From df372f00c780801ab536ba115ff2e1fe72497bb4 Mon Sep 17 00:00:00 2001
From: Dan Brodjieski
Date: Thu, 16 May 2024 16:09:49 -0400
Subject: [PATCH 01/13] Update Gemfile - lock version for rexml

---
 Gemfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Gemfile b/Gemfile
index e622c7fa7..d09a386e5 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,5 +1,6 @@
 source 'https://rubygems.org'
 
+gem 'rexml', '3.2.6'
 gem 'asciidoctor'
 gem 'asciidoctor-pdf'
 gem 'rouge', '3.30.0'

From d3a6dfe9d095e8202de2742e6b692171887da703 Mon Sep 17 00:00:00 2001
From: Allen Golbig
Date: Thu, 30 May 2024 08:28:24 -0400
Subject: [PATCH 02/13] [fix]gemfile - hardcode asciidoc 2.0.22

Hardcode asciidoc 2.0.22 to resolve table issue

Issue #399
---
 Gemfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Gemfile b/Gemfile
index d09a386e5..a374440ab 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
 gem 'rexml', '3.2.6'
-gem 'asciidoctor'
+gem 'asciidoctor', '2.0.22'
 gem 'asciidoctor-pdf'
 gem 'rouge', '3.30.0'

From 9e570bb537bee9d1890df631a54fd65c90fd1381 Mon Sep 17 00:00:00 2001
From: Allen Golbig
Date: Wed, 3 Jul 2024 17:36:59 -0400
Subject: [PATCH 03/13] initial changes for cis 1.1.0

---
 baselines/cis_lvl1.yaml | 4 ++--
 baselines/cis_lvl2.yaml | 6 ++----
 includes/mscp-data.yaml | 4 ++--
 .../os_hibernate_mode_destroyfvkeyonstandby_enable.yaml | 7 +++----
 rules/os/os_hibernate_mode_intel_enable.yaml | 8 +++-----
 rules/os/os_safari_popups_disabled.yaml | 8 +++-----
 rules/os/os_time_offset_limit_configure.yaml | 8 +++-----
 rules/os/os_time_server_enabled.yaml | 4 +++-
 rules/supplemental/supplemental_cis_manual.yaml | 3 ++-
 9 files changed, 23 insertions(+), 29 deletions(-)

diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml
index f4d15d621..3856c6ade 100644
--- a/baselines/cis_lvl1.yaml
+++ b/baselines/cis_lvl1.yaml
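Review bot: An exact pin such as `gem 'rexml', '3.2.6'` (and `gem 'asciidoctor', '2.0.22'` in the second Gemfile hunk) stops `bundle update` from picking up later patch releases of an XML parser that sits in the document build path, so fixes published for that line are silently skipped until someone edits the Gemfile again. If the pin exists only to avoid a known regression, a pessimistic constraint, `gem 'rexml', '~> 3.2.6'`, keeps the floor while allowing patch updates. The asciidoctor pin cites issue #399 in its commit message, but the rexml pin names no reason; a one-line comment above each pin saying why it exists and when it can be lifted would let a later maintainer unpin safely.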
@@ -1,6 +1,6 @@ -title: "macOS 14.0: Security Configuration - CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1)" +title: "macOS 14.0: Security Configuration - CIS Apple macOS 14.0 Sonoma v1.1.0 Benchmark (Level 1)" description: | - This guide describes the actions to take when securing a macOS 14.0 system against the CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1) security baseline. + This guide describes the actions to take when securing a macOS 14.0 system against the CIS Apple macOS 14.0 Sonoma v1.1.0 Benchmark (Level 1) security baseline. authors: | *macOS Security Compliance Project* diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml index c5c3dd20e..3881e7f84 100644 --- a/baselines/cis_lvl2.yaml +++ b/baselines/cis_lvl2.yaml @@ -1,6 +1,6 @@ -title: "macOS 14.0: Security Configuration - CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2)" +title: "macOS 14.0: Security Configuration - CIS Apple macOS 14.0 Sonoma v1.1.0 Benchmark (Level 2)" description: | - This guide describes the actions to take when securing a macOS 14.0 system against the CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2) security baseline. + This guide describes the actions to take when securing a macOS 14.0 system against the CIS Apple macOS 14.0 Sonoma v1.1.0 Benchmark (Level 2) security baseline. authors: | *macOS Security Compliance Project* @@ -49,8 +49,6 @@ profile: - os_gatekeeper_enable - os_guest_folder_removed - os_hibernate_mode_apple_silicon_enable - - os_hibernate_mode_destroyfvkeyonstandby_enable - - os_hibernate_mode_intel_enable - os_home_folders_secure - os_httpd_disable - os_install_log_retention_configure diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml index 39d6d1bdf..f02b873a1 100644 --- a/includes/mscp-data.yaml +++ b/includes/mscp-data.yaml 
@@ -83,8 +83,8 @@ titles: 800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact 800-53r5_low: NIST SP 800-53 Rev 5 Low Impact 800-171: NIST 800-171 Rev 2 - cis_lvl1: CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1) - cis_lvl2: CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2) + cis_lvl1: CIS Apple macOS 14.0 Sonoma v1.1.0 Benchmark (Level 1) + cis_lvl2: CIS Apple macOS 14.0 Sonoma v1.1.0 Benchmark (Level 2) cmmc_lvl1: US CMMC 2.0 Level 1 cmmc_lvl2: US CMMC 2.0 Level 2 cisv8: CIS Controls Version 8 diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml index 9ddb49bbd..44445bf55 100644 --- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml +++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml @@ -28,14 +28,13 @@ references: - N/A cis: benchmark: - - 2.9.1.3 (level 2) + - N/A controls v8: - - 4.1 + - N/A macOS: - '14.0' tags: - - cis_lvl2 - - cisv8 + - none mobileconfig: true mobileconfig_info: com.apple.MCX: diff --git a/rules/os/os_hibernate_mode_intel_enable.yaml b/rules/os/os_hibernate_mode_intel_enable.yaml index 3fb4a7b9f..136222283 100644 --- a/rules/os/os_hibernate_mode_intel_enable.yaml +++ b/rules/os/os_hibernate_mode_intel_enable.yaml @@ -53,14 +53,12 @@ references: - N/A cis: benchmark: - - 2.9.1.1 (level 2) + - N/A controls v8: - - 4.1 + - N/A macOS: - '14.0' tags: - - cis_lvl2 - - cisv8 - - i386 + - none mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_safari_popups_disabled.yaml b/rules/os/os_safari_popups_disabled.yaml index a9bab257c..f1643615d 100644 --- a/rules/os/os_safari_popups_disabled.yaml +++ b/rules/os/os_safari_popups_disabled.yaml @@ -23,15 +23,13 @@ references: - N/A cis: benchmark: - - 6.3.9 (level 1) + - N/A controls v8: - - 9.1 + - N/A macOS: - "14.0" tags: - - cis_lvl1 - - cis_lvl2 - - cisv8 + - none mobileconfig: true mobileconfig_info: com.apple.Safari: 
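Review bot: Dropping the `- i386` architecture tag from `os_hibernate_mode_intel_enable.yaml` looks unintentional: the hunk's purpose is to clear the CIS references, yet `tags:` ends up as `- none` alone, while the Apple Silicon counterpart later in this series (patch 05) keeps `- arm64` next to `- none`. If the architecture tag is what scopes the rule to Intel hosts, removing it is a behaviour change unrelated to the benchmark renumbering; keeping `  - i386` after `  - none` appears to be the intended shape. The `controls v8` change to `N/A` in the same hunk is consistent with the other de-listed rules on this line.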
diff --git a/rules/os/os_time_offset_limit_configure.yaml b/rules/os/os_time_offset_limit_configure.yaml index e43b61299..ae3f3965c 100644 --- a/rules/os/os_time_offset_limit_configure.yaml +++ b/rules/os/os_time_offset_limit_configure.yaml @@ -28,14 +28,12 @@ references: - N/A cis: benchmark: - - 2.3.2.2 (level 1) + - N/A controls v8: - - 8.4 + - N/A macOS: - '14.0' tags: - - cis_lvl1 - - cis_lvl2 - - cisv8 + - none mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml index af5c37e4f..5882bfb83 100644 --- a/rules/os/os_time_server_enabled.yaml +++ b/rules/os/os_time_server_enabled.yaml @@ -35,7 +35,7 @@ references: - 3.3.7 cis: benchmark: - - N/A + - 2.3.2.2 (level 1) controls v8: - 8.4 cmmc: @@ -49,6 +49,8 @@ tags: - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cis_lvl1 + - cis_lvl2 - cisv8 - cnssi-1253_moderate - cnssi-1253_low diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index e0dae1ec7..dfe509793 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml @@ -19,6 +19,7 @@ discussion: | 2.6.2.1 Audit Full Disk Access for Applications + 2.6.7 Audit Lockdown Mode + 2.8.1 Audit Universal Control Settings + + 2.9.1.1 Ensure the OS Is Not Active When Resuming from Standby (Intel) + 2.11.2 Audit Touch ID + 2.13.1 Audit Passwords System Preference Setting + 2.14.1 Audit Game Center Settings + @@ -60,7 +61,7 @@ discussion: | 6.3.2 Audit History and Remove History Items + 6.3.5 Audit Hide IP Address in Safari Setting + 6.3.8 Audit Autofill + - 6.3.10 Ensure JavaScript is Enabled in Safari + + 6.3.0 Audit Pop-up Windows + |=== check: | fix: | From 20493b37fb7d5656c77994e5daaa448000763799 Mon Sep 17 00:00:00 2001 
From: Allen Golbig Date: Thu, 4 Jul 2024 08:25:30 -0400 Subject: [PATCH 04/13] more changes for cis 1.1.0 --- rules/os/os_hibernate_mode_apple_silicon_enable.yaml | 6 ------ rules/os/os_safari_show_status_bar_enabled.yaml | 4 ++-- rules/supplemental/supplemental_cis_manual.yaml | 4 +++- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml index 78cdf08c0..1a5cb2a35 100644 --- a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml +++ b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml @@ -8,11 +8,9 @@ discussion: | Apple Silicon MacBooks should set sleep timeout to 10 minutes (600 seconds) or less and the display sleep timeout should be 15 minutes (900 seconds) or less but greater than the sleep setting. This setting ensures that MacBooks will not hibernate and require FileVault authentication whenever the display goes to sleep for a short period of time. - NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops. check: | error_count=0 if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then - hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}') sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}') displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}') @@ -22,9 +20,6 @@ check: | if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 15 ]] || [[ "$displaysleepMode" -lt "$sleepMode" ]]; then ((error_count++)) fi - if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then - ((error_count++)) - fi fi echo "$error_count" result: @@ -34,7 +29,6 @@ fix: | ---- /usr/bin/pmset -a sleep 10 /usr/bin/pmset -a displaysleep 15 - /usr/bin/pmset -a hibernatemode 25 ---- references: cce: 
diff --git a/rules/os/os_safari_show_status_bar_enabled.yaml b/rules/os/os_safari_show_status_bar_enabled.yaml index 98d04a297..a4f31f38e 100644 --- a/rules/os/os_safari_show_status_bar_enabled.yaml +++ b/rules/os/os_safari_show_status_bar_enabled.yaml @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-93015-6 + - N/A cci: - N/A 800-53r5: @@ -23,7 +23,7 @@ references: - N/A cis: benchmark: - - 6.3.11 (level 1) + - 6.3.10 (level 1) controls v8: - 9.1 macOS: diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index dfe509793..9e03f47f5 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml @@ -12,6 +12,8 @@ discussion: | |2.1.1.1 Audit iCloud Keychain + 2.1.1.2 Audit iCloud Drive + 2.1.1.4 Audit Security Keys Used With AppleIDs + + 2.1.1.5 Audit Freeform Sync to iCloud + + 2.1.1.6 Audit Find My Mac + 2.1.2 Audit App Store Password Settings + 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information + 2.5.1 Audit Siri Settings + @@ -61,7 +63,7 @@ discussion: | 6.3.2 Audit History and Remove History Items + 6.3.5 Audit Hide IP Address in Safari Setting + 6.3.8 Audit Autofill + - 6.3.0 Audit Pop-up Windows + + 6.3.9 Audit Pop-up Windows + |=== check: | fix: | From c205352ab72e47ea7dde54405f71c261a67d2434 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Tue, 9 Jul 2024 12:20:45 -0400 Subject: [PATCH 05/13] refactor[rules] Updated and added new CIS rules --- ...s_hibernate_mode_apple_silicon_enable.yaml | 13 +++-- .../os/os_safari_show_status_bar_enabled.yaml | 2 +- ...ttings_improve_siri_dictation_disable.yaml | 3 +- .../system_settings_siri_listen_disable.yaml | 42 +++++++++++++++ .../system_settings_sleep_enforce.yaml | 54 +++++++++++++++++++ 5 files changed, 108 insertions(+), 6 deletions(-) create mode 100644 rules/system_settings/system_settings_siri_listen_disable.yaml create mode 100644 rules/system_settings/system_settings_sleep_enforce.yaml diff --git a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml index 1a5cb2a35..303821b12 100644 --- a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml +++ b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml @@ -8,9 +8,11 @@ discussion: | Apple Silicon MacBooks should set sleep timeout to 10 minutes (600 seconds) or less and the display sleep timeout should be 15 minutes (900 seconds) or less but greater than the sleep setting. This setting ensures that MacBooks will not hibernate and require FileVault authentication whenever the display goes to sleep for a short period of time. + NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops. check: | error_count=0 if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then + hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}') sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}') displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}') 
@@ -20,6 +22,9 @@ check: | if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 15 ]] || [[ "$displaysleepMode" -lt "$sleepMode" ]]; then ((error_count++)) fi + if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then + ((error_count++)) + fi fi echo "$error_count" result: @@ -29,6 +34,7 @@ fix: | ---- /usr/bin/pmset -a sleep 10 /usr/bin/pmset -a displaysleep 15 + /usr/bin/pmset -a hibernatemode 25 ---- references: cce: @@ -47,14 +53,13 @@ references: - N/A cis: benchmark: - - 2.9.1.2 (level 2) + - N/A controls v8: - - 4.1 + - N/A macOS: - '14.0' tags: - - cis_lvl2 - - cisv8 + - none - arm64 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_safari_show_status_bar_enabled.yaml b/rules/os/os_safari_show_status_bar_enabled.yaml index a4f31f38e..4823e03bc 100644 --- a/rules/os/os_safari_show_status_bar_enabled.yaml +++ b/rules/os/os_safari_show_status_bar_enabled.yaml @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-93015-6 cci: - N/A 800-53r5: diff --git a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml index b70261b56..515c3533f 100644 --- a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml +++ b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml @@ -37,7 +37,7 @@ references: - APPL-14-002210 cis: benchmark: - - N/A + - 2.6.3 (level 2) controls v8: - 4.1 - 4.8 @@ -55,6 +55,7 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 + - cis_lvl2 - cisv8 - cnssi-1253_moderate - cnssi-1253_low diff --git a/rules/system_settings/system_settings_siri_listen_disable.yaml b/rules/system_settings/system_settings_siri_listen_disable.yaml new file mode 100644 index 000000000..ffc38fd63 --- /dev/null +++ b/rules/system_settings/system_settings_siri_listen_disable.yaml 
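Review bot: The re-added `hibernateMode` assertion in the `@@ -20,6 +22,9 @@` hunk lands in a check that still tests `sleepMode` and `displaysleepMode`, the exact conditions that the new `system_settings_sleep_enforce` rule in this same commit now owns, so a MacBook with display sleep above 15 minutes fails both rules and the `fix` block repeats both `pmset` commands. Now that this rule's benchmark reference is `N/A` and its only distinct content is `hibernatemode 25`, narrowing the check to the `hibernateMode` test and the fix to `/usr/bin/pmset -a hibernatemode 25` would remove the overlap. The `[[ "$hibernateMode" != 25 ]]` test is a string comparison, which is fine as long as `pmset -g` prints the bare integer. The `check: |` block starts in the previous hunk.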
@@ -0,0 +1,42 @@ +id: system_settings_siri_listen_disable +title: "Ensure Siri Listen For is Disabled" +discussion: | + Siri has the ability to listen for "Hey Siri" or "Siri". Listen for _MUST_ be disabled. +check: | + /usr/bin/sudo /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.Siri')\ + .objectForKey('VoiceTriggerUserEnabled').js + EOS +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A + cis: + benchmark: + - 2.5.2 (level 1) + controls v8: + - 4.1 + - 4.8 +macOS: + - "14.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.siri: + VoiceTriggerUserEnabled: false diff --git a/rules/system_settings/system_settings_sleep_enforce.yaml b/rules/system_settings/system_settings_sleep_enforce.yaml new file mode 100644 index 000000000..9a6e8af53 --- /dev/null +++ b/rules/system_settings/system_settings_sleep_enforce.yaml 
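Review bot: The check in `system_settings_siri_listen_disable.yaml` prints `.objectForKey('VoiceTriggerUserEnabled').js`, which for the boolean the profile sets (`VoiceTriggerUserEnabled: false`) should print `false`/`true`, yet the expected `result:` is `integer: 1`; as written the rule does not appear able to match the disabled state it enforces, and `result:` / `  boolean: false` looks like the intended pair — confirm against how the generated compliance script compares results. The check also reads suite `com.apple.Siri` while `mobileconfig_info` writes `com.apple.siri`; the two should agree on one domain spelling so the profile the project generates is the one the check reads. Finally, the `/usr/bin/sudo` prefix on `osascript` is redundant when the generated script already runs as root and will stall on a password prompt when it does not; none of the other checks on this page invoke `sudo`.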
@@ -0,0 +1,54 @@ +id: system_settings_sleep_enforce +title: Enforce Display Sleep (Apple Silicon) +discussion: | + Display Sleep _MUST_ be enforced on Apple Silicon MacBooks. +check: | + error_count=0 + if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then + sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}') + displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}') + + if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 10 ]]; then + ((error_count++)) + fi + if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 15 ]] || [[ "$displaysleepMode" -lt "$sleepMode" ]]; then + ((error_count++)) + fi + fi + echo "$error_count" +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/bin/pmset -a sleep 10 + /usr/bin/pmset -a displaysleep 15 + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.9.1.2 (level 2) + controls v8: + - 4.1 +macOS: + - '14.0' +tags: + - cis_lvl2 + - cisv8 + - arm64 +mobileconfig: false +mobileconfig_info: From cbf3aea6d0748e72008216c9ee3537ed929e2665 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 9 Jul 2024 15:00:02 -0400 Subject: [PATCH 06/13] refactor[baselines] Rebuilt baseline files Rebuilt all_rules, cisv8, cis_lvl1, cis_lvl2 --- baselines/all_rules.yaml | 7 +++++++ baselines/cis_lvl1.yaml | 4 ++-- baselines/cis_lvl2.yaml | 7 ++++--- baselines/cisv8.yaml | 7 ++----- 4 files changed, 15 insertions(+), 10 deletions(-) diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index ff0de1df6..ed7c0b8be 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml 
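Review bot: The check in `system_settings_sleep_enforce.yaml` accepts `sleep 0` and `displaysleep 0` as compliant: `[[ "$sleepMode" -gt 10 ]]` is false for 0, and with both values at 0 the `-lt "$sleepMode"` test passes too, yet `pmset` uses 0 to mean "never sleep", the opposite of what the rule enforces. Rejecting 0 explicitly, `if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -eq 0 ]] || [[ "$sleepMode" -gt 10 ]]; then` and the same for `displaysleepMode`, closes that gap. Two smaller points: the check reads battery settings only (`pmset -b -g`) while the fix writes every power source (`pmset -a`), so a host whose AC profile is lax still passes — `discussion` should say which is intended; and `discussion` should state the 10/15-minute thresholds the check hard-codes, as the `os_hibernate_mode_apple_silicon_enable` rule this was copied from does.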
@@ -116,12 +116,14 @@ profile: - os_library_validation_enabled - os_loginwindow_adminhostinfo_undefined - os_mail_app_disable + - os_malicious_code_prevention - os_mdm_require - os_messages_app_disable - os_mobile_file_integrity_enable - os_newsyslog_files_owner_group_configure - os_newsyslog_files_permissions_configure - os_nfsd_disable + - os_obscure_password - os_on_device_dictation_enforce - os_parental_controls_enable - os_password_autofill_disable @@ -166,6 +168,7 @@ profile: - os_sshd_login_grace_time_configure - os_sshd_permit_root_login_configure - os_sshd_unused_connection_timeout_configure + - os_store_encrypted_passwords - os_sudo_timeout_configure - os_sudoers_timestamp_type_configure - os_system_read_only @@ -187,6 +190,7 @@ profile: - pwpolicy_account_lockout_timeout_enforce - pwpolicy_alpha_numeric_enforce - pwpolicy_custom_regex_enforce + - pwpolicy_force_password_change - pwpolicy_history_enforce - pwpolicy_lower_case_character_enforce - pwpolicy_max_lifetime_enforce @@ -240,7 +244,9 @@ profile: - system_settings_screensaver_password_enforce - system_settings_screensaver_timeout_enforce - system_settings_siri_disable + - system_settings_siri_listen_disable - system_settings_siri_settings_disable + - system_settings_sleep_enforce - system_settings_smbd_disable - system_settings_software_update_app_update_enforce - system_settings_software_update_download_enforce @@ -260,6 +266,7 @@ profile: - system_settings_wake_network_access_disable - system_settings_wallet_applepay_settings_disable - system_settings_wifi_disable + - system_settings_wifi_disable_when_connected_to_ethernet - system_settings_wifi_menu_enable - section: "Inherent" rules: diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml index 3856c6ade..e2c0487e4 100644 --- a/baselines/cis_lvl1.yaml +++ b/baselines/cis_lvl1.yaml 
@@ -49,7 +49,6 @@ profile: - os_root_disable - os_safari_advertising_privacy_protection_enable - os_safari_open_safe_downloads_disable - - os_safari_popups_disabled - os_safari_prevent_cross-site_tracking_enable - os_safari_show_full_website_address_enable - os_safari_show_status_bar_enabled @@ -61,7 +60,7 @@ profile: - os_sudoers_timestamp_type_configure - os_system_wide_applications_configure - os_terminal_secure_keyboard_enable - - os_time_offset_limit_configure + - os_time_server_enabled - os_unlock_active_user_session_disable - os_world_writable_system_folder_configure - section: "passwordpolicy" @@ -96,6 +95,7 @@ profile: - system_settings_screen_sharing_disable - system_settings_screensaver_ask_for_password_delay_enforce - system_settings_screensaver_timeout_enforce + - system_settings_siri_listen_disable - system_settings_smbd_disable - system_settings_software_update_app_update_enforce - system_settings_software_update_download_enforce diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml index 3881e7f84..a5b06b7d5 100644 --- a/baselines/cis_lvl2.yaml +++ b/baselines/cis_lvl2.yaml @@ -48,7 +48,6 @@ profile: - os_firewall_log_enable - os_gatekeeper_enable - os_guest_folder_removed - - os_hibernate_mode_apple_silicon_enable - os_home_folders_secure - os_httpd_disable - os_install_log_retention_configure @@ -62,7 +61,6 @@ profile: - os_root_disable - os_safari_advertising_privacy_protection_enable - os_safari_open_safe_downloads_disable - - os_safari_popups_disabled - os_safari_prevent_cross-site_tracking_enable - os_safari_show_full_website_address_enable - os_safari_show_status_bar_enabled @@ -74,7 +72,7 @@ profile: - os_sudoers_timestamp_type_configure - os_system_wide_applications_configure - os_terminal_secure_keyboard_enable - - os_time_offset_limit_configure + - os_time_server_enabled - os_unlock_active_user_session_disable - os_world_writable_library_folder_configure - os_world_writable_system_folder_configure 
@@ -104,6 +102,7 @@ profile: - system_settings_guest_access_smb_disable - system_settings_guest_account_disable - system_settings_hot_corners_secure + - system_settings_improve_siri_dictation_disable - system_settings_install_macos_updates_enforce - system_settings_internet_sharing_disable - system_settings_location_services_enable @@ -119,6 +118,8 @@ profile: - system_settings_screen_sharing_disable - system_settings_screensaver_ask_for_password_delay_enforce - system_settings_screensaver_timeout_enforce + - system_settings_siri_listen_disable + - system_settings_sleep_enforce - system_settings_smbd_disable - system_settings_software_update_app_update_enforce - system_settings_software_update_download_enforce diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml index d8430d593..fcf5bf474 100644 --- a/baselines/cisv8.yaml +++ b/baselines/cisv8.yaml @@ -78,9 +78,6 @@ profile: - os_gatekeeper_enable - os_gatekeeper_rearm - os_handoff_disable - - os_hibernate_mode_apple_silicon_enable - - os_hibernate_mode_destroyfvkeyonstandby_enable - - os_hibernate_mode_intel_enable - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable @@ -100,7 +97,6 @@ profile: - os_root_disable - os_safari_advertising_privacy_protection_enable - os_safari_open_safe_downloads_disable - - os_safari_popups_disabled - os_safari_prevent_cross-site_tracking_enable - os_safari_show_full_website_address_enable - os_safari_show_status_bar_enabled @@ -115,7 +111,6 @@ profile: - os_system_wide_applications_configure - os_terminal_secure_keyboard_enable - os_tftpd_disable - - os_time_offset_limit_configure - os_time_server_enabled - os_touchid_prompt_disable - os_unlock_active_user_session_disable 
@@ -171,7 +166,9 @@ profile: - system_settings_screensaver_ask_for_password_delay_enforce - system_settings_screensaver_timeout_enforce - system_settings_siri_disable + - system_settings_siri_listen_disable - system_settings_siri_settings_disable + - system_settings_sleep_enforce - system_settings_smbd_disable - system_settings_software_update_app_update_enforce - system_settings_software_update_download_enforce From 7670e768b22a9b14732e5cb14241ba485174a501 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 9 Jul 2024 15:00:36 -0400 Subject: [PATCH 07/13] refactor[rules] Added CCEs Added CCEs to * system_settings_siri_listen_disable * system_settings_sleep_enforce --- rules/system_settings/system_settings_siri_listen_disable.yaml | 2 +- rules/system_settings/system_settings_sleep_enforce.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/system_settings/system_settings_siri_listen_disable.yaml b/rules/system_settings/system_settings_siri_listen_disable.yaml index ffc38fd63..d98bd9753 100644 --- a/rules/system_settings/system_settings_siri_listen_disable.yaml +++ b/rules/system_settings/system_settings_siri_listen_disable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-93022-2 cci: - N/A 800-53r5: diff --git a/rules/system_settings/system_settings_sleep_enforce.yaml b/rules/system_settings/system_settings_sleep_enforce.yaml index 9a6e8af53..4f9f6c53d 100644 --- a/rules/system_settings/system_settings_sleep_enforce.yaml +++ b/rules/system_settings/system_settings_sleep_enforce.yaml @@ -26,7 +26,7 @@ fix: | ---- references: cce: - - N/A + - CCE-93023-0 cci: - N/A 800-53r5: From 901049a39add86ec45249846bba0fc1ea920b211 Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Mon, 22 Jul 2024 10:58:23 -0400 Subject: [PATCH 08/13] fix[rule]: updated ODV for CIS values --- rules/os/os_unlock_active_user_session_disable.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml
index f444a7f67..9542db471 100644
--- a/rules/os/os_unlock_active_user_session_disable.yaml
+++ b/rules/os/os_unlock_active_user_session_disable.yaml
@@ -48,8 +48,8 @@ macOS:
 odv:
   hint: "Review the /System/Library/Security/authorization.plist file for more information."
   recommended: "authenticate-session-owner"
-  cis_lvl1: "use-login-window-ui"
-  cis_lvl2: "use-login-window-ui"
+  cis_lvl1: "authenticate-session-owner"
+  cis_lvl2: "authenticate-session-owner"
   stig: "authenticate-session-owner"
 tags:
   - 800-53r5_low

From e53d338597f8fc4c731137213595dc3c45f7d6e6 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 24 Jul 2024 12:12:26 -0400
Subject: [PATCH 09/13] CIS Benchmark 1.1

---
 includes/mscp-data.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml
index f02b873a1..1c29e75ae 100644
--- a/includes/mscp-data.yaml
+++ b/includes/mscp-data.yaml
@@ -91,4 +91,4 @@ titles:
   cnssi-1253_low: Committee on National Security Systems Instruction No. 1253 (Low)
   cnssi-1253_moderate: Committee on National Security Systems Instruction No. 1253 (Moderate)
   cnssi-1253_high: Committee on National Security Systems Instruction No. 1253 (High)
-  stig: Apple macOS 14 (Sonoma) STIG - Ver 1, Rel 1
+  stig: Apple macOS 14 (Sonoma) STIG - Ver 2, Rel 1

From f333a44d7fc858aa4e7f9d6a046f9703ef05edd1 Mon Sep 17 00:00:00 2001
From: Dan Brodjieski
Date: Fri, 23 Aug 2024 08:35:12 -0400
Subject: [PATCH 10/13] fix[script]: date format for compliance timestamp

When a compliance scan is run using a generated script, the stored value now reflects a UTC timestamp that is both human readable and easily converted to other usable formats if needed.

Issue #405
---
 scripts/generate_guidance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

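Review bot: The ODV change from `use-login-window-ui` to `authenticate-session-owner` for `cis_lvl1`/`cis_lvl2` appears to relax the unlock behaviour (the session owner can unlock in place rather than being sent to the login window), but neither the hunk nor the commit message records which CIS 1.1.0 recommendation motivated it. Since `odv.hint` is the only guidance a reader of the rule sees, extending it — e.g. `hint: "Review the /System/Library/Security/authorization.plist file for more information. The CIS values follow the benchmark's recommendation for the screen-unlock right."` — keeps the rationale next to the value. A reference to the benchmark item in the commit message would also make the change auditable later.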
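Review bot: The commit subject `CIS Benchmark 1.1` does not describe this hunk, which changes the `stig` title from `Ver 1, Rel 1` to `Ver 2, Rel 1`; the CIS titles in the same file were already updated earlier in the series (patch 03). A subject such as `Update STIG title to Ver 2, Rel 1` would keep `git log` searchable for the STIG revision. If the revision bump also implies changes to rule-level `disa_stig` references, those are not in this series and may be worth tracking separately.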
diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py
index 2cc0248ef..29b384b91 100755
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
@@ -834,7 +834,7 @@ def generate_script(baseline_name, audit_name, build_path, baseline_yaml, refere
 /usr/bin/mcxrefresh -u $CURR_USER_UID
 
 # write timestamp of last compliance check
-/usr/bin/defaults write "$audit_plist" lastComplianceCheck "$(date)"
+/usr/bin/defaults write "$audit_plist" lastComplianceCheck "$(date +"%Y-%m-%d %H:%M:%S%z")"
 """
 
     # Read all rules in the section and output the check functions

From 09e3aeacd38691cce6b9e8be178f6eb0fd8c669c Mon Sep 17 00:00:00 2001
From: Elliot Jordan
Date: Tue, 27 Aug 2024 07:26:26 -0700
Subject: [PATCH 11/13] Grammar fix (#408)

Co-authored-by: Bob Gendler
---
 rules/system_settings/system_settings_rae_disable.yaml | 2 +-
 rules/system_settings/system_settings_ssh_disable.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/system_settings/system_settings_rae_disable.yaml b/rules/system_settings/system_settings_rae_disable.yaml
index ee689e1e0..8fe8cbfc1 100644
--- a/rules/system_settings/system_settings_rae_disable.yaml
+++ b/rules/system_settings/system_settings_rae_disable.yaml
@@ -14,7 +14,7 @@ fix: |
   /usr/sbin/systemsetup -setremoteappleevents off
   /bin/launchctl disable system/com.apple.AEServer
   ----
-  NOTE: Systemsetup with -setremoteappleevents flag will fail unless you grant Full Disk Access to systemsetup or it's parent process. Requires supervision.
+  NOTE: Systemsetup with -setremoteappleevents flag will fail unless you grant Full Disk Access to systemsetup or its parent process. Requires supervision.
 references:
   cce:
     - CCE-92981-0
diff --git a/rules/system_settings/system_settings_ssh_disable.yaml b/rules/system_settings/system_settings_ssh_disable.yaml
index 954d00d59..1ead068de 100644
--- a/rules/system_settings/system_settings_ssh_disable.yaml
+++ b/rules/system_settings/system_settings_ssh_disable.yaml
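Review bot: The new `date +"%Y-%m-%d %H:%M:%S%z"` in the `lastComplianceCheck` line emits local time with a numeric offset, not the UTC timestamp the commit message promises; `date -u +"%Y-%m-%dT%H:%M:%SZ"` yields an unambiguous UTC, ISO 8601 value that `date -j -f` and most tooling parse directly. If local time with an offset is what consumers of the plist actually want, the message and the comment above the line should say so, e.g. `# write local timestamp (with UTC offset) of last compliance check`. `generate_script` continues on both sides of this hunk.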
@@ -12,7 +12,7 @@ fix: | /usr/sbin/systemsetup -f -setremotelogin off >/dev/null /bin/launchctl disable system/com.openssh.sshd ---- - NOTE: Systemsetup with -setremotelogin flag will fail unless you grant Full Disk Access to systemsetup or it's parent process. Requires supervision. + NOTE: Systemsetup with -setremotelogin flag will fail unless you grant Full Disk Access to systemsetup or its parent process. Requires supervision. references: cce: - CCE-92994-3 From a8e6d6713bd15060cd44c1ee0a8030d1b4102c8f Mon Sep 17 00:00:00 2001 From: Elliot Jordan Date: Tue, 27 Aug 2024 07:26:45 -0700 Subject: [PATCH 12/13] Spelling fixes (#409) Co-authored-by: Bob Gendler --- rules/os/os_application_sandboxing.yaml | 2 +- rules/os/os_mobile_file_integrity_enable.yaml | 2 +- scripts/generate_guidance.py | 6 +++--- scripts/generate_scap.py | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/os/os_application_sandboxing.yaml b/rules/os/os_application_sandboxing.yaml index 4f438de74..04bda7365 100644 --- a/rules/os/os_application_sandboxing.yaml +++ b/rules/os/os_application_sandboxing.yaml @@ -1,5 +1,5 @@ id: os_application_sandboxing -title: Ensure Seperate Execution Domain for Processes +title: Ensure Separate Execution Domain for Processes discussion: | The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing. diff --git a/rules/os/os_mobile_file_integrity_enable.yaml b/rules/os/os_mobile_file_integrity_enable.yaml index 7b39fc89e..315e3ec62 100644 --- a/rules/os/os_mobile_file_integrity_enable.yaml +++ b/rules/os/os_mobile_file_integrity_enable.yaml 
@@ -1,6 +1,6 @@ id: os_mobile_file_integrity_enable title: Enable Apple Mobile File Integrity -discussion: Mobile file integrity _MUST_ be ebabled. +discussion: Mobile file integrity _MUST_ be enabled. check: | /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1" result: diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 2cc0248ef..a2aee6ca5 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -1104,7 +1104,7 @@ def generate_script(baseline_name, audit_name, build_path, baseline_yaml, refere " " "Optional parameters:" "--check : run the compliance checks without interaction" - "--fix : run the remediation commands without interation" + "--fix : run the remediation commands without interaction" "--cfc : runs a check, fix, check without interaction" "--stats : display the statistics from last compliance check" "--compliant : reports the number of compliant checks" @@ -1347,7 +1347,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(0, 14, "CIS v8", headers) sheet1.write(0, 15, "CMMC", headers) sheet1.write(0, 16, "CCI", headers) - sheet1.write(0, 17, "Modifed Rule", headers) + sheet1.write(0, 17, "Modified Rule", headers) sheet1.set_panes_frozen(True) sheet1.set_horz_split_pos(1) sheet1.set_vert_split_pos(2) @@ -1761,7 +1761,7 @@ def main(): pdf_theme="mscp-theme.yml" themes = glob.glob('../custom/templates/*theme*.yml') if len(themes) > 1 : - print("Found muliple custom themes in directory, only one can exist, using default") + print("Found multiple custom themes in directory, only one can exist, using default") elif len(themes) == 1 : print(f"Found custom PDF theme: {themes[0]}") pdf_theme = themes[0] diff --git a/scripts/generate_scap.py b/scripts/generate_scap.py index 1dbfc802b..0f25ebc4c 100755 --- a/scripts/generate_scap.py +++ b/scripts/generate_scap.py 
@@ -361,7 +361,7 @@ def generate_scap(all_rules, all_baselines, args): else: severity = "unknown" check_rule = str() - if "inherent" in rule_yaml['tags'] or "n_a" in rule_yaml['tags'] or "permenant" in rule_yaml['tags']: + if "inherent" in rule_yaml['tags'] or "n_a" in rule_yaml['tags'] or "permanent" in rule_yaml['tags']: check_rule = ''' ''' From 8d3ac525e4708b89223e11db3535a4fca2a42dd8 Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Tue, 27 Aug 2024 11:31:18 -0400 Subject: [PATCH 13/13] merging changes from dev_sonoma_issue400 --- scripts/generate_baseline.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py index 4f24cf4f6..e31f0a6ad 100755 --- a/scripts/generate_baseline.py +++ b/scripts/generate_baseline.py @@ -132,12 +132,12 @@ def collect_rules(): #print("expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule)) rule_yaml[key].update({reference: ["None"]}) - all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\|'), - rule_yaml['id'].replace('|', '\|'), - rule_yaml['severity'].replace('|', '\|'), - rule_yaml['discussion'].replace('|', '\|'), - rule_yaml['check'].replace('|', '\|'), - rule_yaml['fix'].replace('|', '\|'), + all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\\|'), + rule_yaml['id'].replace('|', '\\|'), + rule_yaml['severity'].replace('|', '\\|'), + rule_yaml['discussion'].replace('|', '\\|'), + rule_yaml['check'].replace('|', '\\|'), + rule_yaml['fix'].replace('|', '\\|'), rule_yaml['references']['cci'], rule_yaml['references']['cce'], rule_yaml['references']['800-53r4'],
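Review bot: Correcting `"permenant"` to `"permanent"` in the `rule_yaml['tags']` test changes behaviour, not just spelling: any rule file still tagged with the old spelling would no longer receive the empty `check_rule` and would fall through to whatever the rest of the function generates for ordinary rules. Verify with a search over `rules/` that no YAML uses `permenant` before merging, or accept both spellings for one release, `if any(t in rule_yaml['tags'] for t in ("inherent", "n_a", "permanent", "permenant")):`. The enclosing `generate_scap` body continues outside the hunk.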
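Review bot: The six `.replace('|', '\\|')` calls in the `MacSecurityRule(...)` constructor now avoid the invalid-escape warning (the old `'\|'` already produced the same backslash-pipe bytes), but the pipe escaping is repeated once per field and will drift the next time a field is added; a small module-level helper, `def _escape_pipe(text): return text.replace('|', '\\|')`, called as `_escape_pipe(rule_yaml['title'])`, keeps the rule in one place. A raw string, `r'\|'`, is the other readable spelling if the inline form is kept. `collect_rules` starts and continues outside this hunk.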