added references

Bob Gendler
2021-10-13 16:07:38 -04:00
parent 67e6278bbd
commit f3b783cc14
14 changed files with 179 additions and 122 deletions


@@ -31,7 +31,12 @@ references:
disa_stig: disa_stig:
- N/A - N/A
800-171r2: 800-171r2:
- N/A - 3.1.20
- 3.4.6
cisv8:
- 4.1
- 4.8
- 15.3
macOS: macOS:
- "12.0" - "12.0"
tags: tags:


@@ -27,7 +27,7 @@ references:
disa_stig: disa_stig:
- N/A - N/A
800-171r2: 800-171r2:
- N/A - 3.4.6
cisv8: cisv8:
- 4.1 - 4.1
- 4.8 - 4.8


@@ -247,15 +247,9 @@ def output_baseline(rules, os, keyword):
output_text = f'title: "macOS {os}: Security Configuration - {keyword}"\n' output_text = f'title: "macOS {os}: Security Configuration - {keyword}"\n'
output_text += f'description: |\n This guide describes the actions to take when securing a macOS {os} system against the {keyword} baseline.\n' output_text += f'description: |\n This guide describes the actions to take when securing a macOS {os} system against the {keyword} baseline.\n'
output_text += f'authors: |\n |===\n |Name|Organization\n |===\n'
output_text += 'profile:\n' output_text += 'profile:\n'
# sort the rules
other_rules.sort()
inherent_rules.sort()
permanent_rules.sort()
na_rules.sort()
supplemental_rules.sort()
if len(other_rules) > 0: if len(other_rules) > 0:
for section in sections: for section in sections:
output_text += (' - section: "{}"\n'.format(section_title(section))) output_text += (' - section: "{}"\n'.format(section_title(section)))
@@ -367,4 +361,4 @@ def main():
os.chdir(original_working_directory) os.chdir(original_working_directory)
if __name__ == "__main__": if __name__ == "__main__":
main() main()
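Review bot: With the five `.sort()` calls gone from `output_baseline`, the order of the rules written under `profile:` depends on how `other_rules`, `inherent_rules` and the other lists were filled, which this hunk does not show. If that order comes from a directory listing, the same baseline can be emitted in a different order on another machine, which makes review diffs of a security baseline noisy. Unless the lists are already sorted earlier in the function, keep the sort next to the output, e.g. `other_rules.sort()` just before `if len(other_rules) > 0:`. The `authors` line is an f-string with no placeholders and writes a header-only table, so a comment such as `# stub table; the baseline owner fills in the author rows` would help. The function starts and ends outside the hunk.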


@@ -23,7 +23,7 @@ from collections import namedtuple
class MacSecurityRule(): class MacSecurityRule():
def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, custom_refs, tags, result_value, mobileconfig, mobileconfig_info, customized): def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, cisv8, custom_refs, tags, result_value, mobileconfig, mobileconfig_info, customized):
self.rule_title = title self.rule_title = title
self.rule_id = rule_id self.rule_id = rule_id
self.rule_severity = severity self.rule_severity = severity
@@ -36,6 +36,7 @@ class MacSecurityRule():
self.rule_800171 = nist_171 self.rule_800171 = nist_171
self.rule_disa_stig = disa_stig self.rule_disa_stig = disa_stig
self.rule_srg = srg self.rule_srg = srg
self.rule_cisv8 = cisv8
self.rule_custom_refs = custom_refs self.rule_custom_refs = custom_refs
self.rule_result_value = result_value self.rule_result_value = result_value
self.rule_tags = tags self.rule_tags = tags
@@ -56,6 +57,7 @@ class MacSecurityRule():
rule_cci=self.rule_cci, rule_cci=self.rule_cci,
rule_80053r5=self.rule_80053r5, rule_80053r5=self.rule_80053r5,
rule_disa_stig=self.rule_disa_stig, rule_disa_stig=self.rule_disa_stig,
rule_cisv8=self.rule_cisv8,
rule_srg=self.rule_srg, rule_srg=self.rule_srg,
rule_result=self.rule_result_value rule_result=self.rule_result_value
) )
@@ -389,56 +391,46 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign
for sections in baseline_yaml['profile']: for sections in baseline_yaml['profile']:
for profile_rule in sections['rules']: for profile_rule in sections['rules']:
logging.debug(f"checking for rule file for {profile_rule}") for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): rule_yaml = get_rule_yaml(rule, False)
rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0]
custom=True
logging.debug(f"{rule}")
elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)):
rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0]
custom=False
logging.debug(f"{rule}")
#for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
rule_yaml = get_rule_yaml(rule, custom)
if rule_yaml['mobileconfig']: if rule_yaml['mobileconfig']:
for payload_type, info in rule_yaml['mobileconfig_info'].items(): for payload_type, info in rule_yaml['mobileconfig_info'].items():
try: try:
if payload_type not in manifests['payloads_types']: if payload_type not in manifests['payloads_types']:
profile_errors.append(rule)
raise ValueError(
"{}: Payload Type is not supported".format(payload_type))
else:
pass
except (KeyError, ValueError) as e:
profile_errors.append(rule) profile_errors.append(rule)
raise ValueError( #print(e)
"{}: Payload Type is not supported".format(payload_type))
else:
pass pass
except (KeyError, ValueError) as e:
profile_errors.append(rule)
#print(e)
pass
try: try:
if isinstance(info, list): if isinstance(info, list):
raise ValueError( raise ValueError(
"Payload key is non-conforming") "Payload key is non-conforming")
else: else:
pass
except (KeyError, ValueError) as e:
profile_errors.append(rule)
#print(e)
pass pass
except (KeyError, ValueError) as e:
profile_errors.append(rule)
#print(e)
pass
if payload_type == "com.apple.ManagedClient.preferences": if payload_type == "com.apple.ManagedClient.preferences":
for payload_domain, settings in info.items(): for payload_domain, settings in info.items():
for key, value in settings.items(): for key, value in settings.items():
payload_settings = ( payload_settings = (
payload_domain, key, value) payload_domain, key, value)
profile_types.setdefault(
payload_type, []).append(payload_settings)
else:
for profile_key, key_value in info.items():
payload_settings = {profile_key: key_value}
profile_types.setdefault( profile_types.setdefault(
payload_type, []).append(payload_settings) payload_type, []).append(payload_settings)
else:
for profile_key, key_value in info.items():
payload_settings = {profile_key: key_value}
profile_types.setdefault(
payload_type, []).append(payload_settings)
if len(profile_errors) > 0: if len(profile_errors) > 0:
print("There are errors in the following files, please correct the .yaml file(s)!") print("There are errors in the following files, please correct the .yaml file(s)!")
@@ -579,9 +571,6 @@ plb="/usr/libexec/PlistBuddy"
CURRENT_USER=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {{ print $3 }}') CURRENT_USER=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {{ print $3 }}')
CURR_USER_UID=$(/usr/bin/id -u $CURR_USER) CURR_USER_UID=$(/usr/bin/id -u $CURR_USER)
# get system architecture
arch=$(/usr/bin/arch)
# configure colors for text # configure colors for text
RED='\e[31m' RED='\e[31m'
STD='\e[39m' STD='\e[39m'
@@ -755,6 +744,8 @@ fi
defaults write "$audit_plist" lastComplianceCheck "$(date)" defaults write "$audit_plist" lastComplianceCheck "$(date)"
""" """
#compliance_script_file.write(check_zsh_header)
# Read all rules in the section and output the check functions # Read all rules in the section and output the check functions
for sections in baseline_yaml['profile']: for sections in baseline_yaml['profile']:
for profile_rule in sections['rules']: for profile_rule in sections['rules']:
@@ -768,20 +759,13 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)"
custom=False custom=False
logging.debug(f"{rule}") logging.debug(f"{rule}")
#for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
rule_yaml = get_rule_yaml(rule, custom) rule_yaml = get_rule_yaml(rule, custom)
if rule_yaml['id'].startswith("supplemental"): if rule_yaml['id'].startswith("supplemental"):
continue continue
if "manual" in rule_yaml['tags']: if "manual" in rule_yaml['tags']:
continue continue
if "arm64" in rule_yaml['tags']:
arch="arm64"
elif "intel" in rule_yaml['tags']:
arch="i386"
else:
arch=""
# grab the 800-53 controls # grab the 800-53 controls
try: try:
rule_yaml['references']['800-53r5'] rule_yaml['references']['800-53r5']
@@ -790,6 +774,21 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)"
else: else:
nist_80053r5 = rule_yaml['references']['800-53r5'] nist_80053r5 = rule_yaml['references']['800-53r5']
#try:
# rule_yaml['references']['disa_stig']
#except KeyError:
# stig_ref = rule_yaml['id']
#else:
# if rule_yaml['references']['disa_stig'][0] == "N/A":
# stig_ref = [rule_yaml['id']]
# else:
# stig_ref = rule_yaml['references']['disa_stig']
#
#if "STIG" in baseline_yaml['title']:
# logging.debug(f'Setting STIG reference for logging: {stig_ref}')
# log_reference_id = stig_ref
#else:
# log_reference_id = [rule_yaml['id']]
if reference == "default": if reference == "default":
log_reference_id = [rule_yaml['id']] log_reference_id = [rule_yaml['id']]
else: else:
@@ -848,40 +847,31 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)"
zsh_check_text = """ zsh_check_text = """
#####----- Rule: {0} -----##### #####----- Rule: {0} -----#####
## Addresses the following NIST 800-53 controls: {1} ## Addresses the following NIST 800-53 controls: {1}
rule_arch="{6}" #echo 'Running the command to check the settings for: {0} ...' | tee -a "$audit_log"
if [[ "$arch" == "$rule_arch" ]] || [[ -z "$rule_arch" ]]; then unset result_value
#echo 'Running the command to check the settings for: {0} ...' | tee -a "$audit_log" result_value=$({2})
unset result_value # expected result {3}
result_value=$({2})
# expected result {3}
# check to see if rule is exempt
unset exempt
unset exempt_reason
exempt=$($plb -c "print {0}:exempt" "$audit_plist_managed" 2>/dev/null)
exempt_reason=$($plb -c "print {0}:exempt_reason" "$audit_plist_managed" 2>/dev/null)
# check to see if rule is exempt if [[ ! $exempt == "true" ]] || [[ -z $exempt ]];then
unset exempt if [[ $result_value == "{4}" ]]; then
unset exempt_reason echo "$(date -u) {5} passed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log"
exempt=$($plb -c "print {0}:exempt" "$audit_plist_managed" 2>/dev/null)
exempt_reason=$($plb -c "print {0}:exempt_reason" "$audit_plist_managed" 2>/dev/null)
if [[ ! $exempt == "true" ]] || [[ -z $exempt ]];then
if [[ $result_value == "{4}" ]]; then
echo "$(date -u) {5} passed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log"
defaults write "$audit_plist" {0} -dict-add finding -bool NO
else
echo "$(date -u) {5} failed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log"
defaults write "$audit_plist" {0} -dict-add finding -bool YES
fi
elif [[ ! -z "$exempt_reason" ]];then
echo "$(date -u) {5} has an exemption (Reason: "$exempt_reason")" | tee -a "$audit_log"
defaults write "$audit_plist" {0} -dict-add finding -bool NO defaults write "$audit_plist" {0} -dict-add finding -bool NO
/bin/sleep 1 else
echo "$(date -u) {5} failed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log"
defaults write "$audit_plist" {0} -dict-add finding -bool YES
fi fi
else elif [[ ! -z "$exempt_reason" ]];then
echo "$(date -u) {5} does not apply to this architechture" | tee -a "$audit_log" echo "$(date -u) {5} has an exemption (Reason: "$exempt_reason")" | tee -a "$audit_log"
defaults write "$audit_plist" {0} -dict-add finding -bool NO defaults write "$audit_plist" {0} -dict-add finding -bool NO
/bin/sleep 1
fi fi
""".format(rule_yaml['id'], nist_controls.replace("\n", "\n#"), check.strip(), result, result_value, ' '.join(log_reference_id), arch) """.format(rule_yaml['id'], nist_controls.replace("\n", "\n#"), check.strip(), result, result_value, ' '.join(log_reference_id))
check_function_string = check_function_string + zsh_check_text check_function_string = check_function_string + zsh_check_text
@@ -1124,7 +1114,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
top = xlwt.easyxf("align: vert top") top = xlwt.easyxf("align: vert top")
headers = xlwt.easyxf("font: bold on") headers = xlwt.easyxf("font: bold on")
counter = 1 counter = 1
column_counter = 14 column_counter = 15
custom_ref_column = {} custom_ref_column = {}
sheet1.write(0, 0, "CCE", headers) sheet1.write(0, 0, "CCE", headers)
sheet1.write(0, 1, "Rule ID", headers) sheet1.write(0, 1, "Rule ID", headers)
@@ -1138,8 +1128,9 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
sheet1.write(0, 9, "800-171", headers) sheet1.write(0, 9, "800-171", headers)
sheet1.write(0, 10, "SRG", headers) sheet1.write(0, 10, "SRG", headers)
sheet1.write(0, 11, "DISA STIG", headers) sheet1.write(0, 11, "DISA STIG", headers)
sheet1.write(0, 12, "CCI", headers) sheet1.write(0, 12, "CIS Controls v8", headers)
sheet1.write(0, 13, "Modifed Rule", headers) sheet1.write(0, 13, "CCI", headers)
sheet1.write(0, 14, "Modifed Rule", headers)
sheet1.set_panes_frozen(True) sheet1.set_panes_frozen(True)
sheet1.set_horz_split_pos(1) sheet1.set_horz_split_pos(1)
sheet1.set_vert_split_pos(2) sheet1.set_vert_split_pos(2)
@@ -1219,14 +1210,20 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
cci = (str(rule.rule_cci)).strip('[]\'') cci = (str(rule.rule_cci)).strip('[]\'')
cci = cci.replace(", ", "\n").replace("\'", "") cci = cci.replace(", ", "\n").replace("\'", "")
sheet1.write(counter, 12, cci, topWrap) cisv8_refs = (str(rule.rule_cisv8)).strip('[]\'')
sheet1.col(12).width = 400 * 15 cisv8_refs = cisv8_refs.replace(", ", "\n").replace("\'", "")
sheet1.write(counter, 12, cisv8_refs, topWrap)
sheet1.col(12).width = 500 * 15
sheet1.write(counter, 13, cci, topWrap)
sheet1.col(13).width = 400 * 15
customized = (str(rule.rule_customized)).strip('[]\'') customized = (str(rule.rule_customized)).strip('[]\'')
customized = customized.replace(", ", "\n").replace("\'", "") customized = customized.replace(", ", "\n").replace("\'", "")
sheet1.write(counter, 13, customized, topWrap) sheet1.write(counter, 14, customized, topWrap)
sheet1.col(13).width = 400 * 15 sheet1.col(14).width = 400 * 15
if rule.rule_custom_refs != ['None']: if rule.rule_custom_refs != ['None']:
for title, ref in rule.rule_custom_refs.items(): for title, ref in rule.rule_custom_refs.items():
@@ -1270,6 +1267,7 @@ def create_rules(baseline_yaml):
'cce', 'cce',
'800-53r5', '800-53r5',
'800-171r2', '800-171r2',
'cisv8',
'srg', 'srg',
'custom'] 'custom']
@@ -1312,6 +1310,7 @@ def create_rules(baseline_yaml):
rule_yaml['references']['800-171r2'], rule_yaml['references']['800-171r2'],
rule_yaml['references']['disa_stig'], rule_yaml['references']['disa_stig'],
rule_yaml['references']['srg'], rule_yaml['references']['srg'],
rule_yaml['references']['cisv8'],
rule_yaml['references']['custom'], rule_yaml['references']['custom'],
rule_yaml['tags'], rule_yaml['tags'],
rule_yaml['result'], rule_yaml['result'],
@@ -1475,7 +1474,8 @@ def main():
"adoc_section", "adoc_section",
"adoc_header", "adoc_header",
"adoc_footer", "adoc_footer",
"adoc_foreword", "adoc_foreword",
"adoc_scope",
"adoc_authors", "adoc_authors",
"adoc_acronyms", "adoc_acronyms",
"adoc_additional_docs" "adoc_additional_docs"
@@ -1514,9 +1514,12 @@ def main():
with open(adoc_templates_dict['adoc_foreword']) as adoc_foreword_file: with open(adoc_templates_dict['adoc_foreword']) as adoc_foreword_file:
adoc_foreword_template = adoc_foreword_file.read() + "\n" adoc_foreword_template = adoc_foreword_file.read() + "\n"
with open(adoc_templates_dict['adoc_scope']) as adoc_scope_file:
adoc_scope_template = Template(adoc_scope_file.read() +"\n")
with open(adoc_templates_dict['adoc_authors']) as adoc_authors_file: with open(adoc_templates_dict['adoc_authors']) as adoc_authors_file:
adoc_authors_template = adoc_authors_file.read() + "\n" adoc_authors_template = Template(adoc_authors_file.read() + "\n")
with open(adoc_templates_dict['adoc_acronyms']) as adoc_acronyms_file: with open(adoc_templates_dict['adoc_acronyms']) as adoc_acronyms_file:
adoc_acronyms_template = adoc_acronyms_file.read() + "\n" adoc_acronyms_template = adoc_acronyms_file.read() + "\n"
@@ -1535,6 +1538,11 @@ def main():
else: else:
adoc_STIG_show=":show_STIG!:" adoc_STIG_show=":show_STIG!:"
if "CIS" in baseline_yaml['title'].upper():
adoc_cisv8_show=":show_cisv8:"
else:
adoc_cisv8_show=":show_cisv8!:"
if "800" in baseline_yaml['title']: if "800" in baseline_yaml['title']:
adoc_171_show=":show_171:" adoc_171_show=":show_171:"
else: else:
@@ -1551,17 +1559,29 @@ def main():
tag_attribute=adoc_tag_show, tag_attribute=adoc_tag_show,
nist171_attribute=adoc_171_show, nist171_attribute=adoc_171_show,
stig_attribute=adoc_STIG_show, stig_attribute=adoc_STIG_show,
cisv8_attribute=adoc_cisv8_show,
version=version_yaml['version'], version=version_yaml['version'],
os_version=version_yaml['os'], os_version=version_yaml['os'],
release_date=version_yaml['date'] release_date=version_yaml['date']
) )
# Create scope
scope_adoc = adoc_scope_template.substitute(
scope_description=baseline_yaml['description']
)
# Create author
authors_adoc = adoc_authors_template.substitute(
authors_list=baseline_yaml['authors']
)
# Output header # Output header
adoc_output_file.write(header_adoc) adoc_output_file.write(header_adoc)
# write foreword, authors, acronyms, supporting docs # write foreword, authors, acronyms, supporting docs
adoc_output_file.write(adoc_foreword_template) adoc_output_file.write(adoc_foreword_template)
adoc_output_file.write(adoc_authors_template) adoc_output_file.write(scope_adoc)
adoc_output_file.write(authors_adoc)
adoc_output_file.write(adoc_acronyms_template) adoc_output_file.write(adoc_acronyms_template)
adoc_output_file.write(adoc_additional_docs_template) adoc_output_file.write(adoc_additional_docs_template)
@@ -1653,6 +1673,13 @@ def main():
else: else:
disa_stig = ulify(rule_yaml['references']['disa_stig']) disa_stig = ulify(rule_yaml['references']['disa_stig'])
try:
rule_yaml['references']['cisv8']
except KeyError:
cisv8 = '- N/A'
else:
cisv8 = ulify(rule_yaml['references']['cisv8'])
try: try:
rule_yaml['references']['srg'] rule_yaml['references']['srg']
except KeyError: except KeyError:
@@ -1735,6 +1762,7 @@ def main():
rule_80053r5=nist_controls, rule_80053r5=nist_controls,
rule_800171=nist_800171, rule_800171=nist_800171,
rule_disa_stig=disa_stig, rule_disa_stig=disa_stig,
rule_cisv8=cisv8,
rule_cce=cce, rule_cce=cce,
rule_tags=tags, rule_tags=tags,
rule_srg=srg rule_srg=srg
@@ -1750,6 +1778,7 @@ def main():
rule_80053r5=nist_controls, rule_80053r5=nist_controls,
rule_800171=nist_800171, rule_800171=nist_800171,
rule_disa_stig=disa_stig, rule_disa_stig=disa_stig,
rule_cisv8=cisv8,
rule_cce=cce, rule_cce=cce,
rule_custom_refs=custom_refs, rule_custom_refs=custom_refs,
rule_tags=tags, rule_tags=tags,
@@ -1767,6 +1796,7 @@ def main():
rule_80053r5=nist_controls, rule_80053r5=nist_controls,
rule_800171=nist_800171, rule_800171=nist_800171,
rule_disa_stig=disa_stig, rule_disa_stig=disa_stig,
rule_cisv8=cisv8,
rule_cce=cce, rule_cce=cce,
rule_tags=tags, rule_tags=tags,
rule_srg=srg, rule_srg=srg,
@@ -1805,16 +1835,14 @@ def main():
else: else:
print("If you would like to generate the HTML file from the AsciiDoc file, install the ruby gem for asciidoctor") print("If you would like to generate the HTML file from the AsciiDoc file, install the ruby gem for asciidoctor")
# Don't create PDF if we are generating SCAP asciidoctorPDF_path = is_asciidoctor_pdf_installed()
if not args.gary: if asciidoctorPDF_path != "":
asciidoctorPDF_path = is_asciidoctor_pdf_installed() print('Generating PDF file from AsciiDoc...')
if asciidoctorPDF_path != "": cmd = f"{asciidoctorPDF_path} \'{adoc_output_file.name}\'"
print('Generating PDF file from AsciiDoc...') process = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
cmd = f"{asciidoctorPDF_path} \'{adoc_output_file.name}\'" process.communicate()
process = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True) else:
process.communicate() print("If you would like to generate the PDF file from the AsciiDoc file, install the ruby gem for asciidoctor-pdf")
else:
print("If you would like to generate the PDF file from the AsciiDoc file, install the ruby gem for asciidoctor-pdf")
# finally revert back to the prior directory # finally revert back to the prior directory
os.chdir(original_working_directory) os.chdir(original_working_directory)
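Review bot: In the `generate_profiles` hunk the new side appears to be the loop over `glob.glob('../rules/*/…') + glob.glob('../custom/rules/**/…')` with `get_rule_yaml(rule, False)`, so a rule that exists both in `../rules` and as an override under `../custom/rules` has both copies' `mobileconfig_info` appended to `profile_types`, and the custom copy is loaded with the custom flag off. The compliance-script hunk further down still selects the custom file first and passes `custom`, so the generated configuration profile and the generated check script can describe different settings for the same rule. I would keep the custom-first selection here as well and skip a rule that has no file. What `get_rule_yaml` does with its second argument is not visible in this hunk, so that part is inferred; the function body starts and ends outside the hunk.

```python
for profile_rule in sections['rules']:
    custom_matches = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule), recursive=True)
    stock_matches = glob.glob('../rules/*/{}.yaml'.format(profile_rule))
    if custom_matches:
        # an organisation's override wins over the stock rule
        rule, custom = custom_matches[0], True
    elif stock_matches:
        rule, custom = stock_matches[0], False
    else:
        logging.debug(f"no rule file found for {profile_rule}")
        continue
    rule_yaml = get_rule_yaml(rule, custom)
    # … unchanged: mobileconfig payload validation and collection into profile_types …
```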


@@ -348,15 +348,8 @@ def main():
<instance datatype="int" operation="equals">1</instance> <instance datatype="int" operation="equals">1</instance>
</plist510_object> </plist510_object>
'''.format(rule_yaml['id'],x,key,payload_type) '''.format(rule_yaml['id'],x,key,payload_type)
state_kind = ""
if type(value) == bool:
state_kind = "boolean"
elif type(value) == int:
state_kind = "int"
elif type(value) == str:
state_kind = "string"
oval_state = oval_state + ''' oval_state = oval_state + '''
<plist510_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" comment="{}_state" id="oval:mscp:ste:{}" version="1"> <plist510_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" comment="{}_state" id="oval:mscp:ste:{}" version="1">
<value datatype="{}" operation="equals">{}</value> <value datatype="{}" operation="equals">{}</value>
@@ -1130,7 +1123,7 @@ def main():
</file_test>'''.format(x,rule_yaml['id'],x,x) </file_test>'''.format(x,rule_yaml['id'],x,x)
if "-" in fix_command and "R" in fix_command or rule_yaml['fix'].split("\n")[2][-1] == "*": if "-" in fix_command and "R" in fix_command or rule_yaml['fix'].split("\n")[2][-1] == "*":
behavior = '<behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"></behaviors>' behavior = '<behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"></behaviors>'
if "audit" in rule_file: if "audit" in rule_file:
filename = '<filename datatype="string" operation="not equal">current</filename>' filename = '<filename datatype="string" operation="not equal">current</filename>'
else: else:
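Review bot: The `<value datatype="{}" operation="equals">` line kept in the first hunk still needs a datatype argument, but the `state_kind` lines that derived it from `type(value)` are no longer on the new side. The matching `.format(...)` call is below the hunk, so please confirm it no longer references `state_kind` and that a boolean or integer payload value is not written with a string datatype, which could make the OVAL state comparison unreliable. In the second hunk `recurse` appears to go from `"symlinks and directories"` to `"directories"`, which narrows what the file test walks; a comment such as `# do not follow symlinks when recursing` (if that is the intent) would record why. `main()` starts and ends outside both hunks.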


@@ -6,9 +6,11 @@
|ABM|Apple Business Manager |ABM|Apple Business Manager
|AFP|Apple Filing Protocol |AFP|Apple Filing Protocol
|ALF|Application Layer Firewall |ALF|Application Layer Firewall
|AO|Authorizing Official
|API|Application Programming Interface |API|Application Programming Interface
|ARD|Apple Remote Desktop |ARD|Apple Remote Desktop
|CA|Certificate Authority |CA|Certificate Authority
|CIS|Center for Internet Security
|CRL|Certificate Revocation List |CRL|Certificate Revocation List
|DISA|Defense Information Systems Agency |DISA|Defense Information Systems Agency
|DMA|Direct Memory Access |DMA|Direct Memory Access
@@ -31,6 +33,7 @@
|SIP|System Integrity Protection |SIP|System Integrity Protection
|SMB|Server Message Block |SMB|Server Message Block
|SSH|Secure Shell |SSH|Secure Shell
|SSP|System Security Plan
|STIG|Security Technical Implementation Guide |STIG|Security Technical Implementation Guide
|UAMDM|User Approved MDM |UAMDM|User Approved MDM
|UUCP|Unix-to-Unix Copy Protocol |UUCP|Unix-to-Unix Copy Protocol


@@ -50,4 +50,12 @@ ASSOCIATED DOCUMENTS
|link:https://support.apple.com/guide/mdm/welcome/web[Mobile Device Management Settings]|_Mobile Device Management Settings_ |link:https://support.apple.com/guide/mdm/welcome/web[Mobile Device Management Settings]|_Mobile Device Management Settings_
|link:https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys[Profile-Specific Payload Keys]|_Profile-Specific Payload Keys_ |link:https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys[Profile-Specific Payload Keys]|_Profile-Specific Payload Keys_
|link:https://support.apple.com/guide/sccc/welcome/web[Security Certifications and Compliance Center]|_Security Certifications and Compliance Center_ |link:https://support.apple.com/guide/sccc/welcome/web[Security Certifications and Compliance Center]|_Security Certifications and Compliance Center_
|===
[%header, cols=2*a]
.Center for Internet Security
|===
|Document Number or Descriptor
|Document Title
|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 11.0]|_CIS Apple macOS 11.0 Benchmark version 1.2.0_
|=== |===


@@ -1,5 +1,9 @@
== Authors == Authors
[width="100%",cols="1,3"] [width="100%",cols="1,3"]
$authors_list
////
|=== |===
|Bob Gendler|National Institute of Standards and Technology |Bob Gendler|National Institute of Standards and Technology
|Allen Golbig|National Aeronautics and Space Administration |Allen Golbig|National Aeronautics and Space Administration
@@ -9,4 +13,5 @@
|Joshua Glemza|National Aeronautics and Space Administration |Joshua Glemza|National Aeronautics and Space Administration
|Elyse Anderson|National Aeronautics and Space Administration |Elyse Anderson|National Aeronautics and Space Administration
|Gary Gapinski|National Aeronautics and Space Administration |Gary Gapinski|National Aeronautics and Space Administration
|=== |===
////
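Review bot: `$authors_list` has no fallback: the generator hunk fills it with `baseline_yaml['authors']` through `Template.substitute`, so a baseline YAML written before this change, or a hand-made one without an `authors` key, would presumably stop guidance generation with a `KeyError`. Because the `[width="100%",cols="1,3"]` line stays above the placeholder, the substituted value also has to be a complete `|===` table for that attribute line to apply. A comment line in the template stating that contract, e.g. `// $authors_list must be a full |=== table taken from the baseline's authors key`, would help, and the old table now parked inside `////` could be dropped once the baselines carry it.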


@@ -5,3 +5,5 @@ The macOS Security Compliance Project is an open source effort to provide a prog
This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization. This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
The objective of this effort was to simplify and radically accelerate the process of producing up-to-date macOS security guidance that is also accessible to any organization and tailorable to meet each organizations specific security needs. The objective of this effort was to simplify and radically accelerate the process of producing up-to-date macOS security guidance that is also accessible to any organization and tailorable to meet each organizations specific security needs.
Any and all risk based decisions to tailor the content produced by this project in order to meet the needs of a specific organization shall be approved by the responsible Information System Owner (ISO) and Authorizing Official (AO) and formally documented in their System Security Plan (SSP). While the project attempts to provide settings to meet compliance requirements, it is recommended that each rule be reviewed by your organization's Information System Security Officer (ISSO) prior to implementation.


@@ -14,6 +14,7 @@
:nofooter: :nofooter:
$nist171_attribute $nist171_attribute
$stig_attribute $stig_attribute
$cisv8_attribute
ifdef::backend-pdf[] ifdef::backend-pdf[]
= $profile_title = $profile_title
$version ($release_date) $version ($release_date)


@@ -45,6 +45,11 @@ ifdef::show_STIG[]
!$rule_disa_stig !$rule_disa_stig
endif::[] endif::[]
ifdef::show_CISv8[]
!CIS Controls V8
!$rule_cisv8
endif::[]
!CCE !CCE
!$rule_cce !$rule_cce
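Review bot: The conditional here tests `show_CISv8`, while the generator hunk sets the attribute as `:show_cisv8:` / `:show_cisv8!:` and passes it to the header template through `$cisv8_attribute`; the existing `show_STIG` pair is spelled identically on both sides. Whether this block renders therefore depends on the processor folding attribute-name case, so I would use one spelling, e.g. `ifdef::show_cisv8[]`. The same line appears in the two template sections that follow. The cell text `CIS Controls V8` also differs from the spreadsheet header `CIS Controls v8`.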


@@ -45,6 +45,11 @@ ifdef::show_STIG[]
!$rule_disa_stig !$rule_disa_stig
endif::[] endif::[]
ifdef::show_CISv8[]
!CIS Controls V8
!$rule_cisv8
endif::[]
!CCE !CCE
!$rule_cce !$rule_cce


@@ -31,6 +31,11 @@ ifdef::show_STIG[]
!$rule_disa_stig !$rule_disa_stig
endif::[] endif::[]
ifdef::show_CISv8[]
!CIS Controls V8
!$rule_cisv8
endif::[]
ifdef::show_tags[] ifdef::show_tags[]
!CCE !CCE
!$rule_cce !$rule_cce


@@ -0,0 +1,3 @@
== Scope
$scope_description