mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-02-03 05:53:24 +00:00
30d4a1af04
* refactor[rules] STIG IDs Initial STIG-IDs added to rule files. * refactor[rules]ccis added New CCIs added to rules * refactor[rules] SRGs added New SRGs added to stig rules * refactor[rule] pwpolicy_custom_regex_enforce Remove unneeded SRG * refactor[rules] Added, Removed, Updated rules - os_authenticated_root_enable, updated check - os_directory_services_configured, removed from stig - os_ess_installed, removed from stig - os_firewall_log_enable, removed from 15.x - os_genmoji_disable, added 800-53 and stig - os_image_generation_disable, added 800-53 and sti.yaml - os_iphone_mirroring_disable - os_password_autofill_disable, added 800-53 and sti - os_ssh_fips_compliant, fixed check/fix - os_ssh_server_alive_count_max_configure, fixed fix - os_ssh_server_alive_interval_configure, fixed fix - os_sshd_fips_compliant, fixed fix/check - os_sudo_log_enforce, added 800-53 and stig - os_writing_tools_disable, added 800-53 and sti - pwpolicy_custom_regex_enforce, updated regex - system_settings_ssh_enable, removed from stig * refactor[rules] Removed from STIG Removed CCI, SRG, STIG ID, and STIG tag * refactor[rules]Added new STIG IDs Added STIG ID to - os_genmoji_disable - os_image_generation_disable - os_sudo_log_enforce - os_writing_tools_disable * Added new rule file * Add APPL-15-002023 * added APPL-15-002024 * fix[rules] removed tags for rules removed removed tags from rules removed from cis * added os_time_server_enable back to cis * Update Gitignore * Updating CIS benchmark and tags in missed rules. * refactor[rules]ssh fips and sshd fips Updated check and fix for ssh and sshd for FIPS * refactor[rules]ssh and sshd fips added check into sshd to not fix if proper * Fixed ODV regression for CIS * added missing path to grep * removed [ ] * Fix to not print, and fix multiple entries in .ssh/config * added dev null redirection, prevention of double entries * Fixed bin to dev and case insensitive sed * 800-171 Rev 2 to Rev 3 * Updated media sharing key * Updated STIG ID * merge from sequoia * refactor[rules] ssh fixes Updated ssh fixes to match os_ssh_fips_compliant * slightly simplier fix. removed unneeded loop * slightly simplier fix. removed unneeded loop * Adjusting CIS numbering. * fix[rule] fixed path Fixed path in system_settings_system_wide_preferences_configure * fix[rule] fixed path on line 63 fixed path in system_settings_system_wide_preferences_configure * fix[rule] added reference Added reference to os_sudo_log_enforce * refactor[rules] Added, Modified and deleted rules Added os_mail_summary_disable Added os_photos_enhanced_search_disable Removed system_settings_cd_dvd_sharing_disable Modified system_settings_improve_search_disable - updated title Modified system_settings_improve_siri_dictation_disable - updated title * renamed .yml to .yaml * changes for upcoming cis release * refactor - DISA STIG references updated to sequoia for DISA STIG baseline file created for disa stig * added os_sleep_and_display_sleep_apple_silicon_enable to all_rules * refactor[rules] CNSSI tags added Added CNSSI1253 low, moderate, high tags * refactor[baselines] Updated baseline files Updated cnssi1253 baseline files Updated all_rules baseline file Updated CIS baseline files * udpdated baseline files * [fix]system_settings_sleep_enforce sleep/displaysleep swap * updated title * fix[rule] remove cis tags and reference remove cis ref & tag from system_settings_improve_search_disable issue #443 * Adding arm64 tag to os_sleep_and_display_sleep_apple_silicon_enable * Fixing Sleep/displaysleep numbers based on CIS changes. * Fixing os_sleep_and_display_sleep_apple_silicon_enable * Removing DRAFT status from CIS * [fix]rule world writable library folder os_world_writable_library_folder_configure issue# 445 * refactor[rules] Added missing CCEs Replaced N/A CCEs for os_mail_summary_disable and os_photos_enhanced_search_disable * fix[rule] updated odv hint