├── .gitattributes
├── .github
└── ISSUE_TEMPLATE
│ ├── .bug_report.md.swp
│ ├── bug_report.md
│ └── feature-proposal.md
├── .gitignore
├── CHANGELOG.adoc
├── CONTRIBUTING.adoc
├── Gemfile
├── LICENSE.md
├── README.adoc
├── VERSION.yaml
├── baselines
├── 800-171.yaml
├── 800-53r5_high.yaml
├── 800-53r5_low.yaml
├── 800-53r5_moderate.yaml
├── DISA-STIG.yaml
├── all_rules.yaml
├── cis_lvl1.yaml
├── cis_lvl2.yaml
├── cisv8.yaml
├── cmmc_lvl1.yaml
├── cmmc_lvl2.yaml
├── cnssi-1253_high.yaml
├── cnssi-1253_low.yaml
└── cnssi-1253_moderate.yaml
├── build
└── .gitignore
├── custom
├── .gitignore
├── rules
│ └── .gitignore
└── sections
│ └── .gitignore
├── includes
├── 800-53_baselines.yaml
├── com.apple.alf.private_data.mobileconfig
├── com.apple.security.authorization.mobileconfig
├── enablePF-mscp.sh
├── mscp-data.yaml
├── pwpolicy.xml
└── supported_payloads.yaml
├── requirements.txt
├── rules
├── audit
│ ├── audit_acls_files_configure.yaml
│ ├── audit_acls_folders_configure.yaml
│ ├── audit_alert_processing_fail.yaml
│ ├── audit_auditd_enabled.yaml
│ ├── audit_configure_capacity_notify.yaml
│ ├── audit_control_acls_configure.yaml
│ ├── audit_control_group_configure.yaml
│ ├── audit_control_mode_configure.yaml
│ ├── audit_control_owner_configure.yaml
│ ├── audit_enforce_dual_auth.yaml
│ ├── audit_failure_halt.yaml
│ ├── audit_files_group_configure.yaml
│ ├── audit_files_mode_configure.yaml
│ ├── audit_files_owner_configure.yaml
│ ├── audit_flags_aa_configure.yaml
│ ├── audit_flags_ad_configure.yaml
│ ├── audit_flags_ex_configure.yaml
│ ├── audit_flags_fd_configure.yaml
│ ├── audit_flags_fm_configure.yaml
│ ├── audit_flags_fm_failed_configure.yaml
│ ├── audit_flags_fr_configure.yaml
│ ├── audit_flags_fw_configure.yaml
│ ├── audit_flags_lo_configure.yaml
│ ├── audit_folder_group_configure.yaml
│ ├── audit_folder_owner_configure.yaml
│ ├── audit_folders_mode_configure.yaml
│ ├── audit_off_load_records.yaml
│ ├── audit_record_reduction_report_generation.yaml
│ ├── audit_records_processing.yaml
│ ├── audit_retention_configure.yaml
│ └── audit_settings_failure_notify.yaml
├── auth
│ ├── auth_pam_login_smartcard_enforce.yaml
│ ├── auth_pam_su_smartcard_enforce.yaml
│ ├── auth_pam_sudo_smartcard_enforce.yaml
│ ├── auth_smartcard_allow.yaml
│ ├── auth_smartcard_certificate_trust_enforce_high.yaml
│ ├── auth_smartcard_certificate_trust_enforce_moderate.yaml
│ ├── auth_smartcard_enforce.yaml
│ └── auth_ssh_password_authentication_disable.yaml
├── icloud
│ ├── icloud_addressbook_disable.yaml
│ ├── icloud_appleid_system_settings_disable.yaml
│ ├── icloud_bookmarks_disable.yaml
│ ├── icloud_calendar_disable.yaml
│ ├── icloud_drive_disable.yaml
│ ├── icloud_freeform_disable.yaml
│ ├── icloud_game_center_disable.yaml
│ ├── icloud_keychain_disable.yaml
│ ├── icloud_mail_disable.yaml
│ ├── icloud_notes_disable.yaml
│ ├── icloud_photos_disable.yaml
│ ├── icloud_private_relay_disable.yaml
│ ├── icloud_reminders_disable.yaml
│ └── icloud_sync_disable.yaml
├── os
│ ├── os_access_control_mobile_devices.yaml
│ ├── os_account_modification_disable.yaml
│ ├── os_airdrop_disable.yaml
│ ├── os_allow_info_passed.yaml
│ ├── os_anti_virus_installed.yaml
│ ├── os_appleid_prompt_disable.yaml
│ ├── os_application_sandboxing.yaml
│ ├── os_asl_log_files_owner_group_configure.yaml
│ ├── os_asl_log_files_permissions_configure.yaml
│ ├── os_auth_peripherals.yaml
│ ├── os_authenticated_root_enable.yaml
│ ├── os_blank_bluray_disable.yaml
│ ├── os_blank_cd_disable.yaml
│ ├── os_blank_dvd_disable.yaml
│ ├── os_bluray_read_only_enforce.yaml
│ ├── os_bonjour_disable.yaml
│ ├── os_burn_support_disable.yaml
│ ├── os_calendar_app_disable.yaml
│ ├── os_camera_disable.yaml
│ ├── os_cd_read_only_enforce.yaml
│ ├── os_certificate_authority_trust.yaml
│ ├── os_change_security_attributes.yaml
│ ├── os_config_data_install_enforce.yaml
│ ├── os_config_profile_ui_install_disable.yaml
│ ├── os_continuous_monitoring.yaml
│ ├── os_crypto_audit.yaml
│ ├── os_dictation_disable.yaml
│ ├── os_directory_services_configured.yaml
│ ├── os_disk_image_disable.yaml
│ ├── os_dvdram_disable.yaml
│ ├── os_enforce_access_restrictions.yaml
│ ├── os_erase_content_and_settings_disable.yaml
│ ├── os_error_message.yaml
│ ├── os_ess_installed.yaml
│ ├── os_external_storage_access_defined.yaml
│ ├── os_facetime_app_disable.yaml
│ ├── os_fail_secure_state.yaml
│ ├── os_filevault_authorized_users.yaml
│ ├── os_filevault_autologin_disable.yaml
│ ├── os_firewall_default_deny_require.yaml
│ ├── os_firmware_password_require.yaml
│ ├── os_gatekeeper_enable.yaml
│ ├── os_genmoji_disable.yaml
│ ├── os_grant_privs.yaml
│ ├── os_guest_folder_removed.yaml
│ ├── os_handoff_disable.yaml
│ ├── os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
│ ├── os_hibernate_mode_intel_enable.yaml
│ ├── os_home_folders_default.yaml
│ ├── os_home_folders_secure.yaml
│ ├── os_httpd_disable.yaml
│ ├── os_icloud_storage_prompt_disable.yaml
│ ├── os_identify_non-org_users.yaml
│ ├── os_image_generation_disable.yaml
│ ├── os_implement_cryptography.yaml
│ ├── os_implement_memory_protection.yaml
│ ├── os_information_validation.yaml
│ ├── os_install_log_retention_configure.yaml
│ ├── os_iphone_mirroring_disable.yaml
│ ├── os_ir_support_disable.yaml
│ ├── os_isolate_security_functions.yaml
│ ├── os_library_validation_enabled.yaml
│ ├── os_limit_auditable_events.yaml
│ ├── os_limit_dos_attacks.yaml
│ ├── os_limit_gui_sessions.yaml
│ ├── os_logical_access.yaml
│ ├── os_loginwindow_adminhostinfo_undefined.yaml
│ ├── os_logoff_capability_and_message.yaml
│ ├── os_mail_app_disable.yaml
│ ├── os_mail_summary_disable.yaml
│ ├── os_malicious_code_prevention.yaml
│ ├── os_managed_access_control_points.yaml
│ ├── os_map_pki_identity.yaml
│ ├── os_mdm_require.yaml
│ ├── os_messages_app_disable.yaml
│ ├── os_mfa_network_access.yaml
│ ├── os_mfa_network_non-priv.yaml
│ ├── os_mobile_file_integrity_enable.yaml
│ ├── os_network_storage_restriction.yaml
│ ├── os_newsyslog_files_owner_group_configure.yaml
│ ├── os_newsyslog_files_permissions_configure.yaml
│ ├── os_nfsd_disable.yaml
│ ├── os_non_repudiation.yaml
│ ├── os_nonlocal_maintenance.yaml
│ ├── os_notify_account_created.yaml
│ ├── os_notify_account_disabled.yaml
│ ├── os_notify_account_enable.yaml
│ ├── os_notify_account_modified.yaml
│ ├── os_notify_account_removal.yaml
│ ├── os_notify_unauthorized_baseline_change.yaml
│ ├── os_obscure_password.yaml
│ ├── os_on_device_dictation_enforce.yaml
│ ├── os_parental_controls_enable.yaml
│ ├── os_password_autofill_disable.yaml
│ ├── os_password_hint_remove.yaml
│ ├── os_password_proximity_disable.yaml
│ ├── os_password_sharing_disable.yaml
│ ├── os_peripherals_identify.yaml
│ ├── os_photos_enhanced_search_disable.yaml
│ ├── os_pii_deidentification.yaml
│ ├── os_pii_quality_control.yaml
│ ├── os_policy_banner_loginwindow_enforce.yaml
│ ├── os_policy_banner_ssh_configure.yaml
│ ├── os_policy_banner_ssh_enforce.yaml
│ ├── os_power_nap_disable.yaml
│ ├── os_power_nap_enable.yaml
│ ├── os_predictable_behavior.yaml
│ ├── os_prevent_priv_execution.yaml
│ ├── os_prevent_priv_functions.yaml
│ ├── os_prevent_unauthorized_disclosure.yaml
│ ├── os_privacy_principle_minimization.yaml
│ ├── os_privacy_setup_prompt_disable.yaml
│ ├── os_prohibit_remote_activation_collab_devices.yaml
│ ├── os_protect_dos_attacks.yaml
│ ├── os_provide_automated_account_management.yaml
│ ├── os_provide_disconnect_remote_access.yaml
│ ├── os_rapid_security_response_allow.yaml
│ ├── os_rapid_security_response_removal_disable.yaml
│ ├── os_reauth_devices_change_authenticators.yaml
│ ├── os_reauth_privilege.yaml
│ ├── os_reauth_users_change_authenticators.yaml
│ ├── os_recovery_lock_enable.yaml
│ ├── os_remote_access_methods.yaml
│ ├── os_removable_media_disable.yaml
│ ├── os_remove_software_components_after_updates.yaml
│ ├── os_required_crypto_module.yaml
│ ├── os_root_disable.yaml
│ ├── os_safari_advertising_privacy_protection_enable.yaml
│ ├── os_safari_open_safe_downloads_disable.yaml
│ ├── os_safari_prevent_cross-site_tracking_enable.yaml
│ ├── os_safari_show_full_website_address_enable.yaml
│ ├── os_safari_show_status_bar_enabled.yaml
│ ├── os_safari_warn_fraudulent_website_enable.yaml
│ ├── os_screensaver_loginwindow_enforce.yaml
│ ├── os_screensaver_timeout_loginwindow_enforce.yaml
│ ├── os_secure_boot_verify.yaml
│ ├── os_secure_enclave.yaml
│ ├── os_secure_name_resolution.yaml
│ ├── os_separate_functionality.yaml
│ ├── os_setup_assistant_filevault_enforce.yaml
│ ├── os_show_filename_extensions_enable.yaml
│ ├── os_sip_enable.yaml
│ ├── os_siri_prompt_disable.yaml
│ ├── os_skip_screen_time_prompt_enable.yaml
│ ├── os_skip_unlock_with_watch_enable.yaml
│ ├── os_sleep_and_display_sleep_apple_silicon_enable.yaml
│ ├── os_software_update_deferral.yaml
│ ├── os_ssh_fips_compliant.yaml
│ ├── os_ssh_server_alive_count_max_configure.yaml
│ ├── os_ssh_server_alive_interval_configure.yaml
│ ├── os_sshd_channel_timeout_configure.yaml
│ ├── os_sshd_client_alive_count_max_configure.yaml
│ ├── os_sshd_client_alive_interval_configure.yaml
│ ├── os_sshd_fips_compliant.yaml
│ ├── os_sshd_login_grace_time_configure.yaml
│ ├── os_sshd_permit_root_login_configure.yaml
│ ├── os_sshd_unused_connection_timeout_configure.yaml
│ ├── os_store_encrypted_passwords.yaml
│ ├── os_sudo_log_enforce.yaml
│ ├── os_sudo_timeout_configure.yaml
│ ├── os_sudoers_timestamp_type_configure.yaml
│ ├── os_system_read_only.yaml
│ ├── os_system_wide_applications_configure.yaml
│ ├── os_terminal_secure_keyboard_enable.yaml
│ ├── os_terminate_session.yaml
│ ├── os_tftpd_disable.yaml
│ ├── os_time_offset_limit_configure.yaml
│ ├── os_time_server_enabled.yaml
│ ├── os_touchid_prompt_disable.yaml
│ ├── os_unique_identification.yaml
│ ├── os_unlock_active_user_session_disable.yaml
│ ├── os_user_app_installation_prohibit.yaml
│ ├── os_uucp_disable.yaml
│ ├── os_verify_remote_disconnection.yaml
│ ├── os_world_writable_library_folder_configure.yaml
│ ├── os_world_writable_system_folder_configure.yaml
│ └── os_writing_tools_disable.yaml
├── pwpolicy
│ ├── pwpolicy_50_percent.yaml
│ ├── pwpolicy_account_inactivity_enforce.yaml
│ ├── pwpolicy_account_lockout_enforce.yaml
│ ├── pwpolicy_account_lockout_timeout_enforce.yaml
│ ├── pwpolicy_alpha_numeric_enforce.yaml
│ ├── pwpolicy_custom_regex_enforce.yaml
│ ├── pwpolicy_emergency_accounts_disable.yaml
│ ├── pwpolicy_force_password_change.yaml
│ ├── pwpolicy_history_enforce.yaml
│ ├── pwpolicy_lower_case_character_enforce.yaml
│ ├── pwpolicy_max_lifetime_enforce.yaml
│ ├── pwpolicy_minimum_length_enforce.yaml
│ ├── pwpolicy_minimum_lifetime_enforce.yaml
│ ├── pwpolicy_prevent_dictionary_words.yaml
│ ├── pwpolicy_simple_sequence_disable.yaml
│ ├── pwpolicy_special_character_enforce.yaml
│ ├── pwpolicy_temporary_accounts_disable.yaml
│ ├── pwpolicy_temporary_or_emergency_accounts_disable.yaml
│ └── pwpolicy_upper_case_character_enforce.yaml
├── supplemental
│ ├── supplemental_cis_manual.yaml
│ ├── supplemental_controls.yaml
│ ├── supplemental_filevault.yaml
│ ├── supplemental_firewall_pf.yaml
│ ├── supplemental_password_policy.yaml
│ └── supplemental_smartcard.yaml
└── system_settings
│ ├── system_settings_airplay_receiver_disable.yaml
│ ├── system_settings_apple_watch_unlock_disable.yaml
│ ├── system_settings_automatic_login_disable.yaml
│ ├── system_settings_automatic_logout_enforce.yaml
│ ├── system_settings_bluetooth_disable.yaml
│ ├── system_settings_bluetooth_menu_enable.yaml
│ ├── system_settings_bluetooth_settings_disable.yaml
│ ├── system_settings_bluetooth_sharing_disable.yaml
│ ├── system_settings_content_caching_disable.yaml
│ ├── system_settings_critical_update_install_enforce.yaml
│ ├── system_settings_diagnostics_reports_disable.yaml
│ ├── system_settings_external_intelligence_disable.yaml
│ ├── system_settings_external_intelligence_sign_in_disable.yaml
│ ├── system_settings_filevault_enforce.yaml
│ ├── system_settings_find_my_disable.yaml
│ ├── system_settings_firewall_enable.yaml
│ ├── system_settings_firewall_stealth_mode_enable.yaml
│ ├── system_settings_gatekeeper_identified_developers_allowed.yaml
│ ├── system_settings_gatekeeper_override_disallow.yaml
│ ├── system_settings_guest_access_smb_disable.yaml
│ ├── system_settings_guest_account_disable.yaml
│ ├── system_settings_hot_corners_disable.yaml
│ ├── system_settings_hot_corners_secure.yaml
│ ├── system_settings_improve_assistive_voice_disable.yaml
│ ├── system_settings_improve_search_disable.yaml
│ ├── system_settings_improve_siri_dictation_disable.yaml
│ ├── system_settings_install_macos_updates_enforce.yaml
│ ├── system_settings_internet_accounts_disable.yaml
│ ├── system_settings_internet_sharing_disable.yaml
│ ├── system_settings_location_services_disable.yaml
│ ├── system_settings_location_services_enable.yaml
│ ├── system_settings_location_services_menu_enforce.yaml
│ ├── system_settings_loginwindow_loginwindowtext_enable.yaml
│ ├── system_settings_loginwindow_prompt_username_password_enforce.yaml
│ ├── system_settings_media_sharing_disabled.yaml
│ ├── system_settings_password_hints_disable.yaml
│ ├── system_settings_personalized_advertising_disable.yaml
│ ├── system_settings_printer_sharing_disable.yaml
│ ├── system_settings_rae_disable.yaml
│ ├── system_settings_remote_management_disable.yaml
│ ├── system_settings_screen_sharing_disable.yaml
│ ├── system_settings_screensaver_ask_for_password_delay_enforce.yaml
│ ├── system_settings_screensaver_password_enforce.yaml
│ ├── system_settings_screensaver_timeout_enforce.yaml
│ ├── system_settings_siri_disable.yaml
│ ├── system_settings_siri_listen_disable.yaml
│ ├── system_settings_siri_settings_disable.yaml
│ ├── system_settings_smbd_disable.yaml
│ ├── system_settings_software_update_app_update_enforce.yaml
│ ├── system_settings_software_update_download_enforce.yaml
│ ├── system_settings_software_update_enforce.yaml
│ ├── system_settings_softwareupdate_current.yaml
│ ├── system_settings_ssh_disable.yaml
│ ├── system_settings_ssh_enable.yaml
│ ├── system_settings_system_wide_preferences_configure.yaml
│ ├── system_settings_time_machine_auto_backup_enable.yaml
│ ├── system_settings_time_machine_encrypted_configure.yaml
│ ├── system_settings_time_server_configure.yaml
│ ├── system_settings_time_server_enforce.yaml
│ ├── system_settings_token_removal_enforce.yaml
│ ├── system_settings_touch_id_settings_disable.yaml
│ ├── system_settings_touchid_unlock_disable.yaml
│ ├── system_settings_usb_restricted_mode.yaml
│ ├── system_settings_wake_network_access_disable.yaml
│ ├── system_settings_wallet_applepay_settings_disable.yaml
│ ├── system_settings_wifi_disable.yaml
│ ├── system_settings_wifi_disable_when_connected_to_ethernet.yaml
│ └── system_settings_wifi_menu_enable.yaml
├── scripts
├── KNOWN_ISSUES
├── generate_baseline.py
├── generate_guidance.py
├── generate_mapping.py
├── generate_scap.py
└── util
│ ├── README
│ ├── generate_checklist.py
│ └── mscp_local_report.py
├── sections
├── auditing.yaml
├── authentication.yaml
├── icloud.yaml
├── inherent.yaml
├── macos.yaml
├── not_applicable.yaml
├── passwordpolicy.yaml
├── permanent.yaml
├── srg.yaml
├── supplemental.yaml
└── systemsettings.yaml
└── templates
├── adoc_acronyms.adoc
├── adoc_additional_docs.adoc
├── adoc_authors.adoc
├── adoc_footer.adoc
├── adoc_foreword.adoc
├── adoc_header.adoc
├── adoc_rule.adoc
├── adoc_rule_custom_refs.adoc
├── adoc_rule_ios.adoc
├── adoc_rule_no_setting.adoc
├── adoc_rules_table_footer.adoc
├── adoc_rules_table_header.adoc
├── adoc_rules_table_row.adoc
├── adoc_scope.adoc
├── adoc_section.adoc
├── adoc_supplemental.adoc
├── asciidoctor.css
├── images
├── mscp_banner.png
├── mscp_banner_outline.png
└── mscp_logo.png
└── mscp-theme.yml
/.gitattributes:
--------------------------------------------------------------------------------
1 | *.yaml linguist-detectable=true
2 | *.adoc linguist-detectable=true
3 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/.bug_report.md.swp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/usnistgov/macos_security/30d4a1af0443332772cd8617d01d7dd3463f8072/.github/ISSUE_TEMPLATE/.bug_report.md.swp
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Bug report
3 | about: Create a report to help us improve
4 | title: ''
5 | labels: ''
6 | assignees: ''
7 |
8 | ---
9 |
10 |
15 |
16 | ### Summary
17 |
18 | (Summarize the bug encountered concisely)
19 |
20 | ### Steps to reproduce
21 |
22 | (How one can reproduce the issue - this is very important)
23 |
24 | ### Operating System version
25 |
26 | (macOS Version and build)
27 |
28 | ### Intel or Apple Silicon
29 |
30 | (Intel based process or Apple Silicon Mac)
31 |
32 | ### What is the current *bug* behavior?
33 |
34 | (What actually happens)
35 |
36 | ### What is the expected *correct* behavior?
37 |
38 | (What you should see instead)
39 |
40 | ### Relevant logs and/or screenshots
41 |
42 | (Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's tough to read otherwise.)
43 |
44 | ### Output of checks
45 |
46 | (Paste any output that occurs with the bug)
47 |
48 | ### Possible fixes
49 |
50 | (If you can, link to the line of code that might be responsible for the problem)
51 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature-proposal.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Feature Proposal
3 | about: Suggest an idea for this project
4 | title: ''
5 | labels: ''
6 | assignees: ''
7 |
8 | ---
9 |
10 | ### Problem to solve
11 |
12 |
13 |
14 | ### Intended users
15 |
16 |
17 |
18 | ### Further details
19 |
20 |
21 |
22 | ### Proposal
23 |
24 |
25 |
26 | ### Documentation
27 |
28 |
29 |
30 | ### Testing
31 |
32 |
33 |
34 | ### What does success look like, and how can we measure that?
35 |
36 |
37 |
38 | ### Links / references
39 |
40 |
41 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 | .vscode
3 | *.lock
4 | .bundle
5 | bin
6 | mscp_gems
7 |
--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------
1 | source 'https://rubygems.org'
2 |
3 | gem 'rexml', '3.2.6'
4 | gem 'asciidoctor', '2.0.22'
5 | gem 'asciidoctor-pdf'
6 | gem 'rouge', '3.30.0'
7 |
--------------------------------------------------------------------------------
/VERSION.yaml:
--------------------------------------------------------------------------------
1 | os: "15.0"
2 | platform: macOS
3 | version: "Sequoia Guidance, Revision 1.1"
4 | cpe: o:apple:macos:15.0
5 | date: "2024-12-16"
6 |
--------------------------------------------------------------------------------
/build/.gitignore:
--------------------------------------------------------------------------------
1 | # Ignore everything in this directory
2 | *
3 | # Except this file
4 | !.gitignore
5 |
--------------------------------------------------------------------------------
/custom/.gitignore:
--------------------------------------------------------------------------------
1 | # Ignore everything in this directory
2 | *
3 | # Except this file
4 | !.gitignore
5 | !sections
6 | !rules
--------------------------------------------------------------------------------
/custom/rules/.gitignore:
--------------------------------------------------------------------------------
1 | # Ignore everything in this directory
2 | *
3 | # Except this file
4 | !.gitignore
--------------------------------------------------------------------------------
/custom/sections/.gitignore:
--------------------------------------------------------------------------------
1 | # Ignore everything in this directory
2 | *
3 | # Except this file
4 | !.gitignore
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | pyyaml
2 | xlwt
3 |
--------------------------------------------------------------------------------
/rules/audit/audit_alert_processing_fail.yaml:
--------------------------------------------------------------------------------
1 | id: audit_alert_processing_fail
2 | title: Alert Audit Processing Failure
3 | discussion: |
4 | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
5 | check: |
6 | The technology does not support this requirement. This is an applicable-does not meet finding.
7 | fix: |
8 | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
9 | references:
10 | cce:
11 | - CCE-94103-9
12 | cci:
13 | - N/A
14 | 800-53r5:
15 | - N/A
16 | 800-53r4:
17 | - N/A
18 | disa_stig:
19 | - N/A
20 | srg:
21 | - N/A
22 | macOS:
23 | - '15.0'
24 | tags:
25 | - permanent
26 | mobileconfig: false
27 | mobileconfig_info:
28 |
--------------------------------------------------------------------------------
/rules/audit/audit_configure_capacity_notify.yaml:
--------------------------------------------------------------------------------
1 | id: audit_configure_capacity_notify
2 | title: Configure Audit Capacity Warning
3 | discussion: |
4 | The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value.
5 |
6 | This rule ensures that the system administrator is notified in advance that action is required to free up more disk space for audit logs.
7 | check: |
8 | /usr/bin/awk -F: '/^minfree/{print $2}' /etc/security/audit_control
9 | result:
10 | integer: $ODV
11 | fix: |
12 | [source,bash]
13 | ----
14 | /usr/bin/sed -i.bak 's/.*minfree.*/minfree:$ODV/' /etc/security/audit_control; /usr/sbin/audit -s
15 | ----
16 | references:
17 | cce:
18 | - CCE-94105-4
19 | cci:
20 | - CCI-000139
21 | - CCI-001855
22 | 800-53r5:
23 | - AU-5(1)
24 | 800-53r4:
25 | - AU-5(1)
26 | srg:
27 | - SRG-OS-000046-GPOS-00022
28 | - SRG-OS-000343-GPOS-00134
29 | disa_stig:
30 | - APPL-15-001030
31 | macOS:
32 | - '15.0'
33 | odv:
34 | hint: Percentage of free space.
35 | recommended: 25
36 | stig: 25
37 | tags:
38 | - 800-53r5_high
39 | - 800-53r4_high
40 | - cnssi-1253_low
41 | - cnssi-1253_high
42 | - stig
43 | - cnssi-1253_moderate
44 | severity: low
45 | mobileconfig: false
46 | mobileconfig_info:
47 |
--------------------------------------------------------------------------------
/rules/audit/audit_control_acls_configure.yaml:
--------------------------------------------------------------------------------
1 | id: audit_control_acls_configure
2 | title: Configure Audit_Control to Not Contain Access Control Lists
3 | discussion: |
4 | /etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs).
5 | check: |
6 | /bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":"
7 | result:
8 | integer: 0
9 | fix: |
10 | [source,bash]
11 | ----
12 | /bin/chmod -N /etc/security/audit_control
13 | ----
14 | references:
15 | cce:
16 | - CCE-94106-2
17 | cci:
18 | - CCI-000162
19 | - CCI-000163
20 | - CCI-000164
21 | - CCI-000171
22 | - CCI-001493
23 | - CCI-001494
24 | - CCI-001495
25 | 800-53r5:
26 | - AU-9
27 | 800-53r4:
28 | - AU-9
29 | srg:
30 | - SRG-OS-000256-GPOS-00097
31 | - SRG-OS-000057-GPOS-00027
32 | - SRG-OS-000063-GPOS-00032
33 | - SRG-OS-000059-GPOS-00029
34 | - SRG-OS-000257-GPOS-00098
35 | - SRG-OS-000258-GPOS-00099
36 | - SRG-OS-000058-GPOS-00028
37 | disa_stig:
38 | - APPL-15-001140
39 | 800-171r3:
40 | - 03.03.08
41 | cis:
42 | benchmark:
43 | - 3.5 (level 1)
44 | controls v8:
45 | - 3.3
46 | cmmc:
47 | - AU.L2-3.3.8
48 | macOS:
49 | - '15.0'
50 | tags:
51 | - cis_lvl1
52 | - cis_lvl2
53 | - cisv8
54 | - cnssi-1253_low
55 | - cnssi-1253_high
56 | - cmmc_lvl2
57 | - stig
58 | - cnssi-1253_moderate
59 | severity: medium
60 | mobileconfig: false
61 | mobileconfig_info:
62 |
--------------------------------------------------------------------------------
/rules/audit/audit_control_group_configure.yaml:
--------------------------------------------------------------------------------
1 | id: audit_control_group_configure
2 | title: Configure Audit_Control Group to Wheel
3 | discussion: |
4 | /etc/security/audit_control _MUST_ have the group set to wheel.
5 | check: |
6 | /bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $4}'
7 | result:
8 | integer: 0
9 | fix: |
10 | [source,bash]
11 | ----
12 | /usr/bin/chgrp wheel /etc/security/audit_control
13 | ----
14 | references:
15 | cce:
16 | - CCE-94107-0
17 | cci:
18 | - CCI-000162
19 | - CCI-000163
20 | - CCI-000164
21 | - CCI-000171
22 | - CCI-001493
23 | - CCI-001494
24 | - CCI-001495
25 | 800-53r5:
26 | - AU-9
27 | 800-53r4:
28 | - AU-9
29 | srg:
30 | - SRG-OS-000256-GPOS-00097
31 | - SRG-OS-000057-GPOS-00027
32 | - SRG-OS-000063-GPOS-00032
33 | - SRG-OS-000059-GPOS-00029
34 | - SRG-OS-000257-GPOS-00098
35 | - SRG-OS-000258-GPOS-00099
36 | - SRG-OS-000058-GPOS-00028
37 | disa_stig:
38 | - APPL-15-001110
39 | 800-171r3:
40 | - 03.03.08
41 | cis:
42 | benchmark:
43 | - 3.5 (level 1)
44 | controls v8:
45 | - 3.3
46 | cmmc:
47 | - AU.L2-3.3.8
48 | macOS:
49 | - '15.0'
50 | tags:
51 | - cis_lvl1
52 | - cis_lvl2
53 | - cisv8
54 | - cnssi-1253_low
55 | - cnssi-1253_high
56 | - cmmc_lvl2
57 | - stig
58 | - cnssi-1253_moderate
59 | severity: medium
60 | mobileconfig: false
61 | mobileconfig_info:
62 |
--------------------------------------------------------------------------------
/rules/audit/audit_control_mode_configure.yaml:
--------------------------------------------------------------------------------
1 | id: audit_control_mode_configure
2 | title: Configure Audit_Control Owner to Mode 440 or Less Permissive
3 | discussion: |
4 | /etc/security/audit_control _MUST_ be configured so that it is readable only by the root user and group wheel.
