Merge branch 'v1.0_edits' into tag_search

This commit is contained in:
Dan Brodjieski
2020-09-24 11:12:02 -04:00
29 changed files with 1025 additions and 992 deletions

View File

@@ -1,4 +1,4 @@
= macOS Security Compliance Project
image::templates/images/macOSSCP_Banner_3100x500.png[]
// settings:
:idprefix:
:idseparator: -

View File

@@ -2,162 +2,164 @@ title: "macOS 10.15 (Catalina): Security Configuration - 800-171"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-171.
profile:
- section: "Auditing"
- section: "authentication"
rules:
- audit_acls_files_configure
- audit_acls_folders_configure
- audit_auditd_enabled
- audit_failure_halt
- audit_files_group_configure
- audit_files_mode_configure
- audit_files_owner_configure
- audit_flags_aa_configure
- audit_flags_ad_configure
- audit_flags_ex_configure
- audit_flags_fm_configure
- audit_flags_fr_configure
- audit_flags_fw_configure
- audit_flags_lo_configure
- audit_folder_group_configure
- audit_folder_owner_configure
- audit_folders_mode_configure
- audit_settings_failure_notify
- section: "Authentication"
- auth_pam_login_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_ssh_smartcard_enforce
- auth_smartcard_enforce
- auth_pam_su_smartcard_enforce
- section: "auditing"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_enforce
- auth_ssh_smartcard_enforce
- section: "SystemPreferences"
- audit_folder_group_configure
- audit_failure_halt
- audit_acls_folders_configure
- audit_flags_fm_configure
- audit_auditd_enabled
- audit_flags_ad_configure
- audit_flags_ex_configure
- audit_files_mode_configure
- audit_flags_aa_configure
- audit_files_owner_configure
- audit_flags_fr_configure
- audit_settings_failure_notify
- audit_folder_owner_configure
- audit_flags_lo_configure
- audit_flags_fw_configure
- audit_folders_mode_configure
- audit_files_group_configure
- audit_acls_files_configure
- section: "macos"
rules:
- sysprefs_ad_tracking_disable
- sysprefs_afp_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_automatic_login_disable
- sysprefs_bluetooth_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_content_caching_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_filevault_enforce
- sysprefs_find_my_disable
- sysprefs_firewall_enable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_hot_corners_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_internet_sharing_disable
- sysprefs_location_services_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_media_sharing_disabled
- sysprefs_password_hints_disable
- sysprefs_rae_disable
- sysprefs_screensaver_ask_for_password_delay_enforce
- sysprefs_screensaver_password_enforce
- sysprefs_screensaver_timeout_enforce
- sysprefs_screen_sharing_disable
- sysprefs_siri_disable
- sysprefs_smbd_disable
- sysprefs_ssh_enable
- sysprefs_time_server_configure
- sysprefs_time_server_enforce
- sysprefs_token_removal_enforce
- sysprefs_touchid_unlock_disable
- section: "iCloud"
- os_firewall_default_deny_require
- os_ssh_client_alive_count_max_configure
- os_firmware_password_require
- os_power_nap_disable
- os_gatekeeper_rearm
- os_root_disable
- os_guest_account_disable
- os_policy_banner_ssh_enforce
- os_password_proximity_disable
- os_mdm_require
- os_screensaver_loginwindow_enforce
- os_handoff_disable
- os_firewall_log_enable
- os_system_wide_preferences_configure
- os_tftpd_disable
- os_password_autofill_disable
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_ssh_login_grace_time_configure
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
- os_touchid_prompt_disable
- os_filevault_autologin_disable
- os_messages_app_disable
- os_airdrop_disable
- os_parental_controls_enable
- os_nfsd_disable
- os_httpd_disable
- os_gatekeeper_enable
- os_sip_enable
- os_removable_media_disable
- os_guest_access_smb_disable
- os_policy_banner_ssh_configure
- os_time_server_enabled
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
- os_siri_prompt_disable
- os_appleid_prompt_disable
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- os_ssh_client_alive_interval_configure
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"
rules:
- icloud_addressbook_disable
- icloud_appleid_prefpane_disable
- icloud_bookmarks_disable
- icloud_calendar_disable
- icloud_drive_disable
- icloud_keychain_disable
- icloud_mail_disable
- icloud_notes_disable
- icloud_photos_disable
- icloud_reminders_disable
- icloud_sync_disable
- section: "macOS"
- pwpolicy_account_inactivity_enforce
- pwpolicy_history_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_lower_case_character_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_special_character_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_upper_case_character_enforce
- pwpolicy_60_day_enforce
- pwpolicy_minimum_lifetime_enforce
- section: "icloud"
rules:
- os_airdrop_disable
- os_appleid_prompt_disable
- os_bonjour_disable
- os_calendar_app_disable
- os_facetime_app_disable
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- os_firewall_log_enable
- os_firmware_password_require
- os_gatekeeper_enable
- os_gatekeeper_rearm
- os_guest_access_afp_disable
- os_guest_access_smb_disable
- os_guest_account_disable
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_internet_accounts_prefpane_disable
- os_ir_support_disable
- os_mail_app_disable
- os_mdm_require
- os_messages_app_disable
- os_nfsd_disable
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
- os_power_nap_disable
- os_removable_media_disable
- os_root_disable
- os_screensaver_loginwindow_enforce
- os_sip_enable
- os_siri_prompt_disable
- os_ssh_client_alive_count_max_configure
- os_ssh_client_alive_interval_configure
- os_ssh_fips_140_ciphers
- os_ssh_fips_140_macs
- os_ssh_login_grace_time_configure
- os_system_wide_preferences_configure
- os_tftpd_disable
- os_time_server_enabled
- os_touchid_prompt_disable
- os_unlock_active_user_session_disable
- os_uucp_disable
- section: "PasswordPolicy"
- icloud_photos_disable
- icloud_reminders_disable
- icloud_sync_disable
- icloud_appleid_prefpane_disable
- icloud_keychain_disable
- icloud_notes_disable
- icloud_drive_disable
- icloud_bookmarks_disable
- icloud_mail_disable
- icloud_calendar_disable
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_upper_case_character_enforce
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_ad_tracking_disable
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_ssh_enable
- sysprefs_media_sharing_disabled
- sysprefs_screensaver_password_enforce
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_screensaver_timeout_enforce
- sysprefs_firewall_enable
- sysprefs_find_my_disable
- sysprefs_afp_disable
- sysprefs_content_caching_disable
- sysprefs_location_services_disable
- sysprefs_time_server_configure
- sysprefs_diagnostics_reports_disable
- sysprefs_bluetooth_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_automatic_login_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_token_removal_enforce
- sysprefs_screensaver_ask_for_password_delay_enforce
- sysprefs_time_server_enforce
- sysprefs_touchid_unlock_disable
- sysprefs_screen_sharing_disable
- sysprefs_hot_corners_disable
- sysprefs_siri_disable
- sysprefs_filevault_enforce
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- section: "Inherent"
rules:
- os_implement_cryptography
- os_logical_access
- os_obscure_password
- os_prevent_priv_functions
- os_prevent_restricted_software
- os_prevent_unauthorized_disclosure
- os_separate_fuctionality
- os_store_encrypted_passwords
- os_terminate_session_inactivity
- pwpolicy_force_password_change
- os_prevent_priv_functions
- os_logical_access
- os_implement_cryptography
- os_obscure_password
- os_terminate_session_inactivity
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
- os_separate_fuctionality
- pwpolicy_force_change_password_change
- section: "Permanent"
rules:
- pwpolicy_50_percent
- sysprefs_wifi_disable
- pwpolicy_50_percent
- sysprefs_wifi_disable
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
- supplemental_smartcard
- supplemental_controls
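Review bot: the Inherent section of this hunk carries `os_separate_fuctionality` on both sides of the change, a misspelling of "functionality" in a rule id; if the rule file under the project's rules directory is spelled the same way, the id and the file should be renamed together, otherwise the baseline will point at a rule that does not exist. In the same section `pwpolicy_force_password_change` and `pwpolicy_force_change_password_change` both appear, and the second reads like an accidental repetition of "change"; confirm which name the rule file actually has before this lands. The section names also mix cases ("Auditing" beside "auditing", "iCloud" beside "icloud", "SystemPreferences" beside "systempreferences") while "Inherent", "Permanent" and "Supplemental" stay capitalised; whichever form the generator keys on, a case-sensitive lookup would silently drop a section that does not match, so all section names should use one convention. Finally, `supplemental_smartcard` is listed twice in the Supplemental section; if both lines end up on the same side of the diff, the rule will be rendered twice in the guide.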

View File

@@ -2,192 +2,192 @@ title: "macOS 10.15 (Catalina): Security Configuration - 800-53 High"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 HIGH baseline.
profile:
- section: "Auditing"
rules:
- audit_auditd_enabled
- audit_acls_files_configure
- audit_files_mode_configure
- audit_acls_folders_configure
- audit_folders_mode_configure
- audit_configure_capacity_notify
- audit_failure_halt
- audit_files_group_configure
- audit_files_owner_configure
- audit_flags_aa_configure
- audit_flags_ad_configure
- audit_flags_fr_configure
- audit_flags_fw_configure
- audit_flags_fm_configure
- audit_flags_lo_configure
- audit_flags_ex_configure
- audit_folder_group_configure
- audit_folder_owner_configure
- audit_retention_configure
- audit_settings_failure_notify
- section: "Authentication"
- section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- auth_smartcard_enforce
- auth_smartcard_certificate_trust_enforce_high
- auth_pam_sudo_smartcard_enforce
- auth_ssh_smartcard_enforce
- section: "SystemPreferences"
- auth_smartcard_certificate_trust_enforce_high
- auth_smartcard_enforce
- auth_pam_su_smartcard_enforce
- section: "auditing"
rules:
- sysprefs_ad_tracking_disable
- sysprefs_afp_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_automatic_login_disable
- sysprefs_bluetooth_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_content_caching_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_filevault_enforce
- sysprefs_find_my_disable
- sysprefs_firewall_enable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_hot_corners_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_internet_sharing_disable
- sysprefs_location_services_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_password_hints_disable
- sysprefs_rae_disable
- sysprefs_screensaver_ask_for_password_delay_enforce
- sysprefs_screensaver_password_enforce
- sysprefs_screensaver_timeout_enforce
- sysprefs_screen_sharing_disable
- sysprefs_siri_disable
- sysprefs_smbd_disable
- sysprefs_ssh_enable
- sysprefs_time_server_configure
- sysprefs_time_server_enforce
- sysprefs_token_removal_enforce
- sysprefs_touchid_unlock_disable
- section: "iCloud"
- audit_folder_group_configure
- audit_failure_halt
- audit_acls_folders_configure
- audit_flags_fm_configure
- audit_auditd_enabled
- audit_flags_ad_configure
- audit_flags_ex_configure
- audit_files_mode_configure
- audit_flags_aa_configure
- audit_files_owner_configure
- audit_retention_configure
- audit_flags_fr_configure
- audit_settings_failure_notify
- audit_folder_owner_configure
- audit_flags_lo_configure
- audit_flags_fw_configure
- audit_folders_mode_configure
- audit_configure_capacity_notify
- audit_files_group_configure
- audit_acls_files_configure
- section: "macos"
rules:
- icloud_addressbook_disable
- icloud_calendar_disable
- icloud_mail_disable
- icloud_notes_disable
- icloud_reminders_disable
- icloud_appleid_prefpane_disable
- icloud_bookmarks_disable
- icloud_drive_disable
- icloud_keychain_disable
- icloud_photos_disable
- icloud_sync_disable
- section: "macOS"
rules:
- os_sip_enable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_bonjour_disable
- os_calendar_app_disable
- os_camera_disable
- os_certificate_authority_trust
- os_facetime_app_disable
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- os_firewall_log_enable
- os_ssh_client_alive_count_max_configure
- os_firmware_password_require
- os_gatekeeper_enable
- os_guest_access_afp_disable
- os_guest_access_smb_disable
- os_power_nap_disable
- os_gatekeeper_rearm
- os_root_disable
- os_guest_account_disable
- os_policy_banner_ssh_enforce
- os_password_proximity_disable
- os_mdm_require
- os_screensaver_loginwindow_enforce
- os_handoff_disable
- os_home_folders_secure
- os_firewall_log_enable
- os_system_wide_preferences_configure
- os_tftpd_disable
- os_password_autofill_disable
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_ssh_login_grace_time_configure
- os_secure_boot_verify
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
- os_touchid_prompt_disable
- os_filevault_autologin_disable
- os_messages_app_disable
- os_airdrop_disable
- os_parental_controls_enable
- os_system_read_only
- os_nfsd_disable
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_gatekeeper_enable
- os_sip_enable
- os_removable_media_disable
- os_guest_access_smb_disable
- os_policy_banner_ssh_configure
- os_time_server_enabled
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
- os_siri_prompt_disable
- os_appleid_prompt_disable
- os_certificate_authority_trust
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- os_messages_app_disable
- os_nfsd_disable
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
- os_power_nap_disable
- os_removable_media_disable
- os_screensaver_loginwindow_enforce
- os_secure_boot_verify
- os_siri_prompt_disable
- os_ssh_client_alive_count_max_configure
- os_ssh_client_alive_interval_configure
- os_ssh_fips_140_ciphers
- os_ssh_fips_140_macs
- os_ssh_login_grace_time_configure
- os_ssh_max_sessions_configure
- os_ssh_permit_root_login_configure
- os_sudoers_tty_configure
- os_system_wide_preferences_configure
- os_time_server_enabled
- os_touchid_prompt_disable
- os_mdm_require
- os_unlock_active_user_session_disable
- os_uucp_disable
- section: "PasswordPolicy"
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"
rules:
- pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_lower_case_character_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_special_character_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_upper_case_character_enforce
- pwpolicy_60_day_enforce
- pwpolicy_minimum_lifetime_enforce
- section: "icloud"
rules:
- icloud_photos_disable
- icloud_reminders_disable
- icloud_sync_disable
- icloud_appleid_prefpane_disable
- icloud_keychain_disable
- icloud_notes_disable
- icloud_drive_disable
- icloud_bookmarks_disable
- icloud_mail_disable
- icloud_calendar_disable
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_ad_tracking_disable
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_ssh_enable
- sysprefs_screensaver_password_enforce
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_screensaver_timeout_enforce
- sysprefs_firewall_enable
- sysprefs_find_my_disable
- sysprefs_afp_disable
- sysprefs_content_caching_disable
- sysprefs_location_services_disable
- sysprefs_time_server_configure
- sysprefs_diagnostics_reports_disable
- sysprefs_bluetooth_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_automatic_login_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_token_removal_enforce
- sysprefs_screensaver_ask_for_password_delay_enforce
- sysprefs_time_server_enforce
- sysprefs_touchid_unlock_disable
- sysprefs_screen_sharing_disable
- sysprefs_hot_corners_disable
- sysprefs_siri_disable
- sysprefs_filevault_enforce
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- section: "Inherent"
rules:
- os_crypto_audit
- os_enforce_access_restrictions
- os_limit_gui_sessions
- os_prevent_priv_functions
- os_logical_access
- os_fail_secure_state
- os_implement_memory_protection
- os_implement_cryptography
- os_implement_random_address_space
- os_isolate_security_functions
- os_limit_gui_sessions
- os_logical_access
- os_obscure_password
- os_peripherals_identify
- os_prevent_priv_functions
- os_prevent_restricted_software
- os_prevent_unauthorized_disclosure
- os_required_crypto_module
- os_separate_fuctionality
- os_store_encrypted_passwords
- os_terminate_session_inactivity
- pwpolicy_emergency_accounts_disable
- pwpolicy_force_password_change
- os_isolate_security_functions
- os_required_crypto_module
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
- os_separate_fuctionality
- os_crypto_audit
- pwpolicy_temporary_accounts_disable
- pwpolicy_force_change_password_change
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
- audit_enforce_dual_auth
- os_auth_peripherals
- os_notify_account_created
- os_notify_account_disabled
- os_request_verification_name_resolution
- os_notify_account_enable
- os_provide_automated_account_management
- os_notify_account_created
- os_notify_account_modified
- os_notify_account_removal
- os_auth_peripherals
- os_continuous_monitoring
- os_notify_account_disabled
- os_protect_dos_attacks
- os_provide_automated_account_management
- pwpolicy_50_percent
- sysprefs_wifi_disable
- section: "not_applicable"
rules:
rules:
- os_identify_non-org_users
- os_request_verification_name_resolution
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
- supplemental_controls
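Review bot: the `not_applicable` section in this hunk shows `rules:` twice in a row; if that is a duplicate key on one side rather than an indentation change, the YAML mapping is invalid and the loader will either reject the file or keep only one of the two lists. `os_request_verification_name_resolution` appears both under Permanent and under `not_applicable`, so the same control is classified two ways in one baseline; it should live in exactly one section. `os_identify_non-org_users` is the only rule id in the file that contains a hyphen, which will not match any tooling that assumes the `os_<words_with_underscores>` convention used by every other rule, and `os_separate_fuctionality` and `pwpolicy_force_change_password_change` carry the same spelling problems noted for the 800-171 baseline. Several rules (`os_limit_gui_sessions`, `os_logical_access`, `os_isolate_security_functions`, `os_required_crypto_module`, `os_notify_account_created`, `os_auth_peripherals`, `os_provide_automated_account_management`) are listed twice within the Inherent and Permanent sections; check that each survives only once after the merge.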

View File

@@ -2,144 +2,138 @@ title: "macOS 10.15 (Catalina): Security Configuration - 800-53 Low"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 LOW baseline.
profile:
- section: "Auditing"
rules:
- audit_auditd_enabled
- audit_acls_files_configure
- audit_files_mode_configure
- audit_acls_folders_configure
- audit_folders_mode_configure
- audit_failure_halt
- audit_files_group_configure
- audit_files_owner_configure
- audit_flags_aa_configure
- audit_flags_ad_configure
- audit_flags_fr_configure
- audit_flags_fw_configure
- audit_flags_fm_configure
- audit_flags_lo_configure
- audit_flags_ex_configure
- audit_folder_group_configure
- audit_folder_owner_configure
- audit_retention_configure
- section: "Authentication"
- section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- auth_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_ssh_smartcard_enforce
- section: "SystemPreferences"
- auth_smartcard_enforce
- auth_pam_su_smartcard_enforce
- section: "auditing"
rules:
- sysprefs_ad_tracking_disable
- sysprefs_afp_disable
- sysprefs_automatic_login_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_content_caching_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_find_my_disable
- sysprefs_firewall_enable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_improve_siri_dictation_disable
- sysprefs_internet_sharing_disable
- sysprefs_location_services_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_password_hints_disable
- sysprefs_rae_disable
- sysprefs_screen_sharing_disable
- sysprefs_siri_disable
- sysprefs_smbd_disable
- section: "iCloud"
- audit_folder_group_configure
- audit_failure_halt
- audit_acls_folders_configure
- audit_flags_fm_configure
- audit_auditd_enabled
- audit_flags_ad_configure
- audit_flags_ex_configure
- audit_files_mode_configure
- audit_flags_aa_configure
- audit_files_owner_configure
- audit_retention_configure
- audit_flags_fr_configure
- audit_folder_owner_configure
- audit_flags_lo_configure
- audit_flags_fw_configure
- audit_folders_mode_configure
- audit_files_group_configure
- audit_acls_files_configure
- section: "macos"
rules:
- icloud_addressbook_disable
- icloud_calendar_disable
- icloud_mail_disable
- icloud_notes_disable
- icloud_reminders_disable
- icloud_appleid_prefpane_disable
- icloud_bookmarks_disable
- icloud_drive_disable
- icloud_keychain_disable
- icloud_photos_disable
- icloud_sync_disable
- section: "macOS"
rules:
- os_sip_enable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_bonjour_disable
- os_calendar_app_disable
- os_camera_disable
- os_facetime_app_disable
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- os_firewall_log_enable
- os_firmware_password_require
- os_guest_access_afp_disable
- os_guest_access_smb_disable
- os_power_nap_disable
- os_root_disable
- os_policy_banner_ssh_enforce
- os_password_proximity_disable
- os_mdm_require
- os_handoff_disable
- os_home_folders_secure
- os_firewall_log_enable
- os_tftpd_disable
- os_password_autofill_disable
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
- os_touchid_prompt_disable
- os_filevault_autologin_disable
- os_messages_app_disable
- os_airdrop_disable
- os_nfsd_disable
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_sip_enable
- os_guest_access_smb_disable
- os_policy_banner_ssh_configure
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
- os_siri_prompt_disable
- os_appleid_prompt_disable
- os_ssh_fips_140_macs
- os_facetime_app_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- os_messages_app_disable
- os_nfsd_disable
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
- os_power_nap_disable
- os_removable_media_disable
- os_root_disable
- os_ssh_permit_root_login_configure
- os_siri_prompt_disable
- os_ssh_fips_140_ciphers
- os_ssh_fips_140_macs
- os_sudoers_tty_configure
- os_touchid_prompt_disable
- os_mdm_require
- os_unlock_active_user_session_disable
- os_uucp_disable
- section: "PasswordPolicy"
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"
rules:
- pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_lower_case_character_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_special_character_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_upper_case_character_enforce
- pwpolicy_60_day_enforce
- pwpolicy_minimum_lifetime_enforce
- section: "icloud"
rules:
- icloud_photos_disable
- icloud_reminders_disable
- icloud_sync_disable
- icloud_appleid_prefpane_disable
- icloud_keychain_disable
- icloud_notes_disable
- icloud_drive_disable
- icloud_bookmarks_disable
- icloud_mail_disable
- icloud_calendar_disable
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_ad_tracking_disable
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_firewall_enable
- sysprefs_find_my_disable
- sysprefs_afp_disable
- sysprefs_content_caching_disable
- sysprefs_location_services_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_automatic_login_disable
- sysprefs_screen_sharing_disable
- sysprefs_siri_disable
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- section: "Inherent"
rules:
- os_implement_cryptography
- os_logical_access
- os_implement_cryptography
- os_obscure_password
- os_terminate_session_inactivity
- os_required_crypto_module
- os_store_encrypted_passwords
- pwpolicy_force_password_change
- pwpolicy_force_change_password_change
- section: "Permanent"
rules:
- audit_enforce_dual_auth
- os_request_verification_name_resolution
- os_protect_dos_attacks
- pwpolicy_50_percent
- section: "not_applicable"
rules:
rules:
- os_identify_non-org_users
- os_request_verification_name_resolution
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
- supplemental_controls
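Review bot: the Inherent section lists `os_implement_cryptography` twice within three lines, and the `not_applicable` section repeats the `rules:` key, the same duplicate-key problem as in the High baseline; a duplicated rule id is harmless but a duplicated mapping key is not valid YAML. `os_request_verification_name_resolution` again sits in both Permanent and `not_applicable`, which contradicts itself for the Low baseline. The Inherent section here also switches from `pwpolicy_force_password_change` to `pwpolicy_force_change_password_change`; whichever spelling is kept, it should agree with the other three baselines in this commit and with the rule file name. Note as well that this baseline drops `sysprefs_apple_watch_unlock_disable`, `sysprefs_touchid_unlock_disable` and the screensaver rules that the Moderate and High baselines keep; if that is intentional for LOW it is fine, but the description line does not say so.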

View File

@@ -2,182 +2,183 @@ title: "macOS 10.15 (Catalina): Security Configuration - 800-53 Moderate"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 MODERATE baseline.
profile:
- section: "Auditing"
rules:
- audit_auditd_enabled
- audit_acls_files_configure
- audit_files_mode_configure
- audit_acls_folders_configure
- audit_folders_mode_configure
- audit_failure_halt
- audit_files_group_configure
- audit_files_owner_configure
- audit_flags_aa_configure
- audit_flags_ad_configure
- audit_flags_fr_configure
- audit_flags_fw_configure
- audit_flags_fm_configure
- audit_flags_lo_configure
- audit_flags_ex_configure
- audit_folder_group_configure
- audit_folder_owner_configure
- audit_retention_configure
- section: "Authentication"
- section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- auth_smartcard_enforce
- auth_smartcard_certificate_trust_enforce_moderate
- auth_pam_sudo_smartcard_enforce
- auth_ssh_smartcard_enforce
- section: "SystemPreferences"
- auth_smartcard_certificate_trust_enforce_moderate
- auth_smartcard_enforce
- auth_pam_su_smartcard_enforce
- section: "auditing"
rules:
- sysprefs_ad_tracking_disable
- sysprefs_afp_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_automatic_login_disable
- sysprefs_bluetooth_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_content_caching_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_filevault_enforce
- sysprefs_find_my_disable
- sysprefs_firewall_enable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_hot_corners_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_internet_sharing_disable
- sysprefs_location_services_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_password_hints_disable
- sysprefs_rae_disable
- sysprefs_screensaver_ask_for_password_delay_enforce
- sysprefs_screensaver_password_enforce
- sysprefs_screensaver_timeout_enforce
- sysprefs_screen_sharing_disable
- sysprefs_siri_disable
- sysprefs_smbd_disable
- sysprefs_ssh_enable
- sysprefs_time_server_configure
- sysprefs_time_server_enforce
- sysprefs_token_removal_enforce
- sysprefs_touchid_unlock_disable
- section: "iCloud"
- audit_folder_group_configure
- audit_failure_halt
- audit_acls_folders_configure
- audit_flags_fm_configure
- audit_auditd_enabled
- audit_flags_ad_configure
- audit_flags_ex_configure
- audit_files_mode_configure
- audit_flags_aa_configure
- audit_files_owner_configure
- audit_retention_configure
- audit_flags_fr_configure
- audit_folder_owner_configure
- audit_flags_lo_configure
- audit_flags_fw_configure
- audit_folders_mode_configure
- audit_files_group_configure
- audit_acls_files_configure
- section: "macos"
rules:
- icloud_addressbook_disable
- icloud_calendar_disable
- icloud_mail_disable
- icloud_notes_disable
- icloud_reminders_disable
- icloud_appleid_prefpane_disable
- icloud_bookmarks_disable
- icloud_drive_disable
- icloud_keychain_disable
- icloud_photos_disable
- icloud_sync_disable
- section: "macOS"
rules:
- os_sip_enable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_bonjour_disable
- os_calendar_app_disable
- os_camera_disable
- os_certificate_authority_trust
- os_facetime_app_disable
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- os_firewall_log_enable
- os_ssh_client_alive_count_max_configure
- os_firmware_password_require
- os_guest_access_afp_disable
- os_guest_access_smb_disable
- os_power_nap_disable
- os_gatekeeper_rearm
- os_root_disable
- os_policy_banner_ssh_enforce
- os_password_proximity_disable
- os_mdm_require
- os_screensaver_loginwindow_enforce
- os_handoff_disable
- os_home_folders_secure
- os_firewall_log_enable
- os_system_wide_preferences_configure
- os_tftpd_disable
- os_password_autofill_disable
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_ssh_login_grace_time_configure
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
- os_touchid_prompt_disable
- os_filevault_autologin_disable
- os_messages_app_disable
- os_airdrop_disable
- os_parental_controls_enable
- os_system_read_only
- os_nfsd_disable
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_gatekeeper_enable
- os_sip_enable
- os_removable_media_disable
- os_guest_access_smb_disable
- os_policy_banner_ssh_configure
- os_time_server_enabled
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
- os_siri_prompt_disable
- os_appleid_prompt_disable
- os_certificate_authority_trust
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- os_messages_app_disable
- os_nfsd_disable
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
- os_power_nap_disable
- os_removable_media_disable
- os_root_disable
- os_ssh_permit_root_login_configure
- os_screensaver_loginwindow_enforce
- os_siri_prompt_disable
- os_ssh_client_alive_count_max_configure
- os_ssh_client_alive_interval_configure
- os_ssh_fips_140_ciphers
- os_ssh_fips_140_macs
- os_ssh_login_grace_time_configure
- os_sudoers_tty_configure
- os_system_wide_preferences_configure
- os_time_server_enabled
- os_touchid_prompt_disable
- os_mdm_require
- os_unlock_active_user_session_disable
- os_uucp_disable
- section: "PasswordPolicy"
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"
rules:
- pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_lower_case_character_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_special_character_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_upper_case_character_enforce
- pwpolicy_60_day_enforce
- pwpolicy_minimum_lifetime_enforce
- section: "icloud"
rules:
- icloud_photos_disable
- icloud_reminders_disable
- icloud_sync_disable
- icloud_appleid_prefpane_disable
- icloud_keychain_disable
- icloud_notes_disable
- icloud_drive_disable
- icloud_bookmarks_disable
- icloud_mail_disable
- icloud_calendar_disable
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_ad_tracking_disable
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_ssh_enable
- sysprefs_screensaver_password_enforce
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_screensaver_timeout_enforce
- sysprefs_firewall_enable
- sysprefs_find_my_disable
- sysprefs_afp_disable
- sysprefs_content_caching_disable
- sysprefs_location_services_disable
- sysprefs_time_server_configure
- sysprefs_diagnostics_reports_disable
- sysprefs_bluetooth_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_automatic_login_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_token_removal_enforce
- sysprefs_screensaver_ask_for_password_delay_enforce
- sysprefs_time_server_enforce
- sysprefs_touchid_unlock_disable
- sysprefs_screen_sharing_disable
- sysprefs_hot_corners_disable
- sysprefs_siri_disable
- sysprefs_filevault_enforce
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- section: "Inherent"
rules:
- os_prevent_priv_functions
- os_logical_access
- os_implement_memory_protection
- os_implement_cryptography
- os_logical_access
- os_obscure_password
- os_peripherals_identify
- os_prevent_priv_functions
- os_prevent_restricted_software
- os_prevent_unauthorized_disclosure
- os_required_crypto_module
- os_separate_fuctionality
- os_store_encrypted_passwords
- os_terminate_session_inactivity
- pwpolicy_emergency_accounts_disable
- pwpolicy_force_password_change
- os_required_crypto_module
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
- os_separate_fuctionality
- pwpolicy_temporary_accounts_disable
- pwpolicy_force_change_password_change
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
- audit_enforce_dual_auth
- os_auth_peripherals
- os_notify_account_created
- os_notify_account_disabled
- os_request_verification_name_resolution
- os_notify_account_enable
- os_provide_automated_account_management
- os_notify_account_created
- os_notify_account_modified
- os_notify_account_removal
- os_auth_peripherals
- os_continuous_monitoring
- os_notify_account_disabled
- os_protect_dos_attacks
- os_provide_automated_account_management
- pwpolicy_50_percent
- sysprefs_wifi_disable
- section: "not_applicable"
rules:
rules:
- os_identify_non-org_users
- os_request_verification_name_resolution
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
- supplemental_controls
- supplemental_controls
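Review bot: the rule id `pwpolicy_force_change_password_change` in the Inherent section reads like a typo of `pwpolicy_force_password_change`, which is listed in the same section; a rule id with no matching rule file leaves a hole in the generated 800-171 guide, so confirm which name the rules directory actually uses and keep only that one. Two smaller consistency points in the same hunk: the section keys `authentication`, `auditing`, `passwordpolicy`, `icloud`, `systempreferences` and `not_applicable` are now lowercase while `Inherent`, `Permanent` and `Supplemental` keep their capitals, and `os_separate_fuctionality` carries a misspelling ("fuctionality") in its id that this change propagates into every baseline on the page. The rendered view drops the +/- markers, so also verify that `rules:` appears only once under `not_applicable` and `supplemental_controls` only once under `Supplemental` in the resulting file.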

View File

@@ -2,229 +2,230 @@ title: "macOS 10.15 (Catalina): Security Configuration - All Rules"
description: |
This guide describes the actions to take when securing a macOS 10.15 system using every available rule.
profile:
- section: "Auditing"
rules:
- audit_auditd_enabled
- audit_acls_files_configure
- audit_files_mode_configure
- audit_acls_folders_configure
- audit_folders_mode_configure
- audit_configure_capacity_notify
- audit_failure_halt
- audit_files_group_configure
- audit_files_owner_configure
- audit_flags_aa_configure
- audit_flags_ad_configure
- audit_flags_fr_configure
- audit_flags_fw_configure
- audit_flags_fm_configure
- audit_flags_lo_configure
- audit_flags_ex_configure
- audit_folder_group_configure
- audit_folder_owner_configure
- audit_retention_configure
- audit_settings_failure_notify
- section: "Authentication"
- section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- auth_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_ssh_smartcard_enforce
- auth_smartcard_certificate_trust_enforce_high
- auth_smartcard_certificate_trust_enforce_moderate
- auth_ssh_smartcard_enforce
- section: "SystemPreferences"
- auth_smartcard_enforce
- auth_pam_su_smartcard_enforce
- section: "srg"
rules:
- sysprefs_ad_tracking_disable
- sysprefs_afp_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_automatic_login_disable
- sysprefs_bluetooth_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_content_caching_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_filevault_enforce
- sysprefs_find_my_disable
- sysprefs_firewall_enable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_hot_corners_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_internet_sharing_disable
- sysprefs_location_services_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_media_sharing_disabled
- sysprefs_password_hints_disable
- sysprefs_rae_disable
- sysprefs_screensaver_ask_for_password_delay_enforce
- sysprefs_screensaver_password_enforce
- sysprefs_screensaver_timeout_enforce
- sysprefs_screen_sharing_disable
- sysprefs_siri_disable
- sysprefs_smbd_disable
- sysprefs_ssh_enable
- sysprefs_time_server_configure
- sysprefs_time_server_enforce
- sysprefs_token_removal_enforce
- sysprefs_touchid_unlock_disable
- section: "iCloud"
- srg_filevault_user_account
- srg_anti_virus_installed
- section: "auditing"
rules:
- icloud_addressbook_disable
- icloud_calendar_disable
- icloud_mail_disable
- icloud_notes_disable
- icloud_reminders_disable
- icloud_appleid_prefpane_disable
- icloud_bookmarks_disable
- icloud_drive_disable
- icloud_keychain_disable
- icloud_photos_disable
- icloud_sync_disable
- section: "macOS"
- audit_folder_group_configure
- audit_failure_halt
- audit_acls_folders_configure
- audit_flags_fm_configure
- audit_auditd_enabled
- audit_flags_ad_configure
- audit_flags_ex_configure
- audit_files_mode_configure
- audit_flags_aa_configure
- audit_files_owner_configure
- audit_retention_configure
- audit_flags_fr_configure
- audit_settings_failure_notify
- audit_folder_owner_configure
- audit_flags_lo_configure
- audit_flags_fw_configure
- audit_folders_mode_configure
- audit_configure_capacity_notify
- audit_files_group_configure
- audit_acls_files_configure
- section: "macos"
rules:
- os_sip_enable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_bonjour_disable
- os_calendar_app_disable
- os_camera_disable
- os_certificate_authority_trust
- os_facetime_app_disable
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- os_firewall_log_enable
- os_ssh_client_alive_count_max_configure
- os_firmware_password_require
- os_gatekeeper_enable
- os_guest_access_afp_disable
- os_guest_access_smb_disable
- os_power_nap_disable
- os_gatekeeper_rearm
- os_root_disable
- os_guest_account_disable
- os_policy_banner_ssh_enforce
- os_password_proximity_disable
- os_mdm_require
- os_screensaver_loginwindow_enforce
- os_handoff_disable
- os_home_folders_secure
- os_firewall_log_enable
- os_system_wide_preferences_configure
- os_tftpd_disable
- os_password_autofill_disable
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_ssh_login_grace_time_configure
- os_privacy_setup_prompt_disable
- os_secure_boot_verify
- os_sudoers_tty_configure
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
- os_user_app_installation_prohibit
- os_touchid_prompt_disable
- os_filevault_autologin_disable
- os_messages_app_disable
- os_airdrop_disable
- os_parental_controls_enable
- os_system_read_only
- os_nfsd_disable
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_gatekeeper_enable
- os_sip_enable
- os_removable_media_disable
- os_guest_access_smb_disable
- os_policy_banner_ssh_configure
- os_time_server_enabled
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
- os_siri_prompt_disable
- os_appleid_prompt_disable
- os_certificate_authority_trust
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_camera_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ssh_permit_root_login_configure
- os_ir_support_disable
- os_mail_app_disable
- os_messages_app_disable
- os_nfsd_disable
- os_parental_controls_enable
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
- os_power_nap_disable
- os_privacy_setup_prompt_disable
- os_removable_media_disable
- os_root_disable
- os_screensaver_loginwindow_enforce
- os_secure_boot_verify
- os_siri_prompt_disable
- os_ssh_client_alive_count_max_configure
- os_ssh_client_alive_interval_configure
- os_ssh_fips_140_ciphers
- os_ssh_fips_140_macs
- os_ssh_login_grace_time_configure
- os_ssh_max_sessions_configure
- os_ssh_permit_root_login_configure
- os_sudoers_tty_configure
- os_system_wide_preferences_configure
- os_time_server_enabled
- os_touchid_prompt_disable
- os_mdm_require
- os_unlock_active_user_session_disable
- os_user_app_installation_prohibit
- os_uucp_disable
- section: "PasswordPolicy"
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"
rules:
- pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_lower_case_character_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_special_character_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_upper_case_character_enforce
- pwpolicy_60_day_enforce
- pwpolicy_minimum_lifetime_enforce
- section: "icloud"
rules:
- icloud_photos_disable
- icloud_reminders_disable
- icloud_sync_disable
- icloud_appleid_prefpane_disable
- icloud_keychain_disable
- icloud_notes_disable
- icloud_drive_disable
- icloud_bookmarks_disable
- icloud_mail_disable
- icloud_calendar_disable
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_ad_tracking_disable
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_ssh_enable
- sysprefs_media_sharing_disabled
- sysprefs_screensaver_password_enforce
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_screensaver_timeout_enforce
- sysprefs_firewall_enable
- sysprefs_find_my_disable
- sysprefs_afp_disable
- sysprefs_content_caching_disable
- sysprefs_location_services_disable
- sysprefs_time_server_configure
- sysprefs_diagnostics_reports_disable
- sysprefs_bluetooth_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_automatic_login_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_token_removal_enforce
- sysprefs_screensaver_ask_for_password_delay_enforce
- sysprefs_time_server_enforce
- sysprefs_touchid_unlock_disable
- sysprefs_screen_sharing_disable
- sysprefs_hot_corners_disable
- sysprefs_siri_disable
- sysprefs_filevault_enforce
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- section: "Inherent"
rules:
- os_enforce_access_restrictions
- os_limit_gui_sessions
- os_prevent_priv_functions
- os_logical_access
- os_verify_remote_disconnection
- os_logoff_capability_and_message
- os_fail_secure_state
- os_limit_auditable_events
- os_prevent_priv_execution
- os_allow_info_passed
- os_mfa_network_non-priv
- os_remove_software_components_after_updates
- os_implement_memory_protection
- os_implement_cryptography
- os_remote_access_methods
- os_obscure_password
- os_terminate_session_inactivity
- os_predictable_behavior
- os_reauth_users_change_authenticators
- os_map_pki_identity
- os_unique_identification
- os_provide_disconnect_remote_access
- os_isolate_security_functions
- os_required_crypto_module
- os_grant_privs
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
- os_terminate_session
- os_change_security_attributes
- os_mfa_network_access
- os_peripherals_identify
- os_error_message
- os_separate_fuctionality
- os_crypto_audit
- os_reauth_privilege
- pwpolicy_temporary_accounts_disable
- pwpolicy_force_change_password_change
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
- audit_alert_processing_fail
- audit_enforce_dual_auth
- audit_off_load_records
- os_enforce_login_attempt_delay
- os_limit_dos_attacks
- os_limit_invalid_logons
- os_notify_account_created
- os_notify_account_disabled
- audit_enforce_dual_auth
- audit_alert_processing_fail
- os_request_verification_name_resolution
- os_reauth_devices_change_authenticators
- os_notify_account_enable
- os_provide_automated_account_management
- os_notify_account_created
- os_notify_account_modified
- os_notify_account_removal
- os_notify_unauthorized_baseline_change
- os_auth_peripherals
- os_limit_dos_attacks
- os_continuous_monitoring
- os_notify_account_disabled
- os_protect_dos_attacks
- os_provide_automated_account_management
- os_reauth_devices_change_authenticators
- os_notify_unauthorized_baseline_change
- pwpolicy_50_percent
- pwpolicy_prevent_dictionary_words
- sysprefs_wifi_disable
- section: "Not_Applicable"
rules:
- os_auth_peripherals
- section: "not_applicable"
rules:
- os_identify_non-org_users
- os_prohibit_cached_authenticators
- os_react_security_anomalies
- os_request_verification_name_resolution
- os_verify_security_functions
- section: "Inherent"
rules:
- os_allow_info_passed
- os_change_security_attributes
- os_crypto_audit
- os_enforce_access_restrictions
- os_error_message
- os_fail_secure_state
- os_grant_privs
- os_implement_memory_protection
- os_implement_cryptography
- os_implement_random_address_space
- os_isolate_security_functions
- os_limit_auditable_events
- os_limit_gui_sessions
- os_logical_access
- os_logoff_capability_and_message
- os_map_pki_identity
- os_mfa_network_access
- os_mfa_network_non-priv
- os_obscure_password
- os_peripherals_identify
- os_predictable_behavior
- os_preserve_information_on_crash
- os_prevent_priv_execution
- os_prevent_priv_functions
- os_prevent_restricted_software
- os_prevent_unauthorized_disclosure
- os_provide_disconnect_remote_access
- os_reauth_privilege
- os_reauth_users_change_authenticators
- os_remote_access_methods
- os_remove_software_components_after_updates
- os_required_crypto_module
- os_separate_fuctionality
- os_store_encrypted_passwords
- os_terminate_session
- os_terminate_session_inactivity
- os_unique_identification
- os_verify_remote_disconnection
- pwpolicy_emergency_accounts_disable
- pwpolicy_force_password_change
- pwpolicy_temporary_accounts_disable
- section: "Supplemental"
rules:
- supplemental_smartcard
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
- supplemental_controls
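Review bot: the `Inherent` section appears twice in this hunk, once before `Permanent` and once after `not_applicable`, with different membership (`os_implement_random_address_space` and `os_preserve_information_on_crash` are only in the second copy, `pwpolicy_force_change_password_change` only in the first); because `profile:` is a list, a generator that iterates it would emit two Inherent headings if both copies survive, so confirm the merged all-rules profile has a single `Inherent` list and that the intended spelling is `pwpolicy_force_password_change`. The new `srg` section introduces `srg_filevault_user_account` and `srg_anti_virus_installed`, which no other profile on this page references, so make sure the corresponding rule files are part of this commit. `supplemental_smartcard` is listed twice under `Supplemental`, and `Not_Applicable` versus `not_applicable` shows the same mixed-case section naming as the other profiles.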

View File

@@ -2,181 +2,184 @@ title: "macOS 10.15 (Catalina): Security Configuration - 800-53 Moderate"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 MODERATE baseline.
profile:
- section: "Auditing"
rules:
- audit_auditd_enabled
- audit_acls_files_configure
- audit_files_mode_configure
- audit_acls_folders_configure
- audit_folders_mode_configure
- audit_failure_halt
- audit_files_group_configure
- audit_files_owner_configure
- audit_flags_aa_configure
- audit_flags_ad_configure
- audit_flags_fr_configure
- audit_flags_fw_configure
- audit_flags_fm_configure
- audit_flags_lo_configure
- audit_flags_ex_configure
- audit_folder_group_configure
- audit_folder_owner_configure
- audit_retention_configure
- section: "Authentication"
- section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- auth_smartcard_enforce
- auth_smartcard_certificate_trust_enforce_moderate
- auth_pam_sudo_smartcard_enforce
- auth_ssh_smartcard_enforce
- section: "SystemPreferences"
- auth_smartcard_certificate_trust_enforce_moderate
- auth_smartcard_enforce
- auth_pam_su_smartcard_enforce
- section: "auditing"
rules:
- sysprefs_ad_tracking_disable
- sysprefs_afp_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_automatic_login_disable
- sysprefs_bluetooth_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_content_caching_disable
- sysprefs_diagnostics_reports_disable
- sysprefs_filevault_enforce
- sysprefs_find_my_disable
- sysprefs_firewall_enable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_hot_corners_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_internet_sharing_disable
- sysprefs_location_services_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_password_hints_disable
- sysprefs_rae_disable
- sysprefs_screensaver_ask_for_password_delay_enforce
- sysprefs_screensaver_password_enforce
- sysprefs_screensaver_timeout_enforce
- sysprefs_screen_sharing_disable
- sysprefs_siri_disable
- sysprefs_smbd_disable
- sysprefs_ssh_enable
- sysprefs_time_server_configure
- sysprefs_time_server_enforce
- sysprefs_token_removal_enforce
- sysprefs_touchid_unlock_disable
- section: "iCloud"
- audit_folder_group_configure
- audit_failure_halt
- audit_acls_folders_configure
- audit_flags_fm_configure
- audit_auditd_enabled
- audit_flags_ad_configure
- audit_flags_ex_configure
- audit_files_mode_configure
- audit_flags_aa_configure
- audit_files_owner_configure
- audit_retention_configure
- audit_flags_fr_configure
- audit_folder_owner_configure
- audit_flags_lo_configure
- audit_flags_fw_configure
- audit_folders_mode_configure
- audit_files_group_configure
- audit_acls_files_configure
- section: "macos"
rules:
- icloud_addressbook_disable
- icloud_calendar_disable
- icloud_mail_disable
- icloud_notes_disable
- icloud_reminders_disable
- icloud_appleid_prefpane_disable
- icloud_bookmarks_disable
- icloud_drive_disable
- icloud_keychain_disable
- icloud_photos_disable
- icloud_sync_disable
- section: "macOS"
rules:
- os_sip_enable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_bonjour_disable
- os_calendar_app_disable
- os_camera_disable
- os_certificate_authority_trust
- os_facetime_app_disable
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- os_firewall_log_enable
- os_firmware_password_require
- os_guest_access_afp_disable
- os_guest_access_smb_disable
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_internet_accounts_prefpane_disable
- os_ir_support_disable
- os_mail_app_disable
- os_messages_app_disable
- os_nfsd_disable
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
- os_power_nap_disable
- os_removable_media_disable
- os_root_disable
- os_ssh_permit_root_login_configure
- os_screensaver_loginwindow_enforce
- os_siri_prompt_disable
- os_ssh_client_alive_count_max_configure
- os_ssh_client_alive_interval_configure
- os_firmware_password_require
- os_power_nap_disable
- os_gatekeeper_rearm
- os_root_disable
- os_policy_banner_ssh_enforce
- os_password_proximity_disable
- os_mdm_require
- os_screensaver_loginwindow_enforce
- os_handoff_disable
- os_firewall_log_enable
- os_system_wide_preferences_configure
- os_tftpd_disable
- os_password_autofill_disable
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_ssh_fips_140_macs
- os_ssh_login_grace_time_configure
- os_sudoers_tty_configure
- os_system_wide_preferences_configure
- os_time_server_enabled
- os_touchid_prompt_disable
- os_mdm_require
- os_unlock_active_user_session_disable
- os_uucp_disable
- section: "PasswordPolicy"
- os_policy_banner_loginwindow_enforce
- os_touchid_prompt_disable
- os_filevault_autologin_disable
- os_messages_app_disable
- os_airdrop_disable
- os_parental_controls_enable
- os_nfsd_disable
- os_httpd_disable
- os_gatekeeper_enable
- os_sip_enable
- os_removable_media_disable
- os_guest_access_smb_disable
- os_policy_banner_ssh_configure
- os_time_server_enabled
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
- os_siri_prompt_disable
- os_appleid_prompt_disable
- os_certificate_authority_trust
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- os_ssh_client_alive_interval_configure
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"
rules:
- pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- pwpolicy_lower_case_character_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_lower_case_character_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_special_character_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_upper_case_character_enforce
- pwpolicy_60_day_enforce
- pwpolicy_minimum_lifetime_enforce
- section: "icloud"
rules:
- icloud_photos_disable
- icloud_reminders_disable
- icloud_sync_disable
- icloud_appleid_prefpane_disable
- icloud_keychain_disable
- icloud_notes_disable
- icloud_drive_disable
- icloud_bookmarks_disable
- icloud_mail_disable
- icloud_calendar_disable
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_ad_tracking_disable
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_ssh_enable
- sysprefs_screensaver_password_enforce
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_screensaver_timeout_enforce
- sysprefs_firewall_enable
- sysprefs_find_my_disable
- sysprefs_afp_disable
- sysprefs_content_caching_disable
- sysprefs_location_services_disable
- sysprefs_time_server_configure
- sysprefs_diagnostics_reports_disable
- sysprefs_bluetooth_disable
- sysprefs_loginwindow_prompt_username_password_enforce
- sysprefs_automatic_login_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_token_removal_enforce
- sysprefs_screensaver_ask_for_password_delay_enforce
- sysprefs_time_server_enforce
- sysprefs_touchid_unlock_disable
- sysprefs_screen_sharing_disable
- sysprefs_hot_corners_disable
- sysprefs_siri_disable
- sysprefs_filevault_enforce
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- section: "Inherent"
rules:
- os_prevent_priv_functions
- os_logical_access
- os_implement_memory_protection
- os_implement_cryptography
- os_logical_access
- os_obscure_password
- os_peripherals_identify
- os_prevent_priv_functions
- os_prevent_restricted_software
- os_prevent_unauthorized_disclosure
- os_required_crypto_module
- os_separate_fuctionality
- os_store_encrypted_passwords
- os_terminate_session_inactivity
- pwpolicy_emergency_accounts_disable
- pwpolicy_force_password_change
- os_map_pki_identity
- os_required_crypto_module
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
- os_separate_fuctionality
- pwpolicy_temporary_accounts_disable
- pwpolicy_force_change_password_change
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
- audit_enforce_dual_auth
- os_auth_peripherals
- os_notify_account_created
- os_notify_account_disabled
- os_request_verification_name_resolution
- os_notify_account_enable
- os_provide_automated_account_management
- os_notify_account_created
- os_notify_account_modified
- os_notify_account_removal
- os_auth_peripherals
- os_continuous_monitoring
- os_notify_account_disabled
- os_protect_dos_attacks
- os_provide_automated_account_management
- pwpolicy_50_percent
- sysprefs_wifi_disable
- section: "not_applicable"
rules:
rules:
- os_identify_non-org_users
- os_request_verification_name_resolution
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
- supplemental_smartcard
- supplemental_controls
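Review bot: `rules:` appears twice under `not_applicable` in this hunk; if both lines end up in the file that is a duplicate mapping key, which PyYAML accepts silently (the last value wins) but which linters reject, so check the final file. The same two id problems as in the 800-171 profile are present here (`pwpolicy_force_change_password_change` next to `pwpolicy_force_password_change`, and the misspelt `os_separate_fuctionality`), `supplemental_smartcard` is listed twice under `Supplemental`, and `os_map_pki_identity` is added to `Inherent` only in this baseline, which is consistent with it being an 800-53 rather than an 800-171 control but worth a second look against the rule's own `800-53r4:` mapping.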

View File

@@ -0,0 +1,29 @@
id: os_continuous_monitoring
title: "Configure Automated Flaw Remediation"
discussion: |
The macOS system _MUST_ be configured to determine the state of system components with regard to flaw remediation.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- CCE-84892-9
cci:
- CCI-001233
800-53r4:
- SI-2(2)
srg:
- SRG-OS-000191-GPOS-00080
disa_stig:
- AOSX-14-000015
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- permanent
- STIG
mobileconfig: false
mobileconfig_info:
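Review bot: the rule id `os_continuous_monitoring` does not match its title "Configure Automated Flaw Remediation" or its mappings (`SI-2(2)`, `CCI-001233`, `SRG-OS-000191-GPOS-00080`), which are all about flaw-remediation status rather than continuous monitoring; rename one side so the guide heading, the CCE and the cross-references agree. The discussion also says the system "_MUST_ be configured" while the check says "The technology does not support this requirement", so the discussion should be worded as a permanent finding like the fix text is. `mobileconfig_info:` is left as an empty key, so the template that renders rules must tolerate a null there.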

View File

@@ -8,6 +8,7 @@ discussion: |
macOS Catalina is in process of receiving FIPS validation from the National Institute of Standards and Technology (NIST).
link:https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/Modules-In-Process-List[]
link:https://support.apple.com/en-us/HT201159[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement using FIPS Validated Cryptographic Modules.
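Review bot: the added references back the sentence "is in process of receiving FIPS validation", but the CMVP Modules-In-Process list is transient and the entry disappears once the certificate is issued, at which point the sentence and the link go stale while the `check:` text already asserts "FIPS Validated Cryptographic Modules". Consider stating the outcome the check relies on (validated modules, with the certificate reference once available) and dropping the in-process wording, so discussion and check do not contradict each other.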

View File

@@ -8,7 +8,9 @@ discussion: |
macOS supports address space layout randomization (ASLR), position-independent executable (PIE), Stack Canaries, and NX stack and heap protection.
link:https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/64bitPorting/transition/transition.html[]
link:https://developer.apple.com/library/archive/qa/qa1788/_index.html[]
link:https://www.apple.com/macos/security/[]
check: |
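Review bot: the new link to https://www.apple.com/macos/security/ is a product page that does not document ASLR, PIE, stack canaries or NX specifically, while the two existing references live in Apple's archived developer library; for an inherent-control justification the reader will want a primary source for the four protections the discussion names. Apple's platform security documentation covers these mechanisms and would be a better reference than the marketing page.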

View File

@@ -1,7 +1,11 @@
id: os_logical_access
title: "Enforce approved authorization for logical access"
title: "Enforce Approved Authorization for Logical Access"
discussion: |
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.
The information system _IS_ configured to enforce an approved authorization process before granting users logical access.
The inherent configuration of the macOS does not grant users logical access without authorization. Authorization is achieved on the macOS through permissions, which are controlled at many levels, from the Mach and BSD components of the kernel, through higher levels of the operating system and, for networked applications, through the networking protocols. Permissions can be granted at the level of directories, subdirectories, files or applications, or specific data within files or functions within applications.
link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
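Review bot: the inherited STIG text on the discussion line has a run-together sentence (`requirement.Access control policies`) that will render as-is in the guide; add the missing space. In the new text, "the inherent configuration of the macOS" should read "of macOS". The added justification lists permission layers (Mach, BSD, networking protocols), but the control is about enforcing authorization before granting logical access; one sentence stating that access requires an authenticated account whose group membership and ACLs are checked, which is what the linked Permissions guide documents, would tie the paragraph to the control more directly.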

View File

@@ -1,7 +1,11 @@
id: os_obscure_password
title: "Obscure passwords"
title: "Obscure Passwords"
discussion: |
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
The information system _IS_ configured to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation by unauthorized individuals.
The inherent configuration of a macOS uses NSSecureTextField for any text field that receives a password, which automatically obscures text which is entered.
link:https://developer.apple.com/documentation/appkit/nssecuretextfield[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
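Review bot: "The inherent configuration of a macOS uses NSSecureTextField" should read "of macOS", and the claim that it is used "for any text field that receives a password" is broader than the reference supports: NSSecureTextField is an AppKit control used by Apple's own authentication dialogs, and third-party or command-line prompts are outside its scope. Scope the sentence to the system-supplied login and authorization dialogs so the inherent finding stays defensible.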

View File

@@ -3,6 +3,8 @@ title: "Enable Parental Controls"
discussion: |
Parental Controls _MUST_ be enabled.
Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).
Parental Controls on macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'familyControlsEnabled = 1'
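Review bot: the `check:` pipes `profiles -P -o stdout` into `grep -c`, which counts matches across every installed profile; a host with two profiles that both set `familyControlsEnabled = 1` returns 2, so if the expected result is an exact 1 that host is reported non-compliant although the control is in place. Either treat any count of 1 or more as a pass or document the expected value. The new discussion paragraph repeats "_MUST_ be enabled" from the line above it and could be trimmed to the sentence about payloads.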
@@ -15,16 +17,25 @@ references:
- CCE-84773-1
cci:
- CCI-001812
- CCI-001764
800-53r4:
- CM-11(2)
- CM-7(2)
srg:
- SRG-OS-000362-GPOS-00149
- SRG-OS-000368-GPOS-00154
disa_stig:
- N/A
800-171r2:
- 3.4.7
macOS:
- "10.15"
tags:
- STIG
- 800-171
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:
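Review bot: `STIG` appears twice in the tags list in this hunk, once directly after `tags:` and once after `fisma-high`; if the first is not the removed line, the rule ends up with a duplicate tag, and since `disa_stig` is `N/A` for this rule, confirm the STIG tag belongs here at all. The new `800-171r2: 3.4.7` and `CM-7(2)` entries are the mappings moved from the deleted os_prevent_restricted_software rule, which is worth recording so the retirement of that rule's CCE can be traced.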

View File

@@ -14,20 +14,16 @@ references:
cci:
- CCI-000778
800-53r4:
- IA-3
- N/A
srg:
- SRG-OS-000114-GPOS-00059
disa_stig:
- AOSX-14-002069
800-171r2:
- 3.5.1
- 3.5.2
- N/A
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
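Review bot: `800-53r4` and `800-171r2` are changed to `N/A` while `cci: CCI-000778`, the SRG, the STIG ID `AOSX-14-002069`, the `STIG` tag and the `inherent` tag are all kept. A CCI is derived from an 800-53 control, so either the CCI and STIG entries should go with `IA-3` and the 3.5.x items, or the 800-53 mapping should stay; as written the reference block contradicts itself. Confirm whether the rule is still meant to be auto-satisfied (`inherent`) or is being phased out.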

View File

@@ -1,7 +1,11 @@
id: os_prevent_priv_execution
title: "Prevent all software from executing at higher privilege levels than users executing the software"
title: "Prevent Software From Executing at Higher Privilege Levels than Users Executing The Software"
discussion: |
In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations.Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review.
The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege.
link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
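Review bot: the justification line "does not allow for non-privileged users to be able to execute functions requiring privilege" contradicts the first paragraph of the same discussion, which acknowledges that some programs are required to operate at a higher privilege level than the invoking user. The requirement in the title is about exactly that case, so the justification should describe how macOS constrains such programs (the linked Permissions document covers ownership and the authorization model) rather than deny that it happens. A space is also missing after "organizations." in the first paragraph.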

View File

@@ -1,7 +1,13 @@
id: os_prevent_priv_functions
title: "Preventing non-privileged users from executing privileged functions"
title: "Configure the System to Block Non-Privileged Users from Executing Privileged Functions"
discussion: |
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
The information system _IS_ configured to block standard users from executing privileged functions.
Privileged functions include disabling, circumventing, or altering implemented security safeguards and countermeasures.
The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege.
link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Introduction/Introduction.html[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
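Review bot: the justification line "The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege." is copied verbatim from os_prevent_priv_execution, yet the two rules address different requirements (software executing above the invoking user's privilege versus standard users invoking privileged functions). Give this rule its own justification tied to the linked Authentication and Authorization guide, for example that privileged operations prompt for an administrator credential, and drop "be able to" for readability.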

View File

@@ -1,32 +0,0 @@
id: os_prevent_restricted_software
title: "Prevent program execution in accordance with policy"
discussion: |
Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level.Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-84886-1
cci:
- CCI-001764
800-53r4:
- CM-7(2)
disa_stig:
- N/A
srg:
- SRG-OS-000368-GPOS-00154
800-171r2:
- 3.4.7
macOS:
- "10.15"
tags:
- 800-171
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
- inherent
mobileconfig: false
mobileconfig_info:
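Review bot: deleting this rule retires `CCE-84886-1`; make sure the identifier is not reused by a future rule and that the `CM-7(2)` / `3.4.7` coverage it carried is now provided by the Parental Controls rule this commit maps to those references. The removal itself is the right call: program execution control is not an inherent property of the OS, and pairing "cannot be configured to be out of compliance" with "no fix is required" made the baseline claim compliance it could not verify.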

View File

@@ -1,7 +1,11 @@
id: os_prevent_unauthorized_disclosure
title: "Prevent unauthorized disclosure of data via shared resources"
title: "Configure the System to Prevent the Unauthorized Disclosure of Data via Shared Resources"
discussion: |
The information system prevents unauthorized and unintended information transfer via shared system resources.
The information system _IS_ configured to ensure that the unauthorized disclosure of data does not occur when resources are shared.
The inherent configuration of the macOS does not allow for resources to be shared between users without authorization.
link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
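Review bot: the justification "does not allow for resources to be shared between users without authorization" is an access-control statement, but the requirement restated on the line above is about unauthorized and unintended information transfer via shared system resources, that is, data left behind in memory or other reused objects, which file permissions do not address; the linked Permissions document likewise covers ownership and access modes. Reword the justification toward what macOS does about residual data in shared resources, or cite a source that does, rather than restating a permissions property.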

View File

@@ -1,7 +1,7 @@
id: os_provide_disconnect_remote_access
title: "Provide ability to disconnect or disable remote access"
title: "Provide Ability to Disconnect or Disable Remote Access"
discussion: |
Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking place would not be immediately stopped.Operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions functions and the need to eliminate immediate or future remote access to organizational information systems.The remote access functionality (e.g., RDP) may implement features such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack.
Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking place would not be immediately stopped.Operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions functions and the need to eliminate immediate or future remote access to organizational information systems.The remote access functionality (e.g., SSH) may implement features such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
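Review bot: the rewritten discussion line still runs sentences together ("stopped.Operating", "systems.The") and has "missions functions"; since the line is being edited anyway to swap RDP for SSH, add the missing spaces and fix "mission functions" in the same change. "Inherently meets" is also a stretch for a capability: disconnecting SSH sessions and turning off Remote Login are actions an administrator takes, so one sentence naming the service or preference to disable would make the rule actionable.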

View File

@@ -6,6 +6,7 @@ discussion: |
macOS Catalina is in process of receiving FIPS validation from the National Institute of Standards and Technology (NIST).
link:https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/Modules-In-Process-List[]
link:https://support.apple.com/en-us/HT201159[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
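Review bot: "is in process of receiving FIPS validation" is a time-bound statement, and the check asserts that the technology inherently meets the requirement; until a certificate is issued that is not the case. Add the date on which the Modules-In-Process entry was last confirmed, and replace the sentence with the certificate reference once validation is granted, so the "inherently meets" check does not outlive the facts behind it.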

View File

@@ -1,7 +1,13 @@
id: os_separate_functionality
title: "Must separate user and system functionality"
id: os_separate_fuctionality
title: "Configure the System to Separate User and System Functionality"
discussion: |
Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges.Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access.The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, different TCP/UDP ports, virtualization techniques, combinations of these methods, or other methods, as appropriate.An example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources. This may include isolating the administrative interface on a different security domain and with additional access controls.
The information system _IS_ configured to separate user and system functionality.
Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges. Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access.
The inherent configuration of the macOS allows only privileged users to access operating system management functionalities.
link:https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
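Review bot: the replacement `id` line reads `os_separate_fuctionality` (missing "n"). The rule id is what baseline profiles reference (the rule lists at the top of this commit are keyed by id), so this renames the rule and silently drops it from any baseline that still lists `os_separate_functionality`. Keep the original id; the paragraph rewrite, which splits the run-together sentences of the old text, is fine.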

View File

@@ -1,7 +1,11 @@
id: os_store_encrypted_passwords
title: "Store passwords encrypted"
title: "Encrypt Stored Passwords"
discussion: |
The information system _IS_ configured to encrypt stored passwords.
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
link:https://developer.apple.com/documentation/opendirectory/kodattributetypeauthenticationauthority[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
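Review bot: "encryption is the standard method for protecting passwords" overstates it: stored passwords are normally protected with salted one-way hashes, not reversible encryption, and the linked authentication-authority attribute describes how a record's credential is verified rather than a decryptable store. Use "cryptographically protected" in the title and discussion so the rule does not imply that stored passwords can be recovered.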

View File

@@ -1,7 +1,7 @@
id: pwpolicy_emergency_accounts_disable
title: "Automatically Remove or Disable Emergency Accounts within 72 Hours"
discussion: |
The macOS MUST be configured to automatically remove or disable emergency accounts within 72 hours or less.
The macOS is able to be configured to automatically remove or disable emergency accounts within 72 hours or less.
Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.
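Review bot: changing "MUST be configured" to "is able to be configured" turns a requirement into a statement of capability; if the baseline still expects emergency accounts to expire, keep the normative wording and use the `_MUST_` emphasis convention the other rules use (the old line lacked the underscores). "within 72 hours or less" is also redundant; "within 72 hours" says the same thing.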

View File

@@ -1,7 +1,7 @@
id: pwpolicy_temporary_accounts_disable
title: "Automatically Remove or Disable Temporary User Accounts within 72 Hours"
discussion: |
An automated termination _MUST_ be set for 72 hours or less for all temporary accounts upon account creation.
The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary accounts upon account creation.
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts _MUST_ be set to 72 hours (or less) when the temporary account is created.
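Review bot: same softening as in the emergency-accounts rule, but here the last line of the discussion still says automated termination "_MUST_ be set to 72 hours (or less)", so the discussion now contradicts itself. Make both lines either normative or descriptive.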

View File

@@ -1,34 +0,0 @@
id: srg_hbss_installed
title: The macOS system must utilize an HBSS solution and implement all DoD required modules.
discussion: |
The macOS system must employ automated mechanisms to determine the state of system components. The DoD requires the installation and use of an approved HBSS solution to be implemented on the operating system. For additional information, reference all applicable HBSS OPORDs and FRAGOs on SIPRNet.
check: |
Verify that there is an approved HBSS solution installed on the system.
If there is not an approved HBSS solution installed, this is a finding.
Verify that all installed components of the HBSS Solution are at the DoD approved minimal version.
If the installed components are not at the DoD approved minimal versions, this is a finding.
fix: |
Install an approved HBSS solution onto the system and ensure that all components are at least updated to their DoD approved minimal versions.
references:
cce:
- CCE-84892-9
cci:
- CCI-001233
800-53r4:
- SI-2(2)
srg:
- SRG-OS-000191-GPOS-00080
disa_stig:
- AOSX-14-000015
macOS:
- "10.15"
tags:
- cnssi-1253
- fisma-moderate
- fisma-high
- STIG
mobileconfig: false
mobileconfig_info:
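Review bot: removing this rule retires `CCE-84892-9` and drops the only mapping to STIG ID `AOSX-14-000015` and `SRG-OS-000191-GPOS-00080`. If the STIG-tagged baseline is meant to stay complete, record the removal, or a not-applicable justification for the HBSS requirement, somewhere the STIG mapping can be audited, and make sure the CCE is not reused.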

View File

@@ -0,0 +1,63 @@
id: supplemental_filevault
title: "FileVault Supplemental"
discussion: |
In macOS 10.15 the internal APFS volume (System & Data) can be protected by FileVault. On non-T2 hardware, FileVault uses an AES-XTS data encryption algorithm to protect full volumes on internal and external storage. Macs with the T2 chip utilize the hardware security features of the chip.
FileVault2 is described in link:https://support.apple.com/guide/security/when-filevault-is-turned-on-sec4c6dc1b6e/1/web/1[]
FileVault can be enabled in two ways within the macOS. It can be managed using the fdesetup command or by a Configuration Profile. When enabling FileVault, the user name and password must be a local OpenDirectory account with a valid SecureToken password.
Using the command line in the Terminal application you can run the following command.
[source,bash]
----
/usr/bin/fdesetup enable
----
This will enable FileVault after prompting for a user name and password, and return the personal recovery key.
There are a number of management features available when managing FileVault using the command line instead of a configuration profile. These are available in the manpage for fdesetup.
NOTE: Apple has deprecated fdesetup command line tool from recognizing user name and password for security reasons and may remove the ability in future versions of macOS.
When managing FileVault with a configuration profile you must deploy a profile with the payload type of com.apple.MCX.FileVault2. When using the key enable to enable FileVault with a configuration profile, you must include 1 of the following:
[source,xml]
----
<key>Enable</key>
<string>On</string>
<key>Defer</key>
<true />
----
[source,xml]
----
<key>Enable</key>
<string>On</string>
<key>UserEntersMissingInfo</key>
<true/>
----
If using the Defer key it will prompt for the user name and password at logout.
If using the key UserEntersMissingInfo it will only work if installed through manual installation and will prompt for the user name and password.
When using a configuration profile you can escrow the Recovery Key to an MDM Server. Documentation for that can be found on link:https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow[Apple's Developer site].
It's recommended that you use a Personal Recovery Key instead of an Institutional Key as it will generate a specific key for each device.
NOTE: FileVault currently only uses password based authentication and can not use a smartcard or any other type of multi-factor authentication.
check: |
fix: |
references:
cci:
- N/A
800-53r4:
- N/A
srg:
- N/A
disa_stig:
- N/A
macOS:
- "10.15"
tags:
- supplemental
mobileconfig: false
mobileconfig_info:
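Review bot: the supplemental leads with `fdesetup enable` and only afterwards notes that Apple has deprecated fdesetup taking a user name and password; since sysprefs_filevault_enforce now defers to this document for remediation, present the configuration profile method first and fdesetup as the legacy path. Smaller points: the two profile fragments close the boolean differently (`<true />` versus `<true/>`, both parse, pick one); "include 1 of the following" should read "one of the following"; the "FileVault2 is described in" link has no link text; and the algorithm sentence drops the key length that the old sysprefs_filevault_enforce text carried (XTS-AES-128 with a 256-bit key), which is worth keeping. The closing note that FileVault cannot use a smartcard is an important caveat for the smartcard-enforcing rules in this baseline and should stay prominent.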

View File

@@ -1,52 +1,15 @@
id: sysprefs_filevault_enforce
title: "Enforce FileVault"
discussion: |
FileVault _MUST_ be enforced.
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk.
FileVault2 is described in https://support.apple.com/en-us/HT204837
FileVault can be enabled in two ways within the macOS. It can be managed using the fdesetup command or by a Configuration Profile. When enabling FileVault, the user name and password must be a local OpenDirectory account with a valid Secure Token password.
Using the command line in the Terminal application you can run the following command.
[source,bash]
----
/usr/bin/fdesetup enable
----
This will enable FileVault after prompting for a user name and password, and return the personal recovery key.
There are a number of management features available when managing FileVault using the command line instead of a configuration profile. These are available in the manpage for fdesetup. Apple has deprecated fdesetup command line tool from recognizing user name and password for security reasons and may remove the ability in future versions of macOS.
When managing FileVault with a configuration profile you must deploy a profile with the payload type of com.apple.MCX.FileVault2. When using the key enable to enable FileVault with a configuration profile, you must include 1 of the following
[source,xml]
----
<key>Enable</key>
<string>On</string>
<key>Defer</key>
<true />
----
[source,xml]
----
<key>Enable</key>
<string>On</string>
<key>UserEntersMissingInfo</key>
<true/>
----
If using the key UserEntersMissingInfo it will only work if installed through manual installation and will prompt for the user name and password.
If using the Defer key it will prompt for the user name and password at logout.
If using a configuration profile you can escrow the Recovery Key to an MDM Server. Documentation for that can be found on link:https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow[Apple's Developer site].
It's recommended that you use a Personal Recovery Key instead of an Institutional Key as it will generate a specific key for each device.
Important to note, FileVault also only uses password based authentication and can not use a smartcard or any other multi factor authentication.
check: |
/usr/bin/fdesetup status | /usr/bin/grep -c "FileVault is On."
result:
integer: 1
fix: |
NOTE: See discussion on remediation and how to enable FileVault.
NOTE: See the FileVault supplemental to implement this rule.
references:
cce:
- CCE-84830-9
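Review bot: the check counts "FileVault is On." in `fdesetup status`; when FileVault is deployed with the `Defer` key, as the supplemental describes, enablement completes only after the user logs out, so the check reports 0 until then. Say so in the fix note so a freshly deployed profile is not read as a failed remediation. The trimmed discussion also loses the algorithm and key-size sentence and the HT204837 reference; if they are not carried into the supplemental, keep one of them here.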

View File

@@ -956,7 +956,7 @@ def main():
if args.logo:
logo = args.logo
else:
logo = "../../templates/images/nist.png"
logo = "../../templates/images/macOSSCP_Banner_3100x500.png"
build_path = os.path.join(parent_dir, 'build', f'{baseline_name}')
if not (os.path.isdir(build_path)):
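Review bot: the new default logo path is still relative to the current working directory (`../../templates/images/...`), so it only resolves when the script is run from its own directory; `build_path` on the following line is derived from `parent_dir`, and the logo default should be built from the same base with `os.path.join` so it is independent of where the script is invoked.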