Merge branch 'monterey'

CHANGELOG.adoc

@@ -2,6 +2,89 @@
 
 This document provides a high-level view of the changes to the macOS Security Compliance Project.
 
+== [Monterey, Revision 2] - 2022-03-XX
+
+* Rules
+** Added Rules
+*** audit_control_acls_configure
+*** audit_control_group_configure
+*** audit_control_mode_configure
+*** audit_control_owner_configure
+*** audit_flags_configure
+*** audit_retention_configure_sixty_days
+*** os_application_sandbox
+*** os_blank_bluray_disable
+*** os_blank_cd_disable
+*** os_blank_dvd_disable
+*** os_bluray_read_only_enforce
+*** os_burn_support_disable
+*** os_cd_read_only_enforce
+*** os_disk_image_disable
+*** os_dvdram_disable
+*** os_efi_integrity_validated
+*** os_erase_content_and_settings_disabled
+*** os_guest_folder_removed
+*** os_hibernate_mode_destroyfvkeyonstandby_enable
+*** os_hibernate_mode_enable
+*** os_install_log_retention_configure
+*** os_library_validation_enabled
+*** os_mobile_file_integrity_enable
+*** os_password_hint_remove
+*** os_safari_open_safe_downloads
+*** os_show_filename_extensions_enable
+*** os_skip_screen_time_prompt_enable
+*** os_sudo_timeout_configure
+*** os_system_wide_applications_configure
+*** os_terminal_secure_keyboard_enable
+*** os_time_offset_limit_configure
+*** os_world_writable_library_folder_configure
+*** os_world_writable_system_folder_configure
+*** pwpolicy_account_lockout_enforce_five
+*** pwpolicy_history_enforce_fifteen
+*** supplemental_cis_manual
+*** sysprefs_bluetooth_menu_enable
+*** sysprefs_bluetooth_unpaired_disable
+*** sysprefs_cd_dvd_sharing_disable
+*** sysprefs_hot_corners_secure
+*** sysprefs_install_macos_updates_enforce
+*** sysprefs_location_services_audit
+*** sysprefs_location_services_enable
+*** sysprefs_loginwindow_loginwindowtext_enable
+*** sysprefs_printer_sharing_disable
+*** sysprefs_remote_management_disable
+*** sysprefs_software_update_app_update_enforce.yaml
+*** sysprefs_software_update_download_enforce.yaml
+*** sysprefs_software_update_enforce.yaml
+*** sysprefs_softwareupdate_current.yaml
+*** sysprefs_time_machine_auto_backup_enable.yaml
+*** sysprefs_time_machine_encrypted_configure.yaml
+*** sysprefs_wake_network_access_disable.yaml
+*** sysprefs_wifi_menu_enable.yaml
+** Modified Rules
+*** sysprefs_airplay_receiver_disable
+*** Updated checks for configuration profiles
+** Bug Fixes
+
+* Baselines
+** Added CIS Level 1 & 2
+** Added DISA STIG
+
+* Scripts
+** generate_guidance
+*** Added support for CIS
+*** Bug Fixes
+** generate_baseline
+*** Bug Fixes
+** generate_mappings
+*** Bug Fixes
+** generate_oval
+*** Renamed Script
+*** plist510 tests updated to plist511
+*** Bug Fixes
+
+* SCAP
+** Bug Fixes
+
 == [Monterey, Revision 1] - 2021-10-20
 
 * Rules

SCAP/Makefile

@@ -6,13 +6,16 @@ DIR		= ../build/All_rules
 VERSION	= $(shell ./version.sh)
 OS = $(shell ./os.sh)
 