5 | check: |
6 | /bin/ls -l /etc/security/audit_control | /usr/bin/awk '!/-r--[r-]-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/xargs
7 | result:
8 | integer: 0
9 | fix: |
10 | [source,bash]
11 | ----
12 | /bin/chmod 440 /etc/security/audit_control
13 | ----
14 | references:
15 | cce:
16 | - CCE-94108-8
17 | cci:
18 | - CCI-000162
19 | - CCI-000163
20 | - CCI-000164
21 | - CCI-000171
22 | - CCI-001493
23 | - CCI-001494
24 | - CCI-001495
25 | 800-53r5:
26 | - AU-9
27 | 800-53r4:
28 | - AU-9
29 | srg:
30 | - SRG-OS-000256-GPOS-00097
31 | - SRG-OS-000057-GPOS-00027
32 | - SRG-OS-000063-GPOS-00032
33 | - SRG-OS-000059-GPOS-00029
34 | - SRG-OS-000257-GPOS-00098
35 | - SRG-OS-000258-GPOS-00099
36 | - SRG-OS-000058-GPOS-00028
37 | disa_stig:
38 | - APPL-15-001130
39 | 800-171r3:
40 | - 03.03.08
41 | cis:
42 | benchmark:
43 | - 3.5 (level 1)
44 | controls v8:
45 | - 3.3
46 | cmmc:
47 | - AU.L2-3.3.8
48 | macOS:
49 | - '15.0'
50 | tags:
51 | - cis_lvl1
52 | - cis_lvl2
53 | - cisv8
54 | - cnssi-1253_low
55 | - cnssi-1253_high
56 | - cmmc_lvl2
57 | - stig
58 | - cnssi-1253_moderate
59 | severity: medium
60 | mobileconfig: false
61 | mobileconfig_info:
62 |
--------------------------------------------------------------------------------
/rules/audit/audit_control_owner_configure.yaml:
--------------------------------------------------------------------------------
1 | id: audit_control_owner_configure
2 | title: Configure Audit_Control Owner to Root
3 | discussion: |
4 | /etc/security/audit_control _MUST_ have the owner set to root.
5 | check: |
6 | /bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $3}'
7 | result:
8 | integer: 0
9 | fix: |
10 | [source,bash]
11 | ----
12 | /usr/sbin/chown root /etc/security/audit_control
13 | ----
14 | references:
15 | cce:
16 | - CCE-94109-6
17 | cci:
18 | - CCI-000162
19 | - CCI-000163
20 | - CCI-000164
21 | - CCI-000171
22 | - CCI-001493
23 | - CCI-001494
24 | - CCI-001495
25 | 800-53r5:
26 | - AU-9
27 | 800-53r4:
28 | - AU-9
29 | srg:
30 | - SRG-OS-000256-GPOS-00097
31 | - SRG-OS-000057-GPOS-00027
32 | - SRG-OS-000063-GPOS-00032
33 | - SRG-OS-000059-GPOS-00029
34 | - SRG-OS-000257-GPOS-00098
35 | - SRG-OS-000258-GPOS-00099
36 | - SRG-OS-000058-GPOS-00028
37 | disa_stig:
38 | - APPL-15-001120
39 | 800-171r3:
40 | - 03.03.08
41 | cis:
42 | benchmark:
43 | - 3.5 (level 1)
44 | controls v8:
45 | - 3.3
46 | cmmc:
47 | - AU.L2-3.3.8
48 | macOS:
49 | - '15.0'
50 | tags:
51 | - cis_lvl1
52 | - cis_lvl2
53 | - cisv8
54 | - cnssi-1253_low
55 | - cnssi-1253_high
56 | - cmmc_lvl2
57 | - stig
58 | - cnssi-1253_moderate
59 | severity: medium
60 | mobileconfig: false
61 | mobileconfig_info:
62 |
--------------------------------------------------------------------------------
/rules/audit/audit_enforce_dual_auth.yaml:
--------------------------------------------------------------------------------
1 | id: audit_enforce_dual_auth
2 | title: Enforce Dual Authorization for Movement and Deletion of Audit Information
3 | discussion: |
4 | All bulk manipulation of audit information should be authorized via automatic processes, and any manual manipulation of audit information should require dual authorization. In addition, dual authorization mechanisms should require the approval of two authorized individuals before being executed.
5 |
6 | An authorized user may intentionally or accidentally move or delete audit records without those specific actions being authorized, which would result in the loss of information that could, in the future, be critical for forensic investigation.
7 |
8 | To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
9 | check: |
10 | The technology does not support this requirement. This is an applicable-does not meet finding.
11 | fix: |
12 | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
13 | references:
14 | cce:
15 | - CCE-94110-4
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - AU-9(5)
20 | 800-53r4:
21 | - AU-9(5)
22 | disa_stig:
23 | - N/A
24 | srg:
25 | - SRG-OS-000360-GPOS-00147
26 | macOS:
27 | - '15.0'
28 | tags:
29 | - permanent
30 | - cnssi-1253_high
31 | - srg
32 | mobileconfig: false
33 | mobileconfig_info:
34 |
--------------------------------------------------------------------------------
/rules/audit/audit_failure_halt.yaml:
--------------------------------------------------------------------------------
1 | id: audit_failure_halt
2 | title: Configure System to Shut Down Upon Audit Failure
3 | discussion: |
4 | The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events.
5 |
6 | Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
7 | check: |
8 | /usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'
9 | result:
10 | integer: 1
11 | fix: |
12 | [source,bash]
13 | ----
14 | /usr/bin/sed -i.bak 's/^policy.*/policy: ahlt,argv/' /etc/security/audit_control; /usr/sbin/audit -s
15 | ----
16 | references:
17 | cce:
18 | - CCE-94111-2
19 | cci:
20 | - CCI-000140
21 | 800-53r5:
22 | - AU-5
23 | 800-53r4:
24 | - AU-5
25 | srg:
26 | - SRG-OS-000047-GPOS-00023
27 | disa_stig:
28 | - APPL-15-001010
29 | 800-171r3:
30 | - 03.03.04
31 | cmmc:
32 | - AU.L2-3.3.4
33 | macOS:
34 | - '15.0'
35 | tags:
36 | - 800-53r5_low
37 | - 800-53r5_moderate
38 | - 800-53r5_high
39 | - 800-53r4_low
40 | - 800-53r4_moderate
41 | - 800-53r4_high
42 | - 800-171
43 | - cnssi-1253_low
44 | - cnssi-1253_high
45 | - cmmc_lvl2
46 | - stig
47 | - cnssi-1253_moderate
48 | severity: medium
49 | mobileconfig: false
50 | mobileconfig_info:
51 |
--------------------------------------------------------------------------------
/rules/audit/audit_off_load_records.yaml:
--------------------------------------------------------------------------------
1 | id: audit_off_load_records
2 | title: Off-Load Audit Records
3 | discussion: |
4 | Audit records should be off-loaded onto a different system or media from the system being audited.
5 |
6 | Information stored in only one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
7 |
8 | To secure audit records by off-loading, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
9 | check: |
10 | The technology does not support this requirement. This is an applicable-does not meet finding.
11 | fix: |
12 | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
13 | references:
14 | cce:
15 | - CCE-94127-8
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - AU-4(1)
20 | 800-53r4:
21 | - AU-4(1)
22 | disa_stig:
23 | - N/A
24 | srg:
25 | - SRG-OS-000479-GPOS-00224
26 | - SRG-OS-000342-GPOS-00133
27 | cis:
28 | benchmark:
29 | - N/A
30 | controls v8:
31 | - 8.9
32 | macOS:
33 | - '15.0'
34 | tags:
35 | - permanent
36 | - cisv8
37 | - cnssi-1253_low
38 | - cnssi-1253_high
39 | - srg
40 | - cnssi-1253_moderate
41 | mobileconfig: false
42 | mobileconfig_info:
43 |
--------------------------------------------------------------------------------
/rules/audit/audit_records_processing.yaml:
--------------------------------------------------------------------------------
1 | id: audit_records_processing
2 | title: Audit Record Reduction and Report Generation
3 | discussion: |
4 | The macOS should be configured to provide and implement the capability to process, sort, and search audit records for events of interest based on organizationally defined fields.
5 |
6 | Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component.
7 | check: |
8 | The technology does not support this requirement. This is an applicable-does not meet finding.
9 | fix: |
10 | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
11 | references:
12 | cce:
13 | - CCE-94129-4
14 | cci:
15 | - N/A
16 | 800-53r5:
17 | - AU-7(1)
18 | 800-53r4:
19 | - N/A
20 | srg:
21 | - SRG-OS-000350-GPOS-00138
22 | - SRG-OS-000054-GPOS-00025
23 | disa_stig:
24 | - N/A
25 | 800-171r3:
26 | - N/A
27 | cmmc:
28 | - AU.L2-3.3.6
29 | macOS:
30 | - '15.0'
31 | tags:
32 | - 800-53r5_high
33 | - 800-53r4_high
34 | - 800-53r5_moderate
35 | - permanent
36 | - cnssi-1253_high
37 | - cmmc_lvl2
38 | - srg
39 | - cnssi-1253_moderate
40 | mobileconfig: false
41 | mobileconfig_info:
42 |
--------------------------------------------------------------------------------
/rules/audit/audit_settings_failure_notify.yaml:
--------------------------------------------------------------------------------
1 | id: audit_settings_failure_notify
2 | title: Configure Audit Failure Notification
3 | discussion: |
4 | The audit service _MUST_ be configured to immediately print messages to the console or email administrator users when an auditing failure occurs.
5 |
6 | It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system's capability, and system operation may be adversely affected.
7 | check: |
8 | /usr/bin/grep -c "logger -s -p" /etc/security/audit_warn
9 | result:
10 | integer: 1
11 | fix: |
12 | [source,bash]
13 | ----
14 | /usr/bin/sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; /usr/sbin/audit -s
15 | ----
16 | references:
17 | cce:
18 | - CCE-94131-0
19 | cci:
20 | - CCI-000140
21 | - CCI-001858
22 | 800-53r5:
23 | - AU-5(2)
24 | - AU-5
25 | 800-53r4:
26 | - AU-5
27 | - AU-5(2)
28 | srg:
29 | - SRG-OS-000047-GPOS-00023
30 | - SRG-OS-000344-GPOS-00135
31 | disa_stig:
32 | - APPL-15-001031
33 | 800-171r3:
34 | - 03.03.04
35 | cmmc:
36 | - AU.L2-3.3.4
37 | macOS:
38 | - '15.0'
39 | tags:
40 | - 800-53r5_low
41 | - 800-53r5_moderate
42 | - 800-53r4_high
43 | - 800-53r5_high
44 | - 800-171
45 | - cnssi-1253_low
46 | - cnssi-1253_high
47 | - cmmc_lvl2
48 | - stig
49 | - cnssi-1253_moderate
50 | severity: medium
51 | mobileconfig: false
52 | mobileconfig_info:
53 |
--------------------------------------------------------------------------------
/rules/icloud/icloud_appleid_system_settings_disable.yaml:
--------------------------------------------------------------------------------
1 | id: icloud_appleid_system_settings_disable
2 | title: Disable the System Setting for Apple ID
3 | discussion: |
4 | The system setting for Apple ID _MUST_ be disabled.
5 |
6 | Disabling the system setting prevents login to Apple ID and iCloud.
7 | check: |
8 | /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.systempreferences.AppleIDSettings"
9 | result:
10 | integer: 1
11 | fix: |
12 | This is implemented by a Configuration Profile.
13 | references:
14 | cce:
15 | - CCE-94141-9
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - AC-20
20 | - AC-20(1)
21 | - CM-7
22 | - CM-7(1)
23 | 800-53r4:
24 | - CM-7
25 | - CM-7(1)
26 | - AC-20
27 | - AC-20(1)
28 | srg:
29 | - N/A
30 | disa_stig:
31 | - N/A
32 | 800-171r3:
33 | - 03.01.20
34 | - 03.04.06
35 | cis:
36 | benchmark:
37 | - N/A
38 | controls v8:
39 | - 4.1
40 | - 4.8
41 | cmmc:
42 | - AC.L1-3.1.20
43 | - CM.L2-3.4.6
44 | - CM.L2-3.4.7
45 | macOS:
46 | - '15.0'
47 | tags:
48 | - 800-53r5_low
49 | - 800-53r5_moderate
50 | - 800-53r5_high
51 | - 800-53r4_low
52 | - 800-53r4_moderate
53 | - 800-53r4_high
54 | - 800-171
55 | - cisv8
56 | - cnssi-1253_low
57 | - cnssi-1253_high
58 | - cmmc_lvl2
59 | - cmmc_lvl1
60 | - cnssi-1253_moderate
61 | severity: high
62 | mobileconfig: true
63 | mobileconfig_info:
64 | com.apple.systempreferences:
65 | DisabledSystemSettings:
66 | - com.apple.systempreferences.AppleIDSettings
67 |
--------------------------------------------------------------------------------
/rules/os/os_allow_info_passed.yaml:
--------------------------------------------------------------------------------
1 | id: os_allow_info_passed
2 | title: Allow Information Transfer with Other Operating Systems
3 | discussion: |
4 | The information system _IS_ configured to allow the transfer of information to and from other operating systems and users.
5 |
6 | The macOS is a UNIX 03-compliant operating system, which allows owners of object to have discretion over who should be authorized to access information.
7 |
8 | link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[]
9 | check: |
10 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
11 | fix: |
12 | The technology inherently meets this requirement. No fix is required.
13 | references:
14 | cce:
15 | - CCE-94157-5
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - AC-3(4)
20 | 800-53r4:
21 | - AC-3(4)
22 | disa_stig:
23 | - N/A
24 | srg:
25 | - SRG-OS-000312-GPOS-00122
26 | macOS:
27 | - '15.0'
28 | tags:
29 | - inherent
30 | - cnssi-1253_low
31 | - cnssi-1253_high
32 | - srg
33 | - cnssi-1253_moderate
34 | mobileconfig: false
35 | mobileconfig_info:
36 |
--------------------------------------------------------------------------------
/rules/os/os_anti_virus_installed.yaml:
--------------------------------------------------------------------------------
1 | id: os_anti_virus_installed
2 | title: Must Use an Approved Antivirus Program
3 | discussion: |
4 | An approved antivirus product _MUST_ be installed and configured to run.
5 |
6 | Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.'
7 | check: |
8 | /usr/bin/xprotect status | /usr/bin/grep -cE "(launch scans: enabled|background scans: enabled)"
9 | result:
10 | integer: 2
11 | fix: |
12 | [source,bash]
13 | ----
14 | /bin/launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.XProtect.daemon.scan.plist
15 | /bin/launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.XprotectFramework.PluginService.plist
16 | ----
17 |
18 | NOTE: These services cannot be unloaded or loaded while System Integrity Protection (SIP) is enabled.
19 | references:
20 | cce:
21 | - CCE-94158-3
22 | cci:
23 | - CCI-000366
24 | 800-53r5:
25 | - N/A
26 | 800-53r4:
27 | - SI-2
28 | srg:
29 | - N/A
30 | disa_stig:
31 | - N/A
32 | cis:
33 | benchmark:
34 | - 5.10 (level 1)
35 | controls v8:
36 | - 10.5
37 | - 10.1
38 | - 10.2
39 | macOS:
40 | - '15.0'
41 | tags:
42 | - cis_lvl1
43 | - cis_lvl2
44 | - cisv8
45 | severity: "high"
46 | mobileconfig: false
47 | mobileconfig_info:
48 |
--------------------------------------------------------------------------------
/rules/os/os_appleid_prompt_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_appleid_prompt_disable
2 | title: Disable Apple ID Setup during Setup Assistant
3 | discussion: |
4 | The prompt for Apple ID setup during Setup Assistant _MUST_ be disabled.
5 |
6 | macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first login.
7 | check: |
8 | /usr/bin/osascript -l JavaScript << EOS
9 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
10 | .objectForKey('SkipCloudSetup').js
11 | EOS
12 | result:
13 | string: 'true'
14 | fix: |
15 | This is implemented by a Configuration Profile.
16 | references:
17 | cce:
18 | - CCE-94159-1
19 | cci:
20 | - CCI-000381
21 | 800-53r5:
22 | - AC-20
23 | 800-53r4:
24 | - AC-20
25 | srg:
26 | - SRG-OS-000095-GPOS-00049
27 | disa_stig:
28 | - APPL-15-002035
29 | 800-171r3:
30 | - 03.01.20
31 | cis:
32 | benchmark:
33 | - N/A
34 | controls v8:
35 | - 4.1
36 | - 4.8
37 | cmmc:
38 | - AC.L1-3.1.20
39 | macOS:
40 | - '15.0'
41 | tags:
42 | - 800-53r5_low
43 | - 800-53r5_moderate
44 | - 800-53r5_high
45 | - 800-53r4_low
46 | - 800-53r4_moderate
47 | - 800-53r4_high
48 | - 800-171
49 | - cisv8
50 | - cnssi-1253_low
51 | - cnssi-1253_high
52 | - cmmc_lvl2
53 | - cmmc_lvl1
54 | - stig
55 | - cnssi-1253_moderate
56 | severity: medium
57 | mobileconfig: true
58 | mobileconfig_info:
59 | com.apple.SetupAssistant.managed:
60 | SkipCloudSetup: true
61 |
--------------------------------------------------------------------------------
/rules/os/os_application_sandboxing.yaml:
--------------------------------------------------------------------------------
1 | id: os_application_sandboxing
2 | title: Ensure Separate Execution Domain for Processes
3 | discussion: |
4 | The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing.
5 |
6 | link:https://support.apple.com/guide/security/system-integrity-protection-secb7ea06b49/web[]
7 |
8 | link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html[]
9 | check: |
10 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
11 | fix: |
12 | The technology inherently meets this requirement. No fix is required.
13 | references:
14 | cce:
15 | - CCE-94160-9
16 | 800-53r5:
17 | - SC-39
18 | 800-53r4:
19 | - N/A
20 | disa_stig:
21 | - N/A
22 | srg:
23 | - N/A
24 | cci:
25 | - N/A
26 | macOS:
27 | - '15.0'
28 | tags:
29 | - inherent
30 | - 800-53r5_low
31 | - 800-53r5_moderate
32 | - 800-53r5_high
33 | - cnssi-1253_low
34 | - cnssi-1253_high
35 | - cnssi-1253_moderate
36 | mobileconfig: false
37 | mobileconfig_info:
38 |
--------------------------------------------------------------------------------
/rules/os/os_asl_log_files_owner_group_configure.yaml:
--------------------------------------------------------------------------------
1 | id: os_asl_log_files_owner_group_configure
2 | title: Configure Apple System Log Files Owned by Root and Group to Wheel
3 | discussion: |
4 | The Apple System Logs (ASL) _MUST_ be owned by root.
5 |
6 | ASL logs contain sensitive data about the system and users. If ASL log files are set to only be readable and writable by system administrators, the risk is mitigated.
7 | check: |
8 | /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
9 | result:
10 | integer: 0
11 | fix: |
12 | [source,bash]
13 | ----
14 | /usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}')
15 | ----
16 | references:
17 | cce:
18 | - CCE-94161-7
19 | cci:
20 | - CCI-001312
21 | - CCI-001314
22 | 800-53r5:
23 | - SI-11
24 | 800-53r4:
25 | - SI-11
26 | srg:
27 | - SRG-OS-000206-GPOS-00084
28 | - SRG-OS-000205-GPOS-00083
29 | disa_stig:
30 | - APPL-15-004001
31 | 800-171r3:
32 | - N/A
33 | macOS:
34 | - '15.0'
35 | tags:
36 | - 800-53r5_moderate
37 | - 800-53r5_high
38 | - cnssi-1253_low
39 | - cnssi-1253_high
40 | - stig
41 | - cnssi-1253_moderate
42 | severity: medium
43 | mobileconfig: false
44 | mobileconfig_info:
45 |
--------------------------------------------------------------------------------
/rules/os/os_asl_log_files_permissions_configure.yaml:
--------------------------------------------------------------------------------
1 | id: os_asl_log_files_permissions_configure
2 | title: Configure Apple System Log Files To Mode 640 or Less Permissive
3 | discussion: |
4 | The Apple System Logs (ASL) _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL log files _MUST_ be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.
5 | check: |
6 | /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
7 | result:
8 | integer: 0
9 | fix: |
10 | [source,bash]
11 | ----
12 | /bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk -F":" '!/640/{print $2}')
13 | ----
14 | references:
15 | cce:
16 | - CCE-94162-5
17 | cci:
18 | - CCI-001312
19 | - CCI-001314
20 | 800-53r5:
21 | - SI-11
22 | 800-53r4:
23 | - SI-11
24 | srg:
25 | - SRG-OS-000206-GPOS-00084
26 | - SRG-OS-000205-GPOS-00083
27 | disa_stig:
28 | - APPL-15-004002
29 | 800-171r3:
30 | - N/A
31 | macOS:
32 | - '15.0'
33 | tags:
34 | - 800-53r5_moderate
35 | - 800-53r5_high
36 | - cnssi-1253_low
37 | - cnssi-1253_high
38 | - stig
39 | - cnssi-1253_moderate
40 | severity: medium
41 | mobileconfig: false
42 | mobileconfig_info:
43 |
--------------------------------------------------------------------------------
/rules/os/os_bonjour_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_bonjour_disable
2 | title: Disable Bonjour Multicast
3 | discussion: |
4 | Bonjour multicast advertising _MUST_ be disabled to prevent the system from broadcasting its presence and available services over network interfaces.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mDNSResponder')\
8 | .objectForKey('NoMulticastAdvertisements').js
9 | EOS
10 | result:
11 | string: 'true'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94169-0
17 | cci:
18 | - CCI-000381
19 | 800-53r5:
20 | - CM-7
21 | - CM-7(1)
22 | 800-53r4:
23 | - CM-7
24 | - CM-7(1)
25 | srg:
26 | - SRG-OS-000095-GPOS-00049
27 | disa_stig:
28 | - APPL-15-002005
29 | 800-171r3:
30 | - 03.04.06
31 | cis:
32 | benchmark:
33 | - 4.1 (level 2)
34 | controls v8:
35 | - 4.1
36 | - 4.8
37 | cmmc:
38 | - CM.L2-3.4.6
39 | - CM.L2-3.4.7
40 | macOS:
41 | - '15.0'
42 | tags:
43 | - 800-53r5_low
44 | - 800-53r5_moderate
45 | - 800-53r5_high
46 | - 800-53r4_low
47 | - 800-53r4_moderate
48 | - 800-53r4_high
49 | - 800-171
50 | - cis_lvl2
51 | - cisv8
52 | - cnssi-1253_low
53 | - cnssi-1253_high
54 | - cmmc_lvl2
55 | - stig
56 | - cnssi-1253_moderate
57 | severity: medium
58 | mobileconfig: true
59 | mobileconfig_info:
60 | com.apple.mDNSResponder:
61 | NoMulticastAdvertisements: true
62 |
--------------------------------------------------------------------------------
/rules/os/os_burn_support_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_burn_support_disable
2 | title: Disable Burn Support
3 | discussion: |
4 | Burn support _MUST_ be disabled.
5 |
6 | [IMPORTANT]
7 | ====
8 | Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
9 | ====
10 | check: |
11 | /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(BurnSupport = off;|ProhibitBurn = 1;)'
12 | result:
13 | integer: 2
14 | fix: |
15 | This is implemented by a Configuration Profile.
16 | references:
17 | cce:
18 | - CCE-94170-8
19 | cci:
20 | - N/A
21 | 800-53r5:
22 | - MP-7
23 | 800-53r4:
24 | - MP-7(1)
25 | srg:
26 | - N/A
27 | disa_stig:
28 | - N/A
29 | cmmc:
30 | - MP.L2-3.8.7
31 | - MP.L2-3.8.8
32 | 800-171r3:
33 | - 03.08.07
34 | macOS:
35 | - '15.0'
36 | tags:
37 | - 800-171
38 | - cnssi-1253_low
39 | - cnssi-1253_high
40 | - cmmc_lvl2
41 | - cnssi-1253_moderate
42 | severity: low
43 | mobileconfig: true
44 | mobileconfig_info:
45 | com.apple.finder:
46 | ProhibitBurn: true
47 | com.apple.DiscRecording:
48 | BurnSupport: 'off'
49 |
--------------------------------------------------------------------------------
/rules/os/os_certificate_authority_trust.yaml:
--------------------------------------------------------------------------------
1 | id: os_certificate_authority_trust
2 | title: Issue or Obtain Public Key Certificates from an Approved Service Provider
3 | discussion: |
4 | The organization _MUST_ issue or obtain public key certificates from an organization-approved service provider and ensure only approved trust anchors are in the System Keychain.
5 | check: |
6 | /usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/awk -F'"' '/labl/ {print $4}'
7 | result:
8 | string: a list containing approved root certificates
9 | fix: |
10 | Obtain the approved certificates from the appropriate authority and install them to the System Keychain.
11 | references:
12 | cce:
13 | - CCE-94174-0
14 | cci:
15 | - CCI-002470
16 | - CCI-000185
17 | - CCI-002450
18 | - CCI-004909
19 | 800-53r5:
20 | - SC-17
21 | 800-53r4:
22 | - SC-17
23 | srg:
24 | - SRG-OS-000403-GPOS-00182
25 | - SRG-OS-000775-GPOS-00230
26 | disa_stig:
27 | - APPL-15-003001
28 | cmmc:
29 | - SC.L2-3.13.10
30 | macOS:
31 | - '15.0'
32 | tags:
33 | - 800-53r5_moderate
34 | - 800-53r5_high
35 | - 800-53r4_moderate
36 | - 800-53r4_high
37 | - manual
38 | - cnssi-1253_low
39 | - cnssi-1253_high
40 | - cmmc_lvl2
41 | - stig
42 | - cnssi-1253_moderate
43 | severity: high
44 | mobileconfig: false
45 | mobileconfig_info:
46 |
--------------------------------------------------------------------------------
/rules/os/os_change_security_attributes.yaml:
--------------------------------------------------------------------------------
1 | id: os_change_security_attributes
2 | title: Allow Administrators to Modify Security Settings and System Attributes
3 | discussion: |
4 | The information system _IS_ configured to allow administrators to modify security settings and system attributes.
5 |
6 | The macOS is a UNIX 03-compliant operating system, which allows administrators of the system to change security settings and system attributes, including those which are kept within preference panes that are locked for standard users. .
7 |
8 | link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[]
9 | check: |
10 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
11 | fix: |
12 | The technology inherently meets this requirement. No fix is required.
13 | references:
14 | cce:
15 | - CCE-94175-7
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - AC-3(4)
20 | 800-53r4:
21 | - AC-3(4)
22 | disa_stig:
23 | - N/A
24 | srg:
25 | - SRG-OS-000312-GPOS-00123
26 | macOS:
27 | - '15.0'
28 | tags:
29 | - inherent
30 | - cnssi-1253_low
31 | - cnssi-1253_high
32 | - srg
33 | - cnssi-1253_moderate
34 | mobileconfig: false
35 | mobileconfig_info:
36 |
--------------------------------------------------------------------------------
/rules/os/os_config_profile_ui_install_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_config_profile_ui_install_disable
2 | title: Disable Installation of Configuration Profiles through the User Interface
3 | discussion: |
4 | Installation of configuration profiles through the user interface _MUST_ be disabled and only be permitted through an authorized MDM server.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
8 | .objectForKey('allowUIConfigurationProfileInstallation').js
9 | EOS
10 | result:
11 | string: 'false'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94177-3
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - CM-5
21 | 800-171r3:
22 | - 03.04.05
23 | cis:
24 | benchmark:
25 | - N/A
26 | controls v8:
27 | - N/A
28 | cmmc:
29 | - CM.L2-3.4.5
30 | srg:
31 | - N/A
32 | disa_stig:
33 | - N/A
34 | macOS:
35 | - '15.0'
36 | tags:
37 | - 800-53r5_low
38 | - 800-53r5_moderate
39 | - 800-53r5_high
40 | - 800-171
41 | - cnssi-1253_low
42 | - cnssi-1253_high
43 | - cmmc_lvl2
44 | - cnssi-1253_moderate
45 | mobileconfig: true
46 | mobileconfig_info:
47 | com.apple.applicationaccess:
48 | allowUIConfigurationProfileInstallation: false
49 |
--------------------------------------------------------------------------------
/rules/os/os_continuous_monitoring.yaml:
--------------------------------------------------------------------------------
1 | id: os_continuous_monitoring
2 | title: Configure Automated Flaw Remediation
3 | discussion: |
4 | The macOS system _MUST_ be configured to determine the state of system components with regard to flaw remediation.
5 | check: |
6 | The technology does not support this requirement. This is an applicable-does not meet finding.
7 | fix: |
8 | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
9 | references:
10 | cce:
11 | - CCE-94178-1
12 | cci:
13 | - N/A
14 | 800-53r5:
15 | - SI-2(2)
16 | 800-53r4:
17 | - SI-2(2)
18 | srg:
19 | - SRG-OS-000191-GPOS-00080
20 | disa_stig:
21 | - N/A
22 | macOS:
23 | - '15.0'
24 | tags:
25 | - 800-53r5_moderate
26 | - 800-53r5_high
27 | - 800-53r4_moderate
28 | - 800-53r4_high
29 | - permanent
30 | - cnssi-1253_low
31 | - cnssi-1253_high
32 | - srg
33 | - cnssi-1253_moderate
34 | mobileconfig: false
35 | mobileconfig_info:
36 |
--------------------------------------------------------------------------------
/rules/os/os_crypto_audit.yaml:
--------------------------------------------------------------------------------
1 | id: os_crypto_audit
2 | title: Protect Audit Integrity with Cryptographic Mechanisms
3 | discussion: |
4 | The information system _IS_ configured to implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
5 |
6 | The Apple T2 Security Chip includes a dedicated Advanced Encryption Standard (AES) crypto engine built into the direct memory access (DMA) path between the flash storage and main system memory, which powers line-speed encrypted storage with FileVault and makes internal volume highly efficient.
7 |
8 | link:https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf[]
9 |
10 | NOTE: This will only apply to a Mac that includes a T2 security chip.
11 | check: |
12 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
13 | fix: |
14 | The technology inherently meets this requirement. No fix is required.
15 | references:
16 | cce:
17 | - CCE-94179-9
18 | cci:
19 | - N/A
20 | 800-53r5:
21 | - AU-9(3)
22 | 800-53r4:
23 | - AU-9(3)
24 | disa_stig:
25 | - N/A
26 | srg:
27 | - SRG-OS-000278-GPOS-00108
28 | macOS:
29 | - '15.0'
30 | tags:
31 | - 800-53r5_high
32 | - 800-53r4_high
33 | - inherent
34 | - cnssi-1253_high
35 | - srg
36 | mobileconfig: false
37 | mobileconfig_info:
38 |
--------------------------------------------------------------------------------
/rules/os/os_dictation_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_dictation_disable
2 | title: Disable Dictation
3 | discussion: |
4 | Dictation _MUST_ be disabled on Intel based Macs as the feature On Device Dictation is only available on Apple Silicon devices.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
8 | .objectForKey('allowDictation').js
9 | EOS
10 | result:
11 | string: 'false'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94180-7
17 | cci:
18 | - CCI-000381
19 | 800-53r5:
20 | - AC-20
21 | - CM-7
22 | - CM-7(1)
23 | - SC-7(10)
24 | 800-53r4:
25 | - CM-7
26 | - CM-7(1)
27 | - AC-20
28 | srg:
29 | - SRG-OS-000095-GPOS-00049
30 | disa_stig:
31 | - APPL-15-002230
32 | 800-171r3:
33 | - 03.01.20
34 | - 03.04.06
35 | cis:
36 | benchmark:
37 | - N/A
38 | controls v8:
39 | - 4.1
40 | - 4.8
41 | cmmc:
42 | - AC.L1-3.1.20
43 | - CM.L2-3.4.6
44 | - CM.L2-3.4.7
45 | macOS:
46 | - '15.0'
47 | tags:
48 | - i386
49 | - 800-53r5_low
50 | - 800-53r5_moderate
51 | - 800-53r5_high
52 | - 800-53r4_low
53 | - 800-53r4_moderate
54 | - 800-53r4_high
55 | - 800-171
56 | - cisv8
57 | - cnssi-1253_low
58 | - cnssi-1253_high
59 | - cmmc_lvl2
60 | - cmmc_lvl1
61 | - stig
62 | - cnssi-1253_moderate
63 | severity: medium
64 | mobileconfig: true
65 | mobileconfig_info:
66 | com.apple.applicationaccess:
67 | allowDictation: false
68 |
--------------------------------------------------------------------------------
/rules/os/os_directory_services_configured.yaml:
--------------------------------------------------------------------------------
1 | id: os_directory_services_configured
2 | title: Integrate System into a Directory Services Infrastructure
3 | discussion: |
4 | The macOS system _MUST_ be integrated into a directory services infrastructure.
5 |
6 | A directory service infrastructure enables centralized user and rights management, as well as centralized control over computer and user configurations. Integrating the macOS systems used throughout an organization into a directory services infrastructure ensures more administrator oversight and security than allowing distinct user account databases to exist on each separate system.
7 | check: |
8 | /usr/bin/dscl localhost -list . | /usr/bin/grep -qvE '(Contact|Search|Local|^$)'; /bin/echo $?
9 | result:
10 | integer: 0
11 | fix: |
12 | Integrate the system into an existing directory services infrastructure.
13 | references:
14 | cce:
15 | - CCE-94181-5
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - N/A
20 | 800-53r4:
21 | - N/A
22 | srg:
23 | - N/A
24 | disa_stig:
25 | - N/A
26 | cis:
27 | benchmark:
28 | - N/A
29 | controls v8:
30 | - 6.7
31 | macOS:
32 | - '15.0'
33 | tags:
34 | - cisv8
35 | severity: medium
36 | mobileconfig: false
37 | mobileconfig_info:
38 |
--------------------------------------------------------------------------------
/rules/os/os_enforce_access_restrictions.yaml:
--------------------------------------------------------------------------------
1 | id: os_enforce_access_restrictions
2 | title: Enforce Access Restrictions
3 | discussion: |
4 | The information system _IS_ configured to enforce access restrictions and support auditing of the enforcement actions.
5 |
6 | The inherent configuration of a macOS provides users with the ability to set their own permission settings to control who can view and alter files on the computer.
7 |
8 | link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[]
9 | check: |
10 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
11 | fix: |
12 | The technology inherently meets this requirement. No fix is required.
13 | references:
14 | cce:
15 | - CCE-94184-9
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - CM-5(1)
20 | 800-53r4:
21 | - CM-5(1)
22 | disa_stig:
23 | - N/A
24 | srg:
25 | - SRG-OS-000364-GPOS-00151
26 | macOS:
27 | - '15.0'
28 | tags:
29 | - 800-53r5_high
30 | - 800-53r4_high
31 | - inherent
32 | - cnssi-1253_high
33 | - srg
34 | - cnssi-1253_moderate
35 | mobileconfig: false
36 | mobileconfig_info:
37 |
--------------------------------------------------------------------------------
/rules/os/os_erase_content_and_settings_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_erase_content_and_settings_disable
2 | title: Disable Erase Content and Settings
3 | discussion: |
4 | Erase Content and Settings _MUST_ be disabled.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
8 | .objectForKey('allowEraseContentAndSettings').js
9 | EOS
10 | result:
11 | string: 'false'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94185-6
17 | cci:
18 | - CCI-000366
19 | - CCI-000381
20 | 800-53r5:
21 | - CM-7
22 | - CM-7(1)
23 | 800-53r4:
24 | - CM-7
25 | - CM-7(1)
26 | srg:
27 | - SRG-OS-000480-GPOS-00227
28 | - SRG-OS-000095-GPOS-00049
29 | disa_stig:
30 | - APPL-15-005061
31 | cmmc:
32 | - CM.L2-3.4.6
33 | - CM.L2-3.4.7
34 | 800-171r3:
35 | - 03.04.06
36 | macOS:
37 | - '15.0'
38 | tags:
39 | - 800-171
40 | - cnssi-1253_low
41 | - cnssi-1253_high
42 | - cmmc_lvl2
43 | - stig
44 | - cnssi-1253_moderate
45 | severity: medium
46 | mobileconfig: true
47 | mobileconfig_info:
48 | com.apple.applicationaccess:
49 | allowEraseContentAndSettings: false
50 |
--------------------------------------------------------------------------------
/rules/os/os_error_message.yaml:
--------------------------------------------------------------------------------
1 | id: os_error_message
2 | title: Generate Error Messages without Exploitable Information
3 | discussion: |
4 | The information system _IS_ configured to generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.
5 | check: |
6 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
7 | fix: |
8 | The technology inherently meets this requirement. No fix is required.
9 | references:
10 | cce:
11 | - CCE-94186-4
12 | cci:
13 | - N/A
14 | 800-53r5:
15 | - N/A
16 | 800-53r4:
17 | - N/A
18 | disa_stig:
19 | - N/A
20 | srg:
21 | - N/A
22 | macOS:
23 | - '15.0'
24 | tags:
25 | - inherent
26 | mobileconfig: false
27 | mobileconfig_info:
28 |
--------------------------------------------------------------------------------
/rules/os/os_ess_installed.yaml:
--------------------------------------------------------------------------------
1 | id: os_ess_installed
2 | title: Must Use ESS
3 | discussion: |
4 | The approved ESS solution _MUST_ be installed and configured to run.
5 |
6 | The macOS system must employ automated mechanisms to determine the state of system components. The DoD requires the installation and use of an approved ESS solution to be implemented on the operating system. For additional information, reference all applicable ESS OPORDs and FRAGOs on SIPRNET.
7 | check: |
8 | Ask the System Administrator (SA) or Information System Security Officer (ISSO) if the approved ESS solution is loaded on the system.
9 | If the installed components of the ESS solution are not at the DoD approved minimal versions, this is a finding.
10 | fix: |
11 | Install the approved ESS solution onto the system.
12 | references:
13 | cce:
14 | - CCE-94187-2
15 | cci:
16 | - CCI-001233
17 | 800-53r5:
18 | - N/A
19 | 800-53r4:
20 | - SI-2(2)
21 | srg:
22 | - SRG-OS-000191-GPOS-00080
23 | disa_stig:
24 | - N/A
25 | macOS:
26 | - '15.0'
27 | tags:
28 | - manual
29 | - cisv8
30 | - stig
31 | severity: medium
32 | mobileconfig: false
33 | mobileconfig_info:
34 |
--------------------------------------------------------------------------------
/rules/os/os_external_storage_access_defined.yaml:
--------------------------------------------------------------------------------
1 | id: os_external_storage_access_defined
2 | title: Access to External Storage Must Be Defined
3 | discussion: |-
4 | Access to external storage _MUST_ be managed.
5 |
6 | NOTE: Apple's built in method using declative device management method only allows you to set external storage manament to Allowed, ReadOnly, and Disallowed.
7 | check: |
8 | /usr/bin/plutil -convert json /var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist -o - | /usr/bin/jq '.Restrictions | .ExternalStorage'
9 | result:
10 | string: $ODV
11 | fix: |
12 | This is implemented by a Declarative Device Management.
13 | references:
14 | cce:
15 | - CCE-94188-0
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - MP-7
20 | srg:
21 | - N/A
22 | disa_stig:
23 | - N/A
24 | 800-171r3:
25 | - 03.08.07
26 | cmmc:
27 | - MP.L2-3.8.7
28 | - MP.L2-3.8.8
29 | odv:
30 | hint: Allowed, ReadOnly, or Disallowed
31 | recommended: Allowed
32 | macOS:
33 | - '15.0'
34 | tags:
35 | - cmmc_lvl2
36 | - 800-53r5_low
37 | - 800-53r5_moderate
38 | - 800-53r5_high
39 | - cnssi-1253_moderate
40 | - cnssi-1253_low
41 | - cnssi-1253_high
42 | mobileconfig: false
43 | mobileconfig_info:
44 | ddm_info:
45 | declarationtype: com.apple.configuration.diskmanagement.settings
46 | ddm_key: ExternalStorage
47 | ddm_value: $ODV
--------------------------------------------------------------------------------
/rules/os/os_fail_secure_state.yaml:
--------------------------------------------------------------------------------
1 | id: os_fail_secure_state
2 | title: Configure System to Fail to a Known Safe State if System Initialization, Shutdown, or Abort Fails
3 | discussion: |
4 | The information system _IS_ configured to fail to a known safe state in the event of a failed system initialization, shutdown, or abort.
5 |
6 | Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources.
7 |
8 | Apple File System (APFS) is the default file system for Mac computers using macOS 10.13 and all later versions. APFS includes native encryption, safe document saves, stable snapshots, and crash protection; these features ensure that the macOS fails to safe state.
9 |
10 | link:https://developer.apple.com/videos/play/wwdc2017/715/[]
11 | check: |
12 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
13 | fix: |
14 | The technology inherently meets this requirement. No fix is required.
15 | references:
16 | cce:
17 | - CCE-94190-6
18 | cci:
19 | - N/A
20 | 800-53r5:
21 | - SC-24
22 | 800-53r4:
23 | - SC-24
24 | disa_stig:
25 | - N/A
26 | srg:
27 | - SRG-OS-000269-GPOS-00103
28 | - SRG-OS-000184-GPOS-00078
29 | macOS:
30 | - '15.0'
31 | tags:
32 | - 800-53r5_high
33 | - 800-53r4_high
34 | - inherent
35 | - cnssi-1253_high
36 | - srg
37 | mobileconfig: false
38 | mobileconfig_info:
39 |
--------------------------------------------------------------------------------
/rules/os/os_filevault_authorized_users.yaml:
--------------------------------------------------------------------------------
1 | id: os_filevault_authorized_users
2 | title: FileVault Authorized Users
3 | discussion: |
4 | macOS _MUST_ be configured to only allow authorized users to unlock FileVault upon startup.
5 | check: |
6 | /usr/bin/fdesetup list | /usr/bin/awk -F',' '{print $1}'
7 | result:
8 | string: a list containing authorized users that can unlock FileVault
9 | fix: |
10 | Remove the user that is not authorized to unlock FileVault using the fdesetup command.
11 |
12 | [source,bash]
13 | ----
14 | /usr/bin/fdesetup remove -user NOT_AUTHORIZED_USERNAME
15 | ----
16 | references:
17 | cce:
18 | - CCE-94191-4
19 | cci:
20 | - N/A
21 | 800-53r5:
22 | - AC-2(11)
23 | 800-53r4:
24 | - N/A
25 | srg:
26 | - N/A
27 | disa_stig:
28 | - N/A
29 | macOS:
30 | - '15.0'
31 | tags:
32 | - 800-53r5_high
33 | - manual
34 | - cnssi-1253_high
35 | severity: medium
36 | mobileconfig: false
37 | mobileconfig_info:
38 |
--------------------------------------------------------------------------------
/rules/os/os_genmoji_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_genmoji_disable
2 | title: Disable Genmoji AI Creation
3 | discussion: |-
4 | Apple Intelligence features that use off device AI _MUST_ be disabled.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
8 | .objectForKey('allowGenmoji').js
9 | EOS
10 | result:
11 | string: 'false'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94196-3
17 | cci:
18 | - CCI-000381
19 | - CCI-001774
20 | srg:
21 | - SRG-OS-000095-GPOS-00049
22 | disa_stig:
23 | - APPL-15-005140
24 | 800-53r5:
25 | - AC-20
26 | - AC-20(1)
27 | - CM-7
28 | - CM-7(1)
29 | - SC-7(10)
30 | 800-171r3:
31 | - 03.01.20
32 | - 03.04.06
33 | cmmc:
34 | - AC.L1-3.1.20
35 | - CM.L2-3.4.6
36 | - CM.L2-3.4.7
37 | macOS:
38 | - '15.0'
39 | tags:
40 | - 800-53r5_low
41 | - 800-53r5_moderate
42 | - 800-53r5_high
43 | - cnssi-1253_low
44 | - cnssi-1253_high
45 | - stig
46 | - 800-171
47 | - cmmc_lvl2
48 | - cmmc_lvl1
49 | - cnssi-1253_moderate
50 | mobileconfig: true
51 | mobileconfig_info:
52 | com.apple.applicationaccess:
53 | allowGenmoji: false
54 |
--------------------------------------------------------------------------------
/rules/os/os_grant_privs.yaml:
--------------------------------------------------------------------------------
1 | id: os_grant_privs
2 | title: Allow Administrators to Promote Other Users to Administrator Status
3 | discussion: |
4 | The information system _IS_ configured to allow current administrators to promote standard users to administrator user status.
5 |
6 | The macOS is a UNIX 03-compliant operating system which allows administrators of the system to grant privileges to other users.
7 |
8 | link:https://support.apple.com/guide/mac-help/set-up-other-users-on-your-mac-mtusr001/mac[]
9 | check: |
10 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
11 | fix: |
12 | The technology inherently meets this requirement. No fix is required.
13 | references:
14 | cce:
15 | - CCE-94197-1
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - AC-3(4)
20 | 800-53r4:
21 | - AC-3(4)
22 | disa_stig:
23 | - N/A
24 | srg:
25 | - SRG-OS-000312-GPOS-00124
26 | macOS:
27 | - '15.0'
28 | tags:
29 | - inherent
30 | - cnssi-1253_low
31 | - cnssi-1253_high
32 | - srg
33 | - cnssi-1253_moderate
34 | mobileconfig: false
35 | mobileconfig_info:
36 |
--------------------------------------------------------------------------------
/rules/os/os_guest_folder_removed.yaml:
--------------------------------------------------------------------------------
1 | id: os_guest_folder_removed
2 | title: Remove Guest Folder if Present
3 | discussion: |
4 | The guest folder _MUST_ be deleted if present.
5 | check: |
6 | /bin/ls /Users/ | /usr/bin/grep -c "Guest"
7 | result:
8 | integer: 0
9 | fix: |
10 | [source,bash]
11 | ----
12 | /bin/rm -Rf /Users/Guest
13 | ----
14 | references:
15 | cce:
16 | - CCE-94198-9
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - N/A
21 | 800-53r4:
22 | - N/A
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - N/A
29 | cis:
30 | benchmark:
31 | - 5.9 (level 1)
32 | controls v8:
33 | - 4.1
34 | macOS:
35 | - '15.0'
36 | tags:
37 | - cis_lvl1
38 | - cis_lvl2
39 | mobileconfig: false
40 | mobileconfig_info:
41 |
--------------------------------------------------------------------------------
/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml:
--------------------------------------------------------------------------------
1 | id: os_hibernate_mode_destroyfvkeyonstandby_enable
2 | title: Enable DestroyFVKeyOnStandby on Hibernate
3 | discussion: |
4 | DestroyFVKeyOnStandby on hibernate _MUST_ be enabled.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
8 | .objectForKey('DestroyFVKeyOnStandby').js
9 | EOS
10 | result:
11 | string: 'true'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94201-1
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - N/A
21 | 800-53r4:
22 | - N/A
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - N/A
29 | cis:
30 | benchmark:
31 | - N/A
32 | controls v8:
33 | - N/A
34 | macOS:
35 | - '15.0'
36 | tags:
37 | - none
38 | mobileconfig: true
39 | mobileconfig_info:
40 | com.apple.MCX:
41 | DestroyFVKeyOnStandby: true
42 |
--------------------------------------------------------------------------------
/rules/os/os_httpd_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_httpd_disable
2 | title: Disable the Built-in Web Server
3 | discussion: |
4 | The built-in web server is a non-essential service built into macOS and _MUST_ be disabled.
5 |
6 | NOTE: The built in web server service is disabled at startup by default macOS.
7 | check: |
8 | /bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => disabled'
9 | result:
10 | integer: 1
11 | fix: |
12 | [source,bash]
13 | ----
14 | /bin/launchctl disable system/org.apache.httpd
15 | ----
16 | references:
17 | cce:
18 | - CCE-94205-2
19 | cci:
20 | - CCI-000213
21 | 800-53r5:
22 | - AC-3
23 | - AC-17
24 | 800-53r4:
25 | - AC-3
26 | srg:
27 | - SRG-OS-000080-GPOS-00048
28 | disa_stig:
29 | - APPL-15-002008
30 | 800-171r3:
31 | - 03.01.02
32 | - 03.04.06
33 | cis:
34 | benchmark:
35 | - 4.2 (level 1)
36 | controls v8:
37 | - 4.1
38 | - 4.8
39 | cmmc:
40 | - AC.L1-3.1.1
41 | macOS:
42 | - '15.0'
43 | tags:
44 | - 800-53r5_low
45 | - 800-53r5_moderate
46 | - 800-53r5_high
47 | - 800-53r4_low
48 | - 800-53r4_moderate
49 | - 800-53r4_high
50 | - 800-171
51 | - cis_lvl1
52 | - cis_lvl2
53 | - cisv8
54 | - cnssi-1253_low
55 | - cnssi-1253_high
56 | - cmmc_lvl2
57 | - cmmc_lvl1
58 | - stig
59 | - cnssi-1253_moderate
60 | severity: medium
61 | mobileconfig: false
62 | mobileconfig_info:
63 |
--------------------------------------------------------------------------------
/rules/os/os_icloud_storage_prompt_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_icloud_storage_prompt_disable
2 | title: Disable iCloud Storage Setup during Setup Assistant
3 | discussion: |
4 | The prompt to set up iCloud storage services during Setup Assistant _MUST_ be disabled.
5 |
6 | The default behavior of macOS is to prompt new users to set up storage in iCloud. Disabling the iCloud storage setup prompt provides organizations more control over the storage of their data.
7 | check: |
8 | /usr/bin/osascript -l JavaScript << EOS
9 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
10 | .objectForKey('SkipiCloudStorageSetup').js
11 | EOS
12 | result:
13 | string: 'true'
14 | fix: |
15 | This is implemented by a Configuration Profile.
16 | references:
17 | cce:
18 | - CCE-94206-0
19 | cci:
20 | - CCI-000381
21 | 800-53r5:
22 | - AC-20
23 | 800-53r4:
24 | - AC-20
25 | srg:
26 | - SRG-OS-000095-GPOS-00049
27 | disa_stig:
28 | - APPL-15-002037
29 | 800-171r3:
30 | - 03.01.20
31 | - 03.04.06
32 | cis:
33 | benchmark:
34 | - N/A
35 | controls v8:
36 | - 4.1
37 | - 4.8
38 | cmmc:
39 | - AC.L1-3.1.20
40 | macOS:
41 | - '15.0'
42 | tags:
43 | - 800-53r5_low
44 | - 800-53r5_moderate
45 | - 800-53r5_high
46 | - 800-53r4_low
47 | - 800-53r4_moderate
48 | - 800-53r4_high
49 | - 800-171
50 | - cisv8
51 | - cnssi-1253_low
52 | - cnssi-1253_high
53 | - cmmc_lvl2
54 | - cmmc_lvl1
55 | - stig
56 | - cnssi-1253_moderate
57 | severity: medium
58 | mobileconfig: true
59 | mobileconfig_info:
60 | com.apple.SetupAssistant.managed:
61 | SkipiCloudStorageSetup: true
62 |
--------------------------------------------------------------------------------
/rules/os/os_identify_non-org_users.yaml:
--------------------------------------------------------------------------------
1 | id: os_identify_non-org_users
2 | title: Configure the System to Uniquely Identify and Authenticate Non-Organizational Users
3 | discussion: |
4 | The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
5 | check: |
6 | This requirement is NA for this technology.
7 | fix: |
8 | The requirement is NA. No fix is required.
9 | references:
10 | cce:
11 | - CCE-94207-8
12 | cci:
13 | - N/A
14 | 800-53r5:
15 | - IA-8
16 | 800-53r4:
17 | - IA-8
18 | disa_stig:
19 | - N/A
20 | srg:
21 | - N/A
22 | macOS:
23 | - '15.0'
24 | tags:
25 | - 800-53r5_low
26 | - 800-53r5_moderate
27 | - 800-53r5_high
28 | - 800-53r4_low
29 | - 800-53r4_moderate
30 | - 800-53r4_high
31 | - n_a
32 | - cnssi-1253_low
33 | - cnssi-1253_high
34 | - cnssi-1253_moderate
35 | mobileconfig: false
36 | mobileconfig_info:
37 |
--------------------------------------------------------------------------------
/rules/os/os_image_generation_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_image_generation_disable
2 | title: Disable AI Image Generation
3 | discussion: |-
4 | Apple Intelligence features that use off device AI _MUST_ be disabled.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
8 | .objectForKey('allowImagePlayground').js
9 | EOS
10 | result:
11 | string: 'false'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94208-6
17 | cci:
18 | - CCI-000381
19 | - CCI-001774
20 | srg:
21 | - SRG-OS-000095-GPOS-00049
22 | disa_stig:
23 | - APPL-15-005150
24 | 800-53r5:
25 | - AC-20
26 | - AC-20(1)
27 | - CM-7
28 | - CM-7(1)
29 | - SC-7(10)
30 | 800-171r3:
31 | - 03.01.20
32 | - 03.04.06
33 | cmmc:
34 | - AC.L1-3.1.20
35 | - CM.L2-3.4.6
36 | - CM.L2-3.4.7
37 | macOS:
38 | - '15.0'
39 | tags:
40 | - 800-53r5_low
41 | - 800-53r5_moderate
42 | - 800-53r5_high
43 | - cnssi-1253_low
44 | - cnssi-1253_high
45 | - stig
46 | - 800-171
47 | - cmmc_lvl2
48 | - cmmc_lvl1
49 | - cnssi-1253_moderate
50 | mobileconfig: true
51 | mobileconfig_info:
52 | com.apple.applicationaccess:
53 | allowImagePlayground: false
--------------------------------------------------------------------------------
/rules/os/os_isolate_security_functions.yaml:
--------------------------------------------------------------------------------
1 | id: os_isolate_security_functions
2 | title: Configure the System to Separate User and System Functionality
3 | discussion: |
4 | The information system _IS_ configured to isolate security functions from non-security functions.
5 |
6 | link:https://support.apple.com/guide/security/welcome/web[]
7 | check: |
8 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
9 | fix: |
10 | The technology inherently meets this requirement. No fix is required.
11 | references:
12 | cce:
13 | - CCE-94215-1
14 | cci:
15 | - N/A
16 | 800-53r5:
17 | - SC-3
18 | 800-53r4:
19 | - SC-3
20 | disa_stig:
21 | - N/A
22 | srg:
23 | - SRG-OS-000134-GPOS-00068
24 | cmmc:
25 | - N/A
26 | macOS:
27 | - '15.0'
28 | tags:
29 | - 800-53r5_high
30 | - 800-53r4_high
31 | - inherent
32 | - cnssi-1253_high
33 | - srg
34 | mobileconfig: false
35 | mobileconfig_info:
36 |
--------------------------------------------------------------------------------
/rules/os/os_library_validation_enabled.yaml:
--------------------------------------------------------------------------------
1 | id: os_library_validation_enabled
2 | title: Enable Library Validation
3 | discussion: Library validation _MUST_ be enabled.
4 | check: |
5 | /usr/bin/osascript -l JavaScript << EOS
6 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.libraryvalidation')\
7 | .objectForKey('DisableLibraryValidation').js
8 | EOS
9 | result:
10 | string: 'false'
11 | fix: |
12 | This is implemented by a Configuration Profile.
13 | references:
14 | cce:
15 | - CCE-94216-9
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - N/A
20 | 800-53r4:
21 | - N/A
22 | srg:
23 | - N/A
24 | disa_stig:
25 | - N/A
26 | 800-171r3:
27 | - N/A
28 | cis:
29 | benchmark:
30 | - N/A
31 | controls v8:
32 | - 2.3
33 | - 2.6
34 | macOS:
35 | - '15.0'
36 | tags:
37 | - cisv8
38 | mobileconfig: true
39 | mobileconfig_info:
40 | com.apple.security.libraryvalidation:
41 | DisableLibraryValidation: false
42 |
--------------------------------------------------------------------------------
/rules/os/os_limit_auditable_events.yaml:
--------------------------------------------------------------------------------
1 | id: os_limit_auditable_events
2 | title: Only allow authorized users to select auditable events
3 | discussion: |
4 | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
5 | check: |
6 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
7 | fix: |
8 | The technology inherently meets this requirement. No fix is required.
9 | references:
10 | cce:
11 | - CCE-94217-7
12 | cci:
13 | - N/A
14 | 800-53r5:
15 | - N/A
16 | 800-53r4:
17 | - N/A
18 | disa_stig:
19 | - N/A
20 | srg:
21 | - N/A
22 | macOS:
23 | - '15.0'
24 | tags:
25 | - inherent
26 | mobileconfig: false
27 | mobileconfig_info:
28 |
--------------------------------------------------------------------------------
/rules/os/os_limit_dos_attacks.yaml:
--------------------------------------------------------------------------------
1 | id: os_limit_dos_attacks
2 | title: Limit Impact of Denial of Service Attacks
3 | discussion: |
4 | The macOS should be configured to limit the impact of Denial of Service (DoS) attacks.
5 |
6 | DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission.
7 |
8 | To limit the impact of DoS attacks, organizations may choose to employ increased capacity and service redundancy, which has the potential to reduce systems' susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement.
9 | check: |
10 | The technology does not support this requirement. This is an applicable-does not meet finding.
11 | fix: |
12 | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
13 | references:
14 | cce:
15 | - CCE-94218-5
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - SC-5(2)
20 | 800-53r4:
21 | - SC-5(2)
22 | disa_stig:
23 | - N/A
24 | srg:
25 | - SRG-OS-000142-GPOS-00071
26 | macOS:
27 | - '15.0'
28 | tags:
29 | - permanent
30 | - cnssi-1253_high
31 | - srg
32 | - cnssi-1253_moderate
33 | mobileconfig: false
34 | mobileconfig_info:
35 |
--------------------------------------------------------------------------------
/rules/os/os_limit_gui_sessions.yaml:
--------------------------------------------------------------------------------
1 | id: os_limit_gui_sessions
2 | title: Limit Concurrent GUI Sessions to 10 for all Accounts
3 | discussion: |
4 | The information system _IS_ configured to limit the number of concurrent graphical user interface (GUI) sessions to a maximum of ten for all users.
5 |
6 | Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user helps reduce the risks related to Denial-of-Service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
7 | check: |
8 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
9 | fix: |
10 | The technology inherently meets this requirement. No fix is required.
11 | references:
12 | cce:
13 | - CCE-94219-3
14 | cci:
15 | - N/A
16 | 800-53r5:
17 | - AC-10
18 | 800-53r4:
19 | - AC-10
20 | disa_stig:
21 | - N/A
22 | srg:
23 | - SRG-OS-000027-GPOS-00008
24 | macOS:
25 | - '15.0'
26 | tags:
27 | - 800-53r5_high
28 | - 800-53r4_high
29 | - inherent
30 | - cnssi-1253_high
31 | - srg
32 | - cnssi-1253_moderate
33 | mobileconfig: false
34 | mobileconfig_info:
35 |
--------------------------------------------------------------------------------
/rules/os/os_loginwindow_adminhostinfo_undefined.yaml:
--------------------------------------------------------------------------------
1 | id: os_loginwindow_adminhostinfo_undefined
2 | title: Prevent AdminHostInfo from Being Available at LoginWindow
3 | discussion: |
4 | The system _MUST_ be configured to not display sensitive information at the LoginWindow. The key AdminHostInfo when configured will allow the HostName, IP Address, and operating system version and build to be displayed.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
8 | .objectIsForcedForKey('AdminHostInfo')
9 | EOS
10 | result:
11 | string: "false"
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94221-9
17 | cci:
18 | - CCI-000060
19 | 800-53r5:
20 | - AC-11(1)
21 | 800-53r4:
22 | - AC-11(1)
23 | srg:
24 | - SRG-OS-000031-GPOS-00012
25 | disa_stig:
26 | - APPL-15-000009
27 | 800-171r3:
28 | - 03.01.10
29 | macOS:
30 | - '15.0'
31 | tags:
32 | - 800-53r5_moderate
33 | - 800-53r5_high
34 | - 800-53r4_moderate
35 | - 800-53r4_high
36 | - 800-171
37 | - cnssi-1253_low
38 | - cnssi-1253_high
39 | - stig
40 | - cnssi-1253_moderate
41 | severity: medium
42 | mobileconfig: false
43 | mobileconfig_info:
44 |
--------------------------------------------------------------------------------
/rules/os/os_logoff_capability_and_message.yaml:
--------------------------------------------------------------------------------
1 | id: os_logoff_capability_and_message
2 | title: Display logoff capability and message to prevent exploitation
3 | discussion: |
4 | Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to the system.
5 |
6 | Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
7 | check: |
8 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
9 | fix: |
10 | The technology inherently meets this requirement. No fix is required.
