mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-02-03 14:03:24 +00:00
800-53 changes, stig changes, elyse edits on perms
@@ -21,7 +21,7 @@ references:
- CCI-001314
800-53r4:
- AU-9
- SI-11(b)
- SI-11
srg:
- SRG-OS-000057-GPOS-00027
- SRG-OS-000206-GPOS-00084
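Review bot: the 800-53r4 entry goes from `- SI-11(b)` to `- SI-11`, dropping the control part letter; that is consistent with the other reference hunks in this commit (AU-5(b) to AU-5, AU-12(b) to AU-12), but the `srg` list is unchanged, so please confirm the two SRG entries are still meant to map to the control as a whole rather than to part (b).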
@@ -21,7 +21,7 @@ references:
- CCI-001314
800-53r4:
- AU-9
- SI-11(b)
- SI-11
srg:
- SRG-OS-000057-GPOS-00027
- SRG-OS-000206-GPOS-00084
@@ -12,18 +12,14 @@ references:
cci:
- CCI-000139
800-53r4:
- AU-5(a)
- N/A
disa_stig:
- AOSX-15-200004
- N/A
srg:
- SRG-OS-000046-GPOS-00022
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
- permanent
mobileconfig: false
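Review bot: this hunk swaps one of the paired `- AU-5(a)` / `- N/A` and `- AOSX-15-200004` / `- N/A` entries (four lines net removed per the header), but the `tags` block still carries both `STIG` and `permanent`. If the `disa_stig` entry is the one becoming `N/A`, the `STIG` tag no longer has an ID behind it and should go too; if the ID is the one being added, `permanent` should be re-checked against that STIG item's check text. The commit message only says "stig changes", so the direction should be stated there.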
@@ -1,7 +1,11 @@
id: audit_enforce_dual_auth
title: "Enforce dual authorization for movement or deletion of audit information"
title: "Enforce Dual Authorization for Movement and Deletion of Audit Information"
discussion: |
An authorized user may intentionally or accidentally move or delete audit records without those specific actions being authorized.All bulk manipulation of audit information must be authorized via automatic processes. Any manual manipulation of audit information must require dual authorization. Dual authorization mechanisms require the approval of two authorized individuals to execute.
All bulk manipulation of audit information should be authorized via automatic processes, and any manual manipulation of audit information should require dual authorization. In addition, dual authorization mechanisms should require the approval of two authorized individuals before being executed.

An authorized user may intentionally or accidentally move or delete audit records without those specific actions being authorized, which would result in the loss of information that could, in the future, be critical for forensic investigation.

To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
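Review bot: the rewritten discussion turns every "must" in the old text ("must be authorized via automatic processes", "must require dual authorization") into "should", which reads as a recommendation while `check` still records an applicable, does-not-meet finding. Keep "must" for the requirement sentences, or say explicitly that the wording is advisory because the platform cannot enforce it. The new title also changes "movement or deletion" to "Movement and Deletion"; "or" is the accurate scope, since either action on its own needs dual authorization.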
@@ -15,16 +19,12 @@ references:
800-53r4:
- AU-9(5)
disa_stig:
- AOSX-15-200018
- N/A
srg:
- SRG-OS-000360-GPOS-00147
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
- permanent
mobileconfig: false
@@ -19,7 +19,7 @@ references:
cci:
- CCI-000140
800-53r4:
- AU-5(b)
- AU-5
srg:
- SRG-OS-000047-GPOS-00023
disa_stig:
@@ -21,7 +21,9 @@ references:
cce:
- CCE-84711-1
800-53r4:
- AU-12(c)
- AU-2
- AU-12
- MA-4(1)
srg:
- SRG-OS-000470-GPOS-00214
- SRG-OS-000472-GPOS-00217
@@ -29,10 +29,11 @@ references:
- CCI-002234
- CCI-002884
800-53r4:
- AU-2
- AC-2(4)
- AC-6(9)
- AU-12(c)
- MA-4(1)(a)
- AU-12
- MA-4(1)
srg:
- SRG-OS-000004-GPOS-00004
- SRG-OS-000239-GPOS-00089
@@ -23,9 +23,11 @@ references:
cci:
- CCI-000162
800-53r4:
- AU-12(c)
- AU-2
- AU-12
- AU-9
- CM-5(1)
- MA-4(1)
srg:
- SRG-OS-000365-GPOS-00152
- SRG-OS-000458-GPOS-00203
@@ -23,9 +23,11 @@ references:
cci:
- CCI-000162
800-53r4:
- AU-12(c)
- AU-2
- AU-12
- AU-9
- CM-5(1)
- MA-4(1)
srg:
- SRG-OS-000365-GPOS-00152
- SRG-OS-000458-GPOS-00203
@@ -23,9 +23,11 @@ references:
cci:
- CCI-000162
800-53r4:
- AU-12(c)
- AU-2
- AU-12
- AU-9
- CM-5(1)
- MA-4(1)
srg:
- SRG-OS-000365-GPOS-00152
- SRG-OS-000458-GPOS-00203
@@ -22,8 +22,10 @@ references:
- CCI-000067
- CCI-000172
800-53r4:
- AU-2
- AC-17(1)
- AU-12(c)
- AU-12
- MA-4(1)
srg:
- SRG-OS-000032-GPOS-00013
- SRG-OS-000064-GPOS-00033
@@ -1,7 +1,11 @@
id: audit_off_load_records
title: "Off-load audit records"
title: "Off-Load Audit Records"
discussion: |
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.Off-loading is a common process in information systems with limited audit storage capacity.
Audit records should be off-loaded onto a different system or media from the system being audited.

Information stored in only one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

To secure audit records by off-loading, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
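Review bot: the new last paragraph says off-loading can be met by integrating with enterprise-level auditing mechanisms, yet `check` still declares that the technology does not support the requirement; the two read as contradictory unless the `fix` text (the hunk stops at `fix: |`) names that integration as the expected mitigation. Minor: "applicable-does not meet" is hyphenated as if one term; "applicable, does not meet" or spaces around the dash would read more clearly, and the same string appears in the other permanent-finding rules touched here.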
@@ -14,8 +18,8 @@ references:
800-53r4:
- AU-4(1)
disa_stig:
- AOSX-15-200023
- AOSX-15-200017
- N/A
- N/A
srg:
- SRG-OS-000479-GPOS-00224
- SRG-OS-000342-GPOS-00133
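Review bot: two `disa_stig` lines change between `- AOSX-15-200023` / `- AOSX-15-200017` and two `- N/A` lines while both `srg` entries stay. If the STIG IDs are being dropped, a rule that still claims SRG-OS-000479-GPOS-00224 and SRG-OS-000342-GPOS-00133 with no STIG ID looks incomplete; if they are being added, a single `- N/A` placeholder is all that needed replacing, so please check that two identical `- N/A` lines were really in the file.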
@@ -19,6 +19,7 @@ references:
cci:
- CCI-001858
800-53r4:
- AU-5
- AU-5(2)
srg:
- SRG-OS-000344-GPOS-00135
@@ -40,6 +40,7 @@ references:
- CCI-000366
800-53r4:
- IA-2(3)
- IA-2(4)
srg:
- SRG-OS-000107-GPOS-00054
- SRG-OS-000480-GPOS-00227
@@ -35,6 +35,7 @@ references:
- CCI-000366
800-53r4:
- IA-2(3)
- IA-2(4)
srg:
- SRG-OS-000107-GPOS-00054
- SRG-OS-000480-GPOS-00227
@@ -34,6 +34,7 @@ references:
- CCI-000366
800-53r4:
- IA-2(3)
- IA-2(4)
srg:
- SRG-OS-000107-GPOS-00054
- SRG-OS-000480-GPOS-00227
@@ -1,72 +0,0 @@
id: auth_smartcard_trusted_authorities_configure
title: "Configure Smartcard Trusted Authorities"
discussion: |
Limit Trusted Authorities to authorized sources.
Vendor Description: |
It is possible to specify the Certificate Issuing Authorities used for the trust evaluation
of smart card certificates. This trust works in conjunction with Certificate Trust settings
(1, 2, or 3 required) and is also referred to as Certificate Pinning. Place SHA-256
fingerprints of Certificate Authorities (as string values, comma delimited, and without spaces)
in an array named TrustedAuthorities. Use the example /private/etc/SmartcardLogin.plist file
below as guidance. When Certificate Pinning is used, only SmartCard certificates issued by
Certificate Authorities in this list are evaluated as trusted. Please note that TrustedAuthorities
are ignored when the checkCertificateTrust setting is set to 0 (off). Verify ownership is root
and permissions are set to world readable after editing.
[source,xml]
----
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AttributeMapping</key>
<dict>
<key>dsAttributeString</key>
<string>dsAttrTypeStandard:AltSecurityIdentities</string>
<key>fields</key>
<array>
<string>NT Principal Name</string>
</array>
<key>formatString</key>
<string>Kerberos:$1</string>
</dict>
<key>TrustedAuthorities</key>
<array>
<string>SHA256_HASH_OF_CERTDOMAIN_1,SHA256_HASH_OF_CERTDOMAIN_2</string>
</array>
</dict>
</plist>
----
Citation: link:https://support.apple.com/guide/deployment-reference-macos/advanced-smart-card-options-apd2969ad2d7/1/web/1[Apple]
Vendor Description content Copyright 2020 Apple Inc. All rights reserved.
check: |
/usr/bin/defaults read /etc/SmartcardLogin.plist TrustedAuthorities
result:
string: "If this list does not contain approved SHA-256 hashes, this is a finding."
fix: |
To implement accepting smartcard credentials from only authorized sources
[source,bash]
----
/usr/bin/defaults write /etc/SmartcardLogin.plist TrustedAuthorities -array-add "[TRUSTED AUTHORITY]"
----
NOTE: allowSmartCard will apply to the whole system. Users from a non trusted authority will not be able to login
references:
cce:
- CCE-84728-5
cci:
- N/A
800-53r4:
- IA-2(12)
- IA-5(2)(d)
srg:
- SRG-OS-000384-GPOS-00167
disa_stig:
- N/A
macOS:
- "10.15"
tags:
- fisma-low
- fisma-moderate
- fisma-high
- manual
mobileconfig: false
mobileconfig_info:
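Review bot: this deletes the whole `auth_smartcard_trusted_authorities_configure` rule, and with it the only certificate-pinning guidance for `TrustedAuthorities` in `/etc/SmartcardLogin.plist` plus the CCE-84728-5, IA-2(12), IA-5(2)(d) and SRG-OS-000384-GPOS-00167 references. The commit message ("800-53 changes, stig changes, elyse edits on perms") gives no reason; if a replacement rule exists it should be named, and if the rule is going because the `defaults read` check cannot be automated, it already carries the `manual` tag, so it could stay. If it is later restored, note that the fix used `-array-add`, which appends to whatever list is present; writing the full approved array is safer, since the check only asks that approved hashes be in the list and would not flag an extra unapproved one.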
@@ -17,6 +17,7 @@ references:
- CCI-000381
800-53r4:
- CM-7
- AC-3
- AC-18
- AC-20
srg:
@@ -16,7 +16,7 @@ references:
800-53r4:
- AC-3(4)
disa_stig:
- AOSX-15-100024
- N/A
srg:
- SRG-OS-000312-GPOS-00122
macOS:
@@ -16,8 +16,7 @@ references:
cci:
- CCI-000381
800-53r4:
- CM-6(b)
- CM-7(a)
- AC-20
srg:
- SRG-OS-000480-GPOS-00227
- SRG-OS-000095-GPOS-00049
@@ -14,7 +14,7 @@ references:
800-53r4:
- IA-3
disa_stig:
- AOSX-15-300002
- N/A
srg:
- SRG-OS-000378-GPOS-00163
macOS:
@@ -14,8 +14,7 @@ references:
cci:
- CCI-000381
800-53r4:
- CM-7(a)
- CM-7(b)
- CM-7
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
@@ -15,7 +15,6 @@ references:
- CCI-000185
- CCI-002450
800-53r4:
- IA-5(2)(a)
- SC-17
disa_stig:
- AOSX-14-003001
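Review bot: the `disa_stig` entry `- AOSX-14-003001` is a macOS 10.14 STIG identifier, while every other STIG ID in this commit is `AOSX-15-…`. The header says one line is removed (`-15,7 +15,6`); if that line is not this one, the stale 10.14 ID survives in a 10.15 rule and should be replaced with the 10.15 equivalent or set to `N/A`.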
@@ -16,7 +16,7 @@ references:
800-53r4:
- AC-3(4)
disa_stig:
- AOSX-15-100026
- N/A
srg:
- SRG-OS-000312-GPOS-00124
macOS:
@@ -14,7 +14,7 @@ references:
800-53r4:
- AU-9(3)
disa_stig:
- AOSX-15-100018
- N/A
srg:
- SRG-OS-000278-GPOS-00108
macOS:
@@ -14,7 +14,7 @@ references:
800-53r4:
- CM-5(1)
disa_stig:
- AOSX-15-100029
- N/A
srg:
- SRG-OS-000364-GPOS-00151
macOS:
@@ -1,30 +0,0 @@
id: os_enforce_login_attempt_delay
title: "Enforce deal of 4 second delay between login attempts"
discussion: |
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- CCE-84907-5
cci:
- CCI-000366
800-53r4:
- AC-7
disa_stig:
- AOSX-15-200025
srg:
- SRG-OS-000480-GPOS-00226
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
- permanent
mobileconfig: false
mobileconfig_info:
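Review bot: the deleted title has a typo ("Enforce deal of 4 second delay" for "delay of"), but the removal itself is the bigger question: this rule and `os_limit_invalid_logons` (also deleted in this commit) are the only AC-7 rules visible here, and between them they carried AOSX-15-200025, AOSX-15-200026 and AOSX-15-200016 plus CCE-84907-5. If the lockout requirement is being consolidated into one rule, that rule should appear in this commit gaining those STIG IDs and the SRG-OS-000480-GPOS-00226 reference; otherwise the baselines lose AC-7 coverage silently.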
@@ -12,9 +12,9 @@ references:
cci:
- CCI-001312
800-53r4:
- SI-11(a)
- SI-11
disa_stig:
- AOSX-15-100016
- N/A
srg:
- SRG-OS-000205-GPOS-00083
macOS:
@@ -14,7 +14,7 @@ references:
800-53r4:
- SC-24
disa_stig:
- AOSX-15-100015
- N/A
srg:
- SRG-OS-000184-GPOS-00078
macOS:
@@ -22,6 +22,7 @@ references:
- CCI-002080
800-53r4:
- SC-7(5)
- AC-4
srg:
- SRG-OS-000480-GPOS-00231
disa_stig:
@@ -16,7 +16,7 @@ references:
800-53r4:
- AC-3(4)
disa_stig:
- AOSX-15-100025
- N/A
srg:
- SRG-OS-000312-GPOS-00123
macOS:
@@ -14,6 +14,7 @@ references:
cce:
- CCE-84763-2
800-53r4:
- AC-3
- AC-20
- CM-7
disa_stig:
@@ -17,7 +17,7 @@ references:
cci:
- CCI-000381
800-53r4:
- CM-7(a)
- AC-3
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
@@ -16,7 +16,7 @@ references:
cci:
- CCI-000381
800-53r4:
- CM-7(a)
- AC-20
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
@@ -14,7 +14,7 @@ references:
800-53r4:
- IA-8
disa_stig:
- AOSX-15-300001
- N/A
srg:
- SRG-OS-000121-GPOS-00062
macOS:
@@ -14,7 +14,7 @@ references:
800-53r4:
- SC-13
disa_stig:
- AOSX-15-100035
- N/A
srg:
- SRG-OS-000396-GPOS-00176
macOS:
@@ -14,7 +14,7 @@ references:
800-53r4:
- SI-16
disa_stig:
- AOSX-15-100037
- N/A
srg:
- SRG-OS-000433-GPOS-00192
macOS:
@@ -14,7 +14,7 @@ references:
800-53r4:
- SI-16
disa_stig:
- AOSX-15-100038
- N/A
srg:
- SRG-OS-000433-GPOS-00193
macOS:
@@ -14,8 +14,7 @@ references:
cci:
- CCI-001774
800-53r4:
- CM-7(5)(b)
- CM-7(a)
- AC-20
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
@@ -19,6 +19,7 @@ references:
- CCI-000366
800-53r4:
- CM-7
- AC-18
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
@@ -14,7 +14,7 @@ references:
800-53r4:
- SC-3
disa_stig:
- AOSX-15-100013
- N/A
srg:
- SRG-OS-000134-GPOS-00068
macOS:
@@ -12,9 +12,9 @@ references:
cci:
- CCI-000171
800-53r4:
- AU-12(b)
- AU-12
disa_stig:
- AOSX-15-100002
- N/A
srg:
- SRG-OS-000063-GPOS-00032
macOS:
@@ -1,7 +1,11 @@
id: os_limit_dos_attacks
title: "Limit effects of Denial of Service (DoS) attacks"
title: "Limit Impact of Denial of Service Attacks"
discussion: |
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.
The macOS should be configured to limit the impact of Denial of Service (DoS) attacks.

DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission.

To limit the impact of DoS attacks, organizations may choose to employ increased capacity and service redundancy, which has the potential to reduce systems’ susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
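Review bot: in the new second paragraph the semicolon in "must operate at degraded capacity; often resulting in an inability to accomplish its mission" joins a fragment that cannot stand alone; use a comma. The third paragraph has a typographic apostrophe in "systems’ susceptibility"; keep ASCII quotes in the YAML source so it matches the rest of the rule files. The old sentence "either cannot accomplish its mission or must operate at degraded capacity" was also the more precise statement of the outcome and could be kept.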
@@ -14,7 +18,7 @@ references:
800-53r4:
- SC-5(2)
disa_stig:
- AOSX-15-200010
- N/A
srg:
- SRG-OS-000142-GPOS-00071
macOS:
@@ -14,7 +14,7 @@ references:
800-53r4:
- AC-10
disa_stig:
- AOSX-15-100001
- N/A
srg:
- SRG-OS-000027-GPOS-00008
macOS:
@@ -1,33 +0,0 @@
id: os_limit_invalid_logons
title: "Limit 3 consecutive invalid logon attempts in 15 minutes"
discussion: |
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. Setting a lockout expiration of 15 minutes is an effective deterrent against brute forcing that also makes allowances for legitimate mistakes by users.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- CCE-84903-4
cci:
- CCI-000044
- CCI-002238
800-53r4:
- AC-7
disa_stig:
- AOSX-15-200026
- AOSX-15-200016
srg:
- SRG-OS-000021-GPOS-00005
- SRG-OS-000329-GPOS-00128
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-low
- fisma-moderate
- fisma-high
- STIG
- permanent
mobileconfig: false
mobileconfig_info:
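Review bot: same concern as for `os_enforce_login_attempt_delay`: deleting this rule drops two STIG IDs (AOSX-15-200026, AOSX-15-200016), two SRGs (SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128), CCI-000044, CCI-002238 and CCE-84903-4 from the baseline with no replacement visible in this commit. If a consolidated lockout rule is intended, it should be added here; if the rule is being removed because the platform cannot meet it, the `permanent` tag and the "cannot be fixed" text already express that, so removal is not needed on those grounds.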
@@ -14,7 +14,7 @@ references:
800-53r4:
- AC-3
disa_stig:
- AOSX-15-100006
- N/A
srg:
- SRG-OS-000080-GPOS-00048
macOS:
@@ -17,8 +17,8 @@ references:
800-53r4:
- AC-12(1)
disa_stig:
- AOSX-15-100020
- AOSX-15-100021
- N/A
- N/A
srg:
- SRG-OS-000280-GPOS-00110
- SRG-OS-000281-GPOS-00111
@@ -17,8 +17,8 @@ references:
- CCI-000381
- CCI-001774
800-53r4:
- CM-7(a)
- CM-7(5)(b)
- CM-7
- AC-20
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
@@ -14,7 +14,7 @@ references:
800-53r4:
- IA-5(2)(c)
disa_stig:
- AOSX-15-100003
- N/A
srg:
- SRG-OS-000068-GPOS-00036
macOS:
@@ -18,6 +18,7 @@ references:
- CCE-84803-6
800-53r4:
- CM-2
- CM-6
disa_stig:
- N/A
srg:
@@ -17,8 +17,8 @@ references:
- CCI-000381
- CCI-001774
800-53r4:
- CM-7(a)
- CM-7(5)(b)
- CM-7
- AC-20
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
@@ -15,7 +15,7 @@ references:
800-53r4:
- IA-2(1)
disa_stig:
- AOSX-15-100008
- N/A
srg:
- SRG-OS-000105-GPOS-00052
macOS:
@@ -15,7 +15,7 @@ references:
800-53r4:
- IA-2(2)
disa_stig:
- AOSX-15-100009
- N/A
srg:
- SRG-OS-000106-GPOS-00053
macOS:
@@ -18,7 +18,7 @@ references:
cci:
- CCI-000381
800-53r4:
- CM-7(a)
- AC-3
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
@@ -1,7 +1,11 @@
id: os_notify_account_created
title: "Notify of account created actions"
title: "Configure the System to Notify upon Account Created Actions"
discussion: |
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of operating system user accounts and notifies System Administrators and ISSOs that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.To address access requirements, many operating systems can be integrated with enterprise-level authentication_access/auditing mechanisms that meet or exceed access control policy requirements.
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when new accounts are created.

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by creating a new account. Configuring the information system to send a notification when new accounts are created is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are created, but also maintain an audit record of accounts made. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.

To enable notifications and audit logging of accounts created, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
@@ -14,7 +18,7 @@ references:
800-53r4:
- AC-2(4)
disa_stig:
- AOSX-15-200011
- N/A
srg:
- SRG-OS-000274-GPOS-00104
macOS:
@@ -1,7 +1,11 @@
id: os_notify_account_disabled
title: "Notify of account disabling actions"
title: "Configure the System to Notify upon Account Disabled Actions"
discussion: |
When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves.To detect and respond to events that affect user accessibility and system processing, operating systems must audit account disabling actions and, as required, notify System Administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.To address access requirements, many operating systems can be integrated with enterprise-level authentication_access/auditing mechanisms that meet or exceed access control policy requirements.
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are disabled.

When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. To detect and respond to events that affect user accessibility and system processing, operating systems should audit account disabling actions and, as required, notify system administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.

To enable notifications and audit logging of disabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
@@ -14,7 +18,7 @@ references:
800-53r4:
- AC-2(4)
disa_stig:
- AOSX-15-200013
- N/A
srg:
- SRG-OS-000276-GPOS-00106
macOS:
@@ -1,7 +1,11 @@
id: os_notify_account_enable
title: "Notify of account enabling actions"
title: "Configure the System to Notify upon Account Enabled Actions "
discussion: |
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of operating system user accounts and notifies System Administrators and ISSOs that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. To detect and respond to events that affect user accessibility and application processing, operating systems must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event. To address access requirements, many operating systems can be integrated with enterprise-level authentication_access/auditing mechanisms that meet or exceed access control policy requirements.
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are enabled.

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by enabling a new or previously disabled account. Configuring the information system to send a notification when a new or disabled account is enabled is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are enabled, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes.

To enable notifications and audit logging of enabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
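Review bot: the new title string `"Configure the System to Notify upon Account Enabled Actions "` has a trailing space inside the quotes, which will be carried into generated documents and any title-based lookups; trim it. The sibling notify rules in this commit ("Account Created Actions", "Account Disabled Actions") have no such space.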
@@ -14,7 +18,7 @@ references:
800-53r4:
- AC-2(4)
disa_stig:
- AOSX-15-200015
- N/A
srg:
- SRG-OS-000304-GPOS-00121
macOS:
@@ -1,7 +1,11 @@
id: os_notify_account_modified
title: "Notify of account modified actions"
title: "Configure the System to Notify upon Account Modified Actions"
discussion: |
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Notification of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of operating system user accounts and notifies System Administrators and ISSOs that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.To address access requirements, many operating systems can be integrated with enterprise-level authentication_access/auditing mechanisms that meet or exceed access control policy requirements.
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are modified.

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by modifying an existing account. Configuring the information system to send a notification when accounts are modified is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are modified, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.

To enable notifications and audit logging of modified account, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
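Review bot: three wording slips in the rewritten discussion: "notify when new accounts are modified" should be "existing accounts are modified" (the first sentence is about modifying an existing account); "risk that accounts will be surreptitiously created" is carried over from the account-created rule and should read "modified"; and "audit logging of modified account" needs the plural "accounts", matching "disabled accounts" and "enabled accounts" in the sibling rules.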
@@ -14,7 +18,7 @@ references:
800-53r4:
- AC-2(4)
disa_stig:
- AOSX-15-200012
- N/A
srg:
- SRG-OS-000275-GPOS-00105
macOS:
@@ -1,8 +1,11 @@
|
||||
id: os_notify_account_removal
|
||||
title: "Notify of account removal actions"
|
||||
title: "The macOS system must notify system administrators and Information System Security Officers (ISSOs) when accounts are removed."
|
||||
title: "Configure the System to Notify upon Account Removed Actions"
|
||||
discussion: |
|
||||
When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves.To detect and respond to events that affect user accessibility and system processing, operating systems must audit account removal actions and, as required, notify System Administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.To address access requirements, many operating systems can be integrated with enterprise-level authentication_access/auditing mechanisms that meet or exceed access control policy requirements.
|
||||
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are removed.
|
||||
|
||||
When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. To detect and respond to events that affect user accessibility and system processing, operating systems should audit account removal actions and, as required, notify system administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.
|
||||
|
||||
To enable notifications and audit logging of removed accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
|
||||
check: |
|
||||
The technology does not support this requirement. This is an applicable-does not meet finding.
|
||||
fix: |
|
||||
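Review bot: the replacement discussion opens with "When operating system accounts are disabled", but the rule id (`os_notify_account_removal`), both the old and new titles, and the rest of that paragraph ("operating systems should audit account removal actions") are about removal, so "disabled" should read "removed". Judging from the `-1,8 +1,11` header, the pre-image carried two `title:` lines, which a YAML loader silently collapses to one, so reducing this to a single title is the right fix; while touching it, "Notify upon Account Removed Actions" reads better as "Notify upon Account Removal Actions".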
@@ -15,7 +18,7 @@ references:
|
||||
800-53r4:
|
||||
- AC-2(4)
|
||||
disa_stig:
|
||||
- AOSX-15-200014
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000277-GPOS-00107
|
||||
macOS:
|
||||
|
||||
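Review bot: `disa_stig:` is left holding the literal list item `- N/A` in place of `- AOSX-15-200014`, so anything that iterates the references block will treat "N/A" as a STIG identifier. If the mapping is intentionally gone, prefer an empty list (`disa_stig: []`) or drop the key, and state in the commit message why the STIG reference was retired while the SRG (`SRG-OS-000277-GPOS-00107`) and the "applicable-does not meet" check text stay. The same placeholder pattern recurs in most of the reference hunks below.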
@@ -1,8 +1,11 @@
|
||||
id: os_notify_unauthorized_baseline_change
|
||||
title: "The macOS system must notify designated personnel if baseline configurations are changed in an unauthorized manner."
|
||||
title: "Notify if baseline configurations changed in unauthorized manner"
|
||||
title: "Configure the System to Notify upon Baseline Configuration Changes"
|
||||
discussion: |
|
||||
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
|
||||
The macOS should be configured to automatically notify system administrators, Information System Security Officers (ISSOs), and (IMOs) when baseline configurations are modified.
|
||||
|
||||
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may present security threats. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the state of the operating system.
|
||||
|
||||
To enable notifications and audit logging of changes made to baseline configurations, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
|
||||
check: |
|
||||
The technology does not support this requirement. This is an applicable-does not meet finding.
|
||||
fix: |
|
||||
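Review bot: "(IMOs)" in the new discussion sits in parentheses with nothing to abbreviate; either expand it on first use or drop the parentheses ("system administrators, ISSOs, and IMOs"). Note also that the pre-image required notification "via email and/or monitoring system trap" and that concrete channel requirement is not carried into the rewrite; if dropping it is deliberate, say so in the commit message. As with the account-removal rule, the `-1,8 +1,11` header suggests a duplicated `title:` key is being collapsed here, which is worth mentioning as a fix in its own right.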
@@ -15,7 +18,7 @@ references:
|
||||
800-53r4:
|
||||
- CM-3(5)
|
||||
disa_stig:
|
||||
- AOSX-15-200019
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000363-GPOS-00150
|
||||
macOS:
|
||||
|
||||
@@ -12,9 +12,10 @@ references:
|
||||
cci:
|
||||
- CCI-000206
|
||||
800-53r4:
|
||||
- IA-5
|
||||
- IA-6
|
||||
disa_stig:
|
||||
- AOSX-15-100005
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000079-GPOS-00047
|
||||
macOS:
|
||||
|
||||
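Review bot: adding `- IA-6` is the right correction here, since CCI-000206 (obscuring authentication feedback) is an IA-6 CCI rather than an IA-5 one; consider whether `- IA-5` still belongs once IA-6 is present. Separately, this hunk mixes a control-mapping fix with the `AOSX-15-100005` to `N/A` STIG retirement; the commit message "800-53 changes, stig changes" covers both, but they would be easier to audit as separate commits.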
@@ -14,8 +14,10 @@ references:
|
||||
cce:
|
||||
- CCE-84774-9
|
||||
800-53r4:
|
||||
- IA-5
|
||||
- IA-5(13)
|
||||
- IA-11
|
||||
- CM-7
|
||||
disa_stig:
|
||||
- N/A
|
||||
srg:
|
||||
|
||||
@@ -14,8 +14,7 @@ references:
|
||||
cce:
|
||||
- CCE-84775-6
|
||||
800-53r4:
|
||||
- CM-7(a)
|
||||
- CM-7(5)(b)
|
||||
- IA-5
|
||||
srg:
|
||||
- SRG-OS-000095-GPOS-00049
|
||||
- SRG-OS-000370-GPOS-00155
|
||||
|
||||
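Review bot: the header goes from 8 to 7 lines while three 800-53 entries (`CM-7(a)`, `CM-7(5)(b)`, `IA-5`) are shown, so two of them are removed and one added, and the rendering does not make clear which survive. Elsewhere in this commit sub-items are collapsed to their parent control (for example `AC-8(a)`..`AC-8(c)(3)` to `AC-8`), yet no plain `CM-7` line appears in this hunk; if the CM-7 sub-items were dropped, a parent `- CM-7` entry should be added as it is in the CCE-84774-9 hunk above. The CCE-84776-4 hunk that follows has the same shape and needs the same check.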
@@ -14,8 +14,7 @@ references:
|
||||
cce:
|
||||
- CCE-84776-4
|
||||
800-53r4:
|
||||
- CM-7(a)
|
||||
- CM-7(5)(b)
|
||||
- IA-5
|
||||
srg:
|
||||
- SRG-OS-000095-GPOS-00049
|
||||
disa_stig:
|
||||
|
||||
@@ -36,11 +36,7 @@ references:
|
||||
- CCI-001387
|
||||
- CCI-001388
|
||||
800-53r4:
|
||||
- AC-8(a)
|
||||
- AC-8(b)
|
||||
- AC-8(c)(1)
|
||||
- AC-8(c)(2)
|
||||
- AC-8(c)(3)
|
||||
- AC-8
|
||||
srg:
|
||||
- SRG-OS-000023-GPOS-00006
|
||||
- SRG-OS-000024-GPOS-00007
|
||||
|
||||
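Review bot: collapsing `AC-8(a)`, `AC-8(b)` and `AC-8(c)(1)`..`AC-8(c)(3)` into a single `- AC-8` is consistent with the rest of the commit, but the retained CCIs (`CCI-001387`, `CCI-001388`) still encode the specific sub-items (retaining the banner until acknowledgement), so the 800-53 list is now coarser than the CCI list in the same block. That is fine if the repository is standardising on control-level identifiers; state that convention in the commit message so later contributors do not reintroduce sub-items.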
@@ -23,7 +23,7 @@ references:
|
||||
cci:
|
||||
- CCI-000048
|
||||
800-53r4:
|
||||
- AC-8(a)
|
||||
- AC-8
|
||||
srg:
|
||||
- SRG-OS-000023-GPOS-00006
|
||||
disa_stig:
|
||||
|
||||
@@ -24,8 +24,7 @@ references:
|
||||
- CCI-000048
|
||||
- CCI-000050
|
||||
800-53r4:
|
||||
- AC-8(a)
|
||||
- AC-8(b)
|
||||
- AC-8
|
||||
srg:
|
||||
- SRG-OS-000023-GPOS-00006
|
||||
- SRG-OS-000024-GPOS-00007
|
||||
|
||||
@@ -26,7 +26,7 @@ references:
|
||||
cce:
|
||||
- CCE-84780-6
|
||||
800-53r4:
|
||||
- CM-6(b)
|
||||
- CM-7
|
||||
disa_stig:
|
||||
- N/A
|
||||
srg:
|
||||
|
||||
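Review bot: this hunk swaps `- CM-6(b)` for `- CM-7`, which moves the rule between control families (configuration settings to least functionality) rather than just dropping a sub-item as the neighbouring hunks do. Confirm that CM-7 is the intended mapping for CCE-84780-6 and call the re-mapping out explicitly, since a reader skimming "800-53 changes" will assume only sub-item consolidation.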
@@ -14,7 +14,7 @@ references:
|
||||
800-53r4:
|
||||
- SI-10(3)
|
||||
disa_stig:
|
||||
- AOSX-15-100036
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000432-GPOS-00191
|
||||
macOS:
|
||||
|
||||
@@ -14,7 +14,7 @@ references:
|
||||
800-53r4:
|
||||
- SC-24
|
||||
disa_stig:
|
||||
- AOSX-15-100017
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000269-GPOS-00103
|
||||
macOS:
|
||||
|
||||
@@ -14,7 +14,7 @@ references:
|
||||
800-53r4:
|
||||
- AC-6(8)
|
||||
disa_stig:
|
||||
- AOSX-15-100028
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000326-GPOS-00126
|
||||
macOS:
|
||||
|
||||
@@ -14,7 +14,7 @@ references:
|
||||
800-53r4:
|
||||
- AC-6(10)
|
||||
disa_stig:
|
||||
- AOSX-15-100027
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000324-GPOS-00125
|
||||
macOS:
|
||||
|
||||
@@ -14,7 +14,7 @@ references:
|
||||
800-53r4:
|
||||
- CM-7(2)
|
||||
disa_stig:
|
||||
- AOSX-15-100030
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000368-GPOS-00154
|
||||
macOS:
|
||||
|
||||
@@ -14,7 +14,7 @@ references:
|
||||
800-53r4:
|
||||
- SC-4
|
||||
disa_stig:
|
||||
- AOSX-15-100014
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000138-GPOS-00069
|
||||
macOS:
|
||||
|
||||
@@ -16,7 +16,7 @@ references:
|
||||
cci:
|
||||
- CCI-000381
|
||||
800-53r4:
|
||||
- AC-20
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000480-GPOS-00227
|
||||
- SRG-OS-000095-GPOS-00049
|
||||
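Review bot: `- AC-20` becomes `- N/A` while `CCI-000381` and `SRG-OS-000095-GPOS-00049` are retained, so the rule still claims a CCI and an SRG but no 800-53 control. Elsewhere in this commit `SRG-OS-000095-GPOS-00049` sits alongside `CM-7(a)` (the CCE-84775-6 hunk), and CCI-000381 is the least-functionality CCI, so `- CM-7` looks like the correct replacement rather than a placeholder.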
@@ -26,9 +26,6 @@ macOS:
|
||||
- "10.15"
|
||||
tags:
|
||||
- cnssi-1253
|
||||
- fisma-low
|
||||
- fisma-moderate
|
||||
- fisma-high
|
||||
- STIG
|
||||
mobileconfig: true
|
||||
mobileconfig_info:
|
||||
|
||||
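Review bot: the header shrinks from 9 to 6 lines, so three of the tags shown (`cnssi-1253`, `fisma-low`, `fisma-moderate`, `fisma-high`, `STIG`) are removed, and the rendering does not say which. Dropping the `fisma-*` tags is consistent with the same file's 800-53r4 entry becoming `N/A` in the hunk above; if `STIG` is among the removed tags, the CCI and SRG references kept in that hunk should be reconsidered as well, so that tags and references stay in step.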
@@ -14,7 +14,7 @@ references:
|
||||
800-53r4:
|
||||
- IA-5(13)
|
||||
disa_stig:
|
||||
- AOSX-15-300004
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000383-GPOS-00166
|
||||
macOS:
|
||||
|
||||
@@ -1,7 +1,11 @@
|
||||
id: os_protect_dos_attacks
|
||||
title: "Protect or limit effects of Denial of Service (DoS) attacks by ensuring rate-limiting measures on network interfaces"
|
||||
title: "Protect Against Denial of Service Attacks by Ensuring Rate-Limiting Measures on Network Interfaces"
|
||||
discussion: |
|
||||
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
|
||||
The macOS should be configured to prevent Denial of Service (DoS) attacks by enforcing rate-limiting measures on network interfaces.
|
||||
|
||||
DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission.
|
||||
|
||||
To prevent DoS attacks by ensuring rate-limiting measures on network interfaces, many operating systems can be integrated with enterprise-level firewalls that meet or exceed this requirement.
|
||||
check: |
|
||||
The technology does not support this requirement. This is an applicable-does not meet finding.
|
||||
fix: |
|
||||
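Review bot: the new discussion says macOS should be configured to "prevent Denial of Service (DoS) attacks" (twice), but the title says "Protect Against" and the pre-image correctly described rate limiting as mitigating the impact of DoS; rate limiting does not prevent DoS, so "prevent" should be "mitigate" or "limit the effects of". Two smaller points: "degraded capacity; often resulting in an inability" should use a comma, not a semicolon, and "due to the actions of a malicious cyber threat actor" narrows DoS to deliberate attacks, whereas the pre-image's "a condition when a resource is not available" also covered non-malicious exhaustion.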
@@ -14,7 +18,7 @@ references:
|
||||
800-53r4:
|
||||
- SC-5
|
||||
disa_stig:
|
||||
- AOSX-15-200022
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000420-GPOS-00186
|
||||
macOS:
|
||||
|
||||
@@ -1,7 +1,11 @@
|
||||
id: os_provide_automated_account_management
|
||||
title: "Provide automated mechanisms for account management functions"
|
||||
title: "Employ Automated Mechanisms for Account Management Functions"
|
||||
discussion: |
|
||||
The organization employs automated mechanisms to support the management of information system accounts.
|
||||
The organization should employ automated mechanisms to support the management of information system accounts.
|
||||
|
||||
The use of automated mechanisms prevents against human error and provide a faster and more efficient means of relaying time-sensitive information and account management.
|
||||
|
||||
To employ automated mechanisms for account management functions, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement.
|
||||
check: |
|
||||
The technology does not support this requirement. This is an applicable-does not meet finding.
|
||||
fix: |
|
||||
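Review bot: "The use of automated mechanisms prevents against human error and provide a faster and more efficient means" has a subject-verb mismatch and a stray preposition; read "protects against human error and provides a faster and more efficient means of relaying time-sensitive account management information". Otherwise the split into three paragraphs is an improvement.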
@@ -14,7 +18,7 @@ references:
|
||||
800-53r4:
|
||||
- AC-2(1)
|
||||
disa_stig:
|
||||
- AOSX-15-200001
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000001-GPOS-00001
|
||||
macOS:
|
||||
|
||||
@@ -14,7 +14,7 @@ references:
|
||||
800-53r4:
|
||||
- AC-17(9)
|
||||
disa_stig:
|
||||
- AOSX-15-100023
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000298-GPOS-00116
|
||||
macOS:
|
||||
|
||||
@@ -12,15 +12,14 @@ references:
|
||||
cci:
|
||||
- CCI-002702
|
||||
800-53r4:
|
||||
- SI-6(d)
|
||||
- N/A
|
||||
disa_stig:
|
||||
- AOSX-15-300011
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000447-GPOS-00201
|
||||
macOS:
|
||||
- "10.15"
|
||||
tags:
|
||||
- fisma-high
|
||||
- STIG
|
||||
- n_a
|
||||
mobileconfig: false
|
||||
|
||||
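Review bot: `- SI-6(d)` is replaced by `- N/A` while `CCI-002702` and `SRG-OS-000447-GPOS-00201` are kept, and the CCE-84789-7 hunk later in this commit handles the same family by collapsing `SI-6(a)`, `SI-6(b)`, `SI-6(d)` to `- SI-6`; for consistency this should become `- SI-6`, not a placeholder. The tags block also ends up with `n_a` next to `fisma-high` and `STIG`; pick one spelling for the not-applicable tag across the repository (the hunk near the end of this diff uses `N/A`).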
@@ -1,7 +1,9 @@
|
||||
id: os_reauth_devices_change_authenticators
|
||||
title: "Require devices to reauthenticate when changing authenticators"
|
||||
title: "Require Devices to Reauthenticate when Changing Authenticators"
|
||||
discussion: |
|
||||
Without reauthentication, devices may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to change device authenticators, it is critical the device reauthenticate.
|
||||
The macOS should be configured to require users to reauthenticate when the device authenticator is changed.
|
||||
|
||||
Without reauthentication, users may access resources or perform tasks for which they are not authorization. When operating systems provide the capability to change device authenticators, it is critical the device reauthenticate.
|
||||
check: |
|
||||
The technology does not support this requirement. This is an applicable-does not meet finding.
|
||||
fix: |
|
||||
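Review bot: "for which they are not authorization" in the new discussion is ungrammatical; read "for which they are not authorized" (the pre-image's "for which they do not have authorization" was fine). The rewrite also changes the subject from devices to users ("require users to reauthenticate", "users may access resources") while the id, title and closing sentence ("it is critical the device reauthenticate") are about device authenticators; keep the subject consistent with the title.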
@@ -14,7 +16,7 @@ references:
|
||||
800-53r4:
|
||||
- IA-11
|
||||
disa_stig:
|
||||
- AOSX-15-200020
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000374-GPOS-00159
|
||||
macOS:
|
||||
|
||||
@@ -14,8 +14,8 @@ references:
|
||||
800-53r4:
|
||||
- IA-11
|
||||
disa_stig:
|
||||
- AOSX-15-100031
|
||||
- AOSX-15-100032
|
||||
- N/A
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000373-GPOS-00156
|
||||
- SRG-OS-000373-GPOS-00157
|
||||
|
||||
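Review bot: replacing `- AOSX-15-100031` and `- AOSX-15-100032` with two `- N/A` entries leaves the `disa_stig` list with duplicate placeholder items. One placeholder (or an empty list) is enough; the SRG hunk later in this diff does the same with four `- N/A` lines.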
@@ -14,7 +14,7 @@ references:
|
||||
800-53r4:
|
||||
- IA-11
|
||||
disa_stig:
|
||||
- AOSX-15-100033
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000373-GPOS-00158
|
||||
macOS:
|
||||
|
||||
@@ -14,7 +14,7 @@ references:
|
||||
800-53r4:
|
||||
- AC-17(1)
|
||||
disa_stig:
|
||||
- AOSX-15-100022
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000297-GPOS-00115
|
||||
macOS:
|
||||
|
||||
@@ -14,7 +14,7 @@ references:
|
||||
800-53r4:
|
||||
- SI-2(6)
|
||||
disa_stig:
|
||||
- AOSX-15-100039
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000437-GPOS-00194
|
||||
macOS:
|
||||
|
||||
@@ -17,10 +17,10 @@ references:
|
||||
800-53r4:
|
||||
- SC-21
|
||||
disa_stig:
|
||||
- AOSX-15-300005
|
||||
- AOSX-15-300006
|
||||
- AOSX-15-300007
|
||||
- AOSX-15-300008
|
||||
- N/A
|
||||
- N/A
|
||||
- N/A
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000399-GPOS-00178
|
||||
- SRG-OS-000400-GPOS-00179
|
||||
|
||||
@@ -14,7 +14,7 @@ references:
|
||||
800-53r4:
|
||||
- IA-7
|
||||
disa_stig:
|
||||
- AOSX-15-100010
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000120-GPOS-00061
|
||||
macOS:
|
||||
|
||||
@@ -16,7 +16,7 @@ references:
|
||||
cci:
|
||||
- CCI-000056
|
||||
800-53r4:
|
||||
- AC-11(b)
|
||||
- AC-11
|
||||
srg:
|
||||
- SRG-OS-000028-GPOS-00009
|
||||
disa_stig:
|
||||
|
||||
@@ -16,7 +16,7 @@ references:
|
||||
cci:
|
||||
- CCI-000056
|
||||
800-53r4:
|
||||
- AC-11(b)
|
||||
- AC-11
|
||||
srg:
|
||||
- SRG-OS-000028-GPOS-00009
|
||||
disa_stig:
|
||||
|
||||
@@ -16,7 +16,7 @@ references:
|
||||
cci:
|
||||
- CCI-000057
|
||||
800-53r4:
|
||||
- AC-11(a)
|
||||
- AC-11
|
||||
srg:
|
||||
- SRG-OS-000029-GPOS-00010
|
||||
disa_stig:
|
||||
|
||||
@@ -16,9 +16,7 @@ references:
|
||||
cce:
|
||||
- CCE-84789-7
|
||||
800-53r4:
|
||||
- SI-6(a)
|
||||
- SI-6(b)
|
||||
- SI-6(d)
|
||||
- SI-6
|
||||
srg:
|
||||
- SRG-OS-000446-GPOS-00200
|
||||
disa_stig:
|
||||
|
||||
@@ -14,7 +14,7 @@ references:
|
||||
800-53r4:
|
||||
- SC-2
|
||||
disa_stig:
|
||||
- AOSX-15-100012
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000132-GPOS-00067
|
||||
macOS:
|
||||
|
||||
@@ -33,9 +33,8 @@ references:
|
||||
- CCI-001880
|
||||
- CCI-001881
|
||||
- CCI-001882
|
||||
800-53r4:
|
||||
- AU-12
|
||||
- AU-12(a)
|
||||
800-53r4:
|
||||
- AC-3
|
||||
- AU-6(4)
|
||||
- AU-7(1)
|
||||
- AU-7
|
||||
|
||||
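Review bot: the pre-image shows `800-53r4:` twice in one references block (once holding `AU-12`, `AU-12(a)`, once holding `AC-3`, `AU-6(4)`, `AU-7(1)`), and a YAML loader keeps only one of two duplicate mapping keys, so one of those lists was being silently discarded before this change. Make sure the post-image has a single `800-53r4:` key carrying every intended control (`AU-12`, `AC-3`, `AU-6(4)`, `AU-7`), and mention the duplicate-key fix in the commit message since it changes which controls the rule actually reports.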
@@ -27,6 +27,7 @@ references:
|
||||
800-53r4:
|
||||
- AC-17(2)
|
||||
- IA-7
|
||||
- SC-8(1)
|
||||
- SC-13
|
||||
srg:
|
||||
- SRG-OS-000163-GPOS-00072
|
||||
|
||||
@@ -27,6 +27,7 @@ references:
|
||||
800-53r4:
|
||||
- AC-17(2)
|
||||
- IA-7
|
||||
- SC-8(1)
|
||||
- SC-13
|
||||
srg:
|
||||
- SRG-OS-000163-GPOS-00072
|
||||
|
||||
@@ -21,7 +21,7 @@ references:
|
||||
cci:
|
||||
- CCI-000054
|
||||
800-53r4:
|
||||
- AC-10
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000027-GPOS-00008
|
||||
disa_stig:
|
||||
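Review bot: `- AC-10` becomes `- N/A` while `CCI-000054` and `SRG-OS-000027-GPOS-00008` stay; those are the concurrent-session identifiers that AC-10 expresses, so the rule still asserts a CCI and an SRG with no 800-53 control behind them. Either keep `- AC-10` or retire the CCI and SRG with it, and note in the commit message why the mapping is considered inapplicable.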
@@ -29,7 +29,6 @@ references:
|
||||
macOS:
|
||||
- "10.15"
|
||||
tags:
|
||||
- fisma-high
|
||||
- STIG
|
||||
mobileconfig: false
|
||||
mobileconfig_info:
|
||||
@@ -12,9 +12,9 @@ references:
|
||||
cci:
|
||||
- CCI-000196
|
||||
800-53r4:
|
||||
- IA-5(1)(c)
|
||||
- IA-5(1)
|
||||
disa_stig:
|
||||
- AOSX-15-100004
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000073-GPOS-00041
|
||||
macOS:
|
||||
|
||||
@@ -21,6 +21,7 @@ references:
|
||||
macOS:
|
||||
- "10.15"
|
||||
tags:
|
||||
- N/A
|
||||
- fisma-moderate
|
||||
- fisma-high
|
||||
mobileconfig: false
|
||||
mobileconfig_info:
|
||||
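Review bot: a tag literally named `N/A` is introduced into `tags:` next to `fisma-moderate` and `fisma-high`, while an earlier hunk in this diff spells the same idea `n_a`. Tags are typically matched as plain strings by the baseline tooling, so settle on one form and use it everywhere; a tag that means "not applicable" alongside two FISMA level tags also needs a word of explanation.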
@@ -14,7 +14,7 @@ references:
|
||||
800-53r4:
|
||||
- MA-4(e)
|
||||
disa_stig:
|
||||
- AOSX-15-100011
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000126-GPOS-00066
|
||||
macOS:
|
||||
|
||||
@@ -14,7 +14,7 @@ references:
|
||||
800-53r4:
|
||||
- AC-12
|
||||
disa_stig:
|
||||
- AOSX-15-100019
|
||||
- N/A
|
||||
srg:
|
||||
- SRG-OS-000279-GPOS-00109
|
||||
macOS:
|
||||
|
||||
Some files were not shown because too many files have changed in this diff.