-all: inputs tidy XCCDF datastream report beautify
+all: generate_cpe inputs tidy XCCDF datastream report beautify
+
+generate_cpe: 
+	./generate_cpe.sh
 
 inputs:
 	# generate the HTML checklist document
 	../scripts/generate_guidance.py -g ../baselines/all_rules.yaml 2>/dev/null
 	# generate the related OVAL content
-	../scripts/yaml-to-oval.py ../baselines/all_rules.yaml
+	../scripts/generate_oval.py ../baselines/all_rules.yaml
 	# outputs end up in ${DIR}
 
 tidy:
@@ -36,8 +39,8 @@ XCCDF:
 	       	-o:${DIR}/xccdf.xml \
 		SCAP-version=1.3 \
 		id-namespace=content.mscp.nist.gov \
-		benchmark-id-suffix=macOS_12.0 \
-		OVAL-URI=${DIR}/All_rules.xml \
+		benchmark-id-suffix=macOS_${OS} \
+		OVAL-URI=${DIR}/all_rules.xml \
 		include-CPE=1
 	# the input OVAL document will be copied to a companion of the XCCDF document named 'oval.xml'
 	# a gratuitous OCIL document is provided
@@ -52,7 +55,7 @@ datastream:
 		-o:${DIR}/datastream.xml \
 		SCAP-version=1.3 \
 		id-namespace=content.mscp.nist.gov \
-		datastream-id-suffix=macOS_12.0 \
+		datastream-id-suffix=macOS_${OS} \
 		include-CPE=1
 
 report:

SCAP/generate_cpe.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+
+OS=$(/usr/bin/awk -F ": " '/os: /{print $2}' ../VERSION.yaml | /usr/bin/tr -d '"')
+CPE=$(/usr/bin/awk '/cpe/{print $2}'  ../VERSION.yaml )
+CREATIONDATE=$(date -j -f "%a %b %d %T %Z %Y" "$(date)" "+%Y-%m-%dT%TZ")
+
+/bin/cat > macos-cpe-oval.xml << EOO
+<?xml version="1.0" encoding="UTF-8"?>
+<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xsi:schemaLocation=" http://oval.mitre.org/XMLSchema/oval-definitions-5 https://raw.githubusercontent.com/OVALProject/Language/5.11.2/schemas/oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent https://raw.githubusercontent.com/OVALProject/Language/5.11.2/schemas/independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#macos https://raw.githubusercontent.com/OVALProject/Language/5.11.2/schemas/macos-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix https://raw.githubusercontent.com/OVALProject/Language/5.11.2/schemas/unix-definitions-schema.xsd">
+    <generator>
+        <oval:product_name>macOS Security Compliance Project</oval:product_name>
+        <oval:schema_version>5.11.2</oval:schema_version>
+        <oval:timestamp>$CREATIONDATE</oval:timestamp>
+    </generator>
+    <definitions>
+        <definition id="oval:gov.nist.mscp.content.cpe.oval:def:1" version="1" class="inventory">
+            <metadata>
+                <title>Apple macOS $OS is installed</title>
+                <affected family="macos">
+                    <platform>macOS</platform>
+                </affected>
+                <reference source="CPE" ref_id="cpe:/$CPE"/>
+                <description>The operating system installed on the system is Apple macOS ($OS).</description>
+            </metadata>
+            <criteria operator="AND">
+                <criterion comment="The Installed Operating System is Part of the Mac OS Family" test_ref="oval:gov.nist.mscp.content.cpe:tst:1"/>
+                <criterion comment="Apple macOS version is greater than or equal to $OS" test_ref="oval:gov.nist.mscp.content.cpe:tst:2"/>
