mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-02-03 05:53:24 +00:00
117 lines
2.8 KiB
YAML
117 lines
2.8 KiB
YAML
id: os_sip_enable
|
|
title: Ensure System Integrity Protection is Enabled
|
|
discussion: |
|
|
System Integrity Protection (SIP) _MUST_ be enabled.
|
|
|
|
SIP is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended modifications to protected files and folders; ensures the presence of an audit record generation capability for defined auditable events for all operating system components; protects audit tools from unauthorized access, modification, and deletion; restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS; and prevents non-privileged users from granting other users direct access to the contents of their home directories and folders.
|
|
|
|
NOTE: SIP is enabled by default in macOS.
|
|
check: |
|
|
/usr/bin/csrutil status | /usr/bin/grep -c 'System Integrity Protection status: enabled.'
|
|
result:
|
|
integer: 1
|
|
fix: |
|
|
[source,bash]
|
|
----
|
|
/usr/bin/csrutil enable
|
|
----
|
|
NOTE: To re-enable "System Integrity Protection", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
|
|
references:
|
|
cce:
|
|
- CCE-95298-6
|
|
cci:
|
|
- CCI-000154
|
|
- CCI-000158
|
|
- CCI-000169
|
|
- CCI-001493
|
|
- CCI-001494
|
|
- CCI-001495
|
|
- CCI-001499
|
|
- CCI-001875
|
|
- CCI-001876
|
|
- CCI-001877
|
|
- CCI-001878
|
|
- CCI-001879
|
|
- CCI-001880
|
|
- CCI-001881
|
|
- CCI-001882
|
|
- CCI-001090
|
|
- CCI-001496
|
|
800-53r5:
|
|
- AC-3
|
|
- AU-9
|
|
- AU-9(3)
|
|
- CM-5
|
|
- CM-5(6)
|
|
- SC-4
|
|
- SI-2
|
|
- SI-7
|
|
800-53r4:
|
|
- AC-3
|
|
- AU-6(4)
|
|
- AU-7(1)
|
|
- AU-7
|
|
- AU-9
|
|
- AU-9(3)
|
|
- CM-5(6)
|
|
- CM-5
|
|
- SC-4
|
|
srg:
|
|
- SRG-OS-000256-GPOS-00097
|
|
- SRG-OS-000057-GPOS-00027
|
|
- SRG-OS-000062-GPOS-00031
|
|
- SRG-OS-000051-GPOS-00024
|
|
- SRG-OS-000054-GPOS-00025
|
|
- SRG-OS-000278-GPOS-00108
|
|
- SRG-OS-000080-GPOS-00048
|
|
- SRG-OS-000059-GPOS-00029
|
|
- SRG-OS-000138-GPOS-00069
|
|
- SRG-OS-000257-GPOS-00098
|
|
- SRG-OS-000258-GPOS-00099
|
|
- SRG-OS-000259-GPOS-00100
|
|
- SRG-OS-000122-GPOS-00063
|
|
- SRG-OS-000058-GPOS-00028
|
|
disa_stig:
|
|
- APPL-26-005001
|
|
800-171r3:
|
|
- 03.01.02
|
|
- 03.03.08
|
|
- 03.04.05
|
|
- 03.13.04
|
|
cis:
|
|
benchmark:
|
|
- 5.1.2 (level 1)
|
|
controls v8:
|
|
- 2.3
|
|
- 2.6
|
|
- 10.5
|
|
cmmc:
|
|
- AC.L1-3.1.1
|
|
- AU.L2-3.3.8
|
|
- CM.L2-3.4.5
|
|
- SC.L2-3.13.4
|
|
- SI.L1-3.14.1
|
|
- SI.L1-3.14.4
|
|
macOS:
|
|
- '26.0'
|
|
tags:
|
|
- 800-53r5_low
|
|
- 800-53r5_moderate
|
|
- 800-53r5_high
|
|
- 800-53r4_low
|
|
- 800-53r4_moderate
|
|
- 800-53r4_high
|
|
- 800-171
|
|
- cisv8
|
|
- cis_lvl1
|
|
- cis_lvl2
|
|
- cnssi-1253_low
|
|
- cnssi-1253_high
|
|
- cmmc_lvl2
|
|
- cmmc_lvl1
|
|
- stig
|
|
- cnssi-1253_moderate
|
|
severity: high
|
|
mobileconfig: false
|
|
mobileconfig_info:
|