11 | references:
12 | cce:
13 | - CCE-94222-7
14 | cci:
15 | - N/A
16 | 800-53r5:
17 | - AC-12(1)
18 | - AC-12(2)
19 | 800-53r4:
20 | - AC-12(1)
21 | disa_stig:
22 | - N/A
23 | srg:
24 | - SRG-OS-000280-GPOS-00110
25 | - SRG-OS-000281-GPOS-00111
26 | macOS:
27 | - '15.0'
28 | tags:
29 | - inherent
30 | - cnssi-1253_low
31 | - cnssi-1253_high
32 | - srg
33 | - cnssi-1253_moderate
34 | mobileconfig: false
35 | mobileconfig_info:
36 |
--------------------------------------------------------------------------------
/rules/os/os_mail_summary_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_mail_summary_disable
2 | title: Disable Apple Intelligence Mail Summary
3 | discussion: |-
4 | Apple Intelligence features such as Apple Mail Summary that use off device AI _MUST_ be disabled.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
8 | .objectForKey('allowMailSummary').js
9 | EOS
10 | result:
11 | string: 'false'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94521-2
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - AC-20
21 | - AC-20(1)
22 | - CM-7
23 | - CM-7(1)
24 | - SC-7(10)
25 | 800-171r3:
26 | - 03.01.20
27 | - 03.04.06
28 | cmmc:
29 | - AC.L1-3.1.20
30 | - CM.L2-3.4.6
31 | - CM.L2-3.4.7
32 | macOS:
33 | - '15.0'
34 | tags:
35 | - 800-53r5_low
36 | - 800-53r5_moderate
37 | - 800-53r5_high
38 | - 800-171
39 | - cmmc_lvl2
40 | - cmmc_lvl1
41 | mobileconfig: true
42 | mobileconfig_info:
43 | com.apple.applicationaccess:
44 | allowMailSummary: false
45 |
--------------------------------------------------------------------------------
/rules/os/os_managed_access_control_points.yaml:
--------------------------------------------------------------------------------
1 | id: os_managed_access_control_points
2 | title: Managed Access Control Points
3 | discussion: |
4 | Route remote accesses through authorized and managed network access control points.
5 |
6 | Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces.
7 | check: |
8 | This requirement is NA for this technology.
9 | fix: |
10 | The requirement is NA. No fix is required.
11 | references:
12 | cce:
13 | - CCE-94225-0
14 | cci:
15 | - N/A
16 | 800-53r5:
17 | - AC-17(3)
18 | 800-53r4:
19 | - N/A
20 | 800-171r3:
21 | - 03.01.12
22 | disa_stig:
23 | - N/A
24 | srg:
25 | - N/A
26 | cmmc:
27 | - AC.L2-3.1.14
28 | macOS:
29 | - '15.0'
30 | tags:
31 | - 800-53r5_moderate
32 | - 800-53r5_high
33 | - n_a
34 | - cnssi-1253_low
35 | - cnssi-1253_high
36 | - cmmc_lvl2
37 | - cnssi-1253_moderate
38 | mobileconfig: false
39 | mobileconfig_info:
40 |
--------------------------------------------------------------------------------
/rules/os/os_map_pki_identity.yaml:
--------------------------------------------------------------------------------
1 | id: os_map_pki_identity
2 | title: Map identity for PKI based authentication
3 | discussion: |
4 | Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
5 | check: |
6 | For directory bound systems, the technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
7 | fix: |
8 | For directory bound systems, the technology inherently meets this requirement. No fix is required.
9 | references:
10 | cce:
11 | - CCE-94226-8
12 | cci:
13 | - N/A
14 | 800-53r5:
15 | - N/A
16 | 800-53r4:
17 | - N/A
18 | disa_stig:
19 | - N/A
20 | srg:
21 | - N/A
22 | macOS:
23 | - '15.0'
24 | tags:
25 | - inherent
26 | mobileconfig: false
27 | mobileconfig_info:
28 |
--------------------------------------------------------------------------------
/rules/os/os_mfa_network_access.yaml:
--------------------------------------------------------------------------------
1 | id: os_mfa_network_access
2 | title: Enforce multifactor authentication for network access to privileged accounts
3 | discussion: |
4 | The information system implements multifactor authentication for network access to privileged accounts.
5 | check: |
6 | For directory bound systems:
7 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
8 | fix: |
9 | For directory bound systems, the technology inherently meets this requirement. No fix is required.
10 | references:
11 | cce:
12 | - CCE-94229-2
13 | cci:
14 | - N/A
15 | 800-53r5:
16 | - N/A
17 | 800-53r4:
18 | - N/A
19 | disa_stig:
20 | - N/A
21 | srg:
22 | - N/A
23 | cis:
24 | benchmark:
25 | - N/A
26 | controls v8:
27 | - 5.6
28 | macOS:
29 | - '15.0'
30 | tags:
31 | - inherent
32 | - cisv8
33 | mobileconfig: false
34 | mobileconfig_info:
35 |
--------------------------------------------------------------------------------
/rules/os/os_mfa_network_non-priv.yaml:
--------------------------------------------------------------------------------
1 | id: os_mfa_network_non-priv
2 | title: Enforce multifactor authentication for network access to non-privileged accounts
3 | discussion: |
4 | The information system implements multifactor authentication for network access to non-privileged accounts.
5 | check: |
6 | For directory bound systems:
7 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
8 | fix: |
9 | For directory bound systems, the technology inherently meets this requirement. No fix is required.
10 | references:
11 | cce:
12 | - CCE-94230-0
13 | cci:
14 | - N/A
15 | 800-53r5:
16 | - N/A
17 | 800-53r4:
18 | - N/A
19 | disa_stig:
20 | - N/A
21 | srg:
22 | - N/A
23 | macOS:
24 | - '15.0'
25 | tags:
26 | - inherent
27 | mobileconfig: false
28 | mobileconfig_info:
29 |
--------------------------------------------------------------------------------
/rules/os/os_mobile_file_integrity_enable.yaml:
--------------------------------------------------------------------------------
1 | id: os_mobile_file_integrity_enable
2 | title: Enable Apple Mobile File Integrity
3 | discussion: Mobile file integrity _MUST_ be enabled.
4 | check: |
5 | /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1"
6 | result:
7 | integer: 0
8 | fix: |
9 | [source,bash]
10 | ----
11 | /usr/sbin/nvram boot-args=""
12 | ----
13 | references:
14 | cce:
15 | - CCE-94231-8
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - N/A
20 | 800-53r4:
21 | - N/A
22 | srg:
23 | - N/A
24 | disa_stig:
25 | - N/A
26 | 800-171r3:
27 | - N/A
28 | cis:
29 | benchmark:
30 | - 5.1.3 (level 1)
31 | controls v8:
32 | - 2.3
33 | - 2.6
34 | macOS:
35 | - '15.0'
36 | tags:
37 | - cis_lvl1
38 | - cis_lvl2
39 | - cisv8
40 | mobileconfig: false
41 | mobileconfig_info:
42 |
--------------------------------------------------------------------------------
/rules/os/os_network_storage_restriction.yaml:
--------------------------------------------------------------------------------
1 | id: os_network_storage_restriction
2 | title: Network Storage Must Be Restricted
3 | discussion: |-
4 | Network Storage _MUST_ be restricted.
5 |
6 | NOTE: Apple's built in method using declative device management method only allows you to set network storage manament to Allowed, ReadOnly, and Disallowed.
7 | check: |
8 | /usr/bin/plutil -convert json /var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist -o - | /usr/bin/jq '.Restrictions | .ExternalStorage'
9 | result:
10 | string: $ODV
11 | fix: |
12 | This is implemented by a Declarative Device Management.
13 | references:
14 | cce:
15 | - CCE-94232-6
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - AC-20(4)
20 | srg:
21 | - N/A
22 | disa_stig:
23 | - N/A
24 | 800-171r3:
25 | - N/A
26 | cmmc:
27 | - N/A
28 | macOS:
29 | - '15.0'
30 | tags:
31 | - none
32 | odv:
33 | hint: Allowed, ReadOnly, or Disallowed
34 | recommended: Allowed
35 | mobileconfig: false
36 | mobileconfig_info:
37 | ddm_info:
38 | declarationtype: com.apple.configuration.diskmanagement.settings
39 | ddm_key: NetworkStorage
40 | ddm_value: $ODV
--------------------------------------------------------------------------------
/rules/os/os_newsyslog_files_owner_group_configure.yaml:
--------------------------------------------------------------------------------
1 | id: os_newsyslog_files_owner_group_configure
2 | title: Configure System Log Files Owned by Root and Group to Wheel
3 | discussion: |
4 | The system log files _MUST_ be owned by root.
5 |
6 | System logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.
7 | check: |
8 | /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
9 | result:
10 | integer: 0
11 | fix: |
12 | [source,bash]
13 | ----
14 | /usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}')
15 | ----
16 | references:
17 | cce:
18 | - CCE-94233-4
19 | cci:
20 | - CCI-001312
21 | - CCI-001314
22 | 800-53r5:
23 | - SI-11
24 | 800-53r4:
25 | - SI-11
26 | srg:
27 | - SRG-OS-000206-GPOS-00084
28 | - SRG-OS-000205-GPOS-00083
29 | disa_stig:
30 | - APPL-15-004030
31 | 800-171r3:
32 | - N/A
33 | macOS:
34 | - '15.0'
35 | tags:
36 | - 800-53r5_moderate
37 | - 800-53r5_high
38 | - cnssi-1253_low
39 | - cnssi-1253_high
40 | - stig
41 | - cnssi-1253_moderate
42 | severity: medium
43 | mobileconfig: false
44 | mobileconfig_info:
45 |
--------------------------------------------------------------------------------
/rules/os/os_newsyslog_files_permissions_configure.yaml:
--------------------------------------------------------------------------------
1 | id: os_newsyslog_files_permissions_configure
2 | title: Configure System Log Files to Mode 640 or Less Permissive
3 | discussion: |
4 | The system logs _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, system log files _MUST_ be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.
5 | check: |
6 | /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
7 | result:
8 | integer: 0
9 | fix: |
10 | [source,bash]
11 | ----
12 | /bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | awk -F":" '!/640/{print $2}')
13 | ----
14 | references:
15 | cce:
16 | - CCE-94234-2
17 | cci:
18 | - CCI-001312
19 | - CCI-001314
20 | 800-53r5:
21 | - SI-11
22 | 800-53r4:
23 | - SI-11
24 | srg:
25 | - SRG-OS-000206-GPOS-00084
26 | - SRG-OS-000205-GPOS-00083
27 | disa_stig:
28 | - APPL-15-004040
29 | 800-171r3:
30 | - N/A
31 | macOS:
32 | - '15.0'
33 | tags:
34 | - 800-53r5_moderate
35 | - 800-53r5_high
36 | - cnssi-1253_low
37 | - cnssi-1253_high
38 | - stig
39 | - cnssi-1253_moderate
40 | severity: medium
41 | mobileconfig: false
42 | mobileconfig_info:
43 |
--------------------------------------------------------------------------------
/rules/os/os_nfsd_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_nfsd_disable
2 | title: Disable Network File System Service
3 | discussion: |
4 | Support for Network File Systems (NFS) services is non-essential and, therefore, _MUST_ be disabled.
5 | check: |
6 | /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.nfsd" => disabled'
7 | result:
8 | integer: 1
9 | fix: |
10 | [source,bash]
11 | ----
12 | /bin/launchctl disable system/com.apple.nfsd
13 | ----
14 | The system may need to be restarted for the update to take effect.
15 | references:
16 | cce:
17 | - CCE-94235-9
18 | cci:
19 | - CCI-000213
20 | 800-53r5:
21 | - AC-3
22 | - AC-17
23 | 800-53r4:
24 | - AC-3
25 | srg:
26 | - SRG-OS-000080-GPOS-00048
27 | disa_stig:
28 | - APPL-15-002003
29 | 800-171r3:
30 | - 03.01.02
31 | - 03.04.06
32 | cis:
33 | benchmark:
34 | - 4.3 (level 1)
35 | controls v8:
36 | - 4.1
37 | - 4.8
38 | cmmc:
39 | - AC.L1-3.1.1
40 | macOS:
41 | - '15.0'
42 | tags:
43 | - 800-53r5_low
44 | - 800-53r5_moderate
45 | - 800-53r5_high
46 | - 800-53r4_low
47 | - 800-53r4_moderate
48 | - 800-53r4_high
49 | - 800-171
50 | - cis_lvl1
51 | - cis_lvl2
52 | - cisv8
53 | - cnssi-1253_low
54 | - cnssi-1253_high
55 | - cmmc_lvl2
56 | - cmmc_lvl1
57 | - stig
58 | - cnssi-1253_moderate
59 | severity: medium
60 | mobileconfig: false
61 | mobileconfig_info:
62 |
--------------------------------------------------------------------------------
/rules/os/os_non_repudiation.yaml:
--------------------------------------------------------------------------------
1 | id: os_non_repudiation
2 | title: Non-Repudiation
3 | discussion: |
4 | Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed organization-defined actions to be covered by non-repudiation.
5 |
6 | Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts.
7 | check: |
8 | This requirement is NA for this technology.
9 | fix: |
10 | The requirement is NA. No fix is required.
11 | references:
12 | cce:
13 | - CCE-94236-7
14 | cci:
15 | - N/A
16 | 800-53r5:
17 | - AU-10
18 | 800-53r4:
19 | - N/A
20 | 800-171r3:
21 | - N/A
22 | disa_stig:
23 | - N/A
24 | srg:
25 | - N/A
26 | macOS:
27 | - '15.0'
28 | tags:
29 | - 800-53r5_high
30 | - n_a
31 | - cnssi-1253_high
32 | - cnssi-1253_moderate
33 | mobileconfig: false
34 | mobileconfig_info:
35 |
--------------------------------------------------------------------------------
/rules/os/os_nonlocal_maintenance.yaml:
--------------------------------------------------------------------------------
1 | id: os_nonlocal_maintenance
2 | title: Configure the System for Non-local Maintenance
3 | discussion: |
4 | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network or an internal network.
5 | check: |
6 | This requirement is NA for this technology.
7 | fix: |
8 | The requirement is NA. No fix is required.
9 | references:
10 | cce:
11 | - CCE-94237-5
12 | cci:
13 | - N/A
14 | 800-53r5:
15 | - MA-4
16 | 800-53r4:
17 | - MA-4
18 | 800-171r3:
19 | - 03.07.05
20 | disa_stig:
21 | - N/A
22 | srg:
23 | - N/A
24 | cmmc:
25 | - MA.L2-3.7.5
26 | macOS:
27 | - '15.0'
28 | tags:
29 | - 800-53r5_low
30 | - 800-53r5_moderate
31 | - 800-53r5_high
32 | - 800-53r4_low
33 | - 800-53r4_moderate
34 | - 800-53r4_high
35 | - 800-171
36 | - n_a
37 | - cnssi-1253_low
38 | - cnssi-1253_high
39 | - cmmc_lvl2
40 | - cnssi-1253_moderate
41 | mobileconfig: false
42 | mobileconfig_info:
43 |
--------------------------------------------------------------------------------
/rules/os/os_obscure_password.yaml:
--------------------------------------------------------------------------------
1 | id: os_obscure_password
2 | title: Obscure Passwords
3 | discussion: |
4 | The information system _IS_ configured to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation by unauthorized individuals.
5 |
6 | The inherent configuration of a macOS uses NSSecureTextField for any text field that receives a password, which automatically obscures text which is entered.
7 |
8 | link:https://developer.apple.com/documentation/appkit/nssecuretextfield[]
9 | check: |
10 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
11 | fix: |
12 | The technology inherently meets this requirement. No fix is required.
13 | references:
14 | cce:
15 | - CCE-94244-1
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - IA-6
20 | - IA-5
21 | 800-53r4:
22 | - IA-5
23 | - IA-6
24 | disa_stig:
25 | - N/A
26 | srg:
27 | - SRG-OS-000079-GPOS-00047
28 | 800-171r3:
29 | - 03.05.11
30 | cis:
31 | benchmark:
32 | - N/A
33 | controls v8:
34 | - 4.1
35 | cmmc:
36 | - IA.L2-3.5.8
37 | - IA.L2-3.5.9
38 | - IA.L2-3.5.11
39 | macOS:
40 | - '15.0'
41 | tags:
42 | - 800-53r5_low
43 | - 800-53r5_moderate
44 | - 800-53r5_high
45 | - 800-53r4_low
46 | - 800-53r4_moderate
47 | - 800-53r4_high
48 | - 800-171
49 | - inherent
50 | - cisv8
51 | - cnssi-1253_low
52 | - cnssi-1253_high
53 | - cmmc_lvl2
54 | - srg
55 | - cnssi-1253_moderate
56 | mobileconfig: false
57 | mobileconfig_info:
58 |
--------------------------------------------------------------------------------
/rules/os/os_parental_controls_enable.yaml:
--------------------------------------------------------------------------------
1 | id: os_parental_controls_enable
2 | title: Enable Parental Controls
3 | discussion: |
4 | Parental Controls _MUST_ be enabled.
5 |
6 | Control of program execution is a mechanism used to prevent program execution of unauthorized programs, which is critical to maintaining a secure system baseline.
7 |
8 | Parental Controls on the macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions.
9 | check: |
10 | /usr/bin/osascript -l JavaScript << EOS
11 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
12 | .objectForKey('familyControlsEnabled').js
13 | EOS
14 | result:
15 | string: 'true'
16 | fix: |
17 | This is implemented by a Configuration Profile.
18 | references:
19 | cce:
20 | - CCE-94246-6
21 | cci:
22 | - N/A
23 | 800-53r5:
24 | - CM-7(2)
25 | 800-53r4:
26 | - CM-7(2)
27 | srg:
28 | - N/A
29 | disa_stig:
30 | - N/A
31 | 800-171r3:
32 | - 3.4.7
33 | cis:
34 | benchmark:
35 | - N/A
36 | controls v8:
37 | - 4.8
38 | macOS:
39 | - '15.0'
40 | tags:
41 | - cnssi-1253_low
42 | - cnssi-1253_high
43 | - cnssi-1253_moderate
44 | mobileconfig: true
45 | mobileconfig_info:
46 | com.apple.applicationaccess.new:
47 | familyControlsEnabled: true
48 |
--------------------------------------------------------------------------------
/rules/os/os_password_autofill_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_password_autofill_disable
2 | title: Disable Password Autofill
3 | discussion: |
4 | Password Autofill _MUST_ be disabled.
5 |
6 | macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications.
7 | check: |
8 | /usr/bin/osascript -l JavaScript << EOS
9 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
10 | .objectForKey('allowPasswordAutoFill').js
11 | EOS
12 | result:
13 | string: 'false'
14 | fix: |
15 | This is implemented by a Configuration Profile.
16 | references:
17 | cce:
18 | - CCE-94247-4
19 | cci:
20 | - N/A
21 | 800-53r5:
22 | - N/A
23 | srg:
24 | - SRG-OS-000095-GPOS-00049
25 | 800-171r3:
26 | - 03.04.06
27 | cis:
28 | benchmark:
29 | - N/A
30 | controls v8:
31 | - 4.1
32 | - 4.8
33 | cmmc:
34 | - CM.L2-3.4.6
35 | - CM.L2-3.4.7
36 | - IA.L2-3.5.8
37 | - IA.L2-3.5.9
38 | macOS:
39 | - '15.0'
40 | tags:
41 | - none
42 | - cnssi-1253_moderate
43 | - cnssi-1253_low
44 | - cnssi-1253_high
45 | mobileconfig: true
46 | mobileconfig_info:
47 | com.apple.applicationaccess:
48 | allowPasswordAutoFill: false
49 |
--------------------------------------------------------------------------------
/rules/os/os_password_hint_remove.yaml:
--------------------------------------------------------------------------------
1 | id: os_password_hint_remove
2 | title: Remove Password Hint From User Accounts
3 | discussion: |
4 | User accounts _MUST_ not contain password hints.
5 | check: |
6 | HINT=$(/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{ print $2 }')
7 |
8 | if [ -z "$HINT" ]; then
9 | echo "PASS"
10 | else
11 | echo "FAIL"
12 | fi
13 | result:
14 | string: PASS
15 | fix: |
16 | [source,bash]
17 | ----
18 | for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
19 | /usr/bin/dscl . -delete /Users/$u hint
20 | done
21 | ----
22 | references:
23 | cce:
24 | - CCE-94248-2
25 | cci:
26 | - CCI-000206
27 | 800-53r5:
28 | - IA-6
29 | 800-53r4:
30 | - IA-6
31 | 800-171r3:
32 | - 03.05.11
33 | cis:
34 | benchmark:
35 | - 2.11.1 (level 1)
36 | controls v8:
37 | - 5.2
38 | cmmc:
39 | - IA.L2-3.5.11
40 | srg:
41 | - SRG-OS-000079-GPOS-00047
42 | disa_stig:
43 | - APPL-15-003014
44 | macOS:
45 | - '15.0'
46 | tags:
47 | - cis_lvl1
48 | - cis_lvl2
49 | - cisv8
50 | - cnssi-1253_low
51 | - cnssi-1253_high
52 | - cmmc_lvl2
53 | - stig
54 | - cnssi-1253_moderate
55 | severity: medium
56 | mobileconfig: false
57 | mobileconfig_info:
58 |
--------------------------------------------------------------------------------
/rules/os/os_password_proximity_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_password_proximity_disable
2 | title: Disable Proximity Based Password Sharing Requests
3 | discussion: |
4 | Proximity based password sharing requests _MUST_ be disabled.
5 |
6 | The default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature _MUST_ be disabled to prevent passwords from being shared.
7 | check: |
8 | /usr/bin/osascript -l JavaScript << EOS
9 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
10 | .objectForKey('allowPasswordProximityRequests').js
11 | EOS
12 | result:
13 | string: 'false'
14 | fix: |
15 | This is implemented by a Configuration Profile.
16 | references:
17 | cce:
18 | - CCE-94249-0
19 | cci:
20 | - CCI-000381
21 | 800-53r5:
22 | - IA-5
23 | 800-53r4:
24 | - IA-5
25 | srg:
26 | - SRG-OS-000095-GPOS-00049
27 | disa_stig:
28 | - APPL-15-005060
29 | 800-171r3:
30 | - 03.05.12
31 | cis:
32 | benchmark:
33 | - N/A
34 | controls v8:
35 | - 4.1
36 | - 4.8
37 | cmmc:
38 | - IA.L2-3.5.8
39 | - IA.L2-3.5.9
40 | macOS:
41 | - '15.0'
42 | tags:
43 | - 800-53r5_low
44 | - 800-53r5_moderate
45 | - 800-53r5_high
46 | - 800-53r4_low
47 | - 800-53r4_moderate
48 | - 800-53r4_high
49 | - 800-171
50 | - cisv8
51 | - cnssi-1253_low
52 | - cnssi-1253_high
53 | - cmmc_lvl2
54 | - stig
55 | - cnssi-1253_moderate
56 | severity: medium
57 | mobileconfig: true
58 | mobileconfig_info:
59 | com.apple.applicationaccess:
60 | allowPasswordProximityRequests: false
61 |
--------------------------------------------------------------------------------
/rules/os/os_password_sharing_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_password_sharing_disable
2 | title: Disable Password Sharing
3 | discussion: |
4 | Password Sharing _MUST_ be disabled.
5 |
6 | The default behavior of macOS is to allow users to share a password over Airdrop between other macOS and iOS devices. This feature _MUST_ be disabled to prevent passwords from being shared.
7 | check: |
8 | /usr/bin/osascript -l JavaScript << EOS
9 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
10 | .objectForKey('allowPasswordSharing').js
11 | EOS
12 | result:
13 | string: 'false'
14 | fix: |
15 | This is implemented by a Configuration Profile.
16 | references:
17 | cce:
18 | - CCE-94250-8
19 | 800-53r5:
20 | - IA-5
21 | 800-53r4:
22 | - IA-5
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - 03.05.12
29 | cis:
30 | benchmark:
31 | - N/A
32 | controls v8:
33 | - 4.1
34 | - 4.8
35 | cmmc:
36 | - IA.L2-3.5.8
37 | - IA.L2-3.5.9
38 | cci:
39 | - N/A
40 | macOS:
41 | - '15.0'
42 | tags:
43 | - 800-53r5_low
44 | - 800-53r5_moderate
45 | - 800-53r5_high
46 | - 800-53r4_low
47 | - 800-53r4_moderate
48 | - 800-53r4_high
49 | - 800-171
50 | - cisv8
51 | - cnssi-1253_low
52 | - cnssi-1253_high
53 | - cmmc_lvl2
54 | - cnssi-1253_moderate
55 | mobileconfig: true
56 | mobileconfig_info:
57 | com.apple.applicationaccess:
58 | allowPasswordSharing: false
59 |
--------------------------------------------------------------------------------
/rules/os/os_peripherals_identify.yaml:
--------------------------------------------------------------------------------
1 | id: os_peripherals_identify
2 | title: The macOS system must uniquely identify peripherals before establishing a connection.
3 | discussion: |
4 | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
5 |
6 | Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
7 | check: |
8 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
9 | fix: |
10 | The technology inherently meets this requirement. No fix is required.
11 | references:
12 | cce:
13 | - CCE-94251-6
14 | cci:
15 | - N/A
16 | 800-53r5:
17 | - N/A
18 | 800-53r4:
19 | - N/A
20 | srg:
21 | - N/A
22 | disa_stig:
23 | - N/A
24 | 800-171r3:
25 | - N/A
26 | macOS:
27 | - '15.0'
28 | tags:
29 | - inherent
30 | mobileconfig: false
31 | mobileconfig_info:
32 |
--------------------------------------------------------------------------------
/rules/os/os_photos_enhanced_search_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_photos_enhanced_search_disable
2 | title: Disable Photos Enhanced Visual Search
3 | discussion: |-
4 | Enhanced Visualed Search _MUST_ be disabled in the Photos app.
5 |
6 | The information system _MUST_ be configured to provide only essential capabilities. Disabling Enhanced Visual Search will mitigate the risk of unwanted data being sent to Apple.
7 | check: |
8 | /usr/bin/osascript -l JavaScript << EOS
9 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.photos.shareddefaults')\
10 | .objectForKey('IPXDefaultEnhancedVisualSearchEnabled').js
11 | EOS
12 | result:
13 | string: 'false'
14 | fix: |
15 | This is implemented by a Configuration Profile.
16 | references:
17 | cce:
18 | - CCE-94522-0
19 | cci:
20 | - N/A
21 | 800-53r5:
22 | - AC-20
23 | - AC-20(1)
24 | - CM-7
25 | - CM-7(1)
26 | - SC-7(10)
27 | 800-171r3:
28 | - 03.01.20
29 | - 03.04.06
30 | cmmc:
31 | - AC.L1-3.1.20
32 | - CM.L2-3.4.6
33 | - CM.L2-3.4.7
34 | macOS:
35 | - '15.0'
36 | tags:
37 | - 800-53r5_low
38 | - 800-53r5_moderate
39 | - 800-53r5_high
40 | - 800-171
41 | - cmmc_lvl2
42 | - cmmc_lvl1
43 | mobileconfig: true
44 | mobileconfig_info:
45 | com.apple.photos.shareddefaults:
46 | IPXDefaultEnhancedVisualSearchEnabled: false
47 |
--------------------------------------------------------------------------------
/rules/os/os_power_nap_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_power_nap_disable
2 | title: Disable Power Nap
3 | discussion: |
4 | Power Nap _MUST_ be disabled.
5 |
6 | NOTE: Power Nap allows your Mac to perform actions while a Mac is asleep. This can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot and must therefore be disabled on all applicable systems.
7 |
8 | The following Macs support Power Nap:
9 |
10 | * MacBook (Early 2015 and later)
11 | * MacBook Air (Late 2010 and later)
12 | * MacBook Pro (all models with Retina display)
13 | * Mac mini (Late 2012 and later)
14 | * iMac (Late 2012 and later)
15 | * Mac Pro (Late 2013 and later)
16 | check: |
17 | /usr/bin/pmset -g custom | /usr/bin/awk '/powernap/ { sum+=$2 } END {print sum}'
18 | result:
19 | integer: 0
20 | fix: |
21 | [source,bash]
22 | ----
23 | /usr/bin/pmset -a powernap 0
24 | ----
25 | references:
26 | cce:
27 | - CCE-94257-3
28 | cci:
29 | - N/A
30 | 800-53r5:
31 | - CM-7
32 | - CM-7(1)
33 | 800-53r4:
34 | - CM-7
35 | - CM-7(1)
36 | disa_stig:
37 | - N/A
38 | srg:
39 | - N/A
40 | 800-171r3:
41 | - 03.04.06
42 | cis:
43 | benchmark:
44 | - 2.9.2 (level 1)
45 | controls v8:
46 | - 4.1
47 | - 4.8
48 | cmmc:
49 | - CM.L2-3.4.6
50 | - CM.L2-3.4.7
51 | macOS:
52 | - '15.0'
53 | tags:
54 | - cis_lvl1
55 | - cis_lvl2
56 | - cisv8
57 | - i386
58 | - cnssi-1253_low
59 | - cnssi-1253_high
60 | - cmmc_lvl2
61 | - cnssi-1253_moderate
62 | mobileconfig: false
63 | mobileconfig_info:
64 |
--------------------------------------------------------------------------------
/rules/os/os_power_nap_enable.yaml:
--------------------------------------------------------------------------------
1 | id: os_power_nap_enable
2 | title: Enable Power Nap
3 | discussion: |
4 | Power Nap _MUST_ be enabled.
5 |
6 | NOTE: Power nap can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot.
7 |
8 | The following Macs support Power Nap:
9 |
10 | * MacBook (Early 2015 and later)
11 | * MacBook Air (Late 2010 and later)
12 | * MacBook Pro (all models with Retina display)
13 | * Mac mini (Late 2012 and later)
14 | * iMac (Late 2012 and later)
15 | * Mac Pro (Late 2013 and later)
16 | check: |
17 | /usr/bin/pmset -g custom | /usr/bin/awk '/powernap/ { sum+=$2 } END {print sum}'
18 | result:
19 | integer: 1
20 | fix: |
21 | [source,bash]
22 | ----
23 | /usr/bin/pmset -a powernap 1
24 | ----
25 | references:
26 | cce:
27 | - CCE-94258-1
28 | cci:
29 | - N/A
30 | 800-53r5:
31 | - N/A
32 | 800-53r4:
33 | - N/A
34 | disa_stig:
35 | - N/A
36 | srg:
37 | - N/A
38 | 800-171r3:
39 | - N/A
40 | cis:
41 | benchmark:
42 | - N/A
43 | controls v8:
44 | - N/A
45 | macOS:
46 | - '15.0'
47 | tags:
48 | - none
49 | mobileconfig: false
50 | mobileconfig_info:
51 |
--------------------------------------------------------------------------------
/rules/os/os_predictable_behavior.yaml:
--------------------------------------------------------------------------------
1 | id: os_predictable_behavior
2 | title: Must behave in predictable and documented manner
3 | discussion: |
4 | The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
5 | check: |
6 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
7 | fix: |
8 | The technology inherently meets this requirement. No fix is required.