+            </criteria>
+        </definition>
+    </definitions>
+    <tests>
+        <family_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="only_one_exists"
+            comment="The Installed Operating System is Part of the macOS Family" id="oval:gov.nist.mscp.content.cpe:tst:1" version="1">
+            <object object_ref="oval:gov.nist.mscp.content.cpe:obj:1"/>
+            <state state_ref="oval:gov.nist.mscp.content.cpe:ste:1"/>
+        </family_test>
+        <plist511_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="Apple macOS version is greater than $OS"
+            id="oval:gov.nist.mscp.content.cpe:tst:2" version="2">
+            <object object_ref="oval:gov.nist.mscp.content.cpe:obj:2"/>
+            <state state_ref="oval:gov.nist.mscp.content.cpe:ste:2"/>
+        </plist511_test>
+    </tests>
+    <objects>
+        <family_object id="oval:gov.nist.mscp.content.cpe:obj:1" version="1" comment="This variable_object represents the family that the operating system belongs to."
+            xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"/>
+        <plist511_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" comment="The macOS product version plist object." id="oval:gov.nist.mscp.content.cpe:obj:2" version="1">
+            <filepath>/System/Library/CoreServices/SystemVersion.plist</filepath>
+            <xpath>//*[contains(text(), "ProductVersion")]/following-sibling::*[1]/text()</xpath>
+        </plist511_object>
+    </objects>
+    <states>
+        <family_state id="oval:gov.nist.mscp.content.cpe:ste:1" version="1" comment="The OS is part of the macOS Family." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
+            <family>macos</family>
+        </family_state>
+        <plist511_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" comment="Is the value is greater than or equal to $OS" id="oval:gov.nist.mscp.content.cpe:ste:2" version="1">
+            <value_of datatype="version" operation="greater than or equal">$OS</value_of>
+        </plist511_state>
+    </states>
+</oval_definitions>
+
+EOO
+
+/bin/cat > macos-cpe-dictionary.xml << EOCPE
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!-- This is a Common Platform Enumeration (CPE) 2.3 document -->
+<!-- See https://doi.org/10.6028/NIST.IR.7697 -->
+
+<!-- See https://www.w3.org/TR/xml-model/ -->
+<?xml-model href="https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="CPE XML schema"?>
+<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3">
+    <generator>
+        <product_name>macOS Security Compliance Project</product_name>
+        <schema_version>2.3</schema_version>
+        <timestamp>$CREATIONDATE</timestamp>
+    </generator>
+    <cpe-item name="cpe:/$CPE">
+        <title xml:lang="en-US">Apple macOS $OS</title>
+        <notes xml:lang="en-US">
+            <note>This CPE Name represents macOS $OS</note>
+        </notes>
+        <check href="macos-cpe-oval.xml" system="http://oval.mitre.org/XMLSchema/oval-definitions-5">oval:gov.nist.mscp.content.cpe.oval:def:1</check>
+        <cpe-23:cpe23-item name="cpe:2.3:$CPE:*:*:*:*:*:*:*"/>
+    </cpe-item>
+</cpe-list>
+
+EOCPE