pwpolicy_custom_regex_enforce odv hint updated * Update system_settings_improve_assistive_voice_disable Issue #450 * refactor[rules]pwpolicy updates Removed 800-53 and 800-171 tags Updated discussion to reflect NIST SP 800-63 and Executive Order M-22-09 * refactor[rules] Added external intelligence rules Added rules to disable external intelligence features for 15.2 * Issue #450 * updated pwpolicy * Added CCEs * Removed double stig tag * updated baseline files * updated changelog * removed rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml * updated changelog * update[supplemental]: added 800-63 guidance fix[supplemental]: update note about filevault unlock * refactor[rule] pwpolicy_special_character_enforce Updated check to allow greater than ODV. Issue #451 * refactor[rules] ssh rules discussion update Added mention of /usr/libexec/reset-ssh-configuration. * updated release date and version * Added uniq to prevent false negatives * updated authors * updated release date --------- Co-authored-by: Allen Golbig <golbiga@gmail.com> Co-authored-by: mahlmanj <john.mahlman@leidos.com> Co-authored-by: Dan Brodjieski <daniel.brodjieski@nasa.gov>
image::templates/images/mscp_banner_outline.png[]
// settings:
:idprefix:
:idseparator: -
ifndef::env-github[:icons: font]
ifdef::env-github[]
:status:
//:outfilesuffix: .adoc
:caution-caption: :fire:
:important-caption: :exclamation:
:note-caption: :paperclip:
:tip-caption: :bulb:
:warning-caption: :warning:
endif::[]
:uri-org: https://github.com/usnistgov
:uri-repo: {uri-org}/macos_security
ifdef::status[]
image:https://badgen.net/badge/icon/apple?icon=apple&label[link="https://www.apple.com/"]
image:https://badgen.net/badge/icon/14.0?icon=apple&label[link="https://www.apple.com/macos"]
endif::[]
IMPORTANT: We recommend working off of one of the OS branches, rather than the `main` branch.
The macOS Security Compliance Project is an link:LICENSE.md[open source] effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Security and Privacy Controls for Information Systems and Organizations_, Revision 5. This is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL).
This project is the technical implementation of NIST Special Publication, 800-219 (Rev. 1) https://csrc.nist.gov/pubs/sp/800/219/r1/final[Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP)]. NIST Special Publication 800-219 is the official guidance from for automated secure configuration for macOS.
Apple acknowledges the macOS Security Compliance Project with information on their https://support.apple.com/guide/certifications/macos-security-compliance-project-apc322685bb2/web[Platform Certifications] page.
This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
To learn more about the project, please see the {uri-repo}/wiki[wiki].
If you are interested in supporting the development of the project, refer to the link:CONTRIBUTING.adoc[contributor guidance] for more information.
== Usage
Civilian agencies are to use the National Checklist Program as required by https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final[NIST 800-70].
[NOTE]
====
Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) states, “In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology’s website at https://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.”
====
== Authors
[width="100%",cols="1,1"]
|===
|Bob Gendler|NIST
|Allen Golbig|Jamf
|Dan Brodjieski|NASA
|John Mahlman IV|Leidos
|Aaron Kegerreis|DISA
|Henry Stamerjohann|Zentral Pro Services GmbH
|Marco A Piñeryo II|State Department
|Jason Blake|NIST
|Blair Heiserman|NIST
|Joshua Glemza|NASA
|Elyse Anderson|NASA
|Gary Gapinski|NASA
|===
== Changelog
Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes.
== NIST Disclaimer
Any identification of commercial or open-source software in this document is done so purely in order to specify the methodology adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the software identified are necessarily the best available for the purpose.