9 | references:
10 | cce:
11 | - CCE-94259-9
12 | cci:
13 | - N/A
14 | 800-53r5:
15 | - SI-10(3)
16 | 800-53r4:
17 | - SI-10(3)
18 | disa_stig:
19 | - N/A
20 | srg:
21 | - SRG-OS-000432-GPOS-00191
22 | macOS:
23 | - '15.0'
24 | tags:
25 | - inherent
26 | - cnssi-1253_low
27 | - cnssi-1253_high
28 | - srg
29 | - cnssi-1253_moderate
30 | mobileconfig: false
31 | mobileconfig_info:
32 |
--------------------------------------------------------------------------------
/rules/os/os_prevent_priv_functions.yaml:
--------------------------------------------------------------------------------
1 | id: os_prevent_priv_functions
2 | title: Configure the System to Block Non-Privileged Users from Executing Privileged Functions
3 | discussion: |
4 | The information system _IS_ configured to block standard users from executing privileged functions.
5 |
6 | Privileged functions include disabling, circumventing, or altering implemented security safeguards and countermeasures.
7 |
8 | The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege.
9 |
10 | link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Introduction/Introduction.html[]
11 | check: |
12 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
13 | fix: |
14 | The technology inherently meets this requirement. No fix is required.
15 | references:
16 | cce:
17 | - CCE-94261-5
18 | cci:
19 | - N/A
20 | 800-53r5:
21 | - AC-6(10)
22 | 800-53r4:
23 | - AC-6(10)
24 | disa_stig:
25 | - N/A
26 | srg:
27 | - SRG-OS-000324-GPOS-00125
28 | 800-171r3:
29 | - 03.01.07
30 | cmmc:
31 | - AC.L2-3.1.7
32 | macOS:
33 | - '15.0'
34 | tags:
35 | - 800-53r5_moderate
36 | - 800-53r5_high
37 | - 800-53r4_moderate
38 | - 800-53r4_high
39 | - 800-171
40 | - inherent
41 | - cnssi-1253_low
42 | - cnssi-1253_high
43 | - cmmc_lvl2
44 | - srg
45 | - cnssi-1253_moderate
46 | mobileconfig: false
47 | mobileconfig_info:
48 |
--------------------------------------------------------------------------------
/rules/os/os_prevent_unauthorized_disclosure.yaml:
--------------------------------------------------------------------------------
1 | id: os_prevent_unauthorized_disclosure
2 | title: Configure the System to Prevent the Unauthorized Disclosure of Data via Shared Resources
3 | discussion: |
4 | The information system _IS_ configured to ensure that the unauthorized disclosure of data does not occur when resources are shared.
5 |
6 | The inherent configuration of the macOS does not allow for resources to be shared between users without authorization.
7 |
8 | link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[]
9 | check: |
10 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
11 | fix: |
12 | The technology inherently meets this requirement. No fix is required.
13 | references:
14 | cce:
15 | - CCE-94262-3
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - SC-4
20 | 800-53r4:
21 | - SC-4
22 | disa_stig:
23 | - N/A
24 | srg:
25 | - SRG-OS-000138-GPOS-00069
26 | 800-171r3:
27 | - 03.13.04
28 | cmmc:
29 | - SC.L2-3.13.4
30 | macOS:
31 | - '15.0'
32 | tags:
33 | - 800-53r5_moderate
34 | - 800-53r5_high
35 | - 800-53r4_moderate
36 | - 800-53r4_high
37 | - 800-171
38 | - inherent
39 | - cnssi-1253_low
40 | - cnssi-1253_high
41 | - cmmc_lvl2
42 | - srg
43 | - cnssi-1253_moderate
44 | mobileconfig: false
45 | mobileconfig_info:
46 |
--------------------------------------------------------------------------------
/rules/os/os_privacy_principle_minimization.yaml:
--------------------------------------------------------------------------------
1 | id: os_privacy_principle_minimization
2 | title: Implement the Privacy Principle of Minimization
3 | discussion: |
4 | Implement the privacy principle of minimization using organization-defined processes.
5 |
6 | The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization.
7 | check: |
8 | This requirement is NA for this technology.
9 | fix: |
10 | The requirement is NA. No fix is required.
11 | references:
12 | cce:
13 | - CCE-94263-1
14 | cci:
15 | - N/A
16 | 800-53r5:
17 | - SA-8(33)
18 | 800-53r4:
19 | - N/A
20 | 800-171r3:
21 | - N/A
22 | disa_stig:
23 | - N/A
24 | srg:
25 | - N/A
26 | macOS:
27 | - '15.0'
28 | tags:
29 | - 800-53r5_privacy
30 | - n_a
31 | mobileconfig: false
32 | mobileconfig_info:
33 |
--------------------------------------------------------------------------------
/rules/os/os_provide_automated_account_management.yaml:
--------------------------------------------------------------------------------
1 | id: os_provide_automated_account_management
2 | title: Employ Automated Mechanisms for Account Management Functions
3 | discussion: |
4 | The organization should employ automated mechanisms to support the management of information system accounts.
5 |
6 | The use of automated mechanisms prevents against human error and provide a faster and more efficient means of relaying time-sensitive information and account management.
7 |
8 | To employ automated mechanisms for account management functions, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement.
9 | check: |
10 | The technology does not support this requirement. This is an applicable-does not meet finding.
11 | fix: |
12 | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
13 | references:
14 | cce:
15 | - CCE-94267-2
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - AC-2(1)
20 | 800-53r4:
21 | - AC-2(1)
22 | disa_stig:
23 | - N/A
24 | srg:
25 | - SRG-OS-000001-GPOS-00001
26 | macOS:
27 | - '15.0'
28 | tags:
29 | - 800-53r5_moderate
30 | - 800-53r5_high
31 | - 800-53r4_moderate
32 | - 800-53r4_high
33 | - permanent
34 | - cnssi-1253_high
35 | - srg
36 | - cnssi-1253_moderate
37 | mobileconfig: false
38 | mobileconfig_info:
39 |
--------------------------------------------------------------------------------
/rules/os/os_provide_disconnect_remote_access.yaml:
--------------------------------------------------------------------------------
1 | id: os_provide_disconnect_remote_access
2 | title: Provide Ability to Disconnect or Disable Remote Access
3 | discussion: |
4 | Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking place would not be immediately stopped.Operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions functions and the need to eliminate immediate or future remote access to organizational information systems.The remote access functionality (e.g., SSH) may implement features such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack.
5 | check: |
6 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
7 | fix: |
8 | The technology inherently meets this requirement. No fix is required.
9 | references:
10 | cce:
11 | - CCE-94268-0
12 | cci:
13 | - N/A
14 | 800-53r5:
15 | - AC-17(9)
16 | 800-53r4:
17 | - AC-17(9)
18 | disa_stig:
19 | - N/A
20 | srg:
21 | - SRG-OS-000298-GPOS-00116
22 | macOS:
23 | - '15.0'
24 | tags:
25 | - inherent
26 | - cnssi-1253_low
27 | - cnssi-1253_high
28 | - srg
29 | - cnssi-1253_moderate
30 | mobileconfig: false
31 | mobileconfig_info:
32 |
--------------------------------------------------------------------------------
/rules/os/os_rapid_security_response_allow.yaml:
--------------------------------------------------------------------------------
1 | id: os_rapid_security_response_allow
2 | title: Enforce Rapid Security Response Mechanism
3 | discussion: |
4 | Rapid security response mechanism _MUST_ be enabled.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
8 | .objectForKey('allowRapidSecurityResponseInstallation').js
9 | EOS
10 | result:
11 | string: 'true'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94269-8
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - SI-2
21 | - SI-2(5)
22 | - SI-3
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - 03.14.01
29 | - 03.14.02
30 | cis:
31 | benchmark:
32 | - N/A
33 | controls v8:
34 | - N/A
35 | cmmc:
36 | - SI.L1-3.14.1
37 | - SI.L1-3.14.2
38 | - SI.L1-3.14.4
39 | macOS:
40 | - '15.0'
41 | tags:
42 | - 800-53r5_low
43 | - 800-53r5_moderate
44 | - 800-53r5_high
45 | - 800-171
46 | - cnssi-1253_low
47 | - cnssi-1253_high
48 | - cmmc_lvl2
49 | - cmmc_lvl1
50 | - cnssi-1253_moderate
51 | mobileconfig: true
52 | mobileconfig_info:
53 | com.apple.applicationaccess:
54 | allowRapidSecurityResponseInstallation: true
55 |
--------------------------------------------------------------------------------
/rules/os/os_rapid_security_response_removal_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_rapid_security_response_removal_disable
2 | title: Disable User Ability from Being Able to Undo Rapid Security Responses
3 | discussion: |
4 | Rapid security response (RSR) mechanism _MUST_ be enabled and the ability for the user to disable RSR _MUST_ be disabled.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
8 | .objectForKey('allowRapidSecurityResponseRemoval').js
9 | EOS
10 | result:
11 | string: 'false'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94270-6
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - SI-2
21 | - SI-2(5)
22 | - SI-3
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - 03.14.01
29 | - 03.14.02
30 | cis:
31 | benchmark:
32 | - N/A
33 | controls v8:
34 | - N/A
35 | cmmc:
36 | - SI.L1-3.14.1
37 | - SI.L1-3.14.2
38 | - SI.L1-3.14.4
39 | macOS:
40 | - '15.0'
41 | tags:
42 | - 800-53r5_low
43 | - 800-53r5_moderate
44 | - 800-53r5_high
45 | - 800-171
46 | - cnssi-1253_low
47 | - cnssi-1253_high
48 | - cmmc_lvl2
49 | - cmmc_lvl1
50 | - cnssi-1253_moderate
51 | mobileconfig: true
52 | mobileconfig_info:
53 | com.apple.applicationaccess:
54 | allowRapidSecurityResponseRemoval: false
55 |
--------------------------------------------------------------------------------
/rules/os/os_reauth_devices_change_authenticators.yaml:
--------------------------------------------------------------------------------
1 | id: os_reauth_devices_change_authenticators
2 | title: Require Devices to Reauthenticate when Changing Authenticators
3 | discussion: |
4 | The macOS should be configured to require users to reauthenticate when the device authenticator is changed.
5 |
6 | Without reauthentication, users may access resources or perform tasks for which they are not authorization. When operating systems provide the capability to change device authenticators, it is critical the device reauthenticate.
7 | check: |
8 | The technology does not support this requirement. This is an applicable-does not meet finding.
9 | fix: |
10 | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
11 | references:
12 | cce:
13 | - CCE-94271-4
14 | cci:
15 | - N/A
16 | 800-53r5:
17 | - IA-11
18 | 800-53r4:
19 | - IA-11
20 | disa_stig:
21 | - N/A
22 | srg:
23 | - SRG-OS-000374-GPOS-00159
24 | 800-171r3:
25 | - 03.05.01
26 | macOS:
27 | - '15.0'
28 | tags:
29 | - 800-171
30 | - 800-53r5_low
31 | - 800-53r5_moderate
32 | - 800-53r5_high
33 | - permanent
34 | - cnssi-1253_low
35 | - cnssi-1253_high
36 | - srg
37 | - cnssi-1253_moderate
38 | mobileconfig: false
39 | mobileconfig_info:
40 |
--------------------------------------------------------------------------------
/rules/os/os_reauth_privilege.yaml:
--------------------------------------------------------------------------------
1 | id: os_reauth_privilege
2 | title: Require users to reauthenticate for privilege escalation
3 | discussion: |
4 | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
5 | check: |
6 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
7 | fix: |
8 | The technology inherently meets this requirement. No fix is required.
9 | references:
10 | cce:
11 | - CCE-94272-2
12 | cci:
13 | - N/A
14 | 800-53r5:
15 | - IA-11
16 | 800-53r4:
17 | - IA-11
18 | disa_stig:
19 | - N/A
20 | srg:
21 | - SRG-OS-000373-GPOS-00157
22 | - SRG-OS-000373-GPOS-00156
23 | 800-171r3:
24 | - 03.05.01
25 | macOS:
26 | - '15.0'
27 | tags:
28 | - 800-171
29 | - inherent
30 | - cnssi-1253_low
31 | - cnssi-1253_high
32 | - srg
33 | - cnssi-1253_moderate
34 | mobileconfig: false
35 | mobileconfig_info:
36 |
--------------------------------------------------------------------------------
/rules/os/os_reauth_users_change_authenticators.yaml:
--------------------------------------------------------------------------------
1 | id: os_reauth_users_change_authenticators
2 | title: Require users to reauthenticate when changing authenticators
3 | discussion: |
4 | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to change user authenticators, it is critical the user reauthenticate.
5 | check: |
6 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
7 | fix: |
8 | The technology inherently meets this requirement. No fix is required.
9 | references:
10 | cce:
11 | - CCE-94273-0
12 | cci:
13 | - N/A
14 | 800-53r5:
15 | - IA-11
16 | 800-53r4:
17 | - IA-11
18 | disa_stig:
19 | - N/A
20 | srg:
21 | - SRG-OS-000373-GPOS-00158
22 | 800-171r3:
23 | - 03.05.01
24 | macOS:
25 | - '15.0'
26 | tags:
27 | - 800-171
28 | - inherent
29 | - 800-53r5_low
30 | - 800-53r5_moderate
31 | - 800-53r5_high
32 | - cnssi-1253_low
33 | - cnssi-1253_high
34 | - srg
35 | - cnssi-1253_moderate
36 | mobileconfig: false
37 | mobileconfig_info:
38 |
--------------------------------------------------------------------------------
/rules/os/os_recovery_lock_enable.yaml:
--------------------------------------------------------------------------------
1 | id: os_recovery_lock_enable
2 | title: Enable Recovery Lock
3 | discussion: |
4 | A recovery lock password _MUST_ be enabled and set.
5 |
6 | Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding down specific key combinations during startup. Setting a recovery lock restricts access to these tools.
7 |
8 | IMPORTANT: Recovery lock passwords are not supported on Intel devices. This rule is only applicable to Apple Silicon devices.
9 | check: |
10 | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "IsRecoveryLockEnabled = 1"
11 | result:
12 | integer: 1
13 | fix: |
14 | NOTE: The SetRecoveryLock command can be used to set a Recovery Lock password and must be from your MDM.
15 | references:
16 | cce:
17 | - CCE-94274-8
18 | cci:
19 | - CCI-000366
20 | 800-53r5:
21 | - AC-6
22 | 800-53r4:
23 | - AC-6
24 | srg:
25 | - SRG-OS-000480-GPOS-00227
26 | disa_stig:
27 | - APPL-15-005120
28 | 800-171r3:
29 | - 03.01.05
30 | cmmc:
31 | - AC.L1-3.1.1
32 | - AC.L2-3.1.5
33 | macOS:
34 | - '15.0'
35 | tags:
36 | - 800-53r5_moderate
37 | - 800-53r5_high
38 | - 800-53r4_moderate
39 | - 800-53r4_high
40 | - 800-171
41 | - arm64
42 | - cnssi-1253_low
43 | - cnssi-1253_high
44 | - cmmc_lvl2
45 | - cmmc_lvl1
46 | - stig
47 | - cnssi-1253_moderate
48 | severity: medium
49 | mobileconfig: false
50 | mobileconfig_info:
51 |
--------------------------------------------------------------------------------
/rules/os/os_remote_access_methods.yaml:
--------------------------------------------------------------------------------
1 | id: os_remote_access_methods
2 | title: Control remote access methods
3 | discussion: |
4 | The information system monitors and controls remote access methods.
5 | check: |
6 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
7 | fix: |
8 | The technology inherently meets this requirement. No fix is required.
9 | references:
10 | cce:
11 | - CCE-94275-5
12 | cci:
13 | - N/A
14 | 800-53r5:
15 | - N/A
16 | 800-53r4:
17 | - N/A
18 | disa_stig:
19 | - N/A
20 | srg:
21 | - N/A
22 | macOS:
23 | - '15.0'
24 | tags:
25 | - inherent
26 | mobileconfig: false
27 | mobileconfig_info:
28 |
--------------------------------------------------------------------------------
/rules/os/os_remove_software_components_after_updates.yaml:
--------------------------------------------------------------------------------
1 | id: os_remove_software_components_after_updates
2 | title: Must remove all software components after updated versions installed
3 | discussion: |
4 | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.
5 | check: |
6 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
7 | fix: |
8 | The technology inherently meets this requirement. No fix is required.
9 | references:
10 | cce:
11 | - CCE-94277-1
12 | cci:
13 | - N/A
14 | 800-53r5:
15 | - SI-2(6)
16 | 800-53r4:
17 | - SI-2(6)
18 | disa_stig:
19 | - N/A
20 | srg:
21 | - SRG-OS-000437-GPOS-00194
22 | macOS:
23 | - '15.0'
24 | tags:
25 | - inherent
26 | - cnssi-1253_low
27 | - cnssi-1253_high
28 | - srg
29 | - cnssi-1253_moderate
30 | mobileconfig: false
31 | mobileconfig_info:
32 |
--------------------------------------------------------------------------------
/rules/os/os_safari_advertising_privacy_protection_enable.yaml:
--------------------------------------------------------------------------------
1 | id: os_safari_advertising_privacy_protection_enable
2 | title: Ensure Advertising Privacy Protection in Safari Is Enabled
3 | discussion: |
4 | Allow privacy-preserving measurement of ad effectiveness _MUST_ be enabled in Safari.
5 | check: |
6 | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"WebKitPreferences.privateClickMeasurementEnabled" = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}'
7 | result:
8 | integer: 1
9 | fix: |
10 | This is implemented by a Configuration Profile.
11 | references:
12 | cce:
13 | - CCE-94280-5
14 | cci:
15 | - N/A
16 | 800-53r5:
17 | - N/A
18 | 800-53r4:
19 | - N/A
20 | disa_stig:
21 | - N/A
22 | srg:
23 | - N/A
24 | cis:
25 | benchmark:
26 | - 6.3.6 (level 1)
27 | controls v8:
28 | - 9.1
29 | macOS:
30 | - '15.0'
31 | tags:
32 | - cis_lvl1
33 | - cis_lvl2
34 | - cisv8
35 | mobileconfig: true
36 | mobileconfig_info:
37 | com.apple.Safari:
38 | WebKitPreferences.privateClickMeasurementEnabled: true
39 |
--------------------------------------------------------------------------------
/rules/os/os_safari_open_safe_downloads_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_safari_open_safe_downloads_disable
2 | title: Disable Automatic Opening of Safe Files in Safari
3 | discussion: |
4 | Open "safe" files after downloading _MUST_ be disabled in Safari.
5 | check: |
6 | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutoOpenSafeDownloads = 0' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}'
7 | result:
8 | integer: 1
9 | fix: |
10 | This is implemented by a Configuration Profile.
11 | references:
12 | cce:
13 | - CCE-94281-3
14 | cci:
15 | - N/A
16 | 800-53r5:
17 | - N/A
18 | 800-53r4:
19 | - N/A
20 | disa_stig:
21 | - N/A
22 | srg:
23 | - N/A
24 | cis:
25 | benchmark:
26 | - 6.3.1 (level 1)
27 | controls v8:
28 | - 9.1
29 | - 9.6
30 | macOS:
31 | - '15.0'
32 | tags:
33 | - cis_lvl1
34 | - cis_lvl2
35 | - cisv8
36 | mobileconfig: true
37 | mobileconfig_info:
38 | com.apple.Safari:
39 | AutoOpenSafeDownloads: false
40 |
--------------------------------------------------------------------------------
/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml:
--------------------------------------------------------------------------------
1 | id: os_safari_prevent_cross-site_tracking_enable
2 | title: Ensure Prevent Cross-site Tracking in Safari Is Enabled
3 | discussion: |
4 | Prevent cross-site tracking _MUST_ be enabled in Safari.
5 | check: |
6 | /usr/bin/profiles -P -o stdout | /usr/bin/grep -cE '"WebKitPreferences.storageBlockingPolicy" = 1|"WebKitStorageBlockingPolicy" = 1|"BlockStoragePolicy" =2' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}'
7 | result:
8 | integer: 1
9 | fix: |
10 | This is implemented by a Configuration Profile.
11 | references:
12 | cce:
13 | - CCE-94282-1
14 | cci:
15 | - N/A
16 | 800-53r5:
17 | - N/A
18 | 800-53r4:
19 | - N/A
20 | disa_stig:
21 | - N/A
22 | srg:
23 | - N/A
24 | cis:
25 | benchmark:
26 | - 6.3.4 (level 1)
27 | controls v8:
28 | - 9.1
29 | - 9.3
30 | macOS:
31 | - '15.0'
32 | tags:
33 | - cis_lvl1
34 | - cis_lvl2
35 | - cisv8
36 | mobileconfig: true
37 | mobileconfig_info:
38 | com.apple.Safari:
39 | WebKitPreferences.storageBlockingPolicy: 1
40 | WebKitStorageBlockingPolicy: 1
41 | BlockStoragePolicy: 2
42 |
--------------------------------------------------------------------------------
/rules/os/os_safari_show_full_website_address_enable.yaml:
--------------------------------------------------------------------------------
1 | id: os_safari_show_full_website_address_enable
2 | title: Ensure Show Full Website Address in Safari Is Enabled
3 | discussion: |
4 | Show full website address _MUST_ be enabled in Safari.
5 | check: |
6 | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ShowFullURLInSmartSearchField = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}'
7 | result:
8 | integer: 1
9 | fix: |
10 | This is implemented by a Configuration Profile.
11 | references:
12 | cce:
13 | - CCE-94283-9
14 | cci:
15 | - N/A
16 | 800-53r5:
17 | - N/A
18 | 800-53r4:
19 | - N/A
20 | disa_stig:
21 | - N/A
22 | srg:
23 | - N/A
24 | cis:
25 | benchmark:
26 | - 6.3.7 (level 1)
27 | controls v8:
28 | - 9.1
29 | macOS:
30 | - '15.0'
31 | tags:
32 | - cis_lvl1
33 | - cis_lvl2
34 | - cisv8
35 | mobileconfig: true
36 | mobileconfig_info:
37 | com.apple.Safari:
38 | ShowFullURLInSmartSearchField: true
39 |
--------------------------------------------------------------------------------
/rules/os/os_safari_show_status_bar_enabled.yaml:
--------------------------------------------------------------------------------
1 | id: os_safari_show_status_bar_enabled
2 | title: "Ensure Show Safari shows the Status Bar is Enabled"
3 | discussion: |
4 | Safari _MUST_ be configured to show the status bar.
5 | check: |
6 | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ShowOverlayStatusBar = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}'
7 | result:
8 | integer: 1
9 | fix: |
10 | This is implemented by a Configuration Profile.
11 | references:
12 | cce:
13 | - CCE-94284-7
14 | cci:
15 | - N/A
16 | 800-53r5:
17 | - N/A
18 | 800-53r4:
19 | - N/A
20 | disa_stig:
21 | - N/A
22 | srg:
23 | - N/A
24 | cis:
25 | benchmark:
26 | - 6.3.10 (level 1)
27 | controls v8:
28 | - 9.1
29 | macOS:
30 | - '15.0'
31 | tags:
32 | - cis_lvl1
33 | - cis_lvl2
34 | - cisv8
35 | mobileconfig: true
36 | mobileconfig_info:
37 | com.apple.Safari:
38 | ShowOverlayStatusBar: true
39 |
--------------------------------------------------------------------------------
/rules/os/os_safari_warn_fraudulent_website_enable.yaml:
--------------------------------------------------------------------------------
1 | id: os_safari_warn_fraudulent_website_enable
2 | title: Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled
3 | discussion: |
4 | Warn when visiting a fraudulent website _MUST_ be enabled in Safari.
5 | check: |
6 | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'WarnAboutFraudulentWebsites = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}'
7 | result:
8 | integer: 1
9 | fix: |
10 | This is implemented by a Configuration Profile.
11 | references:
12 | cce:
13 | - CCE-94285-4
14 | cci:
15 | - N/A
16 | 800-53r5:
17 | - N/A
18 | 800-53r4:
19 | - N/A
20 | disa_stig:
21 | - N/A
22 | srg:
23 | - N/A
24 | cis:
25 | benchmark:
26 | - 6.3.3 (level 1)
27 | controls v8:
28 | - 9.1
29 | - 9.3
30 | macOS:
31 | - '15.0'
32 | tags:
33 | - cis_lvl1
34 | - cis_lvl2
35 | - cisv8
36 | mobileconfig: true
37 | mobileconfig_info:
38 | com.apple.Safari:
39 | WarnAboutFraudulentWebsites: true
40 |
--------------------------------------------------------------------------------
/rules/os/os_screensaver_loginwindow_enforce.yaml:
--------------------------------------------------------------------------------
1 | id: os_screensaver_loginwindow_enforce
2 | title: Enforce Screen Saver at Login Window
3 | discussion: |
4 | A default screen saver _MUST_ be configured to display at the login window and _MUST_ not display any sensitive information.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
8 | .objectForKey('moduleName').js
9 | EOS
10 | result:
11 | string: Sequoia
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94286-2
17 | cci:
18 | - CCI-000060
19 | 800-53r5:
20 | - AC-11(1)
21 | 800-53r4:
22 | - AC-11(1)
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - 03.01.10
29 | cmmc:
30 | - AC.L2-3.1.10
31 | macOS:
32 | - '15.0'
33 | tags:
34 | - 800-53r5_moderate
35 | - 800-53r5_high
36 | - 800-53r4_moderate
37 | - 800-53r4_high
38 | - 800-171
39 | - cnssi-1253_low
40 | - cnssi-1253_high
41 | - cmmc_lvl2
42 | - cnssi-1253_moderate
43 | severity: medium
44 | mobileconfig: true
45 | mobileconfig_info:
46 | com.apple.screensaver:
47 | moduleName: Sequoia
48 |
--------------------------------------------------------------------------------
/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml:
--------------------------------------------------------------------------------
1 | id: os_screensaver_timeout_loginwindow_enforce
2 | title: Enforce Screen Saver Timeout at LoginWindow
3 | discussion: |
4 | The screen saver timeout at LoginWindow _MUST_ be set to $ODV seconds or a shorter length of time.
5 |
6 | This rule ensures that a full session lock is triggered within no more than $ODV seconds of inactivity.
7 | check: |
8 | /usr/bin/osascript -l JavaScript << EOS
9 | function run() {
10 | let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
11 | .objectForKey('loginWindowIdleTime'))
12 | if ( timeout <= $ODV ) {
13 | return("true")
14 | } else {
15 | return("false")
16 | }
17 | }
18 | EOS
19 | result:
20 | string: 'true'
21 | fix: |
22 | This is implemented by a Configuration Profile.
23 | references:
24 | cce:
25 | - CCE-94287-0
26 | cci:
27 | - CCI-000057
28 | 800-53r5:
29 | - N/A
30 | srg:
31 | - N/A
32 | disa_stig:
33 | - N/A
34 | 800-171r3:
35 | - N/A
36 | cis:
37 | benchmark:
38 | - N/A
39 | controls v8:
40 | - 4.3
41 | cmmc:
42 | - AC.L2-3.1.10
43 | macOS:
44 | - '15.0'
45 | odv:
46 | hint: Number of seconds.
47 | recommended: 1200
48 | tags:
49 | - none
50 | severity: medium
51 | mobileconfig: true
52 | mobileconfig_info:
53 | com.apple.screensaver:
54 | loginWindowIdleTime: $ODV
55 |
--------------------------------------------------------------------------------
/rules/os/os_secure_boot_verify.yaml:
--------------------------------------------------------------------------------
1 | id: os_secure_boot_verify
2 | title: Ensure Secure Boot Level Set to Full
3 | discussion: |
4 | The Secure Boot security setting _MUST_ be set to full.
5 |
6 | Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot.
7 |
8 | NOTE: This will only return a proper result on a T2 or Apple Silicon Macs.
9 | check: |
10 | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full"
11 | result:
12 | integer: 1
13 | fix: |
14 | NOTE: Boot into Recovery Mode and enable Full Secure Boot
15 | references:
16 | cce:
17 | - CCE-94288-8
18 | cci:
19 | - CCI-002696
20 | - CCI-002699
21 | - CCI-002702
22 | 800-53r5:
23 | - SI-7
24 | - SI-7(1)
25 | - SI-7(5)
26 | - SI-6
27 | 800-53r4:
28 | - SI-6
29 | srg:
30 | - SRG-OS-000447-GPOS-00201
31 | - SRG-OS-000445-GPOS-00199
32 | - SRG-OS-000446-GPOS-00200
33 | disa_stig:
34 | - APPL-15-005100
35 | macOS:
36 | - '15.0'
37 | tags:
38 | - 800-53r5_high
39 | - 800-53r5_moderate
40 | - 800-53r4_high
41 | - cnssi-1253_high
42 | - stig
43 | - cnssi-1253_moderate
44 | severity: medium
45 | mobileconfig: false
46 | mobileconfig_info:
47 |
--------------------------------------------------------------------------------
/rules/os/os_secure_enclave.yaml:
--------------------------------------------------------------------------------
1 | id: os_secure_enclave
2 | title: Protected Storage for Cryptographic Keys
3 | discussion: |
4 | A system _IS_ configured to provide protected storage for cryptographic keys either by hardware protected key store or an organizationally defined safeguard.
5 |
6 | Macs with Apple Silicon or T2 processors provide protected storage for cryptographic keys via the secure enclave.
7 |
8 | link:https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1[]
9 |
10 | NOTE: This will only return a proper result on a T2 or Apple Silicon Macs.
11 | check: |
12 | /usr/sbin/ioreg -w 0 -c AppleSEPManager | /usr/bin/grep -q 'AppleSEPManager'; /bin/echo $?
13 | result:
14 | integer: 0
15 | fix: |
16 | The hardware does not support the requirement.
17 | references:
18 | cce:
19 | - CCE-94289-6
20 | cci:
21 | - N/A
22 | 800-53r5:
23 | - SC-28(3)
24 | 800-53r4:
25 | - N/A
26 | disa_stig:
27 | - N/A
28 | srg:
29 | - SRG-OS-000404-GPOS-00183
30 | - SRG-OS-000405-GPOS-00184
31 | cmmc:
32 | - SC.L2-3.13.10
33 | macOS:
34 | - '15.0'
35 | tags:
36 | - inherent
37 | - cnssi-1253_low
38 | - cnssi-1253_high
39 | - cmmc_lvl2
40 | - srg
41 | - cnssi-1253_moderate
42 | mobileconfig: false
43 | mobileconfig_info:
44 |
--------------------------------------------------------------------------------
/rules/os/os_secure_name_resolution.yaml:
--------------------------------------------------------------------------------
1 | id: os_secure_name_resolution
2 | title: Secure Name Address Resolution Service
3 | discussion: |
4 | The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
5 |
6 | NOTE: macOS supports encrypted DNS settings with the com.apple.dnsSettings.managed payload, however, the system must be integrated with a DNS server that supports encrypted DNS. link:https://developer.apple.com/documentation/devicemanagement/dnssettings[]
7 | check: |
8 | The technology does not support this requirement. This is an applicable-does not meet finding.
