diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
index fe871e501..cf1ac38da 100644
--- a/CHANGELOG.adoc
+++ b/CHANGELOG.adoc
@@ -2,6 +2,89 @@ This document provides a high-level view of the changes to the macOS Security Compliance Project. +== [Monterey, Revision 2] - 2022-03-XX + +* Rules +** Added Rules +*** audit_control_acls_configure +*** audit_control_group_configure +*** audit_control_mode_configure +*** audit_control_owner_configure +*** audit_flags_configure +*** audit_retention_configure_sixty_days +*** os_application_sandbox +*** os_blank_bluray_disable +*** os_blank_cd_disable +*** os_blank_dvd_disable +*** os_bluray_read_only_enforce +*** os_burn_support_disable +*** os_cd_read_only_enforce +*** os_disk_image_disable +*** os_dvdram_disable +*** os_efi_integrity_validated +*** os_erase_content_and_settings_disabled +*** os_guest_folder_removed +*** os_hibernate_mode_destroyfvkeyonstandby_enable +*** os_hibernate_mode_enable +*** os_install_log_retention_configure +*** os_library_validation_enabled +*** os_mobile_file_integrity_enable +*** os_password_hint_remove +*** os_safari_open_safe_downloads +*** os_show_filename_extensions_enable +*** os_skip_screen_time_prompt_enable +*** os_sudo_timeout_configure +*** os_system_wide_applications_configure +*** os_terminal_secure_keyboard_enable +*** os_time_offset_limit_configure +*** os_world_writable_library_folder_configure +*** os_world_writable_system_folder_configure +*** pwpolicy_account_lockout_enforce_five +*** pwpolicy_history_enforce_fifteen +*** supplemental_cis_manual +*** sysprefs_bluetooth_menu_enable +*** sysprefs_bluetooth_unpaired_disable +*** sysprefs_cd_dvd_sharing_disable +*** sysprefs_hot_corners_secure +*** sysprefs_install_macos_updates_enforce +*** sysprefs_location_services_audit +*** sysprefs_location_services_enable +*** sysprefs_loginwindow_loginwindowtext_enable +*** sysprefs_printer_sharing_disable +*** sysprefs_remote_management_disable +*** sysprefs_software_update_app_update_enforce.yaml +*** sysprefs_software_update_download_enforce.yaml +*** sysprefs_software_update_enforce.yaml +*** 
sysprefs_softwareupdate_current.yaml +*** sysprefs_time_machine_auto_backup_enable.yaml +*** sysprefs_time_machine_encrypted_configure.yaml +*** sysprefs_wake_network_access_disable.yaml +*** sysprefs_wifi_menu_enable.yaml +** Modified Rules +*** sysprefs_airplay_receiver_disable +*** Updated checks for configuration profiles +** Bug Fixes + +* Baselines +** Added CIS Level 1 & 2 +** Added DISA STIG + +* Scripts +** generate_guidance +*** Added support for CIS +*** Bug Fixes +** generate_baseline +*** Bug Fixes +** generate_mappings +*** Bug Fixes +** generate_oval +*** Renamed Script +*** plist510 tests updated to plist511 +*** Bug Fixes + +* SCAP +** Bug Fixes + == [Monterey, Revision 1] - 2021-10-20 * Rules diff --git a/SCAP/Makefile b/SCAP/Makefile index ea01671fe..5e0a8dfdc 100644 --- a/SCAP/Makefile +++ b/SCAP/Makefile @@ -6,13 +6,16 @@ DIR = ../build/All_rules VERSION = $(shell ./version.sh) OS = $(shell ./os.sh) -all: inputs tidy XCCDF datastream report beautify +all: generate_cpe inputs tidy XCCDF datastream report beautify + +generate_cpe: + ./generate_cpe.sh inputs: # generate the HTML checklist document ../scripts/generate_guidance.py -g ../baselines/all_rules.yaml 2>/dev/null # generate the related OVAL content - ../scripts/yaml-to-oval.py ../baselines/all_rules.yaml + ../scripts/generate_oval.py ../baselines/all_rules.yaml # outputs end up in ${DIR} tidy: @@ -36,8 +39,8 @@ XCCDF: -o:${DIR}/xccdf.xml \ SCAP-version=1.3 \ id-namespace=content.mscp.nist.gov \ - benchmark-id-suffix=macOS_12.0 \ - OVAL-URI=${DIR}/All_rules.xml \ + benchmark-id-suffix=macOS_${OS} \ + OVAL-URI=${DIR}/all_rules.xml \ include-CPE=1 # the input OVAL document will be copied to a companion of the XCCDF document named 'oval.xml' # a gratuitous OCIL document is provided @@ -52,7 +55,7 @@ datastream: -o:${DIR}/datastream.xml \ SCAP-version=1.3 \ id-namespace=content.mscp.nist.gov \ - datastream-id-suffix=macOS_12.0 \ + datastream-id-suffix=macOS_${OS} \ include-CPE=1 report: 
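Review bot: The `benchmark-id-suffix=macOS_${OS}` and `datastream-id-suffix=macOS_${OS}` lines in the XCCDF and datastream hunks take `OS` from `$(shell ./os.sh)`, and make does not fail when that expands empty, so a missing or malformed `../VERSION.yaml` silently yields ids ending in `macOS_` instead of aborting the build. Add a guard after the `OS =` assignment: `ifeq ($(strip $(OS)),)` / `$(error OS could not be read from ../VERSION.yaml)` / `endif`. The new `generate_cpe` target in the first hunk is not marked `.PHONY` in the visible lines, so a stray file named `generate_cpe` in SCAP/ would cause the target to be skipped; it belongs in whatever `.PHONY` list the Makefile has, or one should be declared. The `OVAL-URI` rename from `All_rules.xml` to `all_rules.xml` only works if the renamed `generate_oval.py` now writes the lower-case name; the case change is invisible on a case-insensitive filesystem but breaks on a case-sensitive one.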
diff --git a/SCAP/generate_cpe.sh b/SCAP/generate_cpe.sh new file mode 100755 index 000000000..46f9265de --- /dev/null +++ b/SCAP/generate_cpe.sh @@ -0,0 +1,87 @@ +#!/bin/bash + +OS=$(/usr/bin/awk -F ": " '/os: /{print $2}' ../VERSION.yaml | /usr/bin/tr -d '"') +CPE=$(/usr/bin/awk '/cpe/{print $2}' ../VERSION.yaml ) +CREATIONDATE=$(date -j -f "%a %b %d %T %Z %Y" "$(date)" "+%Y-%m-%dT%TZ") + +/bin/cat > macos-cpe-oval.xml << EOO + + + + macOS Security Compliance Project + 5.11.2 + $CREATIONDATE + + + + + Apple macOS $OS is installed + + macOS + + + The operating system installed on the system is Apple macOS ($OS). + + + + + + + + + + + + + + + + + + + + + /System/Library/CoreServices/SystemVersion.plist + //*[contains(text(), "ProductVersion")]/following-sibling::*[1]/text() + + + + + macos + + + $OS + + + + +EOO + +/bin/cat > macos-cpe-dictionary.xml << EOCPE + + + + + + + + + + macOS Security Compliance Project + 2.3 + $CREATIONDATE + + + Apple macOS $OS + + This CPE Name represents macOS $OS + + oval:gov.nist.mscp.content.cpe.oval:def:1 + + + + +EOCPE \ No newline at end of file diff --git a/SCAP/macos-cpe-dictionary.xml b/SCAP/macos-cpe-dictionary.xml index b2477f7b5..7d19a3209 100644 --- a/SCAP/macos-cpe-dictionary.xml +++ b/SCAP/macos-cpe-dictionary.xml @@ -9,7 +9,7 @@ macOS Security Compliance Project 2.3 - 2021-09-16T15:35:10Z + 2022-02-10T12:16:51Z Apple macOS 12.0 @@ -20,3 +20,4 @@ + diff --git a/SCAP/macos-cpe-oval.xml b/SCAP/macos-cpe-oval.xml index 2c5de92ab..c362fd29c 100644 --- a/SCAP/macos-cpe-oval.xml +++ b/SCAP/macos-cpe-oval.xml @@ -4,7 +4,7 @@ macOS Security Compliance Project 5.11.2 - 2021-09-16T15:35:10Z + 2022-02-10T12:16:51Z @@ -14,7 +14,7 @@ macOS - The operating system installed on the system is Apple macOS Big Sur (12.0). + The operating system installed on the system is Apple macOS (12.0). 
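Review bot: `CREATIONDATE` is built by re-parsing the output of a local-time `date` and appending a literal `Z`, so the OVAL and CPE timestamp elements claim UTC while carrying local time unless the build host runs in UTC; `CREATIONDATE=$(date -u "+%Y-%m-%dT%TZ")` gives a correct value and drops the BSD-only `-j -f` form. The `OS` extraction, `awk -F ": " '/os: /{print $2}'`, is unanchored and matches any line containing `os: ` (the same pattern is in SCAP/os.sh); `'/^os: /{print $2}'` pins it to the `os` key. Nothing stops the script when `../VERSION.yaml` is missing or the key is absent: `OS` is empty and the heredocs still write a definition for "Apple macOS " — `set -euo pipefail` at the top plus a check that `OS` is non-empty would surface that at build time. Note also that the script overwrites the tracked `macos-cpe-oval.xml` and `macos-cpe-dictionary.xml` on every `make`, so the committed copies will drift with each build.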
@@ -28,27 +28,27 @@ - - + - - ProductVersion + /System/Library/CoreServices/SystemVersion.plist - 1 - + //*[contains(text(), "ProductVersion")]/following-sibling::*[1]/text() + macos - + 12.0 - + + diff --git a/SCAP/os.sh b/SCAP/os.sh index b9380191e..b2f1224e9 100755 --- a/SCAP/os.sh +++ b/SCAP/os.sh @@ -1,5 +1,5 @@ #!/bin/bash -OS=$(/usr/bin/awk -F ": " '/os/{print $2}' ../VERSION.yaml | /usr/bin/tr -d '"') +OS=$(/usr/bin/awk -F ": " '/os: /{print $2}' ../VERSION.yaml | /usr/bin/tr -d '"') -echo $OS \ No newline at end of file +echo $OS diff --git a/VERSION.yaml b/VERSION.yaml index c553ee960..28ba2ed9f 100644 --- a/VERSION.yaml +++ b/VERSION.yaml @@ -1,3 +1,4 @@ os: "12.0" -version: "Monterey Guidance, Revision 1" -date: "2021-10-20" +version: "Monterey Guidance, Revision 2" +cpe: o:apple:macos:12.0 +date: "2022-03-16" diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml index f33894b1b..845a1bb02 100644 --- a/baselines/800-171.yaml +++ b/baselines/800-171.yaml @@ -14,6 +14,7 @@ profile: - auth_pam_su_smartcard_enforce - auth_pam_sudo_smartcard_enforce - auth_smartcard_enforce + - auth_smartcard_allow - auth_ssh_password_authentication_disable - section: "auditing" rules: @@ -53,7 +54,6 @@ profile: - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable - - os_internet_accounts_prefpane_disable - os_ir_support_disable - os_mail_app_disable - os_mdm_require @@ -64,8 +64,9 @@ profile: - os_password_proximity_disable - os_password_sharing_disable - os_policy_banner_loginwindow_enforce + - os_policy_banner_ssh_configure + - os_policy_banner_ssh_enforce - os_recovery_lock_enable - - os_removable_media_disable - os_root_disable - os_screensaver_loginwindow_enforce - os_sip_enable 
@@ -74,6 +75,8 @@ profile:
 - os_ssh_fips_compliant
 - os_ssh_server_alive_count_max_configure
 - os_ssh_server_alive_interval_configure
+ - os_sshd_client_alive_count_max_configure
+ - os_sshd_client_alive_interval_configure
 - os_sshd_fips_compliant
 - os_tftpd_disable
 - os_time_server_enabled
@@ -127,6 +130,7 @@ profile:
 - sysprefs_guest_account_disable
 - sysprefs_hot_corners_disable
 - sysprefs_improve_siri_dictation_disable
+ - sysprefs_internet_accounts_prefpane_disable
 - sysprefs_internet_sharing_disable
 - sysprefs_location_services_disable
 - sysprefs_loginwindow_prompt_username_password_enforce
diff --git a/baselines/800-53r5_high.yaml b/baselines/800-53r5_high.yaml
index 76b7edd13..511a59ac1 100644
--- a/baselines/800-53r5_high.yaml
+++ b/baselines/800-53r5_high.yaml
@@ -1,4 +1,4 @@
-title: "macOS 12 Security Configuration:NIST SP 800-53 Rev 5 High Impact Security Baseline"
+title: "macOS 12 Security Configuration: NIST SP 800-53 Rev 5 High Impact Security Baseline"
 description: |
 This guide describes the actions to take when securing a macOS 12 system against the NIST SP 800-53 Rev. 5 High-Impact Security Baseline.
 authors: |
@@ -63,7 +63,6 @@ profile:
 - os_home_folders_secure
 - os_httpd_disable
 - os_icloud_storage_prompt_disable
- - os_internet_accounts_prefpane_disable
 - os_ir_support_disable
 - os_mail_app_disable
 - os_mdm_require
@@ -76,8 +75,9 @@ profile:
 - os_password_proximity_disable
 - os_password_sharing_disable
 - os_policy_banner_loginwindow_enforce
+ - os_policy_banner_ssh_configure
+ - os_policy_banner_ssh_enforce
 - os_recovery_lock_enable
- - os_removable_media_disable
 - os_root_disable
 - os_screensaver_loginwindow_enforce
 - os_secure_boot_verify
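Review bot: `os_removable_media_disable` is dropped from the High baseline in the hunk at -76,8 (and from the Low baseline and 800-171 in their corresponding hunks), while the Moderate baseline's hunk at -74,6 keeps it as a context line, which leaves High weaker than Moderate on removable-media control. If the removal is deliberate, it should be applied consistently across the three 800-53r5 baselines and recorded in the CHANGELOG, which lists no removed rules; otherwise the line `    - os_removable_media_disable` should be restored in High and Low. Similarly, `sysprefs_token_removal_enforce` is removed only from Moderate (hunk at -161,7) and is not touched in High or Low by this diff — worth confirming that asymmetry is intended.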
@@ -87,7 +87,13 @@ profile:
 - os_ssh_fips_compliant
 - os_ssh_server_alive_count_max_configure
 - os_ssh_server_alive_interval_configure
+ - os_sshd_client_alive_count_max_configure
+ - os_sshd_client_alive_interval_configure
 - os_sshd_fips_compliant
+ - os_sshd_key_exchange_algorithm_configure
+ - os_sshd_permit_root_login_configure
+ - os_sudo_timeout_configure
+ - os_sudoers_timestamp_type_configure
 - os_sudoers_tty_configure
 - os_system_read_only
 - os_tftpd_disable
@@ -132,6 +138,7 @@ profile:
 - sysprefs_automatic_logout_enforce
 - sysprefs_bluetooth_disable
 - sysprefs_bluetooth_sharing_disable
+ - sysprefs_cd_dvd_sharing_disable
 - sysprefs_content_caching_disable
 - sysprefs_critical_update_install_enforce
 - sysprefs_diagnostics_reports_disable
@@ -145,6 +152,7 @@ profile:
 - sysprefs_guest_account_disable
 - sysprefs_hot_corners_disable
 - sysprefs_improve_siri_dictation_disable
+ - sysprefs_internet_accounts_prefpane_disable
 - sysprefs_internet_sharing_disable
 - sysprefs_location_services_disable
 - sysprefs_loginwindow_prompt_username_password_enforce
@@ -152,7 +160,9 @@ profile:
 - sysprefs_password_hints_disable
 - sysprefs_personalized_advertising_disable
 - sysprefs_power_nap_disable
+ - sysprefs_printer_sharing_disable
 - sysprefs_rae_disable
+ - sysprefs_remote_management_disable
 - sysprefs_screen_sharing_disable
 - sysprefs_screensaver_ask_for_password_delay_enforce
 - sysprefs_screensaver_password_enforce
diff --git a/baselines/800-53r5_low.yaml b/baselines/800-53r5_low.yaml
index ca0ef8627..0022a9d07 100644
--- a/baselines/800-53r5_low.yaml
+++ b/baselines/800-53r5_low.yaml
@@ -1,4 +1,4 @@
-title: "macOS 12 Security Configuration:NIST SP 800-53 Rev 5 Low Impact Security Baseline"
+title: "macOS 12 Security Configuration: NIST SP 800-53 Rev 5 Low Impact Security Baseline"
 description: |
 This guide describes the actions to take when securing a macOS 12 system against the NIST SP 800-53 Rev. 5 Low-Impact Security Baseline.
 authors: |
@@ -54,7 +54,6 @@ profile:
 - os_handoff_disable
 - os_httpd_disable
 - os_icloud_storage_prompt_disable
- - os_internet_accounts_prefpane_disable
 - os_ir_support_disable
 - os_mail_app_disable
 - os_mdm_require
@@ -64,13 +63,17 @@ profile:
 - os_password_proximity_disable
 - os_password_sharing_disable
 - os_policy_banner_loginwindow_enforce
- - os_removable_media_disable
+ - os_policy_banner_ssh_configure
+ - os_policy_banner_ssh_enforce
 - os_root_disable
 - os_sip_enable
 - os_siri_prompt_disable
 - os_skip_unlock_with_watch_enable
 - os_ssh_fips_compliant
 - os_sshd_fips_compliant
+ - os_sshd_key_exchange_algorithm_configure
+ - os_sudo_timeout_configure
+ - os_sudoers_timestamp_type_configure
 - os_sudoers_tty_configure
 - os_tftpd_disable
 - os_time_server_enabled
@@ -110,6 +113,7 @@ profile:
 - sysprefs_automatic_login_disable
 - sysprefs_bluetooth_disable
 - sysprefs_bluetooth_sharing_disable
+ - sysprefs_cd_dvd_sharing_disable
 - sysprefs_content_caching_disable
 - sysprefs_critical_update_install_enforce
 - sysprefs_diagnostics_reports_disable
@@ -121,6 +125,7 @@ profile:
 - sysprefs_guest_access_smb_disable
 - sysprefs_guest_account_disable
 - sysprefs_improve_siri_dictation_disable
+ - sysprefs_internet_accounts_prefpane_disable
 - sysprefs_internet_sharing_disable
 - sysprefs_location_services_disable
 - sysprefs_loginwindow_prompt_username_password_enforce
@@ -128,7 +133,9 @@ profile:
 - sysprefs_password_hints_disable
 - sysprefs_personalized_advertising_disable
 - sysprefs_power_nap_disable
+ - sysprefs_printer_sharing_disable
 - sysprefs_rae_disable
+ - sysprefs_remote_management_disable
 - sysprefs_screen_sharing_disable
 - sysprefs_screensaver_timeout_enforce
 - sysprefs_siri_disable
diff --git a/baselines/800-53r5_moderate.yaml b/baselines/800-53r5_moderate.yaml
index 69ca00e1c..885dec3d3 100644
--- a/baselines/800-53r5_moderate.yaml
+++ b/baselines/800-53r5_moderate.yaml
@@ -1,4 +1,4 @@
-title: "macOS 12 Security Configuration:NIST SP 800-53 Rev 5 Moderate Impact Security Baseline"
+title: "macOS 12 Security Configuration: NIST SP 800-53 Rev 5 Moderate Impact Security Baseline"
 description: |
 This guide describes the actions to take when securing a macOS 12 system against the NIST SP 800-53 Rev. 5 Moderate-Impact Security Baseline.
 authors: |
@@ -61,7 +61,6 @@ profile:
 - os_home_folders_secure
 - os_httpd_disable
 - os_icloud_storage_prompt_disable
- - os_internet_accounts_prefpane_disable
 - os_ir_support_disable
 - os_mail_app_disable
 - os_mdm_require
@@ -74,6 +73,8 @@ profile:
 - os_password_proximity_disable
 - os_password_sharing_disable
 - os_policy_banner_loginwindow_enforce
+ - os_policy_banner_ssh_configure
+ - os_policy_banner_ssh_enforce
 - os_recovery_lock_enable
 - os_removable_media_disable
 - os_root_disable
@@ -85,7 +86,12 @@ profile:
 - os_ssh_fips_compliant
 - os_ssh_server_alive_count_max_configure
 - os_ssh_server_alive_interval_configure
+ - os_sshd_client_alive_count_max_configure
+ - os_sshd_client_alive_interval_configure
 - os_sshd_fips_compliant
+ - os_sshd_key_exchange_algorithm_configure
+ - os_sudo_timeout_configure
+ - os_sudoers_timestamp_type_configure
 - os_sudoers_tty_configure
 - os_system_read_only
 - os_tftpd_disable
@@ -130,6 +136,7 @@ profile:
 - sysprefs_automatic_logout_enforce
 - sysprefs_bluetooth_disable
 - sysprefs_bluetooth_sharing_disable
+ - sysprefs_cd_dvd_sharing_disable
 - sysprefs_content_caching_disable
 - sysprefs_critical_update_install_enforce
 - sysprefs_diagnostics_reports_disable
@@ -143,6 +150,7 @@ profile:
 - sysprefs_guest_account_disable
 - sysprefs_hot_corners_disable
 - sysprefs_improve_siri_dictation_disable
+ - sysprefs_internet_accounts_prefpane_disable
 - sysprefs_internet_sharing_disable
 - sysprefs_location_services_disable
 - sysprefs_loginwindow_prompt_username_password_enforce
@@ -150,7 +158,9 @@ profile:
 - sysprefs_password_hints_disable
 - sysprefs_personalized_advertising_disable
 - sysprefs_power_nap_disable
+ - sysprefs_printer_sharing_disable
 - sysprefs_rae_disable
+ - sysprefs_remote_management_disable
 - sysprefs_screen_sharing_disable
 - sysprefs_screensaver_ask_for_password_delay_enforce
 - sysprefs_screensaver_password_enforce
@@ -161,7 +171,6 @@ profile:
 - sysprefs_system_wide_preferences_configure
 - sysprefs_time_server_configure
 - sysprefs_time_server_enforce
- - sysprefs_token_removal_enforce
 - sysprefs_touchid_unlock_disable
 - sysprefs_wifi_disable
 - section: "Inherent"
diff --git a/baselines/DISA-STIG.yaml b/baselines/DISA-STIG.yaml
new file mode 100644
index 000000000..507ac3328
--- /dev/null
+++ b/baselines/DISA-STIG.yaml
@@ -0,0 +1,162 @@ +title: "macOS 12.0: Security Configuration - DISA STIG" +description: | + This guide describes the actions to take when securing a macOS system against the Apple macOS 12 (Monterey) STIG - Ver 1, Rel 1. +authors: | + |=== + |Dan Brodjieski|National Aeronautics and Space Administration + |Allen Golbig|Jamf + |Bob Gendler|National Institute of Standards and Technology + |=== +profile: + - section: "authentication" + rules: + - auth_pam_login_smartcard_enforce + - auth_pam_su_smartcard_enforce + - auth_pam_sudo_smartcard_enforce + - auth_smartcard_certificate_trust_enforce_moderate + - auth_smartcard_enforce + - section: "auditing" + rules: + - audit_acls_files_configure + - audit_acls_folders_configure + - audit_auditd_enabled + - audit_configure_capacity_notify + - audit_failure_halt + - audit_files_group_configure + - audit_files_mode_configure + - audit_files_owner_configure + - audit_flags_aa_configure + - audit_flags_ad_configure + - audit_flags_fd_configure + - audit_flags_fm_configure + - audit_flags_fr_configure + - audit_flags_fw_configure + - audit_flags_lo_configure + - audit_folder_group_configure + - audit_folder_owner_configure + - audit_folders_mode_configure + - audit_retention_configure + - audit_settings_failure_notify + - section: "macos" + rules: + - os_airdrop_disable + - os_anti_virus_installed + - os_appleid_prompt_disable + - os_asl_log_files_owner_group_configure + - os_asl_log_files_permissions_configure + - os_blank_bluray_disable + - os_blank_cd_disable + - os_blank_dvd_disable + - os_bluray_read_only_enforce + - os_bonjour_disable + - os_burn_support_disable + - os_camera_disable + - os_cd_read_only_enforce + - os_certificate_authority_trust + - os_config_data_install_enforce + - os_directory_services_configured + - os_disk_image_disable + - os_dvdram_disable + - os_erase_content_and_settings_disable + - os_ess_installed + - os_filevault_authorized_users + - os_filevault_autologin_disable + - 
os_firmware_password_require + - os_gatekeeper_enable + - os_handoff_disable + - os_home_folders_secure + - os_httpd_disable + - os_icloud_storage_prompt_disable + - os_newsyslog_files_owner_group_configure + - os_newsyslog_files_permissions_configure + - os_nfsd_disable + - os_password_proximity_disable + - os_policy_banner_loginwindow_enforce + - os_policy_banner_ssh_configure + - os_policy_banner_ssh_enforce + - os_privacy_setup_prompt_disable + - os_removable_media_disable + - os_screensaver_loginwindow_enforce + - os_sip_enable + - os_siri_prompt_disable + - os_skip_screen_time_prompt_enable + - os_skip_unlock_with_watch_enable + - os_sshd_client_alive_count_max_configure + - os_sshd_client_alive_interval_configure + - os_sshd_fips_140_ciphers + - os_sshd_fips_140_macs + - os_sshd_key_exchange_algorithm_configure + - os_sshd_login_grace_time_configure + - os_sshd_permit_root_login_configure + - os_sudoers_tty_configure + - os_tftpd_disable + - os_time_server_enabled + - os_touchid_prompt_disable + - os_uucp_disable + - section: "passwordpolicy" + rules: + - pwpolicy_60_day_enforce + - pwpolicy_account_lockout_enforce + - pwpolicy_account_lockout_timeout_enforce + - pwpolicy_alpha_numeric_enforce + - pwpolicy_history_enforce + - pwpolicy_minimum_length_enforce + - pwpolicy_special_character_enforce + - pwpolicy_temporary_or_emergency_accounts_disable + - section: "icloud" + rules: + - icloud_addressbook_disable + - icloud_appleid_prefpane_disable + - icloud_bookmarks_disable + - icloud_calendar_disable + - icloud_drive_disable + - icloud_keychain_disable + - icloud_mail_disable + - icloud_notes_disable + - icloud_photos_disable + - icloud_reminders_disable + - section: "systempreferences" + rules: + - sysprefs_apple_watch_unlock_disable + - sysprefs_automatic_login_disable + - sysprefs_bluetooth_disable + - sysprefs_bluetooth_prefpane_disable + - sysprefs_bluetooth_prefpane_hide + - sysprefs_diagnostics_reports_disable + - sysprefs_filevault_enforce + - 
sysprefs_firewall_enable + - sysprefs_firewall_stealth_mode_enable + - sysprefs_gatekeeper_identified_developers_allowed + - sysprefs_guest_account_disable + - sysprefs_hot_corners_disable + - sysprefs_internet_accounts_prefpane_disable + - sysprefs_internet_accounts_prefpane_hide + - sysprefs_internet_sharing_disable + - sysprefs_location_services_disable + - sysprefs_loginwindow_prompt_username_password_enforce + - sysprefs_password_hints_disable + - sysprefs_rae_disable + - sysprefs_screen_sharing_disable + - sysprefs_screensaver_ask_for_password_delay_enforce + - sysprefs_screensaver_password_enforce + - sysprefs_screensaver_timeout_enforce + - sysprefs_siri_disable + - sysprefs_siri_prefpane_disable + - sysprefs_siri_prefpane_hide + - sysprefs_smbd_disable + - sysprefs_ssh_disable + - sysprefs_system_wide_preferences_configure + - sysprefs_time_server_configure + - sysprefs_time_server_enforce + - sysprefs_token_removal_enforce + - sysprefs_touchid_prefpane_disable + - sysprefs_touchid_prefpane_hide + - sysprefs_wallet_applepay_prefpane_disable + - sysprefs_wallet_applepay_prefpane_hide + - section: "Supplemental" + rules: + - supplemental_controls + - supplemental_filevault + - supplemental_firewall_pf + - supplemental_password_policy + - supplemental_smartcard diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index a7bd21359..5e909a0de 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -7,13 +7,6 @@ authors: | |Dan Brodjieski|National Aeronautics and Space Administration |Allen Golbig|Jamf |=== -title: "macOS 12.0: Security Configuration - all_rules" -description: | - This guide describes the actions to take when securing a macOS 12.0 system against the all_rules baseline. -authors: | - |=== - |Name|Organization - |=== profile: - section: "authentication" rules: 
@@ -31,12 +24,17 @@ profile: - audit_acls_folders_configure - audit_auditd_enabled - audit_configure_capacity_notify + - audit_control_acls_configure + - audit_control_group_configure + - audit_control_mode_configure + - audit_control_owner_configure - audit_failure_halt - audit_files_group_configure - audit_files_mode_configure - audit_files_owner_configure - audit_flags_aa_configure - audit_flags_ad_configure + - audit_flags_configure - audit_flags_ex_configure - audit_flags_fd_configure - audit_flags_fm_configure @@ -48,6 +46,7 @@ profile: - audit_folder_owner_configure - audit_folders_mode_configure - audit_retention_configure + - audit_retention_configure_sixty_days - audit_settings_failure_notify - section: "macos" rules: @@ -57,12 +56,23 @@ profile: - os_asl_log_files_owner_group_configure - os_asl_log_files_permissions_configure - os_authenticated_root_enable + - os_blank_bluray_disable + - os_blank_cd_disable + - os_blank_dvd_disable + - os_bluray_read_only_enforce - os_bonjour_disable + - os_burn_support_disable - os_calendar_app_disable - os_camera_disable + - os_cd_read_only_enforce - os_certificate_authority_trust - os_config_data_install_enforce - os_directory_services_configured + - os_disk_image_disable + - os_dvdram_disable + - os_efi_integrity_validated + - os_erase_content_and_settings_disable + - os_ess_installed - os_facetime_app_disable - os_filevault_authorized_users - os_filevault_autologin_disable 
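Review bot: The rule names added here do not match the CHANGELOG: the hunk at -57,12 adds `os_erase_content_and_settings_disable` where the CHANGELOG entry reads `os_erase_content_and_settings_disabled`, and the hunk at -95,36 adds `os_safari_open_safe_downloads_disable` where the CHANGELOG reads `os_safari_open_safe_downloads`; baseline entries presumably have to match the rule file names for generate_baseline and generate_guidance to resolve them, so one side is wrong and should be checked against the rule files. The following hunk replaces `os_hbss_installed` with `os_ess_installed` and drops `os_internet_accounts_prefpane_disable` in favour of the `sysprefs_` rule, yet neither the rename nor the removals appear in the CHANGELOG, and any custom baseline still naming `os_hbss_installed` would stop resolving — a line under Modified Rules naming the old and new identifiers would save users that surprise. Removing the duplicated `title`/`description`/`authors` block in the first hunk is a real fix, since most YAML loaders silently let the later duplicate keys win.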
@@ -71,21 +81,26 @@ profile: - os_firmware_password_require - os_gatekeeper_enable - os_gatekeeper_rearm + - os_guest_folder_removed - os_handoff_disable - - os_hbss_installed + - os_hibernate_mode_destroyfvkeyonstandby_enable + - os_hibernate_mode_enable - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable - - os_internet_accounts_prefpane_disable + - os_install_log_retention_configure - os_ir_support_disable + - os_library_validation_enabled - os_mail_app_disable - os_mdm_require - os_messages_app_disable + - os_mobile_file_integrity_enable - os_newsyslog_files_owner_group_configure - os_newsyslog_files_permissions_configure - os_nfsd_disable - os_parental_controls_enable - os_password_autofill_disable + - os_password_hint_remove - os_password_proximity_disable - os_password_sharing_disable - os_policy_banner_loginwindow_enforce 
@@ -95,36 +110,50 @@ profile: - os_recovery_lock_enable - os_removable_media_disable - os_root_disable + - os_safari_open_safe_downloads_disable - os_screensaver_loginwindow_enforce - os_secure_boot_verify + - os_show_filename_extensions_enable - os_sip_enable - os_siri_prompt_disable + - os_skip_screen_time_prompt_enable - os_skip_unlock_with_watch_enable - os_ssh_fips_compliant - os_ssh_server_alive_count_max_configure - os_ssh_server_alive_interval_configure - os_sshd_client_alive_count_max_configure - os_sshd_client_alive_interval_configure + - os_sshd_fips_140_ciphers + - os_sshd_fips_140_macs - os_sshd_fips_compliant - os_sshd_key_exchange_algorithm_configure - os_sshd_login_grace_time_configure - os_sshd_permit_root_login_configure + - os_sudo_timeout_configure + - os_sudoers_timestamp_type_configure - os_sudoers_tty_configure - os_system_read_only + - os_system_wide_applications_configure + - os_terminal_secure_keyboard_enable - os_tftpd_disable + - os_time_offset_limit_configure - os_time_server_enabled - os_touchid_prompt_disable - os_unlock_active_user_session_disable - os_user_app_installation_prohibit - os_uucp_disable + - os_world_writable_library_folder_configure + - os_world_writable_system_folder_configure - section: "passwordpolicy" rules: - pwpolicy_60_day_enforce - pwpolicy_account_inactivity_enforce - pwpolicy_account_lockout_enforce + - pwpolicy_account_lockout_enforce_five - pwpolicy_account_lockout_timeout_enforce - pwpolicy_alpha_numeric_enforce - pwpolicy_history_enforce + - pwpolicy_history_enforce_fifteen - pwpolicy_lower_case_character_enforce - pwpolicy_minimum_length_enforce - pwpolicy_minimum_lifetime_enforce 
@@ -153,7 +182,12 @@ profile: - sysprefs_automatic_login_disable - sysprefs_automatic_logout_enforce - sysprefs_bluetooth_disable + - sysprefs_bluetooth_menu_enable + - sysprefs_bluetooth_prefpane_disable + - sysprefs_bluetooth_prefpane_hide - sysprefs_bluetooth_sharing_disable + - sysprefs_bluetooth_unpaired_disable + - sysprefs_cd_dvd_sharing_disable - sysprefs_content_caching_disable - sysprefs_critical_update_install_enforce - sysprefs_diagnostics_reports_disable 
@@ -166,29 +200,52 @@ profile: - sysprefs_guest_access_smb_disable - sysprefs_guest_account_disable - sysprefs_hot_corners_disable + - sysprefs_hot_corners_secure - sysprefs_improve_siri_dictation_disable + - sysprefs_install_macos_updates_enforce + - sysprefs_internet_accounts_prefpane_disable + - sysprefs_internet_accounts_prefpane_hide - sysprefs_internet_sharing_disable + - sysprefs_location_services_audit - sysprefs_location_services_disable + - sysprefs_location_services_enable + - sysprefs_loginwindow_loginwindowtext_enable - sysprefs_loginwindow_prompt_username_password_enforce - sysprefs_media_sharing_disabled - sysprefs_password_hints_disable - sysprefs_personalized_advertising_disable - sysprefs_power_nap_disable + - sysprefs_printer_sharing_disable - sysprefs_rae_disable + - sysprefs_remote_management_disable - sysprefs_screen_sharing_disable - sysprefs_screensaver_ask_for_password_delay_enforce - sysprefs_screensaver_password_enforce - sysprefs_screensaver_timeout_enforce - sysprefs_siri_disable + - sysprefs_siri_prefpane_disable + - sysprefs_siri_prefpane_hide - sysprefs_smbd_disable + - sysprefs_software_update_app_update_enforce + - sysprefs_software_update_download_enforce + - sysprefs_software_update_enforce + - sysprefs_softwareupdate_current - sysprefs_ssh_disable - sysprefs_ssh_enable - sysprefs_system_wide_preferences_configure + - sysprefs_time_machine_auto_backup_enable + - sysprefs_time_machine_encrypted_configure - sysprefs_time_server_configure - sysprefs_time_server_enforce - sysprefs_token_removal_enforce + - sysprefs_touchid_prefpane_disable + - sysprefs_touchid_prefpane_hide - sysprefs_touchid_unlock_disable + - sysprefs_wake_network_access_disable + - sysprefs_wallet_applepay_prefpane_disable + - sysprefs_wallet_applepay_prefpane_hide - sysprefs_wifi_disable + - sysprefs_wifi_menu_enable - section: "Inherent" rules: - audit_record_reduction_report_generation 
@@ -268,6 +325,7 @@ profile: - os_privacy_principle_minimization - section: "Supplemental" rules: + - supplemental_cis_manual - supplemental_controls - supplemental_filevault - supplemental_firewall_pf diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml new file mode 100644 index 000000000..7fc9eb955 --- /dev/null +++ b/baselines/cis_lvl1.yaml 
@@ -0,0 +1,107 @@ +title: "macOS 12.0: Security Configuration - CIS Benchmarks" +description: | + This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 12.0 Monterey v1.0.0 Benchmark (Level 1) +authors: | + The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®) + |=== + |Edward Byrd|Center for Internet Security + |Ron Colvin|Center for Internet Security + |Allen Golbig|Jamf + |=== +profile: + - section: "auditing" + rules: + - audit_acls_files_configure + - audit_acls_folders_configure + - audit_auditd_enabled + - audit_control_acls_configure + - audit_control_group_configure + - audit_control_mode_configure + - audit_control_owner_configure + - audit_files_group_configure + - audit_files_mode_configure + - audit_files_owner_configure + - audit_folder_group_configure + - audit_folder_owner_configure + - audit_folders_mode_configure + - audit_retention_configure_sixty_days + - section: "macos" + rules: + - os_airdrop_disable + - os_authenticated_root_enable + - os_config_data_install_enforce + - os_efi_integrity_validated + - os_firewall_log_enable + - os_gatekeeper_enable + - os_guest_folder_removed + - os_hibernate_mode_destroyfvkeyonstandby_enable + - os_hibernate_mode_enable + - os_home_folders_secure + - os_httpd_disable + - os_install_log_retention_configure + - os_library_validation_enabled + - os_mobile_file_integrity_enable + - os_nfsd_disable + - os_password_hint_remove + - os_root_disable + - os_safari_open_safe_downloads_disable + - os_show_filename_extensions_enable + - os_sip_enable + - os_sudo_timeout_configure + - os_sudoers_timestamp_type_configure + - os_sudoers_tty_configure + - os_system_wide_applications_configure + - os_terminal_secure_keyboard_enable + - os_time_offset_limit_configure + - os_unlock_active_user_session_disable + - os_world_writable_system_folder_configure + - section: "passwordpolicy" + rules: + - 
pwpolicy_account_lockout_enforce_five + - pwpolicy_history_enforce_fifteen + - pwpolicy_minimum_length_enforce + - section: "systempreferences" + rules: + - sysprefs_airplay_receiver_disable + - sysprefs_automatic_login_disable + - sysprefs_bluetooth_menu_enable + - sysprefs_bluetooth_sharing_disable + - sysprefs_bluetooth_unpaired_disable + - sysprefs_cd_dvd_sharing_disable + - sysprefs_critical_update_install_enforce + - sysprefs_filevault_enforce + - sysprefs_firewall_enable + - sysprefs_firewall_stealth_mode_enable + - sysprefs_guest_access_smb_disable + - sysprefs_guest_account_disable + - sysprefs_install_macos_updates_enforce + - sysprefs_internet_sharing_disable + - sysprefs_loginwindow_loginwindowtext_enable + - sysprefs_loginwindow_prompt_username_password_enforce + - sysprefs_password_hints_disable + - sysprefs_personalized_advertising_disable + - sysprefs_power_nap_disable + - sysprefs_printer_sharing_disable + - sysprefs_rae_disable + - sysprefs_remote_management_disable + - sysprefs_screen_sharing_disable + - sysprefs_screensaver_ask_for_password_delay_enforce + - sysprefs_screensaver_timeout_enforce + - sysprefs_smbd_disable + - sysprefs_software_update_app_update_enforce + - sysprefs_software_update_download_enforce + - sysprefs_software_update_enforce + - sysprefs_softwareupdate_current + - sysprefs_ssh_disable + - sysprefs_system_wide_preferences_configure + - sysprefs_time_server_configure + - sysprefs_time_server_enforce + - sysprefs_wake_network_access_disable + - sysprefs_wifi_menu_enable + - section: "Supplemental" + rules: + - supplemental_cis_manual + - supplemental_filevault + - supplemental_firewall_pf + - supplemental_password_policy + - supplemental_smartcard diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml new file mode 100644 index 000000000..754b198b4 --- /dev/null +++ b/baselines/cis_lvl2.yaml 
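Review bot: `title` on the first line, `macOS 12.0: Security Configuration - CIS Benchmarks`, is identical to the title of the new cis_lvl2.yaml, so the two generated guidance documents can be told apart only by the `(Level 1)` / `(Level 1 and 2)` suffix buried in `description`. The 800-53r5 baselines put the impact level in the title, so `title: "macOS 12.0: Security Configuration - CIS Benchmark Level 1"` here (and `Level 2` in cis_lvl2.yaml) would be consistent with them. The `authors` block also places a free-text sentence before the `|===` table; if generate_guidance emits that block verbatim as AsciiDoc this renders fine, but it is worth checking the generated document once, since the other baselines keep only the table there.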
@@ -0,0 +1,126 @@ +title: "macOS 12.0: Security Configuration - CIS Benchmarks" +description: | + This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 12.0 Monterey v1.0.0 Benchmark (Level 1 and 2) +authors: | + The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®) + |=== + |Edward Byrd|Center for Internet Security + |Ron Colvin|Center for Internet Security + |Allen Golbig|Jamf + |=== +profile: + - section: "auditing" + rules: + - audit_acls_files_configure + - audit_acls_folders_configure + - audit_auditd_enabled + - audit_control_acls_configure + - audit_control_group_configure + - audit_control_mode_configure + - audit_control_owner_configure + - audit_files_group_configure + - audit_files_mode_configure + - audit_files_owner_configure + - audit_flags_configure + - audit_folder_group_configure + - audit_folder_owner_configure + - audit_folders_mode_configure + - audit_retention_configure_sixty_days + - section: "macos" + rules: + - os_airdrop_disable + - os_authenticated_root_enable + - os_bonjour_disable + - os_config_data_install_enforce + - os_efi_integrity_validated + - os_firewall_log_enable + - os_gatekeeper_enable + - os_guest_folder_removed + - os_hibernate_mode_destroyfvkeyonstandby_enable + - os_hibernate_mode_enable + - os_home_folders_secure + - os_httpd_disable + - os_install_log_retention_configure + - os_library_validation_enabled + - os_mobile_file_integrity_enable + - os_nfsd_disable + - os_password_hint_remove + - os_policy_banner_loginwindow_enforce + - os_root_disable + - os_safari_open_safe_downloads_disable + - os_show_filename_extensions_enable + - os_sip_enable + - os_sudo_timeout_configure + - os_sudoers_timestamp_type_configure + - os_sudoers_tty_configure + - os_system_wide_applications_configure + - os_terminal_secure_keyboard_enable + - os_time_offset_limit_configure + - os_unlock_active_user_session_disable + - 
os_world_writable_library_folder_configure + - os_world_writable_system_folder_configure + - section: "passwordpolicy" + rules: + - pwpolicy_account_lockout_enforce_five + - pwpolicy_alpha_numeric_enforce + - pwpolicy_history_enforce_fifteen + - pwpolicy_lower_case_character_enforce + - pwpolicy_minimum_length_enforce + - pwpolicy_special_character_enforce + - pwpolicy_upper_case_character_enforce + - section: "icloud" + rules: + - icloud_sync_disable + - section: "systempreferences" + rules: + - sysprefs_airplay_receiver_disable + - sysprefs_automatic_login_disable + - sysprefs_bluetooth_menu_enable + - sysprefs_bluetooth_sharing_disable + - sysprefs_bluetooth_unpaired_disable + - sysprefs_cd_dvd_sharing_disable + - sysprefs_content_caching_disable + - sysprefs_critical_update_install_enforce + - sysprefs_diagnostics_reports_disable + - sysprefs_filevault_enforce + - sysprefs_firewall_enable + - sysprefs_firewall_stealth_mode_enable + - sysprefs_guest_access_smb_disable + - sysprefs_guest_account_disable + - sysprefs_hot_corners_secure + - sysprefs_install_macos_updates_enforce + - sysprefs_internet_sharing_disable + - sysprefs_location_services_audit + - sysprefs_location_services_enable + - sysprefs_loginwindow_loginwindowtext_enable + - sysprefs_loginwindow_prompt_username_password_enforce + - sysprefs_media_sharing_disabled + - sysprefs_password_hints_disable + - sysprefs_personalized_advertising_disable + - sysprefs_power_nap_disable + - sysprefs_printer_sharing_disable + - sysprefs_rae_disable + - sysprefs_remote_management_disable + - sysprefs_screen_sharing_disable + - sysprefs_screensaver_ask_for_password_delay_enforce + - sysprefs_screensaver_timeout_enforce + - sysprefs_smbd_disable + - sysprefs_software_update_app_update_enforce + - sysprefs_software_update_download_enforce + - sysprefs_software_update_enforce + - sysprefs_softwareupdate_current + - sysprefs_ssh_disable + - sysprefs_system_wide_preferences_configure + - 
sysprefs_time_machine_auto_backup_enable + - sysprefs_time_machine_encrypted_configure + - sysprefs_time_server_configure + - sysprefs_time_server_enforce + - sysprefs_wake_network_access_disable + - sysprefs_wifi_menu_enable + - section: "Supplemental" + rules: + - supplemental_cis_manual + - supplemental_filevault + - supplemental_firewall_pf + - supplemental_password_policy + - supplemental_smartcard \ No newline at end of file diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml index 913dee532..63de51f49 100644 --- a/baselines/cisv8.yaml +++ b/baselines/cisv8.yaml @@ -20,16 +20,22 @@ profile: - auth_ssh_password_authentication_disable - section: "auditing" rules: + - audit_acls_files_configure + - audit_acls_folders_configure - audit_auditd_enabled - - audit_flags_aa_configure - - audit_flags_ad_configure - - audit_flags_ex_configure - - audit_flags_fd_configure - - audit_flags_fm_configure - - audit_flags_fr_configure - - audit_flags_fw_configure - - audit_flags_lo_configure + - audit_control_acls_configure + - audit_control_group_configure + - audit_control_mode_configure + - audit_control_owner_configure + - audit_files_group_configure + - audit_files_mode_configure + - audit_files_owner_configure + - audit_flags_configure + - audit_folder_group_configure + - audit_folder_owner_configure + - audit_folders_mode_configure - audit_retention_configure + - audit_retention_configure_sixty_days - section: "macos" rules: - os_airdrop_disable 
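Review bot: The auditing section of cisv8.yaml now lists both `audit_retention_configure` and the newly added `audit_retention_configure_sixty_days`. If both rules set the same retention value in `/etc/security/audit_control` (as the names suggest), a fix script generated from this baseline will apply two different retention settings in sequence and the check for whichever rule ran first will presumably fail afterwards. Either keep only the rule whose CIS controls v8 mapping applies here or document in the baseline which of the two takes precedence.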
@@ -39,42 +45,59 @@ profile: - os_calendar_app_disable - os_config_data_install_enforce - os_directory_services_configured + - os_efi_integrity_validated + - os_ess_installed - os_facetime_app_disable - os_filevault_autologin_disable - os_firewall_log_enable - os_gatekeeper_enable - os_gatekeeper_rearm - os_handoff_disable - - os_hbss_installed - os_httpd_disable - os_icloud_storage_prompt_disable - - os_internet_accounts_prefpane_disable + - os_install_log_retention_configure - os_ir_support_disable + - os_library_validation_enabled - os_mail_app_disable - os_mdm_require - os_messages_app_disable + - os_mobile_file_integrity_enable - os_nfsd_disable - os_parental_controls_enable - os_password_autofill_disable + - os_password_hint_remove - os_password_proximity_disable - os_password_sharing_disable - os_privacy_setup_prompt_disable - os_root_disable + - os_safari_open_safe_downloads_disable + - os_show_filename_extensions_enable - os_sip_enable - os_siri_prompt_disable - os_skip_unlock_with_watch_enable + - os_sudo_timeout_configure + - os_sudoers_timestamp_type_configure + - os_sudoers_tty_configure + - os_system_wide_applications_configure + - os_terminal_secure_keyboard_enable - os_tftpd_disable + - os_time_offset_limit_configure - os_time_server_enabled - os_touchid_prompt_disable + - os_unlock_active_user_session_disable - os_uucp_disable + - os_world_writable_library_folder_configure + - os_world_writable_system_folder_configure - section: "passwordpolicy" rules: - pwpolicy_60_day_enforce - pwpolicy_account_inactivity_enforce - pwpolicy_account_lockout_enforce + - pwpolicy_account_lockout_enforce_five - pwpolicy_account_lockout_timeout_enforce - pwpolicy_alpha_numeric_enforce - pwpolicy_history_enforce + - pwpolicy_history_enforce_fifteen - pwpolicy_lower_case_character_enforce - pwpolicy_minimum_length_enforce - pwpolicy_minimum_lifetime_enforce 
@@ -97,8 +120,12 @@ profile: - section: "systempreferences" rules: - sysprefs_airplay_receiver_disable + - sysprefs_automatic_login_disable - sysprefs_bluetooth_disable + - sysprefs_bluetooth_menu_enable - sysprefs_bluetooth_sharing_disable + - sysprefs_bluetooth_unpaired_disable + - sysprefs_cd_dvd_sharing_disable - sysprefs_content_caching_disable - sysprefs_critical_update_install_enforce - sysprefs_diagnostics_reports_disable @@ -108,21 +135,39 @@ profile: - sysprefs_firewall_stealth_mode_enable - sysprefs_guest_access_smb_disable - sysprefs_guest_account_disable + - sysprefs_hot_corners_secure - sysprefs_improve_siri_dictation_disable + - sysprefs_install_macos_updates_enforce + - sysprefs_internet_accounts_prefpane_disable - sysprefs_internet_sharing_disable - - sysprefs_location_services_disable + - sysprefs_location_services_audit + - sysprefs_location_services_enable + - sysprefs_loginwindow_prompt_username_password_enforce - sysprefs_media_sharing_disabled + - sysprefs_password_hints_disable - sysprefs_personalized_advertising_disable - sysprefs_power_nap_disable + - sysprefs_printer_sharing_disable - sysprefs_rae_disable + - sysprefs_remote_management_disable - sysprefs_screen_sharing_disable + - sysprefs_screensaver_ask_for_password_delay_enforce - sysprefs_screensaver_timeout_enforce - sysprefs_siri_disable - sysprefs_smbd_disable + - sysprefs_software_update_app_update_enforce + - sysprefs_software_update_download_enforce + - sysprefs_software_update_enforce + - sysprefs_softwareupdate_current - sysprefs_ssh_disable + - sysprefs_system_wide_preferences_configure + - sysprefs_time_machine_auto_backup_enable + - sysprefs_time_machine_encrypted_configure - sysprefs_time_server_configure - sysprefs_time_server_enforce + - sysprefs_wake_network_access_disable - sysprefs_wifi_disable + - sysprefs_wifi_menu_enable - section: "Inherent" rules: - os_logical_access 
@@ -134,6 +179,7 @@ profile: - pwpolicy_force_password_change - section: "Permanent" rules: + - audit_off_load_records - os_auth_peripherals - os_secure_name_resolution - section: "not_applicable" @@ -141,7 +187,6 @@ profile: - os_access_control_mobile_devices - section: "Supplemental" rules: - - supplemental_controls - supplemental_filevault - supplemental_firewall_pf - supplemental_password_policy diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml index a43e01e1d..bc90875e4 100644 --- a/baselines/cnssi-1253.yaml +++ b/baselines/cnssi-1253.yaml @@ -7,13 +7,6 @@ authors: | |Ekkehard Koch| |Bob Gendler|National Institute of Standards and Technology |=== -title: "macOS 12.0: Security Configuration - cnssi-1253" -description: | - This guide describes the actions to take when securing a macOS 12.0 system against the cnssi-1253 baseline. -authors: | - |=== - |Name|Organization - |=== profile: - section: "authentication" rules: @@ -63,7 +56,6 @@ profile: - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable - - os_internet_accounts_prefpane_disable - os_ir_support_disable - os_mail_app_disable - os_mdm_require @@ -74,8 +66,9 @@ profile: - os_password_proximity_disable - os_password_sharing_disable - os_policy_banner_loginwindow_enforce + - os_policy_banner_ssh_configure + - os_policy_banner_ssh_enforce - os_recovery_lock_enable - - os_removable_media_disable - os_root_disable - os_screensaver_loginwindow_enforce - os_sip_enable @@ -84,7 +77,12 @@ profile: - os_ssh_fips_compliant - os_ssh_server_alive_count_max_configure - os_ssh_server_alive_interval_configure + - os_sshd_client_alive_count_max_configure + - os_sshd_client_alive_interval_configure - os_sshd_fips_compliant + - os_sshd_key_exchange_algorithm_configure + - os_sudo_timeout_configure + - os_sudoers_timestamp_type_configure - os_sudoers_tty_configure - os_tftpd_disable - os_time_server_enabled 
@@ -126,6 +124,7 @@ profile: - sysprefs_automatic_logout_enforce - sysprefs_bluetooth_disable - sysprefs_bluetooth_sharing_disable + - sysprefs_cd_dvd_sharing_disable - sysprefs_content_caching_disable - sysprefs_diagnostics_reports_disable - sysprefs_filevault_enforce @@ -138,6 +137,7 @@ profile: - sysprefs_guest_account_disable - sysprefs_hot_corners_disable - sysprefs_improve_siri_dictation_disable + - sysprefs_internet_accounts_prefpane_disable - sysprefs_internet_sharing_disable - sysprefs_location_services_disable - sysprefs_loginwindow_prompt_username_password_enforce @@ -145,6 +145,7 @@ profile: - sysprefs_personalized_advertising_disable - sysprefs_power_nap_disable - sysprefs_rae_disable + - sysprefs_remote_management_disable - sysprefs_screen_sharing_disable - sysprefs_screensaver_ask_for_password_delay_enforce - sysprefs_screensaver_password_enforce diff --git a/includes/pwpolicy.xml b/includes/pwpolicy.xml index 85d900484..3e59a98c8 100644 --- a/includes/pwpolicy.xml +++ b/includes/pwpolicy.xml @@ -102,9 +102,9 @@ policyContent - policyAttributePassword matches '(.*[A-Z].*){1,}+' + policyAttributePassword matches '(.*[A-Za-z].*){1,}+' policyIdentifier - Must have at least 1 uppercase letter + Must have at least 1 Letter policyParameters minimumAlphaCharacters diff --git a/includes/supported_payloads.yaml b/includes/supported_payloads.yaml index bb265e501..bd82a51f4 100644 --- a/includes/supported_payloads.yaml +++ b/includes/supported_payloads.yaml @@ -22,6 +22,7 @@ payloads_types: - com.apple.SubmitDiagInfo - com.apple.SystemConfiguration - com.apple.TCC.configuration-profile-policy + - com.apple.Terminal - com.apple.TextEdit - com.apple.TimeMachine - com.apple.airplay @@ -86,6 +87,7 @@ payloads_types: - com.apple.security.FDERecoveryRedirect - com.apple.security.certificatetransparency - com.apple.security.firewall + - com.apple.security.libraryvalidation - com.apple.security.pem - com.apple.security.pkcs1 - com.apple.security.pkcs12 
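Review bot: The corrected policyContent regex `(.*[A-Za-z].*){1,}+` in includes/pwpolicy.xml still wraps the character class in `.*` groups and a `{1,}+` quantifier that add nothing over matching a single letter, which makes it harder to audit against the `minimumAlphaCharacters` parameter directly below it; `policyAttributePassword matches '.*[A-Za-z].*'` states the same "at least one letter" requirement plainly. The change from `[A-Z]` to `[A-Za-z]` itself looks right given that parameter name. The new identifier text `Must have at least 1 Letter` capitalises a common noun mid-sentence; `Must have at least 1 letter` reads as the rest of the sentence does.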
diff --git a/requirements.txt b/requirements.txt index afa9bb39b..948a1cebc 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,2 @@ pyyaml -lxml xlwt diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index 0211cd2b2..bcee2de66 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -5,7 +5,7 @@ discussion: | This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files. check: | - /bin/ls -le $(/usr/bin/awk -F: '/^dir/{print $2}' /etc/security/audit_control) | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" + /bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" result: integer: 0 fix: | @@ -20,17 +20,21 @@ references: - CCI-000162 - CCI-001314 800-53r5: - - SI-11 - AU-9 800-53r4: - AU-9 - - SI-11 srg: - - N/A + - SRG-OS-000057-GPOS-00027 + - SRG-OS-000206-GPOS-00084 disa_stig: - - N/A + - APPL-12-000030 800-171r2: - 3.3.8 + cis: + benchmark: + - 3.5 (level 1) + controls v8: + - 3.3 macOS: - "12.0" tags: @@ -42,6 +46,10 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml index ef58e7306..817470d2b 100644 --- a/rules/audit/audit_acls_folders_configure.yaml +++ b/rules/audit/audit_acls_folders_configure.yaml @@ -23,11 +23,16 @@ references: 800-53r4: - AU-9 srg: - - N/A + - SRG-OS-000057-GPOS-00027 disa_stig: - - N/A + - APPL-12-000031 800-171r2: - 3.3.8 + cis: + benchmark: + - 3.5 (level 1) + controls v8: + - 3.3 macOS: - "12.0" tags: 
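Review bot: The rewritten check in audit_acls_files_configure.yaml only moves awk's own `/^dir/` pattern into a separate `/usr/bin/grep '^dir'` stage, so the pipeline gains a process without changing which line is selected; the original `/usr/bin/awk -F: '/^dir/{print $2}' /etc/security/audit_control` already did that filtering. If the grep form is preferred for readability that is fine, but the hunk reads as a behaviour fix and is not one, and the result of the command substitution is still passed to `/bin/ls` unquoted as before.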
@@ -39,6 +44,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index 9fb99ced7..bdcc2451e 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -5,7 +5,7 @@ discussion: | Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack. - The content required to be captured in an audit record varies based on the impact level of an organization’s system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked. + The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked. The information system initiates session audits at system start-up. 
@@ -54,16 +54,32 @@ references: - AU-12(3) - AU-14(1) srg: - - N/A + - SRG-OS-000037-GPOS-00015 + - SRG-OS-000038-GPOS-00016 + - SRG-OS-000039-GPOS-00017 + - SRG-OS-000040-GPOS-00018 + - SRG-OS-000041-GPOS-00019 + - SRG-OS-000042-GPOS-00020 + - SRG-OS-000042-GPOS-00021 + - SRG-OS-000055-GPOS-00026 + - SRG-OS-000254-GPOS-00095 + - SRG-OS-000255-GPOS-00096 + - SRG-OS-000303-GPOS-00120 + - SRG-OS-000337-GPOS-00129 + - SRG-OS-000358-GPOS-00145 + - SRG-OS-000359-GPOS-00146 disa_stig: - - N/A + - APPL-12-001003 800-171r2: - 3.3.1 - 3.3.2 - 3.3.7 - cisv8: - - 8.2 - - 8.5 + cis: + benchmark: + - 3.1 (level 1) + controls v8: + - 8.2 + - 8.5 macOS: - "12.0" tags: @@ -75,7 +91,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml index 8ff583de6..b8885938a 100644 --- a/rules/audit/audit_configure_capacity_notify.yaml +++ b/rules/audit/audit_configure_capacity_notify.yaml @@ -23,14 +23,15 @@ references: 800-53r4: - AU-5(1) srg: - - N/A + - SRG-OS-000343-GPOS-00134 disa_stig: - - N/A + - APPL-12-001030 macOS: - "12.0" tags: - 800-53r5_high - 800-53r4_high + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_control_acls_configure.yaml b/rules/audit/audit_control_acls_configure.yaml new file mode 100644 index 000000000..6890bd446 --- /dev/null +++ b/rules/audit/audit_control_acls_configure.yaml 
@@ -0,0 +1,41 @@ +id: audit_control_acls_configure +title: "Configure Audit_Control to Not Contain Access Control Lists" +discussion: | + /etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs). +check: | + /bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" +result: + integer: 0 +fix: | + [source,bash] + ---- + /bin/chmod -N /etc/security/audit_control + ---- +references: + cce: + - CCE-91088-5 + cci: + - N/A + 800-53r5: + - AU-9 + 800-53r4: + - AU-9 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 3.5 (level 1) + controls v8: + - 3.3 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_control_group_configure.yaml b/rules/audit/audit_control_group_configure.yaml new file mode 100644 index 000000000..b0dab4cc0 --- /dev/null +++ b/rules/audit/audit_control_group_configure.yaml @@ -0,0 +1,41 @@ +id: audit_control_group_configure +title: "Configure Audit_Control Group to Wheel" +discussion: | + /etc/security/audit_control _MUST_ have the group set to wheel. +check: | + /bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $4}' +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/bin/chgrp wheel /etc/security/audit_control + ---- +references: + cce: + - CCE-91089-3 + cci: + - N/A + 800-53r5: + - AU-9 + 800-53r4: + - AU-9 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 3.5 (level 1) + controls v8: + - 3.3 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_control_mode_configure.yaml b/rules/audit/audit_control_mode_configure.yaml new file mode 100644 index 000000000..a3b32ab77 --- /dev/null +++ b/rules/audit/audit_control_mode_configure.yaml 
@@ -0,0 +1,41 @@ +id: audit_control_mode_configure +title: "Configure Audit_Control Owner to Mode 440 or Less Permissive" +discussion: | + /etc/security/audit_control _MUST_ be configured so that it is readable only by the root user and group wheel. +check: | + /bin/ls -l /etc/security/audit_control | awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/xargs +result: + integer: 0 +fix: | + [source,bash] + ---- + /bin/chmod 440 /etc/security/audit_control + ---- +references: + cce: + - CCE-91090-1 + cci: + - N/A + 800-53r5: + - AU-9 + 800-53r4: + - AU-9 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 3.5 (level 1) + controls v8: + - 3.3 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_control_owner_configure.yaml b/rules/audit/audit_control_owner_configure.yaml new file mode 100644 index 000000000..7fd10d51b --- /dev/null +++ b/rules/audit/audit_control_owner_configure.yaml @@ -0,0 +1,41 @@ +id: audit_control_owner_configure +title: "Configure Audit_Control Owner to Root" +discussion: | + /etc/security/audit_control _MUST_ have the owner set to root. +check: | + /bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $3}' +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/sbin/chown root /etc/security/audit_control + ---- +references: + cce: + - CCE-91091-9 + cci: + - N/A + 800-53r5: + - AU-9 + 800-53r4: + - AU-9 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 3.5 (level 1) + controls v8: + - 3.3 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index ab64fff69..3cc790852 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml 
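Review bot: The title of the new audit_control_mode_configure rule, "Configure Audit_Control Owner to Mode 440 or Less Permissive", names an owner although the rule sets a mode, and its check only accepts the exact string `-r--r-----`, so a file at mode 400 — less permissive, and compliant per the title and discussion — fails the check. Suggest `title: "Configure Audit_Control to Mode 440 or Less Permissive"` and either widening the awk pattern to accept the stricter modes as well or narrowing the title to "Mode 440". The check also invokes bare `awk` while every other command in this and the sibling rules uses an absolute path; `/usr/bin/awk` keeps the check independent of the caller's PATH. The four new audit_control_* rules in this and the previous hunk also omit the `severity` key that audit_flags_configure and the existing audit rules carry, presumably an oversight.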
@@ -23,9 +23,9 @@ references: 800-53r4: - AU-5 srg: - - N/A + - SRG-OS-000047-GPOS-00023 disa_stig: - - N/A + - APPL-12-001010 800-171r2: - 3.3.4 macOS: @@ -39,6 +39,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml index 128b45999..13f89ca7c 100644 --- a/rules/audit/audit_files_group_configure.yaml +++ b/rules/audit/audit_files_group_configure.yaml @@ -25,11 +25,16 @@ references: 800-53r4: - AU-9 srg: - - N/A + - SRG-OS-000057-GPOS-00027 disa_stig: - - N/A + - APPL-12-001014 800-171r2: - 3.3.8 + cis: + benchmark: + - 3.5 (level 1) + controls v8: + - 3.3 macOS: - "12.0" tags: @@ -41,6 +46,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml index d55950494..d04328622 100644 --- a/rules/audit/audit_files_mode_configure.yaml +++ b/rules/audit/audit_files_mode_configure.yaml @@ -21,11 +21,16 @@ references: 800-53r4: - AU-9 srg: - - N/A + - SRG-OS-000057-GPOS-00027 disa_stig: - - N/A + - APPL-12-001016 800-171r2: - 3.3.8 + cis: + benchmark: + - 3.5 (level 1) + controls v8: + - 3.3 macOS: - "12.0" tags: @@ -37,6 +42,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml index 0bdcfcd1d..256baf097 100644 --- a/rules/audit/audit_files_owner_configure.yaml +++ b/rules/audit/audit_files_owner_configure.yaml 
@@ -25,11 +25,16 @@ references: 800-53r4: - AU-9 srg: - - N/A + - SRG-OS-000057-GPOS-00027 disa_stig: - - N/A + - APPL-12-001012 800-171r2: - 3.3.8 + cis: + benchmark: + - 3.5 (level 1) + controls v8: + - 3.3 macOS: - "12.0" tags: @@ -41,6 +46,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index 9754e6406..d3cda6618 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml @@ -31,16 +31,15 @@ references: - AU-12 - MA-4(1) srg: - - N/A + - SRG-OS-000470-GPOS-00214 + - SRG-OS-000472-GPOS-00217 + - SRG-OS-000473-GPOS-00218 + - SRG-OS-000475-GPOS-00220 disa_stig: - - N/A + - APPL-12-001044 800-171r2: - 3.3.1 - 3.3.2 - cisv8: - - 3.14 - - 8.2 - - 8.5 macOS: - "12.0" tags: @@ -53,7 +52,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 - - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index 0a22abc7b..a3c50467a 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -45,17 +45,22 @@ references: - AU-12 - MA-4(1) srg: - - N/A + - SRG-OS-000004-GPOS-00004 + - SRG-OS-000239-GPOS-00089 + - SRG-OS-000240-GPOS-00090 + - SRG-OS-000241-GPOS-00091 + - SRG-OS-000327-GPOS-00127 + - SRG-OS-000392-GPOS-00172 + - SRG-OS-000471-GPOS-00215 + - SRG-OS-000471-GPOS-00216 + - SRG-OS-000476-GPOS-00221 + - SRG-OS-000477-GPOS-00222 disa_stig: - - N/A + - APPL-12-001001 800-171r2: - 3.1.7 - 3.3.1 - 3.3.2 - cisv8: - - 3.14 - - 8.2 - - 8.5 macOS: - "12.0" tags: 
@@ -68,7 +73,7 @@ tags: - 800-53r5_low - 800-171 - cnssi-1253 - - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_configure.yaml b/rules/audit/audit_flags_configure.yaml new file mode 100644 index 000000000..c5e1a085a --- /dev/null +++ b/rules/audit/audit_flags_configure.yaml @@ -0,0 +1,51 @@ +id: audit_flags_configure +title: "Configure Audit Flags" +discussion: | + The auditing system _MUST_ be configured with at least the minimal flags of fm, ad, -ex, aa, -fr, lo, and -fw. +check: | + /usr/bin/sed -n 's/^flags://p' /etc/security/audit_control | /usr/bin/grep -ce 'fm,ad,\-ex,aa,\-fr,lo,\-fw' +result: + integer: 1 +fix: | + [source,bash] + ---- + /usr/bin/sed -i '' 's/^flags:.*/flags:fm,ad,\-ex,aa,\-fr,lo,\-fw/' /etc/security/audit_control; /usr/sbin/audit -s + ---- + + NOTE: NOTE: This fix will replace the contents of the flags: line in `/etc/security/audit_control`, if you have customized the flags, your changes may be overwritten. +references: + cce: + - CCE-91092-7 + cci: + - N/A + 800-53r5: + - AC-2(12) + - AU-12 + - AU-2 + - MA-4(1) + - CM-5(1) + 800-53r4: + - AU-2 + - AU-12 + - MA-4(1) + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 3.2 (level 2) + controls v8: + - 3.14 + - 8.2 + - 8.5 +macOS: + - "12.0" +tags: + - cis_lvl2 + - cisv8 +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index d0a7d7876..690e3e94d 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml @@ -37,10 +37,6 @@ references: 800-171r2: - 3.3.1 - 3.3.2 - cisv8: - - 3.14 - - 8.2 - - 8.5 macOS: - "12.0" tags: @@ -53,6 +49,5 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 - - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file 
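Review bot: The check in the new audit_flags_configure rule only passes when the flags line contains the exact substring `fm,ad,-ex,aa,-fr,lo,-fw`, so a system whose flags are ordered differently or carry additional entries fails even though the discussion asks for "at least" those flags, and the fix then overwrites that stricter configuration with the minimal set. The sibling audit_flags_*_configure rules already split the flags on commas and test each one, and the same idiom gives an order-independent check: `/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^(fm|ad|-ex|aa|-fr|lo|-fw)$'` with `result: integer: 7`. The remark under the fix also repeats its label (`NOTE: NOTE:`).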
diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index 742ae0a43..63b7a0e3b 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml @@ -37,15 +37,20 @@ references: - CM-5(1) - MA-4(1) srg: - - N/A + - SRG-OS-000064-GPOS-00033 + - SRG-OS-000365-GPOS-00152 + - SRG-OS-000458-GPOS-00203 + - SRG-OS-000461-GPOS-00205 + - SRG-OS-000463-GPOS-00207 + - SRG-OS-000465-GPOS-00209 + - SRG-OS-000466-GPOS-00210 + - SRG-OS-000467-GPOS-00211 + - SRG-OS-000468-GPOS-00212 + - SRG-OS-000474-GPOS-00219 disa_stig: - - N/A + - APPL-12-001020 800-171r2: - N/A - cisv8: - - 3.14 - - 8.2 - - 8.5 macOS: - "12.0" tags: @@ -53,7 +58,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high - - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index 7bc34da8d..c1184b1c6 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -9,7 +9,7 @@ discussion: | Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | - /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\fm' + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^fm' result: integer: 1 fix: | 
@@ -37,20 +37,24 @@ references: - CM-5(1) - MA-4(1) srg: - - N/A + - SRG-OS-000064-GPOS-00033 + - SRG-OS-000365-GPOS-00152 + - SRG-OS-000458-GPOS-00203 + - SRG-OS-000461-GPOS-00205 + - SRG-OS-000463-GPOS-00207 + - SRG-OS-000465-GPOS-00209 + - SRG-OS-000466-GPOS-00210 + - SRG-OS-000467-GPOS-00211 + - SRG-OS-000468-GPOS-00212 + - SRG-OS-000474-GPOS-00219 disa_stig: - - N/A + - APPL-12-001020 800-171r2: - N/A - cisv8: - - 3.14 - - 8.2 - - 8.5 macOS: - "12.0" tags: - stig - - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fm_failed_configure.yaml b/rules/audit/audit_flags_fm_failed_configure.yaml index d5ffe8d97..6a42be798 100644 --- a/rules/audit/audit_flags_fm_failed_configure.yaml +++ b/rules/audit/audit_flags_fm_failed_configure.yaml @@ -1,7 +1,7 @@ id: audit_flags_fm_failed_configure title: "Configure System to Audit All Failed Change of Object Attributes" discussion: | - The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (fm). + The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm). Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). @@ -37,14 +37,14 @@ references: - MA-4(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.3.1 - 3.3.2 - 3.3.8 macOS: - - "10.15" + - "12.0" tags: - 800-53r5_privacy - 800-53r5_low diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index a054a5b40..590cb5c7b 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml 
@@ -37,17 +37,22 @@ references: - CM-5(1) - MA-4(1) srg: - - N/A + - SRG-OS-000064-GPOS-00033 + - SRG-OS-000365-GPOS-00152 + - SRG-OS-000458-GPOS-00203 + - SRG-OS-000461-GPOS-00205 + - SRG-OS-000463-GPOS-00207 + - SRG-OS-000465-GPOS-00209 + - SRG-OS-000466-GPOS-00210 + - SRG-OS-000467-GPOS-00211 + - SRG-OS-000468-GPOS-00212 + - SRG-OS-000474-GPOS-00219 disa_stig: - - N/A + - APPL-12-001020 800-171r2: - 3.3.1 - 3.3.2 - 3.3.8 - cisv8: - - 3.14 - - 8.2 - - 8.5 macOS: - "12.0" tags: @@ -60,7 +65,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 - - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index f638b8003..126ce52cf 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml @@ -36,17 +36,22 @@ references: - CM-5(1) - MA-4(1) srg: - - N/A + - SRG-OS-000064-GPOS-00033 + - SRG-OS-000365-GPOS-00152 + - SRG-OS-000458-GPOS-00203 + - SRG-OS-000461-GPOS-00205 + - SRG-OS-000463-GPOS-00207 + - SRG-OS-000465-GPOS-00209 + - SRG-OS-000466-GPOS-00210 + - SRG-OS-000467-GPOS-00211 + - SRG-OS-000468-GPOS-00212 + - SRG-OS-000474-GPOS-00219 disa_stig: - - N/A + - APPL-12-001020 800-171r2: - 3.3.1 - 3.3.2 - 3.3.8 - cisv8: - - 3.14 - - 8.2 - - 8.5 macOS: - "12.0" tags: @@ -59,7 +64,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 - - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index 34453690b..0100645e0 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml 
@@ -7,7 +7,7 @@ discussion: | The information system monitors login and logout events. check: | - /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'lo' + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^lo' result: integer: 1 fix: | @@ -33,17 +33,14 @@ references: - AU-12 - MA-4(1) srg: - - N/A + - SRG-OS-000032-GPOS-00013 + - SRG-OS-000462-GPOS-00206 disa_stig: - - N/A + - APPL-12-001002 800-171r2: - 3.1.12 - 3.3.1 - 3.3.2 - cisv8: - - 3.14 - - 8.2 - - 8.5 macOS: - "12.0" tags: @@ -56,7 +53,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 - - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml index d0aefb04a..1936ef251 100644 --- a/rules/audit/audit_folder_group_configure.yaml +++ b/rules/audit/audit_folder_group_configure.yaml @@ -25,11 +25,16 @@ references: 800-53r4: - AU-9 srg: - - N/A + - SRG-OS-000057-GPOS-00027 disa_stig: - - N/A + - APPL-12-001015 800-171r2: - 3.3.8 + cis: + benchmark: + - 3.5 (level 1) + controls v8: + - 3.3 macOS: - "12.0" tags: @@ -41,6 +46,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml index afbc5db8e..267f13689 100644 --- a/rules/audit/audit_folder_owner_configure.yaml +++ b/rules/audit/audit_folder_owner_configure.yaml @@ -25,11 +25,16 @@ references: 800-53r4: - AU-9 srg: - - N/A + - SRG-OS-000057-GPOS-00027 disa_stig: - - N/A + - APPL-12-001013 800-171r2: - 3.3.8 + cis: + benchmark: + - 3.5 (level 1) + controls v8: + - 3.3 macOS: - "12.0" tags: 
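Review bot: The tightened pattern `grep -Ec '^lo'` in audit_flags_lo_configure still matches any flag token that merely starts with `lo`, and because the rule expects `integer: 1` a duplicated `lo` entry would produce 2 and fail; anchoring both ends, `/usr/bin/grep -Ec '^lo$'`, makes the match exact and the intent obvious. Note that `+lo` and `-lo` (success-only / failure-only) are rejected by the anchored form, which appears to be intended since the rule requires both login and logout events, but a one-line comment in the discussion stating that only the bare `lo` class is accepted would save the next reader from wondering. Separately, this hunk also removes the `cisv8` references and tag rather than migrating them into the `cis: controls v8:` structure used elsewhere in this change.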
@@ -41,6 +46,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml index 07e3bb467..82da5877b 100644 --- a/rules/audit/audit_folders_mode_configure.yaml +++ b/rules/audit/audit_folders_mode_configure.yaml @@ -25,11 +25,18 @@ references: 800-53r4: - AU-9 srg: - - N/A + - SRG-OS-000057-GPOS-00027 + - SRG-OS-000058-GPOS-00028 + - SRG-OS-000059-GPOS-00029 disa_stig: - - N/A + - APPL-12-001017 800-171r2: - 3.3.8 + cis: + benchmark: + - 3.5 (level 1) + controls v8: + - 3.3 macOS: - "12.0" tags: @@ -41,6 +48,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml index f3ff739f8..321f4f461 100644 --- a/rules/audit/audit_off_load_records.yaml +++ b/rules/audit/audit_off_load_records.yaml @@ -23,11 +23,15 @@ references: - N/A srg: - N/A - cisv8: - - 8.9 + cis: + benchmark: + - N/A + controls v8: + - 8.9 macOS: - "12.0" tags: - permanent + - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index 0a39cd572..c81212d23 100644 --- a/rules/audit/audit_retention_configure.yaml +++ b/rules/audit/audit_retention_configure.yaml @@ -25,12 +25,15 @@ references: - AU-4 - AU-11 srg: - - N/A + - SRG-OS-000341-GPOS-00132 disa_stig: - - N/A - cisv8: - - 8.3 - - 8.1 + - APPL-12-001029 + cis: + benchmark: + - N/A + controls v8: + - 8.3 + - 8.1 macOS: - "12.0" tags: @@ -43,6 +46,7 @@ tags: - 800-53r5_high - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/audit/audit_retention_configure_sixty_days.yaml b/rules/audit/audit_retention_configure_sixty_days.yaml new file mode 100644 index 000000000..6b61dd9c8 --- /dev/null +++ b/rules/audit/audit_retention_configure_sixty_days.yaml @@ -0,0 +1,45 @@ +id: audit_retention_configure_sixty_days +title: "Configure Audit Retention to a Minimum of Sixty Days or One Gigabyte" +discussion: | + The audit service _MUST_ be configured to require records be kept for sixty days or longer before deletion, unless the system uses a central audit record storage facility. + + When "expire-after" is set to "60d", the audit service will not delete audit logs until the log data is at least sixty days old. +check: | + /usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control +result: + string: 60d or 1G +fix: | + [source,bash] + ---- + /usr/bin/sed -i.bak 's/^expire-after.*/expire-after:60d or 1G/' /etc/security/audit_control; /usr/sbin/audit -s + ---- +references: + cce: + - CCE-91093-5 + cci: + - N/A + 800-53r5: + - AU-11 + - AU-4 + 800-53r4: + - AU-4 + - AU-11 + srg: + - N/A + disa_stig: + - N/A + cis: + benchmark: + - 3.4 (level 1) + controls v8: + - 8.3 + - 8.1 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml index f57d376ef..bff4e518a 100644 --- a/rules/audit/audit_settings_failure_notify.yaml +++ b/rules/audit/audit_settings_failure_notify.yaml 
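Review bot: The discussion in audit_retention_configure_sixty_days claims that with `expire-after:60d or 1G` the audit service "will not delete audit logs until the log data is at least sixty days old", but as I read audit_control(5) the `or` form expires trails when either condition holds, so a host that writes more than one gigabyte of audit data in under sixty days will lose records before the sixty-day mark — a point a practitioner sizing storage needs to know, and the wording should say "sixty days old or the trail exceeds one gigabyte, whichever comes first". The check's unanchored `/expire-after/` also matches a commented-out `#expire-after:` line, so `/usr/bin/awk -F: '/^expire-after/{print $2}' /etc/security/audit_control` is safer. Finally, the title says "a Minimum of Sixty Days" while the result only accepts the exact string `60d or 1G`, so a stricter `90d or 1G` would be reported as non-compliant; either state in the discussion that only the exact value is accepted or loosen the comparison. The fix's `sed` substitution is a silent no-op when no `expire-after` line exists at all.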
@@ -3,7 +3,7 @@ title: "Configure Audit Failure Notification" discussion: | The audit service _MUST_ be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. - It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system’s capability, and system operation may be adversely affected. + It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system's capability, and system operation may be adversely affected. check: | /usr/bin/grep -c "logger -s -p" /etc/security/audit_warn result: @@ -25,9 +25,9 @@ references: - AU-5 - AU-5(2) srg: - - N/A + - SRG-OS-000344-GPOS-00135 disa_stig: - - N/A + - APPL-12-001031 800-171r2: - 3.3.4 macOS: @@ -38,6 +38,7 @@ tags: - 800-53r4_high - 800-53r5_high - 800-171 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml index 1aefc2a74..8663cab4b 100644 --- a/rules/auth/auth_pam_login_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml 
@@ -5,6 +5,8 @@ discussion: | All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. + IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now require user authorization, or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. + NOTE: /etc/pam.d/login will be automatically modified to its original state following any update or major upgrade to the operating system. check: | /usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/login @@ -47,15 +49,18 @@ references: - IA-2(4) - IA-5(11) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-003050 800-171r2: - 3.5.3 - cisv8: - - 6.3 - - 6.4 - - 6.5 + cis: + benchmark: + - N/A + controls v8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: @@ -68,6 +73,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml index 611767989..ac268f909 100644 --- a/rules/auth/auth_pam_su_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml @@ -5,6 +5,8 @@ discussion: | All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. + IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now require user authorization, or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. + NOTE: /etc/pam.d/su will be automatically modified to its original state following any update or major upgrade to the operating system. check: | /usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_rootok.so)' /etc/pam.d/su 
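Review bot: The new IMPORTANT note in auth_pam_login_smartcard_enforce says PAM modification "now require user authorization" without naming the macOS version that introduced the restriction, and "now" will age badly in a document pinned to `macOS: "12.0"`; it also reads as grammar `requires`. More usefully for the operator, the note should state the consequence for this project's own remediation: the script that edits `/etc/pam.d/login` must itself run from a context granted Full Disk Access (for example a PPPC-authorized MDM agent) or the fix will fail. Suggested wording: `IMPORTANT: Beginning with macOS <version>, editing files under /etc/pam.d requires Full Disk Access; run the fix from a process authorized by a PPPC (Privacy Preferences Policy Control) profile delivered by MDM, or it will be denied.` The same text is duplicated in the su and sudo rules and should be kept in sync.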
@@ -42,15 +44,18 @@ references: - IA-2(4) - IA-5(11) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-003051 800-171r2: - 3.5.3 - cisv8: - - 6.3 - - 6.4 - - 6.5 + cis: + benchmark: + - N/A + controls v8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: @@ -63,6 +68,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml index d17a669d2..1a6510542 100644 --- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml @@ -5,6 +5,8 @@ discussion: | All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. + IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now require user authorization, or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. + NOTE: /etc/pam.d/sudo will be automatically modified to its original state following any update or major upgrade to the operating system. check: | /usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/sudo @@ -41,15 +43,18 @@ references: - IA-2(4) - IA-5(11) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-003052 800-171r2: - 3.5.3 - cisv8: - - 6.3 - - 6.4 - - 6.5 + cis: + benchmark: + - N/A + controls v8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: @@ -62,6 +67,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml index 3db7d567f..9e8f32c00 100644 --- a/rules/auth/auth_smartcard_allow.yaml +++ b/rules/auth/auth_smartcard_allow.yaml 
@@ -7,9 +7,12 @@ discussion: | When enabled, the smartcard can be used for login, authorization, and screen saver unlocking. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowSmartCard = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ + .objectForKey('allowSmartCard').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -28,10 +31,13 @@ references: - N/A disa_stig: - N/A - cisv8: - - 6.3 - - 6.4 - - 6.5 + cis: + benchmark: + - N/A + controls v8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml index 2bd446bd2..b3142cc3f 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml @@ -9,8 +9,11 @@ discussion: | NOTE: Before applying this setting, please see the smartcard supplemental guidance. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/awk '/checkCertificateTrust/{print substr($3, 1, length($3)-1)}' -result: + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ + .objectForKey('checkCertificateTrust').js + EOS +result: integer: 3 fix: | This is implemented by a Configuration Profile. @@ -27,7 +30,7 @@ references: - IA-5(2) srg: - N/A - disa_stig: + disa_stig: - N/A macOS: - "12.0" diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml index 7bc3074f3..bb4c9b77c 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml 
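Review bot: Switching the auth_smartcard_allow check from `profiles -P -o stdout` to `NSUserDefaults` with suite `com.apple.security.smartcard` changes what is being attested: the old check proved an installed configuration profile set the key, whereas the new one reports the effective preference from any source, so an admin's local `defaults write com.apple.security.smartcard allowSmartCard -bool true` now passes even though the fix says "This is implemented by a Configuration Profile" and nothing prevents a later local change. Also, the compliance scripts run as root, and a value delivered on the user channel of a profile is presumably not visible to a root-run `osascript` — confirm, since it would produce false non-compliance for user-scoped deployments. At minimum the discussion should carry a note such as `NOTE: The check reads the effective managed preference; it does not verify that the value is enforced by a configuration profile.` The same caveat applies to every rule in this change that was converted to the `osascript -l JavaScript` form.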
@@ -9,7 +9,10 @@ discussion: | NOTE: Before applying this setting, please see the smartcard supplemental guidance. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/awk '/checkCertificateTrust/{print substr($3, 1, length($3)-1)}' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ + .objectForKey('checkCertificateTrust').js + EOS result: integer: 2 fix: | @@ -19,10 +22,10 @@ references: - CCE-90882-2 cci: - CCI-000186 - - CCI-002470 - - CCI-001991 - CCI-001953 - CCI-001954 + - CCI-001991 + - CCI-002470 800-53r5: - IA-5(2) - SC-17 @@ -30,15 +33,20 @@ references: - IA-2(12) - IA-5(2) srg: - - N/A - disa_stig: - - APPL-12-XXXXXX + - SRG-OS-000376-GPOS-00161 + - SRG-OS-000377-GPOS-00162 + - SRG-OS-000384-GPOS-00167 + - SRG-OS-000403-GPOS-00182 + - SRG-OS-000067-GPOS-00035 + disa_stig: + - APPL-12-001060 macOS: - "12.0" tags: - 800-53r4_moderate - 800-53r5_moderate - cnssi-1253 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index a0f8caf88..81816275d 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml 
@@ -5,15 +5,18 @@ discussion: | The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access. - When enforceSmartCard is set to “true”, the smartcard must be used for login, authorization, and unlocking the screensaver. + When enforceSmartCard is set to "true", the smartcard must be used for login, authorization, and unlocking the screensaver. CAUTION: enforceSmartCard will apply to the whole system. No users will be able to login with their password unless the profile is removed or a user is exempt from smartcard enforcement. NOTE: enforceSmartcard requires allowSmartcard to be set to true in order to work. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'enforceSmartCard = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ + .objectForKey('enforceSmartCard').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -42,17 +45,22 @@ references: - IA-5(2) - IA-5(11) srg: - - N/A + - SRG-OS-000107-GPOS-00054 + - SRG-OS-000108-GPOS-00055 + - SRG-OS-000068-GPOS-00036 disa_stig: - - N/A + - APPL-12-003020 800-171r2: - 3.5.1 - 3.5.2 - 3.5.3 - cisv8: - - 6.3 - - 6.4 - - 6.5 + cis: + benchmark: + - N/A + controls v8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: @@ -65,6 +73,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/auth/auth_ssh_password_authentication_disable.yaml b/rules/auth/auth_ssh_password_authentication_disable.yaml index 38a279c70..943c1808f 100644 --- a/rules/auth/auth_ssh_password_authentication_disable.yaml +++ b/rules/auth/auth_ssh_password_authentication_disable.yaml @@ -48,10 +48,13 @@ references: - 3.5.2 - 3.5.3 - 3.7.5 - cisv8: - - 6.3 - - 6.4 - - 6.5 + cis: + benchmark: + - N/A + controls v8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: 
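Review bot: The rewritten auth_smartcard_enforce check reads only `enforceSmartCard`, yet the rule's own NOTE two lines above says enforcement "requires allowSmartcard to be set to true in order to work", so a host with `enforceSmartCard = true` and `allowSmartCard = false` passes this high-severity check while no smartcard enforcement is actually in effect. Either have the JXA snippet read both keys from the same suite and return `true` only when both are true, or add to the discussion `NOTE: This rule is only effective when auth_smartcard_allow also passes; include both in any baseline.` The severity `"high"` makes a silently ineffective pass here more costly than in the sibling rules.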
diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index fa467da3d..b8ff14b6f 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -1,13 +1,16 @@ id: icloud_addressbook_disable title: "Disable iCloud Address Book" discussion: | - The macOS built-in Contacts.app connection to Apple’s iCloud service _MUST_ be disabled. + The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudAddressBook = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudAddressBook').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -28,16 +31,20 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002014 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -50,6 +57,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_appleid_prefpane_disable.yaml b/rules/icloud/icloud_appleid_prefpane_disable.yaml index 2aa1ca6ed..3f206f751 100644 --- a/rules/icloud/icloud_appleid_prefpane_disable.yaml 
+++ b/rules/icloud/icloud_appleid_prefpane_disable.yaml @@ -5,7 +5,7 @@ discussion: | Disabling the system preference pane prevents login to Apple ID and iCloud. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.AppleID' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.AppleID' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: integer: 1 fix: | @@ -26,15 +26,18 @@ references: - AC-20 - AC-20(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000370-GPOS-00155 + disa_stig: + - APPL-12-002031 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -47,6 +50,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index 62a6f0614..cbf21ff69 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml 
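Review bot: The appended `awk` in icloud_appleid_prefpane_disable normalizes the count to 1/0, which fixes the multi-profile false negative, but the underlying `grep -c 'com.apple.preferences.AppleID'` still passes whenever that bundle identifier appears anywhere in the profile dump, including, presumably, in a key that enables rather than disables preference panes — confirm which keys can carry it. Anchoring the match on the restricting key (the disabled-panes list) rather than the bare identifier would make the check attest the intended state; this rule is also the one iCloud rule left on `profiles -P` while its siblings moved to `NSUserDefaults`, which is worth a one-line comment in the check explaining why (the value is a list, not a scalar).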
@@ -3,11 +3,14 @@ title: "Disable iCloud Bookmarks" discussion: | The macOS built-in Safari.app bookmark synchronization via the iCloud service _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated bookmark synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated bookmark synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudBookmarks = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudBookmarks').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -28,16 +31,20 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002042 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -50,6 +57,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index c8c06ff30..e992d9ad8 100644 --- a/rules/icloud/icloud_calendar_disable.yaml +++ b/rules/icloud/icloud_calendar_disable.yaml 
@@ -1,13 +1,16 @@ id: icloud_calendar_disable title: "Disable the iCloud Calendar Services" discussion: | - The macOS built-in Calendar.app connection to Apple’s iCloud service _MUST_ be disabled. + The macOS built-in Calendar.app connection to Apple's iCloud service _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization _MUST_ be controlled by an organization approved service. -check: - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudCalendar = 0' + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization _MUST_ be controlled by an organization approved service. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudCalendar').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -28,16 +31,20 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002012 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -50,6 +57,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index c99985d44..1119ce038 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml 
@@ -3,11 +3,14 @@ title: "Disable iCloud Document Sync" discussion: | The macOS built-in iCloud document synchronization service _MUST_ be disabled to prevent organizational data from being synchronized to personal or non-approved storage. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated document synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated document synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudDocumentSync = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudDocumentSync').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -28,16 +31,20 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002041 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -50,6 +57,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index fa648805a..fb4ed6a76 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml 
@@ -1,13 +1,16 @@ id: icloud_keychain_disable title: "Disable iCloud Keychain Sync" discussion: | - The macOS system’s ability to automatically synchronize a user’s passwords to their iCloud account _MUST_ be disabled. + The macOS system's ability to automatically synchronize a user's passwords to their iCloud account _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudKeychainSync = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudKeychainSync').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -28,16 +31,20 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002040 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -50,6 +57,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index 842a139fe..4ac93192e 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml 
@@ -1,13 +1,16 @@ id: icloud_mail_disable title: "Disable iCloud Mail" discussion: | - The macOS built-in Mail.app connection to Apple’s iCloud service _MUST_ be disabled. + The macOS built-in Mail.app connection to Apple's iCloud service _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated mail synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated mail synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudMail = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudMail').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -28,16 +31,20 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002015 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -50,6 +57,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index f09c04bd7..e6eadbdc0 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml 
@@ -1,13 +1,16 @@ id: icloud_notes_disable title: "Disable iCloud Notes" discussion: | - The macOS built-in Notes.app connection to Apple’s iCloud service _MUST_ be disabled. + The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudNotes = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudNotes').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -28,16 +31,20 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002016 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -50,6 +57,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index 6e7735cc8..076d59d16 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml 
@@ -1,13 +1,16 @@ id: icloud_photos_disable title: "Disable iCloud Photo Library" discussion: | - The macOS built-in Photos.app connection to Apple’s iCloud service _MUST_ be disabled. + The macOS built-in Photos.app connection to Apple's iCloud service _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudPhotoLibrary = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudPhotoLibrary').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -28,16 +31,20 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002043 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -50,6 +57,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml index cc53ef6d2..bbbdecd61 100644 --- a/rules/icloud/icloud_private_relay_disable.yaml +++ b/rules/icloud/icloud_private_relay_disable.yaml 
@@ -5,9 +5,12 @@ discussion: | Network administrators can also prevent the use of this feature by blocking DNS resolution of mask.icloud.com and mask-h2.icloud.com. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudPrivateRelay = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudPrivateRelay').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -33,10 +36,13 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index fc59d0b4e..800f14f0a 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml 
@@ -1,13 +1,16 @@ id: icloud_reminders_disable title: "Disable iCloud Reminders" discussion: | - The macOS built-in Reminders.app connection to Apple’s iCloud service _MUST_ be disabled. + The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudReminders = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudReminders').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -28,16 +31,20 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002013 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -50,6 +57,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index c76df61d4..6cb4ce2bc 100644 --- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml 
@@ -1,13 +1,16 @@ id: icloud_sync_disable title: "Disable iCloud Desktop and Document Folder Sync" discussion: | - The macOS system’s ability to automatically synchronize a user’s desktop and documents folder to their iCloud Drive _MUST_ be disabled. + The macOS system's ability to automatically synchronize a user's desktop and documents folder to their iCloud Drive _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudDesktopAndDocuments = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudDesktopAndDocuments').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -33,10 +36,13 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - 2.6.1.4 (level 2) + controls v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: @@ -48,6 +54,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_access_control_mobile_devices.yaml b/rules/os/os_access_control_mobile_devices.yaml index 73e808f5d..89bbffe53 100644 --- a/rules/os/os_access_control_mobile_devices.yaml +++ b/rules/os/os_access_control_mobile_devices.yaml @@ -23,8 +23,11 @@ references: - N/A srg: - N/A - cisv8: - - 6.4 + cis: + benchmark: + - N/A + controls v8: + - 6.4 macOS: - "12.0" tags: 
diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 15c214d9f..d1539aa70 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -5,9 +5,12 @@ discussion: AirDrop allows users to share and receive files from other nearby Apple devices. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowAirDrop = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowAirDrop').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -26,19 +29,22 @@ references: - AC-3 - AC-20 srg: - - N/A + - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-12-002009 800-171r2: - 3.1.1 - 3.1.2 - 3.1.16 - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 6.7 + cis: + benchmark: + - 2.4.11 (level 1) + controls v8: + - 4.1 + - 4.8 + - 6.7 macOS: - "12.0" tags: @@ -50,7 +56,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml index bf0150289..3c7d4aa71 100644 --- a/rules/os/os_anti_virus_installed.yaml +++ b/rules/os/os_anti_virus_installed.yaml 
@@ -1,14 +1,18 @@ id: os_anti_virus_installed title: "Must Use an Approved Antivirus Program" discussion: | - An approved antivirus product _MUST_ be installed and configured to run. + An approved antivirus product _MUST_ be installed and configured to run. - Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system. + Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.' check: | - Ask the System Administrator (SA) or Information System Security Officer (ISSO) if an approved antivirus solution is loaded on the system. The antivirus solution may be bundled with an approved host-based security solution. - If there is no local antivirus solution installed on the system, this is a finding. + /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.mrt" => false' +result: + integer: 1 fix: | - Install an approved antivirus solution onto the system. + [source,bash] + ---- + /bin/launchctl enable system/com.apple.mrt + ---- references: cce: - CCE-90900-2 @@ -19,13 +23,13 @@ references: 800-53r4: - SI-2 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-002070 macOS: - "12.0" tags: - - manual + - stig severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml index eeb9bdb2d..db4a1e0c6 100644 --- a/rules/os/os_appleid_prompt_disable.yaml +++ b/rules/os/os_appleid_prompt_disable.yaml 
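Review bot: The new check only verifies that the `com.apple.mrt` launchd service is not disabled, which is much narrower than the title and discussion ("an approved antivirus product _MUST_ be installed and configured to run"): MRT is Apple's periodic malware-removal tool, a host with no antivirus at all still passes, and the `fix` (`launchctl enable system/com.apple.mrt`) installs nothing. Either narrow the title/discussion to "Apple's Malware Removal Tool must be enabled" or keep the rule manual. I would also verify on a fresh Monterey install that `launchctl print-disabled system` lists `"com.apple.mrt" => false` at all, since a default system with no override entry may otherwise count 0 and fail. Separately, the edited discussion line now ends with a stray `'` (`operating system.'`), and `APPL-12-002070` is also assigned to `os_config_data_install_enforce` later in this commit — confirm the double mapping is intended.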
@@ -5,9 +5,12 @@ discussion: | macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first login. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipCloudSetup = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ + .objectForKey('SkipCloudSetup').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -20,14 +23,17 @@ references: 800-53r4: - AC-20 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002035 800-171r2: - 3.1.20 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -40,6 +46,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml index 8683137b1..7c054ed48 100644 --- a/rules/os/os_asl_log_files_owner_group_configure.yaml +++ b/rules/os/os_asl_log_files_owner_group_configure.yaml @@ -23,9 +23,9 @@ references: 800-53r4: - SI-11 srg: - - N/A + - SRG-OS-000206-GPOS-00084 disa_stig: - - N/A + - APPL-12-004001 800-171r2: - N/A macOS: @@ -33,6 +33,7 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml index c556e28e5..55ec4bd06 100644 --- a/rules/os/os_asl_log_files_permissions_configure.yaml +++ b/rules/os/os_asl_log_files_permissions_configure.yaml 
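Review bot: `SkipCloudSetup` is now read from `com.apple.SetupAssistant.managed` via NSUserDefaults, which returns whatever value is effective, not necessarily one delivered by a profile; the old `profiles -P` grep implicitly required a profile. If management is the intent, add `.objectIsForcedForKey('SkipCloudSetup')` to the check as well. A missing key yields `undefined` rather than `"true"`, so the unset case still fails correctly.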
@@ -21,9 +21,9 @@ references: 800-53r4: - SI-11 srg: - - N/A + - SRG-OS-000206-GPOS-00084 disa_stig: - - N/A + - APPL-12-004002 800-171r2: - N/A macOS: @@ -31,6 +31,7 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml index b4ed22e3c..403dcb0eb 100644 --- a/rules/os/os_auth_peripherals.yaml +++ b/rules/os/os_auth_peripherals.yaml @@ -21,9 +21,12 @@ references: - N/A 800-171r2: - 3.5.1 - - 3.5.2 - cisv8: - - 13.9 + - 3.5.2 + cis: + benchmark: + - N/A + controls v8: + - 13.9 macOS: - "12.0" tags: diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml index 38269918c..83e277d0e 100644 --- a/rules/os/os_authenticated_root_enable.yaml +++ b/rules/os/os_authenticated_root_enable.yaml @@ -42,8 +42,11 @@ references: - 3.1.1 - 3.1.2 - 3.4.5 - cisv8: - - 3.3 + cis: + benchmark: + - 5.1.5 (level 1) + controls v8: + - 3.3 macOS: - "12.0" tags: @@ -55,6 +58,8 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml new file mode 100644 index 000000000..ad2a56c35 --- /dev/null +++ b/rules/os/os_blank_bluray_disable.yaml 
@@ -0,0 +1,53 @@
+id: os_blank_bluray_disable
+title: "Disable Blank Blu Ray"
+discussion: |
+ Blank Blu Ray media _MUST_ be disabled.
+
+ [IMPORTANT]
+ ====
+ Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
+ ====
+
+ [IMPORTANT]
+ ====
+ Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements.
+ ====
+check: |
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
+ .objectForKey('mount-controls'))["blankbd"]
+ EOS
+result:
+ string: "deny,eject"
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-91094-3
+ cci:
+ - CCI-000366
+ - CCI-001967
+ 800-53r5:
+ - MP-7
+ 800-53r4:
+ - MP-7(1)
+ srg:
+ - SRG-OS-000480-GPOS-00227
+ - SRG-OS-000319-GPOS-00164
+ disa_stig:
+ - APPL-12-005051
+ 800-171r2:
+ - 3.8.8
+macOS:
+ - "12.0"
+tags:
+ - stig
+severity: "medium"
+mobileconfig: true
+mobileconfig_info:
+ com.apple.systemuiserver:
+ mount-controls:
+ blankbd:
+ - alert
+ - eject
+
diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml
new file mode 100644
index 000000000..0033dd5f0
--- /dev/null
+++ b/rules/os/os_blank_cd_disable.yaml
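Review bot: The check requires `mount-controls["blankbd"]` to equal `deny,eject`, but the `mobileconfig_info` payload this rule generates sets `blankbd` to `alert, eject`, so a host that applies the generated profile still fails its own check. Given the title "Disable Blank Blu Ray", the payload should read `- deny` / `- eject`. The first IMPORTANT block also talks about "external hard drives", which looks copied from the USB rule, and `fullfill` should be `fulfill`.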
@@ -0,0 +1,52 @@
+id: os_blank_cd_disable
+title: "Disable Blank CD"
+discussion: |
+ Blank CD media _MUST_ be disabled.
+
+ [IMPORTANT]
+ ====
+ Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
+ ====
+
+ [IMPORTANT]
+ ====
+ Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements.
+ ====
+check: |
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
+ .objectForKey('mount-controls'))["blankcd"]
+ EOS
+result:
+ string: "deny,eject"
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-91095-0
+ cci:
+ - CCI-000366
+ - CCI-001967
+ 800-53r5:
+ - MP-7
+ 800-53r4:
+ - MP-7(1)
+ srg:
+ - SRG-OS-000480-GPOS-00227
+ - SRG-OS-000319-GPOS-00164
+ disa_stig:
+ - APPL-12-005051
+ 800-171r2:
+ - 3.8.8
+macOS:
+ - "12.0"
+tags:
+ - stig
+severity: "medium"
+mobileconfig: true
+mobileconfig_info:
+ com.apple.systemuiserver:
+ mount-controls:
+ blankcd:
+ - alert
+ - eject
\ No newline at end of file
diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml
new file mode 100644
index 000000000..0ab72723a
--- /dev/null
+++ b/rules/os/os_blank_dvd_disable.yaml
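Review bot: Same payload/check mismatch as the Blu-ray rule: `result` demands `deny,eject` for `blankcd`, while `mobileconfig_info` writes `alert, eject`, so the generated profile never satisfies the check. Change the payload to `- deny` / `- eject` (or, if alerting is the intended posture, the expected string), and the "external hard drives" wording in the ISSO note should say blank CDs.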
@@ -0,0 +1,52 @@ +id: os_blank_dvd_disable +title: "Disable Blank DVD" +discussion: | + Blank DVD media _MUST_ be disabled. + + [IMPORTANT] + ==== + Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== + + [IMPORTANT] + ==== + Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + ==== +check: | + /usr/bin/osascript -l JavaScript << EOS + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ + .objectForKey('mount-controls'))["blankdvd"] + EOS +result: + string: "deny,eject" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91096-8 + cci: + - CCI-000366 + - CCI-001967 + 800-53r5: + - MP-7 + 800-53r4: + - MP-7(1) + srg: + - SRG-OS-000480-GPOS-00227 + - SRG-OS-000319-GPOS-00164 + disa_stig: + - APPL-12-005051 + 800-171r2: + - 3.8.8 +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systemuiserver: + mount-controls: + blankdvd: + - alert + - eject \ No newline at end of file diff --git a/rules/os/os_bluray_read_only_enforce.yaml b/rules/os/os_bluray_read_only_enforce.yaml new file mode 100644 index 000000000..913e22b70 --- /dev/null +++ b/rules/os/os_bluray_read_only_enforce.yaml 
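Review bot: The `blankdvd` payload is `alert, eject` but the check expects `deny,eject`, so this rule fails on a host that has applied its own profile; set the payload to `- deny` / `- eject`. Note that all five media rules in this commit map to the single STIG `APPL-12-005051` — fine if intended, but then each rule's discussion should name the specific media type rather than the copied "external hard drives" text.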
@@ -0,0 +1,52 @@ +id: os_bluray_read_only_enforce +title: "Enforce Blu Ray Read Only" +discussion: | + Blu Ray media _MUST_ be set to read only. + + [IMPORTANT] + ==== + Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== + + [IMPORTANT] + ==== + Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + ==== +check: | + /usr/bin/osascript -l JavaScript << EOS + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ + .objectForKey('mount-controls'))["bd"] + EOS +result: + string: "read-only" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91097-6 + cci: + - CCI-000366 + - CCI-001967 + 800-53r5: + - MP-7 + 800-53r4: + - MP-7(1) + srg: + - SRG-OS-000480-GPOS-00227 + - SRG-OS-000319-GPOS-00164 + disa_stig: + - APPL-12-005051 + 800-171r2: + - 3.8.8 +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systemuiserver: + mount-controls: + bd: + - read-only + diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml index c6b2ad77f..7ef39c634 100644 --- a/rules/os/os_bonjour_disable.yaml +++ b/rules/os/os_bonjour_disable.yaml 
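Review bot: When no `mount-controls` dictionary is present, `objectForKey` returns nil and, as far as I can tell, `ObjC.unwrap(...)["bd"]` then throws a TypeError, so osascript exits with a script error on stderr instead of printing a value; the rule still fails, but the compliance log shows a JavaScript exception rather than a clean non-compliant result. Guarding the lookup keeps the output deterministic: `(ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver').objectForKey('mount-controls')) || {})["bd"]`. The same applies to the other `mount-controls` checks added in this commit.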
@@ -3,9 +3,12 @@ title: "Disable Bonjour Multicast" discussion: | Bonjour multicast advertising _MUST_ be disabled to prevent the system from broadcasting its presence and available services over network interfaces. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'NoMulticastAdvertisements = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mDNSResponder')\ + .objectForKey('NoMulticastAdvertisements').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -20,14 +23,17 @@ references: - CM-7 - CM-7(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002005 800-171r2: - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 4.1 (level 2) + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -39,7 +45,9 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_burn_support_disable.yaml b/rules/os/os_burn_support_disable.yaml new file mode 100644 index 000000000..529218e64 --- /dev/null +++ b/rules/os/os_burn_support_disable.yaml 
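Review bot: `NoMulticastAdvertisements` is read from `com.apple.mDNSResponder` with NSUserDefaults, which returns the effective value whether it came from the profile or from a local `defaults write`; the replaced `profiles -P` grep only matched an installed profile. If the rule is meant to prove management (the fix says it is profile-implemented), add an `objectIsForcedForKey('NoMulticastAdvertisements')` test alongside the value check.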
@@ -0,0 +1,39 @@
+id: os_burn_support_disable
+title: "Disable Burn Support"
+discussion:
+ Burn support _MUST_ be disabled.
+
+ [IMPORTANT]
+ ====
+ Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
+ ====
+check: |
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(ProhibitBurn = 0|BurnSupport = "off")'
+result:
+ integer: 2
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-91098-4
+ cci:
+ - CCI-000366
+ 800-53r5:
+ - MP-7
+ 800-53r4:
+ - MP-7(1)
+ srg:
+ - SRG-OS-000480-GPOS-00227
+ disa_stig:
+ - APPL-12-005053
+macOS:
+ - "12.0"
+tags:
+ - stig
+severity: "low"
+mobileconfig: true
+mobileconfig_info:
+ com.apple.finder:
+ ProhibitBurn: true
+ com.apple.DiscRecording:
+ BurnSupport: "off"
\ No newline at end of file
diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml
index 4b84c4101..3015309ad 100644
--- a/rules/os/os_calendar_app_disable.yaml
+++ b/rules/os/os_calendar_app_disable.yaml
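Review bot: The check greps for `ProhibitBurn = 0`, but the payload sets `ProhibitBurn: true`, which `profiles -P -o stdout` renders as `ProhibitBurn = 1`; with the generated profile installed the count is 1, not the expected 2, so a remediated host fails. The pattern should be `'(ProhibitBurn = 1|BurnSupport = "off")'`. Also `discussion:` is missing the `|` block-scalar indicator every other rule uses, so the `[IMPORTANT]`/`====` lines fold into one paragraph and the admonition will not render.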
@@ -7,10 +7,23 @@ discussion: | ==== Some organizations allow the use of the built-in Calendar.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== -check: - /usr/bin/profiles -P -o stdout | /usr/bin/grep -A 20 familyControlsEnabled | /usr/bin/grep -c "/Applications/Calendar.app" +check: | + /usr/bin/osascript -l JavaScript << EOS + function run() { + let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ + .objectForKey('familyControlsEnabled')) + let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ + .objectForKey('pathBlackList').js + for ( let app in pathlist ) { + if ( ObjC.unwrap(pathlist[app]) == "/Applications/Calendar.app" && pref1 == true ){ + return("true") + } + } + return("false") + } + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -33,9 +46,12 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml index 3fb18df08..b421c3673 100644 --- a/rules/os/os_camera_disable.yaml +++ b/rules/os/os_camera_disable.yaml @@ -3,9 +3,12 @@ title: "Disable Camera" discussion: | macOS _MUST_ be configured to disable the camera. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCamera = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCamera').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: 
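Review bot: `result` expects `"false"`, but the JXA `run()` returns `"true"` exactly when `/Applications/Calendar.app` is in `pathBlackList` with `familyControlsEnabled` true — the compliant state for a "Disable Calendar.app" rule — and the otherwise identical FaceTime check later in this commit expects `"true"`. As written a restricted host fails and an unrestricted one passes; change it to `string: "true"`. While here, the ISSO note in this file says "not to disable the macOS built-in Mail.app", which should read Calendar.app.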
@@ -20,13 +23,14 @@ references: 800-53r4: - N/A srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002017 macOS: - "12.0" tags: - - none + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_cd_read_only_enforce.yaml b/rules/os/os_cd_read_only_enforce.yaml new file mode 100644 index 000000000..fd3cd518e --- /dev/null +++ b/rules/os/os_cd_read_only_enforce.yaml @@ -0,0 +1,51 @@ +id: os_cd_read_only_enforce +title: "Enforce CD Read Only" +discussion: | + CD media _MUST_ be set to read only. + + [IMPORTANT] + ==== + Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== + + [IMPORTANT] + ==== + Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + ==== +check: | + /usr/bin/osascript -l JavaScript << EOS + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ + .objectForKey('mount-controls'))["cd"] + EOS +result: + string: "read-only" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91099-2 + cci: + - CCI-000366 + - CCI-001967 + 800-53r5: + - MP-7 + 800-53r4: + - MP-7(1) + srg: + - SRG-OS-000480-GPOS-00227 + - SRG-OS-000319-GPOS-00164 + disa_stig: + - APPL-12-005051 + 800-171r2: + - 3.8.8 +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systemuiserver: + mount-controls: + cd: + - read-only \ No newline at end of file diff --git a/rules/os/os_certificate_authority_trust.yaml b/rules/os/os_certificate_authority_trust.yaml index e1ced3826..ce5812349 100644 
--- a/rules/os/os_certificate_authority_trust.yaml +++ b/rules/os/os_certificate_authority_trust.yaml @@ -18,10 +18,8 @@ references: - SC-17 800-53r4: - SC-17 - disa_stig: - - N/A - srg: - - N/A + disa_stig: + - APPL-12-003001 macOS: - "12.0" tags: @@ -31,6 +29,7 @@ tags: - 800-53r4_high - cnssi-1253 - manual + - stig severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index 87ac56322..19e7a7350 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml @@ -9,38 +9,48 @@ discussion: | NOTE: Software update will automatically update XProtect, MRT, and Gatekeeper by default in the macOS. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ConfigDataInstall = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ + .objectForKey('ConfigDataInstall').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: cce: - CCE-90913-5 cci: - - N/A + - CCI-000366 800-53r5: - SI-3 - SI-2(5) 800-53r4: - N/A srg: - - N/A + - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A + - APPL-12-002070 800-171r2: - N/A - cisv8: - - 10.1 - - 10.2 - - 10.4 + cis: + benchmark: + - 1.5 (level 1) + controls v8: + - 10.1 + - 10.2 + - 10.4 macOS: - "12.0" tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig +severity: "high" mobileconfig: true mobileconfig_info: com.apple.SoftwareUpdate: diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index 57f10e7cf..2cb596bb0 100644 --- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml 
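Review bot: The os_certificate_authority_trust hunk removes the `srg:` key entirely instead of replacing `N/A` with the SRG that `APPL-12-003001` maps to; every other rule touched in this commit keeps `srg`, and a generator that reads `references.srg` unconditionally would now fail on this file. Restore `srg:` with the matching SRG (or `- N/A` if none). In os_config_data_install_enforce, `APPL-12-002070` is the same STIG id given to os_anti_virus_installed earlier in this commit, and `severity: "high"` is introduced for a rule that previously carried none — confirm both against the published STIG.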
@@ -5,7 +5,7 @@ discussion: | A directory service infrastructure enables centralized user and rights management, as well as centralized control over computer and user configurations. Integrating the macOS systems used throughout an organization into a directory services infrastructure ensures more administrator oversight and security than allowing distinct user account databases to exist on each separate system. check: | - /usr/bin/dscl localhost -list . | /usr/bin/grep -vE '(Contact|Search|Local|^$)'; /bin/echo $? + /usr/bin/dscl localhost -list . | /usr/bin/grep -qvE '(Contact|Search|Local|^$)'; /bin/echo $? result: integer: 0 fix: | @@ -20,15 +20,19 @@ references: 800-53r4: - N/A srg: - - N/A + - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A - cisv8: - - 6.7 + - APPL-12-000016 + cis: + benchmark: + - N/A + controls v8: + - 6.7 macOS: - "12.0" tags: - cisv8 + - stig severity: "high" mobileconfig: mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml new file mode 100644 index 000000000..16ee61772 --- /dev/null +++ b/rules/os/os_disk_image_disable.yaml 
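Review bot: With `-q` the check now exits 0 as soon as `dscl localhost -list .` lists any node other than Contacts/Search/Local, which only proves a directory node is configured, not that the bind is healthy; the previous form at least printed the node names as evidence for the report. If an active bind is what the rule wants, pair the node test with a read against it (for AD, `/usr/sbin/dsconfigad -show | /usr/bin/grep -c 'Active Directory Domain'`). If dropping the printed node names was deliberate to keep stdout to a single integer, a short comment in the rule saying so would help the next reader.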
@@ -0,0 +1,52 @@ +id: os_disk_image_disable +title: "Disable Disk Images" +discussion: | + Disk images _MUST_ be disabled. + + [IMPORTANT] + ==== + Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== + + [IMPORTANT] + ==== + Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + ==== +check: | + /usr/bin/osascript -l JavaScript << EOS + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ + .objectForKey('mount-controls'))["disk-image"] + EOS +result: + string: "deny,eject" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91100-8 + cci: + - CCI-000366 + - CCI-001967 + 800-53r5: + - MP-7 + 800-53r4: + - MP-7(1) + srg: + - SRG-OS-000480-GPOS-00227 + - SRG-OS-000319-GPOS-00164 + disa_stig: + - APPL-12-005051 + 800-171r2: + - 3.8.8 +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systemuiserver: + mount-controls: + disk-image: + - alert + - eject \ No newline at end of file diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml new file mode 100644 index 000000000..c1eb08a85 --- /dev/null +++ b/rules/os/os_dvdram_disable.yaml 
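Review bot: The `disk-image` payload is `alert, eject` while the check expects `deny,eject`, so applying this rule's own profile does not make the check pass; set the payload to `- deny` / `- eject` to match the title "Disable Disk Images". The ISSO note should also refer to disk images rather than "external hard drives".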
@@ -0,0 +1,53 @@
+id: os_dvdram_disable
+title: "Disable Blank CD"
+discussion: |
+ Blank CD media _MUST_ be disabled.
+
+ [IMPORTANT]
+ ====
+ Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
+ ====
+
+ [IMPORTANT]
+ ====
+ Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements.
+ ====
+check: |
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
+ .objectForKey('mount-controls'))["dvdram"]
+ EOS
+result:
+ string: "deny,eject"
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-91101-6
+ cci:
+ - CCI-000366
+ - CCI-001967
+ 800-53r5:
+ - MP-7
+ 800-53r4:
+ - MP-7(1)
+ srg:
+ - SRG-OS-000480-GPOS-00227
+ - SRG-OS-000319-GPOS-00164
+ disa_stig:
+ - APPL-12-005051
+ 800-171r2:
+ - 3.8.8
+macOS:
+ - "12.0"
+tags:
+ - stig
+severity: "medium"
+mobileconfig: true
+mobileconfig_info:
+ com.apple.systemuiserver:
+ mount-controls:
+ dvdram:
+ - alert
+ - eject
+
diff --git a/rules/os/os_efi_integrity_validated.yaml b/rules/os/os_efi_integrity_validated.yaml
new file mode 100644
index 000000000..2f4b80f84
--- /dev/null
+++ b/rules/os/os_efi_integrity_validated.yaml
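Review bot: `os_dvdram_disable` carries the title "Disable Blank CD" and the discussion "Blank CD media _MUST_ be disabled", copied from the blank-CD rule; they should read `title: "Disable DVD-RAM"` and "DVD-RAM media _MUST_ be disabled." The same payload/check mismatch as the other media rules is present too: `dvdram` is set to `alert, eject` while the check expects `deny,eject`, so the payload should be `- deny` / `- eject`.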
@@ -0,0 +1,35 @@ +id: os_efi_integrity_validated +title: "Ensure Extensible Firmware Interface Version is Valid" +discussion: | + The macOS Extensible Firmware Interface (EFI) _MUST_ be checked to ensure it is a known good version from Apple. +check: | + if /usr/sbin/ioreg -w 0 -c AppleSEPManager | /usr/bin/grep -q AppleSEPManager; then echo "1"; else /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check | /usr/bin/grep -c "No changes detected"; fi +result: + integer: 1 +fix: | + Install a known good version of macOS. +references: + cce: + - CCE-91102-4 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.11 (level 1) + controls v8: + - 2.2 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 + - i386 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_erase_content_and_settings_disable.yaml b/rules/os/os_erase_content_and_settings_disable.yaml new file mode 100644 index 000000000..bfffabd60 --- /dev/null +++ b/rules/os/os_erase_content_and_settings_disable.yaml @@ -0,0 +1,37 @@ +id: os_erase_content_and_settings_disable +title: "Disable Erase Content and Settings" +discussion: + Erase Content and Settings _MUST_ be disabled. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowEraseContentAndSettings').js + EOS +result: + string: "false" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91103-2 + cci: + - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(1) + 800-53r4: + - CM-7 + - CM-7(1) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-005061 +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowEraseContentAndSettings: false 
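Review bot: The `if` branch echoes `1` for any Mac whose IORegistry contains an `AppleSEPManager` class, which as far as I know matches T2 Intel Macs as well as Apple silicon, so `eficheck` is never run on T2 hardware even though the rule is tagged `i386`. If the intent is to skip only Apple silicon, `[ "$(/usr/bin/uname -m)" = "arm64" ]` is the more precise test; if skipping T2 is intended because the T2 verifies firmware itself, say so in the discussion so auditors do not read the unconditional `1` as a real check. The `fix` ("Install a known good version of macOS") also understates a failed integrity check, which is a potential firmware-compromise incident and should be reported before any reinstall. In the second hunk, `discussion:` for os_erase_content_and_settings_disable lacks the `|` indicator used elsewhere.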
diff --git a/rules/os/os_ess_installed.yaml b/rules/os/os_ess_installed.yaml
new file mode 100644
index 000000000..5fe7045d1
--- /dev/null
+++ b/rules/os/os_ess_installed.yaml
@@ -0,0 +1,33 @@
+id: os_ess_installed
+title: "Must Use ESS"
+discussion: |
+ The approved ESS solution _MUST_ be installed and configured to run.
+
+ The macOS system must employ automated mechanisms to determine the state of system components. The DoD requires the installation and use of an approved ESS solution to be implemented on the operating system. For additional information, reference all applicable ESS OPORDs and FRAGOs on SIPRNET.
+check: |
+ Ask the System Administrator (SA) or Information System Security Officer (ISSO) if the approved ESS solution is loaded on the system.
+ If the installed components of the ESS solution are not at the DoD approved minimal versions, this is a finding.
+fix: |
+ Install the approved ESS solution onto the system.
+references:
+ cce:
+ - CCE-90930-9
+ cci:
+ - CCI-001233
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - SI-2(2)
+ srg:
+ - SRG-OS-000191-GPOS-00080
+ disa_stig:
+ - APPL-12-000015
+macOS:
+ - "12.0"
+tags:
+ - manual
+ - cisv8
+ - stig
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml
index 2557d62c5..ecb6433ad 100644
--- a/rules/os/os_facetime_app_disable.yaml
+++ b/rules/os/os_facetime_app_disable.yaml
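Review bot: The rule is tagged `cisv8` but `references` has no `cis:`/`controls v8` entry, unlike every other cisv8-tagged rule in this commit, so the CIS Controls baseline would pick it up with no control mapping (or fail generation if the generator expects the key). Either add the `controls v8` mapping or drop the tag. "ESS" is also never expanded; `Endpoint Security Solution (ESS)` on first use in the discussion would help readers outside DoD.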
@@ -3,11 +3,24 @@ title: "Disable FaceTime.app" discussion: | The macOS built-in FaceTime.app _MUST_ be disabled. - The FaceTime.app establishes a connection to Apple’s iCloud service, even when security controls have been put in place to disable iCloud access. + The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -A 20 familyControlsEnabled | /usr/bin/grep -c "/Applications/FaceTime.app" + /usr/bin/osascript -l JavaScript << EOS + function run() { + let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ + .objectForKey('familyControlsEnabled')) + let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ + .objectForKey('pathBlackList').js + for ( let app in pathlist ) { + if ( ObjC.unwrap(pathlist[app]) == "/Applications/FaceTime.app" && pref1 == true ){ + return("true") + } + } + return("false") + } + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -31,9 +44,12 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/os/os_filevault_authorized_users.yaml b/rules/os/os_filevault_authorized_users.yaml index a78d98b46..c0ac40c49 100644 --- a/rules/os/os_filevault_authorized_users.yaml +++ b/rules/os/os_filevault_authorized_users.yaml @@ -23,14 +23,15 @@ references: 800-53r4: - N/A srg: - - N/A + - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A + - APPL-12-000032 macOS: - "12.0" tags: - 800-53r5_high - manual + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml index 510645fe8..f26f1cd3a 100644 
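Review bot: The `run()` function added to this check is repeated verbatim in os_mail_app_disable and os_messages_app_disable with only the application path changed, so a future change to the `pathBlackList` key or to how `familyControlsEnabled` is unwrapped has to be made in three places. Consider factoring the path into one shared check template, or at minimum add a comment in each noting the other two copies. Separately, `pref1` is read here with `ObjC.unwrap(...)` while os_firewall_log_enable reads the same kind of boolean with `.js` and compares `== true`; pick one convention so the checks behave the same when the key is absent.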
--- a/rules/os/os_filevault_autologin_disable.yaml +++ b/rules/os/os_filevault_autologin_disable.yaml @@ -7,9 +7,12 @@ discussion: | NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon based macOS systems that are smartcard enforced as smartcards are available at pre-boot. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableFDEAutoLogin = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ + .objectForKey('DisableFDEAutoLogin').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -24,17 +27,18 @@ references: - AC-3 - IA-5(13) srg: - - N/A + - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A - cci: - - CCI-002143 + - APPL-12-000033 800-171r2: - 3.1.1 - 3.1.2 - cisv8: - - 3.3 - - 6.7 + cis: + benchmark: + - N/A + controls v8: + - 3.3 + - 6.7 macOS: - "12.0" tags: @@ -47,6 +51,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml index 8901cd7fb..7357cfde4 100644 --- a/rules/os/os_firewall_log_enable.yaml +++ b/rules/os/os_firewall_log_enable.yaml 
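Review bot: The second hunk of os_filevault_autologin_disable (`@@ -24,17 +27,18 @@`) removes the `cci:` key and its `- CCI-002143` value while adding the STIG id APPL-12-000033, so the rule now gains a STIG mapping and loses its CCI in the same change. If that `cci:` was a duplicate of one earlier in the references block (old lines 16-23 are not in this hunk) the removal is fine; otherwise the CCI should be kept, as the other rules in this diff that gain an APPL-12 id keep or add a `cci:` entry.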
@@ -7,9 +7,21 @@ discussion: | NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(EnableLogging = 1|LoggingOption = detail)' + /usr/bin/osascript -l JavaScript << EOS + function run() { + let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\ + .objectForKey('EnableLogging').js + let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\ + .objectForKey('LoggingOption').js + if ( pref1 == true && pref2 == "detail" ){ + return("true") + } else { + return("false") + } + } + EOS result: - integer: 2 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -25,7 +37,7 @@ references: - AU-12 srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.3.1 @@ -33,10 +45,13 @@ references: - 3.13.1 - 3.13.2 - 3.13.5 - cisv8: - - 4.5 - - 8.2 - - 8.5 + cis: + benchmark: + - 3.6 (level 1) + controls v8: + - 4.5 + - 8.2 + - 8.5 macOS: - "12.0" tags: @@ -48,6 +63,8 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml index e7de701d5..be1a79f6e 100644 --- a/rules/os/os_firmware_password_require.yaml +++ b/rules/os/os_firmware_password_require.yaml @@ -32,9 +32,9 @@ references: 800-53r4: - AC-6 srg: - - N/A + - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A + - APPL-12-003013 800-171r2: - 3.1.5 macOS: @@ -47,6 +47,7 @@ tags: - 800-171 - cnssi-1253 - i386 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml index 2cad2a915..2374fb123 100644 
--- a/rules/os/os_gatekeeper_enable.yaml +++ b/rules/os/os_gatekeeper_enable.yaml @@ -32,15 +32,18 @@ references: - SI-3 - SI-7(15) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000366-GPOS-00153 + disa_stig: + - APPL-12-002064 800-171r2: - 3.4.5 - cisv8: - - 10.1 - - 10.2 - - 10.5 + cis: + benchmark: + - 2.5.2.1 (level 1) + controls v8: + - 10.1 + - 10.2 + - 10.5 macOS: - "12.0" tags: @@ -51,7 +54,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml index 587219c49..089d54616 100644 --- a/rules/os/os_gatekeeper_rearm.yaml +++ b/rules/os/os_gatekeeper_rearm.yaml @@ -3,9 +3,12 @@ title: "Enforce Gatekeeper 30 Day Automatic Rearm" discussion: | Gatekeeper _MUST_ be configured to automatically rearm after 30 days if disabled. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'GKAutoRearm = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security')\ + .objectForKey('GKAutoRearm').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -20,12 +23,15 @@ references: - SI-3 srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.4.5 - cisv8: - - 10.5 + cis: + benchmark: + - N/A + controls v8: + - 10.5 macOS: - "12.0" tags: diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml new file mode 100644 index 000000000..4084a907e --- /dev/null +++ b/rules/os/os_guest_folder_removed.yaml 
@@ -0,0 +1,40 @@ +id: os_guest_folder_removed +title: "Remove Guest Folder if Present" +discussion: | + The guest folder _MUST_ be deleted if present. +check: | + /bin/ls /Users/ | /usr/bin/grep -c "Guest" +result: + integer: 0 +fix: | + [source,bash] + ---- + /bin/rm -Rf /Users/Guest + ---- +references: + cce: + - CCE-91104-0 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 6.1.5 (level 1) + controls v8: + - N/A +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml index 9edbb67ab..f17cd57a7 100644 --- a/rules/os/os_handoff_disable.yaml +++ b/rules/os/os_handoff_disable.yaml @@ -5,14 +5,19 @@ discussion: | Handoff allows you to continue working on a document or project when the user switches from one Apple device to another. Disabling Handoff prevents data transfers to unauthorized devices. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowActivityContinuation = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowActivityContinuation').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: cce: - CCE-90929-1 + cci: + - CCI-000381 800-53r5: - AC-3 - AC-20 @@ -24,19 +29,20 @@ references: - CM-7 - CM-7(1) disa_stig: - - N/A + - APPL-12-005058 srg: - - N/A - cci: - - N/A + - SRG-OS-000095-GPOS-00049 800-171r2: - 3.1.1 - 3.1.2 - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -49,6 +55,8 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig +severity: "low" mobileconfig: true mobileconfig_info: com.apple.applicationaccess: 
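Review bot: The check in os_guest_folder_removed, `/bin/ls /Users/ | /usr/bin/grep -c "Guest"`, is a substring match, so any home folder whose name merely contains "Guest" (for example a local account named GuestServices) fails the rule even though /Users/Guest does not exist, and the fix would then do nothing to clear the finding. Anchor the pattern, `/bin/ls /Users/ | /usr/bin/grep -c "^Guest$"`, or test the path directly so the check and the `rm -Rf /Users/Guest` fix agree on exactly one folder.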
diff --git a/rules/os/os_hbss_installed.yaml b/rules/os/os_hbss_installed.yaml deleted file mode 100644 index c41f86ff1..000000000 --- a/rules/os/os_hbss_installed.yaml +++ /dev/null @@ -1,37 +0,0 @@ -id: os_hbss_installed -title: "Must Use HBSS" -discussion: | - The approved HBSS solution _MUST_ be installed and configured to run. - - The macOS system must employ automated mechanisms to determine the state of system components. The DoD requires the installation and use of an approved HBSS solution to be implemented on the operating system. For additional information, reference all applicable HBSS OPORDs and FRAGOs on SIPRNET. -check: | - Ask the System Administrator (SA) or Information System Security Officer (ISSO) if the approved HBSS solution is loaded on the system. - If the installed components of the HBSS solution are not at the DoD approved minimal versions, this is a finding. -fix: | - Install the approved HBSS solution onto the system. -references: - cce: - - CCE-90930-9 - cci: - - CCI-001233 - 800-53r5: - - N/A - 800-53r4: - - SI-2(2) - srg: - - N/A - disa_stig: - - N/A - cisv8: - - 10.1 - - 10.2 - - 10.6 - - 10.7 -macOS: - - "12.0" -tags: - - manual - - cisv8 -severity: "medium" -mobileconfig: false -mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml new file mode 100644 index 000000000..c942a9ce1 --- /dev/null +++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml 
@@ -0,0 +1,42 @@ +id: os_hibernate_mode_destroyfvkeyonstandby_enable +title: "Enable DestroyFVKeyOnStandby on Hibernate" +discussion: | + DestroyFVKeyOnStandby on hibernate _MUST_ be enabled. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\ + .objectForKey('DestroyFVKeyOnStandby').js + EOS +result: + string: "true" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91105-7 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 5.9 (level 2) + controls v8: + - N/A +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 +mobileconfig: true +mobileconfig_info: + com.apple.MCX: + DestroyFVKeyOnStandby: true diff --git a/rules/os/os_hibernate_mode_enable.yaml b/rules/os/os_hibernate_mode_enable.yaml new file mode 100644 index 000000000..271976f96 --- /dev/null +++ b/rules/os/os_hibernate_mode_enable.yaml 
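Review bot: os_hibernate_mode_destroyfvkeyonstandby_enable references benchmark item `5.9 (level 2)` yet is tagged both `cis_lvl1` and `cis_lvl2`, which pulls a Level 2 recommendation into the Level 1 baseline; the new os_hibernate_mode_enable rule (next hunk) has the same 5.9 / cis_lvl1 mismatch. Unless the benchmark text actually lists 5.9 as Level 1, drop `- cis_lvl1` from both. The discussion could also say what the setting does for the reader, e.g. `DestroyFVKeyOnStandby causes the FileVault key to be removed from memory when the system enters standby, so it cannot be recovered from a sleeping machine.`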
@@ -0,0 +1,62 @@ +id: os_hibernate_mode_enable +title: "Enable Hibernate Mode" +discussion: | + Hibernate mode _MUST_ be enabled. + + NOTE: Hibernate mode is not fully supported on Apple Silicon devices. This rule is only applicable to Intel devices. +check: | + error_count=0 + hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}') + hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}') + hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}') + hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}') + macType=$(/usr/sbin/system_profiler SPHardwareDataType 2>&1 | /usr/bin/grep -c MacBook) + if [[ "$macType" -ge 0 ]]; then + if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 600 ]]; then + ((error_count++)) + fi + if [[ "$hibernateStandbyHighValue" == "" ]] || [[ "$hibernateStandbyHighValue" -gt 600 ]]; then + ((error_count++)) + fi + if [[ "$hibernateStandbyThreshValue" == "" ]] || [[ "$hibernateStandbyThreshValue" -lt 90 ]]; then + ((error_count++)) + fi + fi + echo "$error_count" +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/bin/pmset -a standbydelayhigh 600 + /usr/bin/pmset -a standbydelaylow 600 + /usr/bin/pmset -a highstandbythreshold 90 + ---- +references: + cce: + - CCE-91106-5 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 5.9 (level 2) + controls v8: + - N/A +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - i386 +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml index 3addf698b..0ecbf8d58 100644 --- a/rules/os/os_home_folders_secure.yaml +++ b/rules/os/os_home_folders_secure.yaml 
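Review bot: In the os_hibernate_mode_enable check, `if [[ "$macType" -ge 0 ]]; then` is always true because `grep -c` never returns a negative number, so the MacBook gate does nothing and desktops are evaluated too; if the intent is to apply the thresholds only to laptops it should be `if [[ "$macType" -gt 0 ]]; then`. `hibernateMode` is assigned from `pmset -b -g` but never used, and the `-gt`/`-lt` comparisons will emit a bash error rather than a count if pmset ever returns a non-numeric value, so either use the variable or remove it. The fix sets the three standby values but nothing sets or checks `hibernatemode` itself, which the title "Enable Hibernate Mode" suggests; worth confirming that is the intended scope.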
@@ -1,9 +1,9 @@ id: os_home_folders_secure title: "Secure User's Home Folders" discussion: | - The system _MUST_ be configured to prevent access to other users’ home folders. + The system _MUST_ be configured to prevent access to other user's home folders. - The default behavior of macOS is to allow all valid users access to the the top level of every other user’s home folder while restricting access only to the Apple default folders within. + The default behavior of macOS is to allow all valid users access to the the top level of every other user's home folder while restricting access only to the Apple default folders within. check: | /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d -perm -1 | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" | /usr/bin/wc -l | /usr/bin/xargs result: @@ -27,11 +27,17 @@ references: 800-53r4: - AC-6 srg: - - N/A + - SRG-OS-000480-GPOS-00228 + - SRG-OS-000480-GPOS-00230 disa_stig: - - N/A + - APPL-12-002068 800-171r2: - 3.1.5 + cis: + benchmark: + - 5.1.1 (level 1) + controls v8: + - N/A macOS: - "12.0" tags: @@ -41,6 +47,9 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml index 87e2c0630..ebbf38088 100644 --- a/rules/os/os_httpd_disable.yaml +++ b/rules/os/os_httpd_disable.yaml @@ -24,15 +24,18 @@ references: 800-53r4: - AC-3 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002008 800-171r2: - 3.1.1 - 3.1.2 - cisv8: - - 3.3 - - 6.7 + cis: + benchmark: + - 4.4 (level 1) + controls v8: + - 3.3 + - 6.7 macOS: - "12.0" tags: @@ -44,7 +47,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file 
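Review bot: The first hunk of os_home_folders_secure replaces the curly apostrophe but turns a correct plural possessive into a singular one: "prevent access to other user's home folders" should read `The system _MUST_ be configured to prevent access to other users' home folders.`. The next changed line is fine as "every other user's", but the duplicated "the the top level" in it was left as is and could be fixed in the same pass.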
diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml index 977dca7c8..449673fc3 100644 --- a/rules/os/os_icloud_storage_prompt_disable.yaml +++ b/rules/os/os_icloud_storage_prompt_disable.yaml @@ -5,9 +5,12 @@ discussion: | The default behavior of macOS is to prompt new users to set up storage in iCloud. Disabling the iCloud storage setup prompt provides organizations more control over the storage of their data. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipiCloudStorageSetup = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ + .objectForKey('SkipiCloudStorageSetup').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -20,14 +23,17 @@ references: 800-53r4: - AC-20 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002037 800-171r2: - 3.1.20 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -40,6 +46,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_install_log_retention_configure.yaml b/rules/os/os_install_log_retention_configure.yaml new file mode 100644 index 000000000..e2be53aa6 --- /dev/null +++ b/rules/os/os_install_log_retention_configure.yaml 
@@ -0,0 +1,46 @@ +id: os_install_log_retention_configure +title: "Configure Install.log Retention to 365 Days or More" +discussion: | + The install.log _MUST_ be configured to require records be kept for 365 days or longer before deletion, unless the system uses a central audit record storage facility. +check: | + /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (ttl != "True") { print "TTL not configured" } else if (max == "True") { print "Max Size is configured, must be removed" } else { print "Yes" }}' +result: + string: "Yes" +fix: | + [source,bash] + ---- + /usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" /etc/asl/com.apple.install + ---- + + NOTE: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed. +references: + cce: + - CCE-91107-3 + cci: + - N/A + 800-53r5: + - AU-11 + - AU-4 + 800-53r4: + - AU-11 + - AU-4 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 3.3 (level 1) + controls v8: + - 8.1 + - 8.3 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml index bcfd551a1..7a8f05fb7 100644 --- a/rules/os/os_ir_support_disable.yaml +++ b/rules/os/os_ir_support_disable.yaml 
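Review bot: The awk program in the os_install_log_retention_configure check loops with `for (i=1;i<=NR;i++)`, iterating over the record number rather than the field count, so on the first records it may never reach the `TTL` and `MAX` fields and on later ones it reads empty fields past the end of the line; the loop should be `for (i=1;i<=NF;i++)`. It currently works only by accident when the relevant record happens to be far enough into the output. The fix's `sed -i ''` rewrites the whole `/etc/asl/com.apple.install` line with a fixed format string, so a short NOTE that any locally customized format will be replaced would help operators.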
@@ -7,9 +7,12 @@ discussion: | NOTE: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DeviceEnabled = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.driver.AppleIRController')\ + .objectForKey('DeviceEnabled').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -27,15 +30,18 @@ references: - AC-18 srg: - N/A - disa_stig: + disa_stig: - AOSX-13-000075 800-171r2: - 3.1.16 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 12.6 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + - 12.6 macOS: - "12.0" tags: diff --git a/rules/os/os_library_validation_enabled.yaml b/rules/os/os_library_validation_enabled.yaml new file mode 100644 index 000000000..a1802e0ea --- /dev/null +++ b/rules/os/os_library_validation_enabled.yaml @@ -0,0 +1,47 @@ +id: os_library_validation_enabled +title: "Enable Library Validation" +discussion: + Library validation _MUST_ be enabled. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.libraryvalidation')\ + .objectForKey('DisableLibraryValidation').js + EOS +result: + string: "false" +fix: | + [source,bash] + ---- + This is implemented by a Configuration Profile. + ---- +references: + cce: + - CCE-91108-1 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 5.1.4 (level 1) + controls v8: + - 2.3 + - 2.6 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.security.libraryvalidation: + DisableLibraryValidation: false \ No newline at end of file diff --git a/rules/os/os_limit_dos_attacks.yaml b/rules/os/os_limit_dos_attacks.yaml index 07609d059..0b6244e89 100644 --- a/rules/os/os_limit_dos_attacks.yaml +++ b/rules/os/os_limit_dos_attacks.yaml 
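Review bot: In the new os_library_validation_enabled file the fix text "This is implemented by a Configuration Profile." is wrapped in a `[source,bash]` / `----` block, so generated guides will render a prose sentence as a shell command; every other profile-backed rule in this diff uses the bare line `fix: |` / `  This is implemented by a Configuration Profile.`. The file also ends without a trailing newline and uses a plain-scalar `discussion:`, both at odds with the neighbouring rules.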
@@ -5,7 +5,7 @@ discussion: | DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. - To limit the impact of DoS attacks, organizations may choose to employ increased capacity and service redundancy, which has the potential to reduce systems’ susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement. + To limit the impact of DoS attacks, organizations may choose to employ increased capacity and service redundancy, which has the potential to reduce systems' susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml index f0df30f59..132edb3bc 100644 --- a/rules/os/os_logical_access.yaml +++ b/rules/os/os_logical_access.yaml @@ -26,9 +26,12 @@ references: 800-171r2: - 3.1.1 - 3.1.2 - cisv8: - - 3.3 - - 6.7 + cis: + benchmark: + - N/A + controls v8: + - 3.3 + - 6.7 macOS: - "12.0" tags: diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml index fe0579ad4..120022dd1 100644 --- a/rules/os/os_mail_app_disable.yaml +++ b/rules/os/os_mail_app_disable.yaml 
@@ -3,16 +3,29 @@ title: "Disable Mail App" discussion: | The macOS built-in Mail.app _MUST_ be disabled. - The Mail.app contains functionality that can establish connections to Apple’s iCloud, even when security controls to disable iCloud access have been put in place. + The Mail.app contains functionality that can establish connections to Apple's iCloud, even when security controls to disable iCloud access have been put in place. [IMPORTANT] ==== Some organizations allow the use of the built-in Mail.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -A 20 familyControlsEnabled | /usr/bin/grep -c "/Applications/Mail.app" + /usr/bin/osascript -l JavaScript << EOS + function run() { + let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ + .objectForKey('familyControlsEnabled')) + let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ + .objectForKey('pathBlackList').js + for ( let app in pathlist ) { + if ( ObjC.unwrap(pathlist[app]) == "/Applications/Mail.app" && pref1 == true ){ + return("true") + } + } + return("false") + } + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -35,9 +48,12 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml index b2cf685ae..b57308700 100644 --- a/rules/os/os_malicious_code_prevention.yaml +++ b/rules/os/os_malicious_code_prevention.yaml 
@@ -12,7 +12,7 @@ discussion: | * an app has been changed (in the file system), and * XProtect signatures are updated. * YARA: another built-in tool (inherent to all Macs), which conducts signature-based detection of malware. Apple updates YARA rules regularly. - * Gatekeeper: a security feature inherent to all Macs; Gatekeeper scans apps to detect malware and/or revocations of a developer’s signing certificate and prevents unsafe apps from running. + * Gatekeeper: a security feature inherent to all Macs; Gatekeeper scans apps to detect malware and/or revocations of a developer's signing certificate and prevents unsafe apps from running. * Notarization: Apple performs regular, automated scans to detect signs of malicious content and to verify developer ID-signed software; when no issues are found, Apple notarizes the software and delivers the results of scans to the system owner. 2. The second layer of defense targets malware that manages to appear on a Mac before it runs; the aim is to quickly identify and block any malware present on a Mac in order to prevent the malware from running and further spreading. 
@@ -23,7 +23,7 @@ discussion: | 3. The third layer of defense targets infected Mac system(s); the aim is to remediate Macs on which malware has managed to successfully execute. The following mechanism is inherent to the macOS design and constitutes the third layer of protection against malicious code: - * Apple’s Malware Removal Tool (MRT): a technology included on all macOS systems. MRT is an agent that remediates based on automatic updates delivered from Apple. MRT will remove the malware upon receiving updated information and check for malware on restart and login. + * Apple's Malware Removal Tool (MRT): a technology included on all macOS systems. MRT is an agent that remediates based on automatic updates delivered from Apple. MRT will remove the malware upon receiving updated information and check for malware on restart and login. link:https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1[] @@ -45,10 +45,13 @@ references: - N/A srg: - N/A - cisv8: - - 10.1 - - 10.2 - - 10.5 + cis: + benchmark: + - N/A + controls v8: + - 10.1 + - 10.2 + - 10.5 macOS: - "12.0" tags: diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml index 7d1920471..aea55bbc2 100644 --- a/rules/os/os_mdm_require.yaml +++ b/rules/os/os_mdm_require.yaml @@ -42,9 +42,12 @@ references: 800-171r2: - 3.4.1 - 3.4.2 - cisv8: - - 4.1 - - 5.1 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 5.1 macOS: - "12.0" tags: diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml index 4432efa8a..53d44765a 100644 --- a/rules/os/os_messages_app_disable.yaml +++ b/rules/os/os_messages_app_disable.yaml 
@@ -3,11 +3,24 @@ title: "Disable Messages App" discussion: | The macOS built-in Messages.app _MUST_ be disabled. - The Messages.app establishes a connection to Apple’s iCloud service, even when security controls to disable iCloud access have been put in place. + The Messages.app establishes a connection to Apple's iCloud service, even when security controls to disable iCloud access have been put in place. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -A 20 familyControlsEnabled | /usr/bin/grep -c "/Applications/Messages.app" + /usr/bin/osascript -l JavaScript << EOS + function run() { + let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ + .objectForKey('familyControlsEnabled')) + let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ + .objectForKey('pathBlackList').js + for ( let app in pathlist ) { + if ( ObjC.unwrap(pathlist[app]) == "/Applications/Messages.app" && pref1 == true ){ + return("true") + } + } + return("false") + } + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -31,9 +44,12 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/os/os_mfa_network_access.yaml b/rules/os/os_mfa_network_access.yaml index 931ee87a9..657bd1757 100644 --- a/rules/os/os_mfa_network_access.yaml +++ b/rules/os/os_mfa_network_access.yaml @@ -20,8 +20,11 @@ references: - N/A srg: - N/A - cisv8: - - 5.6 + cis: + benchmark: + - N/A + controls v8: + - 5.6 macOS: - "12.0" tags: diff --git a/rules/os/os_mobile_file_integrity_enable.yaml b/rules/os/os_mobile_file_integrity_enable.yaml new file mode 100644 index 000000000..cbb8ab718 --- /dev/null +++ b/rules/os/os_mobile_file_integrity_enable.yaml 
@@ -0,0 +1,42 @@ +id: os_mobile_file_integrity_enable +title: "Enable Apple Mobile File Integrity" +discussion: + Mobile file integrity _MUST_ be ebabled. +check: | + /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1" +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/sbin/nvram boot-args="" + ---- +references: + cce: + - CCE-91109-9 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 5.1.3 (level 1) + controls v8: + - 2.3 + - 2.6 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml index c9886100b..f878723a6 100644 --- a/rules/os/os_newsyslog_files_owner_group_configure.yaml +++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml @@ -23,9 +23,9 @@ references: 800-53r4: - SI-11 srg: - - N/A + - SRG-OS-000206-GPOS-00084 disa_stig: - - N/A + - APPL-12-004001 800-171r2: - N/A macOS: @@ -33,6 +33,7 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml index ccb066b16..9993eb920 100644 --- a/rules/os/os_newsyslog_files_permissions_configure.yaml +++ b/rules/os/os_newsyslog_files_permissions_configure.yaml @@ -22,9 +22,9 @@ references: 800-53r4: - SI-11 srg: - - N/A + - SRG-OS-000206-GPOS-00084 disa_stig: - - N/A + - APPL-12-004002 800-171r2: - N/A macOS: @@ -32,6 +32,7 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml index 61f07e7ba..79c84ff2b 100644 
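Review bot: The discussion in os_mobile_file_integrity_enable has a typo, "ebabled"; it should read `Mobile file integrity _MUST_ be enabled.`. The fix `/usr/sbin/nvram boot-args=""` clears every boot argument, not just `amfi_get_out_of_my_way=1`, which can silently undo other deliberately configured boot-args, so the fix should at least carry a NOTE saying that all boot-args are reset and any required ones must be re-added. The check only matches the literal `amfi_get_out_of_my_way=1`; it may miss alternate spellings of the same flag, which is worth confirming against nvram's output format.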
--- a/rules/os/os_nfsd_disable.yaml +++ b/rules/os/os_nfsd_disable.yaml @@ -23,15 +23,18 @@ references: 800-53r4: - AC-3 srg: - - N/A + - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-12-002003 800-171r2: - 3.1.1 - 3.1.2 - cisv8: - - 3.3 - - 6.7 + cis: + benchmark: + - 4.5 (level 1) + controls v8: + - 3.3 + - 6.7 macOS: - "12.0" tags: @@ -43,7 +46,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml index 4fb9a5466..19051d13a 100644 --- a/rules/os/os_obscure_password.yaml +++ b/rules/os/os_obscure_password.yaml @@ -29,8 +29,11 @@ references: - 3.5.1 - 3.5.2 - 3.5.11 - cisv8: - - 4.1 + cis: + benchmark: + - N/A + controls v8: + - 4.1 macOS: - "12.0" tags: diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml index 666616890..889993cf7 100644 --- a/rules/os/os_parental_controls_enable.yaml +++ b/rules/os/os_parental_controls_enable.yaml @@ -7,9 +7,12 @@ discussion: | Parental Controls on the macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'familyControlsEnabled = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ + .objectForKey('familyControlsEnabled').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -24,12 +27,15 @@ references: - CM-7(2) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.4.7 - cisv8: - - 4.8 + cis: + benchmark: + - N/A + controls v8: + - 4.8 macOS: - "12.0" tags: 
diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml index 2cb8a08e2..919ca9b8b 100644 --- a/rules/os/os_password_autofill_disable.yaml +++ b/rules/os/os_password_autofill_disable.yaml @@ -5,9 +5,12 @@ discussion: | macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowPasswordAutoFill = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowPasswordAutoFill').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -35,9 +38,12 @@ references: - 3.4.6 - 3.5.1 - 3.5.2 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/os/os_password_hint_remove.yaml b/rules/os/os_password_hint_remove.yaml new file mode 100644 index 000000000..cb7a12272 --- /dev/null +++ b/rules/os/os_password_hint_remove.yaml 
@@ -0,0 +1,39 @@ +id: os_password_hint_remove +title: "Remove Password Hint From User Accounts" +discussion: | + User accounts _MUST_ not contain password hints. +check: | + /usr/bin/dscl . -list /Users hint | /usr/bin/awk '{print $2}' | /usr/bin/wc -l | /usr/bin/xargs +result: + integer: 0 +fix: | + [source,bash] + ---- + for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + /usr/bin/dscl . -delete /Users/$u hint + done + ---- +references: + cce: + - CCE-91110-7 + cci: + - N/A + 800-53r5: + - IA-6 + 800-53r4: + - IA-6 + 800-171r2: + - 3.5.11 + cis: + benchmark: + - 5.14 (level 1) + controls v8: + - 5.2 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml index ca225634a..52b1d5e58 100644 --- a/rules/os/os_password_proximity_disable.yaml +++ b/rules/os/os_password_proximity_disable.yaml @@ -5,35 +5,36 @@ discussion: | The default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature _MUST_ be disabled to prevent passwords from being shared. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowPasswordProximityRequests = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowPasswordProximityRequests').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: cce: - CCE-90968-9 cci: - - N/A + - CCI-000381 800-53r5: - IA-5 800-53r4: - IA-5 srg: - SRG-OS-000095-GPOS-00049 - - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A - srg: - - N/A - cci: - - N/A + - APPL-12-005060 800-171r2: - 3.5.1 - 3.5.2 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: 
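Review bot: The check in os_password_hint_remove counts every user record that carries a hint, but the fix only clears hints for accounts with UniqueID greater than 500, so an account at or below 500 with a hint is still reported non-compliant after the fix runs. Either apply the same UID filter in the check or iterate over the accounts that actually have a hint, e.g. `for u in $(/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{print $1}'); do`. The `/usr/bin/awk '{print $2}'` stage in the check has no effect on the `wc -l` count and can be dropped.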
@@ -46,6 +47,8 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig +severity: "medium" mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml index e96fe0e93..6111a690e 100644 --- a/rules/os/os_password_sharing_disable.yaml +++ b/rules/os/os_password_sharing_disable.yaml @@ -5,9 +5,12 @@ discussion: | The default behavior of macOS is to allow users to share a password over Airdrop between other macOS and iOS devices. This feature _MUST_ be disabled to prevent passwords from being shared. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowPasswordSharing = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowPasswordSharing').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -17,20 +20,19 @@ references: - IA-5 800-53r4: - IA-5 - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - N/A srg: - N/A - cci: + disa_stig: - N/A 800-171r2: - 3.5.1 - 3.5.2 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/os/os_pii_deidentification.yaml b/rules/os/os_pii_deidentification.yaml index 7ccd96fc7..f11bffe69 100644 --- a/rules/os/os_pii_deidentification.yaml +++ b/rules/os/os_pii_deidentification.yaml 
@@ -3,7 +3,7 @@ title: "Remove Elements of Personally Identifiable Information from Datasets" discussion: | Remove the following elements of personally identifiable information from datasets: organization-defined elements of personally identifiable information and evaluate organization-defined frequency for effectiveness of de-identification. - De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time support the management of this residual risk. + De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. 
Many datasets contain information about individuals that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time support the management of this residual risk. check: | This requirement is NA for this technology. fix: | diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml index f09a80677..46d0f3c0d 100644 --- a/rules/os/os_policy_banner_loginwindow_enforce.yaml +++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml @@ -40,11 +40,18 @@ references: 800-53r4: - AC-8 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000023-GPOS-00006 + - SRG-OS-000024-GPOS-00007 + - SRG-OS-000228-GPOS-00088 + disa_stig: + - APPL-12-000025 800-171r2: - 3.1.9 + cis: + benchmark: + - 5.13 (level 2) + controls v8: + - N/A macOS: - "12.0" tags: 
@@ -56,6 +63,8 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl2 + - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml index 1a6d58ab3..e6e984b5b 100644 --- a/rules/os/os_policy_banner_ssh_configure.yaml +++ b/rules/os/os_policy_banner_ssh_configure.yaml @@ -27,15 +27,23 @@ references: 800-53r4: - AC-8 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000023-GPOS-00006 + disa_stig: + - APPL-12-000023 800-171r2: - 3.1.9 macOS: - "12.0" tags: - - none + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml index 5719e5404..d60e6c684 100644 --- a/rules/os/os_policy_banner_ssh_enforce.yaml +++ b/rules/os/os_policy_banner_ssh_enforce.yaml @@ -28,15 +28,24 @@ references: 800-53r4: - AC-8 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000023-GPOS-00006 + - SRG-OS-000024-GPOS-00007 + disa_stig: + - APPL-12-000024 800-171r2: - 3.1.9 macOS: - "12.0" tags: - - none + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml index d5d669c4c..8fedda776 100644 --- a/rules/os/os_privacy_setup_prompt_disable.yaml +++ b/rules/os/os_privacy_setup_prompt_disable.yaml 
@@ -5,9 +5,12 @@ discussion: | Organizations _MUST_ apply organization-wide configuration settings. The macOS Privacy Setup services prompt guides new users through enabling their own specific privacy settings; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing privacy settings with the potential to override organization-wide settings. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipPrivacySetup = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ + .objectForKey('SkipPrivacySetup').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -22,17 +25,20 @@ references: - CM-7 - CM-7(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A - cisv8: - - 4.1 - - 4.8 + - APPL-12-002036 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: - - none - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml index 396ee8e50..ac91ee8aa 100644 --- a/rules/os/os_removable_media_disable.yaml +++ b/rules/os/os_removable_media_disable.yaml 
@@ -9,37 +9,42 @@ discussion: | ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== + + [IMPORTANT] + ==== + Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep 'harddisk-external' -A3 | /usr/bin/grep -Ec "eject|alert" + /usr/bin/osascript -l JavaScript << EOS + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ + .objectForKey('mount-controls'))["harddisk-external"] + EOS result: - integer: 2 + string: "deny,eject" fix: | This is implemented by a Configuration Profile. references: cce: - CCE-90991-1 cci: - - N/A + - CCI-000366 + - CCI-001967 800-53r5: - MP-7 800-53r4: - MP-7(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000480-GPOS-00227 + - SRG-OS-000319-GPOS-00164 + disa_stig: + - APPL-12-005051 800-171r2: - 3.8.8 macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 - - cnssi-1253 + - stig +severity: "medium" mobileconfig: true mobileconfig_info: com.apple.systemuiserver: diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml index 260f247ff..a9ad05531 100644 --- a/rules/os/os_root_disable.yaml +++ b/rules/os/os_root_disable.yaml @@ -27,8 +27,11 @@ references: 800-171r2: - 3.5.1 - 3.5.2 - cisv8: - - 4.7 + cis: + benchmark: + - 5.6 (level 1) + controls v8: + - 4.7 macOS: - "12.0" tags: @@ -40,6 +43,8 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file 
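Review bot: The new result `string: "deny,eject"` for os_removable_media_disable compares the JavaScript array's comma-joined string form, so it is sensitive to element order and to additional values: a profile that sets harddisk-external to `eject,deny` or `deny,eject,alert` still blocks mounting but would be reported non-compliant, where the old grep counted `eject|alert` regardless of position. If the intent is to require exactly the project's payload, the discussion should say so; otherwise sort the unwrapped array before comparison. Dropping all 800-53 tags while keeping the MP-7 references removes the rule from those baselines; if that is a consequence of the deprecation, the added IMPORTANT block is the place to state it. In that block `fullfill` should read `fulfill`, and `using these controls may not work as expected` needs a semicolon or `and` before it.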
diff --git a/rules/os/os_safari_open_safe_downloads_disable.yaml b/rules/os/os_safari_open_safe_downloads_disable.yaml new file mode 100644 index 000000000..fe9b4062e --- /dev/null +++ b/rules/os/os_safari_open_safe_downloads_disable.yaml @@ -0,0 +1,38 @@ +id: os_safari_open_safe_downloads_disable +title: "Disable Automatic Opening of Safe Files in Safari" +discussion: | + Open "safe" files after downloading _MUST_ be disabled in Safari. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutoOpenSafeDownloads = 0' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91111-5 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A + cis: + benchmark: + - 6.3 (level 1) + controls v8: + - 9 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.Safari: + AutoOpenSafeDownloads: false diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml index f704e3217..5c4f86512 100644 --- a/rules/os/os_screensaver_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_loginwindow_enforce.yaml @@ -3,9 +3,12 @@ title: "Enforce Screen Saver at Login Window" discussion: | A default screen saver _MUST_ be configured to display at the login window and _MUST_ not display any sensitive information. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c loginWindowModulePath + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\ + .objectForKey('loginWindowModulePath').js + EOS result: - integer: 1 + string: "/System/Library/Screen Savers/Flurry.saver" fix: | This is implemented by a Configuration Profile. references: 
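Review bot: The check in the new os_safari_open_safe_downloads_disable still uses the `/usr/bin/profiles -P -o stdout | /usr/bin/grep -c` pattern that this commit replaces with an NSUserDefaults read everywhere else (including os_screensaver_loginwindow_enforce in the same section), so the rule set now mixes two check styles for the same class of managed setting. For consistency consider `$.NSUserDefaults.alloc.initWithSuiteName('com.apple.Safari').objectForKey('AutoOpenSafeDownloads').js` with `string: "false"`, matching the domain and value in mobileconfig_info. The trailing awk that clamps the grep count to 1 would then be unnecessary.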
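Review bot: The new result for os_screensaver_loginwindow_enforce pins loginWindowModulePath to `/System/Library/Screen Savers/Flurry.saver`, while the discussion only requires that a default screen saver be configured and display no sensitive information; an organisation that manages a different non-sensitive saver now fails a check it previously passed, since the old check only required the key to be present. Either state in the discussion that Flurry is the expected value, or have the check test for a non-empty managed path rather than one specific saver.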
@@ -18,9 +21,9 @@ references: 800-53r4: - AC-11(1) srg: - - N/A + - SRG-OS-000031-GPOS-00012 disa_stig: - - N/A + - APPL-12-000006 800-171r2: - 3.1.10 macOS: @@ -32,6 +35,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml index 1dcef83e2..931c6d2c1 100644 --- a/rules/os/os_secure_name_resolution.yaml +++ b/rules/os/os_secure_name_resolution.yaml @@ -24,8 +24,11 @@ references: - N/A srg: - N/A - cisv8: - - 4.9 + cis: + benchmark: + - N/A + controls v8: + - 4.9 macOS: - "12.0" tags: diff --git a/rules/os/os_show_filename_extensions_enable.yaml b/rules/os/os_show_filename_extensions_enable.yaml new file mode 100644 index 000000000..d9496a5fe --- /dev/null +++ b/rules/os/os_show_filename_extensions_enable.yaml 
@@ -0,0 +1,50 @@ +id: os_show_filename_extensions_enable +title: "Enable Show All Filename Extensions" +discussion: | + Show all filename extensions _MUST_ be enabled in the Finder. + + [NOTE] + ==== + The check and fix are for the currently logged in user. To get the currently logged in user, run the following. + [source,bash] + ---- + CURRENT_USER=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' ) + ---- + ==== +check: | + /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults read .GlobalPreferences AppleShowAllExtensions 2>/dev/null +result: + boolean: 1 +fix: | + [source,bash] + ---- + /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults write /Users/"$CURRENT_USER"/Library/Preferences/.GlobalPreferences AppleShowAllExtensions -bool true + ---- +references: + cce: + - CCE-91112-3 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 6.2 (level 1) + controls v8: + - 2.3 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index 10461fb00..cbeeb3912 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml @@ -55,9 +55,23 @@ references: - CM-5 - SC-4 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000051-GPOS-00024 + - SRG-OS-000054-GPOS-00025 + - SRG-OS-000062-GPOS-00031 + - SRG-OS-000122-GPOS-00063 + - SRG-OS-000256-GPOS-00097 + - SRG-OS-000257-GPOS-00098 + - SRG-OS-000258-GPOS-00099 + - SRG-OS-000259-GPOS-00100 + - SRG-OS-000348-GPOS-00136 + - SRG-OS-000349-GPOS-00137 + - SRG-OS-000350-GPOS-00138 + - SRG-OS-000351-GPOS-00139 + - SRG-OS-000352-GPOS-00140 + - SRG-OS-000353-GPOS-00141 + - SRG-OS-000354-GPOS-00142 + disa_stig: + - APPL-12-005001 800-171r2: - 3.1.1 - 3.1.2 
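Review bot: In os_show_filename_extensions_enable the check reads the relative domain `.GlobalPreferences` under `sudo -u "$CURRENT_USER"`, whose target depends on which HOME that sudo invocation passes to `defaults`, while the fix writes the explicit path `/Users/"$CURRENT_USER"/Library/Preferences/.GlobalPreferences`; if HOME is not reset to the target user's (a sudoers env_keep detail I cannot confirm from here) the two commands act on different plists, and for a user whose home is outside /Users the fix path is wrong. Using the same form in both, e.g. `defaults read -g AppleShowAllExtensions` and `defaults write -g AppleShowAllExtensions -bool true` under the same `sudo -u`, removes the divergence. The `2>/dev/null` also hides the missing-key case; that still fails the `boolean: 1` comparison, but a short comment in the discussion saying so would help.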
@@ -65,10 +79,13 @@ references: - 3.3.8 - 3.4.5 - 3.13.4 - cisv8: - - 2.6 - - 3.3 - - 10.5 + cis: + benchmark: + - 5.18 (level 1) + controls v8: + - 2.6 + - 3.3 + - 10.5 macOS: - "12.0" tags: @@ -81,6 +98,9 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - cis_lvl1 + - cis_lvl2 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml index 5c6aaa366..22b19f09b 100644 --- a/rules/os/os_siri_prompt_disable.yaml +++ b/rules/os/os_siri_prompt_disable.yaml @@ -5,9 +5,12 @@ discussion: | Organizations _MUST_ apply organization-wide configuration settings. The macOS Siri Assistant Setup prompt guides new users through enabling their own specific Siri settings; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing Siri settings with the potential to override organization-wide settings. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipSiriSetup = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ + .objectForKey('SkipSiriSetup').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -25,15 +28,19 @@ references: - CM-7(1) - AC-20 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 + disa_stig: + - APPL-12-002039 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -46,6 +53,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_skip_screen_time_prompt_enable.yaml b/rules/os/os_skip_screen_time_prompt_enable.yaml new file mode 100644 index 000000000..541481a11 --- /dev/null +++ b/rules/os/os_skip_screen_time_prompt_enable.yaml 
@@ -0,0 +1,37 @@ +id: os_skip_screen_time_prompt_enable +title: "Disable Screen Time Prompt During Setup Assistant" +discussion: + The prompt for Screen Time setup during Setup Assistant _MUST_ be disabled. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ + .objectForKey('SkipScreenTime').js + EOS +result: + string: "true" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91113-1 + cci: + - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(1) + 800-53r4: + - CM-7 + - CM-7(1) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-005055 +macOS: + - "12.0" +tags: + - stig +severity: "low" +mobileconfig: true +mobileconfig_info: + com.apple.SetupAssistant.managed: + SkipScreenTime: true diff --git a/rules/os/os_skip_unlock_with_watch_enable.yaml b/rules/os/os_skip_unlock_with_watch_enable.yaml index d94b7e591..d9be6cbe8 100644 --- a/rules/os/os_skip_unlock_with_watch_enable.yaml +++ b/rules/os/os_skip_unlock_with_watch_enable.yaml @@ -5,9 +5,12 @@ discussion: | Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipUnlockWithWatch = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ + .objectForKey('SkipUnlockWithWatch').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -20,13 +23,16 @@ references: 800-53r4: - AC-20 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-005056 800-171r2: - 3.1.20 - cisv8: - - 4.1 + cis: + benchmark: + - N/A + controls v8: + - 4.1 macOS: - "12.0" tags: 
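Review bot: In the new os_skip_screen_time_prompt_enable, `discussion:` is a plain scalar rather than the `discussion: |` block scalar every other rule in this diff uses; it parses today, but a later second paragraph or AsciiDoc NOTE block (as in os_show_filename_extensions_enable) would fold or break, so `discussion: |` is the consistent form. The rule also omits the `800-171r2:` key and `cis:` block that neighbouring rules carry; if this is deliberate for a STIG-only rule, a `- N/A` entry keeps the schema uniform for the generators.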
@@ -39,6 +45,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_ssh_fips_compliant.yaml b/rules/os/os_ssh_fips_compliant.yaml index 4d0be812e..8205d769f 100644 --- a/rules/os/os_ssh_fips_compliant.yaml +++ b/rules/os/os_ssh_fips_compliant.yaml @@ -54,7 +54,7 @@ references: - SC-13 srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.1.13 diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml index de6774573..e196534f5 100644 --- a/rules/os/os_ssh_server_alive_count_max_configure.yaml +++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml @@ -24,7 +24,7 @@ references: - SC-10 srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.13.9 diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml index 9053e5f07..0b776351f 100644 --- a/rules/os/os_ssh_server_alive_interval_configure.yaml +++ b/rules/os/os_ssh_server_alive_interval_configure.yaml @@ -27,7 +27,7 @@ references: - SC-10 srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.13.9 diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml index 9b4ec791f..31bcd3522 100644 --- a/rules/os/os_sshd_client_alive_count_max_configure.yaml +++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml @@ -23,15 +23,21 @@ references: 800-53r4: - SC-10 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000163-GPOS-00072 + disa_stig: + - APPL-12-000052 800-171r2: - 3.13.9 macOS: - "12.0" tags: - - none + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml index 18fce9cbc..df0575a16 100644 --- a/rules/os/os_sshd_client_alive_interval_configure.yaml +++ b/rules/os/os_sshd_client_alive_interval_configure.yaml @@ -26,15 +26,21 @@ references: 800-53r4: - SC-10 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000163-GPOS-00072 + disa_stig: + - APPL-12-000051 800-171r2: - 3.13.9 macOS: - "12.0" tags: - - none + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml new file mode 100644 index 000000000..c7268d117 --- /dev/null +++ b/rules/os/os_sshd_fips_140_ciphers.yaml 
@@ -0,0 +1,58 @@ +id: os_sshd_fips_140_ciphers +title: "Limit SSHD to FIPS 140 Validated Ciphers" +discussion: | + If SSHD is enabled then it _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 validated. + + FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements. + + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. + + NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. +check: | + /usr/bin/grep -c "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/sshd_config +result: + integer: 1 +fix: | + [source,bash] + ---- + /usr/bin/grep -q '^Ciphers' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config || /bin/echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd + ---- +references: + cce: + - CCE-91114-9 + cci: + - CCI-000803 + - CCI-000068 + - CCI-003123 + - CCI-002890 + 800-53r5: + - AC-17(2) + - IA-7 + - SC-13 + - SC-8(1) + 800-53r4: + - AC-17(2) + - IA-7 + - SC-8(1) + - SC-13 + - MA-4(6) + srg: + - SRG-OS-000033-GPOS-00014 + - SRG-OS-000120-GPOS-00061 + - SRG-OS-000125-GPOS-00065 + - SRG-OS-000250-GPOS-00093 + - SRG-OS-000393-GPOS-00173 + - SRG-OS-000394-GPOS-00174 + disa_stig: + - APPL-12-000054 + 800-171r2: + - 3.1.13 + - 3.13.8 + - 3.13.11 +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml new file mode 100644 index 000000000..fd7cfafc7 --- /dev/null +++ b/rules/os/os_sshd_fips_140_macs.yaml 
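Review bot: The fix for os_sshd_fips_140_ciphers cannot rewrite an existing Ciphers line: in a sed BRE a circumflex that is not the first character of the expression matches a literal `^`, so `s/.^Ciphers.*/.../` only matches text containing the characters `^Ciphers`, while the `||` branch is skipped because `grep -q '^Ciphers'` succeeded, so the fix silently does nothing and the check keeps failing. This looks like a typo for the anchored form `/usr/bin/sed -i.bak 's/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config`. Anchoring also avoids rewriting commented-out lines, which the unanchored `s/.*MACs.*/.../` in the sibling os_sshd_fips_140_macs rule would do for any line mentioning MACs.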
@@ -0,0 +1,58 @@ +id: os_sshd_fips_140_macs +title: "Limit SSHD to FIPS 140 Validated Message Authentication Code Algorithms" +discussion: | + If SSHD is enabled then it _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 validated. + + FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements. + + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. + + NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. +check: | + /usr/bin/grep -c "^MACs hmac-sha2-256,hmac-sha2-512" /etc/ssh/sshd_config +result: + integer: 1 +fix: | + [source,bash] + ---- + /usr/bin/grep -q '^MACs' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.*MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/sshd_config || /bin/echo 'MACs hmac-sha2-256,hmac-sha2-512' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd + ---- +references: + cce: + - CCE-91115-6 + cci: + - CCI-000068 + - CCI-000803 + - CCI-003123 + - CCI-002890 + 800-53r5: + - AC-17(2) + - IA-7 + - SC-13 + - SC-8(1) + 800-53r4: + - AC-17(2) + - IA-7 + - SC-8(1) + - SC-13 + - MA-4(6) + srg: + - SRG-OS-000033-GPOS-00014 + - SRG-OS-000120-GPOS-00061 + - SRG-OS-000125-GPOS-00065 + - SRG-OS-000250-GPOS-00093 + - SRG-OS-000393-GPOS-00173 + - SRG-OS-000394-GPOS-00174 + disa_stig: + - APPL-12-000055 + 800-171r2: + - 3.1.13 + - 3.13.8 + - 3.13.11 +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_fips_compliant.yaml b/rules/os/os_sshd_fips_compliant.yaml index 4e48baaa6..0820e07da 100644 --- a/rules/os/os_sshd_fips_compliant.yaml +++ b/rules/os/os_sshd_fips_compliant.yaml 
@@ -50,10 +50,10 @@ references: - IA-7 - SC-8(1) - SC-13 - - MF-4(6) + - MA-4(6) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.1.13 diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml index d98bbc924..cec03295d 100644 --- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml +++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml @@ -7,7 +7,7 @@ discussion: | The implementation of OpenSSH that is included with macOS does not utilize a FIPS 140-2 validated cryptographic module. While the listed Key Exchange Algorithms are FIPS 140-2 approved, the module implementing them has not been validated. - By specifying a Key Exchange Algorithm list with the order of hashes being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest Key Exchange Algorithm for securing SSH connections. + By specifying a Key Exchange Algorithm list with the order of hashes being in a "strongest to weakest" orientation, the system will automatically attempt to use the strongest Key Exchange Algorithm for securing SSH connections. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | @@ -37,15 +37,27 @@ references: - AC-17(2) - MA-4(6) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000033-GPOS-00014 + - SRG-OS-000120-GPOS-00061 + - SRG-OS-000125-GPOS-00065 + - SRG-OS-000250-GPOS-00093 + - SRG-OS-000393-GPOS-00173 + - SRG-OS-000394-GPOS-00174 + disa_stig: + - APPL-12-000056 800-171r2: - N/A macOS: - "12.0" tags: - - none + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml index a2b8168e4..1dd0b85ed 100644 --- a/rules/os/os_sshd_login_grace_time_configure.yaml +++ b/rules/os/os_sshd_login_grace_time_configure.yaml @@ -23,15 +23,15 @@ references: 800-53r4: - SC-10 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000163-GPOS-00072 + disa_stig: + - APPL-12-000053 800-171r2: - 3.13.9 macOS: - "12.0" tags: - - none + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml index 4d44b6857..9e7d803eb 100644 --- a/rules/os/os_sshd_permit_root_login_configure.yaml +++ b/rules/os/os_sshd_permit_root_login_configure.yaml @@ -25,13 +25,15 @@ references: 800-53r4: - IA-2(5) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000109-GPOS-00056 + disa_stig: + - APPL-12-001100 macOS: - "12.0" tags: - - none + - 800-53r5_high + - 800-53r4_high + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml index 54ad1cd76..049a7e733 100644 --- a/rules/os/os_store_encrypted_passwords.yaml +++ b/rules/os/os_store_encrypted_passwords.yaml @@ -30,8 +30,11 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cisv8: - - 3.11 + cis: + benchmark: + - N/A + controls v8: + - 3.11 macOS: - "12.0" tags: diff --git a/rules/os/os_sudo_timeout_configure.yaml b/rules/os/os_sudo_timeout_configure.yaml new file mode 100644 index 000000000..8ec1e888c --- /dev/null +++ b/rules/os/os_sudo_timeout_configure.yaml 
@@ -0,0 +1,44 @@ +id: os_sudo_timeout_configure +title: "Configure Sudo Timeout Period to Zero" +discussion: | + The file /etc/sudoers _MUST_ include a timestamp_timout of zero. +check: | + /usr/bin/find /etc/sudoers* -type f -exec /usr/bin/grep -E "^Defaults\s+timestamp_timeout=0" '{}' \; | /usr/bin/wc -l | /usr/bin/xargs +result: + integer: 1 +fix: | + [source,bash] + ---- + /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_timeout/d' '{}' \; + /bin/echo "Defaults timestamp_timeout=0" >> /etc/sudoers.d/mscp + ---- +references: + cce: + - CCE-91116-4 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + cis: + benchmark: + - 5.3 (level 1) + controls v8: + - 4.3 +macOS: + - "12.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sudoers_timestamp_type_configure.yaml b/rules/os/os_sudoers_timestamp_type_configure.yaml new file mode 100644 index 000000000..790abd82c --- /dev/null +++ b/rules/os/os_sudoers_timestamp_type_configure.yaml 
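Review bot: The fix for os_sudo_timeout_configure edits every `/etc/sudoers*` file in place with `sed -i ''` and then appends to `/etc/sudoers.d/mscp` without a syntax check or an explicit mode, so a malformed result can leave sudo refusing to run, and a drop-in created with the umask default mode may be rejected or ignored by sudo's ownership/mode checks; adding `/bin/chmod 0440 /etc/sudoers.d/mscp` and `/usr/sbin/visudo -c` at the end of the fix would catch both. The same unvalidated in-place sed appears in os_sudoers_timestamp_type_configure and os_sudoers_tty_configure later in this diff. The check regex `^Defaults\s+timestamp_timeout=0` misses the equally valid `Defaults timestamp_timeout = 0` spacing; `timestamp_timeout\s*=\s*0` would accept both. In the discussion, `timestamp_timout` should read `timestamp_timeout`.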
@@ -0,0 +1,46 @@
+id: os_sudoers_timestamp_type_configure
+title: "Configure Sudoers Timestamp Type"
+discussion: |
+ The file /etc/sudoers _MUST_ be configured to not include a timestamp_type of global or ppid.
+
+ This rule ensures that the "sudo" command will prompt for the administrator's password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement.
+check: |
+ /usr/bin/find /etc/sudoers* -type f -exec /usr/bin/grep -E '(^Defaults\s+timestamp_type=global|^Defaults\s+timestamp_type=ppid)' '{}' \; | /usr/bin/wc -l | /usr/bin/xargs
+result:
+ integer: 0
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_type/d' '{}' \;
+ ----
+references:
+ cce:
+ - CCE-91015-8
+ cci:
+ - CCI-000366
+ 800-53r5:
+ - CM-5(1)
+ - IA-11
+ 800-53r4:
+ - IA-11
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ cis:
+ benchmark:
+ - 5.4 (level 1)
+ controls v8:
+ - 4.3
+macOS:
+ - "12.0"
+tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - cnssi-1253
+ - cis_lvl1
+ - cis_lvl2
+ - cisv8
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sudoers_tty_configure.yaml b/rules/os/os_sudoers_tty_configure.yaml
index 7687d4496..f68ce9048 100644
--- a/rules/os/os_sudoers_tty_configure.yaml
+++ b/rules/os/os_sudoers_tty_configure.yaml
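Review bot: The check regex `^Defaults\s+timestamp_type=global` only matches when the option immediately follows `Defaults` with no whitespace around `=`, so `Defaults timestamp_type = global` or `Defaults env_reset,timestamp_type=global` — both accepted by sudoers — is missed and the rule passes while per-tty ticketing is still disabled. Loosening it to `'^Defaults.*timestamp_type\s*=\s*(global|ppid)'` covers those forms (the fix's `'/timestamp_type/d'` already matches that broadly). The fix deletes whole lines, so a `Defaults` line carrying other options alongside `timestamp_type` loses them; document that or edit only the option. An explicit `timestamp_type=tty` is also removed, which is harmless only because sudo's default is tty — a sentence in the discussion would make that reliance explicit.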
@@ -3,15 +3,15 @@ title: "Configure Sudoers to Authenticate Users on a Per -tty Basis" discussion: | The file /etc/sudoers _MUST_ be configured to include tty_tickets. - This rule ensures that the "sudo" command will prompt for the administrator’s password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement. Without the "tty_tickets" option, all open local and remote logon sessions would be authenticated to use sudo without a password for the duration of the configured password timeout window. + This rule ensures that the "sudo" command will prompt for the administrator's password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement. Without the "tty_tickets" option, all open local and remote logon sessions would be authenticated to use sudo without a password for the duration of the configured password timeout window. check: | - /usr/bin/grep -Ec "^Defaults tty_tickets" /etc/sudoers + /usr/bin/find /etc/sudoers* -type f -exec /usr/bin/grep -E "^Defaults\s+\!tty_tickets" '{}' \; | /usr/bin/wc -l | /usr/bin/xargs result: - integer: 1 + integer: 0 fix: | [source,bash] ---- - /bin/cp /etc/sudoers /etc/sudoers.bk; /bin/echo "Defaults tty_tickets" >> /etc/sudoers + /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/!tty_tickets/d' '{}' \; ---- references: cce: @@ -24,9 +24,14 @@ references: 800-53r4: - IA-11 srg: - - N/A + - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A + - APPL-12-004021 + cis: + benchmark: + - 5.4 (level 1) + controls v8: + - 4.3 macOS: - "12.0" tags: 
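Review bot: The new check only asserts that no `Defaults !tty_tickets` line exists and the fix only deletes such lines, yet the title and the first discussion sentence still say the file `_MUST_ be configured to include tty_tickets`; either keep an explicit `Defaults tty_tickets` in the fix or reword the discussion to say the option must not be negated, since the check now relies on sudo's default of tty tickets being on. The regex `^Defaults\s+\!tty_tickets` also misses `Defaults env_reset,!tty_tickets`, so `'^Defaults.*!tty_tickets'` would be more robust. A `Defaults timestamp_type=global` line overrides tty tickets entirely; that is handled by the sibling rule os_sudoers_timestamp_type_configure, and pointing to it from this discussion would help readers understand why both rules exist.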
@@ -34,6 +39,10 @@ tags: - 800-53r5_moderate - 800-53r5_high - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 + - stig severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_system_wide_applications_configure.yaml b/rules/os/os_system_wide_applications_configure.yaml new file mode 100644 index 000000000..568954ef0 --- /dev/null +++ b/rules/os/os_system_wide_applications_configure.yaml @@ -0,0 +1,44 @@ +id: os_system_wide_applications_configure +title: "Ensure Appropriate Permissions Are Enabled for System Wide Applications" +discussion: | + Applications in the System Applications Directory (/Applications) _MUST_ not be world-writable. +check: | + /usr/bin/find /Applications -iname "*\.app" -type d -perm -2 -ls | /usr/bin/wc -l | /usr/bin/xargs +result: + integer: 0 +fix: | + [source,bash] + ---- + IFS=$'\n' + for apps in $( /usr/bin/find /Applications -iname "*\.app" -type d -perm -2 ); do + /bin/chmod -R o-w "$apps" + done + ---- +references: + cce: + - CCE-91117-2 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 5.1.6 (level 1) + controls v8: + - 3.3 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_terminal_secure_keyboard_enable.yaml b/rules/os/os_terminal_secure_keyboard_enable.yaml new file mode 100644 index 000000000..f4a830b0f --- /dev/null +++ b/rules/os/os_terminal_secure_keyboard_enable.yaml 
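Review bot: In os_system_wide_applications_configure the check inspects only the `.app` bundle directories themselves (`-iname "*\.app" -type d -perm -2`) while the fix runs `chmod -R o-w` over each bundle's whole tree, so a world-writable file or subdirectory inside a bundle whose top-level directory is not world-writable is reported as 0 by the audit and never remediated. If bundle contents are in scope, search inside the bundles, e.g. `/usr/bin/find /Applications -iname "*.app" -exec /usr/bin/find '{}' -perm -2 \; | /usr/bin/wc -l | /usr/bin/xargs`; otherwise narrow the fix to `/bin/chmod o-w "$apps"` so check and fix agree. The backslash in `"*\.app"` is unnecessary for find's `-iname` pattern; `"*.app"` is the conventional form. The fix also sets `IFS=$'\n'` without restoring it, harmless in a one-shot script but worth a comment.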
@@ -0,0 +1,43 @@ +id: os_terminal_secure_keyboard_enable +title: "Ensure Secure Keyboard Entry Terminal.app is Enabled" +discussion: | + Secure keyboard entry _MUST_ be enabled in Terminal.app. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.Terminal')\ + .objectForKey('SecureKeyboardEntry').js + EOS +result: + string: "true" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91118-0 + 800-53r5: + - N/A + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A + cci: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.10 (level 1) + controls v8: + - 4.8 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.Terminal: + SecureKeyboardEntry: true diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index 9a735f5b1..99f5d45e7 100644 --- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml @@ -29,16 +29,19 @@ references: - AC-3 - IA-5(1) srg: - - N/A + - SRG-OS-000074-GPOS-00042 disa_stig: - - N/A + - APPL-12-002038 800-171r2: - 3.1.1 - 3.1.2 - cisv8: - - 3.3 - - 3.1 - - 5.2 + cis: + benchmark: + - N/A + controls v8: + - 3.3 + - 3.1 + - 5.2 macOS: - "12.0" tags: @@ -51,6 +54,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_time_offset_limit_configure.yaml b/rules/os/os_time_offset_limit_configure.yaml new file mode 100644 index 000000000..100ae51db --- /dev/null +++ b/rules/os/os_time_offset_limit_configure.yaml 
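Review bot: The JavaScript check reads `com.apple.Terminal` through `NSUserDefaults`, which resolves the preference for the user running the check; when the compliance script runs as root from an MDM agent or launch daemon, a user-channel profile (or a user-level `defaults write`) delivering `SecureKeyboardEntry` for the logged-in user may not be visible, and the rule would report non-compliant on a correctly configured machine — worth confirming for device-channel versus user-channel deployment, and running the read as the console user if needed. Because the effective value is read rather than the installed profile, a user who sets the key themselves presumably also passes even though the fix says it `is implemented by a Configuration Profile`; say so in the discussion if that is acceptable. A one-line note on what the expression prints when the key is absent (presumably `undefined`, which correctly fails the `"true"` comparison) would make the pass/fail behaviour reviewable.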
@@ -0,0 +1,41 @@ +id: os_time_offset_limit_configure +title: "Ensure Time Offset Within Limits" +discussion: | + The macOS system time _MUST_ be monitored to not drift more than four minutes and thirty seconds. +check: | + /usr/bin/sntp $(/usr/sbin/systemsetup -getnetworktimeserver | /usr/bin/awk '{print $4}') | /usr/bin/awk -F'.' '/\+\/\-/{if (substr($1,2) >= 270) {print "No"} else {print "Yes"}}' +result: + string: "Yes" +fix: | + [source,bash] + ---- + /usr/bin/sntp -Ss $(/usr/sbin/systemsetup -getnetworktimeserver | /usr/bin/awk '{print $4}') + ---- +references: + cce: + - CCE-91119-8 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.2.2 (level 1) + controls v8: + - 8.4 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml index 9d41d2a5d..80f6de1fe 100644 --- a/rules/os/os_time_server_enabled.yaml +++ b/rules/os/os_time_server_enabled.yaml @@ -25,13 +25,17 @@ references: 800-53r4: - AU-8(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000355-GPOS-00143 + - SRG-OS-000356-GPOS-00144 + disa_stig: + - APPL-12-000014 800-171r2: - 3.3.7 - cisv8: - - 8.4 + cis: + benchmark: + - N/A + controls v8: + - 8.4 macOS: - "12.0" tags: @@ -43,6 +47,7 @@ tags: - 800-53r4_moderate - 800-53r4_high - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml index 1f9978a67..b068ba722 100644 --- a/rules/os/os_touchid_prompt_disable.yaml +++ b/rules/os/os_touchid_prompt_disable.yaml 
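Review bot: Both commands rely on an unquoted `$(/usr/sbin/systemsetup -getnetworktimeserver | /usr/bin/awk '{print $4}')`; `systemsetup` requires root on current macOS and otherwise prints an error, so run unprivileged the awk field is a word of that error and `sntp` is queried against garbage, while with no network `sntp` prints no `+/-` line and the check silently yields nothing — a transient outage is then indistinguishable from real drift. Capture the server first and fail explicitly, e.g. `server=$(/usr/sbin/systemsetup -getnetworktimeserver 2>/dev/null | /usr/bin/awk '/Network Time Server:/{print $4}')` followed by `[ -n "$server" ] && /usr/bin/sntp "$server" | ...`. The `-F'.'` split assumes `sntp` prints the offset as `±seconds.fraction`; a comment stating the expected output shape would make the `270` threshold (4 min 30 s) reviewable. The fix's `sntp -Ss` steps the clock once but does not enable automatic time sync, which is the job of os_time_server_enabled; the discussion could say the two belong together.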
@@ -5,29 +5,35 @@ discussion: | macOS prompts new users through enabling TouchID during Setup Assistant; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing to enable TouchID to override organization-wide settings. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipTouchIDSetup = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ + .objectForKey('SkipTouchIDSetup').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: cce: - CCE-91020-8 cci: - - N/A + - CCI-000381 800-53r5: - CM-6 800-53r4: - CM-6 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-005054 800-171r2: - 3.4.1 - 3.4.2 - cisv8: - - 4.1 + cis: + benchmark: + - N/A + controls v8: + - 4.1 macOS: - "12.0" tags: @@ -40,6 +46,8 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig +severity: "medium" mobileconfig: true mobileconfig_info: com.apple.SetupAssistant.managed: diff --git a/rules/os/os_unique_identification.yaml b/rules/os/os_unique_identification.yaml index 7c0f5e9e5..c92ee0bed 100644 --- a/rules/os/os_unique_identification.yaml +++ b/rules/os/os_unique_identification.yaml @@ -19,9 +19,12 @@ references: - N/A srg: - N/A - cisv8: - - 5.1 - - 6.1 + cis: + benchmark: + - N/A + controls v8: + - 5.1 + - 6.1 macOS: - "12.0" tags: diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml index c9b1a60e8..b2fc53029 100644 --- a/rules/os/os_unlock_active_user_session_disable.yaml +++ b/rules/os/os_unlock_active_user_session_disable.yaml 
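Review bot: The os_touchid_prompt_disable check moves from `profiles -P -o stdout` (which enumerates installed profiles) to reading the effective value of `SkipTouchIDSetup` in `com.apple.SetupAssistant.managed` via `NSUserDefaults`, so a local `defaults write` of that key presumably now satisfies a rule whose fix says it `is implemented by a Configuration Profile`. That is arguably correct — the effective setting is what matters — but it changes what the audit attests, which matters now that `APPL-12-005054` is attached and STIG reviewers will read the output; a sentence in the discussion that the profile remains the supported delivery would avoid surprises. The same pattern applies to every check converted in this commit, so that note belongs in one central place rather than per rule.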
@@ -1,9 +1,9 @@ id: os_unlock_active_user_session_disable -title: "Disable Login to Other User’s Active and Locked Sessions" +title: "Disable Login to Other User's Active and Locked Sessions" discussion: | - The ability to log in to another user’s active or locked session _MUST_ be disabled. + The ability to log in to another user's active or locked session _MUST_ be disabled. - macOS has a privilege that can be granted to any user that will allow that user to unlock active user’s sessions. Disabling the admins and/or user’s ability to log into another user’s active andlocked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. + macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active andlocked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. check: | /usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c 'use-login-window-ui' result: @@ -28,11 +28,14 @@ references: - N/A srg: - N/A - cci: - - N/A 800-171r2: - 3.5.1 - 3.5.2 + cis: + benchmark: + - 5.11 (level 1) + controls v8: + - 4.3 macOS: - "12.0" tags: @@ -44,5 +47,8 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml index 7e8ff2f78..36a119b3e 100644 --- a/rules/os/os_user_app_installation_prohibit.yaml +++ b/rules/os/os_user_app_installation_prohibit.yaml 
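Review bot: The rewritten discussion line still contains the run-together `active andlocked session`; since the line is being touched for the quote change anyway, fix it to `active and locked session`. The second hunk drops the `cci:` key from `references` while every other rule file in this commit keeps `cci:` (with `- N/A`); if the generator tolerates the missing key that is fine, but it is inconsistent with the sibling files and looks accidental.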
@@ -5,9 +5,22 @@ discussion: | Allowing regular users to install software, without explicit privileges, presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. check: | - /usr/bin/profiles -P -o stdout-xml | /usr/bin/sed -n '/pathBlackList/,/key/p' | /usr/bin/grep -c "/Users/" + /usr/bin/osascript -l JavaScript << EOS + function run() { + let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ + .objectForKey('familyControlsEnabled')) + let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ + .objectForKey('pathBlackList').js + for ( let app in pathlist ) { + if ( ObjC.unwrap(pathlist[app]) == "/Users/" && pref1 == true ){ + return("true") + } + } + return("false") + } + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml index 2ee40966f..3e71cbe63 100644 --- a/rules/os/os_uucp_disable.yaml +++ b/rules/os/os_uucp_disable.yaml @@ -27,16 +27,19 @@ references: 800-53r4: - AC-3 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002006 800-171r2: - 3.1.1 - 3.1.2 - cisv8: - - 3.3 - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + controls v8: + - 3.3 + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -49,6 +52,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_world_writable_library_folder_configure.yaml b/rules/os/os_world_writable_library_folder_configure.yaml new file mode 100644 index 000000000..1f413b299 --- /dev/null +++ b/rules/os/os_world_writable_library_folder_configure.yaml 
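Review bot: The new check requires an exact match `ObjC.unwrap(pathlist[app]) == "/Users/"` where the old one accepted any `pathBlackList` entry containing `/Users/`, so a profile that blocks `/Users` without the trailing slash — which the restriction payload presumably treats the same way — now reports non-compliant; either normalise before comparing, e.g. `String(ObjC.unwrap(pathlist[app])).replace(/\/+$/, '') == "/Users"`, or state in the discussion that the entry must be spelled exactly `/Users/`. Since `familyControlsEnabled` must also be true, a short comment in the check that both the switch and the path entry are required would help the next reader. The function prints `false` both when no profile is installed and when the path is wrong, which is fine for pass/fail but worth knowing when debugging.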
@@ -0,0 +1,45 @@ +id: os_world_writable_library_folder_configure +title: "Ensure No World Writable Files Exist in the Library Folder" +discussion: | + Folders in /System/Volumes/Data/Library _MUST_ not be world-writable. + + NOTE: Some vendors are known to create world-writable folders to the System Library folder. You may need to add more exclusions to this check and fix to match your environment. +check: | + /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 -ls | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data | /usr/bin/wc -l | /usr/bin/xargs +result: + integer: 0 +fix: | + [source,bash] + ---- + IFS=$'\n' + for libPermissions in $( /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data ); do + /bin/chmod -R o-w "$libPermissions" + done + ---- +references: + cce: + - CCE-91120-6 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 5.1.8 (level 2) + controls v8: + - 3.3 +macOS: + - "12.0" +tags: + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_world_writable_system_folder_configure.yaml b/rules/os/os_world_writable_system_folder_configure.yaml new file mode 100644 index 000000000..041732799 --- /dev/null +++ b/rules/os/os_world_writable_system_folder_configure.yaml 
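Review bot: The exclusions are substring filters (`grep -v Caches`, `grep -v /Preferences/Audio/Data`) over `find -ls` output, so any world-writable directory whose full path merely contains the text `Caches` — a vendor's `/Library/Application Support/Vendor/MyCaches`, or something an attacker deliberately names that way — is silently dropped from both the check and the fix. Express the exclusion as a path prune inside find instead, e.g. `/usr/bin/find /System/Volumes/Data/Library \( -path '*/Caches' -o -path '*/Caches/*' -o -path '*/Preferences/Audio/Data' \) -prune -o -type d -perm -2 -print`. The title says "No World Writable Files" while the discussion and the check (`-type d`) are about folders, and the fix's `chmod -R o-w` also touches every file beneath each matched folder; align the title with the folder scope or extend the check to files so the audit and the remediation describe the same thing.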
@@ -0,0 +1,44 @@ +id: os_world_writable_system_folder_configure +title: "Ensure No World Writable Files Exist in the System Folder" +discussion: | + Folders in /System/Volumes/Data/System _MUST_ not be world-writable. +check: | + /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -v "Drop Box" | /usr/bin/wc -l | /usr/bin/xargs +result: + integer: 0 +fix: | + [source,bash] + ---- + IFS=$'\n' + for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "Drop Box" ); do + /bin/chmod -R o-w "$sysPermissions" + done + ---- +references: + cce: + - CCE-91121-4 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 5.1.7 (level 1) + controls v8: + - 3.3 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml index 9a44432c6..b1ec3fcba 100644 --- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml @@ -7,7 +7,10 @@ discussion: | NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/awk -F " = " '/maxPINAgeInDays/{sub(/;.*/,"");print $2}' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ + .objectForKey('maxPINAgeInDays').js + EOS result: integer: 60 fix: | @@ -23,9 +26,9 @@ references: - IA-5 - IA-5(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000076-GPOS-00044 + disa_stig: + - APPL-12-003008 800-171r2: - 3.5.1 - 3.5.2 
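Review bot: `grep -v "Drop Box"` drops any matching path containing that string anywhere, so it exempts more than the intended folder (presumably the user-template `Public/Drop Box`, which is world-writable by design); anything created with `Drop Box` in its name under `/System/Volumes/Data/System` passes the check and is skipped by the fix. A path-anchored prune inside `find` is tighter: `/usr/bin/find /System/Volumes/Data/System -path '*/Public/Drop Box' -prune -o -type d -perm -2 -print`. As in the Library rule, the title says "Files" while the check is `-type d` and the fix recurses with `chmod -R o-w` into files beneath each folder; state the intended scope in the discussion.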
@@ -33,8 +36,11 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cisv8: - - 4.7 + cis: + benchmark: + - N/A + controls v8: + - 4.7 macOS: - "12.0" tags: @@ -47,6 +53,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml index 678dae8d9..2cc480494 100644 --- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml @@ -45,13 +45,16 @@ references: - IA-4 srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.5.5 - 3.5.6 - cisv8: - - 5.3 + cis: + benchmark: + - N/A + controls v8: + - 5.3 macOS: - "12.0" tags: diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml index 164a84c5c..89a5fd904 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml @@ -5,9 +5,12 @@ discussion: | This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'maxFailedAttempts = 3' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ + .objectForKey('maxFailedAttempts').js + EOS result: - integer: 1 + integer: 3 fix: | This is implemented by a Configuration Profile. references: @@ -20,13 +23,16 @@ references: 800-53r4: - AC-7 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000329-GPOS-00128 + disa_stig: + - APPL-12-000022 800-171r2: - 3.1.8 - cisv8: - - 4.1 + cis: + benchmark: + - N/A + controls v8: + - 6.2 macOS: - "12.0" tags: @@ -39,6 +45,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: 
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml
new file mode 100644
index 000000000..88233d7dc
--- /dev/null
+++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml
@@ -0,0 +1,46 @@
+id: pwpolicy_account_lockout_enforce_five
+title: "Limit Consecutive Failed Login Attempts to Five"
+discussion: |
+ The macOS _MUST_ be configured to limit the number of failed login attempts to a maximum of five. When the maximum number of failed attempts is reached, the account _MUST_ be locked for a period of time after.
+
+ This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.
+check: |
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
+ .objectForKey('maxFailedAttempts').js
+ EOS
+result:
+ integer: 5
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-91122-2
+ cci:
+ - N/A
+ 800-53r5:
+ - AC-7
+ 800-53r4:
+ - AC-7
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - 3.1.8
+ cis:
+ benchmark:
+ - 5.2.1 (level 1)
+ controls v8:
+ - 6.2
+macOS:
+ - "12.0"
+tags:
+ - cis_lvl1
+ - cis_lvl2
+ - cisv8
+severity: "medium"
+mobileconfig: true
+mobileconfig_info:
+ com.apple.mobiledevice.passwordpolicy:
+ maxFailedAttempts: 5
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
index bc92b833b..3af6e544f 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
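Review bot: This rule sets the same `com.apple.mobiledevice.passwordpolicy` / `maxFailedAttempts` key as pwpolicy_account_lockout_enforce but to 5 instead of 3, so a baseline that selects both can never pass and would emit conflicting profile payloads; the discussion should state that the two are mutually exclusive, or the rule index should enforce it. The discussion also says the account `_MUST_ be locked for a period of time after`, but nothing here sets `minutesUntilFailedLoginReset` — that key lives in pwpolicy_account_lockout_timeout_enforce, which is not tagged `cis_lvl1`/`cis_lvl2` — so either reference that rule or add the key to `mobileconfig_info` so the CIS baseline actually produces a lockout period. The check is exact-match (`integer: 5`); if CIS 5.2.1 is a maximum rather than a fixed value, say so and consider accepting stricter settings.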
@@ -5,9 +5,12 @@ discussion: | This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'minutesUntilFailedLoginReset = 15' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ + .objectForKey('minutesUntilFailedLoginReset').js + EOS result: - integer: 1 + integer: 15 fix: | This is implemented by a Configuration Profile. references: @@ -20,13 +23,16 @@ references: 800-53r4: - AC-7 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000329-GPOS-00128 + disa_stig: + - APPL-12-000022 800-171r2: - 3.1.8 - cisv8: - - 4.1 + cis: + benchmark: + - N/A + controls v8: + - 4.1 macOS: - "12.0" tags: @@ -39,6 +45,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml index 2ba366f9f..699fca16f 100644 --- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml @@ -7,9 +7,12 @@ discussion: | NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c "requireAlphanumeric = 1;" + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ + .objectForKey('requireAlphanumeric').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: 
@@ -23,9 +26,9 @@ references: - IA-5 - IA-5(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000071-GPOS-00039 + disa_stig: + - APPL-12-003007 800-171r2: - 3.5.1 - 3.5.2 @@ -33,8 +36,12 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cisv8: - - 5.2 + cis: + benchmark: + - 5.2.3 (level 2) + - 5.2.4 (level 2) + controls v8: + - 5.2 macOS: - "12.0" tags: @@ -46,7 +53,9 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml index bff8b25c0..c5c7918e5 100644 --- a/rules/pwpolicy/pwpolicy_force_password_change.yaml +++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml @@ -36,8 +36,11 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cisv8: - - 5.2 + cis: + benchmark: + - N/A + controls v8: + - 5.2 macOS: - "12.0" tags: diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml index 09aac6670..4fcf0bd03 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml @@ -9,7 +9,10 @@ discussion: | NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/awk '/pinHistory/{sub(/;.*/,"");print $3}' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ + .objectForKey('pinHistory').js + EOS result: integer: 5 fix: | 
@@ -24,16 +27,19 @@ references: 800-53r4: - IA-5(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000077-GPOS-00045 + disa_stig: + - APPL-12-003009 800-171r2: - 3.5.7 - 3.5.8 - 3.5.9 - 3.5.10 - cisv8: - - 5.2 + cis: + benchmark: + - N/A + controls v8: + - 5.2 macOS: - "12.0" tags: @@ -46,6 +52,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml b/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml new file mode 100644 index 000000000..19415f1da --- /dev/null +++ b/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml @@ -0,0 +1,51 @@ +id: pwpolicy_history_enforce_fifteen +title: "Prohibit Password Reuse for a Minimum of Fifteen Generations" +discussion: | + The macOS _MUST_ be configured to enforce a password history of at least fifteen previous passwords when a password is created. + + This rule ensures that users are not allowed to re-use a password that was used in any of the fifteen previous password generations. + + Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ + .objectForKey('pinHistory').js + EOS +result: + integer: 15 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91123-0 + cci: + - N/A + 800-53r5: + - IA-5(1) + 800-53r4: + - IA-5(1) + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - 3.5.7 + - 3.5.8 + - 3.5.9 + - 3.5.10 + cis: + benchmark: + - 5.2.8 (level 1) + controls v8: + - 5.2 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.mobiledevice.passwordpolicy: + pinHistory: 15 
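Review bot: In pwpolicy_history_enforce_fifteen the discussion promises a history of `at least fifteen previous passwords`, but the check compares the `pinHistory` value for exact equality with 15, so a stricter organisational value such as 20 fails the rule. Either word the rule as "exactly fifteen" or make the check return a pass/fail, e.g. `.objectForKey('pinHistory').js >= 15` with `result: string: "true"`. The sibling pwpolicy_history_enforce sets the same key to 5 with the same exact-match shape, so the two cannot both be satisfied by one baseline; a one-line note on that mutual exclusivity in the discussion would prevent both being selected.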
diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index 436937607..f1f077c00 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml @@ -46,7 +46,7 @@ references: 800-53r4: - IA-5 - IA-5(1) - disa_stig: + disa_stig: - N/A srg: - N/A @@ -57,8 +57,11 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cisv8: - - 5.2 + cis: + benchmark: + - 5.2.6 (level 2) + controls v8: + - 5.2 macOS: - "12.0" tags: @@ -70,6 +73,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index b6bb32e26..247dd2364 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml @@ -7,9 +7,12 @@ discussion: | NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'minLength = 15' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ + .objectForKey('minLength').js + EOS result: - integer: 1 + integer: 15 fix: | This is implemented by a Configuration Profile. references: @@ -23,9 +26,9 @@ references: - IA-5 - IA-5(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000078-GPOS-00046 + disa_stig: + - APPL-12-003010 800-171r2: - 3.5.1 - 3.5.2 @@ -33,8 +36,11 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cisv8: - - 5.2 + cis: + benchmark: + - 5.2.2 (level 1) + controls v8: + - 5.2 macOS: - "12.0" tags: 
@@ -46,7 +52,10 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index 2ef25f10f..dac5c63a8 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml @@ -45,7 +45,7 @@ references: - IA-5 800-53r4: - IA-5(1) - disa_stig: + disa_stig: - N/A srg: - N/A @@ -54,8 +54,11 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cisv8: - - 4.7 + cis: + benchmark: + - N/A + controls v8: + - 4.7 macOS: - "12.0" tags: diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml index 3a41ce183..88f7611b7 100644 --- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml +++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml @@ -7,9 +7,12 @@ discussion: | NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowSimple = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ + .objectForKey('allowSimple').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -24,7 +27,7 @@ references: - IA-5(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.5.1 @@ -33,8 +36,11 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cisv8: - - 5.2 + cis: + benchmark: + - N/A + controls v8: + - 5.2 macOS: - "12.0" tags: 
diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index 9d9923a2b..d060025d1 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml @@ -9,7 +9,10 @@ discussion: | NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/awk '/minComplexChars/{sub(/;.*/,"");print $3}' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ + .objectForKey('minComplexChars').js + EOS result: integer: 1 fix: | @@ -25,9 +28,9 @@ references: - IA-5 - IA-5(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000266-GPOS-00101 + disa_stig: + - APPL-12-003011 800-171r2: - 3.5.1 - 3.5.2 @@ -35,8 +38,11 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cisv8: - - 5.2 + cis: + benchmark: + - 5.2.5 (level 2) + controls v8: + - 5.2 macOS: - "12.0" tags: @@ -48,7 +54,9 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml index 0b9be9dd1..9b3dc3f3e 100644 --- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml @@ -65,9 +65,10 @@ references: 800-53r4: - AC-2(2) srg: - - N/A + - SRG-OS-000002-GPOS-00002 + - SRG-OS-000123-GPOS-00064 disa_stig: - - N/A + - APPL-12-000012 macOS: - "12.0" tags: 
@@ -76,6 +77,7 @@ tags: - 800-53r4_moderate - 800-53r4_high - manual + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index 4590872ba..feb8f16d9 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml @@ -46,7 +46,7 @@ references: 800-53r4: - IA-5 - IA-5(1) - disa_stig: + disa_stig: - N/A srg: - N/A @@ -57,8 +57,11 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cisv8: - - 5.2 + cis: + benchmark: + - 5.2.6 (level 2) + controls v8: + - 5.2 macOS: - "12.0" tags: @@ -70,6 +73,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml new file mode 100644 index 000000000..ddee60593 --- /dev/null +++ b/rules/supplemental/supplemental_cis_manual.yaml 
@@ -0,0 +1,98 @@ +id: supplemental_cis_manual +title: " CIS Manual Recommendations" +discussion: | + List of CIS recommendations that are manual check in the CIS macOS Benchmark. + + [cols="15%h, 85%a"] + |=== + + |Section + |Install Updates, Patches and Additional Security Software + + |Recommendations + |1.7 Audit Computer Name + |=== + + [cols="15%h, 85%a"] + |=== + |Section + |System Preferences + + |Recommendations + |2.3.3 Audit Lock Screen and Start Screen Saver Tools + + 2.5.1.2 Ensure all user storage APFS volumes are encrypted + + 2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted + + 2.5.4 Audit Location Services Access + + 2.5.7 Audit Camera Privacy and Confidentiality + + 2.6.1.1 Audit iCloud Configuration + + 2.6.1.2 Audit iCloud Keychain + + 2.6.1.3 Audit iCloud Drive + + 2.6.2 Audit App Store Password Settings + + 2.12 Audit Automatic Actions for Optical Media + + 2.13 Audit Siri Settings + + 2.14 Audit Sidecar Settings + + 2.15 Audit Touch ID and Wallet & Apple Pay Settings + + 2.16 Audit Notification System Preference Settings + + 2.17 Audit Passwords System Preference Setting + + |=== + + [cols="15%h, 85%a"] + |=== + |Section + |Logging and Auditing + + |Recommendations + |3.7 Audit Software Inventory + |=== + + [cols="15%h, 85%a"] + |=== + |Section + |Network Configurations + + |Recommendations + |4.3 Audit Network Specific Locations + + 4.6 Audit Wi-Fi Settings + + |=== + + [cols="15%h, 85%a"] + |=== + |Section + |System Access, Authentication and Authorization + + |Recommendations + |5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured + + 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured + + 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured + + 5.5 Ensure login keychain is locked when the computer sleeps + + 5.15 Ensure Fast User Switching Is Disabled + + |=== + + [cols="15%h, 85%a"] + |=== + |Section + |Appendix: Additional 
Considerations + + |Recommendations + |7.1 Extensible Firmware Interface (EFI) password + + 7.2 FileVault and Local Account Password Reset using AppleID + + |=== +check: | +fix: | +references: + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A +macOS: + - "12.0" +tags: + - supplemental +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml index 2d5c9003d..b8831b7b3 100644 --- a/rules/supplemental/supplemental_filevault.yaml +++ b/rules/supplemental/supplemental_filevault.yaml 
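Review bot: `title: " CIS Manual Recommendations"` in the new `supplemental_cis_manual.yaml` carries a leading space inside the quoted string, which will be rendered verbatim wherever the title is emitted; it should read `title: "CIS Manual Recommendations"`. The `check: |` and `fix: |` keys are left as empty block scalars, which YAML parses as empty strings rather than absent keys; if the generator treats the two cases differently, a short comment such as `# supplemental rule: no automated check or fix` would make the intent clear. The rule also lists no `cce` entry, unlike every other new rule in this commit, which is presumably deliberate for a supplemental but deserves a word in the description.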
@@ -47,9 +47,9 @@ discussion: | The `UserEntersMissingInfo` key will only work if installed through manual installation, and it will prompt for the username and password immediately. - When using a configuration profile, you can escrow the Recovery key to a Mobile Device Management (MDM) server. Documentation for that can be found on Apple’s Developer site: link:https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow[]. + When using a configuration profile, you can escrow the Recovery key to a Mobile Device Management (MDM) server. Documentation for that can be found on Apple's Developer site: link:https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow[]. - It’s recommended that you use a Personal Recovery key instead of an Institutional key as it will generate a specific key for each device. You can find more guidance on choosing a recover key here: link:https://docs.jamf.com/technical-papers/jamf-pro/administering-filevault-macos/10.7.1/Choosing_a_Recovery_Key.html[]. + It's recommended that you use a Personal Recovery key instead of an Institutional key as it will generate a specific key for each device. You can find more guidance on choosing a recover key here: link:https://docs.jamf.com/technical-papers/jamf-pro/administering-filevault-macos/10.7.1/Choosing_a_Recovery_Key.html[]. NOTE: FileVault currently only uses password-based authentication and cannot be done using a smartcard or any other type of multi-factor authentication. check: | diff --git a/rules/supplemental/supplemental_firewall_pf.yaml b/rules/supplemental/supplemental_firewall_pf.yaml index c22cc06c4..678c82633 100644 --- a/rules/supplemental/supplemental_firewall_pf.yaml +++ b/rules/supplemental/supplemental_firewall_pf.yaml 
@@ -13,7 +13,7 @@ discussion: | * The PF firewall can manipulate virtually any packet data and is highly configurable. ** More information on the BF firewall can be found here: https://www.openbsd.org/faq/pf/index.html - Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 5). The script will make sure the application layer firewall is enabled, set logging to “detailed”, set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy `com.apple.pfctl.plis` from `/System/Library/LaunchDaemons/` into the `/Library/LaunchDaemons` folder and name it `800-53.pfctl.plist`. This is done to not conflict with the system’s pf ruleset. + Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 5). The script will make sure the application layer firewall is enabled, set logging to "detailed", set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy `com.apple.pfctl.plis` from `/System/Library/LaunchDaemons/` into the `/Library/LaunchDaemons` folder and name it `800-53.pfctl.plist`. This is done to not conflict with the system's pf ruleset. The custom pf rules are created at `/etc/pf.anchors/800_53_pf_anchors`. diff --git a/rules/supplemental/supplemental_smartcard.yaml b/rules/supplemental/supplemental_smartcard.yaml index eaf3f9472..8f97916ab 100644 --- a/rules/supplemental/supplemental_smartcard.yaml +++ b/rules/supplemental/supplemental_smartcard.yaml 
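Review bot: The rewritten discussion line in `supplemental_firewall_pf.yaml` still names the source file as `com.apple.pfctl.plis`, while the destination a few words later is `800-53.pfctl.plist`; the file under `/System/Library/LaunchDaemons/` presumably carries the `.plist` extension, so the typo should be fixed while this line is being touched. The context line just above it says "BF firewall" where "PF firewall" is evidently meant, but that line is not part of the change.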
@@ -25,7 +25,7 @@ discussion: | [discrete] ==== Smartcard Pairing - The default method for using smartcards in macOS is a method called "local account pairing". Local account pairing is automatically initiated when a user inserts a smartcard into the Mac. The user is prompted to pair their smartcard with their account. If a user receives a new smartcard, the previous card must be unpaired, and the new card paired to the account. Local account pairing employs fixed key mapping with the hash of a public key on the user’s smartcard with a local account. + The default method for using smartcards in macOS is a method called "local account pairing". Local account pairing is automatically initiated when a user inserts a smartcard into the Mac. The user is prompted to pair their smartcard with their account. If a user receives a new smartcard, the previous card must be unpaired, and the new card paired to the account. Local account pairing employs fixed key mapping with the hash of a public key on the user's smartcard with a local account. [discrete] ==== Smartcard Attribute Mapping @@ -60,7 +60,7 @@ discussion: | - 2: certificate trust check is turned on, and a soft revocation check is performed. Until the certificate is explicitly rejected by CRL/OCSP, it is considered valid. This implies that unavailable/unreachable CRL/OCSP allows this check to succeed. - - 3: certificate trust check is turned on, plus a hard revocation check is performed. Unless CRL/OCSP explicitly states that “this certificate is OK”, the certificate is considered invalid. This is the most secure value for this setting. + - 3: certificate trust check is turned on, plus a hard revocation check is performed. Unless CRL/OCSP explicitly states that "this certificate is OK", the certificate is considered invalid. This is the most secure value for this setting. <.^|oneCardPerUser ^.^|bool 
diff --git a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml index ce2a46928..60a9300f7 100644 --- a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml +++ b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml @@ -7,9 +7,12 @@ discussion: | The information system _MUST_ be configured to provide only essential capabilities. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AirplayRecieverEnabled = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowAirPlayIncomingRequests').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -24,21 +27,26 @@ references: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.13 (level 1) + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: - com.apple.controlcenter: - AirplayRecieverEnabled: false + com.apple.applicationaccess: + allowAirPlayIncomingRequests: false diff --git a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml index d51fdee97..f040376cc 100644 --- a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml +++ b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml 
@@ -5,9 +5,12 @@ discussion: | Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowAutoUnlock = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowAutoUnlock').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -20,9 +23,9 @@ references: 800-53r4: - AC-11 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000028-GPOS-00009 + disa_stig: + - APPL-12-000001 800-171r2: - 3.1.10 macOS: @@ -34,6 +37,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/rules/sysprefs/sysprefs_automatic_login_disable.yaml index 85d475f43..aa2bec71f 100644 --- a/rules/sysprefs/sysprefs_automatic_login_disable.yaml +++ b/rules/sysprefs/sysprefs_automatic_login_disable.yaml @@ -5,9 +5,12 @@ discussion: | When automatic logons are enabled, the default user account is automatically logged on at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer and find it already logged in. Disabling automatic logons mitigates this risk. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"com.apple.login.mcx.DisableAutoLoginClient" = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ + .objectForKey('com.apple.login.mcx.DisableAutoLoginClient').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: 
@@ -22,12 +25,17 @@ references: - IA-2 - IA-5(13) srg: - - N/A + - SRG-OS-000480-GPOS-00229 disa_stig: - - N/A + - APPL-12-002066 800-171r2: - 3.5.1 - 3.5.2 + cis: + benchmark: + - 5.7 (level 1) + controls v8: + - 4.7 macOS: - "12.0" tags: @@ -39,6 +47,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml index 775de6e35..3b313f240 100644 --- a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml +++ b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml @@ -7,12 +7,15 @@ discussion: | [IMPORTANT] ==== - The 24-hour automatic logout may cause disruptions to an organization’s workflow and/or loss of data. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting to disable the 24-hour automatic logout setting. + The 24-hour automatic logout may cause disruptions to an organization's workflow and/or loss of data. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting to disable the 24-hour automatic logout setting. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"com.apple.autologout.AutoLogOutDelay" = 86400' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('.GlobalPreferences')\ + .objectForKey('com.apple.autologout.AutoLogOutDelay').js + EOS result: - integer: 1 + integer: 86400 fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml index b993f4f95..d5f7c6c97 100644 --- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml 
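Review bot: The new `result: integer: 86400` in `sysprefs_automatic_logout_enforce.yaml` makes the check an exact match on the 24-hour value, so a deployment that sets `com.apple.autologout.AutoLogOutDelay` to a shorter delay fails the rule even though it is stricter than the baseline. The grep it replaces had the same limitation, but now that the value is read as a number it would be straightforward to compare instead, for example by wrapping the read in a `function run()` as `sysprefs_diagnostics_reports_disable.yaml` does in this commit and returning `"true"` when the delay is between 1 and 86400. If an exact 24-hour value is deliberately required, a sentence in the discussion saying so would keep this from being reopened.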
@@ -8,9 +8,12 @@ discussion: | Information System Security Officers (ISSOs) may make the risk-based decision not to disable Bluetooth, so as to maintain necessary functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableBluetooth = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCXBluetooth')\ + .objectForKey('DisableBluetooth').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -26,15 +29,19 @@ references: - AC-18(3) - SC-8 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000481-GPOS-000481 + - SRG-OS-000319-GPOS-00164 + disa_stig: + - APPL-12-002062 800-171r2: - 3.13.8 - cisv8: - - 4.8 - - 12.6 - - 13.9 + cis: + benchmark: + - N/A + controls v8: + - 4.8 + - 12.6 + - 13.9 macOS: - "12.0" tags: @@ -46,6 +53,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml b/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml new file mode 100644 index 000000000..ac7c9ddbb --- /dev/null +++ b/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml 
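Review bot: The new `srg` entry `SRG-OS-000481-GPOS-000481` in `sysprefs_bluetooth_disable.yaml` has a six-digit GPOS suffix, while every other SRG identifier in this commit (including `SRG-OS-000319-GPOS-00164` directly below it) uses five digits, so this looks like a typo that would break any lookup keyed on the SRG id. The same string is repeated in the new `sysprefs_bluetooth_prefpane_disable.yaml` and `sysprefs_bluetooth_prefpane_hide.yaml` files, so all three should be corrected together. I have not verified the intended identifier, so please take it from the DISA source rather than trimming a digit.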
@@ -0,0 +1,44 @@ +id: sysprefs_bluetooth_menu_enable +title: "Enable Bluetooth Menu" +discussion: | + The bluetooth menu _MUST_ be enabled. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\ + .objectForKey('Bluetooth').js + EOS +result: + integer: 18 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91124-8 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.1.2 (level 1) + controls v8: + - 4.8 + - 13.9 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.controlcenter: + Bluetooth: 18 \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_bluetooth_prefpane_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_prefpane_disable.yaml new file mode 100644 index 000000000..d44426c83 --- /dev/null +++ b/rules/sysprefs/sysprefs_bluetooth_prefpane_disable.yaml @@ -0,0 +1,36 @@ +id: sysprefs_bluetooth_prefpane_disable +title: "Disable the Bluetooth System Preference Pane" +discussion: | + The Bluetooth System Preference pane _MUST_ be disabled to prevent access to the bluetooth configuration. + +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.Bluetooth' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91150-3 + cci: + - CCI-002418 + 800-53r5: + - N/A + 800-53r4: + - SC-8 + srg: + - SRG-OS-000481-GPOS-000481 + disa_stig: + - APPL-12-002062 + 800-171r2: + - N/A +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + DisabledPreferencePanes: + - com.apple.preferences.Bluetooth 
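Review bot: The expected `result: integer: 18` and the payload `Bluetooth: 18` under `com.apple.controlcenter` in `sysprefs_bluetooth_menu_enable.yaml` are bare magic numbers; the discussion should say what the integer encodes so a reviewer can confirm it is the "shown in menu bar" state, e.g. `The value 18 is the Control Center visibility setting that shows the Bluetooth item in the menu bar.` (confirm the encoding against Apple's documentation before wording it this way). Because the check is an exact integer match, any other value that also represents a visible item would fail the rule; if such values exist, the check should accept them as well.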
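Review bot: The check in `sysprefs_bluetooth_prefpane_disable.yaml` counts occurrences of `com.apple.preferences.Bluetooth` anywhere in `profiles -P -o stdout` and passes only when the count is at least 2, which does not tie the result to the `DisabledPreferencePanes` key this rule configures; the identical check is reused in `sysprefs_bluetooth_prefpane_hide.yaml`, whose payload key is `HiddenPreferencePanes`. As written, a single profile carrying only one of the two keys appears to yield a count of 1 and fail both rules, while two profiles that both carry only `HiddenPreferencePanes` would satisfy the "disable" rule. Each check should match its own key, for example by anchoring the grep on the key name before counting the pane identifier, or by reading `com.apple.systempreferences` through the same `NSUserDefaults` bridge the other checks in this commit use and inspecting the array under the key in question. I can't confirm the exact layout of `profiles` output from here, so whichever form is chosen needs to be tested on a host with the profile installed.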
diff --git a/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml b/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml new file mode 100644 index 000000000..e39d31958 --- /dev/null +++ b/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml @@ -0,0 +1,36 @@ +id: sysprefs_bluetooth_prefpane_hide +title: "Hide the Bluetooth System Preference Pane" +discussion: | + The Bluetooth System Preference pane _MUST_ be hidden to prevent access to the bluetooth configuration. + +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.Bluetooth' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91125-5 + cci: + - CCI-002418 + 800-53r5: + - N/A + 800-53r4: + - SC-8 + srg: + - SRG-OS-000481-GPOS-000481 + disa_stig: + - APPL-12-002062 + 800-171r2: + - N/A +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + HiddenPreferencePanes: + - com.apple.preferences.Bluetooth diff --git a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml index 96ed99513..8969ca677 100644 --- a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml @@ -39,17 +39,20 @@ references: - CM-7(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.1.1 - 3.1.2 - 3.1.16 - 3.4.7 - cisv8: - - 3.3 - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.7 (level 1) + controls v8: + - 3.3 + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -61,6 +64,8 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml new file mode 100644 index 000000000..506437d02 --- /dev/null 
+++ b/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml @@ -0,0 +1,53 @@ +id: sysprefs_bluetooth_unpaired_disable +title: "Disable Bluetooth When No Devices are Paired" +discussion: | + Bluetooth _MUST_ be disabled when no devices are paired. +check: | + isPaired=$(/usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | /usr/bin/grep -c 'Connected: Yes') + if [[ "$isPaired" = "0" ]]; then + powerState=$(/usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | /usr/bin/grep -c 'State: On') + /bin/echo "$powerState" + else + /bin/echo "0" + fi +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/bin/defaults write /private/var/root/Library/Preferences/com.apple.BTServer.plist defaultPoweredState off + /usr/bin/killall -HUP bluetoothd + ---- +references: + cce: + - CCE-91126-3 + cci: + - N/A + 800-53r5: + - AC-18 + - SC-8 + - AC-18(3) + 800-53r4: + - AC-18(3) + - SC-8 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.1.1 (level 1) + controls v8: + - 4.8 + - 12.6 + - 13.9 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml b/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml new file mode 100644 index 000000000..e71c4a7d7 --- /dev/null +++ b/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml 
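Review bot: The check in `sysprefs_bluetooth_unpaired_disable.yaml` decides "no devices are paired" by counting `Connected: Yes` lines in `system_profiler SPBluetoothDataType`, but connected and paired are different states: a device that is paired but currently out of range or powered off yields `isPaired=0`, and the rule then demands that Bluetooth be off even though the title and discussion say it applies only when nothing is paired. If the intent really is "no paired devices", the grep should target the paired attribute of each device entry; if the intent is "no connected devices", the variable name, title and discussion should say so. I also can't verify from here that Monterey's `system_profiler` output still emits a `Connected: Yes` line per device rather than grouping devices under headings, so the pattern should be checked on a 12.x host, since an unmatched pattern would make the check treat every system as unpaired. The fix writes `defaultPoweredState off` into root's `com.apple.BTServer.plist` unconditionally, which is broader than the conditional check; a sentence in the discussion saying the fix turns Bluetooth off regardless of pairing would set expectations.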
@@ -0,0 +1,52 @@ +id: sysprefs_cd_dvd_sharing_disable +title: "Disable CD/DVD Sharing" +discussion: | + CD/DVD Sharing _MUST_ be disabled. +check: | + /usr/bin/pgrep -q ODSAgent; /bin/echo $? +result: + integer: 1 +fix: | + [source,bash] + ---- + /bin/launchctl unload /System/Library/LaunchDaemons/com.apple.ODSAgent.plist + ---- +references: + cce: + - CCE-91127-1 + cci: + - N/A + 800-53r5: + - CM-7 + - CM-7(1) + 800-53r4: + - CM-7 + - CM-7(1) + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.4.6 (level 1) + controls v8: + - 4.1 + - 4.8 +macOS: + - "12.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: + diff --git a/rules/sysprefs/sysprefs_content_caching_disable.yaml b/rules/sysprefs/sysprefs_content_caching_disable.yaml index 1d3504d3d..f3913dd9c 100644 --- a/rules/sysprefs/sysprefs_content_caching_disable.yaml +++ b/rules/sysprefs/sysprefs_content_caching_disable.yaml @@ -5,9 +5,12 @@ discussion: | Content caching is a macOS service that helps reduce Internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowContentCaching = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowContentCaching').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -27,9 +30,12 @@ references: - N/A 800-171r2: - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.10 (level 2) + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -41,6 +47,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: 
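Review bot: The check `/usr/bin/pgrep -q ODSAgent; /bin/echo $?` in `sysprefs_cd_dvd_sharing_disable.yaml` treats exit status 1 as compliant, which is right for "no process matched", but `pgrep` matches its argument as a regular expression against process names, so the result also depends on no other process name containing `ODSAgent`; `/usr/bin/pgrep -qx ODSAgent` would make the exact-name intent explicit. The fix's `launchctl unload` of `com.apple.ODSAgent.plist` stops the daemon for the running session; whether it stays unloaded after a reboot, or is started again while CD/DVD Sharing remains enabled in the Sharing preference pane, isn't something I can confirm from the rule, so the discussion should state what the fix persists.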
diff --git a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml index b1c1f6f61..c9503dfaf 100644 --- a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml +++ b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml @@ -3,9 +3,12 @@ title: "Enforce Critical Security Updates to be Installed" discussion: | Ensure that security updates are installed as soon as they are available from Apple. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'CriticalUpdateInstall = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ + .objectForKey('CriticalUpdateInstall').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -19,20 +22,25 @@ references: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A - cisv8: - - 7.3 - - 7.4 - - 7.7 + cis: + benchmark: + - 1.5 (level 1) + controls v8: + - 7.3 + - 7.4 + - 7.7 macOS: - "12.0" tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml index e90751a15..0d7df0fb9 100644 --- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml +++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml 
@@ -5,9 +5,21 @@ discussion: | The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(allowDiagnosticSubmission = 0|AutoSubmit = 0)' + /usr/bin/osascript -l JavaScript << EOS + function run() { + let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SubmitDiagInfo')\ + .objectForKey('AutoSubmit').js + let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowDiagnosticSubmission').js + if ( pref1 == false && pref2 == false ){ + return("true") + } else { + return("false") + } + } + EOS result: - integer: 2 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -23,14 +35,17 @@ references: - AC-20 - SI-11 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000096-GPOS-00050 + disa_stig: + - APPL-12-002021 800-171r2: - 3.1.20 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.5.5 (level 2) + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -42,7 +57,9 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_filevault_enforce.yaml b/rules/sysprefs/sysprefs_filevault_enforce.yaml index 29bbddd74..cb55a3813 100644 --- a/rules/sysprefs/sysprefs_filevault_enforce.yaml +++ b/rules/sysprefs/sysprefs_filevault_enforce.yaml @@ -24,14 +24,19 @@ references: - SC-28 - SC-28(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000185-GPOS-00079 + - SRG-OS-000404-GPOS-00183 + - SRG-OS-000405-GPOS-00184 + disa_stig: + - APPL-12-005020 800-171r2: - 3.13.16 - cisv8: - - 3.6 - - 3.11 + cis: + benchmark: + - 2.5.5.1 (level 1) + controls v8: + - 3.6 + - 3.11 macOS: - "12.0" tags: 
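Review bot: The multi-key check introduced in `sysprefs_diagnostics_reports_disable.yaml` reads values with `.js` and compares them with `== false`, while the equivalent `function run()` added to `sysprefs_find_my_disable.yaml` later in this commit uses `ObjC.unwrap(...)` for the same purpose; the two appear interchangeable, but one style should be used in both so the rule files stay easy to diff and generate. Both functions return the literal strings `"true"`/`"false"` and only return `"true"` when every key compares equal to the expected value, so an absent key leaves the comparison false and the rule fails closed; a sentence in the discussion noting that both keys must be present for compliance would make that behaviour explicit.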
@@ -41,7 +46,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_find_my_disable.yaml b/rules/sysprefs/sysprefs_find_my_disable.yaml index 2d2d05c21..bdce3e9a7 100644 --- a/rules/sysprefs/sysprefs_find_my_disable.yaml +++ b/rules/sysprefs/sysprefs_find_my_disable.yaml 
@@ -3,13 +3,27 @@ title: "Disable Find My Service" discussion: | The Find My service _MUST_ be disabled. - A Mobile Device Management (MDM) solution _MUST_ be used to carry out remote locking and wiping instead of Apple’s Find My service. + A Mobile Device Management (MDM) solution _MUST_ be used to carry out remote locking and wiping instead of Apple's Find My service. - Apple’s Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe. + Apple's Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(allowFindMyDevice = 0|allowFindMyFriends = 0|DisableFMMiCloudSetting = 1)' + /usr/bin/osascript -l JavaScript << EOS + function run() { + let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowFindMyDevice')) + let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowFindMyFriends')) + let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.icloud.managed')\ + .objectForKey('DisableFMMiCloudSetting')) + if ( pref1 == false && pref2 == false && pref3 == true ) { + return("true") + } else { + return("false") + } + } + EOS result: - integer: 3 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -27,15 +41,18 @@ references: - AC-20 srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: 
diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml index 00c95fb6c..ebc10a9b7 100644 --- a/rules/sysprefs/sysprefs_firewall_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_enable.yaml @@ -5,9 +5,12 @@ discussion: | When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'EnableFirewall = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\ + .objectForKey('EnableFirewall').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -30,9 +33,9 @@ references: - CM-7(1) - SC-7(12) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000480-GPOS-00232 + disa_stig: + - APPL-12-005050 800-171r2: - 3.1.3 - 3.1.5 @@ -41,10 +44,13 @@ references: - 3.13.1 - 3.13.2 - 3.13.5 - cisv8: - - 4.1 - - 4.5 - - 13.1 + cis: + benchmark: + - 2.5.2.2 (level 1) + controls v8: + - 4.1 + - 4.5 + - 13.1 macOS: - "12.0" tags: @@ -56,7 +62,10 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml index a932e0716..f737d74fb 100644 --- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml 
@@ -10,9 +10,12 @@ discussion: | Enabling firewall stealth mode may prevent certain remote mechanisms used for maintenance and compliance scanning from properly functioning. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting not to enable stealth mode. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'EnableStealthMode = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\ + .objectForKey('EnableStealthMode').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -29,18 +32,21 @@ references: - CM-7(1) - SC-7(16) srg: - - N/A + - SRG-OS-000480-GPOS-00232 disa_stig: - - N/A + - APPL-12-005050 800-171r2: - 3.4.6 - 3.13.1 - 3.13.2 - 3.13.5 - cisv8: - - 4.1 - - 4.5 - - 4.8 + cis: + benchmark: + - 2.5.2.3 (level 1) + controls v8: + - 4.1 + - 4.5 + - 4.8 macOS: - "12.0" tags: @@ -52,7 +58,11 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml index 76fddbaa2..1a82d75b6 100644 --- a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml +++ b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml @@ -28,9 +28,9 @@ references: - CM-5 - SI-7(15) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-002060 800-171r2: - 3.4.5 macOS: @@ -43,6 +43,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml index 837510f9a..df59b86b0 100644 
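Review bot: The tags hunk in `sysprefs_firewall_stealth_mode_enable.yaml` adds `- stig` twice, so the list ends up with a duplicate entry; drop one of the two lines. Every other tags hunk in this commit adds `stig` once, so this is presumably a copy-paste slip rather than an intended marker, and a duplicate could double-count the rule in any tag-driven baseline generation.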
--- a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml +++ b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml @@ -5,17 +5,14 @@ discussion: | If users are allowed to disable Gatekeeper or set it to a less restrictive setting, malware could be introduced into the system. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableOverride = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.managed')\ + .objectForKey('DisableOverride').js + EOS result: - integer: 1 + string: "true" fix: | - To implement the prescribed state with a Configuration Profile, create a configuration profile (com.apple.systempolicy.managed) with the following key DisableOverride set to true - [source,xml] - ---- - DisableOverride - - ---- - NOTE - This will apply to the whole system + This is implemented by a Configuration Profile. references: cce: - CCE-91058-8 @@ -29,7 +26,7 @@ references: - SI-7(15) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.4.5 diff --git a/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml index daa3ae37b..59dcf612a 100644 --- a/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml @@ -31,10 +31,13 @@ references: 800-171r2: - 3.5.1 - 3.5.2 - cisv8: - - 5.2 - - 6.2 - - 6.8 + cis: + benchmark: + - 6.1.4 (level 1) + controls v8: + - 5.2 + - 6.2 + - 6.8 macOS: - "12.0" tags: @@ -46,6 +49,8 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_guest_account_disable.yaml b/rules/sysprefs/sysprefs_guest_account_disable.yaml index 4947d17aa..f5a93b6c8 100644 --- a/rules/sysprefs/sysprefs_guest_account_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_account_disable.yaml 
@@ -5,9 +5,12 @@ discussion: | Turning off guest access prevents anonymous users from accessing files. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableGuestAccount = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\ + .objectForKey('DisableGuestAccount').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -22,16 +25,19 @@ references: - AC-2 - AC-2(9) srg: - - N/A + - SRG-OS-000364-GPOS-00151 disa_stig: - - N/A + - APPL-12-002063 800-171r2: - 3.5.1 - 3.5.2 - cisv8: - - 5.2 - - 6.2 - - 6.8 + cis: + benchmark: + - 6.1.3 (level 1) + controls v8: + - 5.2 + - 5.3 + - 6.8 macOS: - "12.0" tags: @@ -43,7 +49,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_hot_corners_disable.yaml b/rules/sysprefs/sysprefs_hot_corners_disable.yaml index 5f223926e..7eb56e4d8 100644 --- a/rules/sysprefs/sysprefs_hot_corners_disable.yaml +++ b/rules/sysprefs/sysprefs_hot_corners_disable.yaml @@ -20,9 +20,9 @@ references: 800-53r4: - AC-11(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000031-GPOS-00012 + disa_stig: + - APPL-12-000007 800-171r2: - 3.1.10 macOS: @@ -34,6 +34,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_hot_corners_secure.yaml b/rules/sysprefs/sysprefs_hot_corners_secure.yaml new file mode 100644 index 000000000..9b5953315 --- /dev/null +++ b/rules/sysprefs/sysprefs_hot_corners_secure.yaml 
@@ -0,0 +1,52 @@ +id: sysprefs_hot_corners_secure +title: "Secure Hot Corners" +discussion: | + Hot corners _MUST_ be secured. + + The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot comers can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer. +check: | + bl_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-bl-corner 2>/dev/null)" + tl_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tl-corner 2>/dev/null)" + tr_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tr-corner 2>/dev/null)" + br_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-br-corner 2>/dev/null)" + + if [[ "$bl_corner" != "6" ]] && [[ "$tl_corner" != "6" ]] && [[ "$tr_corner" != "6" ]] && [[ "$br_corner" != "6" ]]; then + echo "0" + fi +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-bl-corner 2>/dev/null + /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tl-corner 2>/dev/null + /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tr-corner 2>/dev/null + /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-br-corner 2>/dev/null + ---- +references: + cce: + - CCE-91128-9 + cci: + - N/A + 800-53r5: + - AC-11(1) + 800-53r4: + - AC-11(1) + srg: + - N/A + 
disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.3.2 (level 2) + controls v8: + - 4.3 +macOS: + - "12.0" +tags: + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml index 6cc5180c7..286e0952b 100644 --- a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml +++ b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml @@ -5,9 +5,12 @@ discussion: | The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of Siri and Dictation information will mitigate the risk of unwanted data being sent to Apple. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"Siri Data Sharing Opt-In Status" = 2;' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.assistant.support')\ + .objectForKey('Siri Data Sharing Opt-In Status').js + EOS result: - integer: 1 + integer: 2 fix: | This is implemented by a Configuration Profile. references: @@ -28,9 +31,12 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml b/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml new file mode 100644 index 000000000..a5bf902b1 --- /dev/null +++ b/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml 
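Review bot: The fix deletes all four `wvous-*-corner` keys, although the check fails only when a corner is set to `6` and the discussion itself notes that hot corners can be used to initiate a session lock; as written the remediation also removes corners configured to lock the screen or start the screen saver. Deleting only the corner(s) whose current value is `6` remediates exactly what the check measures. The check also inspects only `$CURRENT_USER`'s `com.apple.dock` domain, so other local accounts are not evaluated — if that is intended, say so in the discussion (`NOTE: This rule is evaluated for the currently logged-in user only.`). Whether the Dock must be restarted for the change to take effect is not visible here; worth confirming and noting in the fix.
```yaml
fix: |
  [source,bash]
  ----
  for corner in bl tl tr br; do
    if [[ "$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-${corner}-corner 2>/dev/null)" == "6" ]]; then
      /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-${corner}-corner
    fi
  done
  ----
# … unchanged: id, title, discussion, check, references, tags …
```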
@@ -0,0 +1,44 @@ +id: sysprefs_install_macos_updates_enforce +title: "Enforce macOS Updates are Automatically Installed" +discussion: | + Software Update _MUST_ be configured to enforce automatic installation of macOS updates is enabled. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ + .objectForKey('AutomaticallyInstallMacOSUpdates').js + EOS +result: + string: "true" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91129-7 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 1.6 (level 1) + controls v8: + - 7.3 + - 7.4 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.SoftwareUpdate: + AutomaticallyInstallMacOSUpdates: true diff --git a/rules/os/os_internet_accounts_prefpane_disable.yaml b/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml similarity index 80% rename from rules/os/os_internet_accounts_prefpane_disable.yaml rename to rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml index 09f146c8b..a71efe32f 100644 --- a/rules/os/os_internet_accounts_prefpane_disable.yaml +++ b/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml @@ -1,4 +1,4 @@ -id: os_internet_accounts_prefpane_disable +id: sysprefs_internet_accounts_prefpane_disable title: "Disable the Internet Accounts System Preference Pane" discussion: | The Internet Accounts System Preference pane _MUST_ be disabled to prevent the addition of unauthorized internet accounts. 
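Review bot: The discussion `Software Update _MUST_ be configured to enforce automatic installation of macOS updates is enabled.` is ungrammatical and, unlike the sibling rules in this diff, gives no rationale. Suggest `Software Update _MUST_ be configured to automatically install macOS updates.` followed by one sentence on the risk, e.g. `Automatically installing updates shortens the window in which a known vulnerability remains unpatched on the system.` Whether `AutomaticallyInstallMacOSUpdates` has any effect without the automatic check/download settings covered by the separate `sysprefs_software_update_*` rules later in this diff is not stated here; if they are prerequisites, the discussion should say the rules are meant to be applied together.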
@@ -8,7 +8,7 @@ discussion: | Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' result: integer: 1 fix: | @@ -26,14 +26,18 @@ references: - AC-20 - CM-7(5) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000370-GPOS-00155 + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002032 800-171r2: - 3.1.20 - cisv8: - - 4.8 - - 15.2 + cis: + benchmark: + - N/A + controls v8: + - 4.8 + - 15.2 macOS: - "12.0" tags: @@ -46,6 +50,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml b/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml new file mode 100644 index 000000000..0086cb5cb --- /dev/null +++ b/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml 
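Review bot: The new check passes only when `com.apple.preferences.internetaccounts` appears at least twice in `profiles -P` output, but nothing on the rule explains where a second occurrence comes from. If it counts one hit per payload key, this rule silently passes only when the `HiddenPreferencePanes` payload of the separate `_hide` rule is also installed, and a host carrying just this rule's own payload (presumably `DisabledPreferencePanes`, by analogy with `sysprefs_siri_prefpane_disable`) would report non-compliant. The threshold needs either a justification in the discussion or a check anchored on the payload key rather than a bare identifier count; I can't see how `profiles -P` prints the two arrays from this diff, so verify the count on a host with only one of the two payloads.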
@@ -0,0 +1,44 @@ +id: sysprefs_internet_accounts_prefpane_hide +title: "Hide the Internet Accounts System Preference Pane" +discussion: | + The Internet Accounts System Preference pane _MUST_ be hidden to prevent the addition of unauthorized internet accounts. + + [IMPORTANT] + ==== + Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91130-5 + cci: + - CCI-001774 + - CCI-000381 + 800-53r5: + - CM-7(5) + - AC-20 + 800-53r4: + - AC-20 + - CM-7(5) + srg: + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 + disa_stig: + - APPL-12-002032 + 800-171r2: + - 3.1.20 +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + HiddenPreferencePanes: + - com.apple.preferences.internetaccounts diff --git a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml index 6626b3a6e..d45097d22 100644 --- a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml 
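Review bot: The `[IMPORTANT]` block in this new rule still says ISSOs may decide `not to disable the Internet Accounts System Preference pane`, copied from the disable rule; here it should read `not to hide`. The check is byte-identical to the one in `sysprefs_internet_accounts_prefpane_disable` (same grep, same `>= 2` threshold), so it cannot distinguish a hidden pane from a disabled one and should be anchored on the `HiddenPreferencePanes` key that this rule's `mobileconfig_info` sets. Hiding removes the pane from the UI only; the discussion's claim that this `prevent[s] the addition of unauthorized internet accounts` is probably stronger than a hidden pane delivers if accounts can still be added through other paths (Mail.app's account setup, for instance) — soften it or point to the disable rule.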
@@ -5,9 +5,12 @@ discussion: | The information system _MUST_ be configured to provide only essential capabilities. Disabling Internet sharing helps prevent the unauthorized connection of devices, unauthorized transfer of information, and unauthorized tunneling. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'forceInternetSharingOff = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\ + .objectForKey('forceInternetSharingOff').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -22,15 +25,18 @@ references: - AC-4 - AC-20 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002007 800-171r2: - 3.1.3 - 3.1.20 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.2 (level 1) + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -42,7 +48,10 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_location_services_audit.yaml b/rules/sysprefs/sysprefs_location_services_audit.yaml new file mode 100644 index 000000000..603a6b3fa --- /dev/null +++ b/rules/sysprefs/sysprefs_location_services_audit.yaml 
@@ -0,0 +1,38 @@ +id: sysprefs_location_services_audit +title: "Audit Location Services" +discussion: | + The organization _MUST_ audit which applications have access to location services. +check: | + sudo /usr/libexec/PlistBuddy -c print /var/db/locationd/clients.plist | grep Dict | awk '(NR>1) { print $1 }' +result: + string: "a list containing approved applications." +fix: | + Review the list of applications and remove any unauthorized applications from System Prefrences->Security & Privacy->Privacy->Location Services. +references: + cce: + - CCE-91131-3 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A + cis: + benchmark: + - 2.5.4 (level 2) + controls v8: + - 2.3 + - 4.1 +macOS: + - "12.0" +tags: + - cis_lvl2 + - cisv8 + - cis_manual + - manual +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_location_services_disable.yaml b/rules/sysprefs/sysprefs_location_services_disable.yaml index d51307ebd..8a274ae0f 100644 --- a/rules/sysprefs/sysprefs_location_services_disable.yaml +++ b/rules/sysprefs/sysprefs_location_services_disable.yaml @@ -26,14 +26,11 @@ references: - CM-7 - CM-7(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002004 800-171r2: - 3.4.6 - cisv8: - - 4.1 - - 4.8 macOS: - "12.0" tags: @@ -45,7 +42,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 - - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_location_services_enable.yaml b/rules/sysprefs/sysprefs_location_services_enable.yaml new file mode 100644 index 000000000..f99d89361 --- /dev/null +++ b/rules/sysprefs/sysprefs_location_services_enable.yaml 
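Review bot: The check calls `sudo`, `grep` and `awk` by bare name while every other check in this diff uses absolute paths; a compliance script that runs with root privileges should not resolve tools through `PATH`, and the embedded `sudo` is redundant when the script already runs as root (and will prompt or fail when it does not). Suggest `/usr/libexec/PlistBuddy -c print /var/db/locationd/clients.plist | /usr/bin/grep Dict | /usr/bin/awk '(NR>1) { print $1 }'`. The fix text has a typo, `System Prefrences` → `System Preferences`, and the `(NR>1)` skip is presumably there to drop the top-level dict — a short comment would keep it from being "fixed" later.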
@@ -0,0 +1,41 @@ +id: sysprefs_location_services_enable +title: "Enable Location Services" +discussion: | + Location Services _MUST_ be enabled. +check: | + /usr/bin/defaults read /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.plist LocationServicesEnabled +result: + boolean: 1 +fix: | + [source,bash] + ---- + /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true; /bin/launchctl kickstart -k system/com.apple.locationd + ---- +references: + cce: + - CCE-91132-1 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.5.3 (level 2) + controls v8: + - 4.1 + - 4.8 +macOS: + - "12.0" +tags: + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml b/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml new file mode 100644 index 000000000..338d03840 --- /dev/null +++ b/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml @@ -0,0 +1,40 @@ +id: sysprefs_loginwindow_loginwindowtext_enable +title: "Configure Login Window to Show A Custom Message" +discussion: | + The login window _MUST_ be configured to show a custom access warning message. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ + .objectForKey('LoginwindowText').js + EOS +result: + string: "Approved message goes here" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91133-9 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 6.1.1 (level 1) +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 +mobileconfig: true +mobileconfig_info: + com.apple.loginwindow: + LoginwindowText: "Approved message goes here" 
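Review bot: The fix joins the `defaults write` and the `launchctl kickstart` with `;`, so locationd is restarted even when the write fails (for example when the script is not running as root); `&&` makes the restart conditional on the write succeeding: `/usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true && /bin/launchctl kickstart -k system/com.apple.locationd`. The rule gives no rationale for why Location Services _MUST_ be enabled, in contrast with `sysprefs_location_services_disable` in the same directory, so a one-sentence justification in the discussion would help implementers choose between the two when building a baseline. The check reads `com.apple.locationd.plist` while the fix writes `com.apple.locationd`; `defaults` presumably accepts both, but one spelling in both places avoids the appearance of two different files.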
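Review bot: The check asserts the literal `string: "Approved message goes here"`, and the profile payload installs that same placeholder as the login-window banner; an organization that sets its own message — the point of the rule — fails the check, and one that applies the payload unchanged displays a placeholder rather than an approved warning. The check should verify that `LoginwindowText` is present and non-empty (or compare against an organization-defined value), and the payload value should be marked as a placeholder, e.g. `# Replace with the organization's approved login-window message` above `LoginwindowText:`. The rule also cites CIS benchmark `6.1.1`, the same item `sysprefs_loginwindow_prompt_username_password_enforce` cites on the next line of this diff — presumably one of the two is a copy error.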
diff --git a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml index 04f430ee9..a71e9cd30 100644 --- a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml +++ b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml @@ -3,29 +3,37 @@ title: "Configure Login Window to Prompt for Username and Password" discussion: | The login window _MUST_ be configured to prompt all users for both a username and a password. - By default, the system displays a list of known users on the login window, which can make it easier for a malicious user to gain access to someone else’s account. Requiring users to type in both their username and password mitigates the risk of unauthorized users gaining access to the information system. + By default, the system displays a list of known users on the login window, which can make it easier for a malicious user to gain access to someone else's account. Requiring users to type in both their username and password mitigates the risk of unauthorized users gaining access to the information system. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SHOWFULLNAME = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ + .objectForKey('SHOWFULLNAME').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: cce: - CCE-91065-3 cci: - - N/A + - CCI-000366 800-53r5: - IA-2 800-53r4: - IA-2 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000480-GPOS-00229 + disa_stig: + - APPL-12-005052 800-171r2: - 3.5.1 - 3.5.2 + cis: + benchmark: + - 6.1.1 (level 1) + controls v8: + - 4.1 macOS: - "12.0" tags: @@ -37,6 +45,11 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 + - stig +severity: "low" mobileconfig: true mobileconfig_info: com.apple.loginwindow: 
diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml index 85f1a8773..d5b9d2b30 100644 --- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml +++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml 
@@ -3,15 +3,29 @@ title: "Disable Media Sharing" discussion: | Media sharing _MUST_ be disabled. - When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user’s music collection with other users in the same subnet. + When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet. The information system _MUST_ be configured to provide only essential capabilities. Disabling Media Sharing helps prevent the unauthorized connection of devices and the unauthorized transfer of information. Disabling Media Sharing mitigates this risk. NOTE: The Media Sharing preference panel will still allow "Home Sharing" and "Share media with guests" to be checked but the service will not be enabled. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(homeSharingUIStatus = 0|legacySharingUIStatus = 0|mediaSharingUIStatus = 0)' + /usr/bin/osascript -l JavaScript << EOS + function run() { + let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\ + .objectForKey('homeSharingUIStatus')) + let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\ + .objectForKey('legacySharingUIStatus')) + let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\ + .objectForKey('mediaSharingUIStatus')) + if ( pref1 == 0 && pref2 == 0 && pref3 == 0 ) { + return("true") + } else { + return("false") + } + } + EOS result: - integer: 3 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -31,9 +45,12 @@ references: 800-171r2: - 3.1.1 - 3.1.2 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.12 (level 2) + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: 
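Review bot: The three reads in `run()` repeat the same `initWithSuiteName(...)` allocation and `== 0` comparison, which makes the key list easy to get out of sync with `mobileconfig_info`; building the suite once and folding the keys through `every` keeps the loose `== 0` semantics (an unset key unwraps to a value that is not `== 0`, so it still reports `"false"`) in fewer lines. `run()` is fully contained in the hunk.
```yaml
check: |
  /usr/bin/osascript -l JavaScript << EOS
  function run() {
    const suite = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')
    const keys = ['homeSharingUIStatus', 'legacySharingUIStatus', 'mediaSharingUIStatus']
    return keys.every(k => ObjC.unwrap(suite.objectForKey(k)) == 0) ? "true" : "false"
  }
  EOS
# … unchanged: result, fix, references …
```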
@@ -44,6 +61,7 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_password_hints_disable.yaml b/rules/sysprefs/sysprefs_password_hints_disable.yaml index 14c430814..e4aa0926e 100644 --- a/rules/sysprefs/sysprefs_password_hints_disable.yaml +++ b/rules/sysprefs/sysprefs_password_hints_disable.yaml @@ -5,9 +5,12 @@ discussion: | Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'RetriesUntilHint = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ + .objectForKey('RetriesUntilHint').js + EOS result: - integer: 1 + integer: 0 fix: | This is implemented by a Configuration Profile. references: @@ -20,11 +23,16 @@ references: 800-53r4: - IA-6 srg: - - N/A + - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A + - APPL-12-003012 800-171r2: - 3.5.11 + cis: + benchmark: + - 6.1.2 (level 1) + controls v8: + - 4.1 macOS: - "12.0" tags: @@ -36,6 +44,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml index 196c17afc..84d7f1d36 100644 --- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml +++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml 
@@ -3,11 +3,14 @@ title: "Disable Personalized Advertising" discussion: | Ad tracking and targeted ads _MUST_ be disabled. - The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users’ interests and deliver targeted advertisements. + The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowApplePersonalizedAdvertising = 0;' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.AdLib')\ + .objectForKey('allowApplePersonalizedAdvertising').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -26,14 +29,17 @@ references: - CM-7(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.5.6 (level 1) + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -45,6 +51,8 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_power_nap_disable.yaml b/rules/sysprefs/sysprefs_power_nap_disable.yaml index 3907329c6..6018ed095 100644 --- a/rules/sysprefs/sysprefs_power_nap_disable.yaml +++ b/rules/sysprefs/sysprefs_power_nap_disable.yaml @@ -39,9 +39,12 @@ references: - N/A 800-171r2: - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.9 (level 1) + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -53,6 +56,8 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/sysprefs/sysprefs_printer_sharing_disable.yaml b/rules/sysprefs/sysprefs_printer_sharing_disable.yaml new file mode 100644 index 000000000..9e10c0942 --- /dev/null +++ b/rules/sysprefs/sysprefs_printer_sharing_disable.yaml @@ -0,0 +1,52 @@ +id: sysprefs_printer_sharing_disable +title: "Disable Printer Sharing" +discussion: | + Printer Sharing _MUST_ be disabled. +check: | + /usr/sbin/cupsctl | /usr/bin/grep -c "_share_printers=0" +result: + boolean: 1 +fix: | + [source,bash] + ---- + /usr/sbin/cupsctl --no-share-printers + /usr/bin/lpstat -p | awk '{print $2}'| /usr/bin/xargs -I{} lpadmin -p {} -o printer-is-shared=false + ---- +references: + cce: + - CCE-91134-7 + cci: + - N/A + 800-53r5: + - CM-7 + - CM-7(1) + 800-53r4: + - CM-7 + - CM-7(1) + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.4.4 (level 1) + controls v8: + - 4.1 + - 4.8 +macOS: + - "12.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: + diff --git a/rules/sysprefs/sysprefs_rae_disable.yaml b/rules/sysprefs/sysprefs_rae_disable.yaml index 29fa870f4..038780509 100644 --- a/rules/sysprefs/sysprefs_rae_disable.yaml +++ b/rules/sysprefs/sysprefs_rae_disable.yaml @@ -26,15 +26,18 @@ references: 800-53r4: - AC-3 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000096-GPOS-00050 + disa_stig: + - APPL-12-002022 800-171r2: - 3.1.1 - 3.1.2 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.1 (level 1) + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -46,7 +49,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_remote_management_disable.yaml b/rules/sysprefs/sysprefs_remote_management_disable.yaml new file mode 100644 index 000000000..c99c9448a 
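Review bot: The fix calls `awk` and `lpadmin` by bare name while the check and every other rule here use absolute paths; remediation that runs as root should not resolve tools through `PATH`. Suggested line: `/usr/bin/lpstat -p | /usr/bin/awk '{print $2}' | /usr/bin/xargs -I{} /usr/sbin/lpadmin -p {} -o printer-is-shared=false`. The result is declared `boolean: 1` although `grep -c` prints a count and the other `grep -c` checks in this diff declare `integer: 1` — pick one convention so the comparison behaves the same across rules.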
--- /dev/null +++ b/rules/sysprefs/sysprefs_remote_management_disable.yaml @@ -0,0 +1,51 @@ +id: sysprefs_remote_management_disable +title: "Disable Remote Management" +discussion: | + Remote Management _MUST_ be disabled. +check: | + /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "RemoteDesktopEnabled = 0" +result: + integer: 1 +fix: | + [source,bash] + ---- + /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop + ---- +references: + cce: + - CCE-91135-4 + cci: + - N/A + 800-53r5: + - CM-7 + - CM-7(1) + 800-53r4: + - CM-7 + - CM-7(1) + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.4.3 (level 1) + controls v8: + - 4.1 + - 4.8 +macOS: + - "12.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml index 6bf39667f..5fbe0776d 100644 --- a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml @@ -26,15 +26,18 @@ references: - AC-3 - AC-17 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-002050 800-171r2: - 3.1.1 - 3.1.2 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.3 (level 1) + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -46,7 +49,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml index a5735af5d..45a83fe57 100644 
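Review bot: This rule and `sysprefs_screen_sharing_disable` (later on this same line of the diff) both cite CIS benchmark `2.4.3 (level 1)`; Remote Management and Screen Sharing are separate benchmark items, so presumably one of the two numbers is a copy error — confirm against the Monterey benchmark. The check depends on `mdmclient QuerySecurityInfo` printing `RemoteDesktopEnabled = 0`, which is not documented output; a note in the discussion such as `NOTE: The check parses undocumented mdmclient output and should be re-verified on each macOS release.` would warn future maintainers.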
--- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml @@ -5,9 +5,12 @@ discussion: | An unattended system with an excessive grace period is vulnerable to a malicious user. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'askForPasswordDelay = 5' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\ + .objectForKey('askForPasswordDelay').js + EOS result: - integer: 1 + integer: 5 fix: | This is implemented by a Configuration Profile. references: @@ -20,11 +23,16 @@ references: 800-53r4: - AC-11 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000028-GPOS-00009 + disa_stig: + - APPL-12-000003 800-171r2: - 3.1.10 + cis: + benchmark: + - 5.8 (level 1) + controls v8: + - 4.7 macOS: - "12.0" tags: @@ -34,6 +42,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml index 00d502f27..5188d2eb0 100644 --- a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml 
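Review bot: The new check echoes the raw `askForPasswordDelay` value and the rule expects exactly `integer: 5`, so a stricter setting (a delay of 0, i.e. immediate) is reported as non-compliant even though the discussion treats a long grace period as the risk; if the requirement is "5 seconds or less", the comparison belongs in the check. A small JXA function in the style of the media-sharing rule returns `"true"` for any numeric value `<= 5` and `"false"` when the key is unset. Whether `APPL-12-000003` (referenced in the next hunk) mandates exactly 5 or at most 5 is not visible here — confirm before changing the semantics.
```yaml
check: |
  /usr/bin/osascript -l JavaScript << EOS
  function run() {
    let delay = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
    .objectForKey('askForPasswordDelay'))
    return (typeof delay === 'number' && delay <= 5) ? "true" : "false"
  }
  EOS
result:
  string: "true"
# … unchanged: fix, references …
```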
@@ -3,11 +3,14 @@ title: "Enforce Screen Saver Password" discussion: | Users _MUST_ authenticate when unlocking the screen saver. - The screen saver acts as a session lock and prevents unauthorized users from accessing the current user’s account. + The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'askForPassword = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\ + .objectForKey('askForPassword').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -20,9 +23,9 @@ references: 800-53r4: - AC-11 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000028-GPOS-00009 + disa_stig: + - APPL-12-000002 800-171r2: - 3.1.10 macOS: @@ -34,6 +37,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml index c655a07ac..a7186c0e5 100644 --- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml 
@@ -1,13 +1,16 @@ id: sysprefs_screensaver_timeout_enforce title: "Enforce Screen Saver Timeout" discussion: | - The screen saver timeout _MUST_ be set to 15 minutes or a shorter length of time. + The screen saver timeout _MUST_ be set to 20 minutes or a shorter length of time. - This rule ensures that a full session lock is triggered within no more than 15 minutes of inactivity. + This rule ensures that a full session lock is triggered within no more than 20 minutes of inactivity. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/egrep -o -e "idleTime\s=\s([^;]+)" | /usr/bin/awk '{ if ($3 <= 900) {print "Yes"} else {print "No"}}' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\ + .objectForKey('idleTime').js + EOS result: - string: "Yes" + integer: 1200 fix: | This is implemented by a Configuration Profile. references: @@ -21,13 +24,16 @@ references: 800-53r4: - AC-11 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000029-GPOS-00010 + disa_stig: + - APPL-12-000004 800-171r2: - 3.1.10 - cisv8: - - 4.3 + cis: + benchmark: + - 2.3.1 (level 1) + controls v8: + - 4.3 macOS: - "12.0" tags: @@ -38,9 +44,12 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: com.apple.screensaver: - idleTime: 900 + idleTime: 1200 diff --git a/rules/sysprefs/sysprefs_siri_disable.yaml b/rules/sysprefs/sysprefs_siri_disable.yaml index 444312ac7..c94dd986f 100644 --- a/rules/sysprefs/sysprefs_siri_disable.yaml +++ b/rules/sysprefs/sysprefs_siri_disable.yaml 
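Review bot: The rewritten check requires `idleTime` to be exactly `1200`, while the discussion beside it says "20 minutes or a shorter length of time" and the check it replaces accepted any value `<= 900`; a host still configured for the previous 15-minute value, or any stricter one, is now reported non-compliant. The comparison should move into the check, returning `"true"` when `0 < idleTime <= 1200`; the lower bound is there because an `idleTime` of `0` presumably means the screen saver never starts — the old `<= 900` test had that hole too, so confirm the semantics of 0. The payload value `idleTime: 1200` in the later hunk is the enforced value and can stay as is.
```yaml
check: |
  /usr/bin/osascript -l JavaScript << EOS
  function run() {
    let idle = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
    .objectForKey('idleTime'))
    return (typeof idle === 'number' && idle > 0 && idle <= 1200) ? "true" : "false"
  }
  EOS
result:
  string: "true"
# … unchanged: fix, references …
```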
@@ -5,9 +5,12 @@ discussion: | The information system _MUST_ be configured to provide only essential capabilities. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"Ironwood Allowed" = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.ironwood.support')\ + .objectForKey('Ironwood Allowed').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -26,15 +29,19 @@ references: - CM-7(1) - AC-20 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 + disa_stig: + - APPL-12-002020 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -47,6 +54,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml new file mode 100644 index 000000000..8a53aac41 --- /dev/null +++ b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml 
@@ -0,0 +1,40 @@ +id: sysprefs_siri_prefpane_disable +title: "Disable the System Preference Pane for Siri" +discussion: | + The system preference pane for Siri _MUST_ be disabled. + + Disabling the system preference pane prevents the users from configuring Siri. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91136-2 + cci: + - CCI-001774 + - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(5) + 800-53r4: + - CM-7 + - CM-7(5) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002053 + 800-171r2: + - N/A +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + DisabledPreferencePanes: + - com.apple.preferences.speech diff --git a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml new file mode 100644 index 000000000..791929ff3 --- /dev/null +++ b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml 
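Review bot: The check is identical to the one in `sysprefs_siri_prefpane_hide` on the next line of this diff — the same `grep -c 'com.apple.preferences.speech'` with the same `>= 2` threshold — although the two rules install different payload keys (`DisabledPreferencePanes` here, `HiddenPreferencePanes` there), so neither check can tell which control is actually in place. If the `2` counts one occurrence per key, each rule passes only when the other rule's payload is also installed; if it counts something else, the threshold needs a comment explaining it. Anchoring each check on its own payload key in the `profiles -P` output would make the rules independent — I can't confirm the exact `profiles -P` layout from this diff, so verify on a host with only one payload.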
@@ -0,0 +1,40 @@ +id: sysprefs_siri_prefpane_hide +title: "Hide the System Preference Pane for Siri" +discussion: | + The system preference pane for Siri _MUST_ be hidden. + + HIding the system preference pane prevents the users from configuring Siri. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91137-0 + cci: + - CCI-001774 + - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(5) + 800-53r4: + - CM-7 + - CM-7(5) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002053 + 800-171r2: + - N/A +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + HiddenPreferencePanes: + - com.apple.preferences.speech diff --git a/rules/sysprefs/sysprefs_smbd_disable.yaml b/rules/sysprefs/sysprefs_smbd_disable.yaml index 5608aef93..acc271b56 100644 --- a/rules/sysprefs/sysprefs_smbd_disable.yaml +++ b/rules/sysprefs/sysprefs_smbd_disable.yaml @@ -25,15 +25,18 @@ references: 800-53r4: - AC-3 srg: - - N/A + - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-12-002001 800-171r2: - 3.1.1 - 3.1.2 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.8 (level 1) + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -45,7 +48,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml b/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml new file mode 100644 index 000000000..88c4b3d1e --- /dev/null +++ b/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml 
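Review bot: sysprefs_siri_prefpane_hide uses `$1 >= 2` while sysprefs_touchid_prefpane_hide and sysprefs_wallet_applepay_prefpane_hide on later hunks use `$1 >= 1`, so the Siri hide rule fails on a host that only hides the pane even though its discussion requires nothing more than hiding. The threshold should match the other hide rules: `... | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}'`. The discussion also has `HIding` for `Hiding`.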
@@ -0,0 +1,44 @@ +id: sysprefs_software_update_app_update_enforce +title: "Enforce Software Update App Update Updates Automatically" +discussion: | + Software Update _MUST_ be configured to enforce automatic updates of App Updates is enabled. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ + .objectForKey('AutomaticallyInstallAppUpdates').js + EOS +result: + string: "true" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91138-8 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 1.4 (level 1) + controls v8: + - 7.3 + - 7.4 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.SoftwareUpdate: + AutomaticallyInstallAppUpdates: true diff --git a/rules/sysprefs/sysprefs_software_update_download_enforce.yaml b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml new file mode 100644 index 000000000..a550000cd --- /dev/null +++ b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml 
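Review bot: sysprefs_software_update_app_update_enforce has no `severity` key, while the edited rules on this page and sysprefs_softwareupdate_current all carry `severity: "medium"`; the same omission is in the download_enforce and software_update_enforce hunks that follow, and in the Time Machine, wake-for-network-access and Wi-Fi menu rules added later. Whether this breaks generation depends on code outside this diff: if the generator reads `rule_yaml['severity']` unconditionally it raises KeyError on these rules, otherwise the guide entries render with no severity. Adding `severity: "medium"` (or whatever the CIS mapping warrants) keeps the rule schema uniform. The discussion wording `enforce automatic updates of App Updates is enabled` would read better as `be configured to automatically install app updates`.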
@@ -0,0 +1,44 @@ +id: sysprefs_software_update_download_enforce +title: "Enforce Software Update Downloads Updates Automatically" +discussion: | + Software Update _MUST_ be configured to enforce automatic downloads of updates is enabled. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ + .objectForKey('AutomaticDownload').js + EOS +result: + string: "true" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91139-6 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 1.3 (level 1) + controls v8: + - 7.3 + - 7.4 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.SoftwareUpdate: + AutomaticDownload: true diff --git a/rules/sysprefs/sysprefs_software_update_enforce.yaml b/rules/sysprefs/sysprefs_software_update_enforce.yaml new file mode 100644 index 000000000..21544a90b --- /dev/null +++ b/rules/sysprefs/sysprefs_software_update_enforce.yaml @@ -0,0 +1,44 @@ +id: sysprefs_software_update_enforce +title: "Enforce Software Update Automatically" +discussion: | + Software Update _MUST_ be configured to enforce automatic update is enabled. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ + .objectForKey('AutomaticCheckEnabled').js + EOS +result: + string: "true" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91140-4 + cci: + - N/A + 800-53r5: + - SI-2(5) + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 1.2 (level 1) + controls v8: + - 7.3 + - 7.4 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.SoftwareUpdate: + AutomaticCheckEnabled: true 
diff --git a/rules/sysprefs/sysprefs_softwareupdate_current.yaml b/rules/sysprefs/sysprefs_softwareupdate_current.yaml new file mode 100644 index 000000000..26803e52f --- /dev/null +++ b/rules/sysprefs/sysprefs_softwareupdate_current.yaml @@ -0,0 +1,52 @@ +id: sysprefs_softwareupdate_current +title: "Ensure Software Update is Updated and Current" +discussion: | + Make sure Software Update is updated and current. + + NOTE: Automatic fix can cause unplanned restarts and may lose work. +check: | + softwareupdate_date_epoch=$(/bin/date -j -f "%Y-%m-%d" "$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist LastFullSuccessfulDate | /usr/bin/awk '{print $1}')" "+%s") + thirty_days_epoch=$(/bin/date -v -30d "+%s") + if [[ $softwareupdate_date_epoch -lt $thirty_days_epoch ]]; then + /bin/echo "0" + else + /bin/echo "1" + fi +result: + integer: 1 +fix: | + [source,bash] + ---- + /usr/sbin/softwareupdate -i -a -R + ---- + NOTE - This will apply to the whole system +references: + cce: + - CCE-91141-2 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 1.1 (level 1) + controls v8: + - 7.3 + - 7.4 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_ssh_disable.yaml b/rules/sysprefs/sysprefs_ssh_disable.yaml index 1cc04e9de..6fd2916bc 100644 --- a/rules/sysprefs/sysprefs_ssh_disable.yaml +++ b/rules/sysprefs/sysprefs_ssh_disable.yaml 
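Review bot: In the sysprefs_softwareupdate_current check, a system whose `com.apple.SoftwareUpdate.plist` has no `LastFullSuccessfulDate` (never completed a successful check) makes `defaults read` fail and hands `date -j -f` an empty string; to my reading the empty `$softwareupdate_date_epoch` then compares as 0 in the generated zsh and the rule reports 0, which is the safe direction, but both commands print errors into the audit run. Redirecting them keeps the log clean: `... LastFullSuccessfulDate 2>/dev/null | ...` and `... "+%s" 2>/dev/null)`. The fix runs `softwareupdate -i -a -R`, whose `-R` flag restarts the host when an update needs it; the discussion's NOTE covers this, but the `fix` block itself should repeat it next to the command, e.g. `NOTE - -R restarts the system automatically if an installed update requires it`.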
@@ -27,20 +27,36 @@ references: - CM-7 - CM-7(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000250-GPOS-00093 + - SRG-OS-000033-GPOS-00014 + - SRG-OS-000319-GPOS-00164 + - SRG-OS-000393-GPOS-00173 + - SRG-OS-000394-GPOS-00174 + - SRG-OS-000112-GPOS-00057 + - SRG-OS-000113-GPOS-00058 + - SRG-OS-000423-GPOS-00187 + - SRG-OS-000424-GPOS-00188 + - SRG-OS-000425-GPOS-00189 + - SRG-OS-000426-GPOS-00190 + disa_stig: + - APPL-12-000011 800-171r2: - 3.1.1 - 3.1.2 - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.5 (level 1) + controls v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_ssh_enable.yaml b/rules/sysprefs/sysprefs_ssh_enable.yaml index 7db5212ba..d3eeaf287 100644 --- a/rules/sysprefs/sysprefs_ssh_enable.yaml +++ b/rules/sysprefs/sysprefs_ssh_enable.yaml @@ -30,7 +30,7 @@ references: - IA-2(9) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.1.1 diff --git a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml index 52f64c2f7..e1139b8cd 100644 --- a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml +++ b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml @@ -27,12 +27,15 @@ references: - AC-6(1) - AC-6(2) disa_stig: - - N/A - srg: - - N/A + - APPL-12-002069 800-171r2: - 3.1.5 - 3.1.6 + cis: + benchmark: + - 5.10 (level 1) + controls v8: + - 4.1 macOS: - "12.0" tags: @@ -42,6 +45,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml b/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml new file mode 100644 index 000000000..980179651 --- /dev/null 
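Review bot: The sysprefs_system_wide_preferences_configure hunk removes the `srg:` key altogether rather than replacing its `N/A`, so this rule's references no longer have an `srg` entry at all, unlike every other rule file in this diff. create_rules in scripts/generate_guidance.py (later on this page) indexes `rule_yaml['references']['srg']` directly; if the reference-key list at the top of that function does not backfill missing keys, the generator raises KeyError on this rule. Restoring the key keeps the schema uniform: `srg:` followed by `- N/A` under `references:`.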
+++ b/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml @@ -0,0 +1,42 @@ +id: sysprefs_time_machine_auto_backup_enable +title: "Configure Time Machine for Automatic Backups" +discussion: | + Automatic backups _MUST_ be enabled when using Time Machine. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.TimeMachine')\ + .objectForKey('AutoBackup').js + EOS +result: + string: "true" +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91142-0 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.7.1 (level 2) + controls v8: + - 11.2 +macOS: + - "12.0" +tags: + - cis_lvl2 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.TimeMachine: + AutoBackup: true \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml b/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml new file mode 100644 index 000000000..f0029d8d1 --- /dev/null +++ b/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml 
@@ -0,0 +1,51 @@ +id: sysprefs_time_machine_encrypted_configure +title: "Ensure Time Machine Volumes are Encrypted" +discussion: | + Time Machine volumes _MUST_ be encrypted. +check: | + error_count=0 + for tm in $(/usr/bin/tmutil destinationinfo 2>/dev/null| /usr/bin/awk -F': ' '/Name/{print $2}'); do + tmMounted=$(/usr/sbin/diskutil info "${tm}" 2>/dev/null | /usr/bin/awk '/Mounted/{print $2}') + tmEncrypted=$(/usr/sbin/diskutil info "${tm}" 2>/dev/null | /usr/bin/awk '/FileVault/{print $2}') + if [[ "$tmMounted" = "Yes" && "$tmEncrypted" = "No" ]]; then + ((error_count++)) + fi + done + echo "$error_count" +result: + integer: 0 +fix: | + . Go to System Preferences -> Time Machine + . Click *Select Disk* + . Select existing Backup Disk under *Available Disks* + . Click *Encrypt Backups* + . Click *Use Disk* +references: + cce: + - CCE-91143-8 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.7.2 (level 2) + controls v8: + - 3.6 + - 3.11 + - 11.2 +macOS: + - "12.0" +tags: + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_time_server_configure.yaml b/rules/sysprefs/sysprefs_time_server_configure.yaml index 4a587580b..2eda90925 100644 --- a/rules/sysprefs/sysprefs_time_server_configure.yaml +++ b/rules/sysprefs/sysprefs_time_server_configure.yaml @@ -5,7 +5,10 @@ discussion: | This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/awk -F "= " '/timeServer/{print $2}' | /usr/bin/tr -d ';' | /usr/bin/tr -d '"' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\ + .objectForKey('timeServer').js + EOS result: string: "time-a.nist.gov,time-b.nist.gov" fix: | 
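Review bot: The `for tm in $(...)` loop in the sysprefs_time_machine_encrypted_configure check word-splits destination names, so a destination named e.g. `Backup Disk` (constructed example) becomes two tokens, both `diskutil info` calls fail silently under `2>/dev/null`, neither variable is `Yes`/`No`, and an unencrypted backup volume is counted as compliant — the check fails open precisely when names contain spaces, which is common for Time Machine volumes. Reading the names line by line keeps each name intact; the diskutil lookups and the counter are unchanged.
```shell
error_count=0
while IFS= read -r tm; do
  [[ -z "$tm" ]] && continue
  # … unchanged: diskutil Mounted/FileVault lookups and the error_count increment …
done < <(/usr/bin/tmutil destinationinfo 2>/dev/null | /usr/bin/awk -F': ' '/Name/{print $2}')
echo "$error_count"
```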
@@ -22,13 +25,17 @@ references: 800-53r4: - AU-8(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000355-GPOS-00143 + - SRG-OS-000356-GPOS-00144 + disa_stig: + - APPL-12-000014 800-171r2: - 3.3.7 - cisv8: - - 8.4 + cis: + benchmark: + - 2.2.1 (level 1) + controls v8: + - 8.4 macOS: - "12.0" tags: @@ -39,7 +46,10 @@ tags: - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_time_server_enforce.yaml b/rules/sysprefs/sysprefs_time_server_enforce.yaml index acd264193..bcf33c4f7 100644 --- a/rules/sysprefs/sysprefs_time_server_enforce.yaml +++ b/rules/sysprefs/sysprefs_time_server_enforce.yaml @@ -5,9 +5,12 @@ discussion: | This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'TMAutomaticTimeOnlyEnabled = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.timed')\ + .objectForKey('TMAutomaticTimeOnlyEnabled').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: @@ -22,13 +25,17 @@ references: 800-53r4: - AU-8(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000355-GPOS-00143 + - SRG-OS-000356-GPOS-00144 + disa_stig: + - APPL-12-000014 800-171r2: - 3.3.7 - cisv8: - - 8.4 + cis: + benchmark: + - 2.2.1 (level 1) + controls v8: + - 8.4 macOS: - "12.0" tags: @@ -39,7 +46,10 @@ tags: - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cis_lvl1 + - cis_lvl2 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_token_removal_enforce.yaml b/rules/sysprefs/sysprefs_token_removal_enforce.yaml index f78e670d7..8691dcde2 100644 --- a/rules/sysprefs/sysprefs_token_removal_enforce.yaml +++ b/rules/sysprefs/sysprefs_token_removal_enforce.yaml 
@@ -10,7 +10,10 @@ discussion: | Information System Security Officers (ISSOs) may make the risk-based decision not to enforce a session lock when a smart token is removed, so as to maintain necessary workflow capabilities, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'tokenRemovalAction = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ + .objectForKey('tokenRemovalAction').js + EOS result: integer: 1 fix: @@ -25,9 +28,9 @@ references: 800-53r4: - AC-11 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000030-GPOS-00011 + disa_stig: + - APPL-12-000005 800-171r2: - 3.1.10 macOS: @@ -39,6 +42,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml b/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml new file mode 100644 index 000000000..f3e002c99 --- /dev/null +++ b/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml 
@@ -0,0 +1,40 @@ +id: sysprefs_touchid_prefpane_disable +title: "Disable the System Preference Pane for Touch ID" +discussion: | + The system preference pane for Touch ID _MUST_ be disabled. + + Disabling the system preference pane prevents the users from configuring Touch ID. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.password' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91144-6 + cci: + - CCI-001774 + - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(5) + 800-53r4: + - CM-7 + - CM-7(5) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002051 + 800-171r2: + - N/A +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + DisabledPreferencePanes: + - com.apple.preferences.password diff --git a/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml b/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml new file mode 100644 index 000000000..88d574ca4 --- /dev/null +++ b/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml 
@@ -0,0 +1,40 @@ +id: sysprefs_touchid_prefpane_hide +title: "Hide the System Preference Pane for Touch ID" +discussion: | + The system preference pane for Touch ID _MUST_ be hidden. + + Hiding the system preference pane prevents the users from configuring Touch ID. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.password' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91145-3 + cci: + - CCI-001774 + - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(5) + 800-53r4: + - CM-7 + - CM-7(5) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002051 + 800-171r2: + - N/A +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + HiddenPreferencePanes: + - com.apple.preferences.password diff --git a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml index 92fe3858c..adffe7db5 100644 --- a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml +++ b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml 
@@ -1,15 +1,18 @@ id: sysprefs_touchid_unlock_disable title: "Disable TouchID for Unlocking the Device" discussion: | - TouchID enables the ability to unlock a Mac system with a user’s fingerprint. + TouchID enables the ability to unlock a Mac system with a user's fingerprint. TouchID _MUST_ be disabled for "Unlocking your Mac" on all macOS devices that are capable of using Touch ID. The system _MUST_ remain locked until the user establishes access using an authorized identification and authentication method. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowFingerprintForUnlock = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowFingerprintForUnlock').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: @@ -23,7 +26,7 @@ references: - AC-11 srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.1.10 diff --git a/rules/sysprefs/sysprefs_wake_network_access_disable.yaml b/rules/sysprefs/sysprefs_wake_network_access_disable.yaml new file mode 100644 index 000000000..9155cce77 --- /dev/null +++ b/rules/sysprefs/sysprefs_wake_network_access_disable.yaml @@ -0,0 +1,41 @@ +id: sysprefs_wake_network_access_disable +title: "Ensure Wake for Network Access Is Disabled" +discussion: | + Wake for network access _MUST_ be disabled. +check: | + /usr/bin/pmset -g custom | /usr/bin/awk '/womp/{print $2}' +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/bin/pmset -a womp 0 + ---- +references: + cce: + - CCE-91146-1 + 800-53r5: + - N/A + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A + cci: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.8 (level 1) + controls v8: + - 4.8 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file 
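Review bot: The sysprefs_wake_network_access_disable check prints one `womp` value per power-source section of `pmset -g custom`; on a portable, where to my knowledge that output has both a Battery Power and an AC Power section, the result is two lines and never equals the expected `0`, so the rule fails even when the setting is disabled everywhere. Summing the values yields a single number that is 0 only when every section has it disabled: `/usr/bin/pmset -g custom | /usr/bin/awk '/womp/{sum+=$2} END{print sum}'`. The `integer: 0` expectation and the `pmset -a womp 0` fix stay as they are.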
diff --git a/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml new file mode 100644 index 000000000..eea464b9f --- /dev/null +++ b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml @@ -0,0 +1,40 @@ +id: sysprefs_wallet_applepay_prefpane_disable +title: "Disable the System Preference Pane for Wallet and Apple Pay" +discussion: | + The system preference pane for Wallet and Apple Pay _MUST_ be disabled. + + Disabling the system preference pane prevents the users from configuring Wallet and Apple Pay. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.wallet' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91147-9 + cci: + - CCI-001774 + - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(5) + 800-53r4: + - CM-7 + - CM-7(5) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002052 + 800-171r2: + - N/A +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + DisabledPreferencePanes: + - com.apple.preferences.wallet diff --git a/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml new file mode 100644 index 000000000..bf5872a28 --- /dev/null +++ b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml 
@@ -0,0 +1,40 @@ +id: sysprefs_wallet_applepay_prefpane_hide +title: "Hide the System Preference Pane for Wallet and Apple Pay" +discussion: | + The system preference pane for Wallet and Apple Pay _MUST_ be hidden. + + Hiding the system preference pane prevents the users from configuring Wallet and Apple Pay. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.wallet' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91148-7 + cci: + - CCI-001774 + - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(5) + 800-53r4: + - CM-7 + - CM-7(5) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002052 + 800-171r2: + - N/A +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + HiddenPreferencePanes: + - com.apple.preferences.wallet diff --git a/rules/sysprefs/sysprefs_wifi_disable.yaml b/rules/sysprefs/sysprefs_wifi_disable.yaml index d15d31ecb..63a2daca6 100644 --- a/rules/sysprefs/sysprefs_wifi_disable.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable.yaml @@ -30,15 +30,18 @@ references: - AC-4 - AC-18(1) - AC-18(3) - disa_stig: + disa_stig: - N/A srg: - N/A 800-171r2: - N/A - cisv8: - - 4.2 - - 12.6 + cis: + benchmark: + - N/A + controls v8: + - 4.2 + - 12.6 macOS: - "12.0" tags: diff --git a/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml b/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml index 6c257edc1..fb834a1c5 100644 --- a/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml @@ -23,7 +23,7 @@ references: - AC-4 - AC-18(1) - AC-18(3) - disa_stig: + disa_stig: - N/A srg: - N/A 
diff --git a/rules/sysprefs/sysprefs_wifi_menu_enable.yaml b/rules/sysprefs/sysprefs_wifi_menu_enable.yaml new file mode 100644 index 000000000..2d4164ee2 --- /dev/null +++ b/rules/sysprefs/sysprefs_wifi_menu_enable.yaml @@ -0,0 +1,44 @@ +id: sysprefs_wifi_menu_enable +title: "Enable Wifi Menu" +discussion: | + The WiFi menu _MUST_ be enabled. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\ + .objectForKey('WiFi').js + EOS +result: + integer: 18 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91149-5 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 4.2 (level 1) + controls v8: + - 4.8 + - 12.6 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.controlcenter: + WiFi: 18 \ No newline at end of file diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 9c22b151c..6928976f4 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -23,7 +23,7 @@ class MacSecurityRule(): - def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, cisv8, custom_refs, tags, result_value, mobileconfig, mobileconfig_info, customized): + def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, cis, custom_refs, tags, result_value, mobileconfig, mobileconfig_info, customized): self.rule_title = title self.rule_id = rule_id self.rule_severity = severity 
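Review bot: `result: integer: 18` and `WiFi: 18` in sysprefs_wifi_menu_enable are unexplained magic numbers; the next maintainer will read the key as a boolean and "fix" it to 1/true. The discussion should record what the value encodes, e.g. `NOTE: The com.apple.controlcenter WiFi key is a menu-visibility code rather than a boolean; 18 is the value that shows the item in the menu bar.`. The generate_guidance.py hunk on the same line only renames the `cisv8` constructor parameter to `cis` and is fine.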
@@ -36,7 +36,7 @@ def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, n self.rule_800171 = nist_171 self.rule_disa_stig = disa_stig self.rule_srg = srg - self.rule_cisv8 = cisv8 + self.rule_cis = cis self.rule_custom_refs = custom_refs self.rule_result_value = result_value self.rule_tags = tags @@ -57,7 +57,7 @@ def create_asciidoc(self, adoc_rule_template): rule_cci=self.rule_cci, rule_80053r5=self.rule_80053r5, rule_disa_stig=self.rule_disa_stig, - rule_cisv8=self.rule_cisv8, + rule_cis=self.rule_cis, rule_srg=self.rule_srg, rule_result=self.rule_result_value ) @@ -388,6 +388,7 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign # setup lists and dictionaries profile_errors = [] profile_types = {} + mount_controls = {} for sections in baseline_yaml['profile']: for profile_rule in sections['rules']: @@ -431,7 +432,13 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign valid = False if valid: - if payload_type == "com.apple.ManagedClient.preferences": + if payload_type == "com.apple.systemuiserver": + for setting_key, setting_value in info['mount-controls'].items(): + mount_controls[setting_key] = setting_value + payload_settings = {"mount-controls": mount_controls} + profile_types.setdefault( + payload_type, []).append(payload_settings) + elif payload_type == "com.apple.ManagedClient.preferences": for payload_domain, settings in info.items(): for key, value in settings.items(): payload_settings = ( @@ -581,7 +588,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): # get the currently logged in user CURRENT_USER=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {{ print $3 }}') -CURR_USER_UID=$(/usr/bin/id -u $CURR_USER) +CURR_USER_UID=$(/usr/bin/id -u $CURRENT_USER) # get system architecture arch=$(/usr/bin/arch) 
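Review bot: In the com.apple.systemuiserver branch added to generate_profiles, `mount_controls` is one dict shared across every rule that reaches the branch, and a new `payload_settings` wrapper around that same dict is appended to `profile_types[payload_type]` on every hit, so the list ends up with N entries that all point at the same fully merged mapping; depending on how the payload writer outside this hunk consumes the list, that either duplicates the payload or silently relies on last-write-wins. Merging into the dict and registering the wrapper once states the intent directly: `profile_types.setdefault(payload_type, [{"mount-controls": mount_controls}])` after the merge loop. `info['mount-controls']` also raises KeyError for a systemuiserver rule that sets any other key, so `info.get('mount-controls', {}).items()` is safer. The `CURR_USER_UID` fix is correct; quoting the expansion, `$(/usr/bin/id -u "$CURRENT_USER")`, avoids an empty-argument surprise when no console user is found. generate_profiles and generate_script both continue outside these hunks.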
@@ -842,7 +849,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): if "integer" in result: result_value = result['integer'] elif "boolean" in result: - result_value = result['boolean'] + result_value = str(result['boolean']).lower() elif "string" in result: result_value = result['string'] else: @@ -856,7 +863,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): if [[ "$arch" == "$rule_arch" ]] || [[ -z "$rule_arch" ]]; then #echo 'Running the command to check the settings for: {0} ...' | tee -a "$audit_log" unset result_value - result_value=$({2}) + result_value=$({2}\n) # expected result {3} @@ -885,7 +892,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): echo "$(date -u) {5} does not apply to this architechture" | tee -a "$audit_log" defaults write "$audit_plist" {0} -dict-add finding -bool NO fi - """.format(rule_yaml['id'], nist_controls.replace("\n", "\n#"), check.strip(), result, result_value, ' '.join(log_reference_id), arch) + """.format(rule_yaml['id'], nist_controls.replace("\n", "\n#"), check.strip(), str(result).lower(), result_value, ' '.join(log_reference_id), arch) check_function_string = check_function_string + zsh_check_text @@ -1128,7 +1135,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml): top = xlwt.easyxf("align: vert top") headers = xlwt.easyxf("font: bold on") counter = 1 - column_counter = 15 + column_counter = 16 custom_ref_column = {} sheet1.write(0, 0, "CCE", headers) sheet1.write(0, 1, "Rule ID", headers) 
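Review bot: `result_value=$({2}\n)` in the generate_script template is there so a heredoc-style check can close its `EOS` on its own line before the parenthesis, but nothing says so and the stray `\n` looks like a typo; a comment above the template line such as `# trailing newline lets a heredoc check terminate EOS before the closing ')'` keeps the next editor from removing it. `str(result).lower()` lowercases the whole expected-result dict in the generated `# expected result` comment, so a rule whose expected string contains capitals will show a value that differs from what `result_value` actually compares; lowercasing only the boolean branch, as the first hunk already does, is sufficient.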
@@ -1142,9 +1149,10 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(0, 9, "800-171", headers) sheet1.write(0, 10, "SRG", headers) sheet1.write(0, 11, "DISA STIG", headers) - sheet1.write(0, 12, "CIS Controls v8", headers) - sheet1.write(0, 13, "CCI", headers) - sheet1.write(0, 14, "Modifed Rule", headers) + sheet1.write(0, 12, "CIS Benchmark", headers) + sheet1.write(0, 13, "CIS v8", headers) + sheet1.write(0, 14, "CCI", headers) + sheet1.write(0, 15, "Modifed Rule", headers) sheet1.set_panes_frozen(True) sheet1.set_horz_split_pos(1) sheet1.set_vert_split_pos(2) @@ -1221,22 +1229,28 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(counter, 11, disa_refs, topWrap) sheet1.col(11).width = 500 * 15 + cis = "" + if rule.rule_cis != ['None']: + for title, ref in rule.rule_cis.items(): + if title.lower() == "benchmark": + sheet1.write(counter, 12, ref, topWrap) + sheet1.col(12).width = 500 * 15 + if title.lower() == "v8": + cis = (str(ref).strip('[]\'')) + cis = cis.replace(", ", "\n") + sheet1.write(counter, 13, cis, topWrap) + sheet1.col(13).width = 500 * 15 + cci = (str(rule.rule_cci)).strip('[]\'') cci = cci.replace(", ", "\n").replace("\'", "") - cisv8_refs = (str(rule.rule_cisv8)).strip('[]\'') - cisv8_refs = cisv8_refs.replace(", ", "\n").replace("\'", "") - - sheet1.write(counter, 12, cisv8_refs, topWrap) - sheet1.col(12).width = 500 * 15 - - sheet1.write(counter, 13, cci, topWrap) + sheet1.write(counter, 14, cci, topWrap) sheet1.col(13).width = 400 * 15 customized = (str(rule.rule_customized)).strip('[]\'') customized = customized.replace(", ", "\n").replace("\'", "") - sheet1.write(counter, 14, customized, topWrap) + sheet1.write(counter, 15, customized, topWrap) sheet1.col(14).width = 400 * 15 if rule.rule_custom_refs != ['None']: @@ -1281,7 +1295,7 @@ def create_rules(baseline_yaml): 'cce', '800-53r5', '800-171r2', - 'cisv8', + 'cis', 'srg', 'custom'] 
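Review bot: In generate_xls the new CIS loop compares `title.lower() == "v8"`, but the rule files in this diff use the key `controls v8` (and parse_cis_references later titles it as such), so the `CIS v8` column is never written. The column widths were also not moved with the data: CCI is now written to column 14 but `sheet1.col(13).width` is set, and the modified-rule flag goes to column 15 while `sheet1.col(14).width` is set. The three lines should read `if title.lower() == "controls v8":`, `sheet1.col(14).width = 400 * 15` and `sheet1.col(15).width = 400 * 15`.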
@@ -1324,7 +1338,7 @@ def create_rules(baseline_yaml): rule_yaml['references']['800-171r2'], rule_yaml['references']['disa_stig'], rule_yaml['references']['srg'], - rule_yaml['references']['cisv8'], + rule_yaml['references']['cis'], rule_yaml['references']['custom'], rule_yaml['tags'], rule_yaml['result'], @@ -1421,6 +1435,19 @@ def parse_custom_references(reference): string += "!" + str(item) + "!* " + str(reference[item]) + "\n" return string +def parse_cis_references(reference): + string = "\n" + for item in reference: + if isinstance(reference[item], list): + string += "!CIS " + str(item).title() + "\n!\n" + string += "* " + for i in reference[item]: + string += str(i) + ", " + string = string[:-2] + "\n" + else: + string += "!" + str(item) + "!* " + str(reference[item]) + "\n" + return string + def main(): @@ -1553,9 +1580,9 @@ def main(): adoc_STIG_show=":show_STIG!:" if "CIS" in baseline_yaml['title'].upper(): - adoc_cisv8_show=":show_cisv8:" + adoc_cis_show=":show_cis:" else: - adoc_cisv8_show=":show_cisv8!:" + adoc_cis_show=":show_cis!:" if "800" in baseline_yaml['title']: adoc_171_show=":show_171:" @@ -1573,7 +1600,7 @@ def main(): tag_attribute=adoc_tag_show, nist171_attribute=adoc_171_show, stig_attribute=adoc_STIG_show, - cisv8_attribute=adoc_cisv8_show, + cis_attribute=adoc_cis_show, version=version_yaml['version'], os_version=version_yaml['os'], release_date=version_yaml['date'] @@ -1669,7 +1696,6 @@ def main(): except KeyError: nist_80053r5 = 'N/A' else: - #nist_80053r5 = ulify(rule_yaml['references']['800-53r5']) nist_80053r5 = rule_yaml['references']['800-53r5'] try: @@ -1677,7 +1703,6 @@ def main(): except KeyError: nist_800171 = '- N/A' else: - #nist_80053r5 = ulify(rule_yaml['references']['800-53r5']) nist_800171 = ulify(rule_yaml['references']['800-171r2']) try: 
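Review bot: parse_cis_references's `string = string[:-2]` assumes the list is non-empty; for an empty list it removes the `* ` marker rather than a trailing separator, and the non-list branch drops the `CIS` label the list branch adds, so the two shapes render differently in the table. Joining avoids the slice: `string += "* " + ", ".join(str(i) for i in reference[item]) + "\n"`, and the else branch can use the same `"!CIS " + str(item).title()` label. The function is otherwise a line-for-line copy of parse_custom_references; a shared helper taking the label prefix would remove the duplicate.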
@@ -1688,11 +1713,11 @@ def main(): disa_stig = ulify(rule_yaml['references']['disa_stig']) try: - rule_yaml['references']['cisv8'] + rule_yaml['references']['cis'] except KeyError: - cisv8 = '- N/A' + cis = '- N/A' else: - cisv8 = ulify(rule_yaml['references']['cisv8']) + cis = parse_cis_references(rule_yaml['references']['cis']) try: rule_yaml['references']['srg'] @@ -1776,7 +1801,7 @@ def main(): rule_80053r5=nist_controls, rule_800171=nist_800171, rule_disa_stig=disa_stig, - rule_cisv8=cisv8, + rule_cis=cis, rule_cce=cce, rule_tags=tags, rule_srg=srg @@ -1792,7 +1817,7 @@ def main(): rule_80053r5=nist_controls, rule_800171=nist_800171, rule_disa_stig=disa_stig, - rule_cisv8=cisv8, + rule_cis=cis, rule_cce=cce, rule_custom_refs=custom_refs, rule_tags=tags, @@ -1810,7 +1835,7 @@ def main(): rule_80053r5=nist_controls, rule_800171=nist_800171, rule_disa_stig=disa_stig, - rule_cisv8=cisv8, + rule_cis=cis, rule_cce=cce, rule_tags=tags, rule_srg=srg, diff --git a/scripts/generate_mapping.py b/scripts/generate_mapping.py index d0ace2197..19ce56c7b 100755 --- a/scripts/generate_mapping.py +++ b/scripts/generate_mapping.py @@ -36,7 +36,7 @@ def dir_path(string): parser = argparse.ArgumentParser(description='Easily generate custom rules from compliance framework mappings') parser.add_argument("CSV", default=None, help="CSV to create custom rule files from a mapping.", type=argparse.FileType('rt')) - parser.add_argument("-f", "--framework", default="800-53r5", help="Specificy framework for the source. If no framework is specified, the default is 800-53r5.", action="store") + parser.add_argument("-f", "--framework", default="800-53r5", help="Specify framework for the source. If no framework is specified, the default is 800-53r5.", action="store") try: results = parser.parse_args() 
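Review bot: In main(), a rule without a `cis` reference gets `cis = '- N/A'`, a bullet-list fragment, while rules with one get the `!CIS …!` table-cell markup from parse_cis_references; unless the AsciiDoc template (not in this diff) handles both forms, the N/A case will render differently from the rest. Passing the same shape through keeps the table uniform: `cis = parse_cis_references({'benchmark': ['N/A'], 'controls v8': ['N/A']})`. The remaining hunks on this line are the rule_cisv8→rule_cis rename and the generate_mapping.py help-text typo fix and need nothing.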
@@ -94,23 +94,45 @@ def dir_path(string): try: rule_yaml['references'] - for yaml_control in rule_yaml['references'][results.framework]: - if duplicate == yaml_control.split("(")[0]: - continue - if csv_duplicate == str(row[other_header]): - continue - - if control.replace(" ",'') == yaml_control: - duplicate = yaml_control.split("(")[0] - csv_duplicate = str(row[other_header]) - row_array = str(row[other_header]).split(",") - for item in row_array: - control_array.append(item) - print(rule_yaml['id'] + " - " + str(results.framework) + " " + yaml_control + " maps to " + other_header + " " + item) + if "/" in str(results.framework): + framework_main = results.framework.split("/")[0] + framework_sub = results.framework.split("/")[1] + + for yaml_control in rule_yaml['references'][framework_main][framework_sub]: + if duplicate == str(yaml_control).split("(")[0]: + continue + if csv_duplicate == str(row[other_header]): + + continue + if control.replace(" ",'') == str(yaml_control): + + duplicate = str(yaml_control).split("(")[0] + csv_duplicate = str(row[other_header]) + + row_array = str(row[other_header]).split(",") + for item in row_array: + control_array.append(item) + print(rule_yaml['id'] + " - " + str(results.framework) + " " + str(yaml_control) + " maps to " + other_header + " " + item) + else: + + for yaml_control in rule_yaml['references'][results.framework]: + if duplicate == str(yaml_control).split("(")[0]: + continue + if csv_duplicate == str(row[other_header]): + continue + + if control.replace(" ",'') == str(yaml_control): + duplicate = str(yaml_control).split("(")[0] + csv_duplicate = str(row[other_header]) + row_array = str(row[other_header]).split(",") + for item in row_array: + control_array.append(item) + print(rule_yaml['id'] + " - " + str(results.framework) + " " + str(yaml_control) + " maps to " + other_header + " " + item) + except: - continue - + continue + if len(control_array) == 0: continue 
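Review bot: The bare `except: continue` closing the new block hides every failure in the added `framework_main`/`framework_sub` lookup — a `-f` value that is not a key in the rule's references, or a sub-key that is not iterable, is silently skipped rather than reported. Narrow it to `except KeyError: continue` so a misspelled framework name surfaces, and let other exceptions propagate. The two loop bodies are identical apart from the collection being iterated; resolving the reference list once (`refs = ...[framework_main][framework_sub]` in the `/` case, `refs = ...[results.framework]` otherwise) and keeping a single loop would remove roughly twenty duplicated lines. `results.framework.split("/")` also silently ignores anything after a second slash; `split("/", 1)` makes the two-part intent explicit. The enclosing function continues outside the hunk.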
diff --git a/scripts/yaml-to-oval.py b/scripts/generate_oval.py similarity index 63% rename from scripts/yaml-to-oval.py rename to scripts/generate_oval.py index 4d5899ec0..f2268cea9 100755 --- a/scripts/yaml-to-oval.py +++ b/scripts/generate_oval.py @@ -9,6 +9,8 @@ import warnings from pathlib import Path from datetime import datetime +import shutil +from time import sleep warnings.filterwarnings("ignore", category=DeprecationWarning) @@ -25,7 +27,7 @@ def main(): output_basename = os.path.basename(results.baseline.name) output_filename = os.path.splitext(output_basename)[0] - baseline_name = os.path.splitext(output_basename)[0].capitalize() + baseline_name = os.path.splitext(output_basename)[0] file_dir = os.path.dirname(os.path.abspath(__file__)) parent_dir = os.path.dirname(file_dir) @@ -69,11 +71,11 @@ def main(): macOS Security Compliance Project '''.format(date_time_string) - oval_definition = "" - oval_test = "" - oval_object = "" - oval_state = "" - oval_variable = "" + oval_definition = str() + oval_test = str() + oval_object = str() + oval_state = str() + oval_variable = str() print() for sections in profile_yaml['profile']: for profile_rule in sections['rules']: 
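Review bot: `from time import sleep` is added but `sleep` is not used in any visible hunk of this file; if it is not used in the parts outside the diff either, the import should be dropped rather than left as an unused name. `shutil` is used only for `shutil.which('xmllint')` at the end of `main()`, which is fine, but the header now mixes `import x` and `from x import y` forms in no particular order — grouping the stdlib imports together would keep it tidy.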
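Review bot: Replacing `""` with `str()` for the five accumulators is churn rather than an improvement — `""` is the idiomatic empty-string literal and the two are identical at runtime. If the aim is readability, a comment such as `# XML fragments accumulated per rule; joined into total_oval at the end of main()` says more than the constructor call, and the five assignments could collapse to one chained assignment since strings are immutable.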
@@ -85,19 +87,33 @@ def main(): rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) if "inherent" in rule_yaml['tags'] or "n_a" in rule_yaml['tags'] or "permanent" in rule_yaml['tags']: continue + if "time_machine" in rule_yaml['id'] and "encrypted" in rule_yaml['id']: + print(rule_yaml['id'] + " - Manual Check Required") + continue + if "bluetooth" in rule_yaml['id'] and "unpaired" in rule_yaml['id']: + print(rule_yaml['id'] + " - Manual Check Required") + continue if rule_yaml['check'][0] != "/" and "[source,bash]" not in rule_yaml['fix']: print(rule_yaml['id'] + " - Manual Check") continue + if "hint" in rule_yaml['check'] and "dscl" in rule_yaml['check']: + print(rule_yaml['id'] + " - no relevant oval") + continue if "manual" in rule_yaml['tags']: print(rule_yaml['id'] + " - Manual Check") continue - - if "newsyslog.conf" in rule_yaml['check'] or "asl.conf" in rule_yaml['check']: + if "eficheck" in rule_yaml['check']: + print(rule_yaml['id'] + " - eficheck - no relevant oval") + continue + if "newsyslog.conf" in rule_yaml['check'] or "asl.conf" in rule_yaml['check'] or "aslmanager" in rule_yaml['check']: print(rule_yaml['id'] + " - Manual Check Required") continue if "/usr/bin/pwpolicy getaccountpolicies" in rule_yaml['check']: print(rule_yaml['id'] + " - pwpolicy getaccountpolicies - no relevant oval") continue + if "find" in rule_yaml['check'].split(" ")[0]: + print(rule_yaml['id'] + " - no relevant oval") + continue if "os_home_folders_secure" in rule_file: oval_definition = oval_definition + ''' 
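Review bot: The new skip tests at the top of the loop match raw substrings over the whole check text (`"hint"` together with `"dscl"`, `"eficheck"`, `"aslmanager"`), so any future rule whose check merely mentions one of those words is also dropped from the OVAL output with a "no relevant oval" message; `"find" in rule_yaml['check'].split(" ")[0]` likewise matches any first token containing `find`, not only the `find` binary. `os.path.basename(rule_yaml['check'].split(" ")[0]) == "find"` pins that case to the command name. With a dozen exclusions in a row, a tuple of `(predicate, reason)` pairs iterated once would keep each exclusion's message next to its test and make additions reviewable. main() continues on both sides of the hunk.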
@@ -227,56 +243,54 @@ def main(): '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) oval_test = oval_test + ''' - + - + '''.format(rule_yaml['id'],x,x,x) if payload_domain == "com.apple.dock": oval_object = oval_object + ''' - - lastUserName + /Library/Preferences/com.apple.loginwindow.plist - 1 - - - {} + /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() + + - 1 - - '''.format(x+1999,key,x,key,x) + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(x+1999,key,x,x,key) oval_variable = oval_variable + ''' /Library/Managed Preferences/ - + /com.apple.dock.plist '''.format(x,x+1999) else: oval_object = oval_object + ''' - - {} + /Library/Managed Preferences/{}.plist - 1 - - '''.format(rule_yaml['id'],x,key,payload_domain) + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + + + '''.format(rule_yaml['id'],x,payload_domain,key) oval_state = oval_state + ''' - - {} - + + {} + '''.format(rule_yaml['id'],x,state_kind,value) x += 1 continue for key, value in info.items(): + if key == "familyControlsEnabled": xpath_search = "" if len(info) > 1: 
@@ -335,73 +349,238 @@ def main(): '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) oval_test = oval_test + ''' - + - + '''.format(rule_yaml['id'],x,x,x) oval_object = oval_object + ''' - - {} - /Library/Managed Preferences/{}.plist - 1 - - '''.format(rule_yaml['id'],x,key,payload_type) + + /Library/Managed Preferences/{}.plist'''.format(rule_yaml['id'],x,payload_type) state_kind = "" if type(value) == bool: + oval_object = oval_object + ''' +name(//*[contains(text(), "{}")]/following-sibling::*[1]) +'''.format(key) state_kind = "boolean" elif type(value) == int: state_kind = "int" + oval_object = oval_object + ''' +//*[contains(text(), "{}")]/following-sibling::*[1]/text() +'''.format(key) elif type(value) == str: state_kind = "string" + oval_object = oval_object + ''' +//*[contains(text(), "{}")]/following-sibling::*[1]/text() +'''.format(key) oval_state = oval_state + ''' - - {} - + + {} + '''.format(rule_yaml['id'],x,state_kind,value) x = x + 1 continue + if payload_type == "com.apple.finder": + oval_definition = oval_definition + ''' + + + {} + + + {} + + + + + + '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) + + oval_test = oval_test + ''' + + + + + '''.format(rule_yaml['id'],x,x,x) + + oval_object = oval_object + ''' + + /Library/Preferences/com.apple.loginwindow.plist + /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() + + + + '''.format(x+1999,rule_yaml['id'],x,x) + + state_kind = "" + if type(value) == bool: + oval_object = oval_object + ''' +name(//*[contains(text(), "{}")]/following-sibling::*[1]) +'''.format(key) + state_kind = "boolean" + elif type(value) == int: + state_kind = "int" + oval_object = oval_object + ''' +//*[contains(text(), "{}")]/following-sibling::*[1]/text() +'''.format(key) + elif type(value) == str: + state_kind = "string" + oval_object = 
oval_object + ''' +//*[contains(text(), "{}")]/following-sibling::*[1]/text() +'''.format(key) + + oval_state = oval_state + ''' + + {} + + '''.format(rule_yaml['id'],x,state_kind,value) + + + oval_variable = oval_variable + ''' + + + /Library/Managed Preferences/ + + /com.apple.finder.plist + + '''.format(x,x+1999) + x += 1 + continue - if payload_type == "com.apple.systemuiserver" and key == "mount-controls": + if payload_type == "com.apple.DiscRecording": oval_definition = oval_definition + ''' - + - {} + {} {} - + - - - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) + + + '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) oval_test = oval_test + ''' + + + + + '''.format(rule_yaml['id'],x,x,x) + + oval_object = oval_object + ''' + + /Library/Preferences/com.apple.loginwindow.plist + /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() + + + + '''.format(x+1999,rule_yaml['id'],x,x) + + state_kind = "" + if type(value) == bool: + oval_object = oval_object + ''' +name(//*[contains(text(), "{}")]/following-sibling::*[1]) +'''.format(key) + state_kind = "boolean" + elif type(value) == int: + state_kind = "int" + oval_object = oval_object + ''' +//*[contains(text(), "{}")]/following-sibling::*[1]/text() +'''.format(key) + elif type(value) == str: + state_kind = "string" + oval_object = oval_object + ''' +//*[contains(text(), "{}")]/following-sibling::*[1]/text() +'''.format(key) + + oval_state = oval_state + ''' + + {} + + '''.format(rule_yaml['id'],x,state_kind,value) + + + oval_variable = oval_variable + ''' + + + /Library/Managed Preferences/ + + /com.apple.DiscRecording.plist + + '''.format(x,x+1999) + x += 1 + continue + if payload_type == "com.apple.Safari" and key == "AutoOpenSafeDownloads": + oval_definition = oval_definition + ''' + + + {} + + + {} + + + + + + 
'''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) - + oval_test = oval_test + ''' + - '''.format(rule_yaml['id'],x,x,x) + + '''.format(rule_yaml['id'],x,x,x) oval_object = oval_object + ''' - - /Library/Managed Preferences/com.apple.systemuiserver.plist - /plist/dict/dict/array/string/text() - '''.format(rule_yaml['id'],x) + + /Library/Preferences/com.apple.loginwindow.plist + /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() + + + + '''.format(x+1999,rule_yaml['id'],x,x) + + state_kind = "" + if type(value) == bool: + oval_object = oval_object + ''' +name(//*[contains(text(), "{}")]/following-sibling::*[1]) +'''.format(key) + state_kind = "boolean" + elif type(value) == int: + state_kind = "int" + oval_object = oval_object + ''' +//*[contains(text(), "{}")]/following-sibling::*[1]/text() +'''.format(key) + elif type(value) == str: + state_kind = "string" + oval_object = oval_object + ''' +//*[contains(text(), "{}")]/following-sibling::*[1]/text() +'''.format(key) oval_state = oval_state + ''' - - deny - - '''.format(rule_yaml['id'],x) - x = x + 1 - continue - if payload_type == "com.apple.systempreferences" and key == "DisabledPreferencePanes": + + {} + + '''.format(rule_yaml['id'],x,state_kind,value) + + + oval_variable = oval_variable + ''' + + + /Library/Managed Preferences/ + + /com.apple.Safari.plist + + '''.format(x,x+1999) + x += 1 + continue + if payload_type == "com.apple.systempreferences" and key == "DisabledPreferencePanes" or payload_type == "com.apple.systempreferences" and key == "HiddenPreferencePanes": oval_definition = oval_definition + ''' 
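Review bot: The three new `payload_type` branches for `com.apple.finder`, `com.apple.DiscRecording` and `com.apple.Safari` are the same ~40 lines (loginwindow `lastUserName` object, bool/int/str XPath selection, state, variable) differing only in the plist name in the variable template; a helper taking `rule_yaml, x, payload_type, key, value` and returning the four fragments would collapse them and keep the XPath selection in one place. The combined condition on the last line, `... and key == "DisabledPreferencePanes" or ... and key == "HiddenPreferencePanes"`, relies on `and` binding tighter than `or`; `payload_type == "com.apple.systempreferences" and key in ("DisabledPreferencePanes", "HiddenPreferencePanes")` says the same without the reader checking precedence. The template bodies are not reproduced on this page, so the reordered `.format` arguments could not be checked against their placeholders. main() continues outside the hunk on both sides.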
@@ -425,31 +604,30 @@ def main(): '''.format(rule_yaml['id'],x,x,x) oval_object = oval_object + ''' - - lastUserName + /Library/Preferences/com.apple.loginwindow.plist - 1 - + /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() + - boolean(plist/dict/array/string/text() = "{}") + /plist/dict/key[string()="{}"]/following-sibling::*[1]/string[string()="{}"]/text() - '''.format(x+1999,rule_yaml['id'],x,x,str(value).strip('[]').strip("'")) + '''.format(x+1999,rule_yaml['id'],x,x,key,str(value).strip('[]').strip("'")) oval_state = oval_state + ''' - true + {} - '''.format(rule_yaml['id'],x) + '''.format(rule_yaml['id'],x,str(value).strip('[]').strip("'")) oval_variable = oval_variable + ''' /Library/Managed Preferences/ - + /com.apple.systempreferences.plist '''.format(x,x+1999) @@ -483,31 +661,40 @@ def main(): '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) oval_test = oval_test + ''' - + - + '''.format(rule_yaml['id'],x,x,x) oval_object = oval_object + ''' - - {} - /Library/Managed Preferences/{}.plist - 1 - - '''.format(rule_yaml['id'],x,key,payload_type) - + + /Library/Managed Preferences/{}.plist'''.format(rule_yaml['id'],x,payload_type) + + if state_kind == "boolean": + oval_object = oval_object + ''' + name(//*[contains(text(), "{}")]/following-sibling::*[1]) + '''.format(key) + else: + oval_object = oval_object + ''' + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) oval_state = oval_state + ''' - - {} - + + {} + '''.format(rule_yaml['id'],x,state_kind,value) x += 1 continue else: command = rule_yaml['check'].split("/") + if "sntp" in rule_yaml['check']: + x += 1 + print(rule_yaml['id'] + " - No relevant oval test") + continue + if "SPStorageDataType" in rule_yaml['check']: x += 1 print(rule_yaml['id'] + " - No relevant oval test") 
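Review bot: In the rewritten systempreferences object and state, `str(value).strip('[]').strip("'")` still flattens the list through its string representation, so a value with more than one pane (e.g. `['a', 'b']`) becomes the literal `a', 'b` in both the XPath predicate and the state value. If `DisabledPreferencePanes`/`HiddenPreferencePanes` are single-element lists by convention, `str(value[0])` plus a comment `# value is a one-element list; only [0] is checked` makes that explicit; otherwise one object/state pair per element is needed. main() continues past the hunk.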
@@ -616,6 +803,119 @@ def main(): print(rule_yaml['id'] + " - No relevant oval test") x += 1 continue + + + if "pmset" in command[3] and "standby" in rule_yaml['check']: + oval_definition = oval_definition + ''' + + + {} + + + {} + + + + + + + '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'] +"_standbydelayhigh",x, rule_yaml['id'] +"_standbydelaylow",x+877, rule_yaml['id'] +"_highstandbythreshold",x+888) + + + oval_test = oval_test + ''' + + + + '''.format(rule_yaml['id'] + "_standbydelayhigh",x,x,x) + + oval_test = oval_test + ''' + + + + '''.format(rule_yaml['id'] + "_standbydelaylow",x+877,x+877,x+877) + + oval_test = oval_test + ''' + + + + '''.format(rule_yaml['id'] + "_highstandbythreshold",x+888,x+888,x+888) + + + standbydelayhigh = str() + standbydelaylow = str() + highstandbythreshold = str() + + for line in rule_yaml['fix'].split("----")[1].split("\n"): + if line == "": + continue + if "standbydelayhigh" in line: + standbydelayhigh = line.split(" ")[-1].rstrip() + if "standbydelaylow" in line: + standbydelaylow = line.split(" ")[-1].rstrip() + if "highstandbythreshold" in line: + highstandbythreshold = line.split(" ")[-1].rstrip() + + oval_object = oval_object + ''' + + SPHardwareDataType + + //*[contains(text(), "platform_UUID")]/following-sibling::string[position()=1]/text() + '''.format("hardware UUID",x+999) + + oval_variable = oval_variable + ''' + + + /Library/Preferences/com.apple.PowerManagement. 
+ + .plist + + '''.format(x,x+999) + + oval_object = oval_object + ''' + + '''.format(rule_yaml['id'] + "_standbydelayhigh",x,x) + + oval_object = oval_object + ''' + boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") + '''.format("High Standby Delay",standbydelayhigh) + + + oval_object = oval_object + ''' + + '''.format(rule_yaml['id'] + "_standbydelaylow",x+877, x) + + oval_object = oval_object + ''' + boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") + '''.format("Standby Delay",standbydelaylow) + + oval_object = oval_object + ''' + + '''.format(rule_yaml['id'] + "_highstandbythreshold",x+888, x) + + oval_object = oval_object + ''' + boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") + '''.format("Standby Battery Threshold",highstandbythreshold) + + oval_state = oval_state + ''' + + true + '''.format(rule_yaml['id'] + "_standbydelayhigh",x) + + oval_state = oval_state + ''' + + true + '''.format(rule_yaml['id'] + "_standbydelaylow",x+877) + + oval_state = oval_state + ''' + + true + '''.format(rule_yaml['id'] + "_highstandbythreshold",x+888) + + x += 1 + continue + + + if "pmset" in command[3]: oval_definition = oval_definition + ''' @@ -636,12 +936,19 @@ def main(): '''.format(rule_yaml['id'],x,x,x) - + oval_object = oval_object + ''' - /Library/Preferences/com.apple.PowerManagement.plist - boolean(plist/dict[key="AC Power"]/dict[key="DarkWakeBackgroundTasks"]/integer/text() = "0") - '''.format(rule_yaml['id'],x) + /Library/Preferences/com.apple.PowerManagement.plist'''.format(rule_yaml['id'],x) + pmset_key = str() + if "powernap" in rule_yaml['check']: + pmset_key = "DarkWakeBackgroundTasks" + if "womp" in rule_yaml['check']: + pmset_key = "Wake On LAN" + + oval_object = oval_object + ''' + boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") + '''.format(pmset_key,rule_yaml['fix'].split("----")[1].replace("\n","")[-1]) oval_state = oval_state + ''' 
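Review bot: The three standby thresholds are recovered from the fix text (`line.split(" ")[-1]` on each line of the first `----` block), so the object XPath compares against whatever the last token of the matching fix line happens to be; a fix line with a trailing comment or a different argument order makes the generated check test the wrong value without any warning. Asserting that `standbydelayhigh`, `standbydelaylow` and `highstandbythreshold` are non-empty and `isdigit()` before formatting — or reading them from a structured field of the rule — would fail loudly instead. The ids `x+877`, `x+888` and `x+999` are offsets from the per-rule counter that other branches also offset by `x+999`/`x+1999`; whether they can collide with a later rule's ids depends on the total rule count, which the hunk does not show, so a comment stating the id-space convention would help. main() continues beyond the hunk.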
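Review bot: `pmset_key` stays empty when the check mentions neither `powernap` nor `womp`, and the following template is still emitted, producing an XPath of `dict[key=""]` that can never match; `else: print(rule_yaml['id'] + " - unknown pmset key"); continue` (or raising) would make the gap visible. The expected value `rule_yaml['fix'].split("----")[1].replace("\n","")[-1]` is the last character of the fix block, which only works while every pmset fix ends in a single-digit value with no trailing whitespace; `.strip().split()[-1]` on that block is at least robust to trailing spaces and multi-digit values. This branch sits inside main(), which continues outside the hunk.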
@@ -665,10 +972,10 @@ def main(): '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) oval_test = oval_test + ''' - + - + '''.format(rule_yaml['id'],x,x,x) if rule_yaml['check'].split()[1] == "--getloggingmode": @@ -679,16 +986,15 @@ def main(): firewall_variable = "globalstate" oval_object = oval_object + ''' - - {} + /Library/Preferences/com.apple.alf.plist - 1 - '''.format(rule_yaml['id'],x,firewall_variable) + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(rule_yaml['id'],x,firewall_variable) oval_state = oval_state + ''' - - 1 - '''.format(rule_yaml['id'],x) + + 1 + '''.format(rule_yaml['id'],x) x += 1 continue if "systemsetup" in command[3]: @@ -763,10 +1069,10 @@ def main(): '''.format(rule_yaml['id']+"_"+str(abc),x) oval_test = oval_test + ''' - + - '''.format(rule_yaml['id']+"_"+str(abc),x,x,x) + '''.format(rule_yaml['id']+"_"+str(abc),x,x,x) key = matchy_match.split("|")[abc].split(" = ")[0].replace("\"","") value = matchy_match.split("|")[abc].split(" = ")[1].replace(";","") @@ -802,27 +1108,32 @@ def main(): oval_object = oval_object + ''' - - {} - - 1 - '''.format(rule_yaml['id']+"_"+str(abc),x,key,x) + + '''.format(rule_yaml['id']+"_"+str(abc),x,x) oval_datatype = "" try: int(value) oval_datatype = "int" + oval_object = oval_object + ''' + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) except: if value.lower() == "true" or value.lower == "false": oval_datatype = "boolean" - + oval_object = oval_object + ''' + name(//*[contains(text(), "{}")]/following-sibling::*[1]) + '''.format(key) else: oval_datatype = "string" + oval_object = oval_object + ''' + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) oval_state = oval_state + ''' - - {} - '''.format(rule_yaml['id']+"_"+str(abc),x,oval_datatype,value) + + {} + '''.format(rule_yaml['id']+"_"+str(abc),x,oval_datatype,value) abc =+ 1 x = x+1 
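Review bot: The new boolean branch is reached through the context condition `value.lower() == "true" or value.lower == "false"`: the second comparison is missing its call parentheses, so it compares a bound method to a string and is always false, and a value of `false` falls through to the `string` datatype and the `/text()` XPath instead of the new `name(...)` form. Change it to `value.lower() in ("true", "false")`. Two lines below, `abc =+ 1` parses as `abc = +1`; if `abc` is meant to step through the `|`-separated fields it never advances — the loop header is outside the hunk, so confirm before changing it to `abc += 1`. main() continues on both sides.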
@@ -836,6 +1147,132 @@ def main(): if "defaults" in rule_yaml['check']: + if rule_yaml['id'] == "sysprefs_hot_corners_secure": + oval_definition = oval_definition + ''' + + + {} + + + {} + + + + + + + + '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x,rule_yaml['id'],x+5000,rule_yaml['id'],x+5001,rule_yaml['id'],x+5002) + + oval_test = oval_test + ''' + + + + '''.format(rule_yaml['id'],x,x,x) + + oval_test = oval_test + ''' + + + + '''.format(rule_yaml['id'],x+5000,x+5000,x+5000) + + oval_test = oval_test + ''' + + + + '''.format(rule_yaml['id'],x+5001,x+5001,x+5001) + + oval_test = oval_test + ''' + + + + '''.format(rule_yaml['id'],x+5002,x+5002,x+5002) + + plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") + check_length = len(rule_yaml['check'].split()) + key = rule_yaml['check'].split("\n")[0].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') + + oval_object = oval_object + ''' + + .* + oval:mscp:ste:{} + + + + + '''.format(x+1999,x+1999,rule_yaml['id'],x,x) + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) + + key = rule_yaml['check'].split("\n")[1].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') + + oval_object = oval_object + ''' + + + '''.format(rule_yaml['id'],x+5000,x) + + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) + + key = rule_yaml['check'].split("\n")[2].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') + + oval_object = oval_object + ''' + + + '''.format(rule_yaml['id'],x+5001,x) + + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) + + key = rule_yaml['check'].split("\n")[3].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') + + oval_object = oval_object + ''' + + + 
'''.format(rule_yaml['id'],x+5002,x) + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) + + oval_state = oval_state + ''' + + ^[^_\s].* + 0 + 0 + /usr/bin/false + '''.format(x+1999) + + + after_user = plist.split('"')[2] + oval_variable = oval_variable + ''' + + + + {} + .plist + + '''.format(x,x+1999,after_user,x+999) + try: + check_if = rule_yaml['check'].split("\n")[5] + + modifier = 0 + for n in check_if.split(): + + if n.replace('"',"").isdigit(): + if modifier >= 4999: + modifier = modifier + 1 + oval_state = oval_state + ''' + {} + '''.format(rule_yaml['id'],x+modifier,n.replace('"',"")) + if modifier == 0: + modifier = 4999 + x = x + 1 + continue + except: + x = x + 1 + continue + + + oval_definition = oval_definition + ''' @@ -850,10 +1287,10 @@ def main(): '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) oval_test = oval_test + ''' - + - '''.format(rule_yaml['id'],x,x,x) + '''.format(rule_yaml['id'],x,x,x) plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") @@ -867,7 +1304,7 @@ def main(): '''.format("hardware UUID",x+999) if "$CURRENT_USER" in rule_yaml['check']: - # plist = rule_yaml['check'].split()[6] + check_length = len(rule_yaml['check'].split()) key = rule_yaml['check'].split()[check_length-1] @@ -878,13 +1315,19 @@ def main(): oval:mscp:ste:{} - - {} - - 1 - - '''.format(x+1999,x+1999,rule_yaml['id'],x,key,x) - + + + '''.format(x+1999,x+1999,rule_yaml['id'],x,x) + + try: + rule_yaml['result']['boolean'] + oval_object = oval_object + ''' + name(//*[contains(text(), "{}")]/following-sibling::*[1]) + '''.format(key) + except: + + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) oval_state = oval_state + ''' ^[^_\s].* 
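Review bot: The `try`/bare-`except` around the corner-value parsing turns any surprise in `rule_yaml['check'].split("\n")[5]` (a check with fewer than six lines, for instance) into a silent skip after the definition, tests and objects for the rule were already appended, leaving four tests that reference states never emitted. Catch `IndexError` only and print the rule id before `continue`, so an inconsistent OVAL file is at least reported. The `modifier` sequence (`0`, then `4999`, then `+1` per digit) reproduces the `x`, `x+5000`, `x+5001`, `x+5002` ids used by the tests above; a comment such as `# first digit -> state x, remaining digits -> x+5000, x+5001, ...` would spare the next reader the reconstruction. `check_length` is assigned but appears unused in this branch, which ends in `continue` on both paths. main() continues outside the hunk.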
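Review bot: The datatype probe `try: rule_yaml['result']['boolean'] ... except:` uses a bare except to ask whether a key exists; `if 'boolean' in rule_yaml['result']:` states the question directly and does not swallow a `TypeError` when `result` is missing or not a mapping. The same construct is repeated in the hunks at `@@ -903` and `@@ -925` (three more copies); since each one only chooses between the `name(...)` and `/text()` XPath forms for a key, a small helper `_xpath_for(key, rule_yaml)` returning the fragment would leave a single copy to maintain. The enclosing main() runs outside every one of these hunks.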
@@ -903,18 +1346,27 @@ def main(): '''.format(x,x+1999,plist,x+999) + else: check_length = len(rule_yaml['check'].split()) - key = rule_yaml['check'].split()[check_length-1] + key = rule_yaml['check'].replace(" 2>/dev/null","").split()[check_length-1] oval_object = oval_object + ''' - - {} + - 1 - '''.format(rule_yaml['id'],x,key,x) + '''.format(rule_yaml['id'],x,x) + + try: + rule_yaml['result']['boolean'] + oval_object = oval_object + ''' + name(//*[contains(text(), "{}")]/following-sibling::*[1]) + '''.format(key) + except: + oval_object = oval_object + ''' + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) oval_variable = oval_variable + ''' 
@@ -925,23 +1377,76 @@ def main(): '''.format(x,plist,x+999) + elif "$CURRENT_USER" in rule_yaml['check']: + + + check_length = len(rule_yaml['check'].split()) + key = rule_yaml['check'].replace(" 2>/dev/null","").split()[-1] + + oval_object = oval_object + ''' + + .* + oval:mscp:ste:{} + + + + + '''.format(x+1999,x+1999,rule_yaml['id'],x,x) + + try: + rule_yaml['result']['boolean'] + oval_object = oval_object + ''' + name(//*[contains(text(), "{}")]/following-sibling::*[1]) +'''.format(key) + except: + + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) + oval_state = oval_state + ''' + + ^[^_\s].* + 0 + 0 + /usr/bin/false + '''.format(x+1999) + + oval_variable = oval_variable + ''' + + + + /Library/Preferences/{}. + plist + + '''.format(x,x+1999,plist,x+999) + else: + if plist[-6:] != ".plist": plist = plist + ".plist" - plist_key = rule_yaml['check'].split(" ")[3].rstrip() + plist_key = rule_yaml['check'].replace(" 2>/dev/null","").split(" ")[3].rstrip() oval_object = oval_object + ''' - - {} - {} - 1 - '''.format(rule_yaml['id'],x,plist_key,plist) - + + {}'''.format(rule_yaml['id'],x,plist) + + try: + rule_yaml['result']['boolean'] + oval_object = oval_object + ''' + name(//*[contains(text(), "{}")]/following-sibling::*[1]) + '''.format(plist_key) + except: + oval_object = oval_object + ''' + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(plist_key) + + datatype = "" + plist_key = rule_yaml['check'].split(" ")[3].rstrip() for key in rule_yaml['result']: datatype = key if datatype == "integer": oval_datatype = "int" + else: oval_datatype = datatype 
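Review bot: The cleaned `plist_key` assigned at the top of the final `else:` branch is overwritten a few lines later by the unchanged `plist_key = rule_yaml['check'].split(" ")[3].rstrip()`, which still carries any ` 2>/dev/null` suffix; if `plist_key` is used after the hunk (the branch continues past it), the uncleaned value is the one that survives — drop the second assignment or give it the same `.replace(" 2>/dev/null","")`. The new `elif "$CURRENT_USER"` branch also appears to repeat the object/state/variable templates of the earlier `$CURRENT_USER` branch almost verbatim with a different plist path; a helper, or at least a comment explaining why both exist, would help. main() continues on both sides of the hunk.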
@@ -953,13 +1458,13 @@ def main(): value = rule_yaml['result'][datatype] oval_state = oval_state + ''' - - {} - '''.format(rule_yaml['id'],x,oval_datatype,value) + + {} + '''.format(rule_yaml['id'],x,oval_datatype,value) oval_definition = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', oval_definition) x = x+1 - + continue if "security" in command[3]: if rule_yaml['check'].split()[1] == "authorizationdb": check = rule_yaml['check'].split("|") @@ -1040,12 +1545,42 @@ def main(): '''.format(rule_yaml['id'],x,key) x += 1 continue + if "/bin/rm" in rule_yaml['fix'] and "/bin/ls" in rule_yaml['check']: + oval_definition = oval_definition + ''' + + + {} + + + {} + + + + + + '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) + oval_test = oval_test + ''' + + + '''.format(x,rule_yaml['id'],x) + + path = rule_yaml['fix'].split("----")[1].split(" ")[-1] + + oval_object = oval_object + ''' + + {} + + '''.format(x,rule_yaml['id'],path.rstrip()) + x += 1 + continue + + if "ls" in command[2] or "stat" in command[3].split()[0]: if '/Library/Security/PolicyBanner.rtf' in rule_yaml['check']: oval_definition = oval_definition + ''' - + {} 
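Review bot: The new `/bin/rm` branch derives the object path from `rule_yaml['fix'].split("----")[1].split(" ")[-1]`, the last whitespace-separated token of the fix block, so a fix with more than one command, a trailing option, or a path containing a space yields the wrong `path` and a file_object that checks something else. Since the check is known to contain `/bin/ls`, the argument of that `ls` (or a dedicated field in the rule YAML) is a more reliable source, and a guard `if not path.startswith("/"): print(rule_yaml['id'] + " - could not derive path"); continue` would catch the obvious failures. The selection test is a substring match on both `fix` and `check`, so any future rule whose fix happens to mention `/bin/rm` while its check lists a file is routed here — a comment naming the rules this branch targets would help. main() continues beyond the hunk.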
@@ -1077,34 +1612,43 @@ def main(): '''.format(x,rule_yaml['id'],x+2999,rule_yaml['id']) x = x + 1 continue - + s = rule_yaml['check'] + config_file = str() + oval_variable_need = bool() + if "grep" in s.split()[2]: + + + oval_variable_need = True + grep_search = re.search('\((.*?)\)', s).group(1) - grep_search = re.search('\((.*?)\)', s).group(1) - - substring = grep_search.split("|")[0] - regex = re.search('\'(.*?)\'', substring).group(1) - - try: - regex = re.search('/(.*?)/', regex).group(1) - except: - regex = regex - - - config_file = substring = grep_search.split("|")[0].split()[-1] + substring = grep_search.split("|")[0] + regex = re.search('\'(.*?)\'', substring).group(1) + + try: + regex = re.search('/(.*?)/', regex).group(1) + except: + regex = regex + + config_file = substring = grep_search.split("|")[0].split()[-1] + + oval_object = oval_object + ''' + + {} + {}:\s*(.*)$ + 1 + + '''.format(rule_yaml['id'], x+999, config_file, regex) + + oval_variable = oval_variable + ''' + + + '''.format(x,rule_yaml['id'],x+999) - oval_object = oval_object + ''' - - {} - {}:\s*(.*)$ - 1 - - '''.format(rule_yaml['id'], x+999, config_file, regex) - - oval_variable = oval_variable + ''' - - - '''.format(x,rule_yaml['id'],x+999) + else: + oval_variable_need = False + config_file = s.split()[2] + s = rule_yaml['fix'] fix_command = re.search('-\n(.*?)\n-', s).group(1).split('$')[0] @@ -1138,12 +1682,20 @@ def main(): behavior = "" filename = '' - oval_object = oval_object + ''' - - {} - - {} - '''.format(rule_yaml['id'],x,behavior,x,filename) + if oval_variable_need == True: + oval_object = oval_object + ''' + + {} + + {} + '''.format(rule_yaml['id'],x,behavior,x,filename) + else: + oval_object = oval_object + ''' + + {} + {} + + '''.format(rule_yaml['id'],x,behavior,config_file) state_test = "" if "-" in fix_command and "N" in fix_command and "chmod" in fix_command: state_test = ''' 
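Review bot: `oval_variable_need = bool()` followed by `if oval_variable_need == True:` in the hunk at `@@ -1138` is unidiomatic; initialise with `oval_variable_need = False` and test `if oval_variable_need:`. In the new `else:` branch `config_file = s.split()[2]` assumes the third token of the check is the file path, and the preceding `"grep" in s.split()[2]` raises `IndexError` for a check with fewer than three tokens; a comment stating which check layout the branch expects, plus a length guard that prints the rule id and skips, would turn the crash into a reported skip. main() extends past both hunks.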
@@ -1187,6 +1739,7 @@ def main(): true true''' elif perms[0] == "4": + state_test = ''' true false @@ -1228,6 +1781,7 @@ def main(): true true''' elif perms[1] == "4": + state_test = state_test + ''' true false @@ -1249,6 +1803,7 @@ def main(): true''' if perms[2] == "0": + state_test = state_test + ''' false false @@ -1396,17 +1951,12 @@ def main(): '''.format(x,rule_yaml['id'],awk_file.rstrip(), awk_search) x += 1 continue - if "grep" in command[3]: + if "grep" in command[3] and not "pgrep" in command[3]: if "bannerText" in rule_yaml['check'] or "fips_" in rule_yaml['check']: text_to_find = rule_yaml['check'].split("=")[1].split('"')[1] - - # matches = re.findall(r'(?=\=")(?s)(.*)\."',rule_yaml['check']) - - # matches = str(matches).replace('="',"").replace("[","").replace("]","").replace("'","") - # matches = matches + "." - # matches = matches.replace(".","\.").replace(")","\)").replace("(","\(") + matches = text_to_find.replace(".","\.").replace(")","\)").replace("(","\(").replace("*","\*") oval_definition = oval_definition + ''' @@ -1441,6 +1991,7 @@ def main(): else: s = rule_yaml['check'] + try: grep_search = re.search('"(.*?)"', s).group(1) @@ -1480,9 +2031,9 @@ def main(): x += 1 continue - if "launchctl" in command[2]: + if "launchctl" in command[2] or "launchctl" in rule_yaml['fix']: - if "disable" in command[2] and "=> true" in rule_yaml['check']: + if "disable" in command[2] and "=> true" in rule_yaml['check'] or "unload -w" in rule_yaml['fix']: oval_definition = oval_definition + ''' 
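Review bot: `if "grep" in command[3] and not "pgrep" in command[3]:` reads better as `"pgrep" not in command[3]`, the form the style guides recommend; the intent (exclude `pgrep` from the grep handler) deserves a short comment since the next reader will wonder why it appears here. main() continues outside the hunk.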
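Review bot: The widened condition `if "disable" in command[2] and "=> true" in rule_yaml['check'] or "unload -w" in rule_yaml['fix']:` mixes `and` and `or` without parentheses; it evaluates as `(A and B) or C`, which is probably intended, but `if ("disable" in command[2] and "=> true" in rule_yaml['check']) or "unload -w" in rule_yaml['fix']:` removes the doubt. `command` is split from `rule_yaml['check']`, while the new outer test `"launchctl" in rule_yaml['fix']` can now admit a check that is not a launchctl command at all, so `command[2]` may index a check with fewer than two `/` and raise `IndexError`; guarding on `len(command)` or testing the fix first would avoid that. main() continues outside the hunk.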
@@ -1498,25 +2049,28 @@ def main(): '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x,rule_yaml['id'],x+999) oval_test = oval_test + ''' - + - + '''.format(rule_yaml['id'],x,x,x,x+999,rule_yaml['id'],x+999) - s = command[5].split()[2] - domain = re.search('"(.*?)"', s).group(1) - + domain = str() + if "launchctl" not in rule_yaml['check']: + domain = rule_yaml['fix'].split()[4].split('/')[4].replace(".plist","") + + else: + s = command[5].split()[2] + domain = re.search('"(.*?)"', s).group(1) oval_object = oval_object + ''' - - {} + /var/db/com.apple.xpc.launchd/disabled.plist - 1 - + name(//*[contains(text(), "{}")]/following-sibling::*[1]) + '''.format(rule_yaml['id'],x,domain,x+999,rule_yaml['id'],domain) @@ -1527,9 +2081,43 @@ def main(): else: status = "true" oval_state = oval_state + ''' - - {} - '''.format(rule_yaml['id'],x,status) + + {} + '''.format(rule_yaml['id'],x,status) + + elif "launchctl unload" in rule_yaml['fix']: + oval_definition = oval_definition + ''' + + + {} + + + {} + + + + + '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x,rule_yaml['id'],x+999) + + oval_test = oval_test + ''' + + + '''.format(x,rule_yaml['id'],x) + + domain = str() + + if "launchctl" not in rule_yaml['check']: + domain = rule_yaml['fix'].split()[4].split('/')[4].replace(".plist","") + + else: + s = command[5].split()[2] + domain = re.search('"(.*?)"', s).group(1) + + oval_object = oval_object + ''' + + + '''.format(x, rule_yaml['id'],domain) + else: oval_definition = oval_definition + ''' 
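Review bot: The new `elif "launchctl unload" in rule_yaml['fix']:` branch is reachable only for fixes that say `launchctl unload` without `-w`, because the preceding `if` already claims every fix containing `unload -w`; if the two cases are meant to produce different objects a comment should say so, otherwise one of the branches is dead for the rules it was written for. Both branches also recover the launchd domain by position — `rule_yaml['fix'].split()[4].split('/')[4].replace(".plist","")`, the fifth token of the fix and the fifth path component — which breaks silently as soon as a fix is written with a different word count or plist directory depth; `os.path.basename(...)` of the plist path plus a check that it ends in `.plist` would at least fail loudly. main() continues outside the hunk.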
@@ -1560,16 +2148,33 @@ def main(): x += 1 continue + total_oval = ovalPrefix + "\n\n" + oval_definition + "\n\n\n" + oval_test + "\n\n\n" + oval_object + "\n\n" + if oval_state != "": + total_oval = total_oval + "\n" + oval_state + "\n\n" + if oval_variable != "": + total_oval = total_oval + "\n\n" + oval_variable + "\n\n" + + total_oval = total_oval + "\n" - - total_oval = ovalPrefix + "\n\n" + oval_definition + "\n\n\n" + oval_test + "\n\n\n" + oval_object + "\n\n\n"+ oval_state +"\n\n\n" + oval_variable + "\n\n" final_oval = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n$.*', '<', total_oval) - # final_oval = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', total_oval) oval_file = output - with open(oval_file,'w') as rite: + with open(oval_file + "temp",'w') as rite: rite.write(final_oval) + cmd = shutil.which('xmllint') + rite.close() + if cmd == None: + try: + os.rename(oval_file + "temp", oval_file) + except: + print("Error writing Oval file.") + else: + cmd = cmd + " " + oval_file + "temp --format --output " + oval_file + + os.popen(cmd).read() + if os.path.exists(oval_file): + os.remove(oval_file + "temp") if __name__ == "__main__": main() \ No newline at end of file diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc index 2776e437b..20627c595 100644 --- a/templates/adoc_additional_docs.adoc +++ b/templates/adoc_additional_docs.adoc @@ -28,7 +28,7 @@ ASSOCIATED DOCUMENTS |=== |Document Number or Descriptor |Document Title -|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_11_V1R2_STIG.zip[STIG Ver 1, Rel 2]|_Apple macOS 11 (Big Sur) STIG_ +|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_12_V1R1_STIG.zip[STIG Ver 1, Rel 1]|_Apple macOS 12 (Monterey) STIG_ |=== [%header, cols=2*a] 
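Review bot: The xmllint call is a shell command string built by concatenating `oval_file` (derived from the `output` argument) and run through `os.popen(cmd).read()`, so an output path containing spaces or shell metacharacters is split or interpreted by the shell, and xmllint's exit status and stderr are discarded; when it fails, the `temp` file is left behind and `oval_file` may be missing or empty with no message. Pass an argument list to `subprocess.run` (add `import subprocess` to the header) and check `returncode`, as below. `rite.close()` after the `with` block is redundant, `cmd == None` should be `cmd is None`, and the bare `except` around `os.rename` should be `except OSError as err` so the reason is printed. This is the tail of main(), whose start is outside the hunk.

```python
cmd = shutil.which('xmllint')
if cmd is None:
    try:
        os.rename(oval_file + "temp", oval_file)
    except OSError as err:
        print("Error writing Oval file: {}".format(err))
else:
    # argv list: the output path is one argument and is never parsed by a shell
    result = subprocess.run(
        [cmd, oval_file + "temp", "--format", "--output", oval_file],
        stdout=subprocess.DEVNULL, stderr=subprocess.PIPE)
    if result.returncode != 0:
        print("xmllint failed: {}".format(result.stderr.decode(errors="replace")))
    elif os.path.exists(oval_file):
        os.remove(oval_file + "temp")
```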
@@ -57,5 +57,5 @@ ASSOCIATED DOCUMENTS |=== |Document Number or Descriptor |Document Title -|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 11.0]|_CIS Apple macOS 11.0 Benchmark version 1.2.0_ +|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 12.0]|_CIS Apple macOS 12.0 Benchmark version 1.0_ |=== \ No newline at end of file diff --git a/templates/adoc_header.adoc b/templates/adoc_header.adoc index 951cb8d0e..417ea007c 100644 --- a/templates/adoc_header.adoc +++ b/templates/adoc_header.adoc @@ -14,7 +14,7 @@ :nofooter: $nist171_attribute $stig_attribute -$cisv8_attribute +$cis_attribute ifdef::backend-pdf[] = $profile_title $version ($release_date) diff --git a/templates/adoc_rule.adoc b/templates/adoc_rule.adoc index bf9b2ef4f..9726d1f3c 100644 --- a/templates/adoc_rule.adoc +++ b/templates/adoc_rule.adoc @@ -3,7 +3,7 @@ $rule_discussion To check the state of the system, run the following command(s): -[source,bash] +[source,bash,options="nowrap"] ---- $rule_check ---- @@ -45,9 +45,8 @@ ifdef::show_STIG[] !$rule_disa_stig endif::[] -ifdef::show_CISv8[] -!CIS Controls V8 -!$rule_cisv8 +ifdef::show_CIS[] +$rule_cis endif::[] !CCE diff --git a/templates/adoc_rule_custom_refs.adoc b/templates/adoc_rule_custom_refs.adoc index b0bbfef4b..ed23571eb 100644 --- a/templates/adoc_rule_custom_refs.adoc +++ b/templates/adoc_rule_custom_refs.adoc @@ -45,9 +45,8 @@ ifdef::show_STIG[] !$rule_disa_stig endif::[] -ifdef::show_CISv8[] -!CIS Controls V8 -!$rule_cisv8 +ifdef::show_CIS[] +$rule_cis endif::[] !CCE diff --git a/templates/adoc_rule_no_setting.adoc b/templates/adoc_rule_no_setting.adoc index 44c950acf..25661de26 100644 --- a/templates/adoc_rule_no_setting.adoc +++ b/templates/adoc_rule_no_setting.adoc @@ -31,9 +31,8 @@ ifdef::show_STIG[] !$rule_disa_stig endif::[] -ifdef::show_CISv8[] -!CIS Controls V8 -!$rule_cisv8 +ifdef::show_CIS[] +$rule_cis endif::[] ifdef::show_tags[]