Merge branch 'big_sur' into main

This commit is contained in:
Bob Gendler
2021-03-18 12:08:23 -04:00
210 changed files with 1708 additions and 697 deletions


@@ -2,6 +2,30 @@
This document provides a high-level view of the changes to the macOS Security Compliance Project.
== [Big Sur, Revision 2] - 2021-03-18
* Rules
** Fixed Rules
* Baselines
** Added DISA-STIG
* Scripts
** generate_guidance
*** Bug fixes
*** Custom rules support added
*** Added ability to signed configuration profiles
*** Added plist generation for rules
*** Generates preferences files for compliance script
*** Compliance script enhancements
**** Exemption support
**** Modified plist behavior
**** Log rotation
*** Added Custom References
** yaml-to-oval
*** Bug fixes
== [Big Sur, Revision 1] - 2020-11-10
* Rules


@@ -1,4 +1,4 @@
image::templates/images/mscp_banner.png[]
image::templates/images/mscp_banner_outline.png[]
// settings:
:idprefix:
:idseparator: -
@@ -50,7 +50,6 @@ Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) sta
|Joshua Glemza|National Aeronautics and Space Administration
|Elyse Anderson|National Aeronautics and Space Administration
|Gary Gapinski|National Aeronautics and Space Administration
|Paige Ramsey|Los Alamos National Laboratory
|===
== Changelog


@@ -1,3 +1,3 @@
os: "11.0"
version: "Big Sur, Revision 1"
date: "2020-11-10"
version: "Big Sur, Revision 2"
date: "2021-03-18"


@@ -68,7 +68,6 @@ profile:
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
@@ -138,7 +137,7 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_enforce_auto_logout
- sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_prevent_priv_functions
@@ -147,7 +146,7 @@ profile:
- os_obscure_password
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
- pwpolicy_force_change_password_change
- pwpolicy_force_password_change
- section: "Permanent"
rules:
- pwpolicy_50_percent


@@ -75,7 +75,6 @@ profile:
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
@@ -111,6 +110,7 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_media_sharing_disabled
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
@@ -144,7 +144,7 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_enforce_auto_logout
- sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_enforce_access_restrictions
@@ -161,7 +161,7 @@ profile:
- os_prevent_unauthorized_disclosure
- os_crypto_audit
- pwpolicy_temporary_accounts_disable
- pwpolicy_force_change_password_change
- pwpolicy_force_password_change
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
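Review bot: `sysprefs_media_sharing_disabled`, added under the `systempreferences` section, breaks the rule-id convention used on every neighbouring line, where the imperative verb comes last (`sysprefs_smbd_disable`, `sysprefs_bluetooth_sharing_disable`), and this same commit renames `sysprefs_enforce_auto_logout` to `sysprefs_automatic_logout_enforce` apparently for that reason. Rule ids are presumably resolved to rule files by name, so the spelling gets baked into every baseline that lists it; renaming to `sysprefs_media_sharing_disable` is cheap now and costly later. The same id is added to the other baselines in this commit and would need the same rename.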


@@ -50,6 +50,7 @@ profile:
- os_httpd_disable
- os_sip_enable
- os_authenticated_root_enable
- os_guest_account_disable
- os_guest_access_smb_disable
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
@@ -57,7 +58,6 @@ profile:
- os_appleid_prompt_disable
- os_ssh_fips_140_macs
- os_facetime_app_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
@@ -92,6 +92,7 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_media_sharing_disabled
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
@@ -119,7 +120,7 @@ profile:
- os_obscure_password
- os_required_crypto_module
- os_store_encrypted_passwords
- pwpolicy_force_change_password_change
- pwpolicy_force_password_change
- section: "Permanent"
rules:
- os_secure_name_resolution


@@ -61,6 +61,7 @@ profile:
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
- os_guest_account_disable
- os_guest_access_smb_disable
- os_time_server_enabled
- os_unlock_active_user_session_disable
@@ -71,7 +72,6 @@ profile:
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
@@ -107,6 +107,7 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_media_sharing_disabled
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
@@ -140,7 +141,7 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_enforce_auto_logout
- sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_prevent_priv_functions
@@ -152,7 +153,7 @@ profile:
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
- pwpolicy_temporary_accounts_disable
- pwpolicy_force_change_password_change
- pwpolicy_force_password_change
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:

135
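--- a/baselines/DISA-STIG.yaml
+++ b/baselines/DISA-STIG.yaml
@@ -0,0 +1,135 @@
+title: "macOS 11.0: Security Configuration - DISA STIG"
+description: |
+This guide describes the actions to take when securing a macOS 11.0 system against the DISA STIG.
+profile:
+- section: "authentication"
+rules:
+- auth_pam_login_smartcard_enforce
+- auth_pam_sudo_smartcard_enforce
+- auth_smartcard_certificate_trust_enforce_moderate
+- auth_smartcard_enforce
+- auth_pam_su_smartcard_enforce
+- section: "auditing"
+rules:
+- audit_flags_fd_configure
+- audit_folder_group_configure
+- audit_failure_halt
+- audit_acls_folders_configure
+- audit_flags_fm_configure
+- audit_auditd_enabled
+- audit_flags_ad_configure
+- audit_files_mode_configure
+- audit_flags_aa_configure
+- audit_files_owner_configure
+- audit_retention_configure
+- audit_flags_fr_configure
+- audit_settings_failure_notify
+- audit_folder_owner_configure
+- audit_flags_lo_configure
+- audit_flags_fw_configure
+- audit_folders_mode_configure
+- audit_configure_capacity_notify
+- audit_files_group_configure
+- audit_acls_files_configure
+- section: "macos"
+rules:
+- os_sshd_login_grace_time_configure
+- os_firmware_password_require
+- os_filevault_user_account
+- os_guest_account_disable
+- os_policy_banner_ssh_enforce
+- os_anti_virus_installed
+- os_screensaver_loginwindow_enforce
+- os_sshd_key_exchange_algorithm_configure
+- os_system_wide_preferences_configure
+- os_tftpd_disable
+- os_sshd_client_alive_interval_configure
+- os_system_log_files_owner_group_configure
+- os_sshd_client_alive_count_max_configure
+- os_privacy_setup_prompt_disable
+- os_sudoers_tty_configure
+- os_uucp_disable
+- os_policy_banner_loginwindow_enforce
+- os_user_app_installation_prohibit
+- os_system_log_files_permissions_configure
+- os_hbss_installed
+- os_filevault_autologin_disable
+- os_messages_app_disable
+- os_airdrop_disable
+- os_nfsd_disable
+- os_sshd_permit_root_login_configure
+- os_httpd_disable
+- os_gatekeeper_enable
+- os_sip_enable
+- os_policy_banner_ssh_configure
+- os_time_server_enabled
+- os_internet_accounts_prefpane_disable
+- os_siri_prompt_disable
+- os_appleid_prompt_disable
+- os_directory_services_configured
+- os_sshd_fips_140_ciphers
+- os_sshd_fips_140_macs
+- os_certificate_authority_trust
+- os_home_folders_secure
+- os_facetime_app_disable
+- os_camera_disable
+- os_icloud_storage_prompt_disable
+- os_mail_app_disable
+- os_bonjour_disable
+- os_calendar_app_disable
+- section: "passwordpolicy"
+rules:
+- pwpolicy_history_enforce
+- pwpolicy_temporary_or_emergency_accounts_disable
+- pwpolicy_account_lockout_enforce
+- pwpolicy_account_lockout_timeout_enforce
+- pwpolicy_special_character_enforce
+- pwpolicy_alpha_numeric_enforce
+- pwpolicy_minimum_length_enforce
+- pwpolicy_60_day_enforce
+- section: "icloud"
+rules:
+- icloud_photos_disable
+- icloud_reminders_disable
+- icloud_appleid_prefpane_disable
+- icloud_keychain_disable
+- icloud_notes_disable
+- icloud_drive_disable
+- icloud_bookmarks_disable
+- icloud_mail_disable
+- icloud_calendar_disable
+- icloud_addressbook_disable
+- section: "systempreferences"
+rules:
+- sysprefs_smbd_disable
+- sysprefs_firewall_stealth_mode_enable
+- sysprefs_internet_sharing_disable
+- sysprefs_rae_disable
+- sysprefs_ssh_disable
+- sysprefs_screensaver_password_enforce
+- sysprefs_gatekeeper_identified_developers_allowed
+- sysprefs_gatekeeper_override_disallow
+- sysprefs_screensaver_timeout_enforce
+- sysprefs_firewall_enable
+- sysprefs_location_services_disable
+- sysprefs_time_server_configure
+- sysprefs_diagnostics_reports_disable
+- sysprefs_bluetooth_disable
+- sysprefs_automatic_login_disable
+- sysprefs_apple_watch_unlock_disable
+- sysprefs_token_removal_enforce
+- sysprefs_screensaver_ask_for_password_delay_enforce
+- sysprefs_wifi_disable
+- sysprefs_time_server_enforce
+- sysprefs_screen_sharing_disable
+- sysprefs_hot_corners_disable
+- sysprefs_siri_disable
+- sysprefs_filevault_enforce
+- sysprefs_password_hints_disable
+- section: "Supplemental"
+rules:
+- supplemental_firewall_pf
+- supplemental_filevault
+- supplemental_password_policy
+- supplemental_controls
+- supplemental_smartcard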
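Review bot: The `macos` section lists `os_directory_services_configured` while the `authentication` section enforces smart-card login, sudo and su; the new rule's own check (added later in this commit) opens with "If the system is using a mandatory Smart Card Policy, this is Not Applicable", so on a host that satisfies the authentication section this rule will always evaluate N/A, and since it is tagged `manual` the compliance script cannot automate it either. A comment next to that entry, e.g. `# manual check; N/A once the smart-card rules above are enforced`, would stop an N/A result being read as a gap. As a point of style, the rule lists inside each section are in no discernible order (`audit_flags_fd_configure`, `audit_folder_group_configure`, `audit_failure_halt`, ...), which makes this baseline hard to diff against the other baselines touched by this commit; sorting each section alphabetically would help reviewers spot what the STIG adds or omits.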


@@ -84,7 +84,6 @@ profile:
- os_home_folders_secure
- os_facetime_app_disable
- os_camera_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_sshd_permit_root_login_configure
- os_ir_support_disable
@@ -160,7 +159,7 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_enforce_auto_logout
- sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_enforce_access_restrictions
@@ -198,7 +197,7 @@ profile:
- os_crypto_audit
- os_reauth_privilege
- pwpolicy_temporary_accounts_disable
- pwpolicy_force_change_password_change
- pwpolicy_force_password_change
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:


@@ -61,6 +61,7 @@ profile:
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
- os_guest_account_disable
- os_guest_access_smb_disable
- os_time_server_enabled
- os_unlock_active_user_session_disable
@@ -71,7 +72,6 @@ profile:
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
@@ -107,6 +107,7 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_media_sharing_disabled
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
@@ -140,7 +141,7 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_enforce_auto_logout
- sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_prevent_priv_functions
@@ -153,7 +154,7 @@ profile:
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
- pwpolicy_temporary_accounts_disable
- pwpolicy_force_change_password_change
- pwpolicy_force_password_change
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:


@@ -111,3 +111,4 @@ payloads_types:
- com.apple.AppleFileServer
- com.apple.AdLib
- .GlobalPreferences
- com.apple.preferences.sharing.SharingPrefsExtension


@@ -26,7 +26,7 @@ references:
- SRG-OS-000057-GPOS-00027
- SRG-OS-000206-GPOS-00084
disa_stig:
- AOSX-15-000030
- APPL-11-000030
800-171r2:
- 3.3.8
macOS:
@@ -37,6 +37,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -18,15 +18,12 @@ references:
- CCE-85252-5
cci:
- CCI-000162
- CCI-001314
800-53r4:
- AU-9
- SI-11
srg:
- SRG-OS-000057-GPOS-00027
- SRG-OS-000206-GPOS-00084
disa_stig:
- AOSX-15-000030
- APPL-11-000031
800-171r2:
- 3.3.8
macOS:
@@ -37,6 +34,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -20,7 +20,6 @@ references:
macOS:
- "11.0"
tags:
- STIG
- permanent
mobileconfig: false
mobileconfig_info:


@@ -57,7 +57,7 @@ references:
- SRG-OS-000358-GPOS-00145
- SRG-OS-000359-GPOS-00146
disa_stig:
- AOSX-15-001003
- APPL-11-001003
800-171r2:
- 3.3.1
- 3.3.2
@@ -70,6 +70,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -23,11 +23,12 @@ references:
srg:
- SRG-OS-000343-GPOS-00134
disa_stig:
- AOSX-15-001030
- APPL-11-001030
macOS:
- "11.0"
tags:
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -25,7 +25,6 @@ references:
macOS:
- "11.0"
tags:
- STIG
- permanent
mobileconfig: false
mobileconfig_info:


@@ -23,7 +23,7 @@ references:
srg:
- SRG-OS-000047-GPOS-00023
disa_stig:
- AOSX-15-001010
- APPL-11-001010
800-171r2:
- 3.3.4
macOS:
@@ -34,6 +34,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-15-001014
- APPL-11-001014
800-171r2:
- 3.3.8
macOS:
@@ -36,6 +36,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -21,7 +21,7 @@ references:
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-15-001016
- APPL-11-001016
800-171r2:
- 3.3.8
macOS:
@@ -32,6 +32,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-15-001012
- APPL-11-001012
800-171r2:
- 3.3.8
macOS:
@@ -36,6 +36,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -19,7 +19,7 @@ references:
cce:
- CCE-85261-6
cci:
- N/A
- CCI-000172
800-53r4:
- AU-2
- AU-12
@@ -30,7 +30,7 @@ references:
- SRG-OS-000473-GPOS-00218
- SRG-OS-000475-GPOS-00220
disa_stig:
- AOSX-15-001044
- APPL-11-001044
800-171r2:
- 3.3.1
- 3.3.2
@@ -42,6 +42,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -40,18 +40,13 @@ references:
- SRG-OS-000240-GPOS-00090
- SRG-OS-000241-GPOS-00091
- SRG-OS-000327-GPOS-00127
- SRG-OS-000392-GPOS-00172
- SRG-OS-000392-GPOS-00172
- SRG-OS-000471-GPOS-00215
- SRG-OS-000471-GPOS-00216
- SRG-OS-000476-GPOS-00221
- SRG-OS-000477-GPOS-00222
- SRG-OS-000304-GPOS-00121
- SRG-OS-000277-GPOS-00107
- SRG-OS-000275-GPOS-00105
- SRG-OS-000276-GPOS-00106
- SRG-OS-000274-GPOS-00104
disa_stig:
- AOSX-15-001001
- APPL-11-001001
800-171r2:
- 3.1.7
- 3.3.1
@@ -64,6 +59,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -40,6 +40,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
mobileconfig: false
mobileconfig_info:


@@ -0,0 +1,53 @@
id: audit_flags_fd_configure
title: "Configure System to Audit All Deletions of Object Attributes"
discussion: |
The audit system _MUST_ be configured to record enforcement actions of attempts to delete file attributes (fd).
***Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions prevent attempts to delete a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
check: |
/usr/bin/grep -Ec "^flags.*-fd" /etc/security/audit_control
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s
----
references:
cce:
- CCE-85264-0
cci:
- CCI-000172
- CCI-001814
800-53r4:
- AU-2
- AU-12
- AU-9
- CM-5(1)
- MA-4(1)
srg:
- SRG-OS-000365-GPOS-00152
- SRG-OS-000458-GPOS-00203
- SRG-OS-000461-GPOS-00205
- SRG-OS-000463-GPOS-00207
- SRG-OS-000465-GPOS-00209
- SRG-OS-000466-GPOS-00210
- SRG-OS-000467-GPOS-00211
- SRG-OS-000468-GPOS-00212
- SRG-OS-000474-GPOS-00219
- SRG-OS-000057-GPOS-00027
disa_stig:
- APPL-11-001020
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:
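Review bot: The `sed` line in `fix` appends `,-fd` to the `flags:` line unconditionally, so running it twice yields `flags:...,-fd,-fd`, and on an `audit_control` whose flags line is empty (`flags:`) it produces `flags:,-fd` with a leading comma; because this fix is what the generated compliance script runs after the check fails, it should be idempotent: `/usr/bin/grep -qE '^flags.*-fd' /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control; /usr/sbin/audit -s`. Note also that `-i.bak` leaves a copy of the previous audit configuration next to the live file on every run. Separately, the second paragraph of `discussion` opens with a stray `***`, which reads as a leftover markup artifact rather than intended text and will be rendered verbatim into the guidance.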


@@ -21,7 +21,8 @@ references:
cce:
- CCE-85264-0
cci:
- CCI-000162
- CCI-000172
- CCI-001814
800-53r4:
- AU-2
- AU-12
@@ -40,7 +41,7 @@ references:
- SRG-OS-000474-GPOS-00219
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-15-001016
- APPL-11-001020
800-171r2:
- 3.3.1
- 3.3.2
@@ -53,6 +54,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -21,7 +21,8 @@ references:
cce:
- CCE-85265-7
cci:
- CCI-000162
- CCI-000172
- CCI-001814
800-53r4:
- AU-2
- AU-12
@@ -40,7 +41,7 @@ references:
- SRG-OS-000474-GPOS-00219
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-15-001016
- APPL-11-001020
800-171r2:
- 3.3.1
- 3.3.2
@@ -53,6 +54,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -40,7 +40,7 @@ references:
- SRG-OS-000474-GPOS-00219
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-15-001016
- APPL-11-001020
800-171r2:
- 3.3.1
- 3.3.2
@@ -53,6 +53,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -5,7 +5,7 @@ discussion: |
Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user account with normal or elevated privileges in order to proceed. Auditing both successful and unsuccessful attempts to switch to another user account (by way of monitoring login and logout events) mitigates this risk.
The information system monitors and login and logout events.
The information system monitors login and logout events.
check: |
/usr/bin/grep -Ec "^flags*.lo" /etc/security/audit_control
result:
@@ -28,10 +28,9 @@ references:
- MA-4(1)
srg:
- SRG-OS-000032-GPOS-00013
- SRG-OS-000064-GPOS-00033
- SRG-OS-000462-GPOS-00206
disa_stig:
- AOSX-15-001002
- APPL-11-001002
800-171r2:
- 3.1.12
- 3.3.1
@@ -44,6 +43,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:
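Review bot: The check regex `"^flags*.lo"` (a context line this hunk leaves untouched) looks like a transposition of `^flags.*lo`: as written, `s*` matches zero or more `s` and `.` matches a single arbitrary character, so it happens to match `flags:lo` but also matches `lo` wherever it appears later in the line, including inside another token or a negated `-lo`, and the count compared against `integer: 1` would then pass a configuration that audits only failed logins. The new `audit_flags_fd_configure` rule in this same commit uses the intended form `^flags.*-fd`; this one should read `/usr/bin/grep -Ec "^flags.*lo" /etc/security/audit_control`, or, to accept only an unnegated `lo` flag, `/usr/bin/grep -Ec "^flags:(.*,)?lo(,|$)" /etc/security/audit_control`.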


@@ -13,7 +13,7 @@ result:
fix: |
[source,bash]
----
/usr/sbin/chgrp wheel $(/usr/bin/awk -F : '/^dir/{print $2}' /etc/security/audit_control)
/usr/bin/chgrp wheel $(/usr/bin/awk -F : '/^dir/{print $2}' /etc/security/audit_control)
----
references:
cce:
@@ -23,9 +23,9 @@ references:
800-53r4:
- AU-9
srg:
- SRG-OS-000057-GPOS-00027
- SRG-OS-000033-GPOS-00014
disa_stig:
- AOSX-15-001015
- APPL-11-001015
800-171r2:
- 3.3.8
macOS:
@@ -36,6 +36,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-15-001013
- APPL-11-001013
800-171r2:
- 3.3.8
macOS:
@@ -36,6 +36,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -27,7 +27,7 @@ references:
- SRG-OS-000059-GPOS-00029
- SRG-OS-000057-GPOS-00027
disa_stig:
- AOSX-15-001017
- APPL-11-001017
800-171r2:
- 3.3.8
macOS:
@@ -38,6 +38,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -25,7 +25,6 @@ references:
macOS:
- "11.0"
tags:
- STIG
- permanent
mobileconfig: false
mobileconfig_info:


@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000341-GPOS-00132
disa_stig:
- AOSX-15-001029
- APPL-11-001029
macOS:
- "11.0"
tags:
@@ -32,6 +32,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000344-GPOS-00135
disa_stig:
- AOSX-15-001031
- APPL-11-001031
800-171r2:
- 3.3.4
macOS:
@@ -32,6 +32,7 @@ macOS:
tags:
- 800-171
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -43,12 +43,9 @@ references:
- IA-2(4)
- IA-5(11)
srg:
- SRG-OS-000107-GPOS-00054
- SRG-OS-000480-GPOS-00227
disa_stig:
- AOSX-15-003050
- AOSX-15-003051
- AOSX-15-003052
- APPL-11-003050
800-171r2:
- 3.5.3
macOS:
@@ -59,6 +56,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -38,12 +38,9 @@ references:
- IA-2(4)
- IA-5(11)
srg:
- SRG-OS-000107-GPOS-00054
- SRG-OS-000480-GPOS-00227
disa_stig:
- AOSX-15-003050
- AOSX-15-003051
- AOSX-15-003052
- APPL-11-003051
800-171r2:
- 3.5.3
macOS:
@@ -54,6 +51,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -40,9 +40,7 @@ references:
- SRG-OS-000107-GPOS-00054
- SRG-OS-000480-GPOS-00227
disa_stig:
- AOSX-15-003050
- AOSX-15-003051
- AOSX-15-003052
- APPL-11-003052
800-171r2:
- 3.5.3
macOS:
@@ -53,6 +51,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -25,12 +25,11 @@ references:
srg:
- SRG-OS-000067-GPOS-00035
disa_stig:
- AOSX-15-003002
- APPL-11-003002
macOS:
- "11.0"
tags:
- 800-53r4_high
- STIG
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:


@@ -19,18 +19,28 @@ references:
- CCE-85279-8
cci:
- CCI-000186
- CCI-002470
- CCI-001991
- CCI-001953
- CCI-001954
800-53r4:
- IA-2(12)
- IA-5(2)
srg:
- SRG-OS-000067-GPOS-00035
- SRG-OS-000376-GPOS-00161
- SRG-OS-000377-GPOS-00162
- SRG-OS-000384-GPOS-00167
- SRG-OS-000403-GPOS-00182
- SRG-OS-000067-GPOS-00035
disa_stig:
- AOSX-15-003002
- APPL-11-001060
macOS:
- "11.0"
tags:
- cnssi-1253
- 800-53r4_moderate
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:


@@ -21,12 +21,8 @@ references:
- CCE-85280-6
cci:
- CCI-000187
- CCI-000765
- CCI-000766
- CCI-000767
- CCI-000768
- CCI-000877
- CCI-001948
800-53r4:
- IA-2
- IA-2(1)
@@ -39,17 +35,10 @@ references:
- IA-5(11)
srg:
- SRG-OS-000068-GPOS-00036
- SRG-OS-000105-GPOS-00052
- SRG-OS-000106-GPOS-00053
- SRG-OS-000107-GPOS-00054
- SRG-OS-000108-GPOS-00055
- SRG-OS-000125-GPOS-00065
- SRG-OS-000375-GPOS-00160
disa_stig:
- AOSX-15-003020
- AOSX-15-003024
- AOSX-15-003005
- AOSX-15-003025
- APPL-11-003020
800-171r2:
- 3.5.1
- 3.5.2
@@ -62,7 +51,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "high"
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:


@@ -20,13 +20,7 @@ references:
cce:
- CCE-85281-4
cci:
- CCI-000187
- CCI-000765
- CCI-000766
- CCI-000767
- CCI-000768
- CCI-000877
- CCI-001948
- N/A
800-53r4:
- IA-2
- IA-2(1)
@@ -39,18 +33,9 @@ references:
- IA-5(11)
- MA-4
srg:
- SRG-OS-000068-GPOS-00036
- SRG-OS-000105-GPOS-00052
- SRG-OS-000106-GPOS-00053
- SRG-OS-000107-GPOS-00054
- SRG-OS-000108-GPOS-00055
- SRG-OS-000125-GPOS-00065
- SRG-OS-000375-GPOS-00160
- N/A
disa_stig:
- AOSX-15-003020
- AOSX-15-003024
- AOSX-15-003005
- AOSX-15-003025
- N/A
800-171r2:
- 3.5.1
- 3.5.2
@@ -59,6 +44,6 @@ references:
macOS:
- "11.0"
tags:
- STIG
- none
mobileconfig: false
mobileconfig_info:


@@ -24,7 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-15-002014
- APPL-11-002014
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:


@@ -14,17 +14,15 @@ references:
cce:
- CCE-85283-0
cci:
- CCI-000381
- CCI-001774
800-53r4:
- CM-7
- AC-20
- AC-20(1)
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-15-002018
- APPL-11-002031
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,6 +34,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- stig
severity: "high"
mobileconfig: true
mobileconfig_info:
com.apple.systempreferences:


@@ -24,7 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-15-002042
- APPL-11-002042
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:


@@ -24,7 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-15-002012
- APPL-11-002012
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:


@@ -24,8 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-15-002041
- AOSX-15-002049
- APPL-11-002041
800-171r2:
- 3.1.20
- 3.4.6
@@ -37,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:


@@ -24,7 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-15-002040
- APPL-11-002040
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:


@@ -24,7 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-15-002015
- APPL-11-002015
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:


@@ -24,7 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-15-002016
- APPL-11-002016
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:


@@ -24,7 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-15-002043
- APPL-11-002043
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:


@@ -24,7 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-15-002013
- APPL-11-002013
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:


@@ -23,7 +23,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- AOSX-15-002009
- APPL-11-002009
800-171r2:
- 3.1.1
- 3.1.2
@@ -38,7 +38,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:


@@ -24,7 +24,6 @@ references:
macOS:
- "11.0"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:


@@ -19,10 +19,12 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- AOSX-15-002070
- APPL-11-002070
macOS:
- "11.0"
tags:
- STIG
- manual
- stig
severity: "high"
mobileconfig: false
mobileconfig_info:


@@ -18,10 +18,9 @@ references:
800-53r4:
- AC-20
srg:
- SRG-OS-000480-GPOS-00227
- SRG-OS-000095-GPOS-00049
disa_stig:
- AOSX-15-002035
- APPL-11-002035
800-171r2:
- 3.1.20
macOS:
@@ -32,7 +31,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.SetupAssistant.managed:


@@ -26,7 +26,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- STIG
- permanent
mobileconfig: false
mobileconfig_info:


@@ -41,6 +41,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
mobileconfig: false
mobileconfig_info:


@@ -18,7 +18,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- AOSX-15-002005
- APPL-11-002005
800-171r2:
- 3.4.6
macOS:
@@ -29,7 +29,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.mDNSResponder:


@@ -18,15 +18,13 @@ references:
- CCE-85300-2
cci:
- CCI-000381
- CCI-001774
800-53r4:
- CM-7
- AC-20
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-15-002023
- APPL-11-002023
800-171r2:
- 3.1.20
- 3.4.6
@@ -38,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:


@@ -13,18 +13,20 @@ references:
- CCE-85301-0
cci:
- CCI-000381
- CCI-001774
- CCI-001150
- CCI-001153
800-53r4:
- N/A
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-15-002017
- APPL-11-002017
macOS:
- "11.0"
tags:
- STIG
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:


@@ -5,7 +5,7 @@ discussion: |
check: |
/usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/grep labl | awk -F'"' '{ print $4 }'
result:
string: "If this list does not contain approved root certificates, this is a finding."
string: "a list containing approved root certificates"
fix: |
Obtain the approved certificates from the appropriate authority and install them to the System Keychain.
references:
@@ -17,7 +17,7 @@ references:
800-53r4:
- SC-17
disa_stig:
- AOSX-15-003001
- APPL-11-003001
srg:
- SRG-OS-000066-GPOS-00034
- SRG-OS-000478-GPOS-00223
@@ -27,7 +27,8 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
- manual
severity: "high"
mobileconfig: false
mobileconfig_info:
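Review bot: The check pipeline on the first line of this hunk calls `awk` by bare name while its neighbours `/usr/bin/security` and `/usr/bin/grep` are absolute; in a compliance script executed as root the bare name is resolved through the caller's `PATH`, which is exactly what the absolute paths used throughout this project avoid. Change it to `/usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/grep labl | /usr/bin/awk -F'"' '{ print $4 }'`. The new `result` string `"a list containing approved root certificates"` is prose and can never equal the command's output, so this rule passes automated comparison only if the generator treats the `manual` tag added below as "do not compare"; if it does not, the script will report every host as failing this rule.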


@@ -24,7 +24,6 @@ references:
macOS:
- "11.0"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:


@@ -16,7 +16,7 @@ references:
srg:
- SRG-OS-000191-GPOS-00080
disa_stig:
- AOSX-15-000015
- APPL-11-000015
macOS:
- "11.0"
tags:
@@ -24,6 +24,6 @@ tags:
- 800-53r4_moderate
- 800-53r4_high
- permanent
- STIG
mobileconfig: false
mobileconfig_info:


@@ -27,7 +27,6 @@ macOS:
- "11.0"
tags:
- 800-53r4_high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:


@@ -0,0 +1,31 @@
id: os_directory_services_configured
title: The macOS system must be integrated into a directory services infrastructure.
discussion: |
Distinct user account databases on each separate system cause problems with username and password policy enforcement. Most approved directory services infrastructure solutions allow centralized management of users and passwords.
check: |
If the system is using a mandatory Smart Card Policy, this is Not Applicable.
To determine if the system is integrated to a directory service, ask the System Administrator (SA) or Information System Security Officer (ISSO) or run the following command:
/usr/bin/sudo dscl localhost -list . | /usr/bin/grep -vE '(Contact | Search | Local)'
If nothing is returned, or if the system is not integrated into a directory service infrastructure, this is a finding.
fix: |
Integrate the system into an existing directory services infrastructure.
references:
cci:
- CCI-000366
800-53r4:
- CM-6(b)
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- APPL-11-000016
macOS:
- 11.0
tags:
- manual
- stig
severity: "high"
mobileconfig:
mobileconfig_info:
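Review bot: The `grep -vE '(Contact | Search | Local)'` filter in the new `check:` carries spaces inside each alternative, so it only drops lines containing `Contact `, ` Search ` or ` Local`; `dscl localhost -list .` prints the node names as bare words on their own lines, which this pattern will not exclude, so the output is never empty and the "If nothing is returned" finding cannot trigger. `/usr/bin/grep -vE '(Contact|Search|Local)'` removes the three built-in nodes the rule intends to ignore (verify the exact node names on a Big Sur system before pinning them with `^...$`). Two schema slips in the same file: `macOS: - 11.0` is an unquoted float where every other rule in this diff writes `- "11.0"`, and the bare `mobileconfig:` parses as null where the sibling new rule `os_hbss_installed` writes `mobileconfig: false`.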


@@ -25,7 +25,6 @@ macOS:
- "11.0"
tags:
- 800-53r4_high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:


@@ -20,7 +20,6 @@ references:
macOS:
- "11.0"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:


@@ -35,7 +35,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:


@@ -29,7 +29,6 @@ macOS:
- "11.0"
tags:
- 800-53r4_high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:


@@ -14,14 +14,15 @@ references:
cce:
- CCE-85310-1
800-53r4:
- AC-2(11)
- AC-3
- IA-5(13)
srg:
- SRG-OS-000480-GPOS-00229
- SRG-OS-000480-GPOS-00227
disa_stig:
- AOSX-15-002066
- APPL-11-000033
cci:
- CCI-000366
- CCI-002143
800-171r2:
- 3.1.1
- 3.1.2
@@ -33,6 +34,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.loginwindow:


@@ -46,16 +46,17 @@ references:
cce:
- CCE-85311-9
cci:
- CCI-000014
- CCI-002143
800-53r4:
- N/A
- AC-2(11)
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- AOSX-15-000032
- APPL-11-000032
macOS:
- "11.0"
tags:
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -31,7 +31,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00231
disa_stig:
- AOSX-15-005051
- APPL-11-005051
800-171r2:
- 3.1.3
- 3.13.6
@@ -42,6 +42,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- STIG
mobileconfig: false
mobileconfig_info:


@@ -19,14 +19,14 @@ references:
cce:
- CCE-85313-5
cci:
- CCI-000366
- N/A
800-53r4:
- SC-7
- AU-12
srg:
- SRG-OS-000480-GPOS-00232
- N/A
disa_stig:
- AOSX-15-005050
- N/A
800-171r2:
- 3.3.1
- 3.3.2
@@ -41,6 +41,5 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
mobileconfig: false
mobileconfig_info:


@@ -30,7 +30,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- AOSX-15-003013
- APPL-11-003013
800-171r2:
- 3.1.5
macOS:
@@ -40,6 +40,7 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -28,7 +28,7 @@ references:
srg:
- SRG-OS-000366-GPOS-00153
disa_stig:
- AOSX-15-002064
- APPL-11-002064
800-171r2:
- 3.4.5
macOS:
@@ -38,7 +38,8 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "high"
mobileconfig: true
mobileconfig_info:
com.apple.systempolicy.control:


@@ -24,7 +24,6 @@ references:
macOS:
- "11.0"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:


@@ -1,38 +0,0 @@
id: os_guest_access_afp_disable
title: "Disable Guest Access to Shared Apple File Protocol Folders"
discussion: |
Guest access to shared Apple File Protocol (AFP) folders _MUST_ be disabled.
Turning off guest access prevents anonymous users from accessing files shared via AFP.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'guestAccess = 0'
result:
integer: 1
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-85318-4
800-53r4:
- IA-2
disa_stig:
- N/A
srg:
- N/A
cci:
- N/A
800-171r2:
- 3.5.1
- 3.5.2
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
mobileconfig: true
mobileconfig_info:
com.apple.AppleFileServer:
guestAccess: false


@@ -14,7 +14,8 @@ references:
cce:
- CCE-85319-2
800-53r4:
- IA-2
- AC-2
- AC-2(9)
disa_stig:
- N/A
srg:


@@ -16,12 +16,12 @@ references:
cci:
- CCI-001813
800-53r4:
- CM-5(1)
- IA-2
- AC-2
- AC-2(9)
srg:
- SRG-OS-000364-GPOS-00151
disa_stig:
- AOSX-15-002063
- APPL-11-002063
800-171r2:
- 3.5.1
- 3.5.2
@@ -29,10 +29,13 @@ macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "high"
mobileconfig: true
mobileconfig_info:
com.apple.ManagedClient.preferences:
com.apple.MCX:
DisableGuestAccount: true
com.apple.MCX:
DisableGuestAccount: true


@@ -0,0 +1,30 @@
id: os_hbss_installed
title: "Must Use HBSS"
discussion: |
The approved HBSS solution _MUST_ be installed and configured to run.
The macOS system must employ automated mechanisms to determine the state of system components. The DoD requires the installation and use of an approved HBSS solution to be implemented on the operating system. For additional information, reference all applicable HBSS OPORDs and FRAGOs on SIPRNET.
check: |
Ask the System Administrator (SA) or Information System Security Officer (ISSO) if the approved HBSS solution is loaded on the system.
If the installed components of the HBSS solution are not at the DoD approved minimal versions, this is a finding.
fix: |
Install the approved HBSS solution onto the system.
references:
cce:
- N/A
cci:
- CCI-001233
800-53r4:
- SI-2(2)
srg:
- SRG-OS-000191-GPOS-00080
disa_stig:
- APPL-11-000015
macOS:
- "11.0"
tags:
- manual
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:
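Review bot: `disa_stig: - APPL-11-000015` on the new `os_hbss_installed` rule is the same STIG ID that an earlier hunk in this diff assigns to another rule by renaming its `AOSX-15-000015`, and that rule keeps the `permanent` tag without a `stig` tag; if both files remain, one STIG ID maps to two rules and the generated DISA-STIG baseline or mapping tables may list it twice. Confirm which rule is meant to carry APPL-11-000015 and set the other's `disa_stig` entry to `- N/A`. The new `check:` is purely interview-based, which the `manual` tag conveys, so no `result:` key is needed here.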


@@ -25,10 +25,10 @@ references:
800-53r4:
- AC-6
srg:
- SRG-OS-000480-GPOS-00228
- SRG-OS-000480-GPOS-00230
disa_stig:
- AOSX-15-002065
- AOSX-15-002068
- APPL-11-002068
800-171r2:
- 3.1.5
macOS:
@@ -38,6 +38,7 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:
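Review bot: The hunk counts (10 lines on each side, one `srg` and one `disa_stig` line swapped) mean that one of `AOSX-15-002065` / `AOSX-15-002068` survives on the new side next to `APPL-11-002068`, whereas every other hunk in this diff replaces the AOSX-15 ID outright; the leftover Catalina-era ID would then surface in the Big Sur STIG mapping for this rule. If the retained line is `AOSX-15-002065` and it has no APPL-11 successor, remove it; if it does, rename it to the matching `APPL-11-...` value. This inference rests on the line counts alone, so please confirm against the stored file.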


@@ -21,7 +21,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- AOSX-15-002008
- APPL-11-002008
800-171r2:
- 3.1.1
- 3.1.2
@@ -33,6 +33,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:


@@ -20,7 +20,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- AOSX-15-002037
- APPL-11-002037
800-171r2:
- 3.1.20
macOS:
@@ -31,7 +31,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.SetupAssistant.managed:


@@ -24,7 +24,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- n_a
mobileconfig: false
mobileconfig_info:


@@ -35,7 +35,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:


@@ -35,7 +35,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:


@@ -18,13 +18,15 @@ references:
- CCE-85328-3
cci:
- CCI-001774
- CCI-000381
800-53r4:
- AC-20
- CM-7(5)
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-15-002032
- APPL-11-002032
800-171r2:
- 3.1.20
macOS:
@@ -35,7 +37,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.systempreferences:


@@ -23,7 +23,6 @@ macOS:
- "11.0"
tags:
- 800-53r4_high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:


@@ -20,7 +20,6 @@ references:
macOS:
- "11.0"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:


@@ -24,7 +24,6 @@ references:
macOS:
- "11.0"
tags:
- STIG
- permanent
mobileconfig: false
mobileconfig_info:


@@ -23,7 +23,6 @@ macOS:
- "11.0"
tags:
- 800-53r4_high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:


@@ -32,7 +32,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:


@@ -24,7 +24,6 @@ references:
macOS:
- "11.0"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:


@@ -20,7 +20,6 @@ references:
- CCE-85336-6
cci:
- CCI-000381
- CCI-001774
800-53r4:
- CM-7
- AC-20
@@ -28,7 +27,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-15-002019
- APPL-11-002019
800-171r2:
- 3.1.20
- 3.4.6
@@ -40,7 +39,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:


@@ -21,7 +21,6 @@ macOS:
- "11.0"
tags:
- cnssi-1253
- STIG
- inherent
mobileconfig: false
mobileconfig_info:


@@ -1,14 +1,25 @@
id: os_mdm_require
title: "Enforce Enrollment in Mobile Devicement Management"
title: "Enforce Enrollment in Mobile Device Management"
discussion: |
You _MUST_ enroll your Mac in a Mobile Device Management (MDM) software.
User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager (ASM) is required to manage certain security settings. Currently these include:
* Whitlisting Approved Kernel Extensions
* Allowed Kernel Extensions
* Allowed Approved System Extensions
* Privacy Preferences Policy Control Payload
* ExtensibleSingleSignOn
* FDEFileVault
In macOS 11, UAMDM grants Supervised status on a Mac, unlocking the following MDM features, which were previously locked behind ABM:
* Activation Lock Bypass
* Access to Bootstrap Tokens
* Scheduling Software Updates
* Query list and delete local users
check: |
/usr/bin/profiles status -type enrollment | /usr/bin/awk -F': ' 'END{print $2}' | /usr/bin/grep -c "Yes"
/usr/bin/profiles status -type enrollment | /usr/bin/awk -F: '/MDM enrollment/ {print $2}' | /usr/bin/grep -c "Yes (User Approved)"
result:
integer: 1
fix: |
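Review bot: `* Allowed Approved System Extensions` in the rewritten discussion stacks two adjectives on one list; `* Allowed System Extensions` matches the `* Allowed Kernel Extensions` line directly above it. The new check, `/usr/bin/awk -F: '/MDM enrollment/ {print $2}' | /usr/bin/grep -c "Yes (User Approved)"`, selects the enrollment line explicitly rather than relying on the old `END{print $2}` last-line trick, but the unchanged `result: integer: 1` presumably assumes `profiles status -type enrollment` prints exactly one `MDM enrollment` line — worth confirming on a device enrolled through Automated Device Enrollment as well as UAMDM. The `fix:` block starts on the hunk's last line and continues outside it.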


@@ -23,7 +23,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- AOSX-15-002011
- APPL-11-002011
800-171r2:
- 3.1.20
- 3.4.6
@@ -35,7 +35,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- STIG
- stig
severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:


@@ -21,7 +21,6 @@ references:
macOS:
- "11.0"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:


@@ -21,7 +21,6 @@ references:
macOS:
- "11.0"
tags:
- STIG
- inherent
mobileconfig: false
mobileconfig_info:
