Merge branch 'sonoma' into dev_sonoma_compscript

usnistgov · Aug 27, 2024 · 8adb0f3 · 8adb0f3
2 parents 8ce092c + 8d3ac52
commit 8adb0f3
Show file tree

Hide file tree

Showing 25 changed files with 162 additions and 64 deletions.
diff --git a/Gemfile b/Gemfile
@@ -1,5 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'asciidoctor'
+gem 'rexml', '3.2.6'
+gem 'asciidoctor', '2.0.22'
 gem 'asciidoctor-pdf'
 gem 'rouge', '3.30.0'
diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
@@ -116,12 +116,14 @@ profile:
       - os_library_validation_enabled
       - os_loginwindow_adminhostinfo_undefined
       - os_mail_app_disable
+      - os_malicious_code_prevention
       - os_mdm_require
       - os_messages_app_disable
       - os_mobile_file_integrity_enable
       - os_newsyslog_files_owner_group_configure
       - os_newsyslog_files_permissions_configure
       - os_nfsd_disable
+      - os_obscure_password
       - os_on_device_dictation_enforce
       - os_parental_controls_enable
       - os_password_autofill_disable
@@ -166,6 +168,7 @@ profile:
       - os_sshd_login_grace_time_configure
       - os_sshd_permit_root_login_configure
       - os_sshd_unused_connection_timeout_configure
+      - os_store_encrypted_passwords
       - os_sudo_timeout_configure
       - os_sudoers_timestamp_type_configure
       - os_system_read_only
@@ -187,6 +190,7 @@ profile:
       - pwpolicy_account_lockout_timeout_enforce
       - pwpolicy_alpha_numeric_enforce
       - pwpolicy_custom_regex_enforce
+      - pwpolicy_force_password_change
       - pwpolicy_history_enforce
       - pwpolicy_lower_case_character_enforce
       - pwpolicy_max_lifetime_enforce
@@ -240,7 +244,9 @@ profile:
       - system_settings_screensaver_password_enforce
       - system_settings_screensaver_timeout_enforce
       - system_settings_siri_disable
+      - system_settings_siri_listen_disable
       - system_settings_siri_settings_disable
+      - system_settings_sleep_enforce
       - system_settings_smbd_disable
       - system_settings_software_update_app_update_enforce
       - system_settings_software_update_download_enforce
@@ -260,6 +266,7 @@ profile:
       - system_settings_wake_network_access_disable
       - system_settings_wallet_applepay_settings_disable
       - system_settings_wifi_disable
+      - system_settings_wifi_disable_when_connected_to_ethernet
       - system_settings_wifi_menu_enable
   - section: "Inherent"
     rules:

diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1)"
+title: "macOS 14.0: Security Configuration - CIS Apple macOS 14.0 Sonoma v1.1.0 Benchmark (Level 1)"
 description: |
-  This guide describes the actions to take when securing a macOS 14.0 system against the CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1) security baseline.
+  This guide describes the actions to take when securing a macOS 14.0 system against the CIS Apple macOS 14.0 Sonoma v1.1.0 Benchmark (Level 1) security baseline.
 authors: |
   *macOS Security Compliance Project*
 
@@ -49,7 +49,6 @@ profile:
       - os_root_disable
       - os_safari_advertising_privacy_protection_enable
       - os_safari_open_safe_downloads_disable
-      - os_safari_popups_disabled
       - os_safari_prevent_cross-site_tracking_enable
       - os_safari_show_full_website_address_enable
       - os_safari_show_status_bar_enabled
@@ -61,7 +60,7 @@ profile:
       - os_sudoers_timestamp_type_configure
       - os_system_wide_applications_configure
       - os_terminal_secure_keyboard_enable
-      - os_time_offset_limit_configure
+      - os_time_server_enabled
       - os_unlock_active_user_session_disable
       - os_world_writable_system_folder_configure
   - section: "passwordpolicy"
@@ -96,6 +95,7 @@ profile:
       - system_settings_screen_sharing_disable
       - system_settings_screensaver_ask_for_password_delay_enforce
       - system_settings_screensaver_timeout_enforce
+      - system_settings_siri_listen_disable
       - system_settings_smbd_disable
       - system_settings_software_update_app_update_enforce
       - system_settings_software_update_download_enforce

diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2)"
+title: "macOS 14.0: Security Configuration - CIS Apple macOS 14.0 Sonoma v1.1.0 Benchmark (Level 2)"
 description: |
-  This guide describes the actions to take when securing a macOS 14.0 system against the CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2) security baseline.
+  This guide describes the actions to take when securing a macOS 14.0 system against the CIS Apple macOS 14.0 Sonoma v1.1.0 Benchmark (Level 2) security baseline.
 authors: |
   *macOS Security Compliance Project*
 
@@ -48,9 +48,6 @@ profile:
       - os_firewall_log_enable
       - os_gatekeeper_enable
       - os_guest_folder_removed
-      - os_hibernate_mode_apple_silicon_enable
-      - os_hibernate_mode_destroyfvkeyonstandby_enable
-      - os_hibernate_mode_intel_enable
       - os_home_folders_secure
       - os_httpd_disable
       - os_install_log_retention_configure
@@ -64,7 +61,6 @@ profile:
       - os_root_disable
       - os_safari_advertising_privacy_protection_enable
       - os_safari_open_safe_downloads_disable
-      - os_safari_popups_disabled
       - os_safari_prevent_cross-site_tracking_enable
       - os_safari_show_full_website_address_enable
       - os_safari_show_status_bar_enabled
@@ -76,7 +72,7 @@ profile:
       - os_sudoers_timestamp_type_configure
       - os_system_wide_applications_configure
       - os_terminal_secure_keyboard_enable
-      - os_time_offset_limit_configure
+      - os_time_server_enabled
       - os_unlock_active_user_session_disable
       - os_world_writable_library_folder_configure
       - os_world_writable_system_folder_configure
@@ -106,6 +102,7 @@ profile:
       - system_settings_guest_access_smb_disable
       - system_settings_guest_account_disable
       - system_settings_hot_corners_secure
+      - system_settings_improve_siri_dictation_disable
       - system_settings_install_macos_updates_enforce
       - system_settings_internet_sharing_disable
       - system_settings_location_services_enable
@@ -121,6 +118,8 @@ profile:
       - system_settings_screen_sharing_disable
       - system_settings_screensaver_ask_for_password_delay_enforce
       - system_settings_screensaver_timeout_enforce
+      - system_settings_siri_listen_disable
+      - system_settings_sleep_enforce
       - system_settings_smbd_disable
       - system_settings_software_update_app_update_enforce
       - system_settings_software_update_download_enforce

diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml
@@ -79,9 +79,6 @@ profile:
       - os_gatekeeper_enable
       - os_gatekeeper_rearm
       - os_handoff_disable
-      - os_hibernate_mode_apple_silicon_enable
-      - os_hibernate_mode_destroyfvkeyonstandby_enable
-      - os_hibernate_mode_intel_enable
       - os_home_folders_secure
       - os_httpd_disable
       - os_icloud_storage_prompt_disable
@@ -101,7 +98,6 @@ profile:
       - os_root_disable
       - os_safari_advertising_privacy_protection_enable
       - os_safari_open_safe_downloads_disable
-      - os_safari_popups_disabled
       - os_safari_prevent_cross-site_tracking_enable
       - os_safari_show_full_website_address_enable
       - os_safari_show_status_bar_enabled
@@ -116,7 +112,6 @@ profile:
       - os_system_wide_applications_configure
       - os_terminal_secure_keyboard_enable
       - os_tftpd_disable
-      - os_time_offset_limit_configure
       - os_time_server_enabled
       - os_touchid_prompt_disable
       - os_unlock_active_user_session_disable
@@ -172,7 +167,9 @@ profile:
       - system_settings_screensaver_ask_for_password_delay_enforce
       - system_settings_screensaver_timeout_enforce
       - system_settings_siri_disable
+      - system_settings_siri_listen_disable
       - system_settings_siri_settings_disable
+      - system_settings_sleep_enforce
       - system_settings_smbd_disable
       - system_settings_software_update_app_update_enforce
       - system_settings_software_update_download_enforce

diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml
@@ -83,12 +83,12 @@ titles:
   800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact
   800-53r5_low: NIST SP 800-53 Rev 5 Low Impact
   800-171: NIST 800-171 Rev 2
-  cis_lvl1: CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1)
-  cis_lvl2: CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2)
+  cis_lvl1: CIS Apple macOS 14.0 Sonoma v1.1.0 Benchmark (Level 1)
+  cis_lvl2: CIS Apple macOS 14.0 Sonoma v1.1.0 Benchmark (Level 2)
   cmmc_lvl1: US CMMC 2.0 Level 1
   cmmc_lvl2: US CMMC 2.0 Level 2
   cisv8: CIS Controls Version 8
   cnssi-1253_low: Committee on National Security Systems Instruction No. 1253 (Low)
   cnssi-1253_moderate: Committee on National Security Systems Instruction No. 1253 (Moderate)
   cnssi-1253_high: Committee on National Security Systems Instruction No. 1253 (High)
-  stig: Apple macOS 14 (Sonoma) STIG - Ver 1, Rel 1
+  stig: Apple macOS 14 (Sonoma) STIG - Ver 2, Rel 1
diff --git a/rules/os/os_application_sandboxing.yaml b/rules/os/os_application_sandboxing.yaml
@@ -1,5 +1,5 @@
 id: os_application_sandboxing
-title: Ensure Seperate Execution Domain for Processes
+title: Ensure Separate Execution Domain for Processes
 discussion: |
   The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing.
 

diff --git a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml
@@ -53,14 +53,13 @@ references:
     - N/A
   cis:
     benchmark:
-      - 2.9.1.2 (level 2)
+      - N/A
     controls v8:
-      - 4.1
+      - N/A
 macOS:
   - '14.0'
 tags:
-  - cis_lvl2
-  - cisv8
+  - none
   - arm64
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
@@ -28,14 +28,13 @@ references:
     - N/A
   cis:
     benchmark:
-      - 2.9.1.3 (level 2)
+      - N/A
     controls v8:
-      - 4.1
+      - N/A
 macOS:
   - '14.0'
 tags:
-  - cis_lvl2
-  - cisv8
+  - none
 mobileconfig: true
 mobileconfig_info:
   com.apple.MCX:

diff --git a/rules/os/os_hibernate_mode_intel_enable.yaml b/rules/os/os_hibernate_mode_intel_enable.yaml
@@ -53,14 +53,12 @@ references:
     - N/A
   cis:
     benchmark:
-      - 2.9.1.1 (level 2)
+      - N/A
     controls v8:
-      - 4.1
+      - N/A
 macOS:
   - '14.0'
 tags:
-  - cis_lvl2
-  - cisv8
-  - i386
+  - none
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/os/os_mobile_file_integrity_enable.yaml b/rules/os/os_mobile_file_integrity_enable.yaml
@@ -1,6 +1,6 @@
 id: os_mobile_file_integrity_enable
 title: Enable Apple Mobile File Integrity
-discussion: Mobile file integrity _MUST_ be ebabled.
+discussion: Mobile file integrity _MUST_ be enabled.
 check: |
   /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1"
 result:

diff --git a/rules/os/os_safari_popups_disabled.yaml b/rules/os/os_safari_popups_disabled.yaml
@@ -23,15 +23,13 @@ references:
     - N/A
   cis:
     benchmark:
-      - 6.3.9 (level 1)
+      - N/A
     controls v8:
-      - 9.1
+      - N/A
 macOS:
   - "14.0"
 tags:
-  - cis_lvl1
-  - cis_lvl2
-  - cisv8
+  - none
 mobileconfig: true
 mobileconfig_info:
   com.apple.Safari:

diff --git a/rules/os/os_safari_show_status_bar_enabled.yaml b/rules/os/os_safari_show_status_bar_enabled.yaml
@@ -23,7 +23,7 @@ references:
     - N/A
   cis:
     benchmark:
-      - 6.3.11 (level 1)
+      - 6.3.10 (level 1)
     controls v8:
       - 9.1
 macOS:

diff --git a/rules/os/os_time_offset_limit_configure.yaml b/rules/os/os_time_offset_limit_configure.yaml
@@ -28,14 +28,12 @@ references:
     - N/A
   cis:
     benchmark:
-      - 2.3.2.2 (level 1)
+      - N/A
     controls v8:
-      - 8.4
+      - N/A
 macOS:
   - '14.0'
 tags:
-  - cis_lvl1
-  - cis_lvl2
-  - cisv8
+  - none
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml
@@ -35,7 +35,7 @@ references:
     - 3.3.7
   cis:
     benchmark:
-      - N/A
+      - 2.3.2.2 (level 1)
     controls v8:
       - 8.4
   cmmc:
@@ -49,6 +49,8 @@ tags:
   - 800-53r5_high
   - 800-53r4_moderate
   - 800-53r4_high
+  - cis_lvl1
+  - cis_lvl2
   - cisv8
   - cnssi-1253_moderate
   - cnssi-1253_low

diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml
@@ -48,8 +48,8 @@ macOS:
 odv:
   hint: "Review the /System/Library/Security/authorization.plist file for more information."
   recommended: "authenticate-session-owner"
-  cis_lvl1: "use-login-window-ui"
-  cis_lvl2: "use-login-window-ui"
+  cis_lvl1: "authenticate-session-owner"
+  cis_lvl2: "authenticate-session-owner"
   stig: "authenticate-session-owner"
 tags:
   - 800-53r5_low

diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml
@@ -12,13 +12,16 @@ discussion: |
   |2.1.1.1 Audit iCloud Keychain +
   2.1.1.2 Audit iCloud Drive +
   2.1.1.4 Audit Security Keys Used With AppleIDs +
+  2.1.1.5 Audit Freeform Sync to iCloud +
+  2.1.1.6 Audit Find My Mac +
   2.1.2 Audit App Store Password Settings +
   2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information +
   2.5.1 Audit Siri Settings +
   2.6.1.3 Audit Location Services Access +
   2.6.2.1 Audit Full Disk Access for Applications +
   2.6.7 Audit Lockdown Mode +
   2.8.1 Audit Universal Control Settings +
+  2.9.1.1 Ensure the OS Is Not Active When Resuming from Standby (Intel) +
   2.11.2 Audit Touch ID +
   2.13.1 Audit Passwords System Preference Setting +
   2.14.1 Audit Game Center Settings +
@@ -60,7 +63,7 @@ discussion: |
   6.3.2 Audit History and Remove History Items +
   6.3.5 Audit Hide IP Address in Safari Setting +
   6.3.8 Audit Autofill +
-  6.3.10 Ensure JavaScript is Enabled in Safari +
+  6.3.9 Audit Pop-up Windows +
   |===
 check: |
 fix: |

diff --git a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml
@@ -37,7 +37,7 @@ references:
     - APPL-14-002210
   cis:
     benchmark:
-      - N/A
+      - 2.6.3 (level 2)
     controls v8:
       - 4.1
       - 4.8
@@ -55,6 +55,7 @@ tags:
   - 800-53r4_moderate
   - 800-53r4_high
   - 800-171
+  - cis_lvl2
   - cisv8
   - cnssi-1253_moderate
   - cnssi-1253_low

diff --git a/rules/system_settings/system_settings_rae_disable.yaml b/rules/system_settings/system_settings_rae_disable.yaml
@@ -14,7 +14,7 @@ fix: |
   /usr/sbin/systemsetup -setremoteappleevents off
   /bin/launchctl disable system/com.apple.AEServer
   ----
-  NOTE: Systemsetup with -setremoteappleevents flag will fail unless you grant Full Disk Access to systemsetup or it's parent process. Requires supervision.
+  NOTE: Systemsetup with -setremoteappleevents flag will fail unless you grant Full Disk Access to systemsetup or its parent process. Requires supervision.
 references:
   cce:
     - CCE-92981-0