diff --git a/README.adoc b/README.adoc
index 737f39d3..e8b1bd95 100644
--- a/README.adoc
+++ b/README.adoc
@@ -1,4 +1,4 @@
-= macOS Security Compliance Project
+image::templates/images/macOSSCP_Banner_3100x500.png[]
// settings:
:idprefix:
:idseparator: -
diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml
index 99dbfbd7..72eb2b0b 100644
--- a/baselines/800-171.yaml
+++ b/baselines/800-171.yaml
@@ -2,162 +2,164 @@ title: "macOS 10.15 (Catalina): Security Configuration - 800-171"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-171.
profile:
- - section: "Auditing"
+ - section: "authentication"
rules:
- - audit_acls_files_configure
- - audit_acls_folders_configure
- - audit_auditd_enabled
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_mode_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_ex_configure
- - audit_flags_fm_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_lo_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_folders_mode_configure
- - audit_settings_failure_notify
- - section: "Authentication"
+ - auth_pam_login_smartcard_enforce
+ - auth_pam_sudo_smartcard_enforce
+ - auth_ssh_smartcard_enforce
+ - auth_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - section: "auditing"
rules:
- - auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- - auth_smartcard_enforce
- - auth_ssh_smartcard_enforce
- - section: "SystemPreferences"
+ - audit_folder_group_configure
+ - audit_failure_halt
+ - audit_acls_folders_configure
+ - audit_flags_fm_configure
+ - audit_auditd_enabled
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_files_mode_configure
+ - audit_flags_aa_configure
+ - audit_files_owner_configure
+ - audit_flags_fr_configure
+ - audit_settings_failure_notify
+ - audit_folder_owner_configure
+ - audit_flags_lo_configure
+ - audit_flags_fw_configure
+ - audit_folders_mode_configure
+ - audit_files_group_configure
+ - audit_acls_files_configure
+ - section: "macos"
rules:
- - sysprefs_ad_tracking_disable
- - sysprefs_afp_disable
- - sysprefs_apple_watch_unlock_disable
- - sysprefs_automatic_login_disable
- - sysprefs_bluetooth_disable
- - sysprefs_bluetooth_sharing_disable
- - sysprefs_content_caching_disable
- - sysprefs_diagnostics_reports_disable
- - sysprefs_filevault_enforce
- - sysprefs_find_my_disable
- - sysprefs_firewall_enable
- - sysprefs_firewall_stealth_mode_enable
- - sysprefs_gatekeeper_identified_developers_allowed
- - sysprefs_gatekeeper_override_disallow
- - sysprefs_hot_corners_disable
- - sysprefs_improve_siri_dictation_disable
- - sysprefs_internet_sharing_disable
- - sysprefs_location_services_disable
- - sysprefs_loginwindow_prompt_username_password_enforce
- - sysprefs_media_sharing_disabled
- - sysprefs_password_hints_disable
- - sysprefs_rae_disable
- - sysprefs_screensaver_ask_for_password_delay_enforce
- - sysprefs_screensaver_password_enforce
- - sysprefs_screensaver_timeout_enforce
- - sysprefs_screen_sharing_disable
- - sysprefs_siri_disable
- - sysprefs_smbd_disable
- - sysprefs_ssh_enable
- - sysprefs_time_server_configure
- - sysprefs_time_server_enforce
- - sysprefs_token_removal_enforce
- - sysprefs_touchid_unlock_disable
- - section: "iCloud"
+ - os_firewall_default_deny_require
+ - os_ssh_client_alive_count_max_configure
+ - os_firmware_password_require
+ - os_power_nap_disable
+ - os_gatekeeper_rearm
+ - os_root_disable
+ - os_guest_account_disable
+ - os_policy_banner_ssh_enforce
+ - os_password_proximity_disable
+ - os_mdm_require
+ - os_screensaver_loginwindow_enforce
+ - os_handoff_disable
+ - os_firewall_log_enable
+ - os_system_wide_preferences_configure
+ - os_tftpd_disable
+ - os_password_autofill_disable
+ - os_password_sharing_disable
+ - os_ssh_fips_140_ciphers
+ - os_ssh_login_grace_time_configure
+ - os_uucp_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_touchid_prompt_disable
+ - os_filevault_autologin_disable
+ - os_messages_app_disable
+ - os_airdrop_disable
+ - os_parental_controls_enable
+ - os_nfsd_disable
+ - os_httpd_disable
+ - os_gatekeeper_enable
+ - os_sip_enable
+ - os_removable_media_disable
+ - os_guest_access_smb_disable
+ - os_policy_banner_ssh_configure
+ - os_time_server_enabled
+ - os_unlock_active_user_session_disable
+ - os_internet_accounts_prefpane_disable
+ - os_siri_prompt_disable
+ - os_appleid_prompt_disable
+ - os_ssh_fips_140_macs
+ - os_home_folders_secure
+ - os_facetime_app_disable
+ - os_guest_access_afp_disable
+ - os_icloud_storage_prompt_disable
+ - os_ir_support_disable
+ - os_mail_app_disable
+ - os_ssh_client_alive_interval_configure
+ - os_bonjour_disable
+ - os_calendar_app_disable
+ - section: "passwordpolicy"
rules:
- - icloud_addressbook_disable
- - icloud_appleid_prefpane_disable
- - icloud_bookmarks_disable
- - icloud_calendar_disable
- - icloud_drive_disable
- - icloud_keychain_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_photos_disable
- - icloud_reminders_disable
- - icloud_sync_disable
- - section: "macOS"
+ - pwpolicy_account_inactivity_enforce
+ - pwpolicy_history_enforce
+ - pwpolicy_account_lockout_enforce
+ - pwpolicy_simple_sequence_disable
+ - pwpolicy_lower_case_character_enforce
+ - pwpolicy_account_lockout_timeout_enforce
+ - pwpolicy_special_character_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_minimum_length_enforce
+ - pwpolicy_upper_case_character_enforce
+ - pwpolicy_60_day_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - section: "icloud"
rules:
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_bonjour_disable
- - os_calendar_app_disable
- - os_facetime_app_disable
- - os_filevault_autologin_disable
- - os_firewall_default_deny_require
- - os_firewall_log_enable
- - os_firmware_password_require
- - os_gatekeeper_enable
- - os_gatekeeper_rearm
- - os_guest_access_afp_disable
- - os_guest_access_smb_disable
- - os_guest_account_disable
- - os_handoff_disable
- - os_home_folders_secure
- - os_httpd_disable
- - os_icloud_storage_prompt_disable
- - os_internet_accounts_prefpane_disable
- - os_ir_support_disable
- - os_mail_app_disable
- - os_mdm_require
- - os_messages_app_disable
- - os_nfsd_disable
- - os_password_autofill_disable
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_power_nap_disable
- - os_removable_media_disable
- - os_root_disable
- - os_screensaver_loginwindow_enforce
- - os_sip_enable
- - os_siri_prompt_disable
- - os_ssh_client_alive_count_max_configure
- - os_ssh_client_alive_interval_configure
- - os_ssh_fips_140_ciphers
- - os_ssh_fips_140_macs
- - os_ssh_login_grace_time_configure
- - os_system_wide_preferences_configure
- - os_tftpd_disable
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_unlock_active_user_session_disable
- - os_uucp_disable
- - section: "PasswordPolicy"
+ - icloud_photos_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - icloud_appleid_prefpane_disable
+ - icloud_keychain_disable
+ - icloud_notes_disable
+ - icloud_drive_disable
+ - icloud_bookmarks_disable
+ - icloud_mail_disable
+ - icloud_calendar_disable
+ - icloud_addressbook_disable
+ - section: "systempreferences"
rules:
- - pwpolicy_60_day_enforce
- - pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- - pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
- - pwpolicy_simple_sequence_disable
- - pwpolicy_special_character_enforce
- - pwpolicy_upper_case_character_enforce
+ - sysprefs_smbd_disable
+ - sysprefs_firewall_stealth_mode_enable
+ - sysprefs_ad_tracking_disable
+ - sysprefs_internet_sharing_disable
+ - sysprefs_rae_disable
+ - sysprefs_ssh_enable
+ - sysprefs_media_sharing_disabled
+ - sysprefs_screensaver_password_enforce
+ - sysprefs_gatekeeper_identified_developers_allowed
+ - sysprefs_gatekeeper_override_disallow
+ - sysprefs_screensaver_timeout_enforce
+ - sysprefs_firewall_enable
+ - sysprefs_find_my_disable
+ - sysprefs_afp_disable
+ - sysprefs_content_caching_disable
+ - sysprefs_location_services_disable
+ - sysprefs_time_server_configure
+ - sysprefs_diagnostics_reports_disable
+ - sysprefs_bluetooth_disable
+ - sysprefs_loginwindow_prompt_username_password_enforce
+ - sysprefs_automatic_login_disable
+ - sysprefs_apple_watch_unlock_disable
+ - sysprefs_token_removal_enforce
+ - sysprefs_screensaver_ask_for_password_delay_enforce
+ - sysprefs_time_server_enforce
+ - sysprefs_touchid_unlock_disable
+ - sysprefs_screen_sharing_disable
+ - sysprefs_hot_corners_disable
+ - sysprefs_siri_disable
+ - sysprefs_filevault_enforce
+ - sysprefs_password_hints_disable
+ - sysprefs_bluetooth_sharing_disable
+ - sysprefs_improve_siri_dictation_disable
- section: "Inherent"
rules:
- - os_implement_cryptography
- - os_logical_access
- - os_obscure_password
- - os_prevent_priv_functions
- - os_prevent_restricted_software
- - os_prevent_unauthorized_disclosure
- - os_separate_fuctionality
- - os_store_encrypted_passwords
- - os_terminate_session_inactivity
- - pwpolicy_force_password_change
+ - os_prevent_priv_functions
+ - os_logical_access
+ - os_implement_cryptography
+ - os_obscure_password
+ - os_terminate_session_inactivity
+ - os_store_encrypted_passwords
+ - os_prevent_unauthorized_disclosure
+ - os_separate_fuctionality
+ - pwpolicy_force_change_password_change
- section: "Permanent"
rules:
- - pwpolicy_50_percent
- - sysprefs_wifi_disable
+ - pwpolicy_50_percent
+ - sysprefs_wifi_disable
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- - supplemental_smartcard
\ No newline at end of file
+ - supplemental_smartcard
+ - supplemental_controls
+
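Review bot: The regenerated Inherent list (L302–L310) silently drops `os_prevent_restricted_software`, which the old side carried at L296, and renames `pwpolicy_force_password_change` to `pwpolicy_force_change_password_change` (L310); the doubled "change" reads like a typo, and unless the rule file itself was renamed in the same commit, the generator will be pointed at a rule id that does not exist. The same rename appears in the 800-53_high and 800-53_low hunks. If the drop is deliberate de-scoping it should be stated in the commit message; otherwise restore `      - os_prevent_restricted_software` and confirm the pwpolicy rule id against the rules directory. The new rule lists also appear in no stable order (the old side was alphabetical), which suggests they were emitted from an unordered collection and will make every future regeneration a noisy diff; sorting each `rules:` list before writing would keep these baselines reviewable. Section names were lowercased only for six of the ten sections while `"Inherent"`, `"Permanent"`, `"Supplemental"` and `"not_applicable"` keep their old casing, so if the section string is used as a lookup key anywhere, the mixed casing is fragile and worth normalizing in one direction.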
diff --git a/baselines/800-53_high.yaml b/baselines/800-53_high.yaml
index b377750f..b00b9509 100644
--- a/baselines/800-53_high.yaml
+++ b/baselines/800-53_high.yaml
@@ -2,192 +2,192 @@ title: "macOS 10.15 (Catalina): Security Configuration - 800-53 High"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 HIGH baseline.
profile:
- - section: "Auditing"
- rules:
- - audit_auditd_enabled
- - audit_acls_files_configure
- - audit_files_mode_configure
- - audit_acls_folders_configure
- - audit_folders_mode_configure
- - audit_configure_capacity_notify
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_fm_configure
- - audit_flags_lo_configure
- - audit_flags_ex_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_retention_configure
- - audit_settings_failure_notify
- - section: "Authentication"
+ - section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- - auth_smartcard_enforce
- - auth_smartcard_certificate_trust_enforce_high
+ - auth_pam_sudo_smartcard_enforce
- auth_ssh_smartcard_enforce
- - section: "SystemPreferences"
+ - auth_smartcard_certificate_trust_enforce_high
+ - auth_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - section: "auditing"
rules:
- - sysprefs_ad_tracking_disable
- - sysprefs_afp_disable
- - sysprefs_apple_watch_unlock_disable
- - sysprefs_automatic_login_disable
- - sysprefs_bluetooth_disable
- - sysprefs_bluetooth_sharing_disable
- - sysprefs_content_caching_disable
- - sysprefs_diagnostics_reports_disable
- - sysprefs_filevault_enforce
- - sysprefs_find_my_disable
- - sysprefs_firewall_enable
- - sysprefs_firewall_stealth_mode_enable
- - sysprefs_gatekeeper_identified_developers_allowed
- - sysprefs_gatekeeper_override_disallow
- - sysprefs_hot_corners_disable
- - sysprefs_improve_siri_dictation_disable
- - sysprefs_internet_sharing_disable
- - sysprefs_location_services_disable
- - sysprefs_loginwindow_prompt_username_password_enforce
- - sysprefs_password_hints_disable
- - sysprefs_rae_disable
- - sysprefs_screensaver_ask_for_password_delay_enforce
- - sysprefs_screensaver_password_enforce
- - sysprefs_screensaver_timeout_enforce
- - sysprefs_screen_sharing_disable
- - sysprefs_siri_disable
- - sysprefs_smbd_disable
- - sysprefs_ssh_enable
- - sysprefs_time_server_configure
- - sysprefs_time_server_enforce
- - sysprefs_token_removal_enforce
- - sysprefs_touchid_unlock_disable
- - section: "iCloud"
+ - audit_folder_group_configure
+ - audit_failure_halt
+ - audit_acls_folders_configure
+ - audit_flags_fm_configure
+ - audit_auditd_enabled
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_files_mode_configure
+ - audit_flags_aa_configure
+ - audit_files_owner_configure
+ - audit_retention_configure
+ - audit_flags_fr_configure
+ - audit_settings_failure_notify
+ - audit_folder_owner_configure
+ - audit_flags_lo_configure
+ - audit_flags_fw_configure
+ - audit_folders_mode_configure
+ - audit_configure_capacity_notify
+ - audit_files_group_configure
+ - audit_acls_files_configure
+ - section: "macos"
rules:
- - icloud_addressbook_disable
- - icloud_calendar_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_reminders_disable
- - icloud_appleid_prefpane_disable
- - icloud_bookmarks_disable
- - icloud_drive_disable
- - icloud_keychain_disable
- - icloud_photos_disable
- - icloud_sync_disable
- - section: "macOS"
- rules:
- - os_sip_enable
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_bonjour_disable
- - os_calendar_app_disable
- - os_camera_disable
- - os_certificate_authority_trust
- - os_facetime_app_disable
- - os_filevault_autologin_disable
- os_firewall_default_deny_require
- - os_firewall_log_enable
+ - os_ssh_client_alive_count_max_configure
- os_firmware_password_require
- - os_gatekeeper_enable
- - os_guest_access_afp_disable
- - os_guest_access_smb_disable
+ - os_power_nap_disable
+ - os_gatekeeper_rearm
+ - os_root_disable
- os_guest_account_disable
+ - os_policy_banner_ssh_enforce
+ - os_password_proximity_disable
+ - os_mdm_require
+ - os_screensaver_loginwindow_enforce
- os_handoff_disable
- - os_home_folders_secure
+ - os_firewall_log_enable
+ - os_system_wide_preferences_configure
+ - os_tftpd_disable
+ - os_password_autofill_disable
+ - os_password_sharing_disable
+ - os_ssh_fips_140_ciphers
+ - os_ssh_login_grace_time_configure
+ - os_secure_boot_verify
+ - os_uucp_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_touchid_prompt_disable
+ - os_filevault_autologin_disable
+ - os_messages_app_disable
+ - os_airdrop_disable
+ - os_parental_controls_enable
+ - os_system_read_only
+ - os_nfsd_disable
- os_httpd_disable
- - os_icloud_storage_prompt_disable
+ - os_gatekeeper_enable
+ - os_sip_enable
+ - os_removable_media_disable
+ - os_guest_access_smb_disable
+ - os_policy_banner_ssh_configure
+ - os_time_server_enabled
+ - os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
+ - os_siri_prompt_disable
+ - os_appleid_prompt_disable
+ - os_certificate_authority_trust
+ - os_ssh_fips_140_macs
+ - os_home_folders_secure
+ - os_facetime_app_disable
+ - os_guest_access_afp_disable
+ - os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- - os_messages_app_disable
- - os_nfsd_disable
- - os_password_autofill_disable
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_power_nap_disable
- - os_removable_media_disable
- - os_screensaver_loginwindow_enforce
- - os_secure_boot_verify
- - os_siri_prompt_disable
- - os_ssh_client_alive_count_max_configure
- os_ssh_client_alive_interval_configure
- - os_ssh_fips_140_ciphers
- - os_ssh_fips_140_macs
- - os_ssh_login_grace_time_configure
- - os_ssh_max_sessions_configure
- - os_ssh_permit_root_login_configure
- - os_sudoers_tty_configure
- - os_system_wide_preferences_configure
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_mdm_require
- - os_unlock_active_user_session_disable
- - os_uucp_disable
- - section: "PasswordPolicy"
+ - os_bonjour_disable
+ - os_calendar_app_disable
+ - section: "passwordpolicy"
rules:
- - pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
+ - pwpolicy_lower_case_character_enforce
+ - pwpolicy_account_lockout_timeout_enforce
- pwpolicy_special_character_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_minimum_length_enforce
- pwpolicy_upper_case_character_enforce
+ - pwpolicy_60_day_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - section: "icloud"
+ rules:
+ - icloud_photos_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - icloud_appleid_prefpane_disable
+ - icloud_keychain_disable
+ - icloud_notes_disable
+ - icloud_drive_disable
+ - icloud_bookmarks_disable
+ - icloud_mail_disable
+ - icloud_calendar_disable
+ - icloud_addressbook_disable
+ - section: "systempreferences"
+ rules:
+ - sysprefs_smbd_disable
+ - sysprefs_firewall_stealth_mode_enable
+ - sysprefs_ad_tracking_disable
+ - sysprefs_internet_sharing_disable
+ - sysprefs_rae_disable
+ - sysprefs_ssh_enable
+ - sysprefs_screensaver_password_enforce
+ - sysprefs_gatekeeper_identified_developers_allowed
+ - sysprefs_gatekeeper_override_disallow
+ - sysprefs_screensaver_timeout_enforce
+ - sysprefs_firewall_enable
+ - sysprefs_find_my_disable
+ - sysprefs_afp_disable
+ - sysprefs_content_caching_disable
+ - sysprefs_location_services_disable
+ - sysprefs_time_server_configure
+ - sysprefs_diagnostics_reports_disable
+ - sysprefs_bluetooth_disable
+ - sysprefs_loginwindow_prompt_username_password_enforce
+ - sysprefs_automatic_login_disable
+ - sysprefs_apple_watch_unlock_disable
+ - sysprefs_token_removal_enforce
+ - sysprefs_screensaver_ask_for_password_delay_enforce
+ - sysprefs_time_server_enforce
+ - sysprefs_touchid_unlock_disable
+ - sysprefs_screen_sharing_disable
+ - sysprefs_hot_corners_disable
+ - sysprefs_siri_disable
+ - sysprefs_filevault_enforce
+ - sysprefs_password_hints_disable
+ - sysprefs_bluetooth_sharing_disable
+ - sysprefs_improve_siri_dictation_disable
- section: "Inherent"
rules:
- - os_crypto_audit
- os_enforce_access_restrictions
+ - os_limit_gui_sessions
+ - os_prevent_priv_functions
+ - os_logical_access
- os_fail_secure_state
- os_implement_memory_protection
- os_implement_cryptography
- - os_implement_random_address_space
- - os_isolate_security_functions
- - os_limit_gui_sessions
- - os_logical_access
- os_obscure_password
- - os_peripherals_identify
- - os_prevent_priv_functions
- - os_prevent_restricted_software
- - os_prevent_unauthorized_disclosure
- - os_required_crypto_module
- - os_separate_fuctionality
- - os_store_encrypted_passwords
- os_terminate_session_inactivity
- - pwpolicy_emergency_accounts_disable
- - pwpolicy_force_password_change
+ - os_isolate_security_functions
+ - os_required_crypto_module
+ - os_store_encrypted_passwords
+ - os_prevent_unauthorized_disclosure
+ - os_separate_fuctionality
+ - os_crypto_audit
- pwpolicy_temporary_accounts_disable
+ - pwpolicy_force_change_password_change
+ - pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
- - audit_enforce_dual_auth
- - os_auth_peripherals
- - os_notify_account_created
- - os_notify_account_disabled
+ - os_request_verification_name_resolution
- os_notify_account_enable
+ - os_provide_automated_account_management
+ - os_notify_account_created
- os_notify_account_modified
- os_notify_account_removal
+ - os_auth_peripherals
+ - os_continuous_monitoring
+ - os_notify_account_disabled
- os_protect_dos_attacks
- - os_provide_automated_account_management
- pwpolicy_50_percent
- sysprefs_wifi_disable
- section: "not_applicable"
- rules:
+ rules:
- os_identify_non-org_users
- - os_request_verification_name_resolution
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
+ - supplemental_controls
+
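Review bot: Several hardening rules present on the old side are absent from the new `macos` list and are not re-added elsewhere in the hunk: `os_ssh_permit_root_login_configure`, `os_sudoers_tty_configure`, `os_ssh_max_sessions_configure` (old L522–L524) and `os_camera_disable` (L446); the Inherent section likewise loses `os_implement_random_address_space`, `os_peripherals_identify` and `os_prevent_restricted_software`, and Permanent loses `audit_enforce_dual_auth` (L638). The baseline description at L332 is unchanged and nothing in the hunk explains the removals, so for a HIGH baseline these look like accidental omissions from a regenerated list rather than intentional de-scoping. The 800-53_low hunk has the same pattern with a larger set: in addition to the SSH root-login, sudoers-tty and camera rules it drops `os_firewall_default_deny_require`, `os_firmware_password_require`, `os_home_folders_secure`, `os_removable_media_disable`, both `sysprefs_gatekeeper_*` rules and `audit_enforce_dual_auth`. Either restore the missing ids under their sections or record each intentional removal in the commit message, and consider a check in the generator that diffs rule ids between the previous and regenerated baseline so silent drops like these are flagged at build time.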
diff --git a/baselines/800-53_low.yaml b/baselines/800-53_low.yaml
index 2db9800e..1ee38f21 100644
--- a/baselines/800-53_low.yaml
+++ b/baselines/800-53_low.yaml
@@ -2,144 +2,138 @@ title: "macOS 10.15 (Catalina): Security Configuration - 800-53 Low"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 LOW baseline.
profile:
- - section: "Auditing"
- rules:
- - audit_auditd_enabled
- - audit_acls_files_configure
- - audit_files_mode_configure
- - audit_acls_folders_configure
- - audit_folders_mode_configure
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_fm_configure
- - audit_flags_lo_configure
- - audit_flags_ex_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_retention_configure
- - section: "Authentication"
+ - section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- - auth_smartcard_enforce
+ - auth_pam_sudo_smartcard_enforce
- auth_ssh_smartcard_enforce
- - section: "SystemPreferences"
+ - auth_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - section: "auditing"
rules:
- - sysprefs_ad_tracking_disable
- - sysprefs_afp_disable
- - sysprefs_automatic_login_disable
- - sysprefs_bluetooth_sharing_disable
- - sysprefs_content_caching_disable
- - sysprefs_diagnostics_reports_disable
- - sysprefs_find_my_disable
- - sysprefs_firewall_enable
- - sysprefs_firewall_stealth_mode_enable
- - sysprefs_gatekeeper_identified_developers_allowed
- - sysprefs_gatekeeper_override_disallow
- - sysprefs_improve_siri_dictation_disable
- - sysprefs_internet_sharing_disable
- - sysprefs_location_services_disable
- - sysprefs_loginwindow_prompt_username_password_enforce
- - sysprefs_password_hints_disable
- - sysprefs_rae_disable
- - sysprefs_screen_sharing_disable
- - sysprefs_siri_disable
- - sysprefs_smbd_disable
- - section: "iCloud"
+ - audit_folder_group_configure
+ - audit_failure_halt
+ - audit_acls_folders_configure
+ - audit_flags_fm_configure
+ - audit_auditd_enabled
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_files_mode_configure
+ - audit_flags_aa_configure
+ - audit_files_owner_configure
+ - audit_retention_configure
+ - audit_flags_fr_configure
+ - audit_folder_owner_configure
+ - audit_flags_lo_configure
+ - audit_flags_fw_configure
+ - audit_folders_mode_configure
+ - audit_files_group_configure
+ - audit_acls_files_configure
+ - section: "macos"
rules:
- - icloud_addressbook_disable
- - icloud_calendar_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_reminders_disable
- - icloud_appleid_prefpane_disable
- - icloud_bookmarks_disable
- - icloud_drive_disable
- - icloud_keychain_disable
- - icloud_photos_disable
- - icloud_sync_disable
- - section: "macOS"
- rules:
- - os_sip_enable
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_bonjour_disable
- - os_calendar_app_disable
- - os_camera_disable
- - os_facetime_app_disable
- - os_filevault_autologin_disable
- - os_firewall_default_deny_require
- - os_firewall_log_enable
- - os_firmware_password_require
- - os_guest_access_afp_disable
- - os_guest_access_smb_disable
+ - os_power_nap_disable
+ - os_root_disable
+ - os_policy_banner_ssh_enforce
+ - os_password_proximity_disable
+ - os_mdm_require
- os_handoff_disable
- - os_home_folders_secure
+ - os_firewall_log_enable
+ - os_tftpd_disable
+ - os_password_autofill_disable
+ - os_password_sharing_disable
+ - os_ssh_fips_140_ciphers
+ - os_uucp_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_touchid_prompt_disable
+ - os_filevault_autologin_disable
+ - os_messages_app_disable
+ - os_airdrop_disable
+ - os_nfsd_disable
- os_httpd_disable
- - os_icloud_storage_prompt_disable
+ - os_sip_enable
+ - os_guest_access_smb_disable
+ - os_policy_banner_ssh_configure
+ - os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
+ - os_siri_prompt_disable
+ - os_appleid_prompt_disable
+ - os_ssh_fips_140_macs
+ - os_facetime_app_disable
+ - os_guest_access_afp_disable
+ - os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- - os_messages_app_disable
- - os_nfsd_disable
- - os_password_autofill_disable
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_power_nap_disable
- - os_removable_media_disable
- - os_root_disable
- - os_ssh_permit_root_login_configure
- - os_siri_prompt_disable
- - os_ssh_fips_140_ciphers
- - os_ssh_fips_140_macs
- - os_sudoers_tty_configure
- - os_touchid_prompt_disable
- - os_mdm_require
- - os_unlock_active_user_session_disable
- - os_uucp_disable
- - section: "PasswordPolicy"
+ - os_bonjour_disable
+ - os_calendar_app_disable
+ - section: "passwordpolicy"
rules:
- - pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
+ - pwpolicy_lower_case_character_enforce
+ - pwpolicy_account_lockout_timeout_enforce
- pwpolicy_special_character_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_minimum_length_enforce
- pwpolicy_upper_case_character_enforce
+ - pwpolicy_60_day_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - section: "icloud"
+ rules:
+ - icloud_photos_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - icloud_appleid_prefpane_disable
+ - icloud_keychain_disable
+ - icloud_notes_disable
+ - icloud_drive_disable
+ - icloud_bookmarks_disable
+ - icloud_mail_disable
+ - icloud_calendar_disable
+ - icloud_addressbook_disable
+ - section: "systempreferences"
+ rules:
+ - sysprefs_smbd_disable
+ - sysprefs_firewall_stealth_mode_enable
+ - sysprefs_ad_tracking_disable
+ - sysprefs_internet_sharing_disable
+ - sysprefs_rae_disable
+ - sysprefs_firewall_enable
+ - sysprefs_find_my_disable
+ - sysprefs_afp_disable
+ - sysprefs_content_caching_disable
+ - sysprefs_location_services_disable
+ - sysprefs_diagnostics_reports_disable
+ - sysprefs_loginwindow_prompt_username_password_enforce
+ - sysprefs_automatic_login_disable
+ - sysprefs_screen_sharing_disable
+ - sysprefs_siri_disable
+ - sysprefs_password_hints_disable
+ - sysprefs_bluetooth_sharing_disable
+ - sysprefs_improve_siri_dictation_disable
- section: "Inherent"
rules:
- - os_implement_cryptography
- os_logical_access
+ - os_implement_cryptography
- os_obscure_password
+ - os_terminate_session_inactivity
- os_required_crypto_module
- os_store_encrypted_passwords
- - pwpolicy_force_password_change
+ - pwpolicy_force_change_password_change
- section: "Permanent"
rules:
- - audit_enforce_dual_auth
+ - os_request_verification_name_resolution
- os_protect_dos_attacks
- pwpolicy_50_percent
- section: "not_applicable"
- rules:
+ rules:
- os_identify_non-org_users
- - os_request_verification_name_resolution
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
+ - supplemental_controls
+
diff --git a/baselines/800-53_moderate.yaml b/baselines/800-53_moderate.yaml
index 399d1fb1..93e30a79 100644
--- a/baselines/800-53_moderate.yaml
+++ b/baselines/800-53_moderate.yaml
@@ -2,182 +2,183 @@ title: "macOS 10.15 (Catalina): Security Configuration - 800-53 Moderate"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 MODERATE baseline.
profile:
- - section: "Auditing"
- rules:
- - audit_auditd_enabled
- - audit_acls_files_configure
- - audit_files_mode_configure
- - audit_acls_folders_configure
- - audit_folders_mode_configure
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_fm_configure
- - audit_flags_lo_configure
- - audit_flags_ex_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_retention_configure
- - section: "Authentication"
+ - section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- - auth_smartcard_enforce
- - auth_smartcard_certificate_trust_enforce_moderate
+ - auth_pam_sudo_smartcard_enforce
- auth_ssh_smartcard_enforce
- - section: "SystemPreferences"
+ - auth_smartcard_certificate_trust_enforce_moderate
+ - auth_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - section: "auditing"
rules:
- - sysprefs_ad_tracking_disable
- - sysprefs_afp_disable
- - sysprefs_apple_watch_unlock_disable
- - sysprefs_automatic_login_disable
- - sysprefs_bluetooth_disable
- - sysprefs_bluetooth_sharing_disable
- - sysprefs_content_caching_disable
- - sysprefs_diagnostics_reports_disable
- - sysprefs_filevault_enforce
- - sysprefs_find_my_disable
- - sysprefs_firewall_enable
- - sysprefs_firewall_stealth_mode_enable
- - sysprefs_gatekeeper_identified_developers_allowed
- - sysprefs_gatekeeper_override_disallow
- - sysprefs_hot_corners_disable
- - sysprefs_improve_siri_dictation_disable
- - sysprefs_internet_sharing_disable
- - sysprefs_location_services_disable
- - sysprefs_loginwindow_prompt_username_password_enforce
- - sysprefs_password_hints_disable
- - sysprefs_rae_disable
- - sysprefs_screensaver_ask_for_password_delay_enforce
- - sysprefs_screensaver_password_enforce
- - sysprefs_screensaver_timeout_enforce
- - sysprefs_screen_sharing_disable
- - sysprefs_siri_disable
- - sysprefs_smbd_disable
- - sysprefs_ssh_enable
- - sysprefs_time_server_configure
- - sysprefs_time_server_enforce
- - sysprefs_token_removal_enforce
- - sysprefs_touchid_unlock_disable
- - section: "iCloud"
+ - audit_folder_group_configure
+ - audit_failure_halt
+ - audit_acls_folders_configure
+ - audit_flags_fm_configure
+ - audit_auditd_enabled
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_files_mode_configure
+ - audit_flags_aa_configure
+ - audit_files_owner_configure
+ - audit_retention_configure
+ - audit_flags_fr_configure
+ - audit_folder_owner_configure
+ - audit_flags_lo_configure
+ - audit_flags_fw_configure
+ - audit_folders_mode_configure
+ - audit_files_group_configure
+ - audit_acls_files_configure
+ - section: "macos"
rules:
- - icloud_addressbook_disable
- - icloud_calendar_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_reminders_disable
- - icloud_appleid_prefpane_disable
- - icloud_bookmarks_disable
- - icloud_drive_disable
- - icloud_keychain_disable
- - icloud_photos_disable
- - icloud_sync_disable
- - section: "macOS"
- rules:
- - os_sip_enable
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_bonjour_disable
- - os_calendar_app_disable
- - os_camera_disable
- - os_certificate_authority_trust
- - os_facetime_app_disable
- - os_filevault_autologin_disable
- os_firewall_default_deny_require
- - os_firewall_log_enable
+ - os_ssh_client_alive_count_max_configure
- os_firmware_password_require
- - os_guest_access_afp_disable
- - os_guest_access_smb_disable
+ - os_power_nap_disable
+ - os_gatekeeper_rearm
+ - os_root_disable
+ - os_policy_banner_ssh_enforce
+ - os_password_proximity_disable
+ - os_mdm_require
+ - os_screensaver_loginwindow_enforce
- os_handoff_disable
- - os_home_folders_secure
+ - os_firewall_log_enable
+ - os_system_wide_preferences_configure
+ - os_tftpd_disable
+ - os_password_autofill_disable
+ - os_password_sharing_disable
+ - os_ssh_fips_140_ciphers
+ - os_ssh_login_grace_time_configure
+ - os_uucp_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_touchid_prompt_disable
+ - os_filevault_autologin_disable
+ - os_messages_app_disable
+ - os_airdrop_disable
+ - os_parental_controls_enable
+ - os_system_read_only
+ - os_nfsd_disable
- os_httpd_disable
- - os_icloud_storage_prompt_disable
+ - os_gatekeeper_enable
+ - os_sip_enable
+ - os_removable_media_disable
+ - os_guest_access_smb_disable
+ - os_policy_banner_ssh_configure
+ - os_time_server_enabled
+ - os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
+ - os_siri_prompt_disable
+ - os_appleid_prompt_disable
+ - os_certificate_authority_trust
+ - os_ssh_fips_140_macs
+ - os_home_folders_secure
+ - os_facetime_app_disable
+ - os_guest_access_afp_disable
+ - os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- - os_messages_app_disable
- - os_nfsd_disable
- - os_password_autofill_disable
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_power_nap_disable
- - os_removable_media_disable
- - os_root_disable
- - os_ssh_permit_root_login_configure
- - os_screensaver_loginwindow_enforce
- - os_siri_prompt_disable
- - os_ssh_client_alive_count_max_configure
- os_ssh_client_alive_interval_configure
- - os_ssh_fips_140_ciphers
- - os_ssh_fips_140_macs
- - os_ssh_login_grace_time_configure
- - os_sudoers_tty_configure
- - os_system_wide_preferences_configure
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_mdm_require
- - os_unlock_active_user_session_disable
- - os_uucp_disable
- - section: "PasswordPolicy"
+ - os_bonjour_disable
+ - os_calendar_app_disable
+ - section: "passwordpolicy"
rules:
- - pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
+ - pwpolicy_lower_case_character_enforce
+ - pwpolicy_account_lockout_timeout_enforce
- pwpolicy_special_character_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_minimum_length_enforce
- pwpolicy_upper_case_character_enforce
+ - pwpolicy_60_day_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - section: "icloud"
+ rules:
+ - icloud_photos_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - icloud_appleid_prefpane_disable
+ - icloud_keychain_disable
+ - icloud_notes_disable
+ - icloud_drive_disable
+ - icloud_bookmarks_disable
+ - icloud_mail_disable
+ - icloud_calendar_disable
+ - icloud_addressbook_disable
+ - section: "systempreferences"
+ rules:
+ - sysprefs_smbd_disable
+ - sysprefs_firewall_stealth_mode_enable
+ - sysprefs_ad_tracking_disable
+ - sysprefs_internet_sharing_disable
+ - sysprefs_rae_disable
+ - sysprefs_ssh_enable
+ - sysprefs_screensaver_password_enforce
+ - sysprefs_gatekeeper_identified_developers_allowed
+ - sysprefs_gatekeeper_override_disallow
+ - sysprefs_screensaver_timeout_enforce
+ - sysprefs_firewall_enable
+ - sysprefs_find_my_disable
+ - sysprefs_afp_disable
+ - sysprefs_content_caching_disable
+ - sysprefs_location_services_disable
+ - sysprefs_time_server_configure
+ - sysprefs_diagnostics_reports_disable
+ - sysprefs_bluetooth_disable
+ - sysprefs_loginwindow_prompt_username_password_enforce
+ - sysprefs_automatic_login_disable
+ - sysprefs_apple_watch_unlock_disable
+ - sysprefs_token_removal_enforce
+ - sysprefs_screensaver_ask_for_password_delay_enforce
+ - sysprefs_time_server_enforce
+ - sysprefs_touchid_unlock_disable
+ - sysprefs_screen_sharing_disable
+ - sysprefs_hot_corners_disable
+ - sysprefs_siri_disable
+ - sysprefs_filevault_enforce
+ - sysprefs_password_hints_disable
+ - sysprefs_bluetooth_sharing_disable
+ - sysprefs_improve_siri_dictation_disable
- section: "Inherent"
rules:
+ - os_prevent_priv_functions
+ - os_logical_access
- os_implement_memory_protection
- os_implement_cryptography
- - os_logical_access
- os_obscure_password
- - os_peripherals_identify
- - os_prevent_priv_functions
- - os_prevent_restricted_software
- - os_prevent_unauthorized_disclosure
- - os_required_crypto_module
- - os_separate_fuctionality
- - os_store_encrypted_passwords
- os_terminate_session_inactivity
- - pwpolicy_emergency_accounts_disable
- - pwpolicy_force_password_change
+ - os_required_crypto_module
+ - os_store_encrypted_passwords
+ - os_prevent_unauthorized_disclosure
+ - os_separate_fuctionality
- pwpolicy_temporary_accounts_disable
+ - pwpolicy_force_change_password_change
+ - pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
- - audit_enforce_dual_auth
- - os_auth_peripherals
- - os_notify_account_created
- - os_notify_account_disabled
+ - os_request_verification_name_resolution
- os_notify_account_enable
+ - os_provide_automated_account_management
+ - os_notify_account_created
- os_notify_account_modified
- os_notify_account_removal
+ - os_auth_peripherals
+ - os_continuous_monitoring
+ - os_notify_account_disabled
- os_protect_dos_attacks
- - os_provide_automated_account_management
- pwpolicy_50_percent
- sysprefs_wifi_disable
- section: "not_applicable"
- rules:
+ rules:
- os_identify_non-org_users
- - os_request_verification_name_resolution
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
- - supplemental_controls
\ No newline at end of file
+ - supplemental_controls
+
\ No newline at end of file
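Review bot: The regenerated "macos" section silently drops os_ssh_permit_root_login_configure, os_sudoers_tty_configure and os_camera_disable from the moderate baseline (old lines L1099, L1107, L1033 have no new-side counterpart), and nothing in the visible diff removes those rule files or their tags; if this baseline is generated from rule tags, confirm the untagging was intended rather than a generator miss, since the first two are hardening controls that a moderate profile would normally keep. cnssi-1253.yaml below loses os_ssh_permit_root_login_configure the same way. Separately, the new side ends with an added empty line that also carries the no-newline marker, which suggests the generator is emitting trailing whitespace on the last line rather than a true final newline; all_rules.yaml and cnssi-1253.yaml likewise end with an added blank line, which yamllint's empty-lines check flags.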
diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
index bcb2be34..6ed66e25 100644
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -2,229 +2,230 @@ title: "macOS 10.15 (Catalina): Security Configuration - All Rules"
description: |
This guide describes the actions to take when securing a macOS 10.15 system using every available rule.
profile:
- - section: "Auditing"
- rules:
- - audit_auditd_enabled
- - audit_acls_files_configure
- - audit_files_mode_configure
- - audit_acls_folders_configure
- - audit_folders_mode_configure
- - audit_configure_capacity_notify
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_fm_configure
- - audit_flags_lo_configure
- - audit_flags_ex_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_retention_configure
- - audit_settings_failure_notify
- - section: "Authentication"
+ - section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- - auth_smartcard_enforce
+ - auth_pam_sudo_smartcard_enforce
+ - auth_ssh_smartcard_enforce
- auth_smartcard_certificate_trust_enforce_high
- auth_smartcard_certificate_trust_enforce_moderate
- - auth_ssh_smartcard_enforce
- - section: "SystemPreferences"
+ - auth_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - section: "srg"
rules:
- - sysprefs_ad_tracking_disable
- - sysprefs_afp_disable
- - sysprefs_apple_watch_unlock_disable
- - sysprefs_automatic_login_disable
- - sysprefs_bluetooth_disable
- - sysprefs_bluetooth_sharing_disable
- - sysprefs_content_caching_disable
- - sysprefs_diagnostics_reports_disable
- - sysprefs_filevault_enforce
- - sysprefs_find_my_disable
- - sysprefs_firewall_enable
- - sysprefs_firewall_stealth_mode_enable
- - sysprefs_gatekeeper_identified_developers_allowed
- - sysprefs_gatekeeper_override_disallow
- - sysprefs_hot_corners_disable
- - sysprefs_improve_siri_dictation_disable
- - sysprefs_internet_sharing_disable
- - sysprefs_location_services_disable
- - sysprefs_loginwindow_prompt_username_password_enforce
- - sysprefs_media_sharing_disabled
- - sysprefs_password_hints_disable
- - sysprefs_rae_disable
- - sysprefs_screensaver_ask_for_password_delay_enforce
- - sysprefs_screensaver_password_enforce
- - sysprefs_screensaver_timeout_enforce
- - sysprefs_screen_sharing_disable
- - sysprefs_siri_disable
- - sysprefs_smbd_disable
- - sysprefs_ssh_enable
- - sysprefs_time_server_configure
- - sysprefs_time_server_enforce
- - sysprefs_token_removal_enforce
- - sysprefs_touchid_unlock_disable
- - section: "iCloud"
+ - srg_filevault_user_account
+ - srg_anti_virus_installed
+ - section: "auditing"
rules:
- - icloud_addressbook_disable
- - icloud_calendar_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_reminders_disable
- - icloud_appleid_prefpane_disable
- - icloud_bookmarks_disable
- - icloud_drive_disable
- - icloud_keychain_disable
- - icloud_photos_disable
- - icloud_sync_disable
- - section: "macOS"
+ - audit_folder_group_configure
+ - audit_failure_halt
+ - audit_acls_folders_configure
+ - audit_flags_fm_configure
+ - audit_auditd_enabled
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_files_mode_configure
+ - audit_flags_aa_configure
+ - audit_files_owner_configure
+ - audit_retention_configure
+ - audit_flags_fr_configure
+ - audit_settings_failure_notify
+ - audit_folder_owner_configure
+ - audit_flags_lo_configure
+ - audit_flags_fw_configure
+ - audit_folders_mode_configure
+ - audit_configure_capacity_notify
+ - audit_files_group_configure
+ - audit_acls_files_configure
+ - section: "macos"
rules:
- - os_sip_enable
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_bonjour_disable
- - os_calendar_app_disable
- - os_camera_disable
- - os_certificate_authority_trust
- - os_facetime_app_disable
- - os_filevault_autologin_disable
- os_firewall_default_deny_require
- - os_firewall_log_enable
+ - os_ssh_client_alive_count_max_configure
- os_firmware_password_require
- - os_gatekeeper_enable
- - os_guest_access_afp_disable
- - os_guest_access_smb_disable
+ - os_power_nap_disable
+ - os_gatekeeper_rearm
+ - os_root_disable
- os_guest_account_disable
+ - os_policy_banner_ssh_enforce
+ - os_password_proximity_disable
+ - os_mdm_require
+ - os_screensaver_loginwindow_enforce
- os_handoff_disable
- - os_home_folders_secure
+ - os_firewall_log_enable
+ - os_system_wide_preferences_configure
+ - os_tftpd_disable
+ - os_password_autofill_disable
+ - os_password_sharing_disable
+ - os_ssh_fips_140_ciphers
+ - os_ssh_login_grace_time_configure
+ - os_privacy_setup_prompt_disable
+ - os_secure_boot_verify
+ - os_sudoers_tty_configure
+ - os_uucp_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_user_app_installation_prohibit
+ - os_touchid_prompt_disable
+ - os_filevault_autologin_disable
+ - os_messages_app_disable
+ - os_airdrop_disable
+ - os_parental_controls_enable
+ - os_system_read_only
+ - os_nfsd_disable
- os_httpd_disable
- - os_icloud_storage_prompt_disable
+ - os_gatekeeper_enable
+ - os_sip_enable
+ - os_removable_media_disable
+ - os_guest_access_smb_disable
+ - os_policy_banner_ssh_configure
+ - os_time_server_enabled
+ - os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
+ - os_siri_prompt_disable
+ - os_appleid_prompt_disable
+ - os_certificate_authority_trust
+ - os_ssh_fips_140_macs
+ - os_home_folders_secure
+ - os_facetime_app_disable
+ - os_camera_disable
+ - os_guest_access_afp_disable
+ - os_icloud_storage_prompt_disable
+ - os_ssh_permit_root_login_configure
- os_ir_support_disable
- os_mail_app_disable
- - os_messages_app_disable
- - os_nfsd_disable
- - os_parental_controls_enable
- - os_password_autofill_disable
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_power_nap_disable
- - os_privacy_setup_prompt_disable
- - os_removable_media_disable
- - os_root_disable
- - os_screensaver_loginwindow_enforce
- - os_secure_boot_verify
- - os_siri_prompt_disable
- - os_ssh_client_alive_count_max_configure
- os_ssh_client_alive_interval_configure
- - os_ssh_fips_140_ciphers
- - os_ssh_fips_140_macs
- - os_ssh_login_grace_time_configure
- - os_ssh_max_sessions_configure
- - os_ssh_permit_root_login_configure
- - os_sudoers_tty_configure
- - os_system_wide_preferences_configure
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_mdm_require
- - os_unlock_active_user_session_disable
- - os_user_app_installation_prohibit
- - os_uucp_disable
- - section: "PasswordPolicy"
+ - os_bonjour_disable
+ - os_calendar_app_disable
+ - section: "passwordpolicy"
rules:
- - pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
+ - pwpolicy_lower_case_character_enforce
+ - pwpolicy_account_lockout_timeout_enforce
- pwpolicy_special_character_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_minimum_length_enforce
- pwpolicy_upper_case_character_enforce
+ - pwpolicy_60_day_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - section: "icloud"
+ rules:
+ - icloud_photos_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - icloud_appleid_prefpane_disable
+ - icloud_keychain_disable
+ - icloud_notes_disable
+ - icloud_drive_disable
+ - icloud_bookmarks_disable
+ - icloud_mail_disable
+ - icloud_calendar_disable
+ - icloud_addressbook_disable
+ - section: "systempreferences"
+ rules:
+ - sysprefs_smbd_disable
+ - sysprefs_firewall_stealth_mode_enable
+ - sysprefs_ad_tracking_disable
+ - sysprefs_internet_sharing_disable
+ - sysprefs_rae_disable
+ - sysprefs_ssh_enable
+ - sysprefs_media_sharing_disabled
+ - sysprefs_screensaver_password_enforce
+ - sysprefs_gatekeeper_identified_developers_allowed
+ - sysprefs_gatekeeper_override_disallow
+ - sysprefs_screensaver_timeout_enforce
+ - sysprefs_firewall_enable
+ - sysprefs_find_my_disable
+ - sysprefs_afp_disable
+ - sysprefs_content_caching_disable
+ - sysprefs_location_services_disable
+ - sysprefs_time_server_configure
+ - sysprefs_diagnostics_reports_disable
+ - sysprefs_bluetooth_disable
+ - sysprefs_loginwindow_prompt_username_password_enforce
+ - sysprefs_automatic_login_disable
+ - sysprefs_apple_watch_unlock_disable
+ - sysprefs_token_removal_enforce
+ - sysprefs_screensaver_ask_for_password_delay_enforce
+ - sysprefs_time_server_enforce
+ - sysprefs_touchid_unlock_disable
+ - sysprefs_screen_sharing_disable
+ - sysprefs_hot_corners_disable
+ - sysprefs_siri_disable
+ - sysprefs_filevault_enforce
+ - sysprefs_password_hints_disable
+ - sysprefs_bluetooth_sharing_disable
+ - sysprefs_improve_siri_dictation_disable
+ - section: "Inherent"
+ rules:
+ - os_enforce_access_restrictions
+ - os_limit_gui_sessions
+ - os_prevent_priv_functions
+ - os_logical_access
+ - os_verify_remote_disconnection
+ - os_logoff_capability_and_message
+ - os_fail_secure_state
+ - os_limit_auditable_events
+ - os_prevent_priv_execution
+ - os_allow_info_passed
+ - os_mfa_network_non-priv
+ - os_remove_software_components_after_updates
+ - os_implement_memory_protection
+ - os_implement_cryptography
+ - os_remote_access_methods
+ - os_obscure_password
+ - os_terminate_session_inactivity
+ - os_predictable_behavior
+ - os_reauth_users_change_authenticators
+ - os_map_pki_identity
+ - os_unique_identification
+ - os_provide_disconnect_remote_access
+ - os_isolate_security_functions
+ - os_required_crypto_module
+ - os_grant_privs
+ - os_store_encrypted_passwords
+ - os_prevent_unauthorized_disclosure
+ - os_terminate_session
+ - os_change_security_attributes
+ - os_mfa_network_access
+ - os_peripherals_identify
+ - os_error_message
+ - os_separate_fuctionality
+ - os_crypto_audit
+ - os_reauth_privilege
+ - pwpolicy_temporary_accounts_disable
+ - pwpolicy_force_change_password_change
+ - pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
- - audit_alert_processing_fail
- - audit_enforce_dual_auth
- audit_off_load_records
- - os_enforce_login_attempt_delay
- - os_limit_dos_attacks
- - os_limit_invalid_logons
- - os_notify_account_created
- - os_notify_account_disabled
+ - audit_enforce_dual_auth
+ - audit_alert_processing_fail
+ - os_request_verification_name_resolution
+ - os_reauth_devices_change_authenticators
- os_notify_account_enable
+ - os_provide_automated_account_management
+ - os_notify_account_created
- os_notify_account_modified
- os_notify_account_removal
- - os_notify_unauthorized_baseline_change
+ - os_auth_peripherals
+ - os_limit_dos_attacks
+ - os_continuous_monitoring
+ - os_notify_account_disabled
- os_protect_dos_attacks
- - os_provide_automated_account_management
- - os_reauth_devices_change_authenticators
+ - os_notify_unauthorized_baseline_change
- pwpolicy_50_percent
- pwpolicy_prevent_dictionary_words
- sysprefs_wifi_disable
- - section: "Not_Applicable"
- rules:
- - os_auth_peripherals
+ - section: "not_applicable"
+ rules:
- os_identify_non-org_users
- - os_prohibit_cached_authenticators
- - os_react_security_anomalies
- - os_request_verification_name_resolution
- - os_verify_security_functions
- - section: "Inherent"
- rules:
- - os_allow_info_passed
- - os_change_security_attributes
- - os_crypto_audit
- - os_enforce_access_restrictions
- - os_error_message
- - os_fail_secure_state
- - os_grant_privs
- - os_implement_memory_protection
- - os_implement_cryptography
- - os_implement_random_address_space
- - os_isolate_security_functions
- - os_limit_auditable_events
- - os_limit_gui_sessions
- - os_logical_access
- - os_logoff_capability_and_message
- - os_map_pki_identity
- - os_mfa_network_access
- - os_mfa_network_non-priv
- - os_obscure_password
- - os_peripherals_identify
- - os_predictable_behavior
- - os_preserve_information_on_crash
- - os_prevent_priv_execution
- - os_prevent_priv_functions
- - os_prevent_restricted_software
- - os_prevent_unauthorized_disclosure
- - os_provide_disconnect_remote_access
- - os_reauth_privilege
- - os_reauth_users_change_authenticators
- - os_remote_access_methods
- - os_remove_software_components_after_updates
- - os_required_crypto_module
- - os_separate_fuctionality
- - os_store_encrypted_passwords
- - os_terminate_session
- - os_terminate_session_inactivity
- - os_unique_identification
- - os_verify_remote_disconnection
- - pwpolicy_emergency_accounts_disable
- - pwpolicy_force_password_change
- - pwpolicy_temporary_accounts_disable
- section: "Supplemental"
rules:
- - supplemental_smartcard
- supplemental_firewall_pf
- supplemental_password_policy
+ - supplemental_smartcard
+ - supplemental_controls
+
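Review bot: For a profile whose description is "using every available rule", the new side no longer lists os_ssh_max_sessions_configure, os_implement_random_address_space, os_preserve_information_on_crash, os_prevent_restricted_software, os_prohibit_cached_authenticators, os_react_security_anomalies, os_verify_security_functions, os_enforce_login_attempt_delay and os_limit_invalid_logons, all of which were on the old side. No deletion of the corresponding rules/ files appears in the visible diff, so either they were removed elsewhere in this commit or the all_rules generator is skipping them; either way the description or the list is now wrong and the commit should say which. If the rules still exist, a regeneration check that diffs the rules/ directory against this file would catch this class of drift.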
diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml
index f0b5afcb..27436354 100644
--- a/baselines/cnssi-1253.yaml
+++ b/baselines/cnssi-1253.yaml
@@ -2,181 +2,184 @@ title: "macOS 10.15 (Catalina): Security Configuration - 800-53 Moderate"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 MODERATE baseline.
profile:
- - section: "Auditing"
- rules:
- - audit_auditd_enabled
- - audit_acls_files_configure
- - audit_files_mode_configure
- - audit_acls_folders_configure
- - audit_folders_mode_configure
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_fm_configure
- - audit_flags_lo_configure
- - audit_flags_ex_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_retention_configure
- - section: "Authentication"
+ - section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- - auth_smartcard_enforce
- - auth_smartcard_certificate_trust_enforce_moderate
+ - auth_pam_sudo_smartcard_enforce
- auth_ssh_smartcard_enforce
- - section: "SystemPreferences"
+ - auth_smartcard_certificate_trust_enforce_moderate
+ - auth_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - section: "auditing"
rules:
- - sysprefs_ad_tracking_disable
- - sysprefs_afp_disable
- - sysprefs_apple_watch_unlock_disable
- - sysprefs_automatic_login_disable
- - sysprefs_bluetooth_disable
- - sysprefs_bluetooth_sharing_disable
- - sysprefs_content_caching_disable
- - sysprefs_diagnostics_reports_disable
- - sysprefs_filevault_enforce
- - sysprefs_find_my_disable
- - sysprefs_firewall_enable
- - sysprefs_firewall_stealth_mode_enable
- - sysprefs_gatekeeper_identified_developers_allowed
- - sysprefs_gatekeeper_override_disallow
- - sysprefs_hot_corners_disable
- - sysprefs_improve_siri_dictation_disable
- - sysprefs_internet_sharing_disable
- - sysprefs_location_services_disable
- - sysprefs_loginwindow_prompt_username_password_enforce
- - sysprefs_password_hints_disable
- - sysprefs_rae_disable
- - sysprefs_screensaver_ask_for_password_delay_enforce
- - sysprefs_screensaver_password_enforce
- - sysprefs_screensaver_timeout_enforce
- - sysprefs_screen_sharing_disable
- - sysprefs_siri_disable
- - sysprefs_smbd_disable
- - sysprefs_ssh_enable
- - sysprefs_time_server_configure
- - sysprefs_time_server_enforce
- - sysprefs_token_removal_enforce
- - sysprefs_touchid_unlock_disable
- - section: "iCloud"
+ - audit_folder_group_configure
+ - audit_failure_halt
+ - audit_acls_folders_configure
+ - audit_flags_fm_configure
+ - audit_auditd_enabled
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_files_mode_configure
+ - audit_flags_aa_configure
+ - audit_files_owner_configure
+ - audit_retention_configure
+ - audit_flags_fr_configure
+ - audit_folder_owner_configure
+ - audit_flags_lo_configure
+ - audit_flags_fw_configure
+ - audit_folders_mode_configure
+ - audit_files_group_configure
+ - audit_acls_files_configure
+ - section: "macos"
rules:
- - icloud_addressbook_disable
- - icloud_calendar_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_reminders_disable
- - icloud_appleid_prefpane_disable
- - icloud_bookmarks_disable
- - icloud_drive_disable
- - icloud_keychain_disable
- - icloud_photos_disable
- - icloud_sync_disable
- - section: "macOS"
- rules:
- - os_sip_enable
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_bonjour_disable
- - os_calendar_app_disable
- - os_camera_disable
- - os_certificate_authority_trust
- - os_facetime_app_disable
- - os_filevault_autologin_disable
- os_firewall_default_deny_require
- - os_firewall_log_enable
- - os_firmware_password_require
- - os_guest_access_afp_disable
- - os_guest_access_smb_disable
- - os_handoff_disable
- - os_home_folders_secure
- - os_httpd_disable
- - os_icloud_storage_prompt_disable
- - os_internet_accounts_prefpane_disable
- - os_ir_support_disable
- - os_mail_app_disable
- - os_messages_app_disable
- - os_nfsd_disable
- - os_password_autofill_disable
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_power_nap_disable
- - os_removable_media_disable
- - os_root_disable
- - os_ssh_permit_root_login_configure
- - os_screensaver_loginwindow_enforce
- - os_siri_prompt_disable
- os_ssh_client_alive_count_max_configure
- - os_ssh_client_alive_interval_configure
+ - os_firmware_password_require
+ - os_power_nap_disable
+ - os_gatekeeper_rearm
+ - os_root_disable
+ - os_policy_banner_ssh_enforce
+ - os_password_proximity_disable
+ - os_mdm_require
+ - os_screensaver_loginwindow_enforce
+ - os_handoff_disable
+ - os_firewall_log_enable
+ - os_system_wide_preferences_configure
+ - os_tftpd_disable
+ - os_password_autofill_disable
+ - os_password_sharing_disable
- os_ssh_fips_140_ciphers
- - os_ssh_fips_140_macs
- os_ssh_login_grace_time_configure
- os_sudoers_tty_configure
- - os_system_wide_preferences_configure
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_mdm_require
- - os_unlock_active_user_session_disable
- os_uucp_disable
- - section: "PasswordPolicy"
+ - os_policy_banner_loginwindow_enforce
+ - os_touchid_prompt_disable
+ - os_filevault_autologin_disable
+ - os_messages_app_disable
+ - os_airdrop_disable
+ - os_parental_controls_enable
+ - os_nfsd_disable
+ - os_httpd_disable
+ - os_gatekeeper_enable
+ - os_sip_enable
+ - os_removable_media_disable
+ - os_guest_access_smb_disable
+ - os_policy_banner_ssh_configure
+ - os_time_server_enabled
+ - os_unlock_active_user_session_disable
+ - os_internet_accounts_prefpane_disable
+ - os_siri_prompt_disable
+ - os_appleid_prompt_disable
+ - os_certificate_authority_trust
+ - os_ssh_fips_140_macs
+ - os_home_folders_secure
+ - os_facetime_app_disable
+ - os_guest_access_afp_disable
+ - os_icloud_storage_prompt_disable
+ - os_ir_support_disable
+ - os_mail_app_disable
+ - os_ssh_client_alive_interval_configure
+ - os_bonjour_disable
+ - os_calendar_app_disable
+ - section: "passwordpolicy"
rules:
- - pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
+ - pwpolicy_lower_case_character_enforce
+ - pwpolicy_account_lockout_timeout_enforce
- pwpolicy_special_character_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_minimum_length_enforce
- pwpolicy_upper_case_character_enforce
+ - pwpolicy_60_day_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - section: "icloud"
+ rules:
+ - icloud_photos_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - icloud_appleid_prefpane_disable
+ - icloud_keychain_disable
+ - icloud_notes_disable
+ - icloud_drive_disable
+ - icloud_bookmarks_disable
+ - icloud_mail_disable
+ - icloud_calendar_disable
+ - icloud_addressbook_disable
+ - section: "systempreferences"
+ rules:
+ - sysprefs_smbd_disable
+ - sysprefs_firewall_stealth_mode_enable
+ - sysprefs_ad_tracking_disable
+ - sysprefs_internet_sharing_disable
+ - sysprefs_rae_disable
+ - sysprefs_ssh_enable
+ - sysprefs_screensaver_password_enforce
+ - sysprefs_gatekeeper_identified_developers_allowed
+ - sysprefs_gatekeeper_override_disallow
+ - sysprefs_screensaver_timeout_enforce
+ - sysprefs_firewall_enable
+ - sysprefs_find_my_disable
+ - sysprefs_afp_disable
+ - sysprefs_content_caching_disable
+ - sysprefs_location_services_disable
+ - sysprefs_time_server_configure
+ - sysprefs_diagnostics_reports_disable
+ - sysprefs_bluetooth_disable
+ - sysprefs_loginwindow_prompt_username_password_enforce
+ - sysprefs_automatic_login_disable
+ - sysprefs_apple_watch_unlock_disable
+ - sysprefs_token_removal_enforce
+ - sysprefs_screensaver_ask_for_password_delay_enforce
+ - sysprefs_time_server_enforce
+ - sysprefs_touchid_unlock_disable
+ - sysprefs_screen_sharing_disable
+ - sysprefs_hot_corners_disable
+ - sysprefs_siri_disable
+ - sysprefs_filevault_enforce
+ - sysprefs_password_hints_disable
+ - sysprefs_bluetooth_sharing_disable
+ - sysprefs_improve_siri_dictation_disable
- section: "Inherent"
rules:
+ - os_prevent_priv_functions
+ - os_logical_access
- os_implement_memory_protection
- os_implement_cryptography
- - os_logical_access
- os_obscure_password
- - os_peripherals_identify
- - os_prevent_priv_functions
- - os_prevent_restricted_software
- - os_prevent_unauthorized_disclosure
- - os_required_crypto_module
- - os_separate_fuctionality
- - os_store_encrypted_passwords
- os_terminate_session_inactivity
- - pwpolicy_emergency_accounts_disable
- - pwpolicy_force_password_change
+ - os_map_pki_identity
+ - os_required_crypto_module
+ - os_store_encrypted_passwords
+ - os_prevent_unauthorized_disclosure
+ - os_separate_fuctionality
- pwpolicy_temporary_accounts_disable
+ - pwpolicy_force_change_password_change
+ - pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
- - audit_enforce_dual_auth
- - os_auth_peripherals
- - os_notify_account_created
- - os_notify_account_disabled
+ - os_request_verification_name_resolution
- os_notify_account_enable
+ - os_provide_automated_account_management
+ - os_notify_account_created
- os_notify_account_modified
- os_notify_account_removal
+ - os_auth_peripherals
+ - os_continuous_monitoring
+ - os_notify_account_disabled
- os_protect_dos_attacks
- - os_provide_automated_account_management
- pwpolicy_50_percent
- sysprefs_wifi_disable
- section: "not_applicable"
- rules:
+ rules:
- os_identify_non-org_users
- - os_request_verification_name_resolution
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- - supplemental_smartcard
\ No newline at end of file
+ - supplemental_smartcard
+ - supplemental_controls
+
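Review bot: The title and description of cnssi-1253.yaml still identify the file as the "800-53 Moderate" baseline (context lines at the top of the hunk), so the regenerated profile is published under the wrong heading; suggest `title: "macOS 10.15 (Catalina): Security Configuration - CNSSI 1253"` and a matching description sentence naming CNSSI 1253 rather than the NIST SP 800-53 MODERATE baseline. This is pre-existing text the commit does not touch, but the regeneration is the natural point to fix it. As in 800-53_moderate.yaml, os_ssh_permit_root_login_configure and os_camera_disable are dropped from the "macos" section here with no visible change to the rule files.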
diff --git a/rules/os/os_continuous_monitoring.yaml b/rules/os/os_continuous_monitoring.yaml
new file mode 100644
index 00000000..0ef8449b
--- /dev/null
+++ b/rules/os/os_continuous_monitoring.yaml
@@ -0,0 +1,29 @@
+id: os_continuous_monitoring
+title: "Configure Automated Flaw Remediation"
+discussion: |
+ The macOS system _MUST_ be configured to determine the state of system components with regard to flaw remediation.
+check: |
+ The technology does not support this requirement. This is an applicable-does not meet finding.
+fix: |
+ This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
+references:
+ cce:
+ - CCE-84892-9
+ cci:
+ - CCI-001233
+ 800-53r4:
+ - SI-2(2)
+ srg:
+ - SRG-OS-000191-GPOS-00080
+ disa_stig:
+ - AOSX-14-000015
+macOS:
+ - "10.15"
+tags:
+ - cnssi-1253
+ - fisma-moderate
+ - fisma-high
+ - permanent
+ - STIG
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
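Review bot: The title `Configure Automated Flaw Remediation` reads as an actionable setting, while `check` and `fix` (L2007–L2009) declare the rule a permanent, unfixable finding and the `permanent` tag agrees; a title that does not begin with "Configure", e.g. `title: "Automated Flaw Remediation (Permanent Finding)"`, would keep the generated guide's titles honest. The references block reuses CCE-84892-9, CCI-001233, SI-2(2), SRG-OS-000191-GPOS-00080 and AOSX-14-000015 from the deleted rules/srg/srg_hbss_installed.yaml, so this looks like a replacement of that rule rather than a new mapping and is worth stating in the discussion. `mobileconfig_info:` is left bare, which parses as null rather than an empty mapping (`mobileconfig_info: {}` would be explicit), and the file lacks a trailing newline.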
diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml
index c8e3a436..220c19c4 100644
--- a/rules/os/os_implement_cryptography.yaml
+++ b/rules/os/os_implement_cryptography.yaml
@@ -8,6 +8,7 @@ discussion: |
macOS Catalina is in process of receiving FIPS validation from the National Institute of Standards and Technology (NIST).
link:https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/Modules-In-Process-List[]
+
link:https://support.apple.com/en-us/HT201159[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement using FIPS Validated Cryptographic Modules.
diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml
index 7feb44bc..f7890f89 100644
--- a/rules/os/os_implement_memory_protection.yaml
+++ b/rules/os/os_implement_memory_protection.yaml
@@ -8,7 +8,9 @@ discussion: |
macOS supports address space layout randomization (ASLR), position-independent executable (PIE), Stack Canaries, and NX stack and heap protection.
link:https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/64bitPorting/transition/transition.html[]
+
link:https://developer.apple.com/library/archive/qa/qa1788/_index.html[]
+
link:https://www.apple.com/macos/security/[]
check: |
diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml
index cf1c37f6..d24c8e4c 100644
--- a/rules/os/os_logical_access.yaml
+++ b/rules/os/os_logical_access.yaml
@@ -1,7 +1,11 @@
id: os_logical_access
-title: "Enforce approved authorization for logical access"
+title: "Enforce Approved Authorization for Logical Access"
discussion: |
- To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.
+ The information system _IS_ configured to enforce an approved authorization process before granting users logical access.
+
+ The inherent configuration of the macOS does not grant users logical access without authorization. Authorization is achieved on the macOS through permissions, which are controlled at many levels, from the Mach and BSD components of the kernel, through higher levels of the operating system and, for networked applications, through the networking protocols. Permissions can be granted at the level of directories, subdirectories, files or applications, or specific data within files or functions within applications.
+
+ link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml
index 1585128f..33b6bdbf 100644
--- a/rules/os/os_obscure_password.yaml
+++ b/rules/os/os_obscure_password.yaml
@@ -1,7 +1,11 @@
id: os_obscure_password
-title: "Obscure passwords"
+title: "Obscure Passwords"
discussion: |
- The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
+ The information system _IS_ configured to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation by unauthorized individuals.
+
+ The inherent configuration of a macOS uses NSSecureTextField for any text field that receives a password, which automatically obscures text which is entered.
+
+ link:https://developer.apple.com/documentation/appkit/nssecuretextfield[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
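Review bot: The justification on L2085 covers only AppKit password fields (NSSecureTextField), but `check` on L2089 claims the technology inherently meets the requirement everywhere; password prompts in Terminal (`sudo`, `passwd`, `ssh`) do not go through AppKit and presumably obscure input by disabling terminal echo — confirm and cite that before relying on it. Either add a sentence covering command-line prompts or narrow L2085 to "any graphical text field that receives a password".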
diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml
index 960a5571..4cbc0119 100644
--- a/rules/os/os_parental_controls_enable.yaml
+++ b/rules/os/os_parental_controls_enable.yaml
@@ -3,6 +3,8 @@ title: "Enable Parental Controls"
discussion: |
Parental Controls _MUST_ be enabled.
+ Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).
+
Parental Controls on macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'familyControlsEnabled = 1'
@@ -15,16 +17,25 @@ references:
- CCE-84773-1
cci:
- CCI-001812
+ - CCI-001764
800-53r4:
- - CM-11(2)
+ - CM-7(2)
srg:
- SRG-OS-000362-GPOS-00149
+ - SRG-OS-000368-GPOS-00154
disa_stig:
- N/A
+ 800-171r2:
+ - 3.4.7
macOS:
- "10.15"
tags:
- STIG
+ - 800-171
+ - cnssi-1253
+ - fisma-moderate
+ - fisma-high
+ - STIG
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:
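Review bot: `- STIG` now appears twice in `tags` (L2121 and the added L2126); drop one of them. The hunk keeps CCI-001812 (L2106) while replacing CM-11(2) with CM-7(2) (L2109–L2110) — if CCI-001812 was the correlation identifier for CM-11(2), the file now carries an orphaned CCI; either keep both 800-53 entries or remove the CCI, since CCI-001764/CM-7(2)/SRG-OS-000368-GPOS-00154/3.4.7 merged in from the deleted os_prevent_restricted_software rule already form a complete set. The first hunk of this file (L2098) pastes that rule's discussion verbatim without tying program-execution control to the parental-controls payload; one bridging sentence would help the reader.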
diff --git a/rules/os/os_peripherals_identify.yaml b/rules/os/os_peripherals_identify.yaml
index 1d3d4283..c7f78ab7 100644
--- a/rules/os/os_peripherals_identify.yaml
+++ b/rules/os/os_peripherals_identify.yaml
@@ -14,20 +14,16 @@ references:
cci:
- CCI-000778
800-53r4:
- - IA-3
+ - N/A
srg:
- SRG-OS-000114-GPOS-00059
disa_stig:
- AOSX-14-002069
800-171r2:
- - 3.5.1
- - 3.5.2
+ - N/A
macOS:
- "10.15"
tags:
- - cnssi-1253
- - fisma-moderate
- - fisma-high
- STIG
- inherent
mobileconfig: false
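Review bot: `800-53r4` and `800-171r2` are set to `N/A` (L2139, L2147) while the SRG entry SRG-OS-000114-GPOS-00059 and DISA STIG AOSX-14-002069 are retained; SRG requirements are, as far as I know, derived from 800-53 controls, so an SRG mapping with no 800-53 control looks inconsistent. The rule is also dropped from the baseline's Inherent list (L1945) and loses the cnssi/fisma tags but keeps `inherent`; a one-line comment in the rule stating why the IA-3 mapping was withdrawn would make the intent auditable.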
diff --git a/rules/os/os_prevent_priv_execution.yaml b/rules/os/os_prevent_priv_execution.yaml
index 6e3ef418..7185dac4 100644
--- a/rules/os/os_prevent_priv_execution.yaml
+++ b/rules/os/os_prevent_priv_execution.yaml
@@ -1,7 +1,11 @@
id: os_prevent_priv_execution
-title: "Prevent all software from executing at higher privilege levels than users executing the software"
+title: "Prevent Software From Executing at Higher Privilege Levels than Users Executing The Software"
discussion: |
In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations.Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review.
+
+ The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege.
+
+ link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
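Review bot: The added sentence on L2168 ("does not allow for non-privileged users to be able to execute functions requiring privilege") does not match this rule, whose title (L2164) is about software running at a higher privilege level than the invoking user — macOS itself ships mechanisms for exactly that (setuid/setgid binaries, sudo, launchd privileged helpers), which is what the control asks organisations to constrain, so the sentence overstates the inherent guarantee. It is also the same sentence used on L2188 in os_prevent_priv_functions, where it fits. Replace L2168 with a statement the linked Permissions page supports, e.g. `The inherent configuration of the macOS requires authorization through its permission model before a process can operate with privileges beyond those of the invoking user.`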
diff --git a/rules/os/os_prevent_priv_functions.yaml b/rules/os/os_prevent_priv_functions.yaml
index 3ede4d70..de8f2b3f 100644
--- a/rules/os/os_prevent_priv_functions.yaml
+++ b/rules/os/os_prevent_priv_functions.yaml
@@ -1,7 +1,13 @@
id: os_prevent_priv_functions
-title: "Preventing non-privileged users from executing privileged functions"
+title: "Configure the System to Block Non-Privileged Users from Executing Privileged Functions"
discussion: |
- The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
+ The information system _IS_ configured to block standard users from executing privileged functions.
+
+ Privileged functions include disabling, circumventing, or altering implemented security safeguards and countermeasures.
+
+ The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege.
+
+ link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Introduction/Introduction.html[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
diff --git a/rules/os/os_prevent_restricted_software.yaml b/rules/os/os_prevent_restricted_software.yaml
deleted file mode 100644
index f4aa37f3..00000000
--- a/rules/os/os_prevent_restricted_software.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-id: os_prevent_restricted_software
-title: "Prevent program execution in accordance with policy"
-discussion: |
- Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level.Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).
-check: |
- The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
-fix: |
- The technology inherently meets this requirement. No fix is required.
-references:
- cce:
- - CCE-84886-1
- cci:
- - CCI-001764
- 800-53r4:
- - CM-7(2)
- disa_stig:
- - N/A
- srg:
- - SRG-OS-000368-GPOS-00154
- 800-171r2:
- - 3.4.7
-macOS:
- - "10.15"
-tags:
- - 800-171
- - cnssi-1253
- - fisma-moderate
- - fisma-high
- - STIG
- - inherent
-mobileconfig: false
-mobileconfig_info:
diff --git a/rules/os/os_prevent_unauthorized_disclosure.yaml b/rules/os/os_prevent_unauthorized_disclosure.yaml
index 62e65e08..d74641c5 100644
--- a/rules/os/os_prevent_unauthorized_disclosure.yaml
+++ b/rules/os/os_prevent_unauthorized_disclosure.yaml
@@ -1,7 +1,11 @@
id: os_prevent_unauthorized_disclosure
-title: "Prevent unauthorized disclosure of data via shared resources"
+title: "Configure the System to Prevent the Unauthorized Disclosure of Data via Shared Resources"
discussion: |
- The information system prevents unauthorized and unintended information transfer via shared system resources.
+ The information system _IS_ configured to ensure that the unauthorized disclosure of data does not occur when resources are shared.
+
+ The inherent configuration of the macOS does not allow for resources to be shared between users without authorization.
+
+ link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
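Review bot: The new justification on L2244 ("does not allow for resources to be shared between users without authorization") and the Permissions link on L2246 describe access control, whereas the removed sentence on L2241 — and the title's "shared resources" — concern unintended information transfer through reused system resources (memory or storage released by one process and handed to another). That control is satisfied by sanitising resources before reuse, not by permissions, so the cited evidence does not support the `check` on L2248. If the kernel's handling of reused memory and storage is the intended basis, state that and cite a source that describes it; otherwise restore the wording of L2241.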
diff --git a/rules/os/os_provide_disconnect_remote_access.yaml b/rules/os/os_provide_disconnect_remote_access.yaml
index 51a1aeec..ca1edbe0 100644
--- a/rules/os/os_provide_disconnect_remote_access.yaml
+++ b/rules/os/os_provide_disconnect_remote_access.yaml
@@ -1,7 +1,7 @@
id: os_provide_disconnect_remote_access
-title: "Provide ability to disconnect or disable remote access"
+title: "Provide Ability to Disconnect or Disable Remote Access"
discussion: |
- Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking place would not be immediately stopped.Operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions functions and the need to eliminate immediate or future remote access to organizational information systems.The remote access functionality (e.g., RDP) may implement features such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack.
+ Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking place would not be immediately stopped.Operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions functions and the need to eliminate immediate or future remote access to organizational information systems.The remote access functionality (e.g., SSH) may implement features such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml
index 72bdc619..2cf158c3 100644
--- a/rules/os/os_required_crypto_module.yaml
+++ b/rules/os/os_required_crypto_module.yaml
@@ -6,6 +6,7 @@ discussion: |
macOS Catalina is in process of receiving FIPS validation from the National Institute of Standards and Technology (NIST).
link:https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/Modules-In-Process-List[]
+
link:https://support.apple.com/en-us/HT201159[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
diff --git a/rules/os/os_separate_functionality.yaml b/rules/os/os_separate_functionality.yaml
index 6aeb8f25..13d72208 100644
--- a/rules/os/os_separate_functionality.yaml
+++ b/rules/os/os_separate_functionality.yaml
@@ -1,7 +1,13 @@
-id: os_separate_functionality
-title: "Must separate user and system functionality"
+id: os_separate_fuctionality
+title: "Configure the System to Separate User and System Functionality"
discussion: |
- Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges.Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access.The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, different TCP/UDP ports, virtualization techniques, combinations of these methods, or other methods, as appropriate.An example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources. This may include isolating the administrative interface on a different security domain and with additional access controls.
+ The information system _IS_ configured to separate user and system functionality.
+
+ Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges. Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access.
+
+ The inherent configuration of the macOS allows only privileged users to access operating system management functionalities.
+
+ link:https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
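Review bot: L2282 changes the rule's `id` to `os_separate_fuctionality` (missing "n") while the file remains rules/os/os_separate_functionality.yaml; the id now matches the misspelled baseline entry at L1959 but no longer matches the filename, so any tooling that maps ids to paths will miss it. Fix the typo on the baseline side and keep `id: os_separate_functionality`. The rename at L2324–L2327 to `pwpolicy_force_change_password_change` (doubled "change", mirrored in the baseline at L1961) looks like the same pattern — confirm it was intended.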
diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml
index fd817ef9..5077f9c0 100644
--- a/rules/os/os_store_encrypted_passwords.yaml
+++ b/rules/os/os_store_encrypted_passwords.yaml
@@ -1,7 +1,11 @@
id: os_store_encrypted_passwords
-title: "Store passwords encrypted"
+title: "Encrypt Stored Passwords"
discussion: |
+ The information system _IS_ configured to encrypt stored passwords.
+
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
+
+ link:https://developer.apple.com/documentation/opendirectory/kodattributetypeauthenticationauthority[]
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
index c4527037..f8b13da8 100644
--- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
@@ -1,7 +1,7 @@
id: pwpolicy_emergency_accounts_disable
title: "Automatically Remove or Disable Emergency Accounts within 72 Hours"
discussion: |
- The macOS MUST be configured to automatically remove or disable emergency accounts within 72 hours or less.
+ The macOS is able to be configured to automatically remove or disable emergency accounts within 72 hours or less.
Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.
diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_change_password_change.yaml
similarity index 100%
rename from rules/pwpolicy/pwpolicy_force_password_change.yaml
rename to rules/pwpolicy/pwpolicy_force_change_password_change.yaml
diff --git a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
index e1b1ca38..1edb146d 100644
--- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
@@ -1,7 +1,7 @@
id: pwpolicy_temporary_accounts_disable
title: "Automatically Remove or Disable Temporary User Accounts within 72 Hours"
discussion: |
- An automated termination _MUST_ be set for 72 hours or less for all temporary accounts upon account creation.
+ The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary accounts upon account creation.
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts _MUST_ be set to 72 hours (or less) when the temporary account is created.
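Review bot: L2337 now says the macOS "is able to be configured" to terminate temporary accounts, while the unchanged L2338 in the same paragraph still says automated termination "_MUST_ be set to 72 hours (or less)"; the paragraph now disagrees with itself on whether this is a requirement or a capability. The same softening is applied to pwpolicy_emergency_accounts_disable at L2322. If the intent is to reclassify both as capabilities (they sit under the baseline's Inherent section, L1960–L1962), reword L2338 to match; otherwise restore the `_MUST_` phrasing on L2337. The check and fix of this file are outside the hunk.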
diff --git a/rules/srg/srg_hbss_installed.yaml b/rules/srg/srg_hbss_installed.yaml
deleted file mode 100644
index ff697e4d..00000000
--- a/rules/srg/srg_hbss_installed.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-id: srg_hbss_installed
-title: The macOS system must utilize an HBSS solution and implement all DoD required modules.
-discussion: |
- The macOS system must employ automated mechanisms to determine the state of system components. The DoD requires the installation and use of an approved HBSS solution to be implemented on the operating system. For additional information, reference all applicable HBSS OPORDs and FRAGOs on SIPRNet.
-check: |
- Verify that there is an approved HBSS solution installed on the system.
-
- If there is not an approved HBSS solution installed, this is a finding.
-
- Verify that all installed components of the HBSS Solution are at the DoD approved minimal version.
-
- If the installed components are not at the DoD approved minimal versions, this is a finding.
-fix: |
- Install an approved HBSS solution onto the system and ensure that all components are at least updated to their DoD approved minimal versions.
-references:
- cce:
- - CCE-84892-9
- cci:
- - CCI-001233
- 800-53r4:
- - SI-2(2)
- srg:
- - SRG-OS-000191-GPOS-00080
- disa_stig:
- - AOSX-14-000015
-macOS:
- - "10.15"
-tags:
- - cnssi-1253
- - fisma-moderate
- - fisma-high
- - STIG
-mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml
new file mode 100644
index 00000000..f76618e0
--- /dev/null
+++ b/rules/supplemental/supplemental_filevault.yaml
@@ -0,0 +1,63 @@
+id: supplemental_filevault
+title: "FileVault Supplemental"
+discussion: |
+ In macOS 10.15 the internal APFS volume (System & Data) can be protected by FileVault. On non-T2 hardware, FileVault uses an AES-XTS data encryption algorithm to protect full volumes on internal and external storage. Macs with the T2 chip utilize the hardware security features of the chip.
+
+ FileVault2 is described in link:https://support.apple.com/guide/security/when-filevault-is-turned-on-sec4c6dc1b6e/1/web/1[]
+
+ FileVault can be enabled in two ways within the macOS. It can be managed using the fdesetup command or by a Configuration Profile. When enabling FileVault, the user name and password must be a local OpenDirectory account with a valid SecureToken password.
+
+ Using the command line in the Terminal application you can run the following command.
+
+ [source,bash]
+ ----
+ /usr/bin/fdesetup enable
+ ----
+ This will enable FileVault after prompting for a user name and password, and return the personal recovery key.
+ There are a number of management features available when managing FileVault using the command line instead of a configuration profile. These are available in the manpage for fdesetup.
+
+ NOTE: Apple has deprecated fdesetup command line tool from recognizing user name and password for security reasons and may remove the ability in future versions of macOS.
+
+ When managing FileVault with a configuration profile you must deploy a profile with the payload type of com.apple.MCX.FileVault2. When using the key enable to enable FileVault with a configuration profile, you must include 1 of the following:
+
+ [source,xml]
+ ----
+ Enable
+ On
+ Defer
+
+ ----
+ [source,xml]
+ ----
+ Enable
+ On
+ UserEntersMissingInfo
+
+ ----
+
+ If using the Defer key it will prompt for the user name and password at logout.
+
+ If using the key UserEntersMissingInfo it will only work if installed through manual installation and will prompt for the user name and password.
+
+ When using a configuration profile you can escrow the Recovery Key to an MDM Server. Documentation for that can be found on link:https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow[Apple's Developer site].
+
+ It's recommended that you use a Personal Recovery Key instead of an Institutional Key as it will generate a specific key for each device.
+
+ NOTE: FileVault currently only uses password based authentication and can not use a smartcard or any other type of multi-factor authentication.
+check: |
+fix: |
+references:
+ cci:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+macOS:
+ - "10.15"
+tags:
+ - supplemental
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
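Review bot: The `[source,xml]` examples on L2410–L2420 contain only the bare words `Enable`, `On`, `Defer` and `UserEntersMissingInfo` with no plist element markup, so a reader cannot tell which are keys and which are values; if the `<key>`/`<string>` tags were lost in the commit rather than in this rendering, restore them. `check: |` and `fix: |` are empty block scalars (empty string) and `mobileconfig_info:` is bare (null); `check: ""` and `mobileconfig_info: {}` would state that intent explicitly, and the file lacks a trailing newline. The encryption detail removed from sysprefs_filevault_enforce (XTS-AES-128 with a 256-bit key, L2462) survives here only as "AES-XTS" on L2389 — keep the key size if it is still accurate.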
diff --git a/rules/sysprefs/sysprefs_filevault_enforce.yaml b/rules/sysprefs/sysprefs_filevault_enforce.yaml
index c245bc40..0eb96573 100644
--- a/rules/sysprefs/sysprefs_filevault_enforce.yaml
+++ b/rules/sysprefs/sysprefs_filevault_enforce.yaml
@@ -1,52 +1,15 @@
id: sysprefs_filevault_enforce
title: "Enforce FileVault"
discussion: |
+ FileVault _MUST_ be enforced.
+
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
-
- FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk.
-
- FileVault2 is described in https://support.apple.com/en-us/HT204837
-
- FileVault can be enabled in two ways within the macOS. It can be managed using the fdesetup command or by a Configuration Profile. When enabling FileVault, the user name and password must be a local OpenDirectory account with a valid Secure Token password.
- Using the command line in the Terminal application you can run the following command.
-
- [source,bash]
- ----
- /usr/bin/fdesetup enable
- ----
- This will enable FileVault after prompting for a user name and password, and return the personal recovery key.
- There are a number of management features available when managing FileVault using the command line instead of a configuration profile. These are available in the manpage for fdesetup. Apple has deprecated fdesetup command line tool from recognizing user name and password for security reasons and may remove the ability in future versions of macOS.
-
- When managing FileVault with a configuration profile you must deploy a profile with the payload type of com.apple.MCX.FileVault2. When using the key enable to enable FileVault with a configuration profile, you must include 1 of the following
-
- [source,xml]
- ----
- Enable
- On
- Defer
-
- ----
- [source,xml]
- ----
- Enable
- On
- UserEntersMissingInfo
-
- ----
-
- If using the key UserEntersMissingInfo it will only work if installed through manual installation and will prompt for the user name and password.
- If using the Defer key it will prompt for the user name and password at logout.
- If using a configuration profile you can escrow the Recovery Key to an MDM Server. Documentation for that can be found on link:https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow[Apple's Developer site].
-
- It's recommended that you use a Personal Recovery Key instead of an Institutional Key as it will generate a specific key for each device.
-
- Important to note, FileVault also only uses password based authentication and can not use a smartcard or any other multi factor authentication.
check: |
/usr/bin/fdesetup status | /usr/bin/grep -c "FileVault is On."
result:
integer: 1
fix: |
- NOTE: See discussion on remediation and how to enable FileVault.
+ NOTE: See the FileVault supplemental to implement this rule.
references:
cce:
- CCE-84830-9
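Review bot: The fix on L2506 points at "the FileVault supplemental" by prose only; naming the rule id makes the cross-reference greppable and lets tooling link it, e.g. `NOTE: See the FileVault supplemental (supplemental_filevault) to implement this rule.` The removed discussion lines (L2499) carried the only warning in this rule that FileVault is password-only and cannot use a smartcard; since the rule is what ends up in the baseline, consider keeping that one-sentence caveat here rather than only in the supplemental.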
diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py
index fda05abd..bc53f6bd 100755
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
@@ -956,7 +956,7 @@ def main():
if args.logo:
logo = args.logo
else:
- logo = "../../templates/images/nist.png"
+ logo = "../../templates/images/macOSSCP_Banner_3100x500.png"
build_path = os.path.join(parent_dir, 'build', f'{baseline_name}')
if not (os.path.isdir(build_path)):