diff --git a/CHANGELOG.md b/CHANGELOG.md
index acb9f372..c26b81eb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,58 @@
 This document provides a high-level view of the changes to the macOS Security Compliance Project.
+## [Tahoe, Revision 2.0] – 2025-12-18
+
+* Rules
+ * Added Rules
+ * os_loginwindow_adminhostinfo_disabled
+ * os_safari_clear_history_disable
+ * os_safari_private_browsing_disable
+ * os_skip_apple_intelligence_enable
+ * system_settings_download_software_update_enforce
+ * system_settings_security_update_install
+ * Modified Rules
+ * audit_auditd_enabled
+ * os_icloud_storage_prompt_disable
+ * os_privacy_setup_prompt_disable
+ * os_recovery_lock_enable
+ * os_secure_boot_verify
+ * os_siri_prompt_disable
+ * os_skip_screen_time_prompt_enable
+ * os_skip_unlock_with_watch_enable
+ * os_time_server_enabled
+ * os_touchid_prompt_disable
+ * os_unlock_active_user_session_disable
+ * pwpolicy_account_lockout_enforce
+ * pwpolicy_account_lockout_timeout_enforce
+ * pwpolicy_history_enforce
+ * pwpolicy_lower_case_character_enforce
+ * pwpolicy_upper_case_character_enforce
+ * pwpolicy_special_character_enforce
+ * pwpolicy_minimum_length_enforce
+ * pwpolicy_minimum_lifetime_enforce
+ * pwpolicy_max_lifetime_enforce
+ * system_settings_location_services_enable
+ * system_settings_location_services_disable
+ * system_settings_screen_sharing_disable
+ * system_settings_ssh_disable
+ * system_settings_bluetooth_sharing_disable
+ * system_settings_hot_corners_secure
+ * system_settings_time_machine_encrypted_configure
+ * Removed Rules
+ * system_settings_software_update_enforce
+ * Bug Fixes
+* Baselines
+ * Added STIG - Ver 1, Rel 1
+ * Modified existing baselines
+* Scripts
+ * generate_guidance
+ * Bug fixes related to consolidated configuration profile generation
+ * Improved handling of Declarative Device Management (DDM) nested keys
+ * Compliance script stability improvements
+ * generate_scap
+ * Minor fixes to SCAP/XCCDF output generation
+
 ## [Tahoe, Revision 1.0] - 2025-09-11
 * Rules
diff --git a/README.md b/README.md
index 739927a5..3b9445c6 100644
--- a/README.md
+++ b/README.md
@@ -36,7 +36,7 @@ Civilian agencies are to use the National Checklist Program as required by [NIST
 |John Mahlman IV|Leidos
 |Aaron Kegerreis|DISA
 |Henry Stamerjohann|Declarative IT GmbH
-|Marco A Piñeryo II|State Department
+|Marco A Piñeyro II|State Department
 |Jason Blake|NIST
 |Blair Heiserman|NIST
 |Joshua Glemza|NASA
diff --git a/VERSION.yaml b/VERSION.yaml
index 61983ad8..91cbff15 100644
--- a/VERSION.yaml
+++ b/VERSION.yaml
@@ -1,5 +1,5 @@
 os: "26.0"
 platform: macOS
-version: "Tahoe Guidance, Revision 1.0"
+version: "Tahoe Guidance, Revision 2.0"
 cpe: o:apple:macos:26.0
-date: "2025-09-11"
+date: "2025-12-18"
diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml
index 241235e9..a926787d 100644
--- a/baselines/800-171.yaml
+++ b/baselines/800-171.yaml
@@ -168,6 +168,7 @@ profile:
 - system_settings_screensaver_timeout_enforce
 - system_settings_siri_disable
 - system_settings_smbd_disable
+ - system_settings_softwareupdate_current
 - system_settings_ssh_disable
 - system_settings_ssh_enable
 - system_settings_system_wide_preferences_configure
diff --git a/baselines/800-53r5_high.yaml b/baselines/800-53r5_high.yaml
index 82c008e5..c5c02333 100644
--- a/baselines/800-53r5_high.yaml
+++ b/baselines/800-53r5_high.yaml
@@ -189,6 +189,7 @@ profile:
 - system_settings_siri_disable
 - system_settings_siri_settings_disable
 - system_settings_smbd_disable
+ - system_settings_softwareupdate_current
 - system_settings_ssh_disable
 - system_settings_ssh_enable
 - system_settings_system_wide_preferences_configure
diff --git a/baselines/800-53r5_low.yaml b/baselines/800-53r5_low.yaml
index eb76f645..5b54e489 100644
--- a/baselines/800-53r5_low.yaml
+++ b/baselines/800-53r5_low.yaml
@@ -156,6 +156,7 @@ profile:
 - system_settings_siri_disable
 - system_settings_siri_settings_disable
 - system_settings_smbd_disable
+ - system_settings_softwareupdate_current
 - system_settings_ssh_disable
 - system_settings_ssh_enable
 - system_settings_time_server_configure
diff --git a/baselines/800-53r5_moderate.yaml b/baselines/800-53r5_moderate.yaml
index 85f2cfd4..09afa86a 100644
--- a/baselines/800-53r5_moderate.yaml
+++ b/baselines/800-53r5_moderate.yaml
@@ -186,6 +186,7 @@ profile:
 - system_settings_siri_disable
 - system_settings_siri_settings_disable
 - system_settings_smbd_disable
+ - system_settings_softwareupdate_current
 - system_settings_ssh_disable
 - system_settings_ssh_enable
 - system_settings_system_wide_preferences_configure
diff --git a/baselines/DISA-STIG.yaml b/baselines/DISA-STIG.yaml
new file mode 100644
index 00000000..c3ce2387
--- /dev/null
+++ b/baselines/DISA-STIG.yaml
@@ -0,0 +1,195 @@
+title: "macOS 26.0: Security Configuration - Apple macOS 26 (Tahoe) STIG - Ver 1, Rel 1"
+description: |
+ This guide describes the actions to take when securing a macOS 26.0 system against the Apple macOS 26 (Tahoe) STIG - Ver 1, Rel 1 security baseline.
+authors: |
+ *macOS Security Compliance Project*
+
+ |===
+ |Dan Brodjieski|National Aeronautics and Space Administration
+ |Allen Golbig|Jamf
+ |Bob Gendler|National Institute of Standards and Technology
+ |Aaron Kegerreis|Defense Information Systems Agency
+ |===
+parent_values: "stig"
+profile:
+ - section: "auditing"
+ rules:
+ - audit_acls_files_configure
+ - audit_acls_folders_configure
+ - audit_auditd_enabled
+ - audit_configure_capacity_notify
+ - audit_control_acls_configure
+ - audit_control_group_configure
+ - audit_control_mode_configure
+ - audit_control_owner_configure
+ - audit_files_group_configure
+ - audit_files_mode_configure
+ - audit_files_owner_configure
+ - audit_flags_aa_configure
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_flags_fd_configure
+ - audit_flags_fm_configure
+ - audit_flags_fr_configure
+ - audit_flags_fw_configure
+ - audit_flags_lo_configure
+ - audit_folder_group_configure
+ - audit_folder_owner_configure
+ - audit_folders_mode_configure
+ - audit_retention_configure
+ - audit_settings_failure_notify
+ - section: "authentication"
+ rules:
+ - auth_pam_login_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - auth_pam_sudo_smartcard_enforce
+ - auth_smartcard_allow
+ - auth_smartcard_certificate_trust_enforce_moderate
+ - auth_smartcard_enforce
+ - auth_ssh_password_authentication_disable
+ - section: "icloud"
+ rules:
+ - icloud_addressbook_disable
+ - icloud_bookmarks_disable
+ - icloud_calendar_disable
+ - icloud_drive_disable
+ - icloud_freeform_disable
+ - icloud_game_center_disable
+ - icloud_keychain_disable
+ - icloud_mail_disable
+ - icloud_notes_disable
+ - icloud_photos_disable
+ - icloud_private_relay_disable
+ - icloud_reminders_disable
+ - icloud_sync_disable
+ - section: "macos"
+ rules:
+ - os_account_modification_disable
+ - os_airdrop_disable
+ - os_appleid_prompt_disable
+ - os_asl_log_files_owner_group_configure
+ - os_asl_log_files_permissions_configure
+ - os_authenticated_root_enable
+ - os_bonjour_disable
+ - os_camera_disable
+ - os_certificate_authority_trust
+ - os_config_data_install_enforce
+ - os_dictation_disable
+ - os_erase_content_and_settings_disable
+ - os_facetime_app_disable
+ - os_filevault_autologin_disable
+ - os_gatekeeper_enable
+ - os_genmoji_disable
+ - os_handoff_disable
+ - os_home_folders_secure
+ - os_httpd_disable
+ - os_icloud_storage_prompt_disable
+ - os_image_playground_disable
+ - os_install_log_retention_configure
+ - os_iphone_mirroring_disable
+ - os_loginwindow_adminhostinfo_disabled
+ - os_mdm_require
+ - os_newsyslog_files_owner_group_configure
+ - os_newsyslog_files_permissions_configure
+ - os_nfsd_disable
+ - os_on_device_dictation_enforce
+ - os_password_hint_remove
+ - os_password_proximity_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_policy_banner_ssh_configure
+ - os_policy_banner_ssh_enforce
+ - os_privacy_setup_prompt_disable
+ - os_recovery_lock_enable
+ - os_root_disable
+ - os_secure_boot_verify
+ - os_sip_enable
+ - os_siri_prompt_disable
+ - os_skip_apple_intelligence_enable
+ - os_skip_screen_time_prompt_enable
+ - os_skip_unlock_with_watch_enable
+ - os_ssh_fips_compliant
+ - os_ssh_server_alive_count_max_configure
+ - os_ssh_server_alive_interval_configure
+ - os_sshd_channel_timeout_configure
+ - os_sshd_client_alive_count_max_configure
+ - os_sshd_client_alive_interval_configure
+ - os_sshd_fips_compliant
+ - os_sshd_login_grace_time_configure
+ - os_sshd_permit_root_login_configure
+ - os_sshd_unused_connection_timeout_configure
+ - os_sudo_log_enforce
+ - os_sudo_timeout_configure
+ - os_sudoers_timestamp_type_configure
+ - os_tftpd_disable
+ - os_time_server_enabled
+ - os_touchid_prompt_disable
+ - os_unlock_active_user_session_disable
+ - os_user_app_installation_prohibit
+ - os_uucp_disable
+ - os_writing_tools_disable
+ - section: "passwordpolicy"
+ rules:
+ - pwpolicy_account_inactivity_enforce
+ - pwpolicy_account_lockout_enforce
+ - pwpolicy_account_lockout_timeout_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_custom_regex_enforce
+ - pwpolicy_max_lifetime_enforce
+ - pwpolicy_minimum_length_enforce
+ - pwpolicy_minimum_lifetime_enforce
+ - pwpolicy_special_character_enforce
+ - pwpolicy_temporary_or_emergency_accounts_disable
+ - section: "systemsettings"
+ rules:
+ - system_settings_airplay_receiver_disable
+ - system_settings_apple_watch_unlock_disable
+ - system_settings_automatic_login_disable
+ - system_settings_automatic_logout_enforce
+ - system_settings_bluetooth_disable
+ - system_settings_bluetooth_settings_disable
+ - system_settings_bluetooth_sharing_disable
+ - system_settings_content_caching_disable
+ - system_settings_diagnostics_reports_disable
+ - system_settings_filevault_enforce
+ - system_settings_find_my_disable
+ - system_settings_firewall_enable
+ - system_settings_gatekeeper_identified_developers_allowed
+ - system_settings_guest_account_disable
+ - system_settings_hot_corners_disable
+ - system_settings_improve_assistive_voice_disable
+ - system_settings_improve_search_disable
+ - system_settings_improve_siri_dictation_disable
+ - system_settings_internet_sharing_disable
+ - system_settings_location_services_disable
+ - system_settings_loginwindow_prompt_username_password_enforce
+ - system_settings_media_sharing_disabled
+ - system_settings_password_hints_disable
+ - system_settings_personalized_advertising_disable
+ - system_settings_printer_sharing_disable
+ - system_settings_rae_disable
+ - system_settings_remote_management_disable
+ - system_settings_screen_sharing_disable
+ - system_settings_screensaver_ask_for_password_delay_enforce
+ - system_settings_screensaver_password_enforce
+ - system_settings_screensaver_timeout_enforce
+ - system_settings_siri_disable
+ - system_settings_siri_settings_disable
+ - system_settings_smbd_disable
+ - system_settings_softwareupdate_current
+ - system_settings_system_wide_preferences_configure
+ - system_settings_time_server_configure
+ - system_settings_time_server_enforce
+ - system_settings_token_removal_enforce
+ - system_settings_touchid_unlock_disable
+ - system_settings_usb_restricted_mode
+ - system_settings_wallet_applepay_settings_disable
+ - section: "Inherent"
+ rules:
+ - os_supported_operating_system
+ - section: "Supplemental"
+ rules:
+ - supplemental_controls
+ - supplemental_filevault
+ - supplemental_firewall_pf
+ - supplemental_password_policy
+ - supplemental_smartcard
diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
index 3efa6d7d..78af27e9 100644
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -317,6 +317,7 @@ profile:
 - os_secure_enclave
 - os_separate_functionality
 - os_store_encrypted_passwords
+ - os_supported_operating_system
 - os_terminate_session
 - os_unique_identification
 - os_verify_remote_disconnection
diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml
index ca3c90a9..a3c8adf1 100644
--- a/baselines/cis_lvl1.yaml
+++ b/baselines/cis_lvl1.yaml
@@ -1,6 +1,6 @@
-title: "macOS 26.0: Security Configuration - CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1) - DRAFT"
+title: "macOS 26.0: Security Configuration - CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1)"
 description: |
- This guide describes the actions to take when securing a macOS 26.0 system against the CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1) - DRAFT security baseline.
+ This guide describes the actions to take when securing a macOS 26.0 system against the CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1) security baseline.
 authors: |
 *macOS Security Compliance Project*
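Review bot: The macos section pairs os_unlock_active_user_session_disable with auth_smartcard_enforce and the three auth_pam_*_smartcard_enforce rules, yet the discussion of os_unlock_active_user_session_disable as rewritten in this same commit says not to apply it where smartcards and Platform SSO are in use, so a site that deploys this baseline as-is on PSSO-joined Macs ends up with a configuration the project itself warns against. The description block should carry that caveat so it survives into the generated guidance, e.g. `  NOTE: Sites using smartcards with Platform Single Sign-On should review os_unlock_active_user_session_disable before applying this baseline.` Whether the DISA checklist itself documents this interaction cannot be determined from the diff.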
@@ -101,6 +101,7 @@ profile:
 - system_settings_remote_management_disable
 - system_settings_screen_sharing_disable
 - system_settings_screensaver_ask_for_password_delay_enforce
+ - system_settings_screensaver_password_enforce
 - system_settings_screensaver_timeout_enforce
 - system_settings_siri_disable
 - system_settings_smbd_disable
diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml
index d9aa6558..fd167b2d 100644
--- a/baselines/cis_lvl2.yaml
+++ b/baselines/cis_lvl2.yaml
@@ -1,6 +1,6 @@
-title: "macOS 26.0: Security Configuration - CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2) - DRAFT"
+title: "macOS 26.0: Security Configuration - CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2)"
 description: |
- This guide describes the actions to take when securing a macOS 26.0 system against the CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2) - DRAFT security baseline.
+ This guide describes the actions to take when securing a macOS 26.0 system against the CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2) security baseline.
 authors: |
 *macOS Security Compliance Project*
@@ -123,6 +123,7 @@ profile:
 - system_settings_remote_management_disable
 - system_settings_screen_sharing_disable
 - system_settings_screensaver_ask_for_password_delay_enforce
+ - system_settings_screensaver_password_enforce
 - system_settings_screensaver_timeout_enforce
 - system_settings_siri_disable
 - system_settings_smbd_disable
diff --git a/baselines/cmmc_lvl1.yaml b/baselines/cmmc_lvl1.yaml
index 0a634e92..068b6dec 100644
--- a/baselines/cmmc_lvl1.yaml
+++ b/baselines/cmmc_lvl1.yaml
@@ -99,6 +99,7 @@ profile:
 - system_settings_security_update_install
 - system_settings_siri_disable
 - system_settings_smbd_disable
+ - system_settings_softwareupdate_current
 - system_settings_ssh_disable
 - system_settings_ssh_enable
 - system_settings_system_wide_preferences_configure
diff --git a/baselines/cmmc_lvl2.yaml b/baselines/cmmc_lvl2.yaml
index 1e2e5bc5..226974ce 100644
--- a/baselines/cmmc_lvl2.yaml
+++ b/baselines/cmmc_lvl2.yaml
@@ -205,6 +205,7 @@ profile:
 - system_settings_siri_disable
 - system_settings_siri_settings_disable
 - system_settings_smbd_disable
+ - system_settings_softwareupdate_current
 - system_settings_ssh_disable
 - system_settings_ssh_enable
 - system_settings_system_wide_preferences_configure
diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml
index 59ebeed2..32c575d5 100644
--- a/includes/mscp-data.yaml
+++ b/includes/mscp-data.yaml
@@ -83,15 +83,15 @@ titles:
 800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact
 800-53r5_low: NIST SP 800-53 Rev 5 Low Impact
 800-171: NIST 800-171 Rev 3
- cis_lvl1: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1) - DRAFT
- cis_lvl2: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2) - DRAFT
+ cis_lvl1: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1)
+ cis_lvl2: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2)
 cmmc_lvl1: US CMMC 2.0 Level 1
 cmmc_lvl2: US CMMC 2.0 Level 2
 cisv8: CIS Controls Version 8
 cnssi-1253_low: Committee on National Security Systems Instruction No. 1253 (Low)
 cnssi-1253_moderate: Committee on National Security Systems Instruction No. 1253 (Moderate)
 cnssi-1253_high: Committee on National Security Systems Instruction No. 1253 (High)
- stig: Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 4
+ stig: Apple macOS 26 (Tahoe) STIG - Ver 1, Rel 1
 ddm:
 supported_types:
 - com.apple.configuration.services.configuration-files
diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml
index bd1e1d81..123425bf 100644
--- a/rules/audit/audit_failure_halt.yaml
+++ b/rules/audit/audit_failure_halt.yaml
@@ -25,7 +25,7 @@ references:
 srg:
 - SRG-OS-000047-GPOS-00023
 disa_stig:
- - APPL-26-001010
+ - N/A
 800-171r3:
 - 03.03.04
 cmmc:
@@ -43,7 +43,6 @@ tags:
 - cnssi-1253_low
 - cnssi-1253_high
 - cmmc_lvl2
- - stig
 - cnssi-1253_moderate
 severity: medium
 mobileconfig: false
diff --git a/rules/os/os_external_storage_access_defined.yaml b/rules/os/os_external_storage_access_defined.yaml
index 975b34bc..e7831c46 100644
--- a/rules/os/os_external_storage_access_defined.yaml
+++ b/rules/os/os_external_storage_access_defined.yaml
@@ -3,7 +3,7 @@ title: Access to External Storage Must Be Defined
 discussion: |-
 Access to external storage _MUST_ be managed.
- NOTE: Apple's built in method using declative device management method only allows you to set external storage manament to Allowed, ReadOnly, and Disallowed.
+ NOTE: Apple's built in method using declarative device management method only allows you to set external storage management to Allowed, ReadOnly, and Disallowed.
 check: |
 /usr/bin/plutil -convert json /var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist -o - | /usr/bin/jq --raw-output '.Restrictions.ExternalStorage'
 result:
diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml
index d40758c8..38d8c335 100644
--- a/rules/os/os_firmware_password_require.yaml
+++ b/rules/os/os_firmware_password_require.yaml
@@ -20,7 +20,7 @@ check: |
 result:
 integer: 1
 fix: |
- NOTE: See discussion on remediation and how to enable firmware password.
+ NOTE: See discussion on how to enable firmware password.
 references:
 cce:
 - CCE-95194-7
@@ -33,7 +33,7 @@ references:
 srg:
 - SRG-OS-000480-GPOS-00227
 disa_stig:
- - APPL-26-003013
+ - N/A
 800-171r3:
 - 03.01.05
 cmmc:
@@ -52,7 +52,6 @@ tags:
 - cnssi-1253_high
 - cmmc_lvl2
 - cmmc_lvl1
- - stig
 - cnssi-1253_moderate
 severity: medium
 mobileconfig: false
diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml
index 15d5a45b..a98c1bc5 100644
--- a/rules/os/os_implement_cryptography.yaml
+++ b/rules/os/os_implement_cryptography.yaml
@@ -5,7 +5,7 @@ discussion: |
 Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government.
- Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Tahoe for Apple Silicion will be submitted for FIPS validation. macOS Tahoe for Intel based processors will _NOT_ be submitted for FIPS validation.
+ Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Tahoe for Apple Silicon will be submitted for FIPS validation. macOS Tahoe for Intel based processors will _NOT_ be submitted for FIPS validation.
 link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[]
diff --git a/rules/os/os_iphone_mirroring_disable.yaml b/rules/os/os_iphone_mirroring_disable.yaml
index dad216e6..f626345b 100644
--- a/rules/os/os_iphone_mirroring_disable.yaml
+++ b/rules/os/os_iphone_mirroring_disable.yaml
@@ -10,7 +10,7 @@ check: |
 result:
 string: 'false'
 fix: |
- This is implemented by a Configuration Profile
+ This is implemented by a Configuration Profile.
 references:
 cce:
 - CCE-95212-7
diff --git a/rules/os/os_network_storage_restriction.yaml b/rules/os/os_network_storage_restriction.yaml
index ec8d3103..224b6fc2 100644
--- a/rules/os/os_network_storage_restriction.yaml
+++ b/rules/os/os_network_storage_restriction.yaml
@@ -3,7 +3,7 @@ title: Network Storage Must Be Restricted
 discussion: |-
 Network Storage _MUST_ be restricted.
- NOTE: Apple's built in method using declative device management method only allows you to set network storage manament to Allowed, ReadOnly, and Disallowed.
+ NOTE: Apple's built in method using declarative device management method only allows you to set network storage management to Allowed, ReadOnly, and Disallowed.
 check: |
 /usr/bin/plutil -convert json /var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist -o - | /usr/bin/jq --raw-output '.Restrictions.NetworkStorage'
 result:
diff --git a/rules/os/os_on_device_dictation_enforce.yaml b/rules/os/os_on_device_dictation_enforce.yaml
index 717c2d90..31dc0660 100644
--- a/rules/os/os_on_device_dictation_enforce.yaml
+++ b/rules/os/os_on_device_dictation_enforce.yaml
@@ -4,6 +4,8 @@ discussion: |
 Dictation _MUST_ be restricted to on device only to prevent potential data exfiltration.
 The information system _MUST_ be configured to provide only essential capabilities.
+
+ IMPORTANT: This rule only applies to Apple Silicon devices.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
 $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
diff --git a/rules/os/os_photos_enhanced_search_disable.yaml b/rules/os/os_photos_enhanced_search_disable.yaml
index cf92f80f..979b2686 100644
--- a/rules/os/os_photos_enhanced_search_disable.yaml
+++ b/rules/os/os_photos_enhanced_search_disable.yaml
@@ -1,7 +1,7 @@
 id: os_photos_enhanced_search_disable
 title: Disable Photos Enhanced Visual Search
 discussion: |-
- Enhanced Visualed Search _MUST_ be disabled in the Photos app.
+ Enhanced Visual Search _MUST_ be disabled in the Photos app.
 The information system _MUST_ be configured to provide only essential capabilities.
 Disabling Enhanced Visual Search will mitigate the risk of unwanted data being sent to Apple.
 check: |
diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml
index 9e021115..554c1082 100644
--- a/rules/os/os_required_crypto_module.yaml
+++ b/rules/os/os_required_crypto_module.yaml
@@ -5,7 +5,7 @@ discussion: |
 macOS contains many open source projects that may use their own cryptographic libraries typically for the purposes of maintaining platform independence. These services are not covered by the Apple FIPS Validation of the CoreCrypto and CoreCrypto Kernel modules.
- Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Tahoe for Apple Silicion will be submitted for FIPS validation. macOS Tahoe for Intel based processors will _NOT_ be submitted for FIPS validation.
+ Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Tahoe for Apple Silicon will be submitted for FIPS validation. macOS Tahoe for Intel based processors will _NOT_ be submitted for FIPS validation.
 link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[]
diff --git a/rules/os/os_safari_clear_history_disable.yaml b/rules/os/os_safari_clear_history_disable.yaml
index 9fcd1513..35feb516 100644
--- a/rules/os/os_safari_clear_history_disable.yaml
+++ b/rules/os/os_safari_clear_history_disable.yaml
@@ -1,5 +1,5 @@
 id: os_safari_clear_history_disable
-title: Ensure Clearning of Browsing History in Safari Is Disabled
+title: Ensure Clearing of Browsing History in Safari Is Disabled
 discussion: |
 Clearing of browser history _MUST_ be disabled in Safari.
 check: |
@@ -36,4 +36,4 @@ tags:
 mobileconfig: true
 mobileconfig_info:
 com.apple.applicationaccess:
- allowSafariHistoryClearing: false
\ No newline at end of file
+ allowSafariHistoryClearing: false
diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml
index 4461a7a2..f8039528 100644
--- a/rules/os/os_sip_enable.yaml
+++ b/rules/os/os_sip_enable.yaml
@@ -15,7 +15,7 @@ fix: |
 ----
 /usr/bin/csrutil enable
 ----
- NOTE: To reenable "System Integrity Protection", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
+ NOTE: To re-enable "System Integrity Protection", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
 references:
 cce:
 - CCE-95298-6
diff --git a/rules/os/os_skip_apple_intelligence_enable.yaml b/rules/os/os_skip_apple_intelligence_enable.yaml
index f1488904..21bcb81e 100644
--- a/rules/os/os_skip_apple_intelligence_enable.yaml
+++ b/rules/os/os_skip_apple_intelligence_enable.yaml
@@ -15,7 +15,7 @@ references:
 cce:
 - CCE-95603-7
 cci:
- - N/A
+ - CCI-000381
 800-53r5:
 - AC-4
 - AC-20
@@ -23,9 +23,9 @@ references:
 800-53r4:
 - AC-20
 srg:
- - N/A
+ - SRG-OS-000095-GPOS-000049
 disa_stig:
- - N/A
+ - APPL-26-005170
 800-171r3:
 - 03.01.20
 - 03.04.06
@@ -49,6 +49,7 @@ tags:
 - cmmc_lvl2
 - cmmc_lvl1
 - cnssi-1253_moderate
+ - stig
 severity: medium
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_sleep_and_display_sleep_apple_silicon_enable.yaml b/rules/os/os_sleep_and_display_sleep_apple_silicon_enable.yaml
index 9751dd16..b9f79293 100644
--- a/rules/os/os_sleep_and_display_sleep_apple_silicon_enable.yaml
+++ b/rules/os/os_sleep_and_display_sleep_apple_silicon_enable.yaml
@@ -4,15 +4,17 @@ discussion: |
 Apple Silicon MacBooks should set sleep timeout to 15 minutes (900 seconds) or less and the display sleep timeout should be 10 minutes (600 seconds) or less but less than the sleep setting.
 check: |
 error_count=0
- if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
- sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}')
- displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}')
-
- if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 15 ]]; then
- ((error_count++))
- fi
- if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 10 ]] || [[ "$displaysleepMode" -gt "$sleepMode" ]]; then
- ((error_count++))
+ if /usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep -q "MacBook"; then
+ cpuType=$(/usr/sbin/sysctl -n machdep.cpu.brand_string)
+ if echo "$cpuType" | grep -q "Apple"; then
+ sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}')
+ displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}')
+ if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 15 ]]; then
+ ((error_count++))
+ fi
+ if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 10 ]] || [[ "$displaysleepMode" -gt "$sleepMode" ]]; then
+ ((error_count++))
+ fi
 fi
 fi
 echo "$error_count"
diff --git a/rules/os/os_software_update_app_update_enforce.yaml b/rules/os/os_software_update_app_update_enforce.yaml
index d514c34a..bd1412d4 100644
--- a/rules/os/os_software_update_app_update_enforce.yaml
+++ b/rules/os/os_software_update_app_update_enforce.yaml
@@ -28,7 +28,7 @@ references:
 - N/A
 cis:
 benchmark:
- 1.5 (level 1)
+ 1.4 (level 1)
 controls v8:
 - 7.3
 - 7.4
diff --git a/rules/os/os_software_update_deferral.yaml b/rules/os/os_software_update_deferral.yaml
index 85497caa..ed7ce490 100644
--- a/rules/os/os_software_update_deferral.yaml
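Review bot: The added Apple Silicon test calls `grep` without a path (`if echo "$cpuType" | grep -q "Apple"; then`) while every other binary in this check, and in the rest of the project, is invoked absolutely; a compliance script that runs as root should not resolve tools through PATH, so write it as `if /usr/bin/grep -q "Apple" <<< "$cpuType"; then`. A direct probe such as `/usr/sbin/sysctl -n hw.optional.arm64` would also be a firmer signal than substring-matching the CPU brand string, although the brand-string approach does work on current hardware. Replacing the ioreg call with `system_profiler SPHardwareDataType` is generally a slower query, which adds up when the compliance script runs many checks; if the swap was made for reliability a one-line comment saying so would spare the next maintainer from reverting it.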
+++ b/rules/os/os_software_update_deferral.yaml
@@ -2,6 +2,8 @@ id: os_software_update_deferral
 title: Ensure Software Update Deferment Is Less Than or Equal to $ODV Days
 discussion: |
 Software updates _MUST_ be deferred for $ODV days or less.
+
+ If you need to defer software updates, create a Restrictions profile using the com.apple.applicationaccess domain and the key enforcedSoftwareUpdateDelay.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
 function run() {
@@ -49,7 +51,5 @@ odv:
 tags:
 - cis_lvl1
 - cis_lvl2
-mobileconfig: true
+mobileconfig: false
 mobileconfig_info:
- com.apple.applicationaccess:
- enforcedSoftwareUpdateDelay: $ODV
diff --git a/rules/os/os_sshd_fips_compliant.yaml b/rules/os/os_sshd_fips_compliant.yaml
index 9d507609..8bfe6ebd 100644
--- a/rules/os/os_sshd_fips_compliant.yaml
+++ b/rules/os/os_sshd_fips_compliant.yaml
@@ -23,7 +23,7 @@ result:
 fix: |
 [source,bash]
 ----
- if [ -f /etc/ssh/crypto.conf ] && /usr/bin/grep -q "Include /etc/ssh/crypto.conf" /etc/ssh/sshd_config.d/100-macos.conf 2>/bin/null; then
+ if [ -f /etc/ssh/crypto.conf ] && /usr/bin/grep -q "Include /etc/ssh/crypto.conf" /etc/ssh/sshd_config.d/100-macos.conf 2>/dev/null; then
 /bin/ln -fs /etc/ssh/crypto/fips.conf /etc/ssh/crypto.conf
 fi
diff --git a/rules/os/os_sshd_per_source_penalties_configure.yaml b/rules/os/os_sshd_per_source_penalties_configure.yaml
index bc617ffc..4d5949d2 100644
--- a/rules/os/os_sshd_per_source_penalties_configure.yaml
+++ b/rules/os/os_sshd_per_source_penalties_configure.yaml
@@ -3,7 +3,7 @@ title: Configure SSHD PerSourcePenalties
 discussion: |
 If SSHD is enabled then it _MUST_ be configured with the Per Source Penalties configured.
- Per Source Penalities controls penalties for various conditions that may represent attacks on sshd.
+ Per Source Penalties controls penalties for various conditions that may represent attacks on sshd.
 Penalties are enabled by default.
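Review bot: Switching to `mobileconfig: false` and dropping the com.apple.applicationaccess payload means the generated profiles no longer set enforcedSoftwareUpdateDelay, but the rule stays tagged cis_lvl1 and cis_lvl2 (the context lines just above) and its check, which lies outside this hunk, presumably still reads that key, so those baselines will now report the rule as failing until an administrator builds the Restrictions profile by hand as the new discussion text describes. The `fix:` field should state that rather than leaving it to the discussion, e.g. `This rule does not generate a configuration profile; deploy a Restrictions profile (com.apple.applicationaccess) with enforcedSoftwareUpdateDelay set to $ODV.` The CHANGELOG hunk in this commit also omits os_software_update_deferral from Modified Rules even though its remediation behaviour changed.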
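Review bot: The remediation still exits quietly when its guard is false: if /etc/ssh/crypto.conf is missing or 100-macos.conf does not carry the Include line, nothing is linked and nothing is printed, so an operator running the fix has no signal that sshd remains on the non-FIPS cipher set; an `else` branch such as `else /bin/echo "sshd crypto Include not found; FIPS cipher set not applied" >&2` before the `fi` would surface that. Separately, the line being replaced redirected stderr to `/bin/null`, and on a sealed system volume that redirection most likely fails, which in bash means the grep never runs and the `&&` chain is false, so the previous remediation probably never created the symlink at all. That makes this a functional fix rather than a typo correction and it deserves an entry under Bug Fixes in the changelog.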
diff --git a/rules/os/os_sudo_timeout_configure.yaml b/rules/os/os_sudo_timeout_configure.yaml
index 026174d3..0f308ed2 100644
--- a/rules/os/os_sudo_timeout_configure.yaml
+++ b/rules/os/os_sudo_timeout_configure.yaml
@@ -11,6 +11,7 @@ fix: |
 ----
 /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_timeout/d' '{}' \;
 /bin/echo "Defaults timestamp_timeout=$ODV" >> /etc/sudoers.d/mscp
+ /bin/chmod 440 /etc/sudoers.d/mscp
 ----
 references:
 cce:
diff --git a/rules/os/os_supported_operating_system.yaml b/rules/os/os_supported_operating_system.yaml
new file mode 100644
index 00000000..6c1e1c34
--- /dev/null
+++ b/rules/os/os_supported_operating_system.yaml
@@ -0,0 +1,32 @@
+id: os_supported_operating_system
+title: The macOS Version Must Be Supported by the Vendor
+discussion: |
+ Unsupported software and systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities.
+
+ Software and systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.
+
+ When maintenance updates and patches are no longer available, software is no longer considered supported and should be upgraded or decommissioned.
+check: |
+ The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
+fix: |
+ The technology inherently meets this requirement. No fix is required.
+references:
+ cce:
+ - CCE-95604-5
+ cci:
+ - CCI-003376
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ disa_stig:
+ - APPL-26-006000
+ srg:
+ - SRG-OS-000830-GPOS-00300
+macOS:
+ - '26.0'
+tags:
+ - inherent
+ - stig
+mobileconfig: false
+mobileconfig_info:
diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml
index c418030f..afa60bab 100644
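Review bot: The new chmod fixes the mode of /etc/sudoers.d/mscp but nothing sets its ownership or validates the fragment, and a malformed file in sudoers.d can take sudo down for every account on the host; follow the chmod with `/usr/sbin/chown root:wheel /etc/sudoers.d/mscp` and `/usr/sbin/visudo -c -f /etc/sudoers.d/mscp` so the remediation fails loudly instead of leaving a broken sudo behind. The `find ... -exec sed` line above it also edits /etc/sudoers itself in place with no visudo check afterwards, and `sed` is the only binary on that line not invoked by absolute path, unlike the rest of the project's remediation scripts. These lines sit inside the fix block, which begins outside the hunk.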
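Review bot: This new rule has no `severity:` key, while every other stig-tagged rule touched in this commit carries one (`severity: medium` in os_skip_apple_intelligence_enable, audit_failure_halt, os_firmware_password_require and system_settings_screensaver_password_enforce); if generate_scap or the STIG rendering reads that key, the entry for APPL-26-006000 will presumably come out without a severity, so add a `severity:` line after the tags block with the value the STIG assigns. The check text's claim that the technology cannot be configured out of compliance holds only while macOS 26 is a vendor-supported release; a short note in the discussion such as `NOTE: Satisfied for as long as Apple supports macOS 26; re-evaluate once the release reaches end of support.` keeps the inherent rating honest for readers applying this guidance late in the lifecycle.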
--- a/rules/os/os_unlock_active_user_session_disable.yaml
+++ b/rules/os/os_unlock_active_user_session_disable.yaml
@@ -7,7 +7,7 @@ discussion: |
 NOTE: Configuring this setting will change the user experience and disable TouchID from unlocking the screensaver. A configuration profile will be generated to include the setting that restores the expected behavior. You can also apply the settings using `/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1`.
- WARNING: This rule may cause issues when platformSSO is configured.
+ WARNING: Do not apply this rule if your organization uses smartcards and Platform Single Sign-On (PSSO).
 check: |
 RESULT="FAIL"
 SS_RULE=$(/usr/bin/security -q authorizationdb read system.login.screensaver 2>&1 | /usr/bin/xmllint --xpath "//dict/key[.='rule']/following-sibling::array[1]/string/text()" -)
diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml
index d2c0c295..ec5c3411 100644
--- a/rules/pwpolicy/pwpolicy_history_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml
@@ -3,7 +3,7 @@ title: Prohibit Password Reuse for a Minimum of $ODV Generations
 discussion: |
 The macOS _MUST_ be configured to enforce a password history of at least $ODV previous passwords when a password is created.
- This rule ensures that users are not allowed to re-use a password that was used in any of the $ODV previous password generations.
+ This rule ensures that users are not allowed to reuse a password that was used in any of the $ODV previous password generations.
 Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods.
diff --git a/rules/supplemental/supplemental_firewall_pf.yaml b/rules/supplemental/supplemental_firewall_pf.yaml
index 8dbbae91..3f5086b9 100644
--- a/rules/supplemental/supplemental_firewall_pf.yaml
+++ b/rules/supplemental/supplemental_firewall_pf.yaml
@@ -13,7 +13,7 @@ discussion: | * The PF firewall can manipulate virtually any packet data and is highly configurable. ** More information on the BF firewall can be found here: https://www.openbsd.org/faq/pf/index.html - Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 5). The script will make sure the application layer firewall is enabled, set logging to "detailed", set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy `com.apple.pfctl.plis` from `/System/Library/LaunchDaemons/` into the `/Library/LaunchDaemons` folder and name it `800-53.pfctl.plist`. This is done to not conflict with the system's pf ruleset. + Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 5). The script will make sure the application layer firewall is enabled, set logging to "detailed", set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy `com.apple.pfctl.plist` from `/System/Library/LaunchDaemons/` into the `/Library/LaunchDaemons` folder and name it `800-53.pfctl.plist`. This is done to not conflict with the system's pf ruleset. The custom pf rules are created at `/etc/pf.anchors/800_53_pf_anchors`. diff --git a/rules/system_settings/system_settings_external_intelligence_sign_in_disable.yaml b/rules/system_settings/system_settings_external_intelligence_sign_in_disable.yaml index a5e10231..cae5159d 100644 --- a/rules/system_settings/system_settings_external_intelligence_sign_in_disable.yaml +++ b/rules/system_settings/system_settings_external_intelligence_sign_in_disable.yaml 
@@ -1,7 +1,7 @@ id: system_settings_external_intelligence_sign_in_disable title: Disable External Intelligence Integration Sign In discussion: | - The ability to sign into an external intelligence systems _MUST_ be disabled unless approved by the organiztion. Disabling external intelligence integration will mitigate the risk of data being sent to unapproved third party. + The ability to sign into an external intelligence systems _MUST_ be disabled unless approved by the organization. Disabling external intelligence integration will mitigate the risk of data being sent to unapproved third party. The information system _MUST_ be configured to provide only essential capabilities. check: | diff --git a/rules/system_settings/system_settings_screensaver_password_enforce.yaml b/rules/system_settings/system_settings_screensaver_password_enforce.yaml index 563f7073..0ebca429 100644 --- a/rules/system_settings/system_settings_screensaver_password_enforce.yaml +++ b/rules/system_settings/system_settings_screensaver_password_enforce.yaml @@ -31,6 +31,11 @@ references: - 03.05.01 cmmc: - AC.L2-3.1.10 + cis: + benchmark: + - 2.11.2 (level 1) + controls v8: + - 4.7 macOS: - '26.0' tags: @@ -44,6 +49,8 @@ tags: - cmmc_lvl2 - stig - cnssi-1253_moderate + - cis_lvl1 + - cis_lvl2 severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_softwareupdate_current.yaml b/rules/system_settings/system_settings_softwareupdate_current.yaml index 73576924..bd61feca 100644 --- a/rules/system_settings/system_settings_softwareupdate_current.yaml +++ b/rules/system_settings/system_settings_softwareupdate_current.yaml 
@@ -2,11 +2,11 @@ id: system_settings_softwareupdate_current title: Ensure Software Update is Updated and Current discussion: | Make sure Software Update is updated and current. - - NOTE: Automatic fix can cause unplanned restarts and may lose work. + + link:https://support.apple.com/en-us/108382[Update macOS on Mac] or if enrolled in an MDM consult your MDM's documentation for automated methods. check: | softwareupdate_date_epoch=$(/bin/date -j -f "%Y-%m-%d" "$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist LastFullSuccessfulDate | /usr/bin/awk '{print $1}')" "+%s") - thirty_days_epoch=$(/bin/date -v -30d "+%s") + thirty_days_epoch=$(/bin/date -v -$ODV "+%s") if [[ $softwareupdate_date_epoch -lt $thirty_days_epoch ]]; then /bin/echo "0" else @@ -15,38 +15,50 @@ check: | result: integer: 1 fix: | - [source,bash] - ---- - /usr/sbin/softwareupdate -i -a - ---- - NOTE - This will apply to the whole system + NOTE: See discussion on how to install software updates. references: cce: - CCE-95405-7 cci: - - N/A + - CCI-002605 800-53r5: - - N/A - 800-53r4: - - N/A + - SI-2 srg: - - N/A + - SRG-OS-000439-GPOS-00195 disa_stig: - - N/A + - APPL-26-999999 800-171r3: - - N/A + - 03.14.01 + - 03.14.02 cis: benchmark: - 1.1 (level 1) controls v8: - 7.3 - 7.4 + cmmc: + - SI.L1-3.14.1 + - SI.L1-3.14.2 + - SI.L1-3.14.4 macOS: - '26.0' +odv: + hint: Maximum Days of Deferral + recommended: 30 + cis_lvl1: 30 + cis_lvl2: 30 + stig: 30 tags: - cis_lvl1 - cis_lvl2 - cisv8 + - stig + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-171 + - cmmc_lvl2 + - cmmc_lvl1 severity: medium mobileconfig: false mobileconfig_info: diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py index 38dbe8ef..661152e3 100755 --- a/scripts/generate_baseline.py +++ b/scripts/generate_baseline.py 
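Review bot: `/bin/date -v -$ODV` lost the `d` unit suffix that the replaced `-v -30d` carried, so with the default ODV of 30 the shell runs `date -v -30`; BSD date(1) requires a unit letter when val is numeric, so as far as I can tell the command errors, `thirty_days_epoch` is left empty, and the `[[ ... -lt ... ]]` comparison no longer tests a 30-day window and may fall through to the `echo "1"` PASS branch on a stale system. The ODV hint is `Maximum Days of Deferral`, so the line should read `thirty_days_epoch=$(/bin/date -v -"${ODV}"d "+%s")`, and renaming the variable to something like `deferral_epoch` on both lines would stop the name from lying once the value is tunable. The `defaults read ... LastFullSuccessfulDate` call has no fallback when the key is absent (a Mac that has never completed an update), in which case `date -j -f` is fed an empty string; that predates this change but is worth guarding while the check is being touched.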
@@ -515,7 +515,7 @@ def main(): print("No rules found for the keyword provided, please verify from the following list:") available_tags(all_rules) else: - _established_benchmarks = ['stig', 'cis_lvl1', 'cis_lvl2'] + _established_benchmarks = ['nlmapgov_base', 'nlmapgov_plus', 'stig', 'cis_lvl1', 'cis_lvl2'] if any(bm in args.keyword for bm in _established_benchmarks): benchmark = args.keyword else: diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 18fdb852..c7107238 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -402,7 +402,7 @@ def concatenate_payload_settings(settings): def generate_profiles( - baseline_name, build_path, parent_dir, baseline_yaml, signing, hash="" + baseline_name, build_path, parent_dir, baseline_yaml, signing, hash="", generate_domain=True, generate_consolidated=True ): """Generate the configuration profiles for the rules in the provided baseline YAML file""" @@ -525,6 +525,15 @@ def generate_profiles( ) for error in profile_errors: print(error) + + consolidated_profile = PayloadDict( + identifier="consolidated." + baseline_name, + uuid=False, + organization="macOS Security Compliance Project", + displayname=f"{baseline_name} settings", + description=f"Consolidated configuration settings for {baseline_name}." + ) + # process the payloads from the yaml file and generate new config profile for each type for payload, settings in profile_types.items(): if payload.startswith("."): 
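Review bot: `any(bm in args.keyword for bm in _established_benchmarks)` is a substring test when `args.keyword` is a string, so a keyword such as `stig_custom` or any tag that happens to contain `cis_lvl1` is routed down the established-benchmark branch and assigned to `benchmark` unchanged; if exact membership is intended, `if args.keyword in _established_benchmarks:` states it directly. The enclosing `main()` starts and ends outside this hunk, so how `benchmark` is consumed afterwards is not visible here.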
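Review bot: `generate_profiles` gains `generate_domain` and `generate_consolidated` but its docstring stays a single line, so nothing tells a caller what the two flags select or that `hash` is the signing-identity value handed to `sign_config_profile` rather than Python's builtin; extend the docstring with a short parameter list along the lines of `generate_domain: write one profile per payload domain; generate_consolidated: additionally write a single {baseline_name}.mobileconfig containing every payload; hash: signing identity passed to sign_config_profile`. Both new flags are booleans that can be passed positionally, so declaring them keyword-only (`*, generate_domain=True, generate_consolidated=True`) would protect the call in `main()`, which already passes them by name. The function body continues beyond this hunk.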
@@ -572,35 +581,35 @@ def generate_profiles( if payload == "com.apple.ManagedClient.preferences": for item in settings: newProfile.addMCXPayload(item, baseline_name) + consolidated_profile.addMCXPayload(item, baseline_name) # handle these payloads for array settings elif ( (payload == "com.apple.applicationaccess.new") or (payload == "com.apple.systempreferences") or (payload == "com.apple.SetupAssistant.managed") ): - newProfile.addNewPayload( - payload, concatenate_payload_settings(settings), baseline_name - ) + newProfile.addNewPayload(payload, concatenate_payload_settings(settings), baseline_name) + consolidated_profile.addNewPayload(payload, concatenate_payload_settings(settings), baseline_name) else: newProfile.addNewPayload(payload, settings, baseline_name) + consolidated_profile.addNewPayload(payload, settings, baseline_name) + + if generate_domain: + with open(settings_plist_file_path, "wb") as settings_plist_file: + newProfile.finalizeAndSavePlist(settings_plist_file) + with open(unsigned_mobileconfig_file_path, "wb") as unsigned_mobileconfig_file: + newProfile.finalizeAndSave(unsigned_mobileconfig_file) + if signing: + sign_config_profile(unsigned_mobileconfig_file_path, signed_mobileconfig_file_path, hash) + + if generate_consolidated: + consolidated_mobileconfig_file_path = os.path.join(unsigned_mobileconfig_output_path, f"{baseline_name}.mobileconfig") + with open(consolidated_mobileconfig_file_path, "wb") as consolidated_mobileconfig_file: + consolidated_profile.finalizeAndSave(consolidated_mobileconfig_file) if signing: - unsigned_file_path = os.path.join(unsigned_mobileconfig_file_path) - unsigned_config_file = open(unsigned_file_path, "wb") - newProfile.finalizeAndSave(unsigned_config_file) - settings_config_file = open(settings_plist_file_path, "wb") - newProfile.finalizeAndSavePlist(settings_config_file) - unsigned_config_file.close() - # sign the profiles - sign_config_profile(unsigned_file_path, signed_mobileconfig_file_path, hash) - # delete 
the unsigned - - else: - config_file = open(unsigned_mobileconfig_file_path, "wb") - settings_config_file = open(settings_plist_file_path, "wb") - newProfile.finalizeAndSave(config_file) - newProfile.finalizeAndSavePlist(settings_config_file) - config_file.close() + signed_consolidated_mobileconfig_path = os.path.join(signed_mobileconfig_output_path, f"{baseline_name}.mobileconfig") + sign_config_profile(consolidated_mobileconfig_file_path, signed_consolidated_mobileconfig_path, hash) print( f""" @@ -889,17 +898,16 @@ def default_audit_plist(baseline_name, build_path, baseline_yaml): plist_output_path, "org." + baseline_name + ".audit.plist" ) - plist_file = open(plist_file_path, "wb") + with open(plist_file_path, "wb") as plist_file: + plist_dict = {} - plist_dict = {} + for sections in baseline_yaml["profile"]: + for profile_rule in sections["rules"]: + if profile_rule.startswith("supplemental"): + continue + plist_dict[profile_rule] = {"exempt": False} - for sections in baseline_yaml["profile"]: - for profile_rule in sections["rules"]: - if profile_rule.startswith("supplemental"): - continue - plist_dict[profile_rule] = {"exempt": False} - - plistlib.dump(plist_dict, plist_file) + plistlib.dump(plist_dict, plist_file) def generate_script(baseline_name, audit_name, build_path, baseline_yaml, reference): @@ -945,14 +953,6 @@ if [[ $EUID -ne 0 ]]; then exit 1 fi -ssh_key_check=0 -if /usr/sbin/sshd -T &> /dev/null || /usr/sbin/sshd -G &>/dev/null; then - ssh_key_check=0 -else - /usr/bin/ssh-keygen -q -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key - ssh_key_check=1 -fi - # path to PlistBuddy plb="/usr/libexec/PlistBuddy" @@ -1514,12 +1514,6 @@ else read_options done fi - -if [[ "$ssh_key_check" -ne 0 ]]; then - /bin/rm /etc/ssh/ssh_host_rsa_key - /bin/rm /etc/ssh/ssh_host_rsa_key.pub - ssh_key_check=0 -fi """ # write out the compliance script 
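Review bot: The `if generate_consolidated:` block, which calls `consolidated_profile.finalizeAndSave` and then `sign_config_profile`, appears to sit at the same level as the per-payload save code it replaces, i.e. inside the `for payload, settings in profile_types.items()` loop (the collapsed diff does not preserve indentation, so this is inferred); if so, the consolidated profile is finalized, written and signed once per payload domain, each pass overwriting the previous file, and whatever bookkeeping `finalizeAndSave` performs on the PayloadDict is repeated every iteration. Move that block to after the loop so the consolidated profile is finalized exactly once, and consider writing its settings plist with `finalizeAndSavePlist` alongside it the way the domain branch does, since the audit tooling otherwise has only per-domain plists to read. `generate_profiles` starts and ends outside this hunk.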
@@ -2065,7 +2059,14 @@ def create_args(): "-p", "--profiles", default=None, - help="Generate configuration profiles for the rules.", + help="Generate domain-specific configuration profiles for the rules.", + action="store_true", + ) + parser.add_argument( + "-P", + "--consolidated-profile", + default=None, + help="Generate consolidated configuration profile for all rules.", action="store_true", ) parser.add_argument( @@ -2730,10 +2731,20 @@ def main(): else: audit_name = baseline_name - if args.profiles: - print("Generating configuration profiles...") + if args.profiles or args.consolidated_profile: + # Build message based on what's being generated + messages = [] + if args.profiles: + messages.append("domain-specific") + if args.consolidated_profile: + messages.append("consolidated") + + print(f"Generating {' and '.join(messages)} configuration profiles...") + + # Single call to generate_profiles with both parameters generate_profiles( - baseline_name, build_path, parent_dir, baseline_yaml, signing, args.hash + baseline_name, build_path, parent_dir, baseline_yaml, signing, args.hash, + generate_domain=args.profiles, generate_consolidated=args.consolidated_profile ) if args.ddm: diff --git a/scripts/generate_mapping.py b/scripts/generate_mapping.py index 938bb6aa..85720226 100755 --- a/scripts/generate_mapping.py +++ b/scripts/generate_mapping.py 
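Review bot: `-P/--consolidated-profile`, like the existing `-p`, pairs `default=None` with `action="store_true"`, so an absent flag yields `None` rather than `False`, and that `None` is now forwarded as `generate_domain`/`generate_consolidated` into a function whose own defaults are booleans; drop the `default=None` lines so argparse's `store_true` default of `False` applies, or pass `bool(args.profiles)` and `bool(args.consolidated_profile)` at the call site. In `main()`, `' and '.join(messages)` produces `Generating consolidated configuration profiles...` even though the consolidated path writes a single file, so the noun could be singular in that case. Both `create_args` and `main` continue outside this hunk.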
@@ -505,10 +505,10 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve try: - if os.path.isdir("../build/" + other_header.lower() + "/baseline/") == False: - os.mkdir("../build/" + other_header.lower() + "/baseline") + if os.path.isdir("../build/baselines/") == False: + os.mkdir("../build/baselines") - with open("../build/" + other_header.lower() + "/baseline/" + other_header.lower().replace(" ","_") + ".yaml",'w') as fw: + with open("../build/baselines/" + other_header.lower().replace(" ","_") + ".yaml",'w') as fw: fw.write(full_baseline) print(other_header.lower().replace(" ","_") + ".yaml baseline file created in build/" + other_header + "/baseline/") diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc index e016e486..210a1036 100644 --- a/templates/adoc_additional_docs.adoc +++ b/templates/adoc_additional_docs.adoc @@ -29,7 +29,7 @@ ASSOCIATED DOCUMENTS |=== |Document Number or Descriptor |Document Title -|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_15_V1R3_STIG.zip[STIG Ver 1, Rel 4]|_Apple macOS 15 (Sequoia) STIG_ +|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_26_V1R1_STIG.zip[STIG Ver 1, Rel 1]|_Apple macOS 26 (Tahoe) STIG_ |=== [%header, cols=2*a] @@ -64,5 +64,5 @@ ASSOCIATED DOCUMENTS |=== |Document Number or Descriptor |Document Title -|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 15.0]|_CIS Apple macOS 15.0 Benchmark version 1.1.0_ +|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 26.0]|_CIS Apple macOS 26.0 Benchmark version 1.0.0_ |=== \ No newline at end of file
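Review bot: The write path moves to `../build/baselines/<name>.yaml`, but the `print` on the context line that follows still reports `created in build/<other_header>/baseline/`, so the success message now names a directory the script no longer writes to; change it to `print(other_header.lower().replace(" ","_") + ".yaml baseline file created in build/baselines/")`. The `if os.path.isdir(...) == False: os.mkdir(...)` pair can be replaced by `os.makedirs("../build/baselines", exist_ok=True)`, which removes the check-then-create race and the `== False` comparison. The relative `../build` prefix assumes the script is run from `scripts/`, which predates this change.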