9 | fix: |
10 | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
11 | references:
12 | cce:
13 | - CCE-94290-4
14 | cci:
15 | - N/A
16 | 800-53r5:
17 | - SC-21
18 | 800-53r4:
19 | - SC-21
20 | disa_stig:
21 | - N/A
22 | srg:
23 | - N/A
24 | cis:
25 | benchmark:
26 | - N/A
27 | controls v8:
28 | - 4.9
29 | macOS:
30 | - '15.0'
31 | tags:
32 | - 800-53r5_low
33 | - 800-53r5_moderate
34 | - 800-53r5_high
35 | - 800-53r4_low
36 | - 800-53r4_moderate
37 | - 800-53r4_high
38 | - permanent
39 | - cisv8
40 | - cnssi-1253_low
41 | - cnssi-1253_high
42 | - cnssi-1253_moderate
43 | mobileconfig: false
44 | mobileconfig_info:
45 |
--------------------------------------------------------------------------------
/rules/os/os_setup_assistant_filevault_enforce.yaml:
--------------------------------------------------------------------------------
1 | id: os_setup_assistant_filevault_enforce
2 | title: Enforce FileVault in Setup Assistant
3 | discussion: |
4 | FileVault _MUST_ be enforced in Setup Assistant.
5 |
6 | The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
7 | check: |
8 | /usr/bin/osascript -l JavaScript << EOS
9 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX.FileVault2')\
10 | .objectForKey('ForceEnableInSetupAssistant')
11 | EOS
12 | result:
13 | integer: 1
14 | fix: |
15 | NOTE: See the FileVault supplemental to implement this rule.
16 | references:
17 | cce:
18 | - CCE-94292-0
19 | cci:
20 | - N/A
21 | 800-53r5:
22 | - SC-28
23 | - SC-28(1)
24 | 800-53r4:
25 | - SC-28
26 | - SC-28(1)
27 | srg:
28 | - N/A
29 | disa_stig:
30 | - N/A
31 | 800-171r3:
32 | - 03.13.08
33 | cis:
34 | benchmark:
35 | - N/A
36 | controls v8:
37 | - 3.6
38 | - 3.11
39 | cmmc:
40 | - SC.L2-3.13.16
41 | macOS:
42 | - '15.0'
43 | tags:
44 | - 800-53r5_moderate
45 | - 800-53r5_high
46 | - cisv8
47 | - cmmc_lvl2
48 | - cnssi-1253_moderate
49 | - cnssi-1253_low
50 | - cnssi-1253_high
51 | severity: high
52 | mobileconfig: true
53 | mobileconfig_info:
54 | com.apple.MCX.FileVault2:
55 | ForceEnableInSetupAssistant: true
56 |
--------------------------------------------------------------------------------
/rules/os/os_show_filename_extensions_enable.yaml:
--------------------------------------------------------------------------------
1 | id: os_show_filename_extensions_enable
2 | title: Enable Show All Filename Extensions
3 | discussion: |
4 | Show all filename extensions _MUST_ be enabled in the Finder.
5 |
6 | [NOTE]
7 | ====
8 | The check and fix are for the currently logged in user. To get the currently logged in user, run the following.
9 | [source,bash]
10 | ----
11 | CURRENT_USER=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
12 | ----
13 | ====
14 | check: |
15 | /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults read .GlobalPreferences AppleShowAllExtensions 2>/dev/null
16 | result:
17 | boolean: 1
18 | fix: |
19 | [source,bash]
20 | ----
21 | /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults write /Users/"$CURRENT_USER"/Library/Preferences/.GlobalPreferences AppleShowAllExtensions -bool true
22 | ----
23 | references:
24 | cce:
25 | - CCE-94293-8
26 | cci:
27 | - N/A
28 | 800-53r5:
29 | - N/A
30 | 800-53r4:
31 | - N/A
32 | srg:
33 | - N/A
34 | disa_stig:
35 | - N/A
36 | 800-171r3:
37 | - N/A
38 | cis:
39 | benchmark:
40 | - 6.1.1 (level 1)
41 | controls v8:
42 | - 2.3
43 | macOS:
44 | - '15.0'
45 | tags:
46 | - cis_lvl1
47 | - cis_lvl2
48 | - cisv8
49 | mobileconfig: false
50 | mobileconfig_info:
51 |
--------------------------------------------------------------------------------
/rules/os/os_skip_screen_time_prompt_enable.yaml:
--------------------------------------------------------------------------------
1 | id: os_skip_screen_time_prompt_enable
2 | title: Disable Screen Time Prompt During Setup Assistant
3 | discussion: The prompt for Screen Time setup during Setup Assistant _MUST_ be disabled.
4 | check: |
5 | /usr/bin/osascript -l JavaScript << EOS
6 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
7 | .objectForKey('SkipScreenTime').js
8 | EOS
9 | result:
10 | string: 'true'
11 | fix: |
12 | This is implemented by a Configuration Profile.
13 | references:
14 | cce:
15 | - CCE-94296-1
16 | cci:
17 | - CCI-000381
18 | 800-53r5:
19 | - CM-7
20 | - CM-7(1)
21 | 800-53r4:
22 | - CM-7
23 | - CM-7(1)
24 | srg:
25 | - SRG-OS-000095-GPOS-00049
26 | disa_stig:
27 | - APPL-15-005055
28 | cmmc:
29 | - CM.L2-3.4.6
30 | - CM.L2-3.4.7
31 | 800-171r3:
32 | - 03.04.06
33 | macOS:
34 | - '15.0'
35 | tags:
36 | - 800-171
37 | - cnssi-1253_low
38 | - cnssi-1253_high
39 | - cmmc_lvl2
40 | - stig
41 | - cnssi-1253_moderate
42 | severity: low
43 | mobileconfig: true
44 | mobileconfig_info:
45 | com.apple.SetupAssistant.managed:
46 | SkipScreenTime: true
47 |
--------------------------------------------------------------------------------
/rules/os/os_skip_unlock_with_watch_enable.yaml:
--------------------------------------------------------------------------------
1 | id: os_skip_unlock_with_watch_enable
2 | title: Disable Unlock with Apple Watch During Setup Assistant
3 | discussion: |
4 | The prompt for Apple Watch unlock setup during Setup Assistant _MUST_ be disabled.
5 |
6 | Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures.
7 | check: |
8 | /usr/bin/osascript -l JavaScript << EOS
9 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
10 | .objectForKey('SkipUnlockWithWatch').js
11 | EOS
12 | result:
13 | string: 'true'
14 | fix: |
15 | This is implemented by a Configuration Profile.
16 | references:
17 | cce:
18 | - CCE-94297-9
19 | cci:
20 | - CCI-000381
21 | 800-53r5:
22 | - AC-20
23 | 800-53r4:
24 | - AC-20
25 | srg:
26 | - SRG-OS-000095-GPOS-00049
27 | disa_stig:
28 | - APPL-15-005056
29 | 800-171r3:
30 | - 03.01.20
31 | - 03.04.06
32 | cis:
33 | benchmark:
34 | - N/A
35 | controls v8:
36 | - 4.1
37 | cmmc:
38 | - AC.L1-3.1.20
39 | macOS:
40 | - '15.0'
41 | tags:
42 | - 800-53r5_low
43 | - 800-53r5_moderate
44 | - 800-53r5_high
45 | - 800-53r4_low
46 | - 800-53r4_moderate
47 | - 800-53r4_high
48 | - 800-171
49 | - cisv8
50 | - cnssi-1253_low
51 | - cnssi-1253_high
52 | - cmmc_lvl2
53 | - cmmc_lvl1
54 | - stig
55 | - cnssi-1253_moderate
56 | severity: medium
57 | mobileconfig: true
58 | mobileconfig_info:
59 | com.apple.SetupAssistant.managed:
60 | SkipUnlockWithWatch: true
61 |
--------------------------------------------------------------------------------
/rules/os/os_software_update_deferral.yaml:
--------------------------------------------------------------------------------
1 | id: os_software_update_deferral
2 | title: Ensure Software Update Deferment Is Less Than or Equal to $ODV Days
3 | discussion: |
4 | Software updates _MUST_ be deferred for $ODV days or less.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | function run() {
8 | let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
9 | .objectForKey('enforcedSoftwareUpdateDelay')) || 0
10 | if ( timeout <= $ODV ) {
11 | return("true")
12 | } else {
13 | return("false")
14 | }
15 | }
16 | EOS
17 | result:
18 | string: 'true'
19 | fix: |
20 | This is implemented by a Configuration Profile.
21 | references:
22 | cce:
23 | - CCE-94298-7
24 | cci:
25 | - N/A
26 | 800-53r5:
27 | - N/A
28 | 800-53r4:
29 | - N/A
30 | srg:
31 | - N/A
32 | disa_stig:
33 | - N/A
34 | 800-171r3:
35 | - N/A
36 | cis:
37 | benchmark:
38 | - 1.7 (level 1)
39 | controls v8:
40 | - 7.3
41 | - 7.4
42 | macOS:
43 | - '15.0'
44 | odv:
45 | hint: Number of days.
46 | recommended: 30
47 | cis_lvl1: 30
48 | cis_lvl2: 30
49 | tags:
50 | - cis_lvl1
51 | - cis_lvl2
52 | mobileconfig: true
53 | mobileconfig_info:
54 | com.apple.applicationaccess:
55 | enforcedSoftwareUpdateDelay: $ODV
56 |
--------------------------------------------------------------------------------
/rules/os/os_store_encrypted_passwords.yaml:
--------------------------------------------------------------------------------
1 | id: os_store_encrypted_passwords
2 | title: Encrypt Stored Passwords
3 | discussion: |
4 | The information system _IS_ configured to encrypt stored passwords.
5 |
6 | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
7 |
8 | link:https://developer.apple.com/documentation/opendirectory/kodattributetypeauthenticationauthority[]
9 | check: |
10 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
11 | fix: |
12 | The technology inherently meets this requirement. No fix is required.
13 | references:
14 | cce:
15 | - CCE-94309-2
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - IA-5(1)
20 | - IA-5(1)(c)
21 | 800-53r4:
22 | - IA-5(1)
23 | - IA-5(1)(c)
24 | disa_stig:
25 | - N/A
26 | srg:
27 | - SRG-OS-000073-GPOS-00041
28 | 800-171r3:
29 | - 03.05.07
30 | cis:
31 | benchmark:
32 | - N/A
33 | controls v8:
34 | - 3.11
35 | cmmc:
36 | - IA.L2-3.5.7
37 | - IA.L2-3.5.8
38 | - IA.L2-3.5.9
39 | macOS:
40 | - '15.0'
41 | tags:
42 | - 800-53r5_low
43 | - 800-53r5_moderate
44 | - 800-53r5_high
45 | - 800-53r4_low
46 | - 800-53r4_moderate
47 | - 800-53r4_high
48 | - 800-171
49 | - inherent
50 | - cisv8
51 | - cnssi-1253_low
52 | - cnssi-1253_high
53 | - cmmc_lvl2
54 | - srg
55 | - cnssi-1253_moderate
56 | mobileconfig: false
57 | mobileconfig_info:
58 |
--------------------------------------------------------------------------------
/rules/os/os_sudo_log_enforce.yaml:
--------------------------------------------------------------------------------
1 | id: os_sudo_log_enforce
2 | title: Configure Sudo To Log Events
3 | discussion: |
4 | Sudo _MUST_ be configured to log privilege escalation.
5 | check: |
6 | /usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Log when a command is allowed by sudoers"
7 | result:
8 | integer: 1
9 | fix: |
10 | [source,bash]
11 | ----
12 | /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/Defaults \!log_allowed/d' '{}' \;
13 | /bin/echo "Defaults log_allowed" >> /etc/sudoers.d/mscp
14 | ----
15 | references:
16 | cce:
17 | - CCE-94310-0
18 | cci:
19 | - CCI-000172
20 | 800-53r5:
21 | - AC-6(9)
22 | 800-53r4:
23 | - N/A
24 | 800-171r3:
25 | - 03.01.07
26 | srg:
27 | - SRG-OS-000064-GPOS-00033
28 | disa_stig:
29 | - APPL-15-000190
30 | cis:
31 | benchmark:
32 | - 5.11 (level 1)
33 | controls v8:
34 | - N/A
35 | cmmc:
36 | - AU.L2-3.3.3
37 | - AU.L2-3.3.6
38 | - SI.L2-3.14.3
39 | macOS:
40 | - '15.0'
41 | tags:
42 | - 800-53r5_moderate
43 | - 800-53r5_high
44 | - stig
45 | - cis_lvl1
46 | - cis_lvl2
47 | - cisv8
48 | - cmmc_lvl2
49 | - 800-171
50 | - cnssi-1253_moderate
51 | - cnssi-1253_low
52 | - cnssi-1253_high
53 | severity: medium
54 | mobileconfig: false
55 | mobileconfig_info:
56 | ddm_info:
57 | declarationtype: com.apple.configuration.services.configuration-files
58 | service: com.apple.sudo
59 | config_file: sudoers
60 | configuration_key: Defaults
61 | configuration_value: log_allowed
--------------------------------------------------------------------------------
/rules/os/os_sudo_timeout_configure.yaml:
--------------------------------------------------------------------------------
1 | id: os_sudo_timeout_configure
2 | title: Configure Sudo Timeout Period to $ODV
3 | discussion: |
4 | The file /etc/sudoers _MUST_ include a timestamp_timeout of $ODV.
5 | check: |
6 | /usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Authentication timestamp timeout: $ODV.0 minutes"
7 | result:
8 | integer: 1
9 | fix: |
10 | [source,bash]
11 | ----
12 | /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_timeout/d' '{}' \;
13 | /bin/echo "Defaults timestamp_timeout=$ODV" >> /etc/sudoers.d/mscp
14 | ----
15 | references:
16 | cce:
17 | - CCE-94311-8
18 | cci:
19 | - CCI-002038
20 | 800-53r5:
21 | - N/A
22 | 800-53r4:
23 | - N/A
24 | srg:
25 | - SRG-OS-000373-GPOS-00156
26 | disa_stig:
27 | - APPL-15-004022
28 | cis:
29 | benchmark:
30 | - 5.4 (level 1)
31 | controls v8:
32 | - 4.3
33 | macOS:
34 | - '15.0'
35 | odv:
36 | hint: Number of minutes.
37 | recommended: 0
38 | cis_lvl1: 0
39 | cis_lvl2: 0
40 | stig: 0
41 | tags:
42 | - 800-53r5_low
43 | - 800-53r5_moderate
44 | - 800-53r5_high
45 | - cis_lvl1
46 | - cis_lvl2
47 | - cisv8
48 | - stig
49 | severity: medium
50 | mobileconfig: false
51 | mobileconfig_info:
52 | ddm_info:
53 | declarationtype: com.apple.configuration.services.configuration-files
54 | service: com.apple.sudo
55 | config_file: sudoers
56 | configuration_key: Defaults timestamp_timeout=
57 | configuration_value: $ODV
--------------------------------------------------------------------------------
/rules/os/os_system_read_only.yaml:
--------------------------------------------------------------------------------
1 | id: os_system_read_only
2 | title: Ensure System Volume is Read Only
3 | discussion: |
4 | The System volume _MUST_ be mounted as read-only in order to ensure that configurations critical to the integrity of the macOS have not been compromised. System Integrity Protection (SIP) will prevent the system volume from being mounted as writable.
5 |
6 | NOTE: The system volume is read only by default in macOS.
7 | check: |
8 | /usr/sbin/system_profiler SPStorageDataType | /usr/bin/awk '/Mount Point: \/$/{x=NR+2}(NR==x){print $2}'
9 | result:
10 | string: 'No'
11 | fix: |
12 | NOTE: To remount the System volume as Read Only, rebooting the computer will mount it as Read Only.
13 | references:
14 | cce:
15 | - CCE-94313-4
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - SC-34
20 | - MA-4(1)
21 | - SI-7
22 | 800-53r4:
23 | - SC-34
24 | - SI-7
25 | srg:
26 | - N/A
27 | disa_stig:
28 | - N/A
29 | macOS:
30 | - '15.0'
31 | tags:
32 | - 800-53r5_moderate
33 | - 800-53r5_high
34 | - 800-53r4_moderate
35 | - 800-53r4_high
36 | - cnssi-1253_low
37 | - cnssi-1253_high
38 | - cnssi-1253_moderate
39 | mobileconfig: false
40 | mobileconfig_info:
41 |
--------------------------------------------------------------------------------
/rules/os/os_system_wide_applications_configure.yaml:
--------------------------------------------------------------------------------
1 | id: os_system_wide_applications_configure
2 | title: Ensure Appropriate Permissions Are Enabled for System Wide Applications
3 | discussion: |
4 | Applications in the System Applications Directory (/Applications) _MUST_ not be world-writable.
5 | check: |
6 | /usr/bin/find /Applications -iname "*\.app" -type d -perm -2 -ls | /usr/bin/wc -l | /usr/bin/xargs
7 | result:
8 | integer: 0
9 | fix: |
10 | [source,bash]
11 | ----
12 | IFS=$'\n'
13 | for apps in $( /usr/bin/find /Applications -iname "*\.app" -type d -perm -2 ); do
14 | /bin/chmod -R o-w "$apps"
15 | done
16 | ----
17 | references:
18 | cce:
19 | - CCE-94314-2
20 | cci:
21 | - N/A
22 | 800-53r5:
23 | - N/A
24 | 800-53r4:
25 | - N/A
26 | srg:
27 | - N/A
28 | disa_stig:
29 | - N/A
30 | 800-171r3:
31 | - N/A
32 | cis:
33 | benchmark:
34 | - 5.1.5 (level 1)
35 | controls v8:
36 | - 3.3
37 | macOS:
38 | - '15.0'
39 | tags:
40 | - cis_lvl1
41 | - cis_lvl2
42 | - cisv8
43 | mobileconfig: false
44 | mobileconfig_info:
45 |
--------------------------------------------------------------------------------
/rules/os/os_terminal_secure_keyboard_enable.yaml:
--------------------------------------------------------------------------------
1 | id: os_terminal_secure_keyboard_enable
2 | title: Ensure Secure Keyboard Entry Terminal.app is Enabled
3 | discussion: |
4 | Secure keyboard entry _MUST_ be enabled in Terminal.app.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.Terminal')\
8 | .objectForKey('SecureKeyboardEntry').js
9 | EOS
10 | result:
11 | string: 'true'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94315-9
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - N/A
21 | 800-53r4:
22 | - N/A
23 | disa_stig:
24 | - N/A
25 | srg:
26 | - N/A
27 | 800-171r3:
28 | - N/A
29 | cis:
30 | benchmark:
31 | - 6.4.1 (level 1)
32 | controls v8:
33 | - 4.8
34 | macOS:
35 | - '15.0'
36 | tags:
37 | - cis_lvl1
38 | - cis_lvl2
39 | - cisv8
40 | mobileconfig: true
41 | mobileconfig_info:
42 | com.apple.Terminal:
43 | SecureKeyboardEntry: true
44 |
--------------------------------------------------------------------------------
/rules/os/os_terminate_session.yaml:
--------------------------------------------------------------------------------
1 | id: os_terminate_session
2 | title: Terminate all sessions and network connections when maintenance is completed
3 | discussion: |
4 | Terminates session and network connections when non-local maintenance is completed.
5 | check: |
6 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
7 | fix: |
8 | The technology inherently meets this requirement. No fix is required.
9 | references:
10 | cce:
11 | - CCE-94316-7
12 | cci:
13 | - N/A
14 | 800-53r5:
15 | - N/A
16 | 800-53r4:
17 | - N/A
18 | disa_stig:
19 | - N/A
20 | srg:
21 | - N/A
22 | macOS:
23 | - '15.0'
24 | tags:
25 | - inherent
26 | mobileconfig: false
27 | mobileconfig_info:
28 |
--------------------------------------------------------------------------------
/rules/os/os_time_offset_limit_configure.yaml:
--------------------------------------------------------------------------------
1 | id: os_time_offset_limit_configure
2 | title: Ensure Time Offset Within Limits
3 | discussion: |
4 | The macOS system time _MUST_ be monitored to not drift more than four minutes and thirty seconds.
5 | check: |
6 | /usr/bin/sntp $(/usr/sbin/systemsetup -getnetworktimeserver | /usr/bin/awk '{print $4}') | /usr/bin/awk -F'.' '/\+\/\-/{if (substr($1,2) >= 270) {print "No"} else {print "Yes"}}'
7 | result:
8 | string: 'Yes'
9 | fix: |
10 | [source,bash]
11 | ----
12 | /usr/bin/sntp -Ss $(/usr/sbin/systemsetup -getnetworktimeserver | /usr/bin/awk '{print $4}')
13 | ----
14 | references:
15 | cce:
16 | - CCE-94318-3
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - N/A
21 | 800-53r4:
22 | - N/A
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - N/A
29 | cis:
30 | benchmark:
31 | - N/A
32 | controls v8:
33 | - N/A
34 | macOS:
35 | - '15.0'
36 | tags:
37 | - none
38 | mobileconfig: false
39 | mobileconfig_info:
40 |
--------------------------------------------------------------------------------
/rules/os/os_touchid_prompt_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_touchid_prompt_disable
2 | title: Disable TouchID Prompt during Setup Assistant
3 | discussion: |
4 | The prompt for TouchID during Setup Assistant _MUST_ be disabled.
5 |
6 | macOS prompts new users through enabling TouchID during Setup Assistant; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing to enable TouchID to override organization-wide settings.
7 | check: |
8 | /usr/bin/osascript -l JavaScript << EOS
9 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
10 | .objectForKey('SkipTouchIDSetup').js
11 | EOS
12 | result:
13 | string: 'true'
14 | fix: |
15 | This is implemented by a Configuration Profile.
16 | references:
17 | cce:
18 | - CCE-94320-9
19 | cci:
20 | - CCI-000381
21 | 800-53r5:
22 | - CM-6
23 | 800-53r4:
24 | - CM-6
25 | srg:
26 | - SRG-OS-000095-GPOS-00049
27 | disa_stig:
28 | - APPL-15-005054
29 | 800-171r3:
30 | - 03.04.02
31 | cis:
32 | benchmark:
33 | - N/A
34 | controls v8:
35 | - 4.1
36 | cmmc:
37 | - CM.L2-3.4.2
38 | macOS:
39 | - '15.0'
40 | tags:
41 | - 800-53r5_low
42 | - 800-53r5_moderate
43 | - 800-53r5_high
44 | - 800-53r4_low
45 | - 800-53r4_moderate
46 | - 800-53r4_high
47 | - 800-171
48 | - cisv8
49 | - cnssi-1253_low
50 | - cnssi-1253_high
51 | - cmmc_lvl2
52 | - stig
53 | - cnssi-1253_moderate
54 | severity: medium
55 | mobileconfig: true
56 | mobileconfig_info:
57 | com.apple.SetupAssistant.managed:
58 | SkipTouchIDSetup: true
59 |
--------------------------------------------------------------------------------
/rules/os/os_unique_identification.yaml:
--------------------------------------------------------------------------------
1 | id: os_unique_identification
2 | title: Uniquely Identify Users and Processes
3 | discussion: |
4 | The macOS is a UNIX 03-compliant operating system. The system uniquely identifies and authenticates organizational users or processes.
5 | check: |
6 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
7 | fix: |
8 | The technology inherently meets this requirement. No fix is required.
9 | references:
10 | cce:
11 | - CCE-94321-7
12 | cci:
13 | - N/A
14 | 800-53r5:
15 | - IA-4
16 | 800-53r4:
17 | - N/A
18 | disa_stig:
19 | - N/A
20 | srg:
21 | - N/A
22 | cis:
23 | benchmark:
24 | - N/A
25 | controls v8:
26 | - 5.1
27 | - 6.1
28 | cmmc:
29 | - IA.L2-3.5.5
30 | 800-171r3:
31 | - 03.05.05
32 | macOS:
33 | - '15.0'
34 | tags:
35 | - 800-171
36 | - 800-53r5_low
37 | - 800-53r5_moderate
38 | - 800-53r5_high
39 | - inherent
40 | - cisv8
41 | - cnssi-1253_low
42 | - cnssi-1253_high
43 | - cmmc_lvl2
44 | - cnssi-1253_moderate
45 | mobileconfig: false
46 | mobileconfig_info:
47 |
--------------------------------------------------------------------------------
/rules/os/os_verify_remote_disconnection.yaml:
--------------------------------------------------------------------------------
1 | id: os_verify_remote_disconnection
2 | title: Verify remote disconnection of sessions
3 | discussion: |
4 | The information system implements remote disconnect verification at the termination of non-local maintenance and diagnostic sessions.
5 | check: |
6 | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
7 | fix: |
8 | The technology inherently meets this requirement. No fix is required.
9 | references:
10 | cce:
11 | - CCE-94325-8
12 | cci:
13 | - N/A
14 | 800-53r5:
15 | - MA-4(7)
16 | 800-53r4:
17 | - MA-4(7)
18 | disa_stig:
19 | - N/A
20 | srg:
21 | - SRG-OS-000395-GPOS-00175
22 | macOS:
23 | - '15.0'
24 | tags:
25 | - inherent
26 | - cnssi-1253_low
27 | - cnssi-1253_high
28 | - srg
29 | - cnssi-1253_moderate
30 | mobileconfig: false
31 | mobileconfig_info:
32 |
--------------------------------------------------------------------------------
/rules/os/os_world_writable_library_folder_configure.yaml:
--------------------------------------------------------------------------------
1 | id: os_world_writable_library_folder_configure
2 | title: Ensure No World Writable Files Exist in the Library Folder
3 | discussion: |
4 | Folders in /System/Volumes/Data/Library _MUST_ not be world-writable.
5 |
6 | NOTE: Some vendors are known to create world-writable folders to the System Library folder. You may need to add more exclusions to this check and fix to match your environment.
7 | check: |
8 | /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 -ls 2>&1 | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data | /usr/bin/wc -l | /usr/bin/xargs
9 | result:
10 | integer: 0
11 | fix: |
12 | [source,bash]
13 | ----
14 | IFS=$'\n'
15 | for libPermissions in $( /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 2>&1 | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data ); do
16 | /bin/chmod -R o-w "$libPermissions"
17 | done
18 | ----
19 | references:
20 | cce:
21 | - CCE-94326-6
22 | cci:
23 | - N/A
24 | 800-53r5:
25 | - N/A
26 | 800-53r4:
27 | - N/A
28 | srg:
29 | - N/A
30 | disa_stig:
31 | - N/A
32 | 800-171r3:
33 | - N/A
34 | cis:
35 | benchmark:
36 | - 5.1.7 (level 2)
37 | controls v8:
38 | - 3.3
39 | macOS:
40 | - '15.0'
41 | tags:
42 | - cis_lvl2
43 | - cisv8
44 | mobileconfig: false
45 | mobileconfig_info:
46 |
--------------------------------------------------------------------------------
/rules/os/os_world_writable_system_folder_configure.yaml:
--------------------------------------------------------------------------------
1 | id: os_world_writable_system_folder_configure
2 | title: Ensure No World Writable Files Exist in the System Folder
3 | discussion: |
4 | Folders in /System/Volumes/Data/System _MUST_ not be world-writable.
5 | check: |
6 | /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -vE "downloadDir|locks" | /usr/bin/wc -l | /usr/bin/xargs
7 | result:
8 | integer: 0
9 | fix: |
10 | [source,bash]
11 | ----
12 | IFS=$'\n'
13 | for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -vE "downloadDir|locks" ); do
14 | /bin/chmod -R o-w "$sysPermissions"
15 | done
16 | ----
17 | references:
18 | cce:
19 | - CCE-94327-4
20 | cci:
21 | - N/A
22 | 800-53r5:
23 | - N/A
24 | 800-53r4:
25 | - N/A
26 | srg:
27 | - N/A
28 | disa_stig:
29 | - N/A
30 | 800-171r3:
31 | - N/A
32 | cis:
33 | benchmark:
34 | - 5.1.6 (level 1)
35 | controls v8:
36 | - 3.3
37 | macOS:
38 | - '15.0'
39 | tags:
40 | - cis_lvl1
41 | - cis_lvl2
42 | - cisv8
43 | mobileconfig: false
44 | mobileconfig_info:
45 |
--------------------------------------------------------------------------------
/rules/os/os_writing_tools_disable.yaml:
--------------------------------------------------------------------------------
1 | id: os_writing_tools_disable
2 | title: Disable Apple Intelligence Writing Tools
3 | discussion: |-
4 | Apple Intelligence features such as writing tools that use off device AI _MUST_ be disabled.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
8 | .objectForKey('allowWritingTools').js
9 | EOS
10 | result:
11 | string: 'false'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94328-2
17 | cci:
18 | - CCI-000381
19 | - CCI-001774
20 | srg:
21 | - SRG-OS-000095-GPOS-00049
22 | disa_stig:
23 | - APPL-15-005160
24 | 800-53r5:
25 | - AC-20
26 | - AC-20(1)
27 | - CM-7
28 | - CM-7(1)
29 | - SC-7(10)
30 | 800-171r3:
31 | - 03.01.20
32 | - 03.04.06
33 | cmmc:
34 | - AC.L1-3.1.20
35 | - CM.L2-3.4.6
36 | - CM.L2-3.4.7
37 | macOS:
38 | - '15.0'
39 | tags:
40 | - 800-53r5_low
41 | - 800-53r5_moderate
42 | - 800-53r5_high
43 | - 800-171
44 | - cnssi-1253_low
45 | - cnssi-1253_high
46 | - stig
47 | - cmmc_lvl2
48 | - cmmc_lvl1
49 | - cnssi-1253_moderate
50 | mobileconfig: true
51 | mobileconfig_info:
52 | com.apple.applicationaccess:
53 | allowWritingTools: false
54 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_bluetooth_menu_enable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_bluetooth_menu_enable
2 | title: Enable Bluetooth Menu
3 | discussion: |
4 | The bluetooth menu _MUST_ be enabled.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\
8 | .objectForKey('Bluetooth').js
9 | EOS
10 | result:
11 | integer: 18
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94353-0
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - N/A
21 | 800-53r4:
22 | - N/A
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - N/A
29 | cis:
30 | benchmark:
31 | - 2.4.2 (level 1)
32 | controls v8:
33 | - 4.8
34 | - 13.9
35 | macOS:
36 | - '15.0'
37 | tags:
38 | - cis_lvl1
39 | - cis_lvl2
40 | - cisv8
41 | mobileconfig: true
42 | mobileconfig_info:
43 | com.apple.controlcenter:
44 | Bluetooth: 18
45 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_bluetooth_settings_disable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_bluetooth_settings_disable
2 | title: Disable the Bluetooth System Settings Pane
3 | discussion: |
4 | The Bluetooth System Setting pane _MUST_ be disabled to prevent access to the bluetooth configuration.
