Merge branch 'dev_ventura' into ventura

Bob Gendler
2022-10-19 20:20:54 -04:00
13 changed files with 62 additions and 54 deletions


@@ -205,7 +205,6 @@ profile:
- system_settings_install_macos_updates_enforce
- system_settings_internet_accounts_disable
- system_settings_internet_sharing_disable
- system_settings_location_services_audit
- system_settings_location_services_disable
- system_settings_location_services_enable
- system_settings_location_services_menu_enforce


@@ -40,7 +40,6 @@ profile:
- os_home_folders_secure
- os_httpd_disable
- os_install_log_retention_configure
- os_library_validation_enabled
- os_mobile_file_integrity_enable
- os_nfsd_disable
- os_password_hint_remove


@@ -51,7 +51,6 @@ profile:
- os_home_folders_secure
- os_httpd_disable
- os_install_log_retention_configure
- os_library_validation_enabled
- os_mobile_file_integrity_enable
- os_nfsd_disable
- os_password_hint_remove
@@ -97,7 +96,6 @@ profile:
- system_settings_hot_corners_secure
- system_settings_install_macos_updates_enforce
- system_settings_internet_sharing_disable
- system_settings_location_services_audit
- system_settings_location_services_enable
- system_settings_location_services_menu_enforce
- system_settings_loginwindow_loginwindowtext_enable


@@ -28,15 +28,13 @@ references:
- N/A
cis:
benchmark:
- 5.1.4 (level 1)
- N/A
controls v8:
- 2.3
- 2.6
macOS:
- "13.0"
tags:
- cis_lvl1
- cis_lvl2
- cisv8
mobileconfig: true
mobileconfig_info:


@@ -23,7 +23,7 @@ references:
- N/A
cis:
benchmark:
- 6.3 (level 1)
- 6.3.1 (level 1)
controls v8:
- 9
macOS:


@@ -20,7 +20,7 @@ references:
- N/A
cis:
benchmark:
- 2.10 (level 1)
- 6.4.1 (level 1)
controls v8:
- 4.8
macOS:


@@ -9,7 +9,7 @@ discussion: |
|System Settings
|Recommendations
| 2.1.1.1 Audit iCloud Keychain +
|2.1.1.1 Audit iCloud Keychain +
2.1.1.2 Audit iCloud Drive +
2.1.2 Audit App Store Password Settings +
2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information +
@@ -42,7 +42,9 @@ discussion: |
5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured +
5.2.5 Ensure Complex Password Must Contain Special Character Is Configured +
5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured +
5.5 Ensure login keychain is locked when the computer sleeps +
5.3.1 Ensure All User Storage APFS Volumes are Encrypted +
5.3.2 Ensure All User Storage CoreStorage Volumes are Encrypted +
5.5 Ensure Login Keychain is Locked when the Computer Sleeps +
|===
[cols="15%h, 85%a"]


@@ -46,7 +46,7 @@ references:
- 3.13.5
cis:
benchmark:
- 2.3.2.1 (level 1)
- 2.2.1 (level 1)
controls v8:
- 4.1
- 4.5


@@ -1,38 +0,0 @@
id: system_settings_location_services_audit
title: "Audit Location Services"
discussion: |
The organization _MUST_ audit which applications have access to location services.
check: |
sudo /usr/libexec/PlistBuddy -c print /var/db/locationd/clients.plist | grep Dict | awk '(NR>1) { print $1 }'
result:
string: "a list containing approved applications."
fix: |
Review the list of applications and remove any unauthorized applications from System Prefrences->Security & Privacy->Privacy->Location Services.
references:
cce:
- CCE-91961-3
cci:
- N/A
800-53r5:
- N/A
800-53r4:
- N/A
disa_stig:
- N/A
srg:
- N/A
cis:
benchmark:
- 2.5.4 (level 2)
controls v8:
- 2.3
- 4.1
macOS:
- "13.0"
tags:
- cis_lvl2
- cisv8
- cis_manual
- manual
mobileconfig: false
mobileconfig_info:


@@ -30,7 +30,7 @@ references:
- N/A
cis:
benchmark:
- 2.4.3 (level 1)
- 2.3.3.6 (level 1)
controls v8:
- 4.1
- 4.8


@@ -8,7 +8,7 @@ check: |
authDBs=("system.preferences" "system.preferences.energysaver" "system.preferences.network" "system.preferences.printing" "system.preferences.sharing" "system.preferences.softwareupdate" "system.preferences.startupdisk" "system.preferences.timemachine")
result="1"
for section in $authDBs; do
if [[ $(/usr/bin/security authorizationdb read "$section" 2> /dev/null | /usr/bin/grep -A 1 "<key>shared</key>" | /usr/bin/grep -c "<false/>") -ne 1 ]]; then
if [[ $(/usr/bin/security -q authorizationdb read "$section" | /usr/bin/xmllint -xpath 'name(//*[contains(text(), "shared")]/following-sibling::*[1])' -) != "false" ]]; then
result="0"
fi
done
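Review bot: The new xmllint XPath on the `if` line selects any element whose text merely contains "shared" rather than the `shared` key itself, and because `name()` takes the first node in document order, a string value containing that substring earlier in the right's plist would be inspected instead of the key; the OVAL object the generator emits for this same check (`//key[text()="shared"]/following-sibling::…`) uses an exact key match, and the shell check should agree: `/usr/bin/xmllint -xpath 'name(//key[text()="shared"]/following-sibling::*[1])' -`. The rewrite also drops the old `2> /dev/null`, so for a right that is not present in the authorization database `security -q` produces no output and xmllint will likely print a parse error for empty input rather than failing quietly; appending `2>/dev/null` to the xmllint stage keeps the check silent on that path. Separately, `for section in $authDBs` iterates every array element only under zsh — under bash an unsubscripted array expands to its first element only — so the number of rights actually audited depends on the shell the generated compliance script runs in; `for section in "${authDBs[@]}"; do` behaves the same in both. The `check:` script begins before this hunk.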


@@ -31,7 +31,7 @@ references:
- 3.3.7
cis:
benchmark:
- 2.2.1 (level 1)
- 2.3.2.1 (level 1)
controls v8:
- 8.4
macOS:


@@ -2254,7 +2254,57 @@ def generate_scap(all_rules, all_baselines, args):
<authorizationdb_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" comment="{}_test" id="oval:mscp:ste:{}" version="1">
<value_of>{}</value_of>
</authorizationdb_state>'''.format(rule_yaml['id'] + "_" + odv_label,x,key)
x += 1
else:
if "authorizationdb" in rule_yaml['check']:
regex = r"=\(.*.\)"
matchy_match = []
matches = re.finditer(regex, rule_yaml['check'], re.MULTILINE)
for matchNum, match in enumerate(matches, start=1):
matchy_match = match.group().replace('=(',"").replace(")","").replace('"','').split()
oval_definition = oval_definition + '''
<definition id="oval:mscp:def:{}" version="1" class="compliance">
<metadata>
<title>{}</title>
<reference source="CCE" ref_id="{}"/>
<reference source="macos_security" ref_id="{}"/>
<description>{}</description>
</metadata>
<criteria operator="AND">'''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'])
for match in matchy_match:
oval_definition = oval_definition + '''
<criterion comment="{}" test_ref="oval:mscp:tst:{}" />
'''.format(rule_yaml['id'] + "+" + match, x)
oval_test = oval_test + '''
<authorizationdb_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="{}_test" id="oval:mscp:tst:{}" version="2">
<object object_ref="oval:mscp:obj:{}" />
<state state_ref="oval:mscp:ste:{}" />
</authorizationdb_test>'''.format(match,x,x,x)
key="shared"
value=""
if "false" in rule_yaml["check"]:
value="false"
else:
value="true"
oval_object = oval_object + '''
<authorizationdb_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" comment="{}_object" id="oval:mscp:obj:{}" version="1">
<right_name>{}</right_name>
<xpath>boolean(//key[text()="{}"]/following-sibling::{})</xpath>
</authorizationdb_object> '''.format(match,x,match,key,value)
oval_state = oval_state + '''
<authorizationdb_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" comment="{}_state" id="oval:mscp:ste:{}" version="1">
<value_of datatype="boolean" operation="equals">true</value_of>
</authorizationdb_state>'''.format(match,x)
x += 1
oval_definition = oval_definition + "</criteria></definition>"
continue
if "/bin/rm" in rule_yaml['fix'] and "/bin/ls" in rule_yaml['check']:
oval_definition = oval_definition + '''