_hosts_disable.yaml b/rules/os/os_pairing_non_configurator_hosts_disable.yaml index ef95a1b6..a7acc911 100644 --- a/rules/os/os_pairing_non_configurator_hosts_disable.yaml +++ b/rules/os/os_pairing_non_configurator_hosts_disable.yaml 
@@ -1,44 +1,45 @@ id: os_pairing_non_configurator_hosts_disable -title: "Ensure Allow Pairing with Non-Configurator Hosts is Set to Disabled" +title: Ensure Allow Pairing with Non-Configurator Hosts is Set to Disabled discussion: | Host pairing with a non-Configurator host _MUST_ be disabled. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95503-9 + - CCE-95503-9 cci: - - N/A + - CCI-000366 800-53r5: - - CM-6 - - CM-7 - - CM-7(1) + - CM-6 + - CM-7 + - CM-7(1) sfr: - - N/A + - 'FMT_MOF_EXT.1.2 #47' disa_stig: - - N/A + - AIOS-26-016500 indigo: - ANNEX K cis: benchmark: - - 3.2.1.20 (level 2 - Institutionally-Owned Devices) + - 3.2.1.20 (level 2 - Institutionally-Owned Devices) controls v8: - - 4.8 + - 4.8 iOS: -- "26.0" + - '26.0' tags: -- ios -- 800-53r5_low -- 800-53r5_moderate -- 800-53r5_high -- cis_lvl2_enterprise -- cisv8 -- indigo_base -- indigo_high -- cnssi-1253_moderate -- cnssi-1253_low -- cnssi-1253_high + - ios + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - cis_lvl2_enterprise + - cisv8 + - indigo_base + - indigo_high + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - ios_stig supervised: true mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml index 748b3228..6115bde3 100644 --- a/rules/os/os_password_autofill_disable.yaml +++ b/rules/os/os_password_autofill_disable.yaml 
@@ -1,10 +1,10 @@ id: os_password_autofill_disable -title: "Disable Password Autofill" +title: Disable Password Autofill discussion: | - Password Autofill _MUST_ be disabled. + Password Autofill _MUST_ be disabled. iOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the device, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile references: @@ -21,16 +21,16 @@ references: - IA-11 - IA-5 sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-012700 cis: benchmark: - N/A controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -39,6 +39,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: medium supervised: true mobileconfig: true diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml index 26d881bc..7add4361 100644 --- a/rules/os/os_password_proximity_disable.yaml +++ b/rules/os/os_password_proximity_disable.yaml @@ -1,10 +1,10 @@ id: os_password_proximity_disable -title: "Disable Proximity Based Password Sharing Requests" +title: Disable Proximity Based Password Sharing Requests discussion: | - Proximity based password sharing requests _MUST_ be disabled. - + Proximity based password sharing requests _MUST_ be disabled. + The default behavior of iOS is to allow users to request passwords from other known devices (macOS and iOS). This feature _MUST_ be disabled to prevent passwords from being shared. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: @@ -15,11 +15,11 @@ references: - CCI-000097 - CCI-000370 800-53r5: - - IA-5 + - IA-5 sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-012900 indigo: - ANNEX K cis: 
@@ -28,7 +28,7 @@ references: controls v8: - 13.5 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -42,7 +42,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: true mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml index 0ec16553..72ba26bb 100644 --- a/rules/os/os_password_sharing_disable.yaml +++ b/rules/os/os_password_sharing_disable.yaml @@ -1,10 +1,10 @@ id: os_password_sharing_disable -title: "Disable Password Sharing" +title: Disable Password Sharing discussion: | - Password Sharing _MUST_ be disabled. - + Password Sharing _MUST_ be disabled. + The default behavior of iOS/iPadOS is to allow users to share a password over Airdrop between other macOS and iOS devices. This feature _MUST_ be disabled to prevent passwords from being shared. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile references: @@ -17,9 +17,9 @@ references: 800-53r5: - IA-5 sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-013000 indigo: - ANNEX K cis: @@ -28,7 +28,7 @@ references: controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -39,6 +39,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: medium supervised: true mobileconfig: true diff --git a/rules/os/os_require_managed_pasteboard_enforce.yaml b/rules/os/os_require_managed_pasteboard_enforce.yaml index 70f17f62..dc857951 100644 --- a/rules/os/os_require_managed_pasteboard_enforce.yaml +++ b/rules/os/os_require_managed_pasteboard_enforce.yaml 
@@ -1,10 +1,10 @@ id: os_require_managed_pasteboard_enforce -title: "Ensure Copy/Paste of Data from Managed to Unmanaged Applications is Disabled" +title: Ensure Copy/Paste of Data from Managed to Unmanaged Applications is Disabled discussion: | The device _MUST_ be configured to disable copy/paste of data from managed to unmanaged applications. - If 'true', copy and paste functionality respects the 'allowOpenFromManagedToUnmanaged' and 'allowOpenFromUnmanagedToManaged' restrictions. -check: " " + If 'true', copy and paste functionality respects the 'allowOpenFromManagedToUnmanaged' and 'allowOpenFromUnmanagedToManaged' restrictions. +check: ' ' fix: | This is implemented by a Configuration Profile references: @@ -18,9 +18,9 @@ references: - AC-23 - SC-7(10) sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-014600 indigo: - ANNEX K cis: @@ -29,7 +29,7 @@ references: controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - indigo_base @@ -37,6 +37,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: medium supervised: false mobileconfig: true diff --git a/rules/os/os_safari_password_autofill_disable.yaml b/rules/os/os_safari_password_autofill_disable.yaml index 2c4fcd03..737aa2cb 100644 --- a/rules/os/os_safari_password_autofill_disable.yaml +++ b/rules/os/os_safari_password_autofill_disable.yaml 
@@ -1,14 +1,14 @@ id: os_safari_password_autofill_disable -title: "Disable Automatic Completion of Safari Browser Passcodes" +title: Disable Automatic Completion of Safari Browser Passcodes discussion: | The AutoFill functionality in the Safari web browser allows the user to complete a form that contains sensitive information, such as PII, without previous knowledge of the information. By allowing the use of the AutoFill functionality, an adversary who learns a user's iPhone or iPad passcode, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the AutoFill feature to provide information unknown to the adversary. By disabling the AutoFill functionality, the risk of an adversary gaining additional information about the device's user or compromising other systems is significantly mitigated. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-000366 - CCI-000370 - CCI-000381 @@ -19,9 +19,9 @@ references: - IA-11 - IA-5 sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-010600 cis: benchmark: - N/A @@ -29,7 +29,7 @@ references: - 4.1 - 4.8 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -39,7 +39,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "low" + - ios_stig +severity: low supervised: true mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_screenshots_disable.yaml b/rules/os/os_screenshots_disable.yaml index 63d249d9..c9b10b15 100644 --- a/rules/os/os_screenshots_disable.yaml +++ b/rules/os/os_screenshots_disable.yaml 
@@ -7,38 +7,39 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95521-1 + - CCE-95521-1 cci: - - N/A + - CCI-000366 800-53r5: - - CM-7 - - CM-7(1) - - SC-07(10) + - CM-7 + - CM-7(1) + - SC-07(10) sfr: - - N/A + - 'FMT_MOF_EXT.1.2 #47' disa_stig: - - N/A + - AIOS-26-018000 indigo: - ANNEX K cis: benchmark: - - 3.2.1.1 (level 2 - Institutionally-Owned Devices) + - 3.2.1.1 (level 2 - Institutionally-Owned Devices) controls v8: - - 3.3 + - 3.3 iOS: -- "26.0" + - "26.0" tags: -- ios -- 800-53r5_low -- 800-53r5_moderate -- 800-53r5_high -- cis_lvl2_enterprise -- cisv8 -- indigo_base -- indigo_high -- cnssi-1253_moderate -- cnssi-1253_low -- cnssi-1253_high + - ios + - ios_stig + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - cis_lvl2_enterprise + - cisv8 + - indigo_base + - indigo_high + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_show_calendar_lock_screen_disable.yaml b/rules/os/os_show_calendar_lock_screen_disable.yaml index b90e93f8..38d8c30f 100644 --- a/rules/os/os_show_calendar_lock_screen_disable.yaml +++ b/rules/os/os_show_calendar_lock_screen_disable.yaml 
@@ -1,8 +1,8 @@ id: os_show_calendar_lock_screen_disable -title: "Ensure Calendar Notifications When the Device is Locked is Set to Disabled" +title: Ensure Calendar Notifications When the Device is Locked is Set to Disabled discussion: | Many mobile devices display notifications on the lock screen so users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile references: @@ -13,16 +13,16 @@ references: 800-53r5: - AC-11(1) sfr: - - "FMT_SMF_EXT.1.1 #18" + - 'FMT_SMF_EXT.1.1 #18' disa_stig: - - N/A + - AIOS-26-007600 cis: benchmark: - N/A controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_moderate @@ -30,6 +30,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: medium supervised: false mobileconfig: true diff --git a/rules/os/os_show_notification_center_lock_screen_disable.yaml b/rules/os/os_show_notification_center_lock_screen_disable.yaml index df876bf1..99890b2b 100644 --- a/rules/os/os_show_notification_center_lock_screen_disable.yaml +++ b/rules/os/os_show_notification_center_lock_screen_disable.yaml 
@@ -1,21 +1,21 @@ id: os_show_notification_center_lock_screen_disable -title: "Ensure Show Notification Center in Lock Screen is Set to Disabled" +title: Ensure Show Notification Center in Lock Screen is Set to Disabled discussion: | Notification Center _MUST_ be disabled in the lock screen. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-000060 800-53r5: - AC-11(1) sfr: - - "FMT_SMF_EXT.1.1 #18" + - 'FMT_SMF_EXT.1.1 #18' disa_stig: - - N/A + - AIOS-26-007500 indigo: - ANNEX K cis: @@ -25,9 +25,10 @@ references: controls v8: - 4.3 iOS: - - "26.0" + - '26.0' tags: - ios + - ios_stig - 800-53r5_moderate - 800-53r5_high - cis_lvl1_byod @@ -40,7 +41,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" +severity: medium supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_siri_assistant_disable.yaml b/rules/os/os_siri_assistant_disable.yaml index 50cc540d..11e42b44 100644 --- a/rules/os/os_siri_assistant_disable.yaml +++ b/rules/os/os_siri_assistant_disable.yaml @@ -1,10 +1,10 @@ id: os_siri_assistant_disable -title: "Disable Siri service" +title: Disable Siri service discussion: | The iOS built-in Siri service _MUST_ be disabled to prevent organizational data from being synchronized to Apple servers. Apple's Siri service does not provide an organization with enough control over the storage and access of data, and, therefore, automated synchronization _MUST_ be controlled by an organization approved service. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: 
@@ -17,21 +17,28 @@ references: - SC-7(10) indigo: - ANNEX K + cci: + - CCI-000366 + sfr: + - 'FMT_MOF_EXT.1.2 #47' + disa_stig: + - AIOS-26-016100 iOS: - - "26.0" + - '26.0' tags: - ios - indigo_base - indigo_high - 800-53r5_low - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_high - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "high" + - ios_stig +severity: high supervised: false mobileconfig: true -mobileconfig_info: +mobileconfig_info: com.apple.applicationaccess: allowAssistant: false diff --git a/rules/os/os_siri_user_generated_content_disable.yaml b/rules/os/os_siri_user_generated_content_disable.yaml index cc328024..6822050d 100644 --- a/rules/os/os_siri_user_generated_content_disable.yaml +++ b/rules/os/os_siri_user_generated_content_disable.yaml @@ -9,18 +9,25 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95528-6 + - CCE-95528-6 + cci: + - CCI-000366 800-53r5: - - AC-20 - - CM-7 - - CM-7(1) - - SC-7(10) + - AC-20 + - CM-7 + - CM-7(1) + - SC-7(10) indigo: - - ANNEX K + - ANNEX K + sfr: + - 'FMT_MOF_EXT.1.2 #47' + disa_stig: + - AIOS-26-016200 iOS: - "26.0" tags: - ios +- ios_stig - indigo_base - indigo_high - 800-53r5_low diff --git a/rules/os/os_siri_when_locked_disabled.yaml b/rules/os/os_siri_when_locked_disabled.yaml index 824cd9b7..a707e642 100644 --- a/rules/os/os_siri_when_locked_disabled.yaml +++ b/rules/os/os_siri_when_locked_disabled.yaml @@ -1,8 +1,8 @@ id: os_siri_when_locked_disabled -title: "Ensure Allow Siri While Device is Locked is Set to Disabled" +title: Ensure Allow Siri While Device is Locked is Set to Disabled discussion: | Accessing Siri while the device is locked _MUST_ be disabled. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: @@ -16,9 +16,9 @@ references: - CM-7(1) - SC-7(10) sfr: - - "FMT_SMF_EXT.1.1 #8b" + - 'FMT_SMF_EXT.1.1 #8b' disa_stig: - - N/A + - AIOS-26-007200 indigo: - ANNEX K cis: 
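Review bot: The added `- ios_stig` tag at the end of the os_siri_user_generated_content_disable hunk is written flush against the margin and `iOS: - "26.0"` keeps its double quotes, while the same hunk reindents the `references` lists and every other file in the commit is normalised to indented sequences and `'26.0'`; the file therefore ends up with both styles. os_system_settings_find_my_friends_modification_disable has the same flush `- ios_stig`, and os_screenshots_disable keeps `- "26.0"` while indenting its tags. Running the same formatter over these three files, or at least writing the new line as `  - ios_stig`, keeps the tree consistent; the tags list continues past the end of the hunk so the full list is not visible here.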
@@ -28,7 +28,7 @@ references: controls v8: - 4.3 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low @@ -44,7 +44,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: false mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_ssl_for_exchange_activesync_enable.yaml b/rules/os/os_ssl_for_exchange_activesync_enable.yaml index 79e1d85e..56f01a6b 100644 --- a/rules/os/os_ssl_for_exchange_activesync_enable.yaml +++ b/rules/os/os_ssl_for_exchange_activesync_enable.yaml @@ -1,8 +1,8 @@ id: os_ssl_for_exchange_activesync_enable -title: "Ensure SSL for Exchange ActiveSync" +title: Ensure SSL for Exchange ActiveSync discussion: | Exchange email messages are a form of data in transit and thus are vulnerable to eavesdropping and man-in-the-middle attacks. Secure Sockets Layer (SSL), also referred to as Transport Layer Security (TLS), provides encryption and authentication services that mitigate the risk of breach. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile references: @@ -13,22 +13,23 @@ references: 800-53r5: - N/A sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-011300 indigo: - - ANNEX D (Section 5.6.1 - Mail) + - ANNEX D (Section 5.6.1 - Mail) cis: benchmark: - N/A controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - indigo_base - indigo_high + - ios_stig severity: medium supervised: false mobileconfig: true diff --git a/rules/os/os_supervised_mdm_require.yaml b/rules/os/os_supervised_mdm_require.yaml index bd605d0b..076d3240 100644 --- a/rules/os/os_supervised_mdm_require.yaml +++ b/rules/os/os_supervised_mdm_require.yaml 
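Review bot: The discussion in os_ssl_for_exchange_activesync_enable states that SSL is "also referred to as" TLS, which conflates two distinct protocol generations; SSL is the deprecated predecessor and the setting's protective value comes from TLS. Since the commit already edits this hunk, the sentence could read `Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), provides encryption and authentication services that mitigate the risk of breach.` while leaving the title, which names the MDM setting, unchanged. This is wording only; the payload is outside the hunk.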
@@ -1,8 +1,8 @@ id: os_supervised_mdm_require -title: "Enforce Supervised Enrollment in Mobile Device Management" +title: Enforce Supervised Enrollment in Mobile Device Management discussion: | iOS/iPadOS _MUST_ be supervised by a Mobile Device Management (MDM) software. -check: " " +check: ' ' fix: | Enroll the iOS/iPadOS device in a supervised MDM. references: @@ -16,16 +16,16 @@ references: - CM-2 - CM-6 sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-013200 cis: benchmark: - N/A controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - manual - ios @@ -35,6 +35,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: medium mobileconfig: false -mobileconfig_info: +mobileconfig_info: null diff --git a/rules/os/os_system_settings_find_my_friends_modification_disable.yaml b/rules/os/os_system_settings_find_my_friends_modification_disable.yaml index 8d418e2b..a95bfd24 100644 --- a/rules/os/os_system_settings_find_my_friends_modification_disable.yaml +++ b/rules/os/os_system_settings_find_my_friends_modification_disable.yaml @@ -7,17 +7,22 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95534-4 + - CCE-95534-4 800-53r5: - - AC-20 - - CM-7 - - CM-7(1) + - AC-20 + - CM-7 + - CM-7(1) + sfr: + - 'FMT_SMF.1.1 #47' + disa_stig: + - AIOS-26-013100 indigo: - ANNEX K iOS: - "26.0" tags: - ios +- ios_stig - indigo_high - 800-53r5_low - 800-53r5_moderate diff --git a/rules/os/os_tv_content_allowed.yaml b/rules/os/os_tv_content_allowed.yaml new file mode 100644 index 00000000..68094350 --- /dev/null +++ b/rules/os/os_tv_content_allowed.yaml 
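Review bot: In the os_system_settings_find_my_friends_modification_disable hunk the added SFR `- 'FMT_SMF.1.1 #47'` appears to be a typo for `- 'FMT_SMF_EXT.1.1 #47'`, the identifier every other rule in this commit uses for that requirement; the non-extended spelling will not group with the others when references are aggregated per SFR. Please confirm against the STIG entry before changing it. The hunk ends at `- 800-53r5_moderate`, so the remainder of the tags list is outside the view.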
@@ -0,0 +1,48 @@ +id: os_tv_content_allowed +title: Disable TV Content +discussion: | + TV Rating content _MUST_ be set to $ODV on the device. + + Possible values, with the U.S. description of the rating level: + + - `1000`: All + - `600`: TV-MA + - `500`: TV-14 + - `400`: TV-PG + - `300`: TV-G + - `200`: TV-Y7 + - `100`: TV-Y + - `0`: None +check: ' ' +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000366 + 800-53r5: + - CM-7 + sfr: + - 'FMT_MOF_EXT.1.2 #47' + disa_stig: + - AIOS-26-017100 + indigo: + - N/A +iOS: + - '26.0' +odv: + hint: Ratings Level + recommended: 0 + ios_stig: 0 +tags: + - ios + - ios_stig + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high +supervised: false +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + ratingTVShows: $ODV diff --git a/rules/os/os_usb_accessories_when_locked_disable.yaml b/rules/os/os_usb_accessories_when_locked_disable.yaml index acdfb199..3859476b 100644 --- a/rules/os/os_usb_accessories_when_locked_disable.yaml +++ b/rules/os/os_usb_accessories_when_locked_disable.yaml @@ -1,14 +1,14 @@ id: os_usb_accessories_when_locked_disable -title: "Ensure Allow USB Accessories While the Device is Locked is Set to Disabled" +title: Ensure Allow USB Accessories While the Device is Locked is Set to Disabled discussion: | USB devices _MUST_ not be allowed to connect while the device is locked. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-000366 - CCI-000097 - CCI-000370 @@ -18,9 +18,9 @@ references: - SC-7(10) - SC-41 sfr: - - "FMT_SMF_EXT.1.1 #47" + - 'FMT_SMF_EXT.1.1 #47' disa_stig: - - N/A + - AIOS-26-012200 indigo: - ANNEX K cis: @@ -29,7 +29,7 @@ references: controls v8: - 1.2 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low 
@@ -43,7 +43,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: true mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_web_distribution_app_installation_disable.yaml b/rules/os/os_web_distribution_app_installation_disable.yaml index 6cdd725f..a32d6abf 100644 --- a/rules/os/os_web_distribution_app_installation_disable.yaml +++ b/rules/os/os_web_distribution_app_installation_disable.yaml @@ -2,34 +2,35 @@ id: os_web_distribution_app_installation_disable title: Ensure the Ability to Install Apps Directly from the Web is Set to Disabled discussion: | Web distrubtion of app installation _MUST_ be disabled. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95544-3 + - CCE-95544-3 cci: - - CCI-000366 + - CCI-000366 800-53r5: - - CM-11 + - CM-11 indigo: - - ANNEX K + - ANNEX K sfr: - - "FMT_SMF_EXT.1.1 #3" + - 'FMT_SMF_EXT.1.1 #3' disa_stig: - - N/A + - AIOS-26-015000 iOS: -- "26.0" + - '26.0' tags: -- ios -- 800-53r5_low -- 800-53r5_moderate -- 800-53r5_high -- indigo_base -- indigo_high -- cnssi-1253_moderate -- cnssi-1253_low -- cnssi-1253_high + - ios + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - indigo_base + - indigo_high + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - ios_stig severity: medium supervised: false mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml index d4b8d87d..38fc909b 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml 
@@ -1,10 +1,10 @@ id: pwpolicy_account_lockout_enforce -title: "Limit Consecutive Failed Login Attempts to $ODV" +title: Limit Consecutive Failed Login Attempts to $ODV discussion: | The iOS _MUST_ be configured to limit the number of failed login attempts to a maximum of $ODV. - This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. -check: " " + This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. +check: ' ' fix: | This is implemented by a Configuration Profile. references:
@@ -15,10 +15,10 @@ references: 800-53r5: - AC-7 sfr: - - "FMT_SMF_EXT.1.1 #2c" - - 'FIA_AFL_EXT.1.5' + - 'FMT_SMF_EXT.1.1 #2c' + - FIA_AFL_EXT.1.5 disa_stig: - - N/A + - AIOS-26-006900 indigo: - ANNEX D (Section 5.9.1 - Device-Code) - ANNEX K
@@ -29,14 +29,14 @@ references: controls v8: - 4.3 iOS: - - "26.0" + - '26.0' odv: - hint: "Number of failed attempts." + hint: Number of failed attempts. recommended: 6 cis_lvl1_byod: 6 cis_lvl2_byod: 6 cis_lvl1_enterprise: 6 - cis_lvl2_enterprise: 6 + cis_lvl2_enterprise: 6 ios_stig: 10 ios_stig_byoad: 10 indigo_base: 10
@@ -56,7 +56,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: false mobileconfig: true mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_force_pin_enable.yaml b/rules/pwpolicy/pwpolicy_force_pin_enable.yaml
index a08dff41..c11cd99d 100644
--- a/rules/pwpolicy/pwpolicy_force_pin_enable.yaml
+++ b/rules/pwpolicy/pwpolicy_force_pin_enable.yaml
@@ -1,10 +1,10 @@ id: pwpolicy_force_pin_enable -title: "Ensure Force Pin is Set to Enabled" +title: Ensure Force Pin is Set to Enabled discussion: | Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of key encryption or data encryption keys. If a password is not required to access data, this data is accessible to any adversary who obtains physical possession of the device. Requiring that a password be successfully entered before the mobile device data is unencrypted mitigates this risk. Note: MDF PP v2.0 requires a Password Authentication Factor and requires management of its length and complexity. It leaves open whether the existence of a password is subject to management. This requirement addresses the configuration to require a password, which is critical to the cybersecurity posture of the device. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile references:
@@ -15,9 +15,9 @@ references: 800-53r5: - SC-28 sfr: - - 'FIA_UAU_EXT.1.1' + - FIA_UAU_EXT.1.1 disa_stig: - - N/A + - AIOS-26-010400 indigo: - ANNEX D (Section 5.9.1 - Device-Code) cis:
@@ -26,7 +26,7 @@ references: controls v8: - N/A iOS: - - "26.0" + - '26.0' tags: - ios - indigo_base
@@ -34,6 +34,7 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - ios_stig severity: high mobileconfig: 'true' mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml
index bd393bc9..77cb450c 100644
--- a/rules/pwpolicy/pwpolicy_history_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml
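Review bot: `mobileconfig: 'true'` on the context line just below the added `ios_stig` tag (the `@@ -34,6 +34,7 @@` hunk) is a quoted string, whereas every other rule in this diff uses the bare boolean `mobileconfig: true`; given the commit is normalizing scalar quoting, change it to `mobileconfig: true` unless the generator is known to compare this key as a string. The sibling rules also keep a `supervised:` key between `severity` and `mobileconfig`, and none appears in this hunk; if the generator does not default it, add `supervised: false` (or whatever AIOS-26-010400 requires).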
@@ -2,40 +2,41 @@ id: pwpolicy_history_enforce title: Prohibit Password Reuse for a Minimum of $ODV Generations discussion: | The iOS _MUST_ be configured to enforce a password history of at least $ODV previous passwords when a password is created. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-95549-2 + - CCE-95549-2 800-53r5: - - IA-5(1) + - IA-5(1) indigo: - - ANNEX D (Section 5.9.1 - Device-Code) - - ANNEX K + - ANNEX D (Section 5.9.1 - Device-Code) + - ANNEX K cci: - - CCI-004061 + - CCI-004061 sfr: - - "FMT_SMF.1.1 #47" + - 'FMT_SMF.1.1 #47' disa_stig: - - N/A + - AIOS-26-006950 iOS: -- "26.0" + - '26.0' odv: hint: Number of previous passwords. recommended: 2 indigo_base: 2 indigo_high: 2 tags: -- ios -- 800-53r5_low -- 800-53r5_moderate -- 800-53r5_high -- indigo_base -- indigo_high -- cnssi-1253_moderate -- cnssi-1253_low -- cnssi-1253_high + - ios + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - indigo_base + - indigo_high + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high + - ios_stig severity: high supervised: false mobileconfig: true
diff --git a/rules/pwpolicy/pwpolicy_max_grace_period_enforce.yaml b/rules/pwpolicy/pwpolicy_max_grace_period_enforce.yaml
index fe74f3e0..6525a929 100644
--- a/rules/pwpolicy/pwpolicy_max_grace_period_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_max_grace_period_enforce.yaml
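Review bot: The rule gains the `ios_stig` tag but its `odv:` block has no `ios_stig:` entry (only `recommended`, `indigo_base` and `indigo_high`), while pwpolicy_account_lockout_enforce in this same diff carries `ios_stig: 10` for its STIG value. If the generator falls back to `recommended` when the baseline key is absent, the STIG baseline would enforce a history of 2 passwords; confirm the value AIOS-26-006950 requires and add `ios_stig: <STIG value>` under `odv:`.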
@@ -1,24 +1,24 @@ id: pwpolicy_max_grace_period_enforce -title: "Ensure Maximum Grace Period for Device Lock is Set to Immediately" +title: Ensure Maximum Grace Period for Device Lock is Set to Immediately discussion: | The iOS grace period for device lock _MUST_ be configured to immediately. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-000057 800-53r5: - AC-11 - IA-11 sfr: - - "FMT_SMF_EXT.1.1 #2a" + - 'FMT_SMF_EXT.1.1 #2a' disa_stig: - - N/A + - AIOS-26-006800 indigo: - - ANNEX D (Section 5.9.1 - Device-Code) + - ANNEX D (Section 5.9.1 - Device-Code) cis: benchmark: - 2.4.5 (level 1 - End-User Owned Devices)
@@ -26,9 +26,9 @@ references: controls v8: - 4.3 iOS: - - "26.0" + - '26.0' odv: - hint: "Maximum Grace Period in Minutes." + hint: Maximum Grace Period in Minutes. recommended: 0 cis_lvl1_byod: 0 cis_lvl2_byod: 0
@@ -53,7 +53,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: false mobileconfig: true mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_max_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_max_inactivity_enforce.yaml
index e4e164ea..10d11323 100644
--- a/rules/pwpolicy/pwpolicy_max_inactivity_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_max_inactivity_enforce.yaml
@@ -1,24 +1,24 @@ id: pwpolicy_max_inactivity_enforce -title: "Ensure Maximum Auto-Lock is Set to $ODV Minutes or Less" +title: Ensure Maximum Auto-Lock is Set to $ODV Minutes or Less discussion: | The iOS _MUST_ be configured to auto-lock after $ODV minutes. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-000057 800-53r5: - AC-11 - IA-11 sfr: - - "FMT_SMF_EXT.1.1 #2b" + - 'FMT_SMF_EXT.1.1 #2b' disa_stig: - - N/A + - AIOS-26-006800 indigo: - - ANNEX D (Section 5.9.1 - Device-Code) + - ANNEX D (Section 5.9.1 - Device-Code) - ANNEX K cis: benchmark:
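Review bot: `disa_stig` is set to `AIOS-26-006800` in the pwpolicy_max_grace_period_enforce hunk, and the pwpolicy_max_inactivity_enforce hunk further down this line maps to the same ID, so two rules now share one STIG identifier. If that is intentional (one STIG check covering both the auto-lock and grace-period settings), a short comment next to each mapping such as `# shared with pwpolicy_max_inactivity_enforce` would save the next reader a lookup; if not, one of the two IDs is wrong. The other pwpolicy rules in this diff each map to a distinct ID (AIOS-26-006500, AIOS-26-006600, AIOS-26-006900, AIOS-26-006950).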
@@ -27,9 +27,9 @@ references: controls v8: - 4.3 iOS: - - "26.0" + - '26.0' odv: - hint: "Maximum Auto-Lock in Minutes." + hint: Maximum Auto-Lock in Minutes. recommended: 2 cis_lvl1_byod: 2 cis_lvl2_byod: 2
@@ -54,7 +54,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: false mobileconfig: true mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
index db34d318..a394fb20 100644
--- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
@@ -1,23 +1,23 @@ id: pwpolicy_minimum_length_enforce -title: "Require a Minimum Passcode Length of $ODV Characters" +title: Require a Minimum Passcode Length of $ODV Characters discussion: | The iOS _MUST_ be configured to require a minimum of $ODV characters be used when a passcode is created. - This rule enforces passcode complexity by requiring users to set passcode that are less vulnerable to malicious users. -check: " " + This rule enforces passcode complexity by requiring users to set passcode that are less vulnerable to malicious users. +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-000205 800-53r5: - IA-5(1) sfr: - - "FMT_SMF_EXT.1.1 #1a" + - 'FMT_SMF_EXT.1.1 #1a' disa_stig: - - N/A + - AIOS-26-006500 indigo: - ANNEX D (Section 5.9 - Device authentication) - ANNEX K
@@ -28,9 +28,9 @@ references: controls v8: - 5.2 iOS: - - "26.0" + - '26.0' odv: - hint: "Minimum passcode length." + hint: Minimum passcode length. recommended: 6 cis_lvl1_byod: 6 cis_lvl2_byod: 6
@@ -55,7 +55,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: false mobileconfig: true mobileconfig_info:
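Review bot: The rewrapped discussion line `This rule enforces passcode complexity by requiring users to set passcode that are less vulnerable to malicious users.` in the pwpolicy_minimum_length_enforce hunk should read `set passcodes that are`, matching the wording already used in pwpolicy_simple_sequence_disable. The line is already on the new side of this hunk, so the correction costs nothing extra.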
diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
index e701c354..38b93d3a 100644
--- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
@@ -1,23 +1,23 @@ id: pwpolicy_simple_sequence_disable -title: "Prohibit Repeating, Ascending, and Descending Character Sequences" +title: Prohibit Repeating, Ascending, and Descending Character Sequences discussion: | The iOS device _MUST_ be configured to prohibit the use of repeating, ascending, and descending character sequences when a passcode is created. This rule enforces password complexity by requiring users to set passcodes that are less vulnerable to malicious users. -check: " " +check: ' ' fix: | This is implemented by a Configuration Profile. references: cce: - N/A - cci: + cci: - CCI-000366 800-53r5: - IA-5(1) sfr: - - "FMT_SMF_EXT.1.1 #1b" + - 'FMT_SMF_EXT.1.1 #1b' disa_stig: - - N/A + - AIOS-26-006600 indigo: - ANNEX D (Section 5.9 - Device authentication) - ANNEX K
@@ -28,7 +28,7 @@ references: controls v8: - 5.2 iOS: - - "26.0" + - '26.0' tags: - ios - 800-53r5_low
@@ -44,7 +44,8 @@ tags: - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high -severity: "medium" + - ios_stig +severity: medium supervised: false mobileconfig: true mobileconfig_info:
diff --git a/rules/supplemental/supplemental_bsi.yaml b/rules/supplemental/supplemental_bsi.yaml
index 3a6c8d56..94fe8174 100644
--- a/rules/supplemental/supplemental_bsi.yaml
+++ b/rules/supplemental/supplemental_bsi.yaml
@@ -48,4 +48,3 @@ tags: - supplemental mobileconfig: false mobileconfig_info: -
diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml
index d4b23496..d40d4eab 100644
--- a/rules/supplemental/supplemental_cis_manual.yaml
+++ b/rules/supplemental/supplemental_cis_manual.yaml
@@ -140,7 +140,7 @@ discussion: | [cols="15%h, 85%a"] |=== |Section - |Additional Reccomendations + |Additional Recommendations |Recommendations |4.1.1 Review Manage Sharing & Access +
diff --git a/rules/supplemental/supplemental_stig.yaml b/rules/supplemental/supplemental_stig.yaml
index 7099dec7..f98ab6a6 100644
--- a/rules/supplemental/supplemental_stig.yaml
+++ b/rules/supplemental/supplemental_stig.yaml
@@ -1,35 +1,48 @@ id: supplemental_stig title: "DISA STIG Supplemental" discussion: | - These controls are controls that require additional considerations for your environment. + These are controls that require additional considerations for your environment. [cols="20%h, 80%a"] |=== |STIG ID |Rule Title - |AIOS-18-007400 + - AIOS-18-707400| Apple iOS/iPadOS 18 allowlist must be configured to not include applications with the following characteristics: - Backs up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DoD servers; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers. - |AIOS-18-008400 + - AIOS-18-708400| Apple iOS/iPadOS 18 must be configured to display the DoD advisory warning message at startup or each time the user unlocks the device. - |AIOS-18-009200 + - AIOS-18-709200| Apple iOS/iPadOS 18 must be configured to not allow backup of [all applications, configuration data] to locally connected systems. - |AIOS-18-009800| Apple iOS/iPadOS 18 must be configured to disable multi-user modes. - |AIOS-18-009900 + - AIOS-18-709900| Apple iOS/iPadOS 18 must be configured to [selection: wipe protected data, wipe sensitive data] upon un-enrollment from MDM. - |AIOS-18-010000| Apple iOS/iPadOS 18 must be configured to [selection: remove Enterprise applications, remove all non-core applications (any non-factory installed application)] upon un-enrollment from MDM. - |AIOS-18-011200 + - AIOS-18-711200| iPhone and iPad must have the latest available iOS/iPadOS operating system installed. - |AIOS-18-011600| Apple iOS/iPadOS 18 must implement the management setting: Not have any Family Members in Family Sharing. - |AIOS-18-011700| Apple iOS/iPadOS 18 must implement the management setting: not share location data through iCloud. 
- |AIOS-18-011900 + - AIOS-18-711900| Apple iOS/iPadOS 18 users must complete required training. - |AIOS-18-012000 + - AIOS-18-712000| A managed photo app must be used to take and store work-related photos. - |AIOS-18-012650| Apple iOS/iPadOS 18 must implement the management setting: approved Apple Watches must be managed by an MDM. - |AIOS-18-013500| Apple iOS must implement the management setting: Not allow a user to remove Apple iOS configuration profiles that enforce DoD security requirements. - |AIOS-18-014700| Apple iOS/iPadOS 18 must have DOD root and intermediate PKI certificates installed. - |AIOS-18-015500| Apple iOS/iPadOS 18 must disable the download of iOS/iPadOS beta updates. + |AIOS-26-001000| Apple iOS/iPadOS 26 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: on a per-app basis, on a per-group of applications processes basis]. + |AIOS-26-007400| Apple iOS/iPadOS 26 allowlist must be configured to not include applications with the following characteristics: - Backs up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DoD servers; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers. + |AIOS-26-008400| Apple iOS/iPadOS 26 must be configured to display the DoD advisory warning message at startup or each time the user unlocks the device. + |AIOS-26-009200| Apple iOS/iPadOS 26 must be configured to not allow backup of [all applications, configuration data] to locally connected systems. + |AIOS-26-009800| Apple iOS/iPadOS 26 must be configured to disable multi-user modes. + |AIOS-26-009900| Apple iOS/iPadOS 26 must be configured to [selection: wipe protected data, wipe sensitive data] upon un-enrollment from MDM. 
+ |AIOS-26-010000| Apple iOS/iPadOS 26 must be configured to [selection: remove Enterprise applications, remove all non-core applications (any non-factory installed application)] upon un-enrollment from MDM. + |AIOS-26-011200| iPhone and iPad must have the latest available iOS/iPadOS operating system installed. + |AIOS-26-011600| Apple iOS/iPadOS 26 must implement the management setting: Not have any Family Members in Family Sharing. + |AIOS-26-011700| Apple iOS/iPadOS 26 must implement the management setting: not share location data through iCloud. + |AIOS-26-011900| Apple iOS/iPadOS 26 users must complete required training. + |AIOS-26-012000| A managed photo app must be used to take and store work-related photos. + |AIOS-26-012650| Apple iOS/iPadOS 26 must implement the management setting: approved Apple Watches must be managed by an MDM. + |AIOS-26-013500| Apple iOS must implement the management setting: Not allow a user to remove Apple iOS configuration profiles that enforce DoD security requirements. + |AIOS-26-014700| Apple iOS/iPadOS 26 must have DOD root and intermediate PKI certificates installed. + |AIOS-26-015500| Apple iOS/iPadOS 26 must disable the download of iOS/iPadOS beta updates. + |AIOS-26-017700| Apple iOS/iPadOS 26 must have Mobile Threat Detection app installed. + |AIOS-26-018300| Apple iOS/iPadOS 26 must be configurated to disable Wi-Fi Aware. + |=== + + These are controls that will not be configurable if the following are applied. + + - `AIOS-26-016100` Apple iOS/iPadOS 26 must disable the use voice assistant (Siri) unless required to meet Section 508 compliance requirements. + - `AIOS-26-016600` Apple iOS/iPadOS 26 must disable AirPrint. + + [cols="20%h, 80%a"] + |=== + |STIG ID + |Rule Title + + |AIOS-26-016200| Apple iOS/iPadOS 26 must disable the use voice assistant (Show user-generated content in Siri) unless required to meet Section 508 compliance requirements. 
+ |AIOS-26-016300| Apple iOS/iPadOS 26 must disable the use voice assistant (Siri suggestions) unless required to meet Section 508 compliance requirements. + |AIOS-26-016700| Apple iOS/iPadOS 26 must disable AirPrint: Allow discovery of AirPrint printers using iBeacons. + |AIOS-26-016800| Apple iOS/iPadOS 26 must disable AirPrint: Allow storage of AirPrint credentials in Keychain. + |AIOS-26-016900| Apple iOS/iPadOS 26 must allow AirPrint feature: Disallow AirPrint to destinations with untrusted certificates. |=== check: | fix: |
@@ -48,5 +61,6 @@ iOS: - "26.0" tags: - supplemental + - ios_stig mobileconfig: false mobileconfig_info:
diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc
index 53579b26..12533ff5 100644
--- a/templates/adoc_additional_docs.adoc
+++ b/templates/adoc_additional_docs.adoc
@@ -29,7 +29,7 @@ ASSOCIATED DOCUMENTS |=== |Document Number or Descriptor |Document Title -|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_iOS-iPadOS_18_V1R3_STIG.zip[STIG Ver 1, Rel 3]|_Apple iOS/iPadOS 18 STIG - Ver 1, Rel 3_ +|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_iOS-iPadOS_26_V1R1_STIG.zip[STIG Ver 1, Rel 1]|_Apple iOS/iPadOS 26 STIG - Ver 1, Rel 1_ |=== [%header, cols=2*a]
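Review bot: The added row `|AIOS-26-018300| Apple iOS/iPadOS 26 must be configurated to disable Wi-Fi Aware.` misspells `configured`. Several of the new rows (AIOS-26-016100, AIOS-26-016200, AIOS-26-016300) also read `must disable the use voice assistant`, which is missing `of`; if these strings are copied verbatim from the STIG the wording may be deliberate, otherwise `must disable the use of voice assistant` reads correctly. The hunk starts at the `@@ -1,35 +1,48 @@` header higher up in the file.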