usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 14:03:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity
Files
5acbdbd21e8397cdb0a6fb80e7b1dc5c3397b7c0
macos_security/rules/os/os_mail_app_disable.yaml
Dan Brodjieski 5acbdbd21e chore: clean up extraneous trailing whitespace
2023-09-14 14:21:06 -04:00

79 lines
2.2 KiB
YAML
Raw Blame History

id: os_mail_app_disable
title: "Disable Mail App"
discussion: |
The macOS built-in Mail.app _MUST_ be disabled.
The Mail.app contains functionality that can establish connections to Apple's iCloud, even when security controls to disable iCloud access have been put in place.
[IMPORTANT]
====
Some organizations allow the use of the built-in Mail.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====
[IMPORTANT]
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements.
====
check: |
/usr/bin/osascript -l JavaScript << EOS
function run() {
let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
.objectForKey('familyControlsEnabled'))
let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
.objectForKey('pathBlackList').js
for ( let app in pathlist ) {
if ( ObjC.unwrap(pathlist[app]) == "/Applications/Mail.app" && pref1 == true ){
return("true")
}
}
return("false")
}
EOS
result:
string: "true"
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-92820-0
cci:
- N/A
800-53r5:
- AC-20
- CM-7
- CM-7(1)
800-53r4:
- CM-7
- CM-7(1)
- AC-20
srg:
- N/A
disa_stig:
- N/A
800-171r2:
- 3.1.20
- 3.4.6
cis:
benchmark:
- N/A
controls v8:
- 4.1
- 4.8
cmmc:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- "14.0"
tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:
familyControlsEnabled: true
pathBlackList:
- /Applications/Mail.app
Reference in New Issue View Git Blame Copy Permalink