5 | check: |
6 | /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.BluetoothSettings
7 | result:
8 | integer: 1
9 | fix: |
10 | This is implemented by a Configuration Profile.
11 | references:
12 | cce:
13 | - CCE-94354-8
14 | cci:
15 | - CCI-000381
16 | 800-53r5:
17 | - CM-7
18 | - CM-7(1)
19 | 800-53r4:
20 | - SC-8
21 | srg:
22 | - SRG-OS-000095-GPOS-00049
23 | disa_stig:
24 | - APPL-15-002260
25 | 800-171r3:
26 | - 03.04.06
27 | cis:
28 | benchmark:
29 | - N/A
30 | controls v8:
31 | - 4.1
32 | - 4.8
33 | cmmc:
34 | - CM.L2-3.4.6
35 | - CM.L2-3.4.7
36 | macOS:
37 | - '15.0'
38 | tags:
39 | - 800-53r5_low
40 | - 800-53r5_moderate
41 | - 800-53r5_high
42 | - cisv8
43 | - cmmc_lvl2
44 | - stig
45 | - cnssi-1253_moderate
46 | - cnssi-1253_low
47 | - cnssi-1253_high
48 | severity: medium
49 | mobileconfig: true
50 | mobileconfig_info:
51 | com.apple.systempreferences:
52 | DisabledSystemSettings:
53 | - com.apple.BluetoothSettings
54 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_content_caching_disable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_content_caching_disable
2 | title: Disable Content Caching Service
3 | discussion: |
4 | Content caching _MUST_ be disabled.
5 |
6 | Content caching is a macOS service that helps reduce Internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server.
7 | check: |
8 | /usr/bin/osascript -l JavaScript << EOS
9 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
10 | .objectForKey('allowContentCaching').js
11 | EOS
12 | result:
13 | string: 'false'
14 | fix: |
15 | This is implemented by a Configuration Profile.
16 | references:
17 | cce:
18 | - CCE-94357-1
19 | cci:
20 | - CCI-000381
21 | 800-53r5:
22 | - CM-7
23 | - CM-7(1)
24 | 800-53r4:
25 | - CM-7
26 | - CM-7(1)
27 | srg:
28 | - SRG-OS-000095-GPOS-00049
29 | disa_stig:
30 | - APPL-15-002140
31 | 800-171r3:
32 | - 03.04.06
33 | cis:
34 | benchmark:
35 | - 2.3.3.9 (level 2)
36 | controls v8:
37 | - 4.8
38 | cmmc:
39 | - CM.L2-3.4.6
40 | - CM.L2-3.4.7
41 | macOS:
42 | - '15.0'
43 | tags:
44 | - 800-53r5_low
45 | - 800-53r5_moderate
46 | - 800-53r5_high
47 | - 800-53r4_low
48 | - 800-53r4_moderate
49 | - 800-53r4_high
50 | - 800-171
51 | - cis_lvl2
52 | - cisv8
53 | - cnssi-1253_low
54 | - cnssi-1253_high
55 | - cmmc_lvl2
56 | - stig
57 | - cnssi-1253_moderate
58 | severity: medium
59 | mobileconfig: true
60 | mobileconfig_info:
61 | com.apple.applicationaccess:
62 | allowContentCaching: false
63 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_critical_update_install_enforce.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_critical_update_install_enforce
2 | title: Enforce Critical Security Updates to be Installed
3 | discussion: |
4 | Ensure that security updates are installed as soon as they are available from Apple.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
8 | .objectForKey('CriticalUpdateInstall').js
9 | EOS
10 | result:
11 | string: 'true'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94358-9
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - SI-2
21 | 800-53r4:
22 | - N/A
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - 03.14.01
29 | cis:
30 | benchmark:
31 | - 1.6 (level 1)
32 | controls v8:
33 | - 7.3
34 | - 7.4
35 | - 7.7
36 | cmmc:
37 | - SI.L1-3.14.1
38 | - SI.L1-3.14.4
39 | macOS:
40 | - '15.0'
41 | tags:
42 | - 800-53r5_low
43 | - 800-53r5_moderate
44 | - 800-53r5_high
45 | - cis_lvl1
46 | - cis_lvl2
47 | - cisv8
48 | - cnssi-1253_low
49 | - cnssi-1253_high
50 | - cmmc_lvl2
51 | - cmmc_lvl1
52 | - cnssi-1253_moderate
53 | mobileconfig: true
54 | mobileconfig_info:
55 | com.apple.SoftwareUpdate:
56 | CriticalUpdateInstall: true
57 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_gatekeeper_override_disallow
2 | title: Configure Gatekeeper to Disallow End User Override
3 | discussion: |
4 | Gatekeeper _MUST_ be configured with a configuration profile to prevent normal users from overriding its settings.
5 |
6 | If users are allowed to disable Gatekeeper or set it to a less restrictive setting, malware could be introduced into the system.
7 | check: |
8 | /usr/bin/osascript -l JavaScript << EOS
9 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.managed')\
10 | .objectForKey('DisableOverride').js
11 | EOS
12 | result:
13 | string: 'true'
14 | fix: |
15 | This is implemented by a Configuration Profile.
16 | references:
17 | cce:
18 | - CCE-94365-4
19 | cci:
20 | - N/A
21 | 800-53r5:
22 | - CM-5
23 | - SI-7(15)
24 | 800-53r4:
25 | - CM-5
26 | - SI-7(15)
27 | srg:
28 | - N/A
29 | disa_stig:
30 | - N/A
31 | 800-171r3:
32 | - 03.14.02
33 | cmmc:
34 | - CM.L2-3.4.5
35 | macOS:
36 | - '15.0'
37 | tags:
38 | - 800-53r5_low
39 | - 800-53r5_moderate
40 | - 800-53r5_high
41 | - 800-53r4_moderate
42 | - 800-53r4_high
43 | - 800-171
44 | - cnssi-1253_low
45 | - cnssi-1253_high
46 | - cmmc_lvl2
47 | - cnssi-1253_moderate
48 | severity: medium
49 | mobileconfig: true
50 | mobileconfig_info:
51 | com.apple.systempolicy.managed:
52 | DisableOverride: true
53 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_guest_access_smb_disable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_guest_access_smb_disable
2 | title: Disable Guest Access to Shared SMB Folders
3 | discussion: |
4 | Guest access to shared Server Message Block (SMB) folders _MUST_ be disabled.
5 |
6 | Turning off guest access prevents anonymous users from accessing files shared via SMB.
7 | check: |
8 | /usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess
9 | result:
10 | boolean: 0
11 | fix: |
12 | [source,bash]
13 | ----
14 | /usr/sbin/sysadminctl -smbGuestAccess off
15 | ----
16 | references:
17 | cce:
18 | - CCE-94366-2
19 | cci:
20 | - N/A
21 | 800-171r3:
22 | - 03.01.01
23 | r5:
24 | - AC-2(9)
25 | - AC-2
26 | 800-53r4:
27 | - AC-2
28 | - AC-2(9)
29 | disa_stig:
30 | - N/A
31 | srg:
32 | - N/A
33 | cis:
34 | benchmark:
35 | - 2.12.2 (level 1)
36 | controls v8:
37 | - 3.3
38 | cmmc:
39 | - AC.L1-3.1.2
40 | macOS:
41 | - '15.0'
42 | tags:
43 | - 800-53r5_low
44 | - 800-53r5_moderate
45 | - 800-53r5_high
46 | - 800-53r4_low
47 | - 800-53r4_moderate
48 | - 800-53r4_high
49 | - 800-171
50 | - cis_lvl1
51 | - cis_lvl2
52 | - cisv8
53 | - cnssi-1253_low
54 | - cnssi-1253_high
55 | - cmmc_lvl2
56 | - cmmc_lvl1
57 | mobileconfig: false
58 | mobileconfig_info:
59 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_install_macos_updates_enforce.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_install_macos_updates_enforce
2 | title: Enforce macOS Updates are Automatically Installed
3 | discussion: |
4 | Software Update _MUST_ be configured to enforce automatic installation of macOS updates is enabled.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
8 | .objectForKey('AutomaticallyInstallMacOSUpdates').js
9 | EOS
10 | result:
11 | string: 'true'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94373-8
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - N/A
21 | 800-53r4:
22 | - N/A
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - N/A
29 | cis:
30 | benchmark:
31 | - 1.4 (level 1)
32 | controls v8:
33 | - 7.3
34 | - 7.4
35 | macOS:
36 | - '15.0'
37 | tags:
38 | - cis_lvl1
39 | - cis_lvl2
40 | - cisv8
41 | mobileconfig: true
42 | mobileconfig_info:
43 | com.apple.SoftwareUpdate:
44 | AutomaticallyInstallMacOSUpdates: true
45 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_location_services_enable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_location_services_enable
2 | title: Enable Location Services
3 | discussion: |
4 | Location Services _MUST_ be enabled.
5 | check: |
6 | /usr/bin/sudo -u _locationd /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.locationd')\
8 | .objectForKey('LocationServicesEnabled').js
9 | EOS
10 | result:
11 | string: 'true'
12 | fix: |
13 | [source,bash]
14 | ----
15 | /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true;
16 | pid=$(/bin/launchctl list | /usr/bin/awk '/com.apple.locationd/ { print $1 }')
17 | kill -9 $pid
18 | ----
19 | references:
20 | cce:
21 | - CCE-94377-9
22 | cci:
23 | - N/A
24 | 800-53r5:
25 | - N/A
26 | 800-53r4:
27 | - N/A
28 | srg:
29 | - N/A
30 | disa_stig:
31 | - N/A
32 | 800-171r3:
33 | - N/A
34 | cis:
35 | benchmark:
36 | - 2.6.1.1 (level 2)
37 | controls v8:
38 | - 4.1
39 | - 4.8
40 | macOS:
41 | - '15.0'
42 | tags:
43 | - cis_lvl2
44 | - cisv8
45 | mobileconfig: false
46 | mobileconfig_info:
47 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_location_services_menu_enforce.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_location_services_menu_enforce
2 | title: Ensure Location Services Is In the Menu Bar
3 | discussion: |
4 | Location Services menu item _MUST_ be enabled.
5 | check: |
6 | /usr/bin/defaults read /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices
7 | result:
8 | boolean: 1
9 | fix: |
10 | [source,bash]
11 | ----
12 | /usr/bin/defaults write /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices -bool true
13 | ----
14 | references:
15 | cce:
16 | - CCE-94378-7
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - N/A
21 | 800-53r4:
22 | - N/A
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - N/A
29 | cis:
30 | benchmark:
31 | - 2.6.1.2 (level 2)
32 | controls v8:
33 | - 4.1
34 | - 4.8
35 | macOS:
36 | - '15.0'
37 | tags:
38 | - cis_lvl2
39 | mobileconfig: false
40 | mobileconfig_info:
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_loginwindow_loginwindowtext_enable
2 | title: Configure Login Window to Show A Custom Message
3 | discussion: |
4 | The login window _MUST_ be configured to show a custom access warning message.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS | /usr/bin/base64
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
8 | .objectForKey('LoginwindowText').js
9 | EOS
10 | result:
11 | base64: $ODV
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94379-5
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - N/A
21 | 800-53r4:
22 | - N/A
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - N/A
29 | cis:
30 | benchmark:
31 | - 2.10.3 (level 1)
32 | controls v8:
33 | - 4.1
34 | macOS:
35 | - '15.0'
36 | odv:
37 | hint: Organization's approved message.
38 | recommended: Center for Internet Security Test Message
39 | cis_lvl1: Center for Internet Security Test Message
40 | cis_lvl2: Center for Internet Security Test Message
41 | tags:
42 | - cis_lvl1
43 | - cis_lvl2
44 | - cisv8
45 | mobileconfig: true
46 | mobileconfig_info:
47 | com.apple.loginwindow:
48 | LoginwindowText: $ODV
49 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_password_hints_disable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_password_hints_disable
2 | title: Disable Password Hints
3 | discussion: |
4 | Password hints _MUST_ be disabled.
5 |
6 | Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality.
7 | check: |
8 | /usr/bin/osascript -l JavaScript << EOS
9 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
10 | .objectForKey('RetriesUntilHint').js
11 | EOS
12 | result:
13 | integer: 0
14 | fix: |
15 | This is implemented by a Configuration Profile.
16 | references:
17 | cce:
18 | - CCE-94382-9
19 | cci:
20 | - CCI-000206
21 | 800-53r5:
22 | - IA-6
23 | 800-53r4:
24 | - IA-6
25 | srg:
26 | - SRG-OS-000079-GPOS-00047
27 | disa_stig:
28 | - APPL-15-003012
29 | 800-171r3:
30 | - 03.05.11
31 | cis:
32 | benchmark:
33 | - 2.10.5 (level 1)
34 | controls v8:
35 | - 4.1
36 | cmmc:
37 | - IA.L2-3.5.11
38 | macOS:
39 | - '15.0'
40 | tags:
41 | - 800-53r5_low
42 | - 800-53r5_moderate
43 | - 800-53r5_high
44 | - 800-53r4_low
45 | - 800-53r4_moderate
46 | - 800-53r4_high
47 | - 800-171
48 | - cis_lvl1
49 | - cis_lvl2
50 | - cisv8
51 | - cnssi-1253_low
52 | - cnssi-1253_high
53 | - cmmc_lvl2
54 | - stig
55 | - cnssi-1253_moderate
56 | severity: medium
57 | mobileconfig: true
58 | mobileconfig_info:
59 | com.apple.loginwindow:
60 | RetriesUntilHint: 0
61 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_printer_sharing_disable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_printer_sharing_disable
2 | title: Disable Printer Sharing
3 | discussion: |
4 | Printer Sharing _MUST_ be disabled.
5 | check: |
6 | /usr/sbin/cupsctl | /usr/bin/grep -c "_share_printers=0"
7 | result:
8 | boolean: 1
9 | fix: |
10 | [source,bash]
11 | ----
12 | /usr/sbin/cupsctl --no-share-printers
13 | /usr/bin/lpstat -p | awk '{print $2}'| /usr/bin/xargs -I{} lpadmin -p {} -o printer-is-shared=false
14 | ----
15 | references:
16 | cce:
17 | - CCE-94384-5
18 | cci:
19 | - CCI-000381
20 | 800-53r5:
21 | - CM-7
22 | - CM-7(1)
23 | 800-53r4:
24 | - CM-7
25 | - CM-7(1)
26 | srg:
27 | - SRG-OS-000095-GPOS-00049
28 | disa_stig:
29 | - APPL-15-002240
30 | 800-171r3:
31 | - 03.04.06
32 | cis:
33 | benchmark:
34 | - 2.3.3.4 (level 1)
35 | controls v8:
36 | - 4.1
37 | - 4.8
38 | cmmc:
39 | - CM.L2-3.4.6
40 | - CM.L2-3.4.7
41 | macOS:
42 | - '15.0'
43 | tags:
44 | - 800-53r5_low
45 | - 800-53r5_moderate
46 | - 800-53r5_high
47 | - 800-53r4_low
48 | - 800-53r4_moderate
49 | - 800-53r4_high
50 | - cis_lvl1
51 | - cis_lvl2
52 | - cisv8
53 | - cnssi-1253_low
54 | - cnssi-1253_high
55 | - cmmc_lvl2
56 | - stig
57 | - cnssi-1253_moderate
58 | severity: medium
59 | mobileconfig: false
60 | mobileconfig_info:
61 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_remote_management_disable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_remote_management_disable
2 | title: Disable Remote Management
3 | discussion: |
4 | Remote Management _MUST_ be disabled.
5 | check: |
6 | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "RemoteDesktopEnabled = 0"
7 | result:
8 | integer: 1
9 | fix: |
10 | [source,bash]
11 | ----
12 | /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
13 | ----
14 | references:
15 | cce:
16 | - CCE-94386-0
17 | cci:
18 | - CCI-000381
19 | 800-53r5:
20 | - CM-7
21 | - CM-7(1)
22 | 800-53r4:
23 | - CM-7
24 | - CM-7(1)
25 | srg:
26 | - SRG-OS-000095-GPOS-00049
27 | disa_stig:
28 | - APPL-15-002250
29 | 800-171r3:
30 | - 03.01.02
31 | - 03.04.06
32 | cis:
33 | benchmark:
34 | - 2.3.3.6 (level 1)
35 | controls v8:
36 | - 4.1
37 | - 4.8
38 | - 5.4
39 | cmmc:
40 | - CM.L2-3.4.6
41 | - CM.L2-3.4.7
42 | macOS:
43 | - '15.0'
44 | tags:
45 | - 800-53r5_low
46 | - 800-53r5_moderate
47 | - 800-53r5_high
48 | - 800-53r4_low
49 | - 800-53r4_moderate
50 | - 800-53r4_high
51 | - cis_lvl1
52 | - cis_lvl2
53 | - cisv8
54 | - cnssi-1253_low
55 | - cnssi-1253_high
56 | - cmmc_lvl2
57 | - stig
58 | - cnssi-1253_moderate
59 | severity: medium
60 | mobileconfig: false
61 | mobileconfig_info:
62 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_screensaver_password_enforce.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_screensaver_password_enforce
2 | title: Enforce Screen Saver Password
3 | discussion: |
4 | Users _MUST_ authenticate when unlocking the screen saver.
5 |
6 | The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.
7 | check: |
8 | /usr/bin/osascript -l JavaScript << EOS
9 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
10 | .objectForKey('askForPassword').js
11 | EOS
12 | result:
13 | string: 'true'
14 | fix: |
15 | This is implemented by a Configuration Profile.
16 | references:
17 | cce:
18 | - CCE-94389-4
19 | cci:
20 | - CCI-000056
21 | 800-53r5:
22 | - AC-11
23 | 800-53r4:
24 | - AC-11
25 | srg:
26 | - SRG-OS-000028-GPOS-00009
27 | disa_stig:
28 | - APPL-15-000002
29 | 800-171r3:
30 | - 03.01.10
31 | - 03.05.01
32 | cmmc:
33 | - AC.L2-3.1.10
34 | macOS:
35 | - '15.0'
36 | tags:
37 | - 800-53r5_moderate
38 | - 800-53r5_high
39 | - 800-53r4_moderate
40 | - 800-53r4_high
41 | - 800-171
42 | - cnssi-1253_low
43 | - cnssi-1253_high
44 | - cmmc_lvl2
45 | - stig
46 | - cnssi-1253_moderate
47 | severity: medium
48 | mobileconfig: true
49 | mobileconfig_info:
50 | com.apple.screensaver:
51 | askForPassword: true
52 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_siri_disable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_siri_disable
2 | title: Disable Siri
3 | discussion: |
4 | Support for Siri is non-essential and _MUST_ be disabled.
5 |
6 | The information system _MUST_ be configured to provide only essential capabilities.
7 | check: |
8 | /usr/bin/osascript -l JavaScript << EOS
9 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
10 | .objectForKey('allowAssistant').js
11 | EOS
12 | result:
13 | string: 'false'
14 | fix: |
15 | This is implemented by a Configuration Profile.
16 | references:
17 | cce:
18 | - CCE-94391-0
19 | cci:
20 | - CCI-000381
21 | - CCI-001774
22 | 800-53r5:
23 | - AC-20
24 | - CM-7
25 | - CM-7(1)
26 | - SC-7(10)
27 | 800-53r4:
28 | - CM-7
29 | - CM-7(1)
30 | - AC-20
31 | srg:
32 | - SRG-OS-000095-GPOS-00049
33 | disa_stig:
34 | - APPL-15-002020
35 | 800-171r3:
36 | - 03.01.20
37 | - 03.04.06
38 | - 03.04.08
39 | cis:
40 | benchmark:
41 | - N/A
42 | controls v8:
43 | - 4.1
44 | - 4.8
45 | cmmc:
46 | - AC.L1-3.1.20
47 | - CM.L2-3.4.6
48 | - CM.L2-3.4.7
49 | macOS:
50 | - '15.0'
51 | tags:
52 | - 800-53r5_low
53 | - 800-53r5_moderate
54 | - 800-53r5_high
55 | - 800-53r4_low
56 | - 800-53r4_moderate
57 | - 800-53r4_high
58 | - 800-171
59 | - cisv8
60 | - cnssi-1253_low
61 | - cnssi-1253_high
62 | - cmmc_lvl2
63 | - cmmc_lvl1
64 | - stig
65 | - cnssi-1253_moderate
66 | severity: medium
67 | mobileconfig: true
68 | mobileconfig_info:
69 | com.apple.applicationaccess:
70 | allowAssistant: false
71 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_siri_listen_disable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_siri_listen_disable
2 | title: "Ensure Siri Listen For is Disabled"
3 | discussion: |
4 | Siri has the ability to listen for "Hey Siri" or "Siri". Listen for _MUST_ be disabled.
5 | check: |
6 | /usr/bin/sudo /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.Siri')\
8 | .objectForKey('VoiceTriggerUserEnabled').js
9 | EOS
10 | result:
11 | string: 'false'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94392-8
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - N/A
21 | 800-53r4:
22 | - N/A
23 | disa_stig:
24 | - N/A
25 | srg:
26 | - N/A
27 | cis:
28 | benchmark:
29 | - 2.5.2 (level 1)
30 | controls v8:
31 | - 4.1
32 | - 4.8
33 | macOS:
34 | - "15.0"
35 | tags:
36 | - cis_lvl1
37 | - cis_lvl2
38 | - cisv8
39 | mobileconfig: true
40 | mobileconfig_info:
41 | com.apple.Siri:
42 | VoiceTriggerUserEnabled: false
43 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_siri_settings_disable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_siri_settings_disable
2 | title: Disable the System Settings Pane for Siri
3 | discussion: |
4 | The System Settings pane for Siri _MUST_ be hidden.
5 |
6 | Hiding the System Settings pane prevents the users from configuring Siri.
7 |
8 | NOTE: Disabling the Siri System Settings pane blocks the user from opting into Apple Intelligence.
9 | check: |
10 | /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.Siri-Settings.extension
11 | result:
12 | integer: 1
13 | fix: |
14 | This is implemented by a Configuration Profile.
15 | references:
16 | cce:
17 | - CCE-94393-6
18 | cci:
19 | - CCI-000381
20 | 800-53r5:
21 | - CM-7
22 | - CM-7(1)
23 | - CM-7(5)
24 | 800-53r4:
25 | - CM-7
26 | - CM-7(5)
27 | srg:
28 | - SRG-OS-000095-GPOS-00049
29 | disa_stig:
30 | - APPL-15-002053
31 | 800-171r3:
32 | - 03.04.06
33 | - 03.04.08
34 | cis:
35 | benchmark:
36 | - N/A
37 | controls v8:
38 | - 4.1
39 | - 4.8
40 | cmmc:
41 | - CM.L2-3.4.6
42 | - CM.L2-3.4.7
43 | macOS:
44 | - '15.0'
45 | tags:
46 | - 800-53r5_low
47 | - 800-53r5_moderate
48 | - 800-53r5_high
49 | - cisv8
50 | - cmmc_lvl2
51 | - stig
52 | - cnssi-1253_moderate
53 | - cnssi-1253_low
54 | - cnssi-1253_high
55 | severity: medium
56 | mobileconfig: true
57 | mobileconfig_info:
58 | com.apple.systempreferences:
59 | DisabledSystemSettings:
60 | - com.apple.Siri-Settings.extension
61 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_smbd_disable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_smbd_disable
2 | title: Disable Server Message Block Sharing
3 | discussion: |
4 | Support for Server Message Block (SMB) file sharing is non-essential and _MUST_ be disabled.
5 |
6 | The information system _MUST_ be configured to provide only essential capabilities.
7 | check: |
8 | /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.smbd" => disabled'
9 | result:
10 | integer: 1
11 | fix: |
12 | [source,bash]
13 | ----
14 | /bin/launchctl disable system/com.apple.smbd
15 | ----
16 | The system may need to be restarted for the update to take effect.
17 | references:
18 | cce:
19 | - CCE-94394-4
20 | cci:
21 | - CCI-000213
22 | 800-53r5:
23 | - AC-3
24 | - AC-17
25 | 800-53r4:
26 | - AC-3
27 | srg:
28 | - SRG-OS-000080-GPOS-00048
29 | disa_stig:
30 | - APPL-15-002001
31 | 800-171r3:
32 | - 03.01.02
33 | - 03.04.06
34 | cis:
35 | benchmark:
36 | - 2.3.3.3 (level 1)
37 | controls v8:
38 | - 4.1
39 | - 4.8
40 | - 5.4
41 | cmmc:
42 | - AC.L1-3.1.1
43 | macOS:
44 | - '15.0'
45 | tags:
46 | - 800-53r5_low
47 | - 800-53r5_moderate
48 | - 800-53r5_high
49 | - 800-53r4_low
50 | - 800-53r4_moderate
51 | - 800-53r4_high
52 | - 800-171
53 | - cis_lvl1
54 | - cis_lvl2
55 | - cisv8
56 | - cnssi-1253_low
57 | - cnssi-1253_high
58 | - cmmc_lvl2
59 | - cmmc_lvl1
60 | - stig
61 | - cnssi-1253_moderate
62 | severity: medium
63 | mobileconfig: false
64 | mobileconfig_info:
65 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_software_update_app_update_enforce.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_software_update_app_update_enforce
2 | title: Enforce Software Update App Update Updates Automatically
3 | discussion: |
4 | Software Update _MUST_ be configured to enforce automatic updates of App Updates is enabled.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
8 | .objectForKey('AutomaticallyInstallAppUpdates').js
9 | EOS
10 | result:
11 | string: 'true'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94395-1
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - N/A
21 | 800-53r4:
22 | - N/A
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - N/A
29 | cis:
30 | benchmark:
31 | - 1.5 (level 1)
32 | controls v8:
33 | - 7.3
34 | - 7.4
35 | macOS:
36 | - '15.0'
37 | tags:
38 | - cis_lvl1
39 | - cis_lvl2
40 | - cisv8
41 | mobileconfig: true
42 | mobileconfig_info:
43 | com.apple.SoftwareUpdate:
44 | AutomaticallyInstallAppUpdates: true
45 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_software_update_download_enforce.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_software_update_download_enforce
2 | title: Enforce Software Update Downloads Updates Automatically
3 | discussion: |
4 | Software Update _MUST_ be configured to enforce automatic downloads of updates is enabled.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
8 | .objectForKey('AutomaticDownload').js
9 | EOS
10 | result:
11 | string: 'true'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94396-9
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - N/A
21 | 800-53r4:
22 | - N/A
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - N/A
29 | cis:
30 | benchmark:
31 | - 1.3 (level 1)
32 | controls v8:
33 | - 7.3
34 | - 7.4
35 | macOS:
36 | - '15.0'
37 | tags:
38 | - cis_lvl1
39 | - cis_lvl2
40 | - cisv8
41 | mobileconfig: true
42 | mobileconfig_info:
43 | com.apple.SoftwareUpdate:
44 | AutomaticDownload: true
45 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_software_update_enforce.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_software_update_enforce
2 | title: Enforce Software Update Automatically
3 | discussion: |
4 | Software Update _MUST_ be configured to enforce automatic update is enabled.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
8 | .objectForKey('AutomaticCheckEnabled').js
9 | EOS
10 | result:
11 | string: 'true'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94397-7
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - SI-2(5)
21 | 800-53r4:
22 | - N/A
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - 3.14.1
29 | - 3.14.2
30 | - 3.13.3
31 | cis:
32 | benchmark:
33 | - 1.2 (level 1)
34 | controls v8:
35 | - 7.3
36 | - 7.4
37 | macOS:
38 | - '15.0'
39 | tags:
40 | - cis_lvl1
41 | - cis_lvl2
42 | - cisv8
43 | mobileconfig: true
44 | mobileconfig_info:
45 | com.apple.SoftwareUpdate:
46 | AutomaticCheckEnabled: true
47 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_softwareupdate_current.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_softwareupdate_current
2 | title: Ensure Software Update is Updated and Current
3 | discussion: |
4 | Make sure Software Update is updated and current.
5 |
6 | NOTE: Automatic fix can cause unplanned restarts and may lose work.
7 | check: |
8 | softwareupdate_date_epoch=$(/bin/date -j -f "%Y-%m-%d" "$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist LastFullSuccessfulDate | /usr/bin/awk '{print $1}')" "+%s")
9 | thirty_days_epoch=$(/bin/date -v -30d "+%s")
10 | if [[ $softwareupdate_date_epoch -lt $thirty_days_epoch ]]; then
11 | /bin/echo "0"
12 | else
13 | /bin/echo "1"
14 | fi
15 | result:
16 | integer: 1
17 | fix: |
18 | [source,bash]
19 | ----
20 | /usr/sbin/softwareupdate -i -a
21 | ----
22 | NOTE - This will apply to the whole system
23 | references:
24 | cce:
25 | - CCE-94398-5
26 | cci:
27 | - N/A
28 | 800-53r5:
29 | - N/A
30 | 800-53r4:
31 | - N/A
32 | srg:
33 | - N/A
34 | disa_stig:
35 | - N/A
36 | 800-171r3:
37 | - N/A
38 | cis:
39 | benchmark:
40 | - 1.1 (level 1)
41 | controls v8:
42 | - 7.3
43 | - 7.4
44 | macOS:
45 | - '15.0'
46 | tags:
47 | - cis_lvl1
48 | - cis_lvl2
49 | - cisv8
50 | severity: medium
51 | mobileconfig: false
52 | mobileconfig_info:
53 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_ssh_disable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_ssh_disable
2 | title: Disable SSH Server for Remote Access Sessions
3 | discussion: |
4 | SSH service _MUST_ be disabled for remote access.
5 | check: |
6 | /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => disabled'
7 | result:
8 | integer: 1
9 | fix: |
10 | [source,bash]
11 | ----
12 | /usr/sbin/systemsetup -f -setremotelogin off >/dev/null
13 | /bin/launchctl disable system/com.openssh.sshd
14 | ----
15 | NOTE: Systemsetup with -setremotelogin flag will fail unless you grant Full Disk Access to systemsetup or its parent process. Requires supervision.