SCAP/macos-cpe-dictionary.xml

@@ -9,7 +9,7 @@
     <generator>
         <product_name>macOS Security Compliance Project</product_name>
         <schema_version>2.3</schema_version>
-        <timestamp>2021-09-16T15:35:10Z</timestamp>
+        <timestamp>2022-02-10T12:16:51Z</timestamp>
     </generator>
     <cpe-item name="cpe:/o:apple:macos:12.0">
         <title xml:lang="en-US">Apple macOS 12.0</title>
@@ -20,3 +20,4 @@
         <cpe-23:cpe23-item name="cpe:2.3:o:apple:macos:12.0:*:*:*:*:*:*:*"/>
     </cpe-item>
 </cpe-list>
+

SCAP/macos-cpe-oval.xml

@@ -4,7 +4,7 @@
     <generator>
         <oval:product_name>macOS Security Compliance Project</oval:product_name>
         <oval:schema_version>5.11.2</oval:schema_version>
-        <oval:timestamp>2021-09-16T15:35:10Z</oval:timestamp>
+        <oval:timestamp>2022-02-10T12:16:51Z</oval:timestamp>
     </generator>
     <definitions>
         <definition id="oval:gov.nist.mscp.content.cpe.oval:def:1" version="1" class="inventory">
@@ -14,7 +14,7 @@
                     <platform>macOS</platform>
                 </affected>
                 <reference source="CPE" ref_id="cpe:/o:apple:macos:12.0"/>
-                <description>The operating system installed on the system is Apple macOS Big Sur (12.0).</description>
+                <description>The operating system installed on the system is Apple macOS (12.0).</description>
             </metadata>
             <criteria operator="AND">
                 <criterion comment="The Installed Operating System is Part of the Mac OS Family" test_ref="oval:gov.nist.mscp.content.cpe:tst:1"/>
@@ -28,27 +28,27 @@
             <object object_ref="oval:gov.nist.mscp.content.cpe:obj:1"/>
             <state state_ref="oval:gov.nist.mscp.content.cpe:ste:1"/>
         </family_test>
-        <plist510_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="Apple macOS version is greater than 12.0"
+        <plist511_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="Apple macOS version is greater than 12.0"
             id="oval:gov.nist.mscp.content.cpe:tst:2" version="2">
             <object object_ref="oval:gov.nist.mscp.content.cpe:obj:2"/>
             <state state_ref="oval:gov.nist.mscp.content.cpe:ste:2"/>
-        </plist510_test>
+        </plist511_test>
     </tests>
     <objects>
         <family_object id="oval:gov.nist.mscp.content.cpe:obj:1" version="1" comment="This variable_object represents the family that the operating system belongs to."
             xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"/>
-        <plist510_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" comment="The macOS product version plist object." id="oval:gov.nist.mscp.content.cpe:obj:2" version="1">
-            <key>ProductVersion</key>
+        <plist511_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" comment="The macOS product version plist object." id="oval:gov.nist.mscp.content.cpe:obj:2" version="1">
             <filepath>/System/Library/CoreServices/SystemVersion.plist</filepath>
-            <instance datatype="int" operation="equals">1</instance>
-        </plist510_object>
+            <xpath>//*[contains(text(), "ProductVersion")]/following-sibling::*[1]/text()</xpath>
+        </plist511_object>
     </objects>
     <states>
         <family_state id="oval:gov.nist.mscp.content.cpe:ste:1" version="1" comment="The OS is part of the macOS Family." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
             <family>macos</family>
         </family_state>
-        <plist510_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" comment="Is the value is greater than or equal to 12.0" id="oval:gov.nist.mscp.content.cpe:ste:2" version="1">
+        <plist511_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" comment="Is the value is greater than or equal to 12.0" id="oval:gov.nist.mscp.content.cpe:ste:2" version="1">
             <value datatype="version" operation="greater than or equal">12.0</value>
-        </plist510_state>
+        </plist511_state>
     </states>
 </oval_definitions>
+

SCAP/os.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
 
-OS=$(/usr/bin/awk -F ": " '/os/{print $2}' ../VERSION.yaml | /usr/bin/tr -d '"')
+OS=$(/usr/bin/awk -F ": " '/os: /{print $2}' ../VERSION.yaml | /usr/bin/tr -d '"')
 
-echo $OS
+echo $OS

VERSION.yaml

@@ -1,3 +1,4 @@
 os: "12.0"
-version: "Monterey Guidance, Revision 1"
-date: "2021-10-20"
+version: "Monterey Guidance, Revision 2"
+cpe: o:apple:macos:12.0
+date: "2022-03-16"

baselines/800-171.yaml

@@ -14,6 +14,7 @@ profile:
       - auth_pam_su_smartcard_enforce
       - auth_pam_sudo_smartcard_enforce
       - auth_smartcard_enforce
+      - auth_smartcard_allow
       - auth_ssh_password_authentication_disable
   - section: "auditing"
     rules:
@@ -53,7 +54,6 @@ profile:
       - os_home_folders_secure
       - os_httpd_disable
       - os_icloud_storage_prompt_disable
-      - os_internet_accounts_prefpane_disable
       - os_ir_support_disable
       - os_mail_app_disable
       - os_mdm_require
@@ -64,8 +64,9 @@ profile:
       - os_password_proximity_disable
       - os_password_sharing_disable
       - os_policy_banner_loginwindow_enforce
+      - os_policy_banner_ssh_configure
+      - os_policy_banner_ssh_enforce
       - os_recovery_lock_enable
-      - os_removable_media_disable
       - os_root_disable
       - os_screensaver_loginwindow_enforce
       - os_sip_enable
@@ -74,6 +75,8 @@ profile:
       - os_ssh_fips_compliant
       - os_ssh_server_alive_count_max_configure
       - os_ssh_server_alive_interval_configure
+      - os_sshd_client_alive_count_max_configure
+      - os_sshd_client_alive_interval_configure
       - os_sshd_fips_compliant
       - os_tftpd_disable
       - os_time_server_enabled
@@ -127,6 +130,7 @@ profile:
       - sysprefs_guest_account_disable
       - sysprefs_hot_corners_disable
       - sysprefs_improve_siri_dictation_disable
+      - sysprefs_internet_accounts_prefpane_disable
       - sysprefs_internet_sharing_disable
       - sysprefs_location_services_disable
       - sysprefs_loginwindow_prompt_username_password_enforce