From f6e3f4cec79e3c97a0b9838000f9ca1e9e9bf6f9 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 22 Sep 2020 12:25:59 -0400 Subject: [PATCH 1/6] discussion edits --- baselines/800-171.yaml | 2 +- baselines/800-53_high.yaml | 3 +- baselines/800-53_moderate.yaml | 3 +- baselines/all_rules.yaml | 9 ------ baselines/cnssi-1253.yaml | 3 +- rules/os/os_logical_access.yaml | 8 +++-- rules/os/os_obscure_password.yaml | 8 +++-- rules/os/os_parental_controls_enable.yaml | 13 +++++++- rules/os/os_peripherals_identify.yaml | 8 ++--- rules/os/os_prevent_priv_execution.yaml | 6 +++- rules/os/os_prevent_priv_functions.yaml | 10 ++++-- rules/os/os_prevent_restricted_software.yaml | 32 ------------------- .../os_prevent_unauthorized_disclosure.yaml | 8 +++-- .../os_provide_disconnect_remote_access.yaml | 4 +-- rules/os/os_separate_fuctionality.yaml | 10 ++++-- rules/os/os_store_encrypted_passwords.yaml | 6 +++- .../pwpolicy_temporary_accounts_disable.yaml | 2 +- 17 files changed, 65 insertions(+), 70 deletions(-) delete mode 100644 rules/os/os_prevent_restricted_software.yaml diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml index 99dbfbd7..af35781b 100644 --- a/baselines/800-171.yaml +++ b/baselines/800-171.yaml @@ -103,6 +103,7 @@ profile: - os_mdm_require - os_messages_app_disable - os_nfsd_disable + - os_parental_controls_enable - os_password_autofill_disable - os_password_proximity_disable - os_password_sharing_disable @@ -146,7 +147,6 @@ profile: - os_logical_access - os_obscure_password - os_prevent_priv_functions - - os_prevent_restricted_software - os_prevent_unauthorized_disclosure - os_separate_fuctionality - os_store_encrypted_passwords diff --git a/baselines/800-53_high.yaml b/baselines/800-53_high.yaml index b377750f..01f83f06 100644 --- a/baselines/800-53_high.yaml +++ b/baselines/800-53_high.yaml 
@@ -107,6 +107,7 @@ profile: - os_mail_app_disable - os_messages_app_disable - os_nfsd_disable + - os_parental_controls_enable - os_password_autofill_disable - os_password_proximity_disable - os_password_sharing_disable @@ -158,9 +159,7 @@ profile: - os_limit_gui_sessions - os_logical_access - os_obscure_password - - os_peripherals_identify - os_prevent_priv_functions - - os_prevent_restricted_software - os_prevent_unauthorized_disclosure - os_required_crypto_module - os_separate_fuctionality diff --git a/baselines/800-53_moderate.yaml b/baselines/800-53_moderate.yaml index 399d1fb1..3de6dead 100644 --- a/baselines/800-53_moderate.yaml +++ b/baselines/800-53_moderate.yaml @@ -103,6 +103,7 @@ profile: - os_mail_app_disable - os_messages_app_disable - os_nfsd_disable + - os_parental_controls_enable - os_password_autofill_disable - os_password_proximity_disable - os_password_sharing_disable @@ -147,9 +148,7 @@ profile: - os_implement_cryptography - os_logical_access - os_obscure_password - - os_peripherals_identify - os_prevent_priv_functions - - os_prevent_restricted_software - os_prevent_unauthorized_disclosure - os_required_crypto_module - os_separate_fuctionality diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index bcb2be34..b9566e55 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -128,7 +128,6 @@ profile: - os_ssh_fips_140_ciphers - os_ssh_fips_140_macs - os_ssh_login_grace_time_configure - - os_ssh_max_sessions_configure - os_ssh_permit_root_login_configure - os_sudoers_tty_configure - os_system_wide_preferences_configure @@ -157,9 +156,7 @@ profile: - audit_alert_processing_fail - audit_enforce_dual_auth - audit_off_load_records - - os_enforce_login_attempt_delay - os_limit_dos_attacks - - os_limit_invalid_logons - os_notify_account_created - os_notify_account_disabled - os_notify_account_enable 
@@ -176,10 +173,7 @@ profile: rules: - os_auth_peripherals - os_identify_non-org_users - - os_prohibit_cached_authenticators - - os_react_security_anomalies - os_request_verification_name_resolution - - os_verify_security_functions - section: "Inherent" rules: - os_allow_info_passed @@ -191,7 +185,6 @@ profile: - os_grant_privs - os_implement_memory_protection - os_implement_cryptography - - os_implement_random_address_space - os_isolate_security_functions - os_limit_auditable_events - os_limit_gui_sessions @@ -203,10 +196,8 @@ profile: - os_obscure_password - os_peripherals_identify - os_predictable_behavior - - os_preserve_information_on_crash - os_prevent_priv_execution - os_prevent_priv_functions - - os_prevent_restricted_software - os_prevent_unauthorized_disclosure - os_provide_disconnect_remote_access - os_reauth_privilege diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml index f0b5afcb..d38bf6c2 100644 --- a/baselines/cnssi-1253.yaml +++ b/baselines/cnssi-1253.yaml @@ -103,6 +103,7 @@ profile: - os_mail_app_disable - os_messages_app_disable - os_nfsd_disable + - os_parental_controls_enable - os_password_autofill_disable - os_password_proximity_disable - os_password_sharing_disable @@ -147,9 +148,7 @@ profile: - os_implement_cryptography - os_logical_access - os_obscure_password - - os_peripherals_identify - os_prevent_priv_functions - - os_prevent_restricted_software - os_prevent_unauthorized_disclosure - os_required_crypto_module - os_separate_fuctionality diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml index cf1c37f6..d24c8e4c 100644 --- a/rules/os/os_logical_access.yaml +++ b/rules/os/os_logical_access.yaml 
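Review bot: The all_rules.yaml hunks drop eight rule ids (os_ssh_max_sessions_configure, os_enforce_login_attempt_delay, os_limit_invalid_logons, os_prohibit_cached_authenticators, os_react_security_anomalies, os_verify_security_functions, os_implement_random_address_space, os_preserve_information_on_crash), yet the diffstat deletes only rules/os/os_prevent_restricted_software.yaml, so it is not visible here whether the rule files for those ids still exist. If they do, all_rules.yaml no longer enumerates every rule, which defeats its purpose; if they were removed in an earlier commit, the other baselines need the same cleanup, and patch 2 removes only two of them and only from baselines/800-53_high.yaml. A grep of baselines/ for each dropped id before merging, and one line in the commit message saying why they were dropped, would settle both questions.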
@@ -1,7 +1,11 @@ id: os_logical_access -title: "Enforce approved authorization for logical access" +title: "Enforce Approved Authorization for Logical Access" discussion: | - To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. + The information system _IS_ configured to enforce an approved authorization process before granting users logical access. + + The inherent configuration of the macOS does not grant users logical access without authorization. Authorization is achieved on the macOS through permissions, which are controlled at many levels, from the Mach and BSD components of the kernel, through higher levels of the operating system and, for networked applications, through the networking protocols. 
Permissions can be granted at the level of directories, subdirectories, files or applications, or specific data within files or functions within applications. + + link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml index 1585128f..33b6bdbf 100644 --- a/rules/os/os_obscure_password.yaml +++ b/rules/os/os_obscure_password.yaml @@ -1,7 +1,11 @@ id: os_obscure_password -title: "Obscure passwords" +title: "Obscure Passwords" discussion: | - The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. + The information system _IS_ configured to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation by unauthorized individuals. + + The inherent configuration of a macOS uses NSSecureTextField for any text field that receives a password, which automatically obscures text which is entered. + + link:https://developer.apple.com/documentation/appkit/nssecuretextfield[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml index 960a5571..1d12b594 100644 --- a/rules/os/os_parental_controls_enable.yaml +++ b/rules/os/os_parental_controls_enable.yaml 
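Review bot: In the os_obscure_password hunk, the new sentence `The inherent configuration of a macOS uses NSSecureTextField for any text field that receives a password` claims more than the OS guarantees: NSSecureTextField is an AppKit class that an application chooses to use, and command-line password prompts obscure input by turning off terminal echo instead. Narrowing the claim to the system's own dialogs keeps the inherent justification accurate, e.g. `The built-in macOS login window and authentication dialogs use NSSecureTextField, which obscures entered text`.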
@@ -3,6 +3,8 @@ title: "Enable Parental Controls" discussion: | Parental Controls _MUST_ be enabled. + Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). + Parental Controls on macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'familyControlsEnabled = 1' @@ -15,16 +17,25 @@ references: - CCE-84773-1 cci: - CCI-001812 + - CCI-001764 800-53r4: - - CM-11(2) + - CM-7(2) srg: - SRG-OS-000362-GPOS-00149 + - SRG-OS-000368-GPOS-00154 disa_stig: - N/A + 800-171r2: + - 3.4.7 macOS: - "10.15" tags: - STIG + - 800-171 + - cnssi-1253 + - fisma-moderate + - fisma-high + - STIG mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: diff --git a/rules/os/os_peripherals_identify.yaml b/rules/os/os_peripherals_identify.yaml index 1d3d4283..c7f78ab7 100644 --- a/rules/os/os_peripherals_identify.yaml +++ b/rules/os/os_peripherals_identify.yaml 
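Review bot: The tags list in the second os_parental_controls_enable hunk now contains `- STIG` twice (the existing entry plus the added one); drop the added duplicate. The paragraph carried over from the deleted os_prevent_restricted_software rule still has the run-together `baseline.Methods`, which should read `baseline. Methods`. Also, the check only looks for `familyControlsEnabled = 1`, while the new discussion itself says enabling parental controls merely "allows for further configuration of these restrictions", so the CM-7(2)/CCI-001764 mapping attached here is satisfied only once an application restriction list is actually configured; a sentence saying so would keep the mapping honest.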
@@ -14,20 +14,16 @@ references: cci: - CCI-000778 800-53r4: - - IA-3 + - N/A srg: - SRG-OS-000114-GPOS-00059 disa_stig: - AOSX-14-002069 800-171r2: - - 3.5.1 - - 3.5.2 + - N/A macOS: - "10.15" tags: - - cnssi-1253 - - fisma-moderate - - fisma-high - STIG - inherent mobileconfig: false diff --git a/rules/os/os_prevent_priv_execution.yaml b/rules/os/os_prevent_priv_execution.yaml index 6e3ef418..7185dac4 100644 --- a/rules/os/os_prevent_priv_execution.yaml +++ b/rules/os/os_prevent_priv_execution.yaml @@ -1,7 +1,11 @@ id: os_prevent_priv_execution -title: "Prevent all software from executing at higher privilege levels than users executing the software" +title: "Prevent Software From Executing at Higher Privilege Levels than Users Executing The Software" discussion: | In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations.Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review. + + The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. + + link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | diff --git a/rules/os/os_prevent_priv_functions.yaml b/rules/os/os_prevent_priv_functions.yaml index 3ede4d70..de8f2b3f 100644 --- a/rules/os/os_prevent_priv_functions.yaml +++ b/rules/os/os_prevent_priv_functions.yaml 
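Review bot: In the os_peripherals_identify hunk the 800-53r4 mapping becomes `N/A` while `CCI-000778` stays under cci; as far as I recall CCI-000778 is derived from IA-3, so the two references now disagree with each other. Either keep `- IA-3` or adjust the cci entry as well, and state the reason in the commit message since the rule retains its SRG and STIG mappings.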
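Review bot: The rewritten title in the os_prevent_priv_execution hunk mixes capitalization (`than` lowercase, `The` capitalized); `Prevent Software From Executing at Higher Privilege Levels Than Users Executing the Software` would match the title case used by the other titles in this patch. The added sentence about non-privileged users is word-for-word the one added to os_prevent_priv_functions in the next hunk, and since the two rules cover different requirements a sentence specific to software running with elevated privileges would be more useful here.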
@@ -1,7 +1,13 @@ id: os_prevent_priv_functions -title: "Preventing non-privileged users from executing privileged functions" +title: "Configure the System to Block Non-Privileged Users from Executing Privileged Functions" discussion: | - The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. + The information system _IS_ configured to block standard users from executing privileged functions. + + Privileged functions include disabling, circumventing, or altering implemented security safeguards and countermeasures. + + The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. + + link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Introduction/Introduction.html[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | diff --git a/rules/os/os_prevent_restricted_software.yaml b/rules/os/os_prevent_restricted_software.yaml deleted file mode 100644 index f4aa37f3..00000000 --- a/rules/os/os_prevent_restricted_software.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -id: os_prevent_restricted_software -title: "Prevent program execution in accordance with policy" -discussion: | - Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level.Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). -check: | - The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. -fix: | - The technology inherently meets this requirement. No fix is required. -references: - cce: - - CCE-84886-1 - cci: - - CCI-001764 - 800-53r4: - - CM-7(2) - disa_stig: - - N/A - srg: - - SRG-OS-000368-GPOS-00154 - 800-171r2: - - 3.4.7 -macOS: - - "10.15" -tags: - - 800-171 - - cnssi-1253 - - fisma-moderate - - fisma-high - - STIG - - inherent -mobileconfig: false -mobileconfig_info: diff --git a/rules/os/os_prevent_unauthorized_disclosure.yaml b/rules/os/os_prevent_unauthorized_disclosure.yaml index 62e65e08..d74641c5 100644 --- a/rules/os/os_prevent_unauthorized_disclosure.yaml +++ b/rules/os/os_prevent_unauthorized_disclosure.yaml 
@@ -1,7 +1,11 @@ id: os_prevent_unauthorized_disclosure -title: "Prevent unauthorized disclosure of data via shared resources" +title: "Configure the System to Prevent the Unauthorized Disclosure of Data via Shared Resources" discussion: | - The information system prevents unauthorized and unintended information transfer via shared system resources. + The information system _IS_ configured to ensure that the unauthorized disclosure of data does not occur when resources are shared. + + The inherent configuration of the macOS does not allow for resources to be shared between users without authorization. + + link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | diff --git a/rules/os/os_provide_disconnect_remote_access.yaml b/rules/os/os_provide_disconnect_remote_access.yaml index 51a1aeec..ca1edbe0 100644 --- a/rules/os/os_provide_disconnect_remote_access.yaml +++ b/rules/os/os_provide_disconnect_remote_access.yaml 
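Review bot: The rewritten discussion in the os_prevent_unauthorized_disclosure hunk changes what the rule asserts: the removed line was about unintended information transfer via shared system resources (residual data in reused memory or storage), whereas the new text and the linked Permissions guide describe access authorization between users. If the rule tracks the shared-resources requirement its title names, consider keeping the original statement and adding the OS-specific justification after it, e.g. `The information system _IS_ configured to prevent unauthorized and unintended information transfer via shared system resources.`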
@@ -1,7 +1,7 @@ id: os_provide_disconnect_remote_access -title: "Provide ability to disconnect or disable remote access" +title: "Provide Ability to Disconnect or Disable Remote Access" discussion: | - Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking place would not be immediately stopped.Operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions functions and the need to eliminate immediate or future remote access to organizational information systems.The remote access functionality (e.g., RDP) may implement features such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack. + Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking place would not be immediately stopped.Operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions functions and the need to eliminate immediate or future remote access to organizational information systems.The remote access functionality (e.g., SSH) may implement features such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack. check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | diff --git a/rules/os/os_separate_fuctionality.yaml b/rules/os/os_separate_fuctionality.yaml index 115d5284..13d72208 100644 --- a/rules/os/os_separate_fuctionality.yaml 
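Review bot: The rewritten line in the os_provide_disconnect_remote_access hunk only swaps `RDP` for `SSH` and keeps the run-together sentence boundaries `stopped.Operating` and `systems.The`; since the line is being touched anyway, insert the missing spaces so the rendered discussion does not read as one sentence.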
+++ b/rules/os/os_separate_fuctionality.yaml 
@@ -1,7 +1,13 @@ id: os_separate_fuctionality -title: "Must separate user and system functionality" +title: "Configure the System to Separate User and System Functionality" discussion: | - Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges.Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access.The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, different TCP/UDP ports, virtualization techniques, combinations of these methods, or other methods, as appropriate.An example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources. This may include isolating the administrative interface on a different security domain and with additional access controls. + The information system _IS_ configured to separate user and system functionality. + + Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges. Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access. 
+ + The inherent configuration of the macOS allows only privileged users to access operating system management functionalities. + + link:https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml index fd817ef9..5077f9c0 100644 --- a/rules/os/os_store_encrypted_passwords.yaml +++ b/rules/os/os_store_encrypted_passwords.yaml @@ -1,7 +1,11 @@ id: os_store_encrypted_passwords -title: "Store passwords encrypted" +title: "Encrypt Stored Passwords" discussion: | + The information system _IS_ configured to encrypt stored passwords. + Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. + + link:https://developer.apple.com/documentation/opendirectory/kodattributetypeauthenticationauthority[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | diff --git a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml index e1b1ca38..1edb146d 100644 --- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml 
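Review bot: In the os_store_encrypted_passwords hunk, `The information system _IS_ configured to encrypt stored passwords` describes the mechanism imprecisely: local account credentials on macOS are stored as salted hashes rather than reversibly encrypted passwords, and the linked kODAttributeTypeAuthenticationAuthority page describes the authentication authority attribute, not the storage format. Suggest `The information system _IS_ configured to store passwords in a cryptographically protected (salted and hashed) form` and, if one is available, a link describing the stored-hash format. The os_separate_fuctionality hunk above rewrites the title but keeps the misspelled id and filename; renaming is out of scope for a discussion edit but deserves a follow-up issue.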
@@ -1,7 +1,7 @@ id: pwpolicy_temporary_accounts_disable title: "Automatically Remove or Disable Temporary User Accounts within 72 Hours" discussion: | - An automated termination _MUST_ be set for 72 hours or less for all temporary accounts upon account creation. + The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary accounts upon account creation. If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts _MUST_ be set to 72 hours (or less) when the temporary account is created. From c45c52db8736d095c8fecef154e01e4ad8894841 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 22 Sep 2020 14:32:51 -0400 Subject: [PATCH 2/6] removed deleted rule and edited discussion --- baselines/800-53_high.yaml | 2 -- rules/os/os_implement_cryptography.yaml | 1 + rules/os/os_implement_memory_protection.yaml | 2 ++ rules/os/os_required_crypto_module.yaml | 1 + rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml | 2 +- 5 files changed, 5 insertions(+), 3 deletions(-) diff --git a/baselines/800-53_high.yaml b/baselines/800-53_high.yaml index 01f83f06..55b92bb6 100644 --- a/baselines/800-53_high.yaml +++ b/baselines/800-53_high.yaml @@ -124,7 +124,6 @@ profile: - os_ssh_fips_140_ciphers - os_ssh_fips_140_macs - os_ssh_login_grace_time_configure - - os_ssh_max_sessions_configure - os_ssh_permit_root_login_configure - os_sudoers_tty_configure - os_system_wide_preferences_configure @@ -154,7 +153,6 @@ profile: - os_fail_secure_state - os_implement_memory_protection - os_implement_cryptography - - os_implement_random_address_space - os_isolate_security_functions - os_limit_gui_sessions - os_logical_access diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml index c8e3a436..220c19c4 100644 
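Review bot: `The macOS is able to be configured to set an automated termination` in the pwpolicy_temporary_accounts_disable hunk is awkward, and unlike the removed line it no longer states the requirement in the opening sentence. `macOS can be configured to automatically terminate temporary accounts 72 hours or less after creation.` reads better and leaves the `_MUST_` sentence below to carry the requirement. The same `is able to be configured` phrasing is introduced in patch 2 for pwpolicy_emergency_accounts_disable.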
--- a/rules/os/os_implement_cryptography.yaml +++ b/rules/os/os_implement_cryptography.yaml @@ -8,6 +8,7 @@ discussion: | macOS Catalina is in process of receiving FIPS validation from the National Institute of Standards and Technology (NIST). link:https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/Modules-In-Process-List[] + link:https://support.apple.com/en-us/HT201159[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement using FIPS Validated Cryptographic Modules. diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml index 7feb44bc..f7890f89 100644 --- a/rules/os/os_implement_memory_protection.yaml +++ b/rules/os/os_implement_memory_protection.yaml @@ -8,7 +8,9 @@ discussion: | macOS supports address space layout randomization (ASLR), position-independent executable (PIE), Stack Canaries, and NX stack and heap protection. link:https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/64bitPorting/transition/transition.html[] + link:https://developer.apple.com/library/archive/qa/qa1788/_index.html[] + link:https://www.apple.com/macos/security/[] check: | diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml index 72bdc619..2cf158c3 100644 --- a/rules/os/os_required_crypto_module.yaml +++ b/rules/os/os_required_crypto_module.yaml @@ -6,6 +6,7 @@ discussion: | macOS Catalina is in process of receiving FIPS validation from the National Institute of Standards and Technology (NIST). link:https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/Modules-In-Process-List[] + link:https://support.apple.com/en-us/HT201159[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. 
diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml index c4527037..f8b13da8 100644 --- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml @@ -1,7 +1,7 @@ id: pwpolicy_emergency_accounts_disable title: "Automatically Remove or Disable Emergency Accounts within 72 Hours" discussion: | - The macOS MUST be configured to automatically remove or disable emergency accounts within 72 hours or less. + The macOS is able to be configured to automatically remove or disable emergency accounts within 72 hours or less. Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. From 1b88d95e2cbb3534751f3a62df37b45daa1ac9b5 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Tue, 22 Sep 2020 15:58:38 -0400 Subject: [PATCH 3/6] FV supplemental --- baselines/800-171.yaml | 3 +- baselines/800-53_high.yaml | 1 + baselines/800-53_low.yaml | 1 + baselines/all_rules.yaml | 3 +- baselines/cnssi-1253.yaml | 3 +- .../supplemental/supplemental_filevault.yaml | 63 +++++++++++++++++++ .../sysprefs/sysprefs_filevault_enforce.yaml | 43 +------------ scripts/generate_guidance.py | 2 +- 8 files changed, 75 insertions(+), 44 deletions(-) create mode 100644 rules/supplemental/supplemental_filevault.yaml diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml index af35781b..3a3f519b 100644 --- a/baselines/800-171.yaml +++ b/baselines/800-171.yaml 
@@ -160,4 +160,5 @@ profile: rules: - supplemental_firewall_pf - supplemental_password_policy - - supplemental_smartcard \ No newline at end of file + - supplemental_smartcard + - supplemental_controls \ No newline at end of file diff --git a/baselines/800-53_high.yaml b/baselines/800-53_high.yaml index 55b92bb6..651af7f6 100644 --- a/baselines/800-53_high.yaml +++ b/baselines/800-53_high.yaml @@ -188,3 +188,4 @@ profile: - supplemental_firewall_pf - supplemental_password_policy - supplemental_smartcard + - supplemental_controls diff --git a/baselines/800-53_low.yaml b/baselines/800-53_low.yaml index 2db9800e..94ba2526 100644 --- a/baselines/800-53_low.yaml +++ b/baselines/800-53_low.yaml @@ -143,3 +143,4 @@ profile: - supplemental_firewall_pf - supplemental_password_policy - supplemental_smartcard + - supplemental_controls diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index b9566e55..be1a8c61 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -216,6 +216,7 @@ profile: - pwpolicy_temporary_accounts_disable - section: "Supplemental" rules: - - supplemental_smartcard - supplemental_firewall_pf - supplemental_password_policy + - supplemental_smartcard + - supplemental_controls diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml index d38bf6c2..47c647be 100644 --- a/baselines/cnssi-1253.yaml +++ b/baselines/cnssi-1253.yaml @@ -178,4 +178,5 @@ profile: rules: - supplemental_firewall_pf - supplemental_password_policy - - supplemental_smartcard \ No newline at end of file + - supplemental_smartcard + - supplemental_controls \ No newline at end of file diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml new file mode 100644 index 00000000..f76618e0 --- /dev/null +++ b/rules/supplemental/supplemental_filevault.yaml 
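Review bot: The four baseline hunks add `- supplemental_controls`, but the rule created in this patch has `id: supplemental_filevault` (rules/supplemental/supplemental_filevault.yaml) and no file for supplemental_controls appears in the diffstat, so the baselines reference an id this patch does not define and the new FileVault supplemental is listed nowhere. Change each added line to `  - supplemental_filevault`, or add the supplemental_controls rule if it exists elsewhere. baselines/800-53_moderate.yaml is not touched here although it received the same list edits in patch 1; check whether it also needs the entry. The 800-171 and cnssi-1253 hunks also keep `\ No newline at end of file`, which is worth fixing while those last lines are being edited.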
@@ -0,0 +1,63 @@
+id: supplemental_filevault
+title: "FileVault Supplemental"
+discussion: |
+ In macOS 10.15 the internal APFS volume (System & Data) can be protected by FileVault. On non-T2 hardware, FileVault uses an AES-XTS data encryption algorithm to protect full volumes on internal and external storage. Macs with the T2 chip utilize the hardware security features of the chip.
+
+ FileVault2 is described in link:https://support.apple.com/guide/security/when-filevault-is-turned-on-sec4c6dc1b6e/1/web/1[]
+
+ FileVault can be enabled in two ways within the macOS. It can be managed using the fdesetup command or by a Configuration Profile. When enabling FileVault, the user name and password must be a local OpenDirectory account with a valid SecureToken password.
+
+ Using the command line in the Terminal application you can run the following command.
+
+ [source,bash]
+ ----
+ /usr/bin/fdesetup enable
+ ----
+ This will enable FileVault after prompting for a user name and password, and return the personal recovery key.
+ There are a number of management features available when managing FileVault using the command line instead of a configuration profile. These are available in the manpage for fdesetup.
+
+ NOTE: Apple has deprecated fdesetup command line tool from recognizing user name and password for security reasons and may remove the ability in future versions of macOS.
+
+ When managing FileVault with a configuration profile you must deploy a profile with the payload type of com.apple.MCX.FileVault2. When using the key enable to enable FileVault with a configuration profile, you must include 1 of the following:
+
+ [source,xml]
+ ----
+ Enable
+ On
+ Defer
+
+ ----
+ [source,xml]
+ ----
+ Enable
+ On
+ UserEntersMissingInfo
+
+ ----
+
+ If using the Defer key it will prompt for the user name and password at logout.
+
+ If using the key UserEntersMissingInfo it will only work if installed through manual installation and will prompt for the user name and password.
+
+ When using a configuration profile you can escrow the Recovery Key to an MDM Server. Documentation for that can be found on link:https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow[Apple's Developer site].
+
+ It's recommended that you use a Personal Recovery Key instead of an Institutional Key as it will generate a specific key for each device.
+
+ NOTE: FileVault currently only uses password based authentication and can not use a smartcard or any other type of multi-factor authentication.
+check: |
+fix: |
+references:
+ cci:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+macOS:
+ - "10.15"
+tags:
+ - supplemental
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/sysprefs/sysprefs_filevault_enforce.yaml b/rules/sysprefs/sysprefs_filevault_enforce.yaml
index c245bc40..0eb96573 100644
--- a/rules/sysprefs/sysprefs_filevault_enforce.yaml
+++ b/rules/sysprefs/sysprefs_filevault_enforce.yaml
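Review bot: `check: |` and `fix: |` on the new rule are block scalars with no content, which parse as empty strings, and the final `mobileconfig_info:` with no value parses as null rather than an empty mapping; if the generator iterates over `mobileconfig_info` the way it would for a rule with a profile payload, this needs `mobileconfig_info: {}` or whatever the other supplemental rules use — worth confirming against generate_guidance.py, which is outside this hunk. The file also ends without a trailing newline. On the content, the discussion says the Recovery Key `can` be escrowed to an MDM server; since this supplemental is now the only remediation text for sysprefs_filevault_enforce, it should state that the Personal Recovery Key MUST be escrowed (for example to the MDM server), as it is the only recovery path the text describes if the user's password is lost.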
@@ -1,52 +1,15 @@
id: sysprefs_filevault_enforce
title: "Enforce FileVault"
discussion: |
+ FileVault _MUST_ be enforced.
+
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
-
- FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk.
-
- FileVault2 is described in https://support.apple.com/en-us/HT204837
-
- FileVault can be enabled in two ways within the macOS. It can be managed using the fdesetup command or by a Configuration Profile. When enabling FileVault, the user name and password must be a local OpenDirectory account with a valid Secure Token password.
- Using the command line in the Terminal application you can run the following command.
-
- [source,bash]
- ----
- /usr/bin/fdesetup enable
- ----
- This will enable FileVault after prompting for a user name and password, and return the personal recovery key.
- There are a number of management features available when managing FileVault using the command line instead of a configuration profile. These are available in the manpage for fdesetup. Apple has deprecated fdesetup command line tool from recognizing user name and password for security reasons and may remove the ability in future versions of macOS.
-
- When managing FileVault with a configuration profile you must deploy a profile with the payload type of com.apple.MCX.FileVault2. When using the key enable to enable FileVault with a configuration profile, you must include 1 of the following
-
- [source,xml]
- ----
- Enable
- On
- Defer
-
- ----
- [source,xml]
- ----
- Enable
- On
- UserEntersMissingInfo
-
- ----
-
- If using the key UserEntersMissingInfo it will only work if installed through manual installation and will prompt for the user name and password.
- If using the Defer key it will prompt for the user name and password at logout.
- If using a configuration profile you can escrow the Recovery Key to an MDM Server. Documentation for that can be found on link:https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow[Apple's Developer site].
-
- It's recommended that you use a Personal Recovery Key instead of an Institutional Key as it will generate a specific key for each device.
-
- Important to note, FileVault also only uses password based authentication and can not use a smartcard or any other multi factor authentication.
check: |
/usr/bin/fdesetup status | /usr/bin/grep -c "FileVault is On."
result:
integer: 1
fix: |
- NOTE: See discussion on remediation and how to enable FileVault.
+ NOTE: See the FileVault supplemental to implement this rule.
references:
cce:
- CCE-84830-9
diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py
index 6fa29529..c8dc9518 100755
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
@@ -946,7 +946,7 @@ def main():
if args.logo:
logo = args.logo
else:
- logo = "../../templates/images/nist.png"
+ logo = "../../templates/images/macOSSCP_Banner_3100x500.png"
build_path = os.path.join(parent_dir, 'build', f'{baseline_name}')
if not (os.path.isdir(build_path)):
From 661ffb1f9a07b8625b6a5dd2e53cec8a61582bad Mon Sep 17 00:00:00 2001
From: Allen Golbig
Date: Tue, 22 Sep 2020 16:01:52 -0400
Subject: [PATCH 4/6] Added logo
---
README.adoc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.adoc b/README.adoc
index 737f39d3..e8b1bd95 100644
--- a/README.adoc
+++ b/README.adoc
@@ -1,4 +1,4 @@
-= macOS Security Compliance Project
+image::templates/images/macOSSCP_Banner_3100x500.png[]
// settings:
:idprefix:
:idseparator: -
From e431ce4e3a03bf7cd9d6d9b027f7e753e8f3e737 Mon Sep 17 00:00:00 2001
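Review bot: The new `fix:` text, `NOTE: See the FileVault supplemental to implement this rule.`, does not name the rule it points to, and the supplemental created in this patch is `id: supplemental_filevault` while the baselines list `supplemental_controls`, so a reader of the rendered guide has no exact name to look up. Suggest `NOTE: See the supplemental_filevault rule for guidance on enabling FileVault.`. Since the discussion no longer describes how FileVault is enabled or how the recovery key is handled, the supplemental is now the only place that remediation lives; the two files should be kept in sync when either changes.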
From: Bob Gendler
Date: Tue, 22 Sep 2020 16:58:29 -0400
Subject: [PATCH 5/6] baseline edits. rule changes
---
baselines/800-171.yaml | 292 +++++++-------
baselines/800-53_high.yaml | 285 +++++++-------
baselines/800-53_low.yaml | 208 +++++-----
baselines/800-53_moderate.yaml | 274 ++++++-------
baselines/all_rules.yaml | 368 +++++++++---------
baselines/cnssi-1253.yaml | 280 ++++++-------
rules/os/os_continuous_monitoring.yaml | 29 ++
rules/os/os_parental_controls_enable.yaml | 2 +-
...wpolicy_force_change_password_change.yaml} | 0
rules/srg/srg_hbss_installed.yaml | 34 --
10 files changed, 891 insertions(+), 881 deletions(-)
create mode 100644 rules/os/os_continuous_monitoring.yaml
rename rules/pwpolicy/{pwpolicy_force_password_change.yaml => pwpolicy_force_change_password_change.yaml} (100%)
delete mode 100644 rules/srg/srg_hbss_installed.yaml
diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml
index af35781b..253ea92d 100644
--- a/baselines/800-171.yaml
+++ b/baselines/800-171.yaml
@@ -2,162 +2,164 @@ title: "macOS 10.15 (Catalina): Security Configuration - 800-171" description: | This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-171. profile: - - section: "Auditing" + - section: "authentication" rules: - - audit_acls_files_configure - - audit_acls_folders_configure - - audit_auditd_enabled - - audit_failure_halt - - audit_files_group_configure - - audit_files_mode_configure - - audit_files_owner_configure - - audit_flags_aa_configure - - audit_flags_ad_configure - - audit_flags_ex_configure - - audit_flags_fm_configure - - audit_flags_fr_configure - - audit_flags_fw_configure - - audit_flags_lo_configure - - audit_folder_group_configure - - audit_folder_owner_configure - - audit_folders_mode_configure - - audit_settings_failure_notify - - section: "Authentication" + - auth_pam_login_smartcard_enforce + - auth_pam_sudo_smartcard_enforce + - auth_ssh_smartcard_enforce + - auth_smartcard_enforce + - auth_pam_su_smartcard_enforce + - section: "auditing" rules: - - auth_pam_login_smartcard_enforce - - auth_pam_su_smartcard_enforce - - auth_pam_sudo_smartcard_enforce - - auth_smartcard_enforce - - auth_ssh_smartcard_enforce - - section: "SystemPreferences" + - audit_folder_group_configure + - audit_failure_halt + - audit_acls_folders_configure + - audit_flags_fm_configure + - audit_auditd_enabled + - audit_flags_ad_configure + - audit_flags_ex_configure + - audit_files_mode_configure + - audit_flags_aa_configure + - audit_files_owner_configure + - audit_flags_fr_configure + - audit_settings_failure_notify + - audit_folder_owner_configure + - audit_flags_lo_configure + - audit_flags_fw_configure + - audit_folders_mode_configure + - audit_files_group_configure + - audit_acls_files_configure + - section: "macos" rules: - - sysprefs_ad_tracking_disable - - sysprefs_afp_disable - - sysprefs_apple_watch_unlock_disable - - sysprefs_automatic_login_disable - - sysprefs_bluetooth_disable - - 
sysprefs_bluetooth_sharing_disable - - sysprefs_content_caching_disable - - sysprefs_diagnostics_reports_disable - - sysprefs_filevault_enforce - - sysprefs_find_my_disable - - sysprefs_firewall_enable - - sysprefs_firewall_stealth_mode_enable - - sysprefs_gatekeeper_identified_developers_allowed - - sysprefs_gatekeeper_override_disallow - - sysprefs_hot_corners_disable - - sysprefs_improve_siri_dictation_disable - - sysprefs_internet_sharing_disable - - sysprefs_location_services_disable - - sysprefs_loginwindow_prompt_username_password_enforce - - sysprefs_media_sharing_disabled - - sysprefs_password_hints_disable - - sysprefs_rae_disable - - sysprefs_screensaver_ask_for_password_delay_enforce - - sysprefs_screensaver_password_enforce - - sysprefs_screensaver_timeout_enforce - - sysprefs_screen_sharing_disable - - sysprefs_siri_disable - - sysprefs_smbd_disable - - sysprefs_ssh_enable - - sysprefs_time_server_configure - - sysprefs_time_server_enforce - - sysprefs_token_removal_enforce - - sysprefs_touchid_unlock_disable - - section: "iCloud" + - os_firewall_default_deny_require + - os_ssh_client_alive_count_max_configure + - os_firmware_password_require + - os_power_nap_disable + - os_gatekeeper_rearm + - os_root_disable + - os_guest_account_disable + - os_policy_banner_ssh_enforce + - os_password_proximity_disable + - os_mdm_require + - os_screensaver_loginwindow_enforce + - os_handoff_disable + - os_firewall_log_enable + - os_system_wide_preferences_configure + - os_tftpd_disable + - os_password_autofill_disable + - os_password_sharing_disable + - os_ssh_fips_140_ciphers + - os_ssh_login_grace_time_configure + - os_uucp_disable + - os_policy_banner_loginwindow_enforce + - os_touchid_prompt_disable + - os_filevault_autologin_disable + - os_messages_app_disable + - os_airdrop_disable + - os_parental_controls_enable + - os_nfsd_disable + - os_httpd_disable + - os_gatekeeper_enable + - os_sip_enable + - os_removable_media_disable + - os_guest_access_smb_disable + 
- os_policy_banner_ssh_configure + - os_time_server_enabled + - os_unlock_active_user_session_disable + - os_internet_accounts_prefpane_disable + - os_siri_prompt_disable + - os_appleid_prompt_disable + - os_ssh_fips_140_macs + - os_home_folders_secure + - os_facetime_app_disable + - os_guest_access_afp_disable + - os_icloud_storage_prompt_disable + - os_ir_support_disable + - os_mail_app_disable + - os_ssh_client_alive_interval_configure + - os_bonjour_disable + - os_calendar_app_disable + - section: "passwordpolicy" rules: - - icloud_addressbook_disable - - icloud_appleid_prefpane_disable - - icloud_bookmarks_disable - - icloud_calendar_disable - - icloud_drive_disable - - icloud_keychain_disable - - icloud_mail_disable - - icloud_notes_disable - - icloud_photos_disable - - icloud_reminders_disable - - icloud_sync_disable - - section: "macOS" + - pwpolicy_account_inactivity_enforce + - pwpolicy_history_enforce + - pwpolicy_account_lockout_enforce + - pwpolicy_simple_sequence_disable + - pwpolicy_lower_case_character_enforce + - pwpolicy_account_lockout_timeout_enforce + - pwpolicy_special_character_enforce + - pwpolicy_alpha_numeric_enforce + - pwpolicy_minimum_length_enforce + - pwpolicy_upper_case_character_enforce + - pwpolicy_60_day_enforce + - pwpolicy_minimum_lifetime_enforce + - section: "icloud" rules: - - os_airdrop_disable - - os_appleid_prompt_disable - - os_bonjour_disable - - os_calendar_app_disable - - os_facetime_app_disable - - os_filevault_autologin_disable - - os_firewall_default_deny_require - - os_firewall_log_enable - - os_firmware_password_require - - os_gatekeeper_enable - - os_gatekeeper_rearm - - os_guest_access_afp_disable - - os_guest_access_smb_disable - - os_guest_account_disable - - os_handoff_disable - - os_home_folders_secure - - os_httpd_disable - - os_icloud_storage_prompt_disable - - os_internet_accounts_prefpane_disable - - os_ir_support_disable - - os_mail_app_disable - - os_mdm_require - - os_messages_app_disable - - 
os_nfsd_disable - - os_parental_controls_enable - - os_password_autofill_disable - - os_password_proximity_disable - - os_password_sharing_disable - - os_policy_banner_loginwindow_enforce - - os_policy_banner_ssh_configure - - os_policy_banner_ssh_enforce - - os_power_nap_disable - - os_removable_media_disable - - os_root_disable - - os_screensaver_loginwindow_enforce - - os_sip_enable - - os_siri_prompt_disable - - os_ssh_client_alive_count_max_configure - - os_ssh_client_alive_interval_configure - - os_ssh_fips_140_ciphers - - os_ssh_fips_140_macs - - os_ssh_login_grace_time_configure - - os_system_wide_preferences_configure - - os_tftpd_disable - - os_time_server_enabled - - os_touchid_prompt_disable - - os_unlock_active_user_session_disable - - os_uucp_disable - - section: "PasswordPolicy" + - icloud_photos_disable + - icloud_reminders_disable + - icloud_sync_disable + - icloud_appleid_prefpane_disable + - icloud_keychain_disable + - icloud_notes_disable + - icloud_drive_disable + - icloud_bookmarks_disable + - icloud_mail_disable + - icloud_calendar_disable + - icloud_addressbook_disable + - section: "systempreferences" rules: - - pwpolicy_60_day_enforce - - pwpolicy_account_inactivity_enforce - - pwpolicy_account_lockout_enforce - - pwpolicy_account_lockout_timeout_enforce - - pwpolicy_alpha_numeric_enforce - - pwpolicy_history_enforce - - pwpolicy_lower_case_character_enforce - - pwpolicy_minimum_length_enforce - - pwpolicy_minimum_lifetime_enforce - - pwpolicy_simple_sequence_disable - - pwpolicy_special_character_enforce - - pwpolicy_upper_case_character_enforce + - sysprefs_smbd_disable + - sysprefs_firewall_stealth_mode_enable + - sysprefs_ad_tracking_disable + - sysprefs_internet_sharing_disable + - sysprefs_rae_disable + - sysprefs_ssh_enable + - sysprefs_media_sharing_disabled + - sysprefs_screensaver_password_enforce + - sysprefs_gatekeeper_identified_developers_allowed + - sysprefs_gatekeeper_override_disallow + - 
sysprefs_screensaver_timeout_enforce + - sysprefs_firewall_enable + - sysprefs_find_my_disable + - sysprefs_afp_disable + - sysprefs_content_caching_disable + - sysprefs_location_services_disable + - sysprefs_time_server_configure + - sysprefs_diagnostics_reports_disable + - sysprefs_bluetooth_disable + - sysprefs_loginwindow_prompt_username_password_enforce + - sysprefs_automatic_login_disable + - sysprefs_apple_watch_unlock_disable + - sysprefs_token_removal_enforce + - sysprefs_screensaver_ask_for_password_delay_enforce + - sysprefs_time_server_enforce + - sysprefs_touchid_unlock_disable + - sysprefs_screen_sharing_disable + - sysprefs_hot_corners_disable + - sysprefs_siri_disable + - sysprefs_filevault_enforce + - sysprefs_password_hints_disable + - sysprefs_bluetooth_sharing_disable + - sysprefs_improve_siri_dictation_disable - section: "Inherent" rules: - - os_implement_cryptography - - os_logical_access - - os_obscure_password - - os_prevent_priv_functions - - os_prevent_unauthorized_disclosure - - os_separate_fuctionality - - os_store_encrypted_passwords - - os_terminate_session_inactivity - - pwpolicy_force_password_change + - os_prevent_priv_functions + - os_logical_access + - os_implement_cryptography + - os_obscure_password + - os_terminate_session_inactivity + - os_store_encrypted_passwords + - os_prevent_unauthorized_disclosure + - os_separate_fuctionality + - pwpolicy_force_change_password_change - section: "Permanent" rules: - - pwpolicy_50_percent - - sysprefs_wifi_disable + - pwpolicy_50_percent + - sysprefs_wifi_disable - section: "Supplemental" rules: - supplemental_firewall_pf - supplemental_password_policy - - supplemental_smartcard \ No newline at end of file + - supplemental_smartcard + - supplemental_controls + \ No newline at end of file diff --git a/baselines/800-53_high.yaml b/baselines/800-53_high.yaml index 55b92bb6..b00b9509 100644 --- a/baselines/800-53_high.yaml +++ b/baselines/800-53_high.yaml 
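Review bot: The rewritten rule lists are no longer sorted — the auditing section now runs `audit_folder_group_configure`, `audit_failure_halt`, `audit_acls_folders_configure`, … — so every line of every section shows as removed and re-added and a reviewer cannot see from the diff which rules were actually added or dropped; for 800-171 the rule set appears unchanged apart from the `pwpolicy_force_change_password_change` rename and the new `supplemental_controls` entry, but that had to be verified by hand. Five section names were lowercased (`"Auditing"` → `"auditing"`, `"macOS"` → `"macos"`, …) while `"Inherent"`, `"Permanent"` and `"Supplemental"` keep their capitals; if the generator uses the section string for headings or lookups, the inconsistency will show in the output. The hunk also adds a whitespace-only line `+ ` before the no-newline marker. Keep each `rules:` list alphabetically sorted and use one casing convention for all section names; the same shuffle and casing change appear in the 800-53 High and 800-53 Low hunks below.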
@@ -2,189 +2,192 @@ title: "macOS 10.15 (Catalina): Security Configuration - 800-53 High" description: | This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 HIGH baseline. profile: - - section: "Auditing" - rules: - - audit_auditd_enabled - - audit_acls_files_configure - - audit_files_mode_configure - - audit_acls_folders_configure - - audit_folders_mode_configure - - audit_configure_capacity_notify - - audit_failure_halt - - audit_files_group_configure - - audit_files_owner_configure - - audit_flags_aa_configure - - audit_flags_ad_configure - - audit_flags_fr_configure - - audit_flags_fw_configure - - audit_flags_fm_configure - - audit_flags_lo_configure - - audit_flags_ex_configure - - audit_folder_group_configure - - audit_folder_owner_configure - - audit_retention_configure - - audit_settings_failure_notify - - section: "Authentication" + - section: "authentication" rules: - auth_pam_login_smartcard_enforce - - auth_pam_su_smartcard_enforce - - auth_pam_sudo_smartcard_enforce - auth_smartcard_allow - - auth_smartcard_enforce - - auth_smartcard_certificate_trust_enforce_high + - auth_pam_sudo_smartcard_enforce - auth_ssh_smartcard_enforce - - section: "SystemPreferences" + - auth_smartcard_certificate_trust_enforce_high + - auth_smartcard_enforce + - auth_pam_su_smartcard_enforce + - section: "auditing" rules: - - sysprefs_ad_tracking_disable - - sysprefs_afp_disable - - sysprefs_apple_watch_unlock_disable - - sysprefs_automatic_login_disable - - sysprefs_bluetooth_disable - - sysprefs_bluetooth_sharing_disable - - sysprefs_content_caching_disable - - sysprefs_diagnostics_reports_disable - - sysprefs_filevault_enforce - - sysprefs_find_my_disable - - sysprefs_firewall_enable - - sysprefs_firewall_stealth_mode_enable - - sysprefs_gatekeeper_identified_developers_allowed - - sysprefs_gatekeeper_override_disallow - - sysprefs_hot_corners_disable - - sysprefs_improve_siri_dictation_disable - - 
sysprefs_internet_sharing_disable - - sysprefs_location_services_disable - - sysprefs_loginwindow_prompt_username_password_enforce - - sysprefs_password_hints_disable - - sysprefs_rae_disable - - sysprefs_screensaver_ask_for_password_delay_enforce - - sysprefs_screensaver_password_enforce - - sysprefs_screensaver_timeout_enforce - - sysprefs_screen_sharing_disable - - sysprefs_siri_disable - - sysprefs_smbd_disable - - sysprefs_ssh_enable - - sysprefs_time_server_configure - - sysprefs_time_server_enforce - - sysprefs_token_removal_enforce - - sysprefs_touchid_unlock_disable - - section: "iCloud" + - audit_folder_group_configure + - audit_failure_halt + - audit_acls_folders_configure + - audit_flags_fm_configure + - audit_auditd_enabled + - audit_flags_ad_configure + - audit_flags_ex_configure + - audit_files_mode_configure + - audit_flags_aa_configure + - audit_files_owner_configure + - audit_retention_configure + - audit_flags_fr_configure + - audit_settings_failure_notify + - audit_folder_owner_configure + - audit_flags_lo_configure + - audit_flags_fw_configure + - audit_folders_mode_configure + - audit_configure_capacity_notify + - audit_files_group_configure + - audit_acls_files_configure + - section: "macos" rules: - - icloud_addressbook_disable - - icloud_calendar_disable - - icloud_mail_disable - - icloud_notes_disable - - icloud_reminders_disable - - icloud_appleid_prefpane_disable - - icloud_bookmarks_disable - - icloud_drive_disable - - icloud_keychain_disable - - icloud_photos_disable - - icloud_sync_disable - - section: "macOS" - rules: - - os_sip_enable - - os_airdrop_disable - - os_appleid_prompt_disable - - os_bonjour_disable - - os_calendar_app_disable - - os_camera_disable - - os_certificate_authority_trust - - os_facetime_app_disable - - os_filevault_autologin_disable - os_firewall_default_deny_require - - os_firewall_log_enable + - os_ssh_client_alive_count_max_configure - os_firmware_password_require - - os_gatekeeper_enable - - 
os_guest_access_afp_disable - - os_guest_access_smb_disable + - os_power_nap_disable + - os_gatekeeper_rearm + - os_root_disable - os_guest_account_disable + - os_policy_banner_ssh_enforce + - os_password_proximity_disable + - os_mdm_require + - os_screensaver_loginwindow_enforce - os_handoff_disable - - os_home_folders_secure + - os_firewall_log_enable + - os_system_wide_preferences_configure + - os_tftpd_disable + - os_password_autofill_disable + - os_password_sharing_disable + - os_ssh_fips_140_ciphers + - os_ssh_login_grace_time_configure + - os_secure_boot_verify + - os_uucp_disable + - os_policy_banner_loginwindow_enforce + - os_touchid_prompt_disable + - os_filevault_autologin_disable + - os_messages_app_disable + - os_airdrop_disable + - os_parental_controls_enable + - os_system_read_only + - os_nfsd_disable - os_httpd_disable - - os_icloud_storage_prompt_disable + - os_gatekeeper_enable + - os_sip_enable + - os_removable_media_disable + - os_guest_access_smb_disable + - os_policy_banner_ssh_configure + - os_time_server_enabled + - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable + - os_siri_prompt_disable + - os_appleid_prompt_disable + - os_certificate_authority_trust + - os_ssh_fips_140_macs + - os_home_folders_secure + - os_facetime_app_disable + - os_guest_access_afp_disable + - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_messages_app_disable - - os_nfsd_disable - - os_parental_controls_enable - - os_password_autofill_disable - - os_password_proximity_disable - - os_password_sharing_disable - - os_policy_banner_loginwindow_enforce - - os_policy_banner_ssh_configure - - os_policy_banner_ssh_enforce - - os_power_nap_disable - - os_removable_media_disable - - os_screensaver_loginwindow_enforce - - os_secure_boot_verify - - os_siri_prompt_disable - - os_ssh_client_alive_count_max_configure - os_ssh_client_alive_interval_configure - - os_ssh_fips_140_ciphers - - os_ssh_fips_140_macs - - 
os_ssh_login_grace_time_configure - - os_ssh_permit_root_login_configure - - os_sudoers_tty_configure - - os_system_wide_preferences_configure - - os_time_server_enabled - - os_touchid_prompt_disable - - os_mdm_require - - os_unlock_active_user_session_disable - - os_uucp_disable - - section: "PasswordPolicy" + - os_bonjour_disable + - os_calendar_app_disable + - section: "passwordpolicy" rules: - - pwpolicy_60_day_enforce - pwpolicy_account_inactivity_enforce - - pwpolicy_account_lockout_enforce - - pwpolicy_account_lockout_timeout_enforce - - pwpolicy_alpha_numeric_enforce - pwpolicy_history_enforce - - pwpolicy_lower_case_character_enforce - - pwpolicy_minimum_length_enforce - - pwpolicy_minimum_lifetime_enforce + - pwpolicy_account_lockout_enforce - pwpolicy_simple_sequence_disable + - pwpolicy_lower_case_character_enforce + - pwpolicy_account_lockout_timeout_enforce - pwpolicy_special_character_enforce + - pwpolicy_alpha_numeric_enforce + - pwpolicy_minimum_length_enforce - pwpolicy_upper_case_character_enforce + - pwpolicy_60_day_enforce + - pwpolicy_minimum_lifetime_enforce + - section: "icloud" + rules: + - icloud_photos_disable + - icloud_reminders_disable + - icloud_sync_disable + - icloud_appleid_prefpane_disable + - icloud_keychain_disable + - icloud_notes_disable + - icloud_drive_disable + - icloud_bookmarks_disable + - icloud_mail_disable + - icloud_calendar_disable + - icloud_addressbook_disable + - section: "systempreferences" + rules: + - sysprefs_smbd_disable + - sysprefs_firewall_stealth_mode_enable + - sysprefs_ad_tracking_disable + - sysprefs_internet_sharing_disable + - sysprefs_rae_disable + - sysprefs_ssh_enable + - sysprefs_screensaver_password_enforce + - sysprefs_gatekeeper_identified_developers_allowed + - sysprefs_gatekeeper_override_disallow + - sysprefs_screensaver_timeout_enforce + - sysprefs_firewall_enable + - sysprefs_find_my_disable + - sysprefs_afp_disable + - sysprefs_content_caching_disable + - 
sysprefs_location_services_disable + - sysprefs_time_server_configure + - sysprefs_diagnostics_reports_disable + - sysprefs_bluetooth_disable + - sysprefs_loginwindow_prompt_username_password_enforce + - sysprefs_automatic_login_disable + - sysprefs_apple_watch_unlock_disable + - sysprefs_token_removal_enforce + - sysprefs_screensaver_ask_for_password_delay_enforce + - sysprefs_time_server_enforce + - sysprefs_touchid_unlock_disable + - sysprefs_screen_sharing_disable + - sysprefs_hot_corners_disable + - sysprefs_siri_disable + - sysprefs_filevault_enforce + - sysprefs_password_hints_disable + - sysprefs_bluetooth_sharing_disable + - sysprefs_improve_siri_dictation_disable - section: "Inherent" rules: - - os_crypto_audit - os_enforce_access_restrictions + - os_limit_gui_sessions + - os_prevent_priv_functions + - os_logical_access - os_fail_secure_state - os_implement_memory_protection - os_implement_cryptography - - os_isolate_security_functions - - os_limit_gui_sessions - - os_logical_access - os_obscure_password - - os_prevent_priv_functions - - os_prevent_unauthorized_disclosure - - os_required_crypto_module - - os_separate_fuctionality - - os_store_encrypted_passwords - os_terminate_session_inactivity - - pwpolicy_emergency_accounts_disable - - pwpolicy_force_password_change + - os_isolate_security_functions + - os_required_crypto_module + - os_store_encrypted_passwords + - os_prevent_unauthorized_disclosure + - os_separate_fuctionality + - os_crypto_audit - pwpolicy_temporary_accounts_disable + - pwpolicy_force_change_password_change + - pwpolicy_emergency_accounts_disable - section: "Permanent" rules: - - audit_enforce_dual_auth - - os_auth_peripherals - - os_notify_account_created - - os_notify_account_disabled + - os_request_verification_name_resolution - os_notify_account_enable + - os_provide_automated_account_management + - os_notify_account_created - os_notify_account_modified - os_notify_account_removal + - os_auth_peripherals + - 
os_continuous_monitoring + - os_notify_account_disabled - os_protect_dos_attacks - - os_provide_automated_account_management - pwpolicy_50_percent - sysprefs_wifi_disable - section: "not_applicable" - rules: + rules: - os_identify_non-org_users - - os_request_verification_name_resolution - section: "Supplemental" rules: - supplemental_firewall_pf - supplemental_password_policy - supplemental_smartcard + - supplemental_controls + diff --git a/baselines/800-53_low.yaml b/baselines/800-53_low.yaml index 2db9800e..75fc23aa 100644 --- a/baselines/800-53_low.yaml +++ b/baselines/800-53_low.yaml 
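Review bot: The reordering hides substantive changes to the High baseline that the commit message (`baseline edits. rule changes`) does not call out: `os_ssh_permit_root_login_configure`, `os_sudoers_tty_configure` and `os_camera_disable` are removed from the macOS section and `audit_enforce_dual_auth` from `"Permanent"`, while `os_gatekeeper_rearm`, `os_root_disable`, `os_system_read_only` and `os_continuous_monitoring` are added and `os_request_verification_name_resolution` moves from `"not_applicable"` to `"Permanent"`. Dropping the SSH root-login and sudo TTY controls from the strictest baseline weakens it relative to the previous revision, so if that is intentional it belongs in the commit message or a baseline changelog, and if it is a side effect of regenerating the lists those rules should be restored. A trailing empty added line also follows `- supplemental_controls` at the end of the file.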
@@ -2,144 +2,138 @@ title: "macOS 10.15 (Catalina): Security Configuration - 800-53 Low"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 LOW baseline.
profile:
- - section: "Auditing"
- rules:
- - audit_auditd_enabled
- - audit_acls_files_configure
- - audit_files_mode_configure
- - audit_acls_folders_configure
- - audit_folders_mode_configure
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_fm_configure
- - audit_flags_lo_configure
- - audit_flags_ex_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_retention_configure
- - section: "Authentication"
+ - section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- - auth_smartcard_enforce
+ - auth_pam_sudo_smartcard_enforce
- auth_ssh_smartcard_enforce
- - section: "SystemPreferences"
+ - auth_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - section: "auditing"
rules:
- - sysprefs_ad_tracking_disable
- - sysprefs_afp_disable
- - sysprefs_automatic_login_disable
- - sysprefs_bluetooth_sharing_disable
- - sysprefs_content_caching_disable
- - sysprefs_diagnostics_reports_disable
- - sysprefs_find_my_disable
- - sysprefs_firewall_enable
- - sysprefs_firewall_stealth_mode_enable
- - sysprefs_gatekeeper_identified_developers_allowed
- - sysprefs_gatekeeper_override_disallow
- - sysprefs_improve_siri_dictation_disable
- - sysprefs_internet_sharing_disable
- - sysprefs_location_services_disable
- - sysprefs_loginwindow_prompt_username_password_enforce
- - sysprefs_password_hints_disable
- - sysprefs_rae_disable
- - sysprefs_screen_sharing_disable
- - sysprefs_siri_disable
- - sysprefs_smbd_disable
- - section: "iCloud"
+ -
audit_folder_group_configure
+ - audit_failure_halt
+ - audit_acls_folders_configure
+ - audit_flags_fm_configure
+ - audit_auditd_enabled
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_files_mode_configure
+ - audit_flags_aa_configure
+ - audit_files_owner_configure
+ - audit_retention_configure
+ - audit_flags_fr_configure
+ - audit_folder_owner_configure
+ - audit_flags_lo_configure
+ - audit_flags_fw_configure
+ - audit_folders_mode_configure
+ - audit_files_group_configure
+ - audit_acls_files_configure
+ - section: "macos"
rules:
- - icloud_addressbook_disable
- - icloud_calendar_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_reminders_disable
- - icloud_appleid_prefpane_disable
- - icloud_bookmarks_disable
- - icloud_drive_disable
- - icloud_keychain_disable
- - icloud_photos_disable
- - icloud_sync_disable
- - section: "macOS"
- rules:
- - os_sip_enable
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_bonjour_disable
- - os_calendar_app_disable
- - os_camera_disable
- - os_facetime_app_disable
- - os_filevault_autologin_disable
- - os_firewall_default_deny_require
- - os_firewall_log_enable
- - os_firmware_password_require
- - os_guest_access_afp_disable
- - os_guest_access_smb_disable
+ - os_power_nap_disable
+ - os_root_disable
+ - os_policy_banner_ssh_enforce
+ - os_password_proximity_disable
+ - os_mdm_require
- os_handoff_disable
- - os_home_folders_secure
+ - os_firewall_log_enable
+ - os_tftpd_disable
+ - os_password_autofill_disable
+ - os_password_sharing_disable
+ - os_ssh_fips_140_ciphers
+ - os_uucp_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_touchid_prompt_disable
+ - os_filevault_autologin_disable
+ - os_messages_app_disable
+ - os_airdrop_disable
+ - os_nfsd_disable
- os_httpd_disable
- - os_icloud_storage_prompt_disable
+ - os_sip_enable
+ - os_guest_access_smb_disable
+ - os_policy_banner_ssh_configure
+ - os_unlock_active_user_session_disable
-
os_internet_accounts_prefpane_disable
+ - os_siri_prompt_disable
+ - os_appleid_prompt_disable
+ - os_ssh_fips_140_macs
+ - os_facetime_app_disable
+ - os_guest_access_afp_disable
+ - os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- - os_messages_app_disable
- - os_nfsd_disable
- - os_password_autofill_disable
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_power_nap_disable
- - os_removable_media_disable
- - os_root_disable
- - os_ssh_permit_root_login_configure
- - os_siri_prompt_disable
- - os_ssh_fips_140_ciphers
- - os_ssh_fips_140_macs
- - os_sudoers_tty_configure
- - os_touchid_prompt_disable
- - os_mdm_require
- - os_unlock_active_user_session_disable
- - os_uucp_disable
- - section: "PasswordPolicy"
+ - os_bonjour_disable
+ - os_calendar_app_disable
+ - section: "passwordpolicy"
rules:
- - pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
+ - pwpolicy_lower_case_character_enforce
+ - pwpolicy_account_lockout_timeout_enforce
- pwpolicy_special_character_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_minimum_length_enforce
- pwpolicy_upper_case_character_enforce
+ - pwpolicy_60_day_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - section: "icloud"
+ rules:
+ - icloud_photos_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - icloud_appleid_prefpane_disable
+ - icloud_keychain_disable
+ - icloud_notes_disable
+ - icloud_drive_disable
+ - icloud_bookmarks_disable
+ - icloud_mail_disable
+ - icloud_calendar_disable
+ -
icloud_addressbook_disable
+ - section: "systempreferences"
+ rules:
+ - sysprefs_smbd_disable
+ - sysprefs_firewall_stealth_mode_enable
+ - sysprefs_ad_tracking_disable
+ - sysprefs_internet_sharing_disable
+ - sysprefs_rae_disable
+ - sysprefs_firewall_enable
+ - sysprefs_find_my_disable
+ - sysprefs_afp_disable
+ - sysprefs_content_caching_disable
+ - sysprefs_location_services_disable
+ - sysprefs_diagnostics_reports_disable
+ - sysprefs_loginwindow_prompt_username_password_enforce
+ - sysprefs_automatic_login_disable
+ - sysprefs_screen_sharing_disable
+ - sysprefs_siri_disable
+ - sysprefs_password_hints_disable
+ - sysprefs_bluetooth_sharing_disable
+ - sysprefs_improve_siri_dictation_disable
- section: "Inherent"
rules:
- - os_implement_cryptography
- os_logical_access
+ - os_implement_cryptography
- os_obscure_password
+ - os_terminate_session_inactivity
- os_required_crypto_module
- os_store_encrypted_passwords
- - pwpolicy_force_password_change
+ - pwpolicy_force_change_password_change
- section: "Permanent"
rules:
- - audit_enforce_dual_auth
+ - os_request_verification_name_resolution
- os_protect_dos_attacks
- pwpolicy_50_percent
- section: "not_applicable"
- rules:
+ rules:
- os_identify_non-org_users
- - os_request_verification_name_resolution
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
+ - supplemental_controls
+
\ No newline at end of file
diff --git a/baselines/800-53_moderate.yaml b/baselines/800-53_moderate.yaml
index 3de6dead..93e30a79 100644
--- a/baselines/800-53_moderate.yaml
+++ b/baselines/800-53_moderate.yaml
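Review bot: The regenerated Low baseline silently drops several hardening rules that appear on the removed side and are never re-added: os_camera_disable, os_firewall_default_deny_require, os_firmware_password_require, os_home_folders_secure, os_removable_media_disable, os_ssh_permit_root_login_configure, os_sudoers_tty_configure, sysprefs_gatekeeper_identified_developers_allowed and sysprefs_gatekeeper_override_disallow (audit_enforce_dual_auth also leaves "Permanent"). If these are deliberate re-tagging decisions they belong in the commit message; if the generator merely picked up rule files whose 800-53 tags changed, that deserves a second look, since the PermitRootLogin and Gatekeeper controls are exactly what an assessor will ask about. The Inherent list also now references `pwpolicy_force_change_password_change` where it previously referenced `pwpolicy_force_password_change`; the doubled "change" reads like an accidental rename, so confirm a rule file with the new id exists, otherwise baseline generation will fail to resolve it. Finally, the new order within each section appears arbitrary rather than sorted; emitting rule ids sorted would keep future baseline diffs reviewable instead of rewriting every section.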
@@ -2,181 +2,183 @@ title: "macOS 10.15 (Catalina): Security Configuration - 800-53 Moderate"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 MODERATE baseline.
profile:
- - section: "Auditing"
- rules:
- - audit_auditd_enabled
- - audit_acls_files_configure
- - audit_files_mode_configure
- - audit_acls_folders_configure
- - audit_folders_mode_configure
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_fm_configure
- - audit_flags_lo_configure
- - audit_flags_ex_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_retention_configure
- - section: "Authentication"
+ - section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- - auth_smartcard_enforce
- - auth_smartcard_certificate_trust_enforce_moderate
+ - auth_pam_sudo_smartcard_enforce
- auth_ssh_smartcard_enforce
- - section: "SystemPreferences"
+ - auth_smartcard_certificate_trust_enforce_moderate
+ - auth_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - section: "auditing"
rules:
- - sysprefs_ad_tracking_disable
- - sysprefs_afp_disable
- - sysprefs_apple_watch_unlock_disable
- - sysprefs_automatic_login_disable
- - sysprefs_bluetooth_disable
- - sysprefs_bluetooth_sharing_disable
- - sysprefs_content_caching_disable
- - sysprefs_diagnostics_reports_disable
- - sysprefs_filevault_enforce
- - sysprefs_find_my_disable
- - sysprefs_firewall_enable
- - sysprefs_firewall_stealth_mode_enable
- - sysprefs_gatekeeper_identified_developers_allowed
- - sysprefs_gatekeeper_override_disallow
- - sysprefs_hot_corners_disable
- - sysprefs_improve_siri_dictation_disable
- - sysprefs_internet_sharing_disable
- - sysprefs_location_services_disable
- -
sysprefs_loginwindow_prompt_username_password_enforce
- - sysprefs_password_hints_disable
- - sysprefs_rae_disable
- - sysprefs_screensaver_ask_for_password_delay_enforce
- - sysprefs_screensaver_password_enforce
- - sysprefs_screensaver_timeout_enforce
- - sysprefs_screen_sharing_disable
- - sysprefs_siri_disable
- - sysprefs_smbd_disable
- - sysprefs_ssh_enable
- - sysprefs_time_server_configure
- - sysprefs_time_server_enforce
- - sysprefs_token_removal_enforce
- - sysprefs_touchid_unlock_disable
- - section: "iCloud"
+ - audit_folder_group_configure
+ - audit_failure_halt
+ - audit_acls_folders_configure
+ - audit_flags_fm_configure
+ - audit_auditd_enabled
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_files_mode_configure
+ - audit_flags_aa_configure
+ - audit_files_owner_configure
+ - audit_retention_configure
+ - audit_flags_fr_configure
+ - audit_folder_owner_configure
+ - audit_flags_lo_configure
+ - audit_flags_fw_configure
+ - audit_folders_mode_configure
+ - audit_files_group_configure
+ - audit_acls_files_configure
+ - section: "macos"
rules:
- - icloud_addressbook_disable
- - icloud_calendar_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_reminders_disable
- - icloud_appleid_prefpane_disable
- - icloud_bookmarks_disable
- - icloud_drive_disable
- - icloud_keychain_disable
- - icloud_photos_disable
- - icloud_sync_disable
- - section: "macOS"
- rules:
- - os_sip_enable
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_bonjour_disable
- - os_calendar_app_disable
- - os_camera_disable
- - os_certificate_authority_trust
- - os_facetime_app_disable
- - os_filevault_autologin_disable
- os_firewall_default_deny_require
- - os_firewall_log_enable
+ - os_ssh_client_alive_count_max_configure
- os_firmware_password_require
- - os_guest_access_afp_disable
- - os_guest_access_smb_disable
+ - os_power_nap_disable
+ - os_gatekeeper_rearm
+ - os_root_disable
+ - os_policy_banner_ssh_enforce
+ -
os_password_proximity_disable
+ - os_mdm_require
+ - os_screensaver_loginwindow_enforce
- os_handoff_disable
- - os_home_folders_secure
+ - os_firewall_log_enable
+ - os_system_wide_preferences_configure
+ - os_tftpd_disable
+ - os_password_autofill_disable
+ - os_password_sharing_disable
+ - os_ssh_fips_140_ciphers
+ - os_ssh_login_grace_time_configure
+ - os_uucp_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_touchid_prompt_disable
+ - os_filevault_autologin_disable
+ - os_messages_app_disable
+ - os_airdrop_disable
+ - os_parental_controls_enable
+ - os_system_read_only
+ - os_nfsd_disable
- os_httpd_disable
- - os_icloud_storage_prompt_disable
+ - os_gatekeeper_enable
+ - os_sip_enable
+ - os_removable_media_disable
+ - os_guest_access_smb_disable
+ - os_policy_banner_ssh_configure
+ - os_time_server_enabled
+ - os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
+ - os_siri_prompt_disable
+ - os_appleid_prompt_disable
+ - os_certificate_authority_trust
+ - os_ssh_fips_140_macs
+ - os_home_folders_secure
+ - os_facetime_app_disable
+ - os_guest_access_afp_disable
+ - os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- - os_messages_app_disable
- - os_nfsd_disable
- - os_parental_controls_enable
- - os_password_autofill_disable
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_power_nap_disable
- - os_removable_media_disable
- - os_root_disable
- - os_ssh_permit_root_login_configure
- - os_screensaver_loginwindow_enforce
- - os_siri_prompt_disable
- - os_ssh_client_alive_count_max_configure
- os_ssh_client_alive_interval_configure
- - os_ssh_fips_140_ciphers
- - os_ssh_fips_140_macs
- - os_ssh_login_grace_time_configure
- - os_sudoers_tty_configure
- - os_system_wide_preferences_configure
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_mdm_require
- -
os_unlock_active_user_session_disable
- - os_uucp_disable
- - section: "PasswordPolicy"
+ - os_bonjour_disable
+ - os_calendar_app_disable
+ - section: "passwordpolicy"
rules:
- - pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
+ - pwpolicy_lower_case_character_enforce
+ - pwpolicy_account_lockout_timeout_enforce
- pwpolicy_special_character_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_minimum_length_enforce
- pwpolicy_upper_case_character_enforce
+ - pwpolicy_60_day_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - section: "icloud"
+ rules:
+ - icloud_photos_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - icloud_appleid_prefpane_disable
+ - icloud_keychain_disable
+ - icloud_notes_disable
+ - icloud_drive_disable
+ - icloud_bookmarks_disable
+ - icloud_mail_disable
+ - icloud_calendar_disable
+ - icloud_addressbook_disable
+ - section: "systempreferences"
+ rules:
+ - sysprefs_smbd_disable
+ - sysprefs_firewall_stealth_mode_enable
+ - sysprefs_ad_tracking_disable
+ - sysprefs_internet_sharing_disable
+ - sysprefs_rae_disable
+ - sysprefs_ssh_enable
+ - sysprefs_screensaver_password_enforce
+ - sysprefs_gatekeeper_identified_developers_allowed
+ - sysprefs_gatekeeper_override_disallow
+ - sysprefs_screensaver_timeout_enforce
+ - sysprefs_firewall_enable
+ - sysprefs_find_my_disable
+ - sysprefs_afp_disable
+ - sysprefs_content_caching_disable
+ - sysprefs_location_services_disable
+ - sysprefs_time_server_configure
+ - sysprefs_diagnostics_reports_disable
+ - sysprefs_bluetooth_disable
+ - sysprefs_loginwindow_prompt_username_password_enforce
+ - sysprefs_automatic_login_disable
+ -
sysprefs_apple_watch_unlock_disable
+ - sysprefs_token_removal_enforce
+ - sysprefs_screensaver_ask_for_password_delay_enforce
+ - sysprefs_time_server_enforce
+ - sysprefs_touchid_unlock_disable
+ - sysprefs_screen_sharing_disable
+ - sysprefs_hot_corners_disable
+ - sysprefs_siri_disable
+ - sysprefs_filevault_enforce
+ - sysprefs_password_hints_disable
+ - sysprefs_bluetooth_sharing_disable
+ - sysprefs_improve_siri_dictation_disable
- section: "Inherent"
rules:
+ - os_prevent_priv_functions
+ - os_logical_access
- os_implement_memory_protection
- os_implement_cryptography
- - os_logical_access
- os_obscure_password
- - os_prevent_priv_functions
- - os_prevent_unauthorized_disclosure
- - os_required_crypto_module
- - os_separate_fuctionality
- - os_store_encrypted_passwords
- os_terminate_session_inactivity
- - pwpolicy_emergency_accounts_disable
- - pwpolicy_force_password_change
+ - os_required_crypto_module
+ - os_store_encrypted_passwords
+ - os_prevent_unauthorized_disclosure
+ - os_separate_fuctionality
- pwpolicy_temporary_accounts_disable
+ - pwpolicy_force_change_password_change
+ - pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
- - audit_enforce_dual_auth
- - os_auth_peripherals
- - os_notify_account_created
- - os_notify_account_disabled
+ - os_request_verification_name_resolution
- os_notify_account_enable
+ - os_provide_automated_account_management
+ - os_notify_account_created
- os_notify_account_modified
- os_notify_account_removal
+ - os_auth_peripherals
+ - os_continuous_monitoring
+ - os_notify_account_disabled
- os_protect_dos_attacks
- - os_provide_automated_account_management
- pwpolicy_50_percent
- sysprefs_wifi_disable
- section: "not_applicable"
- rules:
+ rules:
- os_identify_non-org_users
- - os_request_verification_name_resolution
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
- - supplemental_controls
\ No newline at end of file
+ -
supplemental_controls
+
\ No newline at end of file
diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
index b9566e55..6ed66e25 100644
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
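Review bot: Three controls leave the Moderate baseline with no replacement on the added side: os_camera_disable, os_ssh_permit_root_login_configure and os_sudoers_tty_configure are removed from the macOS section and not re-added anywhere in the hunk (audit_enforce_dual_auth likewise disappears from "Permanent"), while the all_rules baseline later in this patch still carries all three. Dropping the SSH PermitRootLogin and sudo tty rules from Moderate is a security-relevant regression if unintended, so either restore them or record the rationale in the commit message. The file also now ends with a whitespace-only `+ ` line immediately before `\ No newline at end of file`, which yamllint flags as trailing whitespace and a missing final newline; the generator should strip trailing spaces and terminate the file with a newline.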
@@ -2,220 +2,230 @@ title: "macOS 10.15 (Catalina): Security Configuration - All Rules"
description: |
This guide describes the actions to take when securing a macOS 10.15 system using every available rule.
profile:
- - section: "Auditing"
- rules:
- - audit_auditd_enabled
- - audit_acls_files_configure
- - audit_files_mode_configure
- - audit_acls_folders_configure
- - audit_folders_mode_configure
- - audit_configure_capacity_notify
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_fm_configure
- - audit_flags_lo_configure
- - audit_flags_ex_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_retention_configure
- - audit_settings_failure_notify
- - section: "Authentication"
+ - section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- - auth_smartcard_enforce
+ - auth_pam_sudo_smartcard_enforce
+ - auth_ssh_smartcard_enforce
- auth_smartcard_certificate_trust_enforce_high
- auth_smartcard_certificate_trust_enforce_moderate
- - auth_ssh_smartcard_enforce
- - section: "SystemPreferences"
+ - auth_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - section: "srg"
rules:
- - sysprefs_ad_tracking_disable
- - sysprefs_afp_disable
- - sysprefs_apple_watch_unlock_disable
- - sysprefs_automatic_login_disable
- - sysprefs_bluetooth_disable
- - sysprefs_bluetooth_sharing_disable
- - sysprefs_content_caching_disable
- - sysprefs_diagnostics_reports_disable
- - sysprefs_filevault_enforce
- - sysprefs_find_my_disable
- - sysprefs_firewall_enable
- - sysprefs_firewall_stealth_mode_enable
- - sysprefs_gatekeeper_identified_developers_allowed
- - sysprefs_gatekeeper_override_disallow
- - sysprefs_hot_corners_disable
- - sysprefs_improve_siri_dictation_disable
- -
sysprefs_internet_sharing_disable
- - sysprefs_location_services_disable
- - sysprefs_loginwindow_prompt_username_password_enforce
- - sysprefs_media_sharing_disabled
- - sysprefs_password_hints_disable
- - sysprefs_rae_disable
- - sysprefs_screensaver_ask_for_password_delay_enforce
- - sysprefs_screensaver_password_enforce
- - sysprefs_screensaver_timeout_enforce
- - sysprefs_screen_sharing_disable
- - sysprefs_siri_disable
- - sysprefs_smbd_disable
- - sysprefs_ssh_enable
- - sysprefs_time_server_configure
- - sysprefs_time_server_enforce
- - sysprefs_token_removal_enforce
- - sysprefs_touchid_unlock_disable
- - section: "iCloud"
+ - srg_filevault_user_account
+ - srg_anti_virus_installed
+ - section: "auditing"
rules:
- - icloud_addressbook_disable
- - icloud_calendar_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_reminders_disable
- - icloud_appleid_prefpane_disable
- - icloud_bookmarks_disable
- - icloud_drive_disable
- - icloud_keychain_disable
- - icloud_photos_disable
- - icloud_sync_disable
- - section: "macOS"
+ - audit_folder_group_configure
+ - audit_failure_halt
+ - audit_acls_folders_configure
+ - audit_flags_fm_configure
+ - audit_auditd_enabled
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_files_mode_configure
+ - audit_flags_aa_configure
+ - audit_files_owner_configure
+ - audit_retention_configure
+ - audit_flags_fr_configure
+ - audit_settings_failure_notify
+ - audit_folder_owner_configure
+ - audit_flags_lo_configure
+ - audit_flags_fw_configure
+ - audit_folders_mode_configure
+ - audit_configure_capacity_notify
+ - audit_files_group_configure
+ - audit_acls_files_configure
+ - section: "macos"
rules:
- - os_sip_enable
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_bonjour_disable
- - os_calendar_app_disable
- - os_camera_disable
- - os_certificate_authority_trust
- - os_facetime_app_disable
- - os_filevault_autologin_disable
- os_firewall_default_deny_require
- - os_firewall_log_enable
+
- os_ssh_client_alive_count_max_configure
- os_firmware_password_require
- - os_gatekeeper_enable
- - os_guest_access_afp_disable
- - os_guest_access_smb_disable
+ - os_power_nap_disable
+ - os_gatekeeper_rearm
+ - os_root_disable
- os_guest_account_disable
+ - os_policy_banner_ssh_enforce
+ - os_password_proximity_disable
+ - os_mdm_require
+ - os_screensaver_loginwindow_enforce
- os_handoff_disable
- - os_home_folders_secure
+ - os_firewall_log_enable
+ - os_system_wide_preferences_configure
+ - os_tftpd_disable
+ - os_password_autofill_disable
+ - os_password_sharing_disable
+ - os_ssh_fips_140_ciphers
+ - os_ssh_login_grace_time_configure
+ - os_privacy_setup_prompt_disable
+ - os_secure_boot_verify
+ - os_sudoers_tty_configure
+ - os_uucp_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_user_app_installation_prohibit
+ - os_touchid_prompt_disable
+ - os_filevault_autologin_disable
+ - os_messages_app_disable
+ - os_airdrop_disable
+ - os_parental_controls_enable
+ - os_system_read_only
+ - os_nfsd_disable
- os_httpd_disable
- - os_icloud_storage_prompt_disable
+ - os_gatekeeper_enable
+ - os_sip_enable
+ - os_removable_media_disable
+ - os_guest_access_smb_disable
+ - os_policy_banner_ssh_configure
+ - os_time_server_enabled
+ - os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
+ - os_siri_prompt_disable
+ - os_appleid_prompt_disable
+ - os_certificate_authority_trust
+ - os_ssh_fips_140_macs
+ - os_home_folders_secure
+ - os_facetime_app_disable
+ - os_camera_disable
+ - os_guest_access_afp_disable
+ - os_icloud_storage_prompt_disable
+ - os_ssh_permit_root_login_configure
- os_ir_support_disable
- os_mail_app_disable
- - os_messages_app_disable
- - os_nfsd_disable
- - os_parental_controls_enable
- - os_password_autofill_disable
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_power_nap_disable
- - os_privacy_setup_prompt_disable
- - os_removable_media_disable
- - os_root_disable
- - os_screensaver_loginwindow_enforce
- - os_secure_boot_verify
- - os_siri_prompt_disable
- - os_ssh_client_alive_count_max_configure
- os_ssh_client_alive_interval_configure
- - os_ssh_fips_140_ciphers
- - os_ssh_fips_140_macs
- - os_ssh_login_grace_time_configure
- - os_ssh_permit_root_login_configure
- - os_sudoers_tty_configure
- - os_system_wide_preferences_configure
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_mdm_require
- - os_unlock_active_user_session_disable
- - os_user_app_installation_prohibit
- - os_uucp_disable
- - section: "PasswordPolicy"
+ - os_bonjour_disable
+ - os_calendar_app_disable
+ - section: "passwordpolicy"
rules:
- - pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
+ - pwpolicy_lower_case_character_enforce
+ - pwpolicy_account_lockout_timeout_enforce
- pwpolicy_special_character_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_minimum_length_enforce
- pwpolicy_upper_case_character_enforce
+ - pwpolicy_60_day_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - section: "icloud"
+ rules:
+ - icloud_photos_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - icloud_appleid_prefpane_disable
+ - icloud_keychain_disable
+ - icloud_notes_disable
+ - icloud_drive_disable
+ - icloud_bookmarks_disable
+ - icloud_mail_disable
+ - icloud_calendar_disable
+ - icloud_addressbook_disable
+ - section: "systempreferences"
+ rules:
+ - sysprefs_smbd_disable
+ - sysprefs_firewall_stealth_mode_enable
+ - sysprefs_ad_tracking_disable
+ - sysprefs_internet_sharing_disable
+ - sysprefs_rae_disable
+ - sysprefs_ssh_enable
+ - sysprefs_media_sharing_disabled
+ - sysprefs_screensaver_password_enforce
+ - sysprefs_gatekeeper_identified_developers_allowed
+ - sysprefs_gatekeeper_override_disallow
+ - sysprefs_screensaver_timeout_enforce
+ - sysprefs_firewall_enable
+ - sysprefs_find_my_disable
+ - sysprefs_afp_disable
+ - sysprefs_content_caching_disable
+ - sysprefs_location_services_disable
+ - sysprefs_time_server_configure
+ - sysprefs_diagnostics_reports_disable
+ - sysprefs_bluetooth_disable
+ - sysprefs_loginwindow_prompt_username_password_enforce
+ - sysprefs_automatic_login_disable
+ - sysprefs_apple_watch_unlock_disable
+ - sysprefs_token_removal_enforce
+ - sysprefs_screensaver_ask_for_password_delay_enforce
+ - sysprefs_time_server_enforce
+ - sysprefs_touchid_unlock_disable
+ - sysprefs_screen_sharing_disable
+ - sysprefs_hot_corners_disable
+ - sysprefs_siri_disable
+ - sysprefs_filevault_enforce
+ - sysprefs_password_hints_disable
+ - sysprefs_bluetooth_sharing_disable
+ - sysprefs_improve_siri_dictation_disable
+ - section: "Inherent"
+ rules:
+ - os_enforce_access_restrictions
+ - os_limit_gui_sessions
+ - os_prevent_priv_functions
+ - os_logical_access
+ - os_verify_remote_disconnection
+ - os_logoff_capability_and_message
+ - os_fail_secure_state
+ - os_limit_auditable_events
+ - os_prevent_priv_execution
+ - os_allow_info_passed
+ - os_mfa_network_non-priv
+ - os_remove_software_components_after_updates
+ - os_implement_memory_protection
+ - os_implement_cryptography
+ - os_remote_access_methods
+ - os_obscure_password
+ - os_terminate_session_inactivity
+ - os_predictable_behavior
+ - os_reauth_users_change_authenticators
+ - os_map_pki_identity
+ - os_unique_identification
+ - os_provide_disconnect_remote_access
+ - os_isolate_security_functions
+ - os_required_crypto_module
+ - os_grant_privs
+ - os_store_encrypted_passwords
+ - os_prevent_unauthorized_disclosure
+ - os_terminate_session
+ - os_change_security_attributes
+ -
os_mfa_network_access
+ - os_peripherals_identify
+ - os_error_message
+ - os_separate_fuctionality
+ - os_crypto_audit
+ - os_reauth_privilege
+ - pwpolicy_temporary_accounts_disable
+ - pwpolicy_force_change_password_change
+ - pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
- - audit_alert_processing_fail
- - audit_enforce_dual_auth
- audit_off_load_records
- - os_limit_dos_attacks
- - os_notify_account_created
- - os_notify_account_disabled
+ - audit_enforce_dual_auth
+ - audit_alert_processing_fail
+ - os_request_verification_name_resolution
+ - os_reauth_devices_change_authenticators
- os_notify_account_enable
+ - os_provide_automated_account_management
+ - os_notify_account_created
- os_notify_account_modified
- os_notify_account_removal
- - os_notify_unauthorized_baseline_change
+ - os_auth_peripherals
+ - os_limit_dos_attacks
+ - os_continuous_monitoring
+ - os_notify_account_disabled
- os_protect_dos_attacks
- - os_provide_automated_account_management
- - os_reauth_devices_change_authenticators
+ - os_notify_unauthorized_baseline_change
- pwpolicy_50_percent
- pwpolicy_prevent_dictionary_words
- sysprefs_wifi_disable
- - section: "Not_Applicable"
- rules:
- - os_auth_peripherals
+ - section: "not_applicable"
+ rules:
- os_identify_non-org_users
- - os_request_verification_name_resolution
- - section: "Inherent"
- rules:
- - os_allow_info_passed
- - os_change_security_attributes
- - os_crypto_audit
- - os_enforce_access_restrictions
- - os_error_message
- - os_fail_secure_state
- - os_grant_privs
- - os_implement_memory_protection
- - os_implement_cryptography
- - os_isolate_security_functions
- - os_limit_auditable_events
- - os_limit_gui_sessions
- - os_logical_access
- - os_logoff_capability_and_message
- - os_map_pki_identity
- - os_mfa_network_access
- - os_mfa_network_non-priv
- - os_obscure_password
- - os_peripherals_identify
- - os_predictable_behavior
- - os_prevent_priv_execution
- - os_prevent_priv_functions
- -
os_prevent_unauthorized_disclosure
- - os_provide_disconnect_remote_access
- - os_reauth_privilege
- - os_reauth_users_change_authenticators
- - os_remote_access_methods
- - os_remove_software_components_after_updates
- - os_required_crypto_module
- - os_separate_fuctionality
- - os_store_encrypted_passwords
- - os_terminate_session
- - os_terminate_session_inactivity
- - os_unique_identification
- - os_verify_remote_disconnection
- - pwpolicy_emergency_accounts_disable
- - pwpolicy_force_password_change
- - pwpolicy_temporary_accounts_disable
- section: "Supplemental"
rules:
- - supplemental_smartcard
- supplemental_firewall_pf
- supplemental_password_policy
+ - supplemental_smartcard
+ - supplemental_controls
+
diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml
index d38bf6c2..7ab3942c 100644
--- a/baselines/cnssi-1253.yaml
+++ b/baselines/cnssi-1253.yaml
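Review bot: The Inherent list now references `pwpolicy_force_change_password_change` in place of the removed `pwpolicy_force_password_change`; nothing visible in this patch shows a rule file by the new id and the doubled "change" looks like an accidental rename, so verify that a rule with that id exists (or revert to the old id) before merging, since an unresolvable rule id breaks every baseline that references it. Section naming has become mixed: the generated sections are lowercased (`authentication`, `srg`, `auditing`, `macos`, `passwordpolicy`, `icloud`, `systempreferences`) while `Inherent`, `Permanent` and `Supplemental` stay capitalized next to `not_applicable`; pick one convention, because any script that keys on section names will otherwise have to accept both spellings. The order within each section appears to follow set or dict iteration rather than a sort, so every regeneration will churn the whole file; sorting rule ids on output keeps these diffs reviewable.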
@@ -2,180 +2,184 @@ title: "macOS 10.15 (Catalina): Security Configuration - 800-53 Moderate"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 MODERATE baseline.
profile:
- - section: "Auditing"
- rules:
- - audit_auditd_enabled
- - audit_acls_files_configure
- - audit_files_mode_configure
- - audit_acls_folders_configure
- - audit_folders_mode_configure
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_fm_configure
- - audit_flags_lo_configure
- - audit_flags_ex_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_retention_configure
- - section: "Authentication"
+ - section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- - auth_smartcard_enforce
- - auth_smartcard_certificate_trust_enforce_moderate
+ - auth_pam_sudo_smartcard_enforce
- auth_ssh_smartcard_enforce
- - section: "SystemPreferences"
+ - auth_smartcard_certificate_trust_enforce_moderate
+ - auth_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - section: "auditing"
rules:
- - sysprefs_ad_tracking_disable
- - sysprefs_afp_disable
- - sysprefs_apple_watch_unlock_disable
- - sysprefs_automatic_login_disable
- - sysprefs_bluetooth_disable
- - sysprefs_bluetooth_sharing_disable
- - sysprefs_content_caching_disable
- - sysprefs_diagnostics_reports_disable
- - sysprefs_filevault_enforce
- - sysprefs_find_my_disable
- - sysprefs_firewall_enable
- - sysprefs_firewall_stealth_mode_enable
- - sysprefs_gatekeeper_identified_developers_allowed
- - sysprefs_gatekeeper_override_disallow
- - sysprefs_hot_corners_disable
- - sysprefs_improve_siri_dictation_disable
- - sysprefs_internet_sharing_disable
- - sysprefs_location_services_disable
- - sysprefs_loginwindow_prompt_username_password_enforce
- - sysprefs_password_hints_disable
- - sysprefs_rae_disable
- - sysprefs_screensaver_ask_for_password_delay_enforce
- - sysprefs_screensaver_password_enforce
- - sysprefs_screensaver_timeout_enforce
- - sysprefs_screen_sharing_disable
- - sysprefs_siri_disable
- - sysprefs_smbd_disable
- - sysprefs_ssh_enable
- - sysprefs_time_server_configure
- - sysprefs_time_server_enforce
- - sysprefs_token_removal_enforce
- - sysprefs_touchid_unlock_disable
- - section: "iCloud"
+ - audit_folder_group_configure
+ - audit_failure_halt
+ - audit_acls_folders_configure
+ - audit_flags_fm_configure
+ - audit_auditd_enabled
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_files_mode_configure
+ - audit_flags_aa_configure
+ - audit_files_owner_configure
+ - audit_retention_configure
+ - audit_flags_fr_configure
+ - audit_folder_owner_configure
+ - audit_flags_lo_configure
+ - audit_flags_fw_configure
+ - audit_folders_mode_configure
+ - audit_files_group_configure
+ - audit_acls_files_configure
+ - section: "macos"
rules:
- - icloud_addressbook_disable
- - icloud_calendar_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_reminders_disable
- - icloud_appleid_prefpane_disable
- - icloud_bookmarks_disable
- - icloud_drive_disable
- - icloud_keychain_disable
- - icloud_photos_disable
- - icloud_sync_disable
- - section: "macOS"
- rules:
- - os_sip_enable
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_bonjour_disable
- - os_calendar_app_disable
- - os_camera_disable
- - os_certificate_authority_trust
- - os_facetime_app_disable
- - os_filevault_autologin_disable
- os_firewall_default_deny_require
- - os_firewall_log_enable
- - os_firmware_password_require
- - os_guest_access_afp_disable
- - os_guest_access_smb_disable
- - os_handoff_disable
- - os_home_folders_secure
- - os_httpd_disable
- - os_icloud_storage_prompt_disable
- - os_internet_accounts_prefpane_disable
- - os_ir_support_disable
- - os_mail_app_disable
- - os_messages_app_disable
- - os_nfsd_disable
- - os_parental_controls_enable
- - os_password_autofill_disable
- - os_password_proximity_disable
- - os_password_sharing_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_power_nap_disable
- - os_removable_media_disable
- - os_root_disable
- - os_ssh_permit_root_login_configure
- - os_screensaver_loginwindow_enforce
- - os_siri_prompt_disable
- os_ssh_client_alive_count_max_configure
- - os_ssh_client_alive_interval_configure
+ - os_firmware_password_require
+ - os_power_nap_disable
+ - os_gatekeeper_rearm
+ - os_root_disable
+ - os_policy_banner_ssh_enforce
+ - os_password_proximity_disable
+ - os_mdm_require
+ - os_screensaver_loginwindow_enforce
+ - os_handoff_disable
+ - os_firewall_log_enable
+ - os_system_wide_preferences_configure
+ - os_tftpd_disable
+ - os_password_autofill_disable
+ - os_password_sharing_disable
- os_ssh_fips_140_ciphers
- - os_ssh_fips_140_macs
- os_ssh_login_grace_time_configure
- os_sudoers_tty_configure
- - os_system_wide_preferences_configure
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_mdm_require
- - os_unlock_active_user_session_disable
- os_uucp_disable
- - section: "PasswordPolicy"
+ - os_policy_banner_loginwindow_enforce
+ - os_touchid_prompt_disable
+ - os_filevault_autologin_disable
+ - os_messages_app_disable
+ - os_airdrop_disable
+ - os_parental_controls_enable
+ - os_nfsd_disable
+ - os_httpd_disable
+ - os_gatekeeper_enable
+ - os_sip_enable
+ - os_removable_media_disable
+ - os_guest_access_smb_disable
+ - os_policy_banner_ssh_configure
+ - os_time_server_enabled
+ - os_unlock_active_user_session_disable
+ - os_internet_accounts_prefpane_disable
+ - os_siri_prompt_disable
+ - os_appleid_prompt_disable
+ - os_certificate_authority_trust
+ - os_ssh_fips_140_macs
+ - os_home_folders_secure
+ - os_facetime_app_disable
+ - os_guest_access_afp_disable
+ - os_icloud_storage_prompt_disable
+ - os_ir_support_disable
+ - os_mail_app_disable
+ - os_ssh_client_alive_interval_configure
+ - os_bonjour_disable
+ - os_calendar_app_disable
+ - section: "passwordpolicy"
rules:
- - pwpolicy_60_day_enforce
- pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- pwpolicy_history_enforce
- - pwpolicy_lower_case_character_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_account_lockout_enforce
- pwpolicy_simple_sequence_disable
+ - pwpolicy_lower_case_character_enforce
+ - pwpolicy_account_lockout_timeout_enforce
- pwpolicy_special_character_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_minimum_length_enforce
- pwpolicy_upper_case_character_enforce
+ - pwpolicy_60_day_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - section: "icloud"
+ rules:
+ - icloud_photos_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - icloud_appleid_prefpane_disable
+ - icloud_keychain_disable
+ - icloud_notes_disable
+ - icloud_drive_disable
+ - icloud_bookmarks_disable
+ - icloud_mail_disable
+ - icloud_calendar_disable
+ - icloud_addressbook_disable
+ - section: "systempreferences"
+ rules:
+ - sysprefs_smbd_disable
+ - sysprefs_firewall_stealth_mode_enable
+ - sysprefs_ad_tracking_disable
+ - sysprefs_internet_sharing_disable
+ - sysprefs_rae_disable
+ - sysprefs_ssh_enable
+ - sysprefs_screensaver_password_enforce
+ - sysprefs_gatekeeper_identified_developers_allowed
+ - sysprefs_gatekeeper_override_disallow
+ - sysprefs_screensaver_timeout_enforce
+ - sysprefs_firewall_enable
+ - sysprefs_find_my_disable
+ - sysprefs_afp_disable
+ - sysprefs_content_caching_disable
+ - sysprefs_location_services_disable
+ - sysprefs_time_server_configure
+ - sysprefs_diagnostics_reports_disable
+ - sysprefs_bluetooth_disable
+ - sysprefs_loginwindow_prompt_username_password_enforce
+ - sysprefs_automatic_login_disable
+ - sysprefs_apple_watch_unlock_disable
+ - sysprefs_token_removal_enforce
+ - sysprefs_screensaver_ask_for_password_delay_enforce
+ - sysprefs_time_server_enforce
+ - sysprefs_touchid_unlock_disable
+ - sysprefs_screen_sharing_disable
+ - sysprefs_hot_corners_disable
+ - sysprefs_siri_disable
+ - sysprefs_filevault_enforce
+ - sysprefs_password_hints_disable
+ - sysprefs_bluetooth_sharing_disable
+ - sysprefs_improve_siri_dictation_disable
- section: "Inherent"
rules:
+ - os_prevent_priv_functions
+ - os_logical_access
- os_implement_memory_protection
- os_implement_cryptography
- - os_logical_access
- os_obscure_password
- - os_prevent_priv_functions
- - os_prevent_unauthorized_disclosure
- - os_required_crypto_module
- - os_separate_fuctionality
- - os_store_encrypted_passwords
- os_terminate_session_inactivity
- - pwpolicy_emergency_accounts_disable
- - pwpolicy_force_password_change
+ - os_map_pki_identity
+ - os_required_crypto_module
+ - os_store_encrypted_passwords
+ - os_prevent_unauthorized_disclosure
+ - os_separate_fuctionality
- pwpolicy_temporary_accounts_disable
+ - pwpolicy_force_change_password_change
+ - pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
- - audit_enforce_dual_auth
- - os_auth_peripherals
- - os_notify_account_created
- - os_notify_account_disabled
+ - os_request_verification_name_resolution
- os_notify_account_enable
+ - os_provide_automated_account_management
+ - os_notify_account_created
- os_notify_account_modified
- os_notify_account_removal
+ - os_auth_peripherals
+ - os_continuous_monitoring
+ - os_notify_account_disabled
- os_protect_dos_attacks
- - os_provide_automated_account_management
- pwpolicy_50_percent
- sysprefs_wifi_disable
- section: "not_applicable"
- rules:
+ rules:
- os_identify_non-org_users
- - os_request_verification_name_resolution
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_password_policy
- - supplemental_smartcard
\ No newline at end of file
+ - supplemental_smartcard
+ - supplemental_controls
+ 
\ No newline at end of file
diff --git a/rules/os/os_continuous_monitoring.yaml b/rules/os/os_continuous_monitoring.yaml
new file mode 100644
index 00000000..0ef8449b
--- /dev/null
+++ b/rules/os/os_continuous_monitoring.yaml
@@ -0,0 +1,29 @@
+id: os_continuous_monitoring
+title: "Configure Automated Flaw Remediation"
+discussion: |
+ The macOS system _MUST_ be configured to determine the state of system components with regard to flaw remediation.
+check: |
+ The technology does not support this requirement. This is an applicable-does not meet finding.
+fix: |
+ This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
+references:
+ cce:
+ - CCE-84892-9
+ cci:
+ - CCI-001233
+ 800-53r4:
+ - SI-2(2)
+ srg:
+ - SRG-OS-000191-GPOS-00080
+ disa_stig:
+ - AOSX-14-000015
+macOS:
+ - "10.15"
+tags:
+ - cnssi-1253
+ - fisma-moderate
+ - fisma-high
+ - permanent
+ - STIG
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml
index 1d12b594..4cbc0119 100644
--- a/rules/os/os_parental_controls_enable.yaml
+++ b/rules/os/os_parental_controls_enable.yaml
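Review bot: Three rules leave the cnssi-1253 profile in this hunk without being re-added anywhere in it — `os_camera_disable` and `os_ssh_permit_root_login_configure` from the macos section and `audit_enforce_dual_auth` from the Permanent section — and since the all_rules hunk earlier in this patch still carries `audit_enforce_dual_auth`, the drops look like a side effect of the wholesale reorder rather than a deliberate narrowing of the baseline; if they are intended the commit message should say so, otherwise the three entries should be restored. The non-alphabetical reorder of every list is what makes such drops hard to see, so keeping each section's rules sorted would let future baseline diffs be reviewed line by line. Section names are now mixed-case (`"authentication"`, `"macos"`, `"not_applicable"` next to `"Inherent"`, `"Permanent"`, `"Supplemental"`), which matters if any tooling keys on them. The context at the top of the hunk also still describes this cnssi-1253 file as `800-53 Moderate` in `title` and `NIST SP 800-53 MODERATE baseline` in `description`, which the commit does not correct.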
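Review bot: The new rule carries exactly the references of the `srg_hbss_installed` rule deleted later in this patch (CCE-84892-9, CCI-001233, SI-2(2), SRG-OS-000191-GPOS-00080, AOSX-14-000015) but swaps its actionable HBSS check for a permanent "does not meet" finding, and nothing in the file records that change of position; a sentence in `discussion` such as `Supersedes srg_hbss_installed; <reason SI-2(2) is treated as a permanent finding on this platform>.` (placeholder to be filled by the author) would let readers of the generated guide see the decision rather than infer it from git history. The id `os_continuous_monitoring` matches neither the title `Configure Automated Flaw Remediation` nor the SI-2(2) reference, so one should follow the other. In `check`, `applicable-does not meet finding` reads as a hyphenated word; `applicable - does not meet finding` is what the rest of the text intends.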
@@ -3,7 +3,7 @@ title: "Enable Parental Controls"
discussion: |
Parental Controls _MUST_ be enabled.
- Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).
+ Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).
Parental Controls on macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions.
check: |
diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_change_password_change.yaml
similarity index 100%
rename from rules/pwpolicy/pwpolicy_force_password_change.yaml
rename to rules/pwpolicy/pwpolicy_force_change_password_change.yaml
diff --git a/rules/srg/srg_hbss_installed.yaml b/rules/srg/srg_hbss_installed.yaml
deleted file mode 100644
index ff697e4d..00000000
--- a/rules/srg/srg_hbss_installed.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-id: srg_hbss_installed
-title: The macOS system must utilize an HBSS solution and implement all DoD required modules.
-discussion: |
- The macOS system must employ automated mechanisms to determine the state of system components. The DoD requires the installation and use of an approved HBSS solution to be implemented on the operating system. For additional information, reference all applicable HBSS OPORDs and FRAGOs on SIPRNet.
-check: |
- Verify that there is an approved HBSS solution installed on the system.
-
- If there is not an approved HBSS solution installed, this is a finding.
-
- Verify that all installed components of the HBSS Solution are at the DoD approved minimal version.
-
- If the installed components are not at the DoD approved minimal versions, this is a finding.
-fix: |
- Install an approved HBSS solution onto the system and ensure that all components are at least updated to their DoD approved minimal versions.
-references:
- cce:
- - CCE-84892-9
- cci:
- - CCI-001233
- 800-53r4:
- - SI-2(2)
- srg:
- - SRG-OS-000191-GPOS-00080
- disa_stig:
- - AOSX-14-000015
-macOS:
- - "10.15"
-tags:
- - cnssi-1253
- - fisma-moderate
- - fisma-high
- - STIG
-mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
From f9a46b37530651413ebae9c6c85da755fb24dfab Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Tue, 22 Sep 2020 17:04:34 -0400
Subject: [PATCH 6/6] baseline tweaks
---
baselines/800-171.yaml | 4 ----
baselines/800-53_high.yaml | 3 ---
baselines/800-53_low.yaml | 3 ---
baselines/all_rules.yaml | 3 ---
baselines/cnssi-1253.yaml | 4 ----
5 files changed, 17 deletions(-)
diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml
index b807fe58..72eb2b0b 100644
--- a/baselines/800-171.yaml
+++ b/baselines/800-171.yaml
@@ -161,9 +161,5 @@ profile:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
-<<<<<<< HEAD
- supplemental_controls
-=======
- - supplemental_controls
->>>>>>> 661ffb1f9a07b8625b6a5dd2e53cec8a61582bad
diff --git a/baselines/800-53_high.yaml b/baselines/800-53_high.yaml
index b402f5c7..b00b9509 100644
--- a/baselines/800-53_high.yaml
+++ b/baselines/800-53_high.yaml
@@ -190,7 +190,4 @@ profile:
- supplemental_password_policy
- supplemental_smartcard
- supplemental_controls
-<<<<<<< HEAD
-=======
->>>>>>> 661ffb1f9a07b8625b6a5dd2e53cec8a61582bad
diff --git a/baselines/800-53_low.yaml b/baselines/800-53_low.yaml
index 9d361df4..1ee38f21 100644
--- a/baselines/800-53_low.yaml
+++ b/baselines/800-53_low.yaml
@@ -136,7 +136,4 @@ profile:
- supplemental_password_policy
- supplemental_smartcard
- supplemental_controls
-<<<<<<< HEAD
-=======
->>>>>>> 661ffb1f9a07b8625b6a5dd2e53cec8a61582bad
diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
index 098dca1c..6ed66e25 100644
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -228,7 +228,4 @@ profile:
- supplemental_password_policy
- supplemental_smartcard
- supplemental_controls
-<<<<<<< HEAD
-=======
->>>>>>> 661ffb1f9a07b8625b6a5dd2e53cec8a61582bad
diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml
index e88af181..27436354 100644
--- a/baselines/cnssi-1253.yaml
+++ b/baselines/cnssi-1253.yaml
@@ -181,9 +181,5 @@ profile:
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard
-<<<<<<< HEAD
- supplemental_controls
-=======
- - supplemental_controls
->>>>>>> 661ffb1f9a07b8625b6a5dd2e53cec8a61582bad