16 | references:
17 | cce:
18 | - CCE-94399-3
19 | cci:
20 | - N/A
21 | 800-53r5:
22 | - CM-7
23 | - CM-7(1)
24 | - AC-17
25 | 800-53r4:
26 | - AC-3
27 | - CM-7
28 | - CM-7(1)
29 | srg:
30 | - N/A
31 | disa_stig:
32 | - N/A
33 | 800-171r3:
34 | - 03.01.02
35 | - 03.04.06
36 | cis:
37 | benchmark:
38 | - 2.3.3.5 (level 1)
39 | controls v8:
40 | - 4.1
41 | - 4.8
42 | cmmc:
43 | - AC.L1-3.1.1
44 | - CM.L2-3.4.6
45 | - CM.L2-3.4.7
46 | macOS:
47 | - '15.0'
48 | tags:
49 | - cis_lvl1
50 | - cis_lvl2
51 | - cisv8
52 | - cnssi-1253_low
53 | - cnssi-1253_high
54 | - cmmc_lvl2
55 | - cmmc_lvl1
56 | - cnssi-1253_moderate
57 | severity: high
58 | mobileconfig: false
59 | mobileconfig_info:
60 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_ssh_enable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_ssh_enable
2 | title: Enable SSH Server for Remote Access Sessions
3 | discussion: |
4 | Remote access sessions _MUST_ use encrypted methods to protect unauthorized individuals from gaining access.
5 | check: |
6 | /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => enabled'
7 | result:
8 | integer: 1
9 | fix: |
10 | [source,bash]
11 | ----
12 | /bin/launchctl enable system/com.openssh.sshd
13 | ----
14 | references:
15 | cce:
16 | - CCE-94400-9
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - IA-2(8)
21 | - AC-3
22 | - CM-7
23 | - CM-7(1)
24 | - AC-17
25 | 800-53r4:
26 | - AC-3
27 | - CM-7
28 | - CM-7(1)
29 | - IA-2(8)
30 | - IA-2(9)
31 | srg:
32 | - N/A
33 | disa_stig:
34 | - N/A
35 | 800-171r3:
36 | - 03.01.02
37 | - 03.05.04
38 | cmmc:
39 | - AC.L1-3.1.1
40 | - CM.L2-3.4.6
41 | - CM.L2-3.4.7
42 | - IA.L2-3.5.4
43 | macOS:
44 | - '15.0'
45 | tags:
46 | - 800-53r5_low
47 | - 800-53r5_moderate
48 | - 800-53r5_high
49 | - 800-53r4_low
50 | - 800-53r4_moderate
51 | - 800-53r4_high
52 | - 800-171
53 | - cnssi-1253_low
54 | - cnssi-1253_high
55 | - cmmc_lvl2
56 | - cmmc_lvl1
57 | - cnssi-1253_moderate
58 | severity: medium
59 | mobileconfig: false
60 | mobileconfig_info:
61 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_time_machine_auto_backup_enable
2 | title: Configure Time Machine for Automatic Backups
3 | discussion: |
4 | Automatic backups _MUST_ be enabled when using Time Machine.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.TimeMachine')\
8 | .objectForKey('AutoBackup').js
9 | EOS
10 | result:
11 | string: 'true'
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94402-5
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - N/A
21 | 800-53r4:
22 | - N/A
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - N/A
29 | cis:
30 | benchmark:
31 | - 2.3.4.1 (level 2)
32 | controls v8:
33 | - 11.2
34 | macOS:
35 | - '15.0'
36 | tags:
37 | - cis_lvl2
38 | - cisv8
39 | mobileconfig: true
40 | mobileconfig_info:
41 | com.apple.TimeMachine:
42 | AutoBackup: true
43 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_time_machine_encrypted_configure
2 | title: Ensure Time Machine Volumes are Encrypted
3 | discussion: |
4 | Time Machine volumes _MUST_ be encrypted.
5 | check: |
6 | error_count=0
7 | for tm in $(/usr/bin/tmutil destinationinfo 2>/dev/null| /usr/bin/awk -F': ' '/Name/{print $2}'); do
8 | tmMounted=$(/usr/sbin/diskutil info "${tm}" 2>/dev/null | /usr/bin/awk '/Mounted/{print $2}')
9 | tmEncrypted=$(/usr/sbin/diskutil info "${tm}" 2>/dev/null | /usr/bin/awk '/FileVault/{print $2}')
10 | if [[ "$tmMounted" = "Yes" && "$tmEncrypted" = "No" ]]; then
11 | ((error_count++))
12 | fi
13 | done
14 | echo "$error_count"
15 | result:
16 | integer: 0
17 | fix: |
18 | . Go to System Settings -> Time Machine
19 | . Click *Select Disk*
20 | . Select existing Backup Disk under *Available Disks*
21 | . Click *Encrypt Backups*
22 | . Click *Use Disk*
23 | references:
24 | cce:
25 | - CCE-94403-3
26 | cci:
27 | - N/A
28 | 800-53r5:
29 | - N/A
30 | 800-53r4:
31 | - N/A
32 | srg:
33 | - N/A
34 | disa_stig:
35 | - N/A
36 | 800-171r3:
37 | - N/A
38 | cis:
39 | benchmark:
40 | - 2.3.4.2 (level 1)
41 | controls v8:
42 | - 3.6
43 | - 3.11
44 | - 11.3
45 | macOS:
46 | - '15.0'
47 | tags:
48 | - cis_lvl1
49 | - cis_lvl2
50 | - cisv8
51 | mobileconfig: false
52 | mobileconfig_info:
53 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_touch_id_settings_disable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_touch_id_settings_disable
2 | title: Disable the Touch ID System Settings Pane
3 | discussion: |
4 | The System Settings pane for Touch ID _MUST_ be disabled.
5 |
6 | Disabling the System Settings pane prevents the users from configuring Touch ID.
7 | check: |
8 | /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.Touch-ID-Settings.extension"
9 | result:
10 | integer: 1
11 | fix: |
12 | This is implemented by a Configuration Profile.
13 | references:
14 | cce:
15 | - CCE-94407-4
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - CM-7
20 | - CM-7(1)
21 | - CM-7(5)
22 | 800-53r4:
23 | - CM-7
24 | - CM-7(5)
25 | srg:
26 | - N/A
27 | disa_stig:
28 | - N/A
29 | 800-171r3:
30 | - 03.04.06
31 | - 03.04.08
32 | cis:
33 | benchmark:
34 | - N/A
35 | controls v8:
36 | - 4.1
37 | - 4.8
38 | cmmc:
39 | - CM.L2-3.4.6
40 | - CM.L2-3.4.7
41 | macOS:
42 | - '15.0'
43 | tags:
44 | - 800-53r5_low
45 | - 800-53r5_moderate
46 | - 800-53r5_high
47 | - cisv8
48 | - cmmc_lvl2
49 | - cnssi-1253_moderate
50 | - cnssi-1253_low
51 | - cnssi-1253_high
52 | mobileconfig: true
53 | mobileconfig_info:
54 | com.apple.systempreferences:
55 | DisabledSystemSettings:
56 | - com.apple.Touch-ID-Settings.extension
57 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_wake_network_access_disable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_wake_network_access_disable
2 | title: Ensure Wake for Network Access Is Disabled
3 | discussion: |
4 | Wake for network access _MUST_ be disabled.
5 | check: |
6 | /usr/bin/pmset -g custom | /usr/bin/awk '/womp/ { sum+=$2 } END {print sum}'
7 | result:
8 | integer: 0
9 | fix: |
10 | [source,bash]
11 | ----
12 | /usr/bin/pmset -a womp 0
13 | ----
14 | references:
15 | cce:
16 | - CCE-94410-8
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - N/A
21 | 800-53r4:
22 | - N/A
23 | disa_stig:
24 | - N/A
25 | srg:
26 | - N/A
27 | 800-171r3:
28 | - N/A
29 | cis:
30 | benchmark:
31 | - 2.9.3 (level 1)
32 | controls v8:
33 | - 4.8
34 | macOS:
35 | - '15.0'
36 | tags:
37 | - cis_lvl1
38 | - cis_lvl2
39 | - cisv8
40 | mobileconfig: false
41 | mobileconfig_info:
42 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_wallet_applepay_settings_disable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_wallet_applepay_settings_disable
2 | title: Disable the System Settings Pane for Wallet and Apple Pay
3 | discussion: |
4 | The System Settings pane for Wallet and Apple Pay _MUST_ be disabled.
5 |
6 | Disabling the System Settings pane prevents the users from configuring Wallet and Apple Pay.
7 | check: |
8 | /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.WalletSettingsExtension"
9 | result:
10 | integer: 1
11 | fix: |
12 | This is implemented by a Configuration Profile.
13 | references:
14 | cce:
15 | - CCE-94411-6
16 | cci:
17 | - CCI-000381
18 | 800-53r5:
19 | - CM-7
20 | - CM-7(1)
21 | - CM-7(5)
22 | 800-53r4:
23 | - CM-7
24 | - CM-7(5)
25 | srg:
26 | - SRG-OS-000095-GPOS-00049
27 | disa_stig:
28 | - APPL-15-002052
29 | 800-171r3:
30 | - 03.04.06
31 | - 03.04.08
32 | cis:
33 | benchmark:
34 | - N/A
35 | controls v8:
36 | - 4.1
37 | - 4.8
38 | cmmc:
39 | - CM.L2-3.4.6
40 | - CM.L2-3.4.7
41 | macOS:
42 | - '15.0'
43 | tags:
44 | - 800-53r5_low
45 | - 800-53r5_moderate
46 | - 800-53r5_high
47 | - cisv8
48 | - cmmc_lvl2
49 | - stig
50 | - cnssi-1253_moderate
51 | - cnssi-1253_low
52 | - cnssi-1253_high
53 | severity: medium
54 | mobileconfig: true
55 | mobileconfig_info:
56 | com.apple.systempreferences:
57 | DisabledSystemSettings:
58 | - com.apple.WalletSettingsExtension
59 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_wifi_disable_when_connected_to_ethernet
2 | title: Disable Wi-Fi When Connected to Ethernet
3 | discussion: |
4 | The macOS should be configured to automatically disable Wi-Fi when connected to ethernet.
5 |
6 | The use of Wi-Fi to connect to unauthorized networks may facilitate the exfiltration of mission data. Therefore, wireless networking capabilities internally embedded within information system components should be disabled when not intended to be used.
7 |
8 | NOTE: If the system requires Wi-Fi to connect to an authorized network, this is not applicable.
9 | check: |
10 | The technology does not support this requirement. This is an applicable-does not meet finding.
11 | fix: |
12 | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
13 | references:
14 | cce:
15 | - CCE-94413-2
16 | cci:
17 | - N/A
18 | 800-53r5:
19 | - AC-4
20 | - AC-18(1)
21 | - AC-18(3)
22 | 800-53r4:
23 | - AC-4
24 | - AC-18(1)
25 | - AC-18(3)
26 | disa_stig:
27 | - N/A
28 | srg:
29 | - N/A
30 | 800-171r3:
31 | - 03.01.03
32 | - 03.01.16
33 | cmmc:
34 | - AC.L2-3.1.3
35 | - AC.L2-3.1.17
36 | macOS:
37 | - '15.0'
38 | tags:
39 | - 800-53r5_moderate
40 | - 800-53r5_high
41 | - 800-53r4_moderate
42 | - 800-53r4_high
43 | - 800-171
44 | - permanent
45 | - cnssi-1253_low
46 | - cnssi-1253_high
47 | - cmmc_lvl2
48 | - cnssi-1253_moderate
49 | mobileconfig: false
50 | mobileconfig_info:
51 |
--------------------------------------------------------------------------------
/rules/system_settings/system_settings_wifi_menu_enable.yaml:
--------------------------------------------------------------------------------
1 | id: system_settings_wifi_menu_enable
2 | title: Enable Wifi Menu
3 | discussion: |
4 | The WiFi menu _MUST_ be enabled.
5 | check: |
6 | /usr/bin/osascript -l JavaScript << EOS
7 | $.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\
8 | .objectForKey('WiFi').js
9 | EOS
10 | result:
11 | integer: 18
12 | fix: |
13 | This is implemented by a Configuration Profile.
14 | references:
15 | cce:
16 | - CCE-94414-0
17 | cci:
18 | - N/A
19 | 800-53r5:
20 | - N/A
21 | 800-53r4:
22 | - N/A
23 | srg:
24 | - N/A
25 | disa_stig:
26 | - N/A
27 | 800-171r3:
28 | - N/A
29 | cis:
30 | benchmark:
31 | - 2.4.1 (level 1)
32 | controls v8:
33 | - 4.8
34 | - 12.6
35 | macOS:
36 | - '15.0'
37 | tags:
38 | - cis_lvl1
39 | - cis_lvl2
40 | - cisv8
41 | mobileconfig: true
42 | mobileconfig_info:
43 | com.apple.controlcenter:
44 | WiFi: 18
45 |
--------------------------------------------------------------------------------
/scripts/KNOWN_ISSUES:
--------------------------------------------------------------------------------
1 | Known Issues:
2 |
3 | Automation of the password policy remediation is not currently implemented in the compliance script. The path to your pwpolicy.xml must be defined in the compliance script in the variables section, line 433.
--------------------------------------------------------------------------------
/scripts/util/README:
--------------------------------------------------------------------------------
1 | These additional utilities are macOS ONLY
2 |
3 | mscp_local_report.py
4 | mscp_local_report will generate an Excel and HTML document that shows a pie chart with the compliance percentage and a table with the rule name and result.
5 |
6 | Additional python modules required:
7 | * openpyxl
8 | * pandas
9 | * matplotlib
10 | pip3 install MODULENAME
11 |
12 | Usage:
13 | Run a compliance scan using the compliance script generated from generate_guidance.py
14 | ./mscp_local_report.py -p /Library/Preferences/org.BASELINE.audit.plist -o /Path/To/Output/FILENAME
15 | - This will generate an HTML and XLSX file with the filename.
16 |
17 | generate_checklist.py
18 | The generate_checklist script will generate a .ckl XML file for use with the DISA STIG Viewer and eMass systems.
19 |
20 | Usage:
21 | When using generate_guidance.py, run it using the -r option to include references and -s to create a compliance script.
22 | ./generate_guidance.py -s -r disa_stig /path/to/disa/stig/baseline_file
23 | Then run a compliance scan using the generated content.
24 | sudo build/BASELINE/BASELINE_compliance.sh --check
25 | Download the DISA STIG for the specific version of the operating system from the DoD Cyber Exchange (https://public.cyber.mil/stigs/downloads/)
26 | Then run the generate_checklist script
27 | ./generate_checklist.py -p /Library/Preferences/org.BASELINE.audit.plist -d /PATH/TO/DISA/STIG/Manual/xccdf/file > /Path/To/Output.ckl
28 |
--------------------------------------------------------------------------------
/sections/auditing.yaml:
--------------------------------------------------------------------------------
1 | name: "Auditing"
2 | description: |
3 | This section contains the configuration and enforcement of the OpenBSM settings.
4 |
5 | NOTE: The BSM Audit subsystem has been marked as deprecated by Apple.
6 |
7 | NOTE: The check/fix commands outlined in this section _MUST_ be run with elevated privileges.
--------------------------------------------------------------------------------
/sections/authentication.yaml:
--------------------------------------------------------------------------------
1 | name: "Authentication"
2 | description: |
3 | This section contains the configuration of authentication settings, including the enforcement of smartcard authentication.
4 |
5 | NOTE: See additional guidance in the Smartcard Supplemental.
6 |
7 | NOTE: The check/fix commands outlined in this section must be run with elevated privileges.
--------------------------------------------------------------------------------
/sections/icloud.yaml:
--------------------------------------------------------------------------------
1 | name: "iCloud"
2 | description: |
3 | This section contains the configuration and enforcement of iCloud and the Apple ID service settings.
4 |
5 | NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with with elevated privileges.
--------------------------------------------------------------------------------
/sections/inherent.yaml:
--------------------------------------------------------------------------------
1 | name: "Inherent"
2 | description: |
3 | This section reviews the controls that are built-in to macOS, and cannot be configured out of compliance.
--------------------------------------------------------------------------------
/sections/macos.yaml:
--------------------------------------------------------------------------------
1 | name: "macOS"
2 | description: |
3 | This section contains the configuration and enforcement of operating system settings.
4 |
5 | NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with elevated privileges.
--------------------------------------------------------------------------------
/sections/not_applicable.yaml:
--------------------------------------------------------------------------------
1 | name: "Not Applicable"
2 | description: |
3 | This section contains the controls that are defined in the NIST 800-53 revision 5 but are not applicable when configuring a macOS system.
--------------------------------------------------------------------------------
/sections/passwordpolicy.yaml:
--------------------------------------------------------------------------------
1 | name: "Password Policy"
2 | description: |
3 | This section contains the configuration and enforcement of settings pertaining to password policies in macOS.
4 |
5 | NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with elevated privileges.
6 |
7 | [IMPORTANT]
8 | ====
9 | The password policy recommendations in the NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
10 | ====
11 |
12 | NOTE: The settings outlined in this section adhere to the recommendations provided in this document for systems that utilize passwords for local accounts. If systems are integrated with a directory service, local password policies should align with domain password policies to the fullest extent feasible.
--------------------------------------------------------------------------------
/sections/permanent.yaml:
--------------------------------------------------------------------------------
1 | name: "Permanent Findings"
2 | description: |
3 | This section contains the controls that are defined in NIST 800-53 revision 5 but are unable to be configured natively within macOS. It is recommended to implement a third-party solution to meet the controls in this section.
--------------------------------------------------------------------------------
/sections/srg.yaml:
--------------------------------------------------------------------------------
1 | name: "DISA SRG"
2 | description: |
3 | This section contains rules and controls that are associated with DISA's security requirements guide for general purpose operating systems.
4 |
5 | NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with elevated privileges.
--------------------------------------------------------------------------------
/sections/supplemental.yaml:
--------------------------------------------------------------------------------
1 | name: "Supplemental"
2 | description: |
3 | This section provides additional information to support the guidance provided by the baselines.
--------------------------------------------------------------------------------
/sections/systemsettings.yaml:
--------------------------------------------------------------------------------
1 | name: "System Settings"
2 | description: |
3 | This section contains the configuration and enforcement of the settings within the macOS System Settings application.
4 |
5 | NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with elevated privileges.
--------------------------------------------------------------------------------
/templates/adoc_authors.adoc:
--------------------------------------------------------------------------------
1 | == Authors
2 | [width="100%",cols="1,3"]
3 |
4 | $authors_list
5 |
6 | ////
7 | |===
8 | |Bob Gendler|National Institute of Standards and Technology
9 | |Allen Golbig|National Aeronautics and Space Administration
10 | |Dan Brodjieski|Defense Information Systems Agency
11 | |Jason Blake|National Institute of Standards and Technology
12 | |Blair Heiserman|National Institute of Standards and Technology
13 | |Joshua Glemza|National Aeronautics and Space Administration
14 | |Elyse Anderson|National Aeronautics and Space Administration
15 | |Gary Gapinski|National Aeronautics and Space Administration
16 | |===
17 | ////
--------------------------------------------------------------------------------
/templates/adoc_footer.adoc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/usnistgov/macos_security/30d4a1af0443332772cd8617d01d7dd3463f8072/templates/adoc_footer.adoc
--------------------------------------------------------------------------------
/templates/adoc_foreword.adoc:
--------------------------------------------------------------------------------
1 | == Foreword
2 |
3 | The macOS Security Compliance Project is an open source effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Security and Privacy Controls for Information Systems and Organizations_, Revision 5.
4 |
5 | This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
6 |
7 | The objective of this effort was to simplify and radically accelerate the process of producing up-to-date macOS security guidance that is also accessible to any organization and tailorable to meet each organization’s specific security needs.
8 |
9 | Any and all risk based decisions to tailor the content produced by this project in order to meet the needs of a specific organization shall be approved by the responsible Information System Owner (ISO) and Authorizing Official (AO) and formally documented in their System Security Plan (SSP). While the project attempts to provide settings to meet compliance requirements, it is recommended that each rule be reviewed by your organization's Information System Security Officer (ISSO) prior to implementation.
10 |
--------------------------------------------------------------------------------
/templates/adoc_header.adoc:
--------------------------------------------------------------------------------
1 | :doctype: book
2 | :stylesdir: ../../templates/
3 | :stylesheet: asciidoctor.css
4 | :experimental:
5 | :reproducible:
6 | :icons: font
7 | :chapter-label:
8 | :listing-caption: Listing
9 | :sectnums:
10 | ifdef::backend-html5[]
11 | :toc: preamble
12 | endif::[]
13 | ifdef::backend-pdf[]
14 | :toc: []
15 | endif::[]
16 | :toclevels: 4
17 | :xrefstyle: full
18 | :source-highlighter: rouge
19 | :nofooter:
20 | $nist171_attribute
21 | $stig_attribute
22 | $cis_attribute
23 | $cmmc_attribute
24 | :version: $version ($release_date)
25 | :os: $os_version
26 | :proj-title: $html_header_title
27 | :document-title: $html_title
28 | :document-subtitle: $html_subtitle
29 | $document_subtitle2
30 | ifdef::backend-pdf[]
31 | = {document-title}: {document-subtitle}
32 | $version ($release_date)
33 | :pdf-themesdir: ../templates
34 | :pdf-theme: $pdf_theme
35 | :title-logo-image: image:data:image/png;base64,$pdflogo[align=center]
36 | :nofooter!:
37 | endif::[]
38 | :data-uri:
39 | :allow-uri-read:
40 | ifdef::backend-html5[]
41 | :notitle:
42 |
43 |
44 | $tag_attribute
45 |
46 | [cols="55s"]
47 | |======
48 | |image:$logo[]
49 | |======
50 |
51 | [cols="^.^1s",width="100%"]
52 | |======
53 | |+++
54 | +++{document-title}+++
+++{document-subtitle}+++
+++{document-subtitle2}+++
+++{version}+++
55 |
+++
56 | |======
57 | endif::[]
58 |
--------------------------------------------------------------------------------
/templates/adoc_rule.adoc:
--------------------------------------------------------------------------------
1 | === $rule_title
2 |
3 | $rule_discussion
4 |
5 | To check the state of the system, run the following command(s):
6 | [source,bash,options="nowrap"]
7 | ----
8 | $rule_check
9 | ----
10 |
11 | If the result is not *$rule_result*, this is a finding.
12 |
13 | ====
14 | **Remediation Description**
15 |
16 | Perform the following to configure the system to meet the requirements:
17 |
18 | $rule_fix
19 | ====
20 |
21 | [cols="15%h, 85%a"]
22 | |===
23 |
24 | |ID
25 | |$rule_id
26 |
27 | $severity
28 |
29 | |References
30 | |
31 |
32 | [cols="20%h,80%a"]
33 | [frame="none"]
34 | [grid="cols"]
35 | !===
36 |
37 | !800-53r5
38 | !$rule_80053r5
39 |
40 | ifdef::show_171[]
41 | !800-171r3
42 | !$rule_800171
43 | endif::[]
44 |
45 | ifdef::show_STIG[]
46 | !DISA STIG(s)
47 | !$rule_disa_stig
48 | endif::[]
49 |
50 | ifdef::show_CIS[]
51 | $rule_cis
52 | endif::[]
53 |
54 | ifdef::show_CMMC[]
55 | !CMMC
56 | !$rule_cmmc
57 | endif::[]
58 |
59 | !CCE
60 | !$rule_cce
61 |
62 | ifdef::show_tags[]
63 | !TAGS
64 | !$rule_tags
65 | endif::[]
66 |
67 | !===
68 |
69 | |
70 | |===
71 |
--------------------------------------------------------------------------------
/templates/adoc_rule_custom_refs.adoc:
--------------------------------------------------------------------------------
1 | === $rule_title
2 |
3 | $rule_discussion
4 |
5 | To check the state of the system, run the following command(s):
6 | [source,bash]
7 | ----
8 | $rule_check
9 | ----
10 |
11 | If the result is not *$rule_result*, this is a finding.
12 |
13 | ====
14 | **Remediation Description**
15 |
16 | Perform the following to configure the system to meet the requirements:
17 |
18 | $rule_fix
19 | ====
20 |
21 | [cols="15%h, 85%a"]
22 | |===
23 |
24 | |ID
25 | |$rule_id
26 |
27 | |References
28 | |
29 |
30 | [cols="20%h,80%a"]
31 | [frame="none"]
32 | [grid="cols"]
33 | !===
34 |
35 | !800-53r5
36 | !$rule_80053r5
37 |
38 | ifdef::show_171[]
39 | !800-171r3
40 | !$rule_800171
41 | endif::[]
42 |
43 | ifdef::show_STIG[]
44 | !DISA STIG(s)
45 | !$rule_disa_stig
46 | endif::[]
47 |
48 | ifdef::show_CIS[]
49 | $rule_cis
50 | endif::[]
51 |
52 | ifdef::show_CMMC[]
53 | !CMMC
54 | !
55 | $rule_cmmc
56 | endif::[]
57 |
58 | !CCE
59 | !$rule_cce
60 |
61 | $rule_custom_refs
62 |
63 | ifdef::show_tags[]
64 | !TAGS
65 | !$rule_tags
66 | endif::[]
67 |
68 | !===
69 |
70 | |
71 | |===
72 |
--------------------------------------------------------------------------------
/templates/adoc_rule_ios.adoc:
--------------------------------------------------------------------------------
1 | === $rule_title
2 |
3 | $rule_discussion
4 |
5 | $rule_check
6 |
7 | ====
8 | **Remediation Description**
9 |
10 | Perform the following to configure the system to meet the requirements:
11 |
12 | $rule_fix
13 | ====
14 |
15 | [cols="15%h, 85%a"]
16 | |===
17 |
18 | |ID
19 | |$rule_id
20 |
21 | $severity
22 |
23 | |References
24 | |
25 |
26 | [cols="20%h,80%a"]
27 | [frame="none"]
28 | [grid="cols"]
29 | !===
30 |
31 | !800-53r5
32 | !$rule_80053r5
33 |
34 | ifdef::show_171[]
35 | !800-171r3
36 | !$rule_800171
37 | endif::[]
38 |
39 | ifdef::show_STIG[]
40 | !DISA STIG(s)
41 | !$rule_disa_stig
42 | !SFR
43 | !$rule_sfr
44 | endif::[]
45 |
46 | ifdef::show_CIS[]
47 | $rule_cis
48 | endif::[]
49 |
50 | !CCE
51 | !$rule_cce
52 |
53 | ifdef::show_tags[]
54 | !TAGS
55 | !$rule_tags
56 | endif::[]
57 |
58 | !===
59 |
60 | |
61 | |===
62 |
--------------------------------------------------------------------------------
/templates/adoc_rule_no_setting.adoc:
--------------------------------------------------------------------------------
1 | === $rule_title
2 |
3 | $rule_discussion
4 |
5 | $rule_check
6 |
7 | [cols="15%h, 85%a"]
8 | |===
9 |
10 | |ID
11 | |$rule_id
12 |
13 | |References
14 | |
15 |
16 | [cols="20%h,80%a"]
17 | [frame="none"]
18 | [grid="cols"]
19 | !===
20 |
21 | !800-53r5
22 | !$rule_80053r5
23 |
24 | ifdef::show_171[]
25 | !800-171r3
26 | !$rule_800171
27 | endif::[]
28 |
29 | ifdef::show_STIG[]
30 | !DISA STIG(s)
31 | !$rule_disa_stig
32 | endif::[]
33 |
34 | ifdef::show_CIS[]
35 | $rule_cis
36 | endif::[]
37 |
38 | ifdef::show_CMMC[]
39 | !CMMC
40 | !
41 | $rule_cmmc
42 | endif::[]
43 |
44 | ifdef::show_tags[]
45 | !CCE
46 | !$rule_cce
47 |
48 | !TAGS
49 | !$rule_tags
50 | endif::[]
51 |
52 | !===
53 |
54 | |
55 | |===
56 |
--------------------------------------------------------------------------------
/templates/adoc_rules_table_footer.adoc:
--------------------------------------------------------------------------------
1 | |===
--------------------------------------------------------------------------------
/templates/adoc_rules_table_header.adoc:
--------------------------------------------------------------------------------
1 | = macOS Rules
2 | :stylesheet:
3 |
4 | [%header,width="100%",cols="10%,25%,65%a",opts="wrap"]
5 | |===
6 |
7 | |ID
8 | |Title
9 | |Discussion
--------------------------------------------------------------------------------
/templates/adoc_rules_table_row.adoc:
--------------------------------------------------------------------------------
1 | |**$rule_id**
2 | |$rule_title
3 | |$rule_discussion
4 |
--------------------------------------------------------------------------------
/templates/adoc_scope.adoc:
--------------------------------------------------------------------------------
1 | == Scope
2 |
3 | $scope_description
--------------------------------------------------------------------------------
/templates/adoc_section.adoc:
--------------------------------------------------------------------------------
1 | == $section_name
2 |
3 | $description
4 |
5 |
--------------------------------------------------------------------------------
/templates/adoc_supplemental.adoc:
--------------------------------------------------------------------------------
1 | === $rule_title
2 |
3 | $rule_discussion
4 |
5 |
--------------------------------------------------------------------------------
/templates/images/mscp_banner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/usnistgov/macos_security/30d4a1af0443332772cd8617d01d7dd3463f8072/templates/images/mscp_banner.png
--------------------------------------------------------------------------------
/templates/images/mscp_banner_outline.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/usnistgov/macos_security/30d4a1af0443332772cd8617d01d7dd3463f8072/templates/images/mscp_banner_outline.png
--------------------------------------------------------------------------------
/templates/images/mscp_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/usnistgov/macos_security/30d4a1af0443332772cd8617d01d7dd3463f8072/templates/images/mscp_logo.png
--------------------------------------------------------------------------------
/templates/mscp-theme.yml:
--------------------------------------------------------------------------------
1 | extends: default
2 | header:
3 | font_color: 999999
4 | height: 0.5in
5 | recto:
6 | columns: "<40% =20% >40%"
7 | right:
8 | content: ~
9 | center:
10 | content: ~
11 | verso:
12 | columns: $header_recto_columns
13 | left:
14 | content: $header_recto_right_content
15 | center:
16 | content: $header_recto_center_content
17 | footer:
18 | height: 0.60in
19 | lines: 2
20 | recto:
21 | right:
22 | content: |-
23 | *{page-number}*
24 | center:
25 | content: |-
26 | {proj-title} +
27 | macOS Security Compliance Project - _{version}_
28 | verso:
29 | left:
30 | content: |-
31 | *{page-number}*
32 | center:
33 | content: |-
34 | {proj-title} +
35 | macOS Security Compliance Project - _{version}_
--------------------------------------------